220-1102 Security Study Guide for the CompTIA A+ Core Series Exam

Page 2

Wireless Security Protocols and Authentication Methods

Wireless networks are inherently less secure than wired networks. However, there are several methods that can be used to secure wireless networks. You must be able to compare and contrast these protocols and authentication methods.

Protocols and Encryption

You should be able to differentiate between different protocols and encryption methods used with wireless networks.

Wi-Fi Protected Access 2 (WPA2)

WPA2 improved upon WPA by using the Advanced Encryption Standard (AES). WPA2 remains exploitable if Wi-Fi Protected Setup (WPS) is enabled on the device.

WPA3

WPA3 is the successor to WPA2. It introduced 192-bit cryptographic strength in Enterprise mode and requires CCMP 128 as a minimum in personal mode. WPA3-Personal also uses Simultaneous Authentication of Equals (SAE) instead of the preshared key (PSK) exchange used in previous versions of WPA.

Temporal Key Integrity Protocol (TKIP)

TKIP provides a new encryption key for every packet sent. TKIP uses the RC4 stream cipher: RC4 encrypts plaintext byte by byte by combining it with a keystream. The per-packet key is derived from the sending device's MAC address and an initialization vector, and TKIP also adds a message integrity check.
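The byte-wise RC4 keystream cipher described above, as an added example that is not part of the original study guide. The per-packet key construction (IV prepended to a base key) is a simplification for illustration and is not TKIP's real key-mixing function.

```python
# RC4 stream cipher, written here to illustrate the byte-wise keystream
# cipher the text describes. Added example; the per_packet_key helper is a
# constructed simplification, not TKIP's actual key-mixing function.

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for the given key (KSA, then PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):               # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR each data byte with one keystream byte.
    The same call decrypts, because XOR with the same keystream is its own
    inverse."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def per_packet_key(base_key: bytes, iv: bytes) -> bytes:
    """Constructed illustration of a per-packet key: IV prepended to the
    base key. TKIP's real mixing also folds in the sender's MAC address;
    the only point shown here is that the key changes with every packet."""
    return iv + base_key


if __name__ == "__main__":
    base = b"constructed-base-key"
    msg = b"hello wireless"
    k1 = per_packet_key(base, bytes([0, 0, 1]))
    k2 = per_packet_key(base, bytes([0, 0, 2]))
    c1, c2 = rc4_crypt(k1, msg), rc4_crypt(k2, msg)
    print("different IV gives different ciphertext:", c1 != c2)
    assert rc4_crypt(k1, c1) == msg   # same keystream XORed again decrypts
```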

Advanced Encryption Standard (AES)

AES is a secure encryption method that is still used today. WPA2 uses AES to secure wireless networks.

Authentication

Wireless networks should never be left open, and they should always require some form of authentication. Let’s look at a few wireless authentication methods.

Remote Authentication Dial-In User Service (RADIUS)

RADIUS is an authentication method used to allow for centralized authentication and accounting. Although it gets its name from the days of dial-up internet, RADIUS is now the common method used to authenticate over virtual private networks (VPNs) and wireless networks.

Terminal Access Controller Access-Control System (TACACS)

TACACS (now TACACS+) was originally developed by Cisco®, but was released as an open standard. These protocols are used for the authentication of users on network devices, such as routers and switches.

Kerberos

Kerberos is an open standard for authentication that is used in conjunction with Active Directory (AD). Kerberos can also be used with the 802.1X protocol for direct authentication.

Multi-Factor

Multi-factor authentication requires a user to provide more than one authentication type, as discussed earlier in this study guide. A common implementation of multi-factor relating to wireless authentication is the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which requires the user to not only have a password but also a certificate installed on the computer.

Detecting, Removing, and Preventing Malware

To succeed on questions about malware, you should be able to evaluate a given scenario, find malware, and remove it with effective tools and procedures. You should also know how to prevent malware in the future. Questions of this type will be scenario based.

Malware

The term malware is used to describe any malicious software that includes (but is not limited to) trojans, spyware, viruses, and worms. Let’s take a deeper look at some of the different types of malware that exist today.

Trojan

Trojans are malicious programs that disguise themselves as valuable programs. Imagine a scenario where a user downloads a program that they believe will allow them to listen to music or watch a movie for free. They downloaded the program because they believed it to be valuable and legitimate; however, when they run it, they actually install malware on their device. This is an example of a trojan.

Rootkit

Rootkits are malicious programs with the goal of gaining privileged access to a computer. Rootkits hide themselves by taking advantage of operating system (OS) functions, and they can attack operating systems, hypervisors, and firmware.

Virus

A virus is defined as any malicious program that replicates itself and attempts to infect other computers. Viruses, unlike worms, need human interaction to spread. They are only able to replicate to other drives on the same computer and not across the network. Viruses are designed for many different goals, from corrupting data to stealing information.

Spyware

Spyware is a type of malware that covertly collects data on a user after it is installed on their computer. Spyware is typically a virus that requires user interaction to infect. For example, a user would have to click on a link in an email for the spyware to download. Spyware can be used for malicious purposes, such as stealing confidential data or credentials, or as a data collection device for advertising purposes.

Ransomware

Ransomware is so named because it essentially holds your files and data ransom until you pay the attacker. As the popularity of cryptocurrency (e.g., Bitcoin) has grown, so has ransomware. Attackers can request Bitcoin as their method of payment to release the data after a ransomware attack, making the attackers more difficult to track down after the transaction.

Keylogger

Some attacks will try to install keyloggers onto a user’s computer in order to steal private data, passwords, or credit card numbers. Keyloggers come in both hardware and software forms. A keylogger will record all the keystrokes made on the computer running the keylogger. This information can then be transmitted to the attacker, who parses it for useful stolen information.

Boot Sector Virus

A boot sector virus infects the master boot record (MBR) of a hard disk and is designed to load when a device is booted up, reinfecting the OS each time it is booted up. Secure boot can be used to identify a boot sector virus.

Cryptominers

Cryptominers perform cryptographic computations to mine cryptocurrency. Cryptomining malware infects other computers and uses their processing power to perform those computations for the attacker’s benefit.

Tools and Methods

There are various tools and methods that can be used to detect and prevent malware. Tools and methods for the prevention of malware are not one-off procedures. Multiple layers of prevention, detection, and eradication should be used to fully protect a system.

Recovery Mode

Microsoft Windows® offers a suite of built-in recovery tools known as the Windows Recovery Environment (WinRE). This console can be especially helpful if a computer has been infected by malware. Some of the tools in the recovery console will allow you to reset the operating system back to default or simply restore the computer to an earlier time, such as before the computer became infected.

Antivirus

Many threats described above can be mitigated simply by having an antivirus program installed. Antivirus software is made up of two main components, the antivirus engine and the antivirus database. The antivirus engine is responsible for real-time scanning. The antivirus definitions database is a repository of signatures that is used to detect known malware.

Anti-Malware

Anti-malware software is extremely similar to antivirus software, but it takes detection a step further. Anti-malware software can usually check files outside of the Windows file systems, such as those on malicious websites and those coming in via email.

Software Firewalls

When referring to software firewalls in this section, we are referring to firewalls that come as part of the operating system. Windows computers come with a built-in software firewall called Windows Defender Firewall. This firewall can help prevent worms and malicious inbound connections.

Anti-Phishing Training

Anti-phishing training is training for end users targeted specifically at understanding phishing techniques and tactics. This training may involve sending simulated phishing emails to end users to identify which users, and which parts of the training, need more attention.

User Education

While there are plenty of wonderful tools out there to help protect against attacks, end user education is one of the most important. This is because antivirus software and spam filters are not perfect. It is important for users to understand what types of items they should download and not download, what types of websites they should not visit, and how to identify a phishing scam.

OS Reinstallation

For a highly corrupted OS, the OS may need to be reinstalled with a clean installation. This will remove all data previously attached to the old installation of the OS, including viruses and malware it may have been infected with.

Social Engineering Attacks, Threats, and Vulnerabilities

For this test you should be able to compare and contrast different types of threats, social engineering, and vulnerabilities. In the following section, we will cover the important details about these issues.

Social Engineering

Social engineering is the act of manipulating individuals into giving you unauthorized access to a building or room, or giving you private information.

Phishing

Phishing is the most common type of social engineering. In a phishing attack, the attacker sends a fraudulent email pretending to be from a legitimate source, such as a colleague, vendor, or even a user’s bank. The goal of a phishing attempt is to get the unsuspecting user to give up their private information.

Vishing

Vishing is phishing through Voice over Internet Protocol (VoIP) calls. Vishing calls may attempt to elicit information from the recipient using social engineering techniques. For example, a caller may state that they are from the IRS and the recipient needs to provide back tax payment or risk further financial or legal penalties.

Shoulder Surfing

Shoulder surfing is the act of stealing a person’s data by looking over their shoulder as they type private information on a computer or a code into a door or ATM.

Whaling

Whaling is phishing that specifically targets individuals high up in a company’s hierarchy, such as CEOs and CFOs or other high-value targets.

Tailgating

Social engineers will sometimes tailgate or follow another person into a building. This means sneaking into a locked door right behind a person who has permission to enter. Sometimes, the social engineer may carry boxes so that an individual, who is just trying to be polite, will unlock and hold the door open for them.

Impersonation

One common social engineering tactic is impersonation. Social engineers will often pretend to be someone else to gain access to what they are looking for. One example of this would be an attacker pretending to be from your internet provider asking for access to your network closet.

Dumpster Diving

Businesses and individuals throw away a lot of valuable information that can be used by an attacker. When an attacker digs through the trash hoping to find private information that wasn’t shredded, this is known as dumpster diving.

Evil Twin

An evil twin is an imposter access point that impersonates a legitimate access point in order to intercept data. For example, a user could connect to an access point at their local cafe that provides free Wi-Fi access under the name “Cafe Guest.” The evil twin will create an imposter access point also named “Cafe Guest” and intercept data when the user connects to the evil twin.
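Detecting the evil-twin scenario above from a Wi-Fi scan, as an added example that is not part of the original study guide. The scan rows and the allow-list of approved access points are constructed; the check flags any beacon that advertises a protected SSID from a BSSID that is not on the allow-list.

```python
# Added example: flag evil-twin candidates in a Wi-Fi scan. The scan rows and
# the allow-list of approved access points are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # access point MAC address
    channel: int
    security: str    # e.g. "WPA2", "WPA3", "OPEN"


# Constructed allow-list: the BSSIDs that legitimately advertise "Cafe Guest".
APPROVED = {
    "Cafe Guest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}


def find_evil_twins(scan, approved=APPROVED):
    """Return (beacon, reason) for beacons reusing a protected SSID from an
    unapproved BSSID. An open network carrying a name that is normally
    secured gets an extra note, since that is the classic imposter setup."""
    findings = []
    for b in scan:
        if b.ssid not in approved:
            continue                       # not a name we protect
        if b.bssid.lower() in approved[b.ssid]:
            continue                       # a known, legitimate AP
        reason = "unapproved BSSID"
        if b.security == "OPEN":
            reason += ", open network"
        findings.append((b, reason))
    return findings


# Constructed scan: two real APs and one imposter on a different channel.
SCAN = [
    Beacon("Cafe Guest", "aa:bb:cc:00:00:01", 6, "WPA2"),
    Beacon("Cafe Guest", "aa:bb:cc:00:00:02", 11, "WPA2"),
    Beacon("Cafe Guest", "de:ad:be:ef:00:01", 1, "OPEN"),
    Beacon("Neighbor", "11:22:33:44:55:66", 1, "WPA2"),
]

if __name__ == "__main__":
    for beacon, reason in find_evil_twins(SCAN):
        print(f"SUSPICIOUS {beacon.ssid!r} from {beacon.bssid} "
              f"ch{beacon.channel}: {reason}")
```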

Threats

Threats are potential hazards to a network that can be either physically or logically based. A threat is an attack designed to interrupt, intercept, or damage data from a target. Threats can come from a single threat actor, such as a script kiddie, or numerous threat actors acting in coordination with one another, such as a nation state.

Denial of Service (DoS)

A denial-of-service (DoS) attack is one in which a large amount of meaningless traffic is directed toward a device or network in an attempt to overburden and bring it down.

Distributed Denial of Service (DDoS)

A distributed denial of service (DDoS) is a denial-of-service attack in which multiple computers (often a botnet) are used to send an abundance of traffic in an attempt to bring down a network’s resources.

Zero-Day Attack

A zero-day attack is one that targets a vulnerability that developers have not identified yet or for which they have not had time to release a patch or fix.

Spoofing

Spoofing is a form of an impersonation attack. Some commonly spoofed items include a source IP address, source MAC address, source email address, and usernames.

On-Path Attack

An on-path attack, previously known as a man-in-the-middle (MITM) attack, is an eavesdropping attack. The attacker will try to place themselves between two systems and intercept the traffic.

Brute-Force Attack

In a brute-force attack, the attacker attempts to guess as many of the possible values as they can. Brute force is generally used as a method of password cracking, but can be used in some other scenarios as well.

Dictionary Attack

One form of brute-force attack is known as a dictionary attack. Rather than trying to come up with passwords to guess themselves, the attacker uses a list of common or previously leaked passwords (known as a dictionary).
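Spotting a brute-force or dictionary attack from the defender's side, as an added example that is not part of the original study guide: a source that racks up many failed logins within a short window. The log lines are constructed in the style of OpenSSH "Failed password" messages; the hostnames and addresses are fake.

```python
# Added example: flag brute-force/dictionary login attempts in auth logs.
# The log lines below are constructed; the format mimics OpenSSH's
# "Failed password" messages but hosts and addresses are fake.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, username, source ip) for each failed-login line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def flag_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total failures} for sources with more than `threshold`
    failures inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged


LOG = [  # constructed sample: one noisy source plus one ordinary typo
    f"Mar  3 10:00:{s:02d} host1 sshd[1200]: Failed password for invalid user "
    f"root from 203.0.113.5 port 4{s:03d} ssh2"
    for s in range(0, 60, 8)
] + ["Mar  3 10:00:20 host1 sshd[1201]: Failed password for alice "
     "from 198.51.100.7 port 5555 ssh2"]

if __name__ == "__main__":
    print(flag_brute_force(LOG))   # only 203.0.113.5 crosses the threshold
```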

Insider Threat

An insider threat is a threat from within the organization itself and may be perpetrated by disgruntled employees or for personal gain. Insider threats are more common than external threats and can expose the organization to significant levels of damage as the threat has access to the network. An internal threat may be more difficult to detect since the threat is expected to be on the network.

Structured Query Language (SQL) Injection

An SQL injection is an attack in which the threat actor enters malicious input that is incorporated into a Structured Query Language (SQL) query, in order to gain access to SQL databases.
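The injection above as a vulnerable login lookup beside its parameterized fix, as an added example that is not part of the original study guide. It uses an in-memory SQLite database with a constructed users table and fake credentials.

```python
# Added example: a login check built by string concatenation (vulnerable)
# next to the same check using a parameterized query (safe). The database
# and credentials are constructed for this example.
import sqlite3


def make_db():
    """In-memory SQLite database with one constructed user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_vulnerable(con, name, password):
    """Builds the query by string formatting, so user input becomes SQL."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, name, password):
    """Parameterized query: the driver sends the values separately from the
    SQL text, so the input is compared as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    con = make_db()
    injected = "' OR '1'='1"   # tautology that makes the WHERE clause always true
    print(login_vulnerable(con, "alice", "wrong"))    # False: ordinary bad password
    print(login_vulnerable(con, "alice", injected))   # True: check bypassed
    print(login_safe(con, "alice", injected))         # False: treated as a literal
```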

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) embeds malicious scripts into a legitimate web page and is commonly used to hijack web pages and coax the end user into installing malware.

Vulnerabilities

Vulnerabilities in cyber security are weaknesses in the OS or network that can be exploited for access. Threat actors leverage vulnerabilities to gain access to a network. While zero-day threats do occur, the majority of vulnerabilities have been previously identified with released patches. It is easier for a threat actor to try known vulnerabilities against a target to gain access to the network than to attempt to discover a new vulnerability.

Non-Compliant Systems

A non-compliant system is a system or device that does not follow the standard security precautions as dictated by the system administrator. Non-compliant software or systems can pose a threat to an organization’s network. It’s important to fix non-compliant devices as soon as you notice them.

Unpatched Systems

Patches protect systems, software, or networks from known vulnerabilities. Unpatched systems leave the network or device open to exploitation through these known vulnerabilities.

Unprotected Systems

An unprotected system is a system that does not have the appropriate security measures in place, such as a device without an antivirus or anti-malware program installed or a system without a properly configured firewall.

End-of-Life (EOL) Operating Systems (OSs)

An EOL OS is an OS that is no longer supported by the vendor. This means that no new patches or updates will be released for vulnerabilities, leaving the OS open to exploitation.

Bring Your Own Device (BYOD)

The prevalence of BYOD policies in networks complicates network security. BYOD policies allow users to use their own devices on a network and are therefore difficult to police and pose both a data leakage and data portability vulnerability. These devices may not be properly secured, both physically and logically, making them targets for threat actors.
