CompTIA A+ Exam 220-902 sub-objective 3.2 – Compare and contrast common prevention methods

Back to the main 902 ExamNotes page

Detailed (and official) description of CompTIA A+ sub-objective 3.2

3.2 Compare and contrast common prevention methods.

Physical security
Lock doors
Mantrap
Cable locks
Securing physical documents/passwords/shredding
Biometrics
ID badges
Key fobs
RFID badge
Smart card
Tokens
Privacy filters
Entry control roster

Digital security
Antivirus/Antimalware
Firewalls
User authentication/strong passwords
Multifactor authentication
Directory permissions
VPN
DLP
Disabling ports
Access control lists
Smart card
Email filtering
Trusted/untrusted software sources

User education/AUP
Principle of least privilege

Welcome to Exam Notes by CertBlaster! This section will cover the content addressed in 220-902 objective 3.2, Compare and contrast common prevention methods. We will examine attack prevention in both the digital and physical environments. In addition to the standard protection methods we will also look at securing transmissions and ports, devices, and the privilege configurations that enhance your security. And off we go, enjoy!

Physical security

The first area we will look at is physical security. Often minimized or considered common knowledge, physical security is one of the primary defenses in the workplace. Keeping the entry points to secure areas locked is fundamental to overall security.

Lock doors

Locking doors seems like a simple task, but let’s look deeper and see what level of security we can achieve. First is the lock and key. This method is acceptable for securing a single server. However, the keys can be copied if left unattended, and locks can be picked to permit unauthorized access. It is best to combine this method with others in a secure area.

Mantrap

In the simplest explanation, a mantrap is an area of controlled access between two more secure areas. For example, a small room with two doors between two controlled-access areas could require one simple level of security to enter the space, but a higher level or a different authentication method for the second door. Further, to prevent or at least minimize tailgating, the first door must be secured (closed) before the access mechanism(s) on the second door can be used. The second, more secure location may require multifactor authentication. Optimally, each mantrap would be monitored by a security guard.

Photo: Door lock

Cable locks

Cable locks are used to secure valuable items like laptops that could easily be removed from the workplace. Combination or key locks are used on a cable solidly secured to the laptop and the desk.

Photo: Laptop Kensington lock

Securing physical documents/passwords/shredding

Documents containing sensitive data should be password protected. Devices containing sensitive material should be secured, allowing only authorized access. Sensitive data stored on secure devices should also be encrypted and password protected. Finally, when the sensitive material is updated or no longer needed, it should be disposed of by shredding all physical copies. Digital copies of the data should be destroyed by overwriting the hard drive with zeros, magnetically destroying it, or physically destroying the drive. Portable devices like USB sticks or SSD cards can be broken in half or smashed with a hammer.

Biometrics

Using a person’s unique physical attributes, like an iris, fingerprint or voice, to authenticate them is known as biometrics. Biometric security is quite tough to fool. Initially you provide a sample of the attribute to be tested, which is then stored in a database for comparison against your later access attempts. Often you will find a fingerprint scanner and passcode combined to provide multifactor authentication, as you will see below.

ID badges

Good everyday access is provided through security badges that contain coded data identifying you to the security system, including a current picture to satisfy any personal security challenges. The data about you can be stored on a magnetic strip or in NFC contactless storage. The card should also carry the company logo and be tamperproof.

Key fob

The key fob is frequently used in contactless authentication. The key fob contains a security token that changes at predetermined intervals to stay synchronized with the master security system. This demonstrates that the user has possession of the key fob. Possession can be proven by entering the number displayed into the system.

Photo: Hardware token

RFID badge

Another form of this authentication does not require the user to input the data; the security token is transmitted wirelessly using Radio Frequency Identification (RFID).

Smart cards

Smart cards are another way to deliver security tokens to the system. The smart card may or may not be combined with badge technology. One thing that separates many smart cards from the others is their ability to both send and receive data. This enables mutual authentication, allowing each component to trust the other.

Graphic: Smartcard

Tokens

Tokens are the security component needed for devices to communicate and to provide the holder of the token with the appropriate access level. They are passed across a connection to a card reader, a magnetic swipe, or a wireless link.

Privacy filters

Privacy filters are employed by users who work in close proximity to each other and require protection from shoulder surfing. The filter narrows the monitor’s viewable angle so that the output is directed only to the intended user.

Entry control roster

An entry control roster is a list of people with allowable credentials that is used by security personnel to log those parties in and out.

Digital security

Digital security is without a doubt one of the most important aspects of security in today’s computing environment. We’ll look at how we utilize the different technologies to stay safe and secure.

Antivirus/Antimalware

Antivirus/antimalware is a crucial component of computer protection. Often you will see both products rolled into one. To maintain the program’s effectiveness, its antimalware and antivirus signatures must be updated frequently. The protection programs examine all traffic and compare the behavior and contents of files against those of known threats. If a match or a suspicious file is discovered, the program will warn you of the malware and secure the file in its quarantine until you make a determination. Remember not to judge a file by its name alone: Trojans use the names of legitimate files. Leave the quarantined one alone and look for a replacement at a trustworthy site.

Firewalls

Fundamentally there are two types of firewall: hardware and software firewalls. To protect business and small networks against attack, hardware firewalls are often placed between the internet and the network being protected, filtering the traffic that is allowed to pass onto the network. A software firewall is important, not as a standalone solution, but as a deeper look at the traffic both in and out of your machine. A hardware firewall inspects inbound traffic only, while a software firewall can monitor both inbound and outbound traffic. These complement each other, and even in the case of a SOHO you will find a hardware firewall incorporated into the broadband router. The software firewall is often part of the OS, as in the case of Windows Firewall on Microsoft OSs. These software firewalls are designed to interoperate with antivirus or antimalware packages. The software firewall is more easily configurable by the end user should they find their normal activity blocked.

User authentication/strong passwords

In a business environment, user authentication is required in order to access computer systems. A strong password is recommended. It should be long, 16 or more characters, and use upper and lower case characters, numbers, and symbols. The strong password K5wp#bLjp6B2G7-y was provided by a random password generator, as you will see below. The generator also offers an easy way to remember the cryptic password with the phrase “KOREAN 5 walmart park # bestbuy LAPTOP jack park 6 BESTBUY 2 GOLF 7 – yelp”. Good luck with that!

Screenshot: Strong password generator
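As an added example (not part of the original notes and not the generator pictured above), the checker below encodes the strong-password rules just listed, 16 or more characters with upper case, lower case, digits and symbols, and pairs it with a generator that draws from the operating system's cryptographic random source until a candidate satisfies the same rules. The symbol set and the function names `check_password` and `generate_password` are assumptions for the demo; the password from the notes is used as a test input.

```python
import secrets
import string

MIN_LENGTH = 16
# Constructed symbol set; adjust to whatever the local password policy permits.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy rules the password fails; an empty list means it passes.
    Reporting every failed rule at once lets a user fix the password in one try."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def generate_password(length: int = MIN_LENGTH) -> str:
    """Build a random password that satisfies check_password().
    secrets.choice uses the OS CSPRNG; rejecting candidates that miss a character
    class keeps each accepted password uniformly drawn from the passing set."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, length):
            return candidate


if __name__ == "__main__":
    print("notes' example password fails:", check_password("K5wp#bLjp6B2G7-y"))
    print("weak password fails:", check_password("password"))
    print("generated:", generate_password())
```

Note that composition rules alone do not catch a long password built from a dictionary word plus a digit and a symbol; a production checker would also reject entries found in breached-password lists.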

Multifactor Authentication

A strong password combined with a second form of authentication, either a biometric or a badge or token, is referred to as multifactor authentication. You may see a numeric keypad with a fingerprint scanner embedded; this would be a very common multifactor method. It could be as simple as your security badge combined with your passcode. The takeaway is that while an impostor may be able to obtain one factor, it is unlikely that they will obtain both.

Directory permissions

This term relates to the permissions allowed to a particular login or user. Unless access is specifically allowed, the hierarchy will expressly deny it. Usually a user is a member of a group and is given the shared group permissions. If a user inherits a deny from the group but is explicitly allowed, they will be allowed.

VPN

A Virtual Private Network (VPN) offers a way to communicate securely over an insecure network (the internet). The VPN creates a secure encrypted tunnel between remote users and the private network hosted by the business.

DLP

Data Loss Prevention (DLP) is less about physically losing data and more about user activities that could compromise data security. Operations like sending email or moving files are scrutinized by DLP programs or even dedicated devices. The sensitive data is pre-classified to allow for categorization. Sometimes referred to as Data in Motion, DLP checks these activities for sensitive material.

Disabling ports

When malicious activity is detected, your firewall has the ability to disable ports and protocols to stop malware from spreading.

Access control lists

Access Control Lists (ACLs) hold and manage the database of users and groups that are granted access to files and folders. Group membership helps manage this process. Keep in mind that a particular user may belong to one or more groups; in any case, if the permissions are not specifically set, access will be denied to the user. When multiple settings are listed, the user will be granted the lowest level of access specified in the groups.
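The following is an added example, not code from the notes and not the behavior of any particular operating system, that turns the rules from the Directory permissions and Access control lists sections into one evaluator: an explicit user entry decides the request outright (so a user allow beats a group deny), otherwise the groups decide and a deny in any group wins (the lowest level of access), and a right that no entry mentions is denied by default. The sample ACL, the group memberships, and the names `Ace`, `is_allowed` and `effective_rights` are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: who it applies to, allow or deny, and which rights."""
    principal: str       # "user:<name>" for an explicit entry, "group:<name>" for inherited
    effect: str          # "allow" or "deny"
    rights: frozenset    # e.g. frozenset({"read", "write"})


def is_allowed(acl, user, groups, right):
    """Decide a single right for a single user.
    1. Explicit user entries for the right decide outright (explicit allow beats group deny).
    2. Otherwise the user's group entries decide, and any deny wins over allows.
    3. No entry mentioning the right at all means it was never set, so deny."""
    user_entries = [a for a in acl if a.principal == f"user:{user}" and right in a.rights]
    if user_entries:
        return all(a.effect == "allow" for a in user_entries)
    member_of = {f"group:{g}" for g in groups}
    group_entries = [a for a in acl if a.principal in member_of and right in a.rights]
    if not group_entries:
        return False
    return all(a.effect == "allow" for a in group_entries)


def effective_rights(acl, user, groups, all_rights=("read", "write", "delete")):
    """The set of rights the user actually ends up with on the object."""
    return {r for r in all_rights if is_allowed(acl, user, groups, r)}


# Constructed sample ACL for a shared folder, plus constructed group membership.
FOLDER_ACL = [
    Ace("group:staff", "allow", frozenset({"read"})),
    Ace("group:finance", "allow", frozenset({"read", "write"})),
    Ace("group:interns", "deny", frozenset({"write", "delete"})),
    Ace("user:carol", "allow", frozenset({"write"})),   # explicit user-level allow
]
MEMBERSHIP = {
    "alice": {"staff", "finance"},           # read + write via groups
    "bob": {"staff"},                        # read only; write never set -> denied
    "carol": {"staff", "interns", "finance"},  # interns deny write, but explicit allow wins
    "erin": {"interns", "finance"},          # interns deny write beats finance allow
    "dave": set(),                           # no groups, no entries -> nothing
}

if __name__ == "__main__":
    for name, groups in MEMBERSHIP.items():
        print(f"{name:6s} -> {sorted(effective_rights(FOLDER_ACL, name, groups))}")
```

Running it shows why auditing group membership matters as much as auditing the ACL itself: erin and alice share the finance group, yet one extra membership (interns) removes erin's write access, and carol's single explicit entry silently restores it.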

Smart card (See Above)

Email filtering

Email filtering is used by organizations to spot malicious or unapproved traffic in and out of the network. Email filtering can also be configured by the end user in email clients and on incoming email services to reduce spam and block unwanted senders.

Trusted/untrusted software sources

When you are looking for a new program for your PC or mobile device it is imperative that you think before you click. Always take the steps needed to ensure that you are using a trusted source. Trusted sources include, but are not limited to, the device manufacturer, the software vendor (not “dump” sites) and your operating system update site. In most cases this will be the iOS App Store, Google Play or the Windows Store. You will recognize a trusted site first by its familiar appearance, then by its graphics (crisp) and terminology (grammar). Carefully examine the graphics on the page for clarity; they will never look fuzzy or pasted. Next check the text for grammatical errors; fuzzy graphics and poor grammar are both signs that you are being spoofed. Then examine the URL for accuracy; it should be readily identifiable. Software is the vehicle of most malware. The majority of instances surround the downloading of a file that the user thinks is legitimate and then installing the desired piece of software. Malicious programming can be hidden inside a legitimate file, making it hard to detect. These attacks can also entirely replace the contents of a file, or simply rename their file to something you would trust and execute. Your defenses are multiple. For example, email and antivirus scanners will look for specified text strings or symbols within the file to determine the presence of malware. If the programming and disguise are clever enough you will end up installing an infected program from an untrusted source. Be vigilant.

User education/AUP

The best defense in computer security is a well-informed user. Whenever you are called upon to make repairs relating to unsecure practices, make sure that you take the time to explain what happened and why. Use terms that they will understand and relate to. Don’t impress them with your knowledge; improve theirs. In the corporate world there is a preponderance of dry, technical warnings and policies. Make an effort to make any communication digestible by the ordinary individual. Use engaging terminology and educate all users. It only takes one bad click to have a considerable impact on your enterprise’s quality of life. Foremost, you will need a freely available Acceptable Use Policy (AUP). The AUP will outline the rules regarding company information, allowed activities and communication protocols. This document should be written clearly enough to be understood by all. It should be legally binding, and the penalties for ignoring it should be clear. Mention termination along with fines and prosecution. Include the AUP in all new-hire packets and require a signature. If necessary, hold a meeting incorporating all employees to explain the policy and answer questions. Require a sign-off at the conclusion to verify their understanding and keep the signed document in the user’s personnel file. Address your problems proactively.

Principle of least privilege

With regard to access privileges on your network, less is better. This is where the Principle of Least Privilege (PoLP) comes in. The PoLP increases security by reducing the user’s privileges to only those necessary for the performance of their duties. This blocks ordinary users from installing software and performing any other actions that are not permitted by their job description. The privileges can be elevated when necessary, with this temporary elevation lasting only for the duration of the specified activity.
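As an added example (not from the notes and not any vendor's privilege-management product), the model below shows the two halves of the paragraph working together: an account carries only the standing privileges its job needs, and anything beyond that is an elevation with an expiry time and a recorded reason, so the extra right disappears on its own when the activity's window closes. The privilege names, the `Account` and `Elevation` classes, the `install_software` action and the ticket reference are all constructed for the demo.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Elevation:
    """A temporary grant: which privilege, until when, and why (for the audit trail)."""
    privilege: str
    expires_at: float
    reason: str


@dataclass
class Account:
    name: str
    base_privileges: frozenset              # standing rights the job description needs
    elevations: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def has_privilege(self, privilege: str, now: float = None) -> bool:
        """True if the privilege is standing, or temporarily granted and not yet expired.
        Expiry is checked at use time, so a grant cannot outlive its window."""
        now = time.time() if now is None else now
        if privilege in self.base_privileges:
            return True
        return any(e.privilege == privilege and e.expires_at > now for e in self.elevations)

    def elevate(self, privilege: str, duration_seconds: float, reason: str,
                now: float = None) -> Elevation:
        """Grant a privilege for a bounded time and record who, what and why."""
        now = time.time() if now is None else now
        grant = Elevation(privilege, now + duration_seconds, reason)
        self.elevations.append(grant)
        self.audit_log.append((now, self.name, "elevate", privilege, reason))
        return grant

    def drop(self, privilege: str, now: float = None) -> None:
        """End an elevation early, once the activity is finished."""
        now = time.time() if now is None else now
        self.elevations = [e for e in self.elevations if e.privilege != privilege]
        self.audit_log.append((now, self.name, "drop", privilege, "activity complete"))


def install_software(account: Account, package: str, now: float = None) -> str:
    """A privileged action that is refused unless the caller currently holds the right."""
    if not account.has_privilege("install_software", now):
        raise PermissionError(f"{account.name} may not install {package}")
    return f"{package} installed by {account.name}"


if __name__ == "__main__":
    alice = Account("alice", frozenset({"read_files", "print"}))
    try:
        install_software(alice, "vpn-client")
    except PermissionError as err:
        print("refused:", err)
    alice.elevate("install_software", 300, "constructed ticket CHG-0000: VPN rollout")
    print(install_software(alice, "vpn-client"))
    alice.drop("install_software")
    print("still allowed after drop?", alice.has_privilege("install_software"))
```

The audit log is what makes the temporary elevation reviewable after the fact; in a real deployment it would be written to a system the elevated user cannot edit.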

That’s all for 3.2! We hope you found it informative. Good luck on the test.
