2.7 - CompTIA A+ Core 2

Security Best Practices: Professor Messer

Data-at-rest encryption

  • Data-at-rest encryption: Encrypting data stored on physical storage devices so that sensitive information remains protected even if the hardware is lost or stolen. Often achieved via full disk encryption (FDE), which is frequently built into the operating system or filesystem (e.g., BitLocker on NTFS volumes in Microsoft Windows).

Password considerations

Length

  • Length: A strong password has a minimum of 12 to 16 characters.

Character types

  • Character types: A strong password has a mixture of lowercase letters, uppercase letters, numbers, and symbols to increase its complexity and make it harder to crack.

Uniqueness

  • Uniqueness: Refers to using different strong passwords on multiple sites, instead of using the same password or variants of the same password.

Complexity

  • Complexity: Strong passwords have a high degree of complexity (entropy) that makes them difficult to guess.

Expiration

  • Expiration: Passwords should expire after a set time period to reduce the risk of unauthorized access and ensure that users regularly update their credentials.

Basic input/output system (BIOS)/Unified Extensible Firmware Interface (UEFI) passwords

  • Administrator BIOS password: The password required to change BIOS/UEFI configuration settings.

  • User BIOS password: The password that halts the boot process (the OS will not load) until it is entered.

  • Good BIOS password practices: Do not allow blank passwords, always require a password, and never configure the system to log in automatically with a stored username and password.

End-user best practices

Use screensaver locks

  • Use screensaver locks: Require a password to unlock the screen after a set period of inactivity, so that unauthorized users cannot access an unattended device.

Log off when not in use

  • Log off when not in use: Require users to log out when they finish their work; this prevents unauthorized tampering with files and accounts.

Secure/protect critical hardware (e.g., laptops)

  • Secure/protect critical hardware (e.g., laptops): Utilize locking mechanisms, such as cable locks or security enclosures, to safeguard against theft and unauthorized access.

Secure personally identifiable information (PII) and passwords

  • Secure personally identifiable information (PII) and passwords: Protect information that can tie data to a specific person. Use privacy filters to prevent shoulder surfing in public places, and position your monitor so the screen faces a wall rather than passers-by.

Use password managers

  • Use password managers: Store and organize passwords in a single protected location, which makes it practical to use a unique strong password for every site.

Account management

Restrict user permissions

  • Restrict user permissions: Limit the access rights a user has on a device to what that specific person and their job function require.

Restrict log-in times

  • Restrict log-in times: Limit the hours during which users can log in to a network (e.g., disallow logins between midnight and 5 AM) to prevent access by third parties outside working hours.

Disable guest account

  • Disable guest account: Disable unnecessary accounts that may pose a risk to the network (e.g., the guest account).

User failed attempts lockout

  • User failed attempts lockout: An operating system setting (e.g., the Windows account lockout policy) that locks an account after a set number of failed login attempts; used to prevent brute-force password attacks.

Use timeout/screen lock

  • Use timeout/screen lock: A security practice that prompts users to re-enter credentials after a period of inactivity, reducing the likelihood of unauthorized access.

Apply account expiration dates

  • Apply account expiration dates: Set a date on which an account will become inactive; useful for students, contractors, or any account that needs only temporary access to a system.

Change the default administrator’s user account/password

  • Change the default administrator’s user account/password: A security practice that involves modifying the default credentials of the administrator account to prevent unauthorized access and ensure that only authorized users can configure system settings.

Disable AutoRun

  • Disable AutoRun: AutoRun automatically executes programs from removable media when it is inserted, which allows malware to spread without user intervention. It was removed in Windows 7 and later but is still present on Windows Vista and earlier.

Disable unused services

  • Disable unused services: Turn off services that are not essential for the system to function; this frees system resources and reduces the attack surface available to attackers.