220-1202 Security Study Guide for the CompTIA A+ Core Series Exam
General Information
No IT system can function optimally without impeccable security. As this technology grows in scope and importance, there is a need for increasing proficiency in security so that vital data is protected. This involves not only planning to deter threat actors but also having procedures in place in case a system is breached. Working in IT, you will need to be conversant in all types of security vulnerabilities for devices and network connections. The CompTIA A+ 1202 test devotes 28% (roughly one-fourth) of its questions to security concept assessment. More than half (55%) of the questions about security begin with a scenario.
Security Measures
Security measures are practical concepts, both physical and logical, that are designed to maintain the integrity and security of a network, device, or program, among others. For the CompTIA A+ test, you must be able to summarize various security measures and their purposes.
Physical Security
When considering cybersecurity, it’s sometimes easy to overlook the crucial role physical security plays in safeguarding digital data. Physical security measures are any devices or controls used to protect the physical components of a network. Physical security is essential because no matter how many security measures you put in place on a device itself, physical impediments are the only thing that will stop a criminal from walking away with the entire device.
These are some of the most common physical security measures:
- bollards—Bollards are placed around the perimeter of an area to prevent forced or catastrophic entrance to the area. Bollards are very sturdy, typically made of concrete or steel, and are designed to prevent vehicles, such as cars or trucks, from entering a secured area.
- access control vestibule—An access control vestibule, commonly known as a mantrap, is used to prevent infiltration methods such as tailgating and piggybacking. The access control vestibule is a small area with a set of two locked doors, separating the outside world from a secure area. An individual enters through the first door, but that door must then be closed behind them before the second door will open.
- badge reader—Identification badges can be used as proof of access authorization, with the related badge readers helping to prevent unauthorized access. Employees are issued badges, such as proximity cards or smart cards. When the employee scans an authenticated badge, they are allowed entry to the area.
- video surveillance—Video surveillance is one of the most important aspects of physical security, as it allows an investigator to see what has occurred in the physical area. Fixed and pan-tilt-zoom (PTZ) cameras are the two primary types used for video surveillance. A fixed camera is limited to the field of view of the stationary camera and may create blind spots. The PTZ camera, however, can cover a 360-degree area and offers zooming capabilities. The drawback of the PTZ camera is that it is commonly employed to cover a large area, reducing the likelihood that the camera will be pointed in the direction of an event at the time it occurs.
- alarm systems—An alarm system can alert staff to potential unauthorized access. These systems are also used to notify staff when an access control system has logged unauthorized access, and for detection and response in the event of a break-in. Common sensors found in an alarm system include video surveillance, motion detection devices, and magnetic contact sensors.
- motion sensors—A motion sensor is a device that is programmed to detect motion in a particular space. The sensitivity of these sensors can be adjusted to meet the specific needs of the enterprise, thereby minimizing false alarms.
- door locks—Door locks should be used whenever possible. Aside from locks preventing unauthorized entrance to the building, locks should also be used to protect rooms containing sensitive equipment (such as the server room or network closet).
- equipment locks—Equipment locks are designed to secure a specific type or piece of equipment. For example, a cable lock can be used to help prevent a thief from stealing laptops. This type of lock involves a cable that loops around a heavy (ideally immovable) object and then secures the lock to a small security slot on the side of the laptop. Server locks are used to secure servers but are becoming obsolete as rack-mounted enclosures provide more security for servers. USB locks are plastic pieces that can be inserted into a USB port to close the port. A specialty tool is needed to remove this lock.
- security guards—Security guards are one of the few security controls that are classified not only as preventative controls but also as deterrent and detective controls. This is because organizations with onsite security staff are less likely to be targeted for attacks than those with no security guards. Security guards have the authority to physically restrict access to the premises, or to specific areas within the premises, for individuals without proper identification and authorization. They can also investigate if something appears to be amiss.
- fences—Fences are physical barriers designed to keep unauthorized persons out of an area or space. Fences are commonly the first line of physical defense against unauthorized access and work best when paired with other physical security measures, such as badge readers and security guards.
Physical Access Security
Physical access security is a method of access control for sensitive areas or equipment that requires user verification prior to access. Physical access security user verification is often provided by something the user has, such as:
- key fobs—Key fobs are small security devices that store authentication information. They can be easily attached to a keyring or lanyard to provide both security and instant access.
- smart cards—Smart cards are typically the size of your driver’s license or credit card. The embedded memory and chipset in these cards can store identification and authentication information.
- mobile digital key—A mobile digital key is credential data stored on a mobile device, such as a smartphone, which is used to transmit encrypted credential data to a receiving device. A mobile digital key can act similarly to a smart card or key fob, using wireless transmission connections, most commonly Bluetooth® or near-field communication (NFC), for authentication.
- keys—Physical keys are used to open a specific lock or set of locks. Keys are less secure because they are easily duplicated or stolen, and their usage is hard to control.
Biometrics
Biometric locks can add an additional layer of protection to an organization’s physical security. Smart cards and proximity badges can be lost and potentially fall into the wrong hands. Biometric locks use an individual’s features, such as their retina or fingerprints, to authenticate them.
These are common methods for biometric authentication:
- retina scanner—A retina scanner compares the retinal scan of a person’s eye against the markers on file to verify identity. Retinal scanners are more intrusive than other types of biometric authentication, and the accuracy of the scan can be limited by diseases of the eye, such as cataracts, glaucoma, or severe astigmatism.
- fingerprint scanner—A fingerprint scanner matches fingerprints to verified users. Fingerprint scanners are a standard method of biometric authentication, but they may cause bottlenecking at high-traffic locations and can lack accuracy in dirty environments.
- palmprint scanner—A palmprint scanner compares the scanned palmprint against that of the verified user and looks for such markers as lines, scars, and fingerprints. Palmprint scans tend to be more accurate than fingerprint scans due to the larger surface area of the scan location, which allows for more points of comparison.
- facial recognition technology (FRT)—FRT is a biometric technology that uses unique facial characteristics and identifiers to authenticate a user. FRT is commonly used for authentication on computing devices, such as cellular phones and laptops, as well as a method of identification in the public sector, such as in airport security screenings.
- voice recognition technology (VRT)—VRT is a biometric authentication method that uses unique identifiers of a user’s vocal characteristics, such as frequency, pitch, and tone, as well as speech patterns to create a voiceprint. This technology has potential limitations, including spoofing with a recorded voice or disruption by external noises.
Lighting
Lighting can impact the picture quality of video surveillance. To ensure high-quality video, the area should be adequately lit. Most video surveillance systems used today, however, include infrared (IR) capabilities that allow for surveillance in low-light or dark areas.
Magnetometers
A magnetometer, commonly known as a metal detector, can be used to detect metal objects. The metal detector can also be used as a security choke point. Metal detectors can also be used upon exiting a facility if the enterprise is concerned about insider threats, but this is controversial, as it may be considered an infringement on employee rights to privacy.
Logical Security
In contrast to physical security controls, which are visible and tangible, logical security controls refer to security policies and software safeguards used to protect systems. You should be able to explain these concepts.
Principle of Least Privilege
Permissions should only be given to a user if they absolutely need them to complete their job. This idea is known as the principle of least privilege. The fewer users who have access to sensitive files, the less likely it is that something bad will happen to those files.
Zero-Trust Model
The zero-trust model is a cybersecurity framework that utilizes the concept that no entity in a network is inherently trusted. Users and devices must verify their identities prior to being allowed access to any resources. This security model also employs the principle of least privilege to create additional access control once access is granted, as well as micro-segmentation to keep network resources isolated.
Access Control List (ACL)
ACLs are used to specify which traffic should be allowed through a firewall and which traffic should be blocked. Using an ACL, incoming traffic can be blocked or granted permission based on several factors, including source or destination port, as well as source or destination IP address.
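The following is an added example, not part of the original study guide, that models how a firewall evaluates an ACL: rules are checked top to bottom against the packet's source and destination address, protocol and destination port, the first match decides, and a packet that matches nothing is denied. The rule set, the addresses (documentation ranges) and the `Rule`/`evaluate` names are constructed for illustration.

```python
"""Minimal stateless ACL evaluator (illustrative model, not a real firewall)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR form ("0.0.0.0/0" = any)
    dst: str                 # destination network in CIDR form
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


# Constructed example ACL protecting a web server at 192.0.2.10.
# Order matters: the deny for the blocked source range sits above the allows.
ACL = [
    Rule("deny",  "198.51.100.0/24", "0.0.0.0/0",     "any", None),  # blocked source range
    Rule("allow", "0.0.0.0/0",       "192.0.2.10/32", "tcp", 443),   # HTTPS from anywhere
    Rule("allow", "10.0.0.0/8",      "192.0.2.10/32", "tcp", 22),    # SSH only from the internal net
]


def evaluate(acl, src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return (action, index of the matching rule); implicit deny when nothing matches."""
    for index, rule in enumerate(acl):
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    for pkt in [("203.0.113.5", "192.0.2.10", "tcp", 443),   # allowed by rule 1
                ("198.51.100.7", "192.0.2.10", "tcp", 443),  # denied by rule 0 (first match wins)
                ("203.0.113.5", "192.0.2.10", "tcp", 22),    # no match: implicit deny
                ("10.1.2.3", "192.0.2.10", "tcp", 22)]:      # allowed by rule 2
        print(pkt, "->", evaluate(ACL, *pkt))
```

The point to notice is that rule order changes the outcome: moving the deny for 198.51.100.0/24 below the HTTPS allow would let that range reach port 443, because the allow would match first.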
Multifactor Authentication (MFA)
Even the strongest passwords can be compromised. This is where MFA comes in. MFA requires two or more different authentication types. Authentication types typically fall into three categories: something you know (e.g., password, PIN, security question), something you have (e.g., authenticator application, hardware token), and something you are (e.g., biometric features). Because MFA requires two or more different types of authentication, a user would not be able to use just a personal identification number (PIN) and a password, since both fall into the category of something you know. Instead, the user would need a combination of the authentication types, such as a password and a token.
- email—Email can be used as a method of MFA, but it is the least secure method. Email can be a helpful notification tool for unauthorized access, as it alerts the individual if suspicious activity is detected.
- hardware token—Also known as a hard token, this is a physical device that the user must have on them to gain access to a network’s resources. The drawback of a hardware token is the risk of losing it, since an unauthorized user who finds it could then use it to authenticate to a system.
- authenticator application—Authenticator applications are technically soft tokens that act like hard tokens. An application, such as Google Authenticator, is loaded onto a device and used for authentication.
- short message service (SMS)—An SMS can be used as a method of MFA by sending a time-sensitive code, typically a five- to eight-digit code, to the authorized user’s connected SMS number.
- voice call—A voice call, like an SMS, can be used to verify the user by placing an automated call to the contact number on file for the user. A verification code is thereby provided to the user for authentication purposes.
- one-time password/passcode (OTP)—An OTP is a single-use password that is valid for only one login attempt or use, after which it becomes invalid. An OTP is commonly either time-restricted or reliant on a hash-based message authentication code (HMAC) over a counter, in which case it is valid for a single event and is not limited by time.
- time-based one-time password (TOTP)—A TOTP is a common method for MFA that generates a unique OTP with a very short validity time, commonly 30 seconds to a minute for highly sensitive scenarios. Authenticator apps, such as Google Authenticator or Microsoft Authenticator, are frequently used to generate these time-sensitive passwords.
Single Sign-On (SSO)
SSO is an authentication and authorization technique that enables access to multiple resources using a single verified credential. SSO centralizes authentication, reducing the number of usernames and passwords a user is required to remember, thereby reducing password fatigue, streamlining access control management, and minimizing the attack surface.
Security Assertion Markup Language (SAML)
SAML is a cybersecurity protocol primarily used for SSO authentication and the exchange of authorization data between an identity provider (IdP) and a service provider (SP). This is done via a SAML assertion, an Extensible Markup Language (XML) document containing the authentication data provided by the IdP.
Just-in-Time (JIT) Access
JIT access is a cybersecurity method that imposes a specific time frame and limited scope on resource access. JIT only allows access to the resources required to complete a task, and only for the duration needed to complete it.
Privileged Access Management (PAM)
PAM is a cybersecurity solution used to manage accounts with elevated privileges or access to network resources. PAM provides increased monitoring and control of privileged accounts while reducing the potential attack surface of the network.
Mobile Device Management (MDM)
MDM policies are used to enforce security measures on mobile devices, such as cell phones and tablets. Many organizations require their users to access email or other business-related apps on their phones, but this can present security risks to the organization. MDM policies can help offset some of the risk. An example of an MDM policy would be an organization requiring anyone accessing business email or business apps to have a PIN-protected lock screen on their phone.
Data Loss Prevention (DLP)
DLP is a cybersecurity technique that involves various tools and methods to secure data from unauthorized access, tampering, or loss. DLP can be applied across multiple channels, including emails, endpoints, and websites, to identify, protect, and monitor data in all states. Additionally, DLP can be used as a policy-enforcement mechanism to ensure that policies are being adhered to.
Identity Access Management (IAM)
IAM is a cybersecurity framework that controls access to digital assets within an organization. IAM provides centralized management of identities, privileges, and security policy enforcement, along with auditing and monitoring capabilities.
Directory Services
Directory services refers to a centralized storage location for the databases that contain the information used for the authentication of users, resources, and devices within a network. Standard directory services include Microsoft’s Active Directory (AD) for Windows-based networks and Lightweight Directory Access Protocol (LDAP), which is a cross-platform compatible protocol.
Microsoft Windows Security Settings
Microsoft Windows provides useful settings for enhancing security. You must know their names and how they are used. Questions on this subject will be scenario-based.
Defender Antivirus
Windows Defender or Windows Defender Antivirus is the pre-installed antivirus software included with all recent versions of the Windows OS.
Activate/Deactivate
Windows Defender can be activated and deactivated via the Virus & threat protection feature by clicking on Manage settings. Specific aspects of the Defender can also be activated and deactivated as needed, such as real-time protection and cloud-delivered protection.
Update Definitions
To maintain the most current malware definitions and signatures, Windows Defender needs to be updated regularly. This software and its definitions are updated through the Windows Update process.
Firewall
Windows Defender Firewall is a host-based firewall designed to block unwanted access to the device from the network. Defender Firewall can be configured to protect the domain network, private network, and public network profiles separately.
Activate/Deactivate
Windows Defender Firewall can be activated or deactivated easily through the Firewall & network protection feature. Windows Firewall blocks incoming connections by default.
Port Security
Windows Defender Firewall enables the creation of custom rules for specific ports as needed, providing advanced port security.
Application Security
By default, Windows Defender Firewall shows a pop-up when an application attempts to listen on a port for incoming connections. If allowed, the firewall creates a new rule for the application, allowing it through. Allowed applications can be managed through the Firewall & network protection feature.
Users and Groups
As mentioned previously, not all users will require the same level of access control. These Windows permissions are a critical part of access control:
- local vs. Microsoft account—Using a Microsoft account on a device allows for synchronization between the device and all data stored in the Microsoft Cloud. A local account does not provide this synchronization and requires manual setup for synchronization.
- standard account—Most users will fall into the standard account category. A standard account will have varying permissions based on roles and groups set by the administrator.
- administrator—Administrator accounts have complete power over the OS and access to everything. Administrator accounts should be reserved for those who absolutely require them. The more administrators that exist on a network, the more room for error.
- guest user—The guest account on Windows is an account that exists on every Windows machine. It’s a low-privilege account that can be used for individuals who only need occasional access to the device.
- power user—A power user account is one step down from an administrator account. It is the second most powerful account type within the Windows OS. A power user can be given read and write permissions but will not be able to change the OS system files.
Login OS Options
The Windows OS offers the following login options that require varying levels of authentication:
- username and password—One widespread method of authentication is the use of a username and password combination to identify the user and the permissions associated with the user.
- personal identification number (PIN)—A PIN is a password of a set length designed for simplifying the login process while still retaining security. A PIN is also often used in two-factor authentication (2FA) and multifactor authentication (MFA).
- fingerprint—A fingerprint scanner is a biometric method of authentication that can be used as a stand-alone authentication method or in 2FA/MFA.
- facial recognition—Facial recognition uses facial-scanning technology to identify a user and can be used as a stand-alone authentication method or in 2FA/MFA.
- single sign-on (SSO)—SSO is an authentication technique that uses a single authentication method to provide access to all applications and systems that the user may need, reducing the need for the user to remember multiple login and password credentials for various applications.
- passwordless/Windows Hello—Windows Hello is the Windows OS’s passwordless authentication system, which allows a verified user to use alternate methods to authenticate into a Windows system. Windows Hello can be configured to accept facial recognition, a fingerprint scan, or a PIN as passwordless authentication.
New Technology File System (NTFS) vs. Share Permissions
New Technology File System (NTFS) is a Microsoft-developed file system used as the default file system on Windows machines, though it is cross-compatible with many other modern operating systems. NTFS should be used whenever possible, as it provides the most control over data resources. The advantage of using NTFS permissions over share permissions is that they are applied to both local users and network users, and they are based on the permissions granted to an individual user at the Windows logon. Share permissions are not applied to users who log in locally to the machine.
File and Folder Attributes
File and folder attributes on a Windows OS are used to define how and by whom a file or folder can be accessed, manipulated, and used. It’s possible to encrypt individual files and folders on a computer using the Encrypting File System (EFS) that is built into professional versions of Windows.
Inheritance
Rather than needing to specify permissions on every file and folder, administrators can configure inheritance. Inheritance allows files and folders within another folder to inherit the permissions of the top-level folder.
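To make inheritance concrete, here is an added example (not from the study guide) that models a folder tree with NTFS-style access control entries and computes a user's effective rights. It follows the evaluation order Windows uses: entries on the object itself are considered before inherited ones, a nearer folder's entries before a farther one's, and at each level deny entries before allow entries; a folder with inheritance disabled stops the walk. The folder names, groups and the `Ace`/`Node`/`effective_rights` names are constructed; real NTFS has more rights and more nuances than this simplified model.

```python
"""Simplified model of NTFS permission inheritance (added example, not real Windows code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Ace:
    principal: str          # user or group the entry applies to
    rights: frozenset       # e.g. frozenset({"read", "write"})
    allow: bool = True      # False = explicit deny


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    aces: list = field(default_factory=list)
    inherit: bool = True    # False = "Disable inheritance" was chosen on this object


def effective_rights(node: Node, principal: str, groups=()) -> frozenset:
    """Walk from the object up towards the root, stopping where inheritance is disabled.
    The first decision reached for a right wins; within one level deny is evaluated
    before allow, which is how Windows orders a canonical ACL."""
    identities = {principal, *groups}
    decided = {}                                   # right -> True (allowed) / False (denied)
    current = node
    while current is not None:
        for ace in sorted(current.aces, key=lambda a: a.allow):   # deny (False) before allow (True)
            if ace.principal in identities:
                for right in ace.rights:
                    decided.setdefault(right, ace.allow)
        if not current.inherit:
            break                                  # nothing further up applies here
        current = current.parent
    return frozenset(r for r, allowed in decided.items() if allowed)


# Constructed tree: permissions set once on the share root and inherited below.
projects = Node("Projects", aces=[Ace("Staff", frozenset({"read", "write"}))])
finance = Node("Finance", parent=projects,
               aces=[Ace("Contractors", frozenset({"write"}), allow=False)])
archive = Node("Archive", parent=finance, inherit=False,
               aces=[Ace("Auditors", frozenset({"read"}))])


if __name__ == "__main__":
    print("alice (Staff) on Finance:", sorted(effective_rights(finance, "alice", ["Staff"])))
    print("bob (Staff, Contractors) on Finance:", sorted(effective_rights(finance, "bob", ["Staff", "Contractors"])))
    print("alice (Staff) on Archive:", sorted(effective_rights(archive, "alice", ["Staff"])))
    print("carol (Auditors) on Archive:", sorted(effective_rights(archive, "carol", ["Auditors"])))
```

Two things the output shows: bob loses write on Finance even though Staff is allowed write at the root, because the nearer deny is decided first; and alice has no rights at all on Archive, because disabling inheritance there discards everything set on Projects, so an administrator who breaks inheritance must grant any needed access explicitly.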
Run as Administrator vs. Standard User
Running the system as administrator allows for complete access and control, while a standard user has more limited access and permissions. The administrator mode should only be used if absolutely necessary, since running as administrator provides complete access to the system. The standard user should be used for daily activities.
User Account Control (UAC)
When a user attempts to run a program that requires administrator privileges, they’ll receive a UAC pop-up. This pop-up will request an administrator password before the program can run. UAC is beneficial as it forces administrators to approve programs before they are run or installed. This can be especially helpful for users who are not tech-savvy and are trying to download or run programs that may be malicious.
BitLocker
BitLocker is a program that offers full drive encryption. Unlike EFS, which encrypts individual files, BitLocker encrypts the entire drive. BitLocker relies on the computer having a Trusted Platform Module (TPM) chip to function. BitLocker is enabled by default on Windows 11.
BitLocker To Go
BitLocker To Go is a similar encryption method to BitLocker, allowing you to encrypt removable/portable drives, such as external hard drives and USB drives. Unlike the full version of BitLocker, though, BitLocker To Go does not require a TPM chip.
Encrypting File System (EFS)
The EFS is a feature that is available in professional versions of Windows. EFS enables you to encrypt individual files and folders with just a single click. EFS can be configured in the Advanced Attributes dialog box of a file or folder.
Active Directory
Active Directory (AD) is the Microsoft directory used to manage users, applications, computers, and other resources. AD can be used to help implement security measures across an organization. AD is not an authentication protocol, but instead acts as storage for authentication data and works closely with Kerberos, which is the actual authentication protocol.
Joining Domain
Ensuring that all computers in an environment are part of your domain guarantees they receive the proper security policies. When a computer is in your domain, you’ll be able to see it and manage it within AD.
Assigning Login Script
A login script is a series of instructions that a device follows when logging in. Login scripts can be set on the profile tab of a user in AD. These scripts can be used to map network drives, log computer access, gather information from a computer, and perform many other tasks.
Moving Objects within Organizational Units (OUs)
An OU is a subdivision of your domain within Active Directory. For example, if an organization has three separate locations, it may choose to have three organizational units within its domain. Objects can be moved between OUs through the graphical user interface (GUI) or through PowerShell.
Assigning Home Folders
A home folder can be set for each user in AD. If the home folder doesn’t exist when it’s added in AD, then AD will create the folder and set the permissions for you. By default, this folder can be accessed only by the user and the domain administrators. Home folders should be used by personnel to store their files on the server. Because computers can be lost or stolen, it’s best for users to store their documents on the server in this way rather than store them locally on their own machines.
Applying Group Policy
Group policies are extremely useful in securing an organization. Group policies can be used to set password policies, block unwanted applications, and even block access to the internet entirely in some cases. They can also be used to push out security updates, which are important to keep an organization safe.
Selecting Security Groups
A security group can be created to make assigning privileges and permissions to groups of users more efficient. Security groups are also helpful when auditing permissions, as the groups can be examined rather than the individual user.
Configuring folder redirection
Folder redirection allows administrators (and, in some cases, users) to redirect the path of a specific folder to a new location. One popular implementation of this is to redirect a user’s Documents folder (stored locally on their machine) to a network location, such as the home folder.
Wireless Security Protocols
Wireless networks are inherently less secure than wired networks. However, several methods can be used to secure wireless networks. You must be able to compare and contrast these protocols and the related authentication methods.
Protocols and Encryption
You should be able to distinguish between these protocols and encryption methods used in wireless networks:
- Wi-Fi® Protected Access 2 (WPA2)—WPA2 improved upon WPA by using the Advanced Encryption Standard (AES). WPA2 is exploitable if the WPS service is enabled on the device.
- WPA3—WPA3 is the successor to WPA2. It introduced 192-bit cryptographic strength in Enterprise mode and requires the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP-128) as a minimum in Personal mode. WPA3-Personal also uses Simultaneous Authentication of Equals (SAE) instead of the pre-shared key (PSK) exchange used in previous versions of WPA.
- Temporal Key Integrity Protocol (TKIP)—TKIP provides a new encryption key for every sent packet. TKIP uses the Rivest Cipher 4 (RC4) algorithm as its cipher. RC4 is a stream cipher: it encrypts plain text byte by byte by combining it with a generated cipher stream. The per-packet RC4 key is derived from the media access control (MAC) address of the sending device and the packet’s initialization vector, and TKIP also adds a check of message integrity.
- Advanced Encryption Standard (AES)—AES is a secure encryption method that is still used today. WPA2 uses AES to secure wireless networks.
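The TKIP entry says that RC4 is a stream cipher and that TKIP derives a fresh key for every packet. The block below, an added example that is not part of the study guide, implements RC4 (checked against the well-known "Key"/"Plaintext" test vector) and then shows the property that makes per-packet keys necessary: two packets encrypted under the same RC4 key share a keystream, so XOR-ing the two ciphertexts yields the XOR of the two plaintexts, whereas packets under different per-packet keys do not. The `per_packet_key` function is a deliberately simple stand-in (a hash of the base key and the packet IV) and is not TKIP's actual key-mixing function.

```python
"""RC4 stream cipher and the keystream-reuse property (added example, not from the page)."""
import hashlib


def rc4_keystream(key: bytes):
    """Generate RC4 keystream bytes for `key` (key-scheduling, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is symmetric) by XOR-ing data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reused(key1: bytes, p1: bytes, key2: bytes, p2: bytes) -> bool:
    """True when the two packets were encrypted with the same keystream: in that case
    c1 XOR c2 == p1 XOR p2, so the ciphertexts leak the relationship between the plaintexts."""
    c1, c2 = rc4(key1, p1), rc4(key2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def per_packet_key(temporal_key: bytes, iv: int) -> bytes:
    """Toy per-packet key derivation (illustrative only, NOT TKIP's real mixing function):
    hash the shared temporal key together with the packet's sequence number/IV."""
    return hashlib.sha256(temporal_key + iv.to_bytes(6, "big")).digest()[:16]


# Constructed sample packets of equal length.
TEMPORAL_KEY = b"constructed-temporal-key"
PACKET_1 = b"frame one payload bytes"
PACKET_2 = b"frame two payload bytes"


def static_key_leaks() -> bool:
    """Same key for every packet: keystream is reused and the XOR relation holds."""
    return keystream_reused(TEMPORAL_KEY, PACKET_1, TEMPORAL_KEY, PACKET_2)


def per_packet_key_leaks() -> bool:
    """Distinct per-packet keys (IV 1 and IV 2): keystreams differ, relation does not hold."""
    return keystream_reused(per_packet_key(TEMPORAL_KEY, 1), PACKET_1,
                            per_packet_key(TEMPORAL_KEY, 2), PACKET_2)


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex().upper())        # BBF316E8D940AF0AD3
    print("static key leaks plaintext XOR:", static_key_leaks())      # True
    print("per-packet keys leak plaintext XOR:", per_packet_key_leaks())  # False
```

Even with per-packet keys, RC4 itself has known statistical weaknesses, which is why TKIP was only an interim fix and WPA2/WPA3 moved to AES-based CCMP.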
Authentication
Wireless networks should never be left open, and they should always require some form of authentication. Let’s look at a few wireless authentication methods:
- Remote Authentication Dial-In User Service (RADIUS)—RADIUS is an authentication method used to allow for centralized authentication and accounting. Although it gets its name from the days of dial-up internet, RADIUS is now the standard method used to authenticate over virtual private networks (VPNs) and wireless networks.
- Terminal Access Controller Access-Control System (TACACS)—TACACS (now TACACS+) was originally developed by Cisco®, but was released as an open standard. These protocols are used for authenticating users on network devices, such as routers and switches.
- Kerberos—Kerberos is an open standard for authentication that is used in conjunction with AD. Kerberos can also be used with the 802.1X protocol for direct authentication.
- multifactor—Multifactor authentication (MFA) requires a user to provide more than one authentication type, as discussed earlier in this study guide. A typical implementation of MFA relating to wireless authentication is Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which requires the user to have not only a password but also a certificate installed on their computer.
Malware
To answer questions about malware, you should be able to evaluate a given scenario, find malware, and remove it with practical tools and procedures. You should also know methods for preventing malware. Questions of this type will be scenario-based.
Malware
The term malware is used to describe any malicious software, including (but not limited to) trojans, spyware, viruses, and worms. Let’s take a deeper look at some of the different types of malware that exist today:
- trojan—Trojans (or trojan horses) are malicious programs that disguise themselves as valuable programs. Imagine a scenario where a user downloads a program that they believe will allow them to listen to music or watch a movie for free. They downloaded the program because they believed it to be a valuable and legitimate program; however, when they ran the program, they actually installed malware on their device. This is an example of a trojan.
- rootkit—Rootkits are malicious programs designed to gain privileged access to a computer. Rootkits conceal themselves by exploiting operating system (OS) functions, allowing them to target operating systems, hypervisors, and firmware.
- virus—A virus is defined as any malicious program that replicates itself and attempts to infect other computers. Viruses, unlike worms, which are self-replicating and self-propagating, need human interaction to spread. They are only able to replicate to different drives on the same computer and not across the network. Viruses are designed for various purposes, ranging from corrupting data to stealing information.
- spyware—Spyware is a type of malware that covertly collects data on a user after it is installed on their computer. This type of malware can be used for malicious purposes, such as stealing confidential data or credentials, or as a data collection device for advertising purposes. Spyware is typically a virus that requires user interaction to infect. For example, a user might be encouraged to click on a link in an email so the spyware downloads.
- ransomware—Ransomware is so named because it prevents access to your files and data until you pay the attacker. As the popularity of cryptocurrency (e.g., Bitcoin) has grown, so has ransomware. Attackers may demand some form of cryptocurrency as payment to release the data after a ransomware attack, making it more difficult for law enforcement to track them after the transaction.
- keylogger—Some attacks will try to install keyloggers onto a user’s computer to steal private data, passwords, or credit card numbers. Keyloggers come in both hardware and software forms. A keylogger records all the keystrokes made on the computer running the keylogger. This information can then be transmitted to the attacker, who parses it for useful stolen information.
- boot sector virus—A boot sector virus infects the master boot record (MBR) of a hard disk and is designed to load when a device is booted up, reinfecting the OS each time it is booted up. Secure Boot can be used to identify a boot sector virus.
- cryptominer—Cryptominers perform cryptographic computations to create cryptocurrency. Cryptomining malware infects other computers to use their processing power to perform these computations on behalf of the cryptominer.
- stalkerware—Stalkerware is a type of malware that is designed to monitor and track an infected user’s activity, such as geolocation data, keystrokes, app usage, web browsing history, and photos and videos. Stalkerware, often disguised as a legitimate application, is commonly installed on a targeted device through direct interaction.
- fileless—Fileless malware is malware that does not write to the hard drive but instead resides in the random access memory (RAM) of a device. This results in no trackable files or footprint, making fileless malware extremely difficult to detect through traditional anti-malware scanners. Fileless malware uses legitimate system tools and processes to operate, an approach referred to as living-off-the-land (LOTL) attacks.
Adware
Adware is a type of malware that delivers unwanted advertisements to an infected device and is often bundled with legitimate software applications. Adware can range from mildly intrusive to highly malicious, featuring intrusive ads, unauthorized data collection, or redirection to malicious websites.
Potentially Unwanted Program (PUP)
A PUP is software that is not intentionally installed by the user and may affect the operational ability of the device. PUPs are commonly bundled with other software or may come preinstalled on devices or OSs. For example, on most new cellular phones, multiple applications will be preinstalled from the factory, some of which will be unnecessary for functionality.
Tools and Methods
There are various tools and methods available to detect and prevent malware. These are not one-off procedures, but are rather multiple layers of prevention, detection, and eradication that should be employed to fully protect a system.
Recovery Console
Microsoft Windows offers a suite of built-in recovery tools through the Recovery Console (the more advanced version is Windows Recovery Environment [WinRE]). This console can be especially helpful if a computer has been infected by malware. Some of the tools in the Recovery Console will allow you to reset the OS to its default settings or simply restore the computer to an earlier state, such as before the computer became infected.
Endpoint Detection and Response (EDR)
EDR is a cybersecurity tool that enables the monitoring of and response to threats on connected endpoint devices, such as laptops, computers, and mobile devices. Implementing an EDR system provides increased visibility into endpoint devices, proactive threat monitoring, detection, and response, while also reducing alert fatigue for security response personnel.
Managed Detection and Response (MDR)
MDR is a cybersecurity solution that uses both software-based technologies and human expertise to enhance security for a system or network, often provided by a third-party provider. MDR extends beyond traditional monitoring and response by also incorporating incident investigation across the entire network or system, including endpoints.
Extended Detection and Response (XDR)
XDR goes beyond EDR to provide a multifaceted approach to security and network visibility by monitoring and analyzing data from multiple network layers, including hardware, endpoints, email, and cloud activity. XDR also provides automation for threat response and detection.
Antivirus
Many threats described above can be mitigated simply by having an antivirus program installed. Antivirus software consists of two main components: the antivirus engine and the antivirus database. The antivirus engine is responsible for real-time scanning. The antivirus definitions database is a repository of signatures that is used to detect known malware.
Anti-Malware
Anti-malware software is similar to antivirus software, but it takes the detection a step further. Anti-malware software can typically check files outside of the Windows file system, including those on malicious websites and those received via email.
Email Security Gateway
An email security gateway or secure email gateway (SEG) is a cybersecurity solution dedicated to email security, including incoming and outgoing email transmissions. SEGs can identify possible threats, such as phishing attempts or potential malware, through the use of anti-spam and anti-malware filters as well as phishing, URL, and attachment detection.
Software Firewalls
When referring to software firewalls in this section, we mean firewalls that are built into the OS. Windows computers come with a built-in software firewall called Windows Defender Firewall. This firewall can help prevent worms and malicious inbound connections.
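The following PowerShell script is an added example, not part of the study guide, that audits the built-in Windows Defender Firewall the way a technician would after a malware incident: it checks that each profile is enabled and blocks unsolicited inbound traffic, lists the enabled inbound Allow rules that accept connections from any remote address, and optionally applies a hardened baseline. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and an elevated session for the `Set-NetFirewallProfile` call; the `$Apply` switch and the function names are my own.

```powershell
# Added example (not from the study guide). Requires the NetSecurity module;
# the Apply step requires an elevated (Administrator) PowerShell session.

function Get-FirewallProfileStatus {
    # A profile is weak if it is disabled or explicitly allows inbound by default.
    # 'NotConfigured' falls back to Block, so only 'Allow' is flagged.
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile        = $p.Name
            Enabled        = $p.Enabled
            DefaultInbound = $p.DefaultInboundAction
            Status         = if ($p.Enabled -and $p.DefaultInboundAction -ne 'Allow') { 'OK' } else { 'WEAK' }
        }
    }
}

function Get-OpenInboundRules {
    # Enabled inbound Allow rules reachable from any remote address are the
    # entry points a worm or scanner would probe; review each one.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($r in $rules) {
        $addr = $r | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            $port = $r | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $r.DisplayName
                Profile   = $r.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    }
}

function Set-FirewallBaseline {
    # Hardened baseline: all profiles on, unsolicited inbound blocked, outbound
    # allowed, and dropped packets logged for later incident investigation.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

$Apply = $false   # set to $true to enforce the baseline after reviewing the report
Get-FirewallProfileStatus | Format-Table -AutoSize
Get-OpenInboundRules      | Format-Table -AutoSize
if ($Apply) { Set-FirewallBaseline; Get-FirewallProfileStatus | Format-Table -AutoSize }
```

Review the inbound rule report before applying the baseline; rules such as file sharing or remote management may be legitimately required on a given machine, and any rule that is not should be disabled with `Disable-NetFirewallRule`.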
User Education
While there are plenty of excellent tools available to help protect against attacks, end-user education is one of the most important. This is because antivirus software and spam filters are not perfect. It is essential for users to understand what types of items they should download and not download, what types of websites they should not visit, and how to identify a phishing scam.
Anti-Phishing Training
Anti-phishing training is specifically designed for end users to understand phishing techniques and tactics. This training may involve sending spoof phishing emails to users to identify potential weak spots in their security awareness and training.
OS Reinstallation
For a highly corrupted OS, it may be necessary to reinstall the OS with a clean installation. This will remove all data previously attached to the old installation of the OS, including viruses and malware that might have infected it.