CompTIA A+ Core 2 Security Measures Explained: What They Do and Why They Matter
1. Security Measures in CompTIA A+ Core 2: What You Actually Need to Know
For A+ Core 2, security isn’t one of those side topics you can breeze past and hope for the best. It shows up all over the place in real support work — password resets, phishing calls, VPN headaches, lost laptops, browser warnings, wireless setup, backups, and basic device hardening. The exam objective is to summarize security measures and their purposes, which means you need more than definitions. You’ve really got to know what each control is protecting, what problem it’s trying to solve, and when it’s actually the right call for the situation in front of you.
The core model is the CIA triad: confidentiality, integrity, and availability. Encryption is mainly about confidentiality, which is exactly why it’s such a big deal when a laptop goes missing or sensitive files are in play. Hashing, permissions, and change control all help protect integrity, basically by keeping data accurate and cutting down on changes that shouldn’t have happened in the first place. Backups, redundancy, and patching all support availability because they help keep systems and data accessible when something breaks or just plain goes sideways. Many controls support more than one goal, but the exam often asks for the primary purpose.
It also helps to think in terms of defense in depth. Security works best when you don’t lean on just one control and hope for the best. In real life, you want layers. I usually think of security like a building with a few locked doors between you and the important stuff. If one door fails, there’s still another one in the way. I like to think of it this way: physical controls protect the building itself, network controls help watch the traffic flowing through it, endpoint controls lock down the device, identity controls decide who gets through the door, and data controls protect the stuff that really matters once you’re inside. And if one layer fails? That next layer should still buy you some time, slow the bad guy down, and give you a chance to catch the issue before it snowballs into something much worse.
A+ also expects you to recognize control categories:
| Category | Purpose | Examples |
|---|---|---|
| Preventive | Reduce the chances of an incident before it even starts | MFA, patching, host-based firewalls, encryption |
| Detective | Catch suspicious activity or policy violations when they happen | Logs, alerts, cameras, and antimalware detections |
| Corrective | Restore service or data after an incident | Backups, reimaging, account recovery |
| Deterrent | Discourage bad behavior | Warning signs, visible cameras, login banners |
| Compensating | Alternate control when the preferred one is not possible | Extra monitoring when a legacy system cannot be fully patched |
CompTIA also mixes physical, technical, and administrative controls. A badge reader is physical. A firewall is technical. A password reset procedure is administrative. Learn to classify controls both ways.
2. Authentication, MFA, and Access Control
Authentication proves identity. Authorization determines what an authenticated user can do. That difference is one of the spots where new techs — and exam candidates — get tripped up the most.
The classic authentication factors are something you know (password, PIN), something you have (smart card, hardware token, authenticator app device), and something you are (fingerprint, face). Modern systems may also reference somewhere you are (location) and something you do (behavioral patterns), but A+ usually emphasizes the classic three.
Passwords should be long, unique, and hard to guess. Honestly, a better approach these days is usually longer passphrases, checking against known breached passwords, and using MFA instead of forcing constant password changes. Now, to be fair, some organizations still require expiration because of policy or compliance, so you’ll still run into that in the real world. Account lockout policies help mitigate repeated password guessing and brute-force attempts, though password spraying may be designed to stay below lockout thresholds. Lockout settings usually include a threshold, a lockout duration, and a reset counter — pretty standard stuff, but still important. Just keep in mind that lockout can also be abused to create a denial-of-service issue for users.
MFA requires multiple factors from different categories. If stolen passwords are the threat, MFA is one of the strongest controls you can put in place. Common MFA methods include authenticator apps, one-time passcodes, push prompts, hardware tokens, smart cards, and biometrics paired with a PIN. Smart cards often hold certificates and private keys for certificate-based authentication, so they tend to show up more in tightly controlled environments. Tokens may generate time-based or event-based one-time codes, depending on how they’re set up. SSO is different: it reduces repeated logins across systems, but it is not itself a second factor.
Biometrics are convenient, but they have tradeoffs. Systems can produce false acceptance and false rejection results, so they are usually paired with another method such as a PIN. Least privilege, need to know, RBAC, and separation of duties are authorization concepts. They limit access after login and should apply to users, applications, and service accounts.
In real support work, identity proofing matters most during resets. A safe password reset workflow is pretty straightforward: verify identity using approved methods, reset the credential, require a change at next sign-in if policy calls for it, document the ticket, and escalate if anything feels off. The same idea applies to MFA resets, honestly. Don’t remove or reset MFA just because someone sounds urgent, frustrated, or irritated. Take the time to verify the request properly every single time. That part really matters.
Account lockout troubleshooting: if a user keeps locking out, check for stale passwords in mobile mail apps, saved browser credentials, mapped drives, VPN clients, or multiple devices. If you start seeing repeated login failures across a bunch of different accounts, that’s when my attention really perks up. That pattern can look a lot like password spraying, and that’s not something you want to shrug off. And yeah, that’s absolutely something you want to escalate right away.
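The two patterns described above, many failures against one account versus a few failures each across many accounts, are easy to tell apart once the failed sign-ins are grouped the right way. The following is an added example, not code from the article: it runs a simple classifier over constructed sign-in events (the log format, the sample IPs and account names, and the lockout threshold, window and "minimum accounts" values are all assumptions chosen for the illustration, not anyone's real policy).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real logs: "<ISO timestamp> <FAIL|OK> <account> <source IP>".
SAMPLE_EVENTS = [
    "2024-05-01T09:00:00 FAIL alice 198.51.100.7",  # one account hammered from one source
    "2024-05-01T09:01:00 FAIL alice 198.51.100.7",
    "2024-05-01T09:02:00 FAIL alice 198.51.100.7",
    "2024-05-01T09:03:00 FAIL alice 198.51.100.7",
    "2024-05-01T09:04:00 FAIL alice 198.51.100.7",
    "2024-05-01T09:05:00 FAIL alice 198.51.100.7",
    "2024-05-01T10:00:00 FAIL bob 10.0.0.12",       # one typo, then success: normal user behaviour
    "2024-05-01T10:00:30 OK bob 10.0.0.12",
    "2024-05-01T11:00:00 FAIL carol 203.0.113.9",   # one guess each against many accounts
    "2024-05-01T11:00:05 FAIL dave 203.0.113.9",
    "2024-05-01T11:00:10 FAIL erin 203.0.113.9",
    "2024-05-01T11:00:15 FAIL frank 203.0.113.9",
    "2024-05-01T11:00:20 FAIL grace 203.0.113.9",
    "2024-05-01T11:00:25 FAIL heidi 203.0.113.9",
    "2024-05-01T11:00:30 FAIL ivan 203.0.113.9",
    "2024-05-01T11:00:35 FAIL judy 203.0.113.9",
]

LOCKOUT_THRESHOLD = 5                    # assumed lockout policy: failures before the account locks
LOCKOUT_WINDOW = timedelta(minutes=30)   # assumed policy: the reset-counter window
MIN_SPRAY_ACCOUNTS = 5                   # assumed tuning: distinct accounts per source before we call it spraying


def parse_event(line):
    ts, status, account, source = line.split()
    return datetime.fromisoformat(ts), status, account, source


def max_failures_in_window(times, window):
    """Largest number of failures that fall inside any single sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_failures(lines, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW,
                      min_accounts=MIN_SPRAY_ACCOUNTS):
    """Return {'brute_force': {account: peak failures}, 'spraying': {source: [accounts]}}."""
    per_account = defaultdict(list)                     # account -> failure timestamps
    per_source = defaultdict(lambda: defaultdict(int))  # source -> account -> failure count
    for ts, status, account, source in map(parse_event, lines):
        if status != "FAIL":
            continue
        per_account[account].append(ts)
        per_source[source][account] += 1

    # Brute force: one account hit hard enough inside the window to reach the lockout threshold.
    brute_force = {}
    for account, times in per_account.items():
        peak = max_failures_in_window(times, window)
        if peak >= threshold:
            brute_force[account] = peak

    # Spraying: one source touching many accounts while staying under the threshold on each one,
    # which is exactly the pattern an account lockout policy on its own will not catch.
    spraying = {}
    for source, accounts in per_source.items():
        if len(accounts) >= min_accounts and max(accounts.values()) < threshold:
            spraying[source] = sorted(accounts)
    return {"brute_force": brute_force, "spraying": spraying}


if __name__ == "__main__":
    for kind, hits in classify_failures(SAMPLE_EVENTS).items():
        print(kind, hits)
```

On the sample data, alice shows up under brute force (six failures in five minutes from one source, enough to trip the assumed threshold), bob is ignored, and 203.0.113.9 shows up under spraying because it touched eight accounts once each and never got near the lockout threshold on any of them. That second bucket is the one to escalate, since nothing in the lockout policy will ever fire on it.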
3. Endpoint Security and Workstation Hardening
Endpoint security is basically about the workstation, laptop, or mobile device the user’s actually touching every day. One weak endpoint can become the easy way in for malware, stolen credentials, or an attacker trying to move deeper into the environment. In real support work, that’s usually how small problems turn into big ones.
Modern endpoint protection often combines signature-based, heuristic, behavioral, and cloud-assisted detection. In real support work, antivirus and antimalware overlap so much that I honestly wouldn’t get too hung up on the exact wording. The bigger question is whether the control is catching and blocking malicious activity. For A+, what really matters is the job it’s doing: detect, block, quarantine, and alert on malicious activity. A technician should know how to verify the agent is installed, real-time protection is enabled, definitions are current, scans are running, quarantine events are showing up, and tamper protection hasn’t been turned off. False positives do happen, so exclusions need to be tightly controlled and documented really clearly.
A host-based firewall filters traffic on the device itself. It can apply different rules for domain, private, and public network profiles. Inbound rules commonly allow only approved services; outbound rules may be restricted in tighter environments. If a business app stops working, do not disable the firewall as a shortcut. Confirm the profile, check logs, identify the blocked port or executable, and create the narrowest rule necessary.
File and folder permissions support least privilege. In practice, access should be assigned to groups rather than individual users whenever possible. A common support issue is “access denied.” Troubleshoot by checking group membership, inherited permissions, explicit denies, and whether both share permissions and file-system permissions are involved. Avoid the bad habit of granting full control to everyone just to close a ticket.
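To see why "access denied" tickets need the four checks listed above rather than a blanket full-control grant, it helps to walk the calculation by hand. The following is an added example, not code from the article or from Windows: it models a deliberately simplified NTFS-plus-share permission evaluation over a constructed set of groups, folders and ACLs (every name, path and right here is made up for the illustration). The model unions allows across the user's groups, lets any matching deny win, and caps the result with the share permission when the path is reached over the network; real NTFS additionally orders explicit entries ahead of inherited ones, which the model ignores.

```python
from collections import namedtuple

ACE = namedtuple("ACE", "principal kind rights")  # kind is "allow" or "deny"

# Constructed example environment (not from any real system).
GROUPS = {
    "alice": {"Domain Users", "Engineering"},
    "bob": {"Domain Users", "Engineering", "Contractors"},
}
# NTFS ACLs keyed by folder; entries apply to everything below unless a child blocks inheritance.
NTFS_ACLS = {
    r"D:\Projects": [ACE("Domain Users", "allow", {"read"}),
                     ACE("Engineering", "allow", {"read", "write"})],
    r"D:\Projects\Secret": [ACE("Contractors", "deny", {"read", "write"})],
}
INHERITANCE_BLOCKED = set()   # folders whose ACL does not inherit from the parent (none in this sample)
# Share-level permissions only apply when the path is reached over the network.
SHARE_ACLS = {"Projects": [ACE("Everyone", "allow", {"read"})]}


def path_chain(path):
    r"""D:\a\b\c.txt -> ['D:', 'D:\a', 'D:\a\b', 'D:\a\b\c.txt'] (root first)."""
    parts = path.split("\\")
    return ["\\".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_access(user, path, share=None):
    """Return (effective rights, explanation lines) for `user` on `path`.

    Simplified model: allows are unioned across the user and all of their groups,
    any matching deny removes those rights, and share permissions (when the path
    is reached via `share`) cap the result.
    """
    principals = {user, "Everyone"} | GROUPS.get(user, set())
    allowed, denied, notes = set(), set(), []

    # Walk from the target up towards the root, stopping where inheritance is blocked,
    # so only the ACLs that actually flow down to the target are considered.
    applicable = []
    for node in reversed(path_chain(path)):
        applicable.append(node)
        if node in INHERITANCE_BLOCKED:
            break

    for node in reversed(applicable):
        for ace in NTFS_ACLS.get(node, []):
            if ace.principal not in principals:
                continue
            bucket = denied if ace.kind == "deny" else allowed
            bucket |= ace.rights   # in-place update of the chosen set
            notes.append(f"{ace.kind} {sorted(ace.rights)} via {ace.principal} at {node}")
    rights = allowed - denied      # an explicit deny beats any allow in this model

    if share is not None:
        share_rights = set()
        for ace in SHARE_ACLS.get(share, []):
            if ace.principal in principals and ace.kind == "allow":
                share_rights |= ace.rights
        notes.append(f"share '{share}' caps access to {sorted(share_rights)}")
        rights &= share_rights     # most restrictive of NTFS and share wins
    return rights, notes


if __name__ == "__main__":
    target = r"D:\Projects\Secret\plan.docx"
    for user, via in (("alice", None), ("bob", None), ("alice", "Projects")):
        rights, why = effective_access(user, target, share=via)
        print(user, "via", via or "local", "->", sorted(rights))
        for line in why:
            print("   ", line)
```

The three runs reproduce three common tickets: alice can read and write locally because Engineering's allow is inherited from the parent folder; bob gets nothing on the same file because his Contractors membership carries an explicit deny one level down, even though he is also in Engineering; and alice reaching the same file through the share is read-only because the share permission caps the NTFS rights. The explanation lines are the point: each one names the group and folder responsible, which is what you need to fix the actual cause instead of granting everyone full control.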
Disk encryption protects data at rest. Full-disk encryption is a baseline control for laptops and other portable devices. On business systems, keys are often protected by a TPM, and recovery keys should be escrowed in a secure management system or directory service. If the motherboard, TPM state, or boot configuration changes, the device may suddenly ask for a recovery key. Encryption does a great job protecting a powered-off device from offline access, but once someone’s already signed in, it won’t stop them from opening files they’re allowed to reach.
Secure Boot helps validate trusted boot components in the UEFI startup chain to reduce bootkits and rootkits. It depends on UEFI and platform policy. It adds another layer of trust during startup, but it definitely doesn’t replace patching, antimalware, or encryption. It’s one more barrier, not the whole security strategy.
Patch management closes known vulnerabilities in operating systems, browsers, drivers, and applications. Good patching practice means testing updates first, rolling them out in stages, planning maintenance windows, handling reboots, documenting exceptions, and then checking compliance afterward so you actually know what got updated. Otherwise, you’re basically guessing. Third-party applications matter a lot too, because attackers often go after browsers, document readers, and collaboration tools first. They’re widely used, which makes them an attractive target. Least functionality is another hardening principle: disable unnecessary services, remove unapproved software, restrict local admin rights, enable screen locks, and control removable media.
A practical hardened workstation checklist would look something like this: automatic updates on, host-based firewall enabled, endpoint protection healthy, full-disk encryption turned on, a standard user account by default, screen lock enforced, only approved software installed, and unnecessary services disabled.
4. Network, Wireless, and Remote Access Security
This is where things get very real in day-to-day support.
Wireless security questions often come down to choosing the right mode. WPA2/WPA3-Personal uses a shared passphrase and is common for home and small office use. WPA2/WPA3-Enterprise is more appropriate for business environments and commonly uses 802.1X authentication with a RADIUS server. WPA3-Personal uses SAE, which improves resistance to offline dictionary attacks compared with WPA2-PSK, but weak passwords are still a problem.
MAC filtering is not a strong security control because MAC addresses are easy to spoof and the administrative overhead is high. Captive portals help with guest access, terms acceptance, or payment workflow, but they do not provide encryption by themselves. Encryption comes from the wireless protocol and application-layer protections such as secure web sessions.
Guest network isolation is important. Guest Wi-Fi should stay completely separate from internal systems, usually through segmentation like VLANs and firewall rules so guests can get internet access without getting anywhere near internal resources. Segmentation is also really useful for printers, IoT devices, labs, kiosks, and servers, especially when you don’t want one noisy device to have access to everything else. It limits exposure and helps contain problems, but it can also generate support tickets when cross-segment access isn’t allowed or isn’t documented well.
VPN creates an encrypted tunnel between endpoints, typically the user device and a VPN gateway. It is especially useful on untrusted networks and for reaching internal resources. Some deployments send all traffic through the VPN (full tunnel), while others send only company-bound traffic (split tunnel). Secure web traffic protects the session to a specific site or app, while a VPN protects the broader connection between the device and the VPN endpoint. They solve different problems. They’re related, but they’re definitely not the same thing, and that distinction shows up a lot on the exam.
Common remote access issues include expired passwords, failed MFA, invalid certificates, DNS problems, time drift on token devices, and users connecting to Wi-Fi but forgetting that internal resources still need the VPN. Also know the risks of rogue or evil twin access points. A familiar network name does not guarantee a legitimate network.
5. Physical Security, Mobile Devices, and BYOD
Physical security still matters because a stolen device or unauthorized entry can blow past a lot of technical controls all at once. Common physical measures include locks, badge readers, mantraps, cameras, cable locks, privacy screens, secure storage, and visitor management. Cameras are mostly detective controls, though just seeing them there can discourage bad behavior too. Badge revocation should happen quickly during offboarding or after a lost badge report.
Tailgating is when an unauthorized person follows an authorized person into a restricted area. Piggybacking is closely related and often implies the authorized person knowingly allows it. A+ may use either term.
For mobile devices, the basics are strong screen locks, biometrics with PIN fallback, encryption, remote lock, and remote wipe. In business environments, these controls are usually enforced through MDM/UEM platforms. MDM can require encryption, enforce PIN length, deploy apps, separate work data from personal data, and issue a remote wipe or selective wipe. Remote wipe is useful, but the device usually has to be enrolled and then come back online before the command actually takes effect. So yeah, it’s helpful, but it’s definitely not instant magic.
BYOD requires clear boundaries: what the company can manage, what support is offered, what security settings are mandatory, and how corporate data is removed when the user leaves or the device is retired. Containerization or work profiles help keep personal and business data separate, and that makes life a lot easier for both support staff and users.
6. Data Protection, Encryption, Backups, and Disposal
A+ security questions often become easier if you separate data at rest, data in transit, and data in use. Full-disk encryption protects data at rest, which is the data sitting on the device. VPN and secure web traffic protect data in transit. Data in use is harder to protect because the user and applications are actively working with it.
Backups primarily protect availability. Backups won’t stop someone from getting into live data, but they’ll help you get files back after deletion, corruption, hardware failure, or ransomware. That’s why they’re such a big deal. At a basic level, know the idea of full, incremental, and differential backups. More important for A+ is that backups must be tested by performing restore verification, not just by checking that a backup job reported success. For ransomware resilience, offline, offsite, or immutable backup copies are especially valuable because malware can still encrypt any backup repository it can reach, and copies it cannot reach are the ones that survive.
A simple recovery mindset helps too: figure out what has to come back first, how much data loss you can tolerate, and how quickly service needs to be restored. Even without heavy disaster recovery terminology, that is the technician view of recovery priorities.
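The difference between incremental and differential backups, and the reason a green "job succeeded" message is not the same as a verified restore, both come out clearly in a small simulation. The following is an added example, not code from the article or any backup product: it builds the backup sets each strategy would produce over a constructed four-day run of file changes (the file names and contents are made up), works out the restore chain for a chosen day, and checks the restored files against the live data by hash, including the case where one backup set in the middle turns out to be lost or corrupt.

```python
import hashlib

# Constructed file contents: day 0 is the Sunday full backup; later days list only the files that changed.
DAILY_CHANGES = [
    {"report.docx": "v1", "budget.xlsx": "v1", "notes.txt": "v1"},  # day 0: everything
    {"report.docx": "v2"},                                           # day 1
    {"budget.xlsx": "v2"},                                           # day 2
    {"report.docx": "v3", "notes.txt": "v2"},                        # day 3
]


def build_backups(changes, strategy):
    """Backup sets a 'full then incremental' or 'full then differential' schedule would produce."""
    backups, since_full = [], {}
    for day, delta in enumerate(changes):
        if day == 0:
            backups.append(("full", dict(delta)))
        elif strategy == "incremental":
            backups.append(("incremental", dict(delta)))        # changed since the previous backup of any kind
        elif strategy == "differential":
            since_full.update(delta)
            backups.append(("differential", dict(since_full)))  # everything changed since the last full
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return backups


def restore_chain(backups, day, strategy):
    """Backup sets that must be applied, in order, to rebuild `day`. Lost sets are None and are skipped."""
    if strategy == "incremental":
        candidates = backups[:day + 1]                                   # full plus every incremental so far
    else:
        candidates = [backups[0], backups[day]] if day else [backups[0]]  # full plus the latest differential
    return [b for b in candidates if b is not None]


def apply_chain(chain):
    state = {}
    for _kind, files in chain:
        state.update(files)
    return state


def live_state(changes, day):
    """What the data actually looked like on `day`: the ground truth a restore has to match."""
    state = {}
    for delta in changes[:day + 1]:
        state.update(delta)
    return state


def fingerprint(state):
    """Hash every file so the comparison is content-based, the way a restore verification should be."""
    return {name: hashlib.sha256(content.encode()).hexdigest() for name, content in state.items()}


def verify_restore(changes, strategy, day, lost_day=None):
    """Restore `day` (optionally with one backup set lost) and compare against the live data.

    Returns (restore_matches_live_data, number_of_sets_applied).
    """
    backups = build_backups(changes, strategy)
    if lost_day is not None:
        backups[lost_day] = None   # simulate a corrupt or missing set that still "reported success" at the time
    chain = restore_chain(backups, day, strategy)
    ok = fingerprint(apply_chain(chain)) == fingerprint(live_state(changes, day))
    return ok, len(chain)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, "day 3, all sets present:", verify_restore(DAILY_CHANGES, strategy, 3))
        print(strategy, "day 3, day-2 set lost:  ", verify_restore(DAILY_CHANGES, strategy, 3, lost_day=2))
```

Restoring day 3 takes four sets with incrementals but only two with differentials, which is the classic trade-off (smaller daily backups versus a shorter, more robust restore chain). Losing the day 2 set breaks the incremental restore (budget.xlsx silently comes back at its day 0 version) while the differential restore is unaffected, and only the hash comparison reveals that; the backup job that wrote the day 2 set would have reported success either way.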
Secure disposal depends on the media type. Overwriting or sanitizing may be appropriate for some HDDs. Degaussing applies to magnetic media such as some hard drives and tapes, not SSDs or optical media. For SSDs and flash media, vendor secure erase, cryptographic erase where supported, or physical destruction is often more reliable because wear leveling can make simple overwriting insufficient. Paper records may require shredding. Good disposal practice also includes documentation and chain of custody for sensitive media.
7. Email, Browsing, and Administrative Security Practices
Spam filters, attachment controls, browser protections, and user awareness all need to work together. Phishing can be used to steal credentials, deliver malware, trigger MFA fatigue, or carry out business email compromise. Users should be trained to check links carefully, treat unexpected attachments with caution, avoid enabling risky macros, and report suspicious messages quickly.
Certificate warnings should not be ignored casually. The issue could be an expired certificate, a hostname mismatch, an untrusted issuer, or even interception risk. In managed environments, internal PKI or inspection appliances can also trigger warnings, so the right response is to verify the destination address, check the certificate details if you’re trained to do that, and contact IT instead of just clicking through.
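The four causes listed above are separate checks a browser performs, and a technician who is trained to read certificate details is doing the same checks by eye. The following is an added example, not code from the article or from any browser: it runs those checks over constructed certificate records that stand in for parsed X.509 fields (the host names, issuer names, trust store and dates are all made up), including the RFC 6125 rule that a wildcard stands in for exactly one leftmost label.

```python
from datetime import datetime, timezone

# Constructed trust store: nothing here is a real CA.
TRUSTED_ISSUERS = {"Example Public Root CA", "Corp Internal CA"}


def hostname_matches(pattern, host):
    """RFC 6125-style match: exact, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    host_labels = host.split(".")
    # The wildcard replaces one label only and the remainder must match exactly;
    # requiring at least two labels after it keeps '*.com' from matching everything.
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def diagnose_certificate(cert, host, now, trusted=TRUSTED_ISSUERS):
    """Return every reason a browser would warn for `cert` presented by `host` at time `now`."""
    problems = []
    if now < cert["not_before"]:
        problems.append("not_yet_valid")       # often just a wrong clock on the client
    if now > cert["not_after"]:
        problems.append("expired")
    if not any(hostname_matches(name, host) for name in cert["names"]):
        problems.append("hostname_mismatch")   # mistyped address, wrong site on a shared host, or interception
    if cert["issuer"] not in trusted:
        problems.append("untrusted_issuer")    # internal PKI root not deployed, inspection appliance, or a fake
    return problems


# Constructed certificate records standing in for the fields a browser shows in "certificate details".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD_CERT = {
    "names": ["portal.example.com", "*.apps.example.com"],
    "issuer": "Example Public Root CA",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
STALE_INTERNAL_CERT = {
    "names": ["intranet.corp.local"],
    "issuer": "Corp Internal CA",
    "not_before": datetime(2023, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2024, 1, 1, tzinfo=timezone.utc),
}
SUSPICIOUS_CERT = {
    "names": ["portal.example.com"],
    "issuer": "Unknown Issuer",
    "not_before": datetime(2024, 5, 1, tzinfo=timezone.utc),
    "not_after": datetime(2024, 8, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for label, cert, host in (("good", GOOD_CERT, "portal.example.com"),
                              ("wildcard ok", GOOD_CERT, "hr.apps.example.com"),
                              ("wildcard too deep", GOOD_CERT, "deep.hr.apps.example.com"),
                              ("stale internal", STALE_INTERNAL_CERT, "intranet.corp.local"),
                              ("right name, unknown issuer", SUSPICIOUS_CERT, "portal.example.com")):
        print(f"{label:28s} -> {diagnose_certificate(cert, host, NOW) or 'no warning'}")
```

The last two records are the ones worth dwelling on: an expired certificate from the company's own CA is a routine renewal ticket, while a certificate with exactly the right name from an issuer nobody trusts is the shape an interception attempt (or a misconfigured inspection appliance) takes, which is why the article says to verify the destination and contact IT rather than click through.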
Administrative controls matter just as much as technical controls. Security awareness training, acceptable use policies, clean desk expectations, onboarding and offboarding processes, incident reporting, and documentation all help reduce risk. Access revocation should happen quickly when a user changes roles or leaves the organization. Shared accounts should be avoided whenever possible because they weaken accountability.
A basic incident report should capture who reported the issue, what happened, when it happened, what device or account is involved, what actions were already taken, and whether sensitive data may be affected. Preserve evidence according to policy. For example, if malware is suspected, isolate the endpoint from the network, but don’t start changing things unnecessarily before escalating.
8. Exam Review, Troubleshooting, and Best-Fit Scenarios
CompTIA often gives several answers that sound related and asks for the best fit. Choose the control that directly addresses the stated risk.
| Issue | Best Answer | Why |
|---|---|---|
| Stolen laptop | Full-disk encryption | Protects data confidentiality if the device is offline and lost |
| User clicked phishing link | Reset password, review sign-ins, verify MFA, escalate | Limits account compromise and starts incident response |
| Public Wi-Fi remote worker | VPN plus MFA | Protects remote access on an untrusted network |
| Repeated bad login attempts | Account lockout policy | Mitigates brute-force attempts, though not all spraying attacks |
| Idle unlocked workstation | Screen lock / auto-lock | Protects an authenticated session from casual misuse |
| Ransomware recovery | Tested backups | Corrective control that restores availability |
Rapid troubleshooting checklist:
Locked account: check stale cached credentials, mobile apps, VPN retries, and failed sign-in logs.
VPN failure: verify internet access, credentials, MFA method, certificate status, and whether internal access requires full connection.
Malware alert: isolate device, confirm detection status, preserve evidence per policy, reimage if required, and restore data if needed.
Lost device: confirm encryption, disable accounts or sessions, revoke tokens or certificates if applicable, use tracking or MDM tools, and document the incident.
Top exam traps: authentication vs authorization, MFA vs SSO, encryption vs backup, screen lock vs account lockout, captive portal vs encryption, MAC filtering vs real wireless security, WPA Personal vs Enterprise, antivirus vs firewall, and preventive vs detective vs corrective controls.
Final memory aid: if the issue is proving identity, think authentication. If it is limiting actions after login, think authorization. If the device is lost, think encryption and remote management. If the network is untrusted, think VPN and MFA. If ransomware hits, think backups, patching, and least privilege. That is the A+ way to match security measures to their purpose.