This chapter covers physical security controls, specifically locks, cameras, and access badges, as tested in CompTIA A+ Core 2 (220-1102) Objective 2.2. Physical security is a foundational layer of defense that protects hardware, data, and personnel. Expect approximately 5–10% of exam questions to touch on physical security, often in the context of preventing unauthorized access, theft, or tampering. Mastering these concepts helps you identify appropriate controls for given scenarios and understand how they integrate with broader security policies.
Imagine a medieval castle with multiple layers of defense. The outer wall has a heavy wooden door with a lock; only those with the correct key can enter. Inside, there are inner gates that require a different key, and guards patrol the corridors. Some areas are monitored by lookouts (cameras) who report any suspicious activity to the captain. The captain keeps a log of everyone who enters and leaves, and issues badges to trusted messengers. If a messenger loses their badge, the captain cancels it and issues a new one. Attackers might try to pick the lock, climb the wall, or bribe a guard. In response, the castle uses stronger locks, higher walls, and rotating guard shifts. This mirrors how modern physical security uses locks, cameras, and access badges to create layered defenses. Locks prevent unauthorized entry, cameras provide surveillance and deterrence, and badges control and log access. Just as the castle's security is only as strong as its weakest point, an organization's physical security must address all vulnerabilities, from tailgating to lost badges.
What Is Physical Security and Why Does It Matter?
Physical security refers to measures designed to protect physical assets—hardware, facilities, and people—from unauthorized access, damage, or theft. In the CompTIA A+ Core 2 exam, physical security is part of Domain 2.0 (Security), Objective 2.2: "Given a scenario, implement physical security controls." The exam expects you to know the purpose, implementation, and limitations of locks, cameras, and access badges, as well as related concepts such as tailgating, mantraps, and biometrics.
Physical security is critical because physical access defeats most logical controls. An attacker who can physically touch a workstation can boot from removable media, pull the hard drive, or install a hardware keylogger, none of which a firewall or password policy will stop. Even with strong network security, a single unlocked door can expose an entire organization. CompTIA therefore emphasizes a layered approach (defense in depth) in which physical controls complement logical ones.
Locks: Types, Mechanisms, and Vulnerabilities
Locks are the most basic physical access control. They prevent or delay unauthorized entry. The exam covers several lock types:
Keyed Locks: Traditional pin-tumbler locks. A key lifts pins to the correct height, allowing the plug to rotate. Vulnerable to lock picking, bumping, and key duplication.
Combination Locks: Use a sequence of numbers or symbols. Common on lockers and safes. Vulnerable to shoulder surfing and brute force if the combination is short.
Electronic Locks: Use a keypad, card reader, or biometric scanner. Often part of an access control system. Vulnerable to power loss, hacking, or credential theft.
Cable Locks: Used to secure laptops or equipment to a fixed object. Easily cut with bolt cutters, so they provide only low security.
Smart Locks: Connect via Bluetooth or Wi-Fi, allowing remote access and logging. Vulnerable to wireless attacks and firmware exploits.
Key security concepts for locks:
- Key Control: Policies that prevent unauthorized key duplication and track who holds which key. Master key systems allow different access levels but create a single point of failure if a master key is lost or copied.
- Lock Bumping: A technique in which a "bump key" cut to the deepest position is inserted and struck so the pins momentarily jump above the shear line, letting the plug turn. Bump-resistant locks use special pins (or, in the case of electronic locks, no keyway at all) to make this harder.
- Tailgating: Following an authorized person through a door before it closes. Locks alone cannot prevent this; it requires additional controls such as a mantrap, turnstile, or security guard.
Cameras: Surveillance and Deterrence
Cameras (CCTV) provide monitoring and recording of physical areas. They serve as a deterrent, as evidence, and for real-time observation. The exam focuses on:
Types: Analog (coaxial cable) vs. IP cameras (network-based). IP cameras offer higher resolution and remote access.
Placement: Cover entry/exit points, server rooms, loading docks, and high-value asset areas. Avoid blind spots.
Recording: Continuous vs. motion-activated. Retention policies vary (e.g., 30 days). Storage can be local (DVR/NVR) or cloud-based.
Privacy Considerations: Cameras should not monitor private areas like restrooms. Laws vary by jurisdiction.
Limitations:
Cameras can be disabled (e.g., cut cables, spray paint).
Poor lighting reduces effectiveness; IR cameras help in darkness.
Recordings may be tampered with if not properly secured.
Access Badges: Credential-Based Entry
Access badges are physical tokens (cards, fobs) that store credentials used with electronic locks. They are part of an Access Control System (ACS). The exam covers:
Types: Proximity cards (RFID), smart cards (contact/contactless), and magnetic stripe cards.
How they work: When a badge is presented, the reader obtains its credential. For a proximity card this is a static card number transmitted when the reader's field powers the card; for a smart card it is a response the reader can verify cryptographically. The reader forwards the credential to a controller, which checks it against a database of authorized badges, access levels, and schedules. If the badge is authorized for that door at that time, the controller releases the lock and records the event.
Benefits: Easy to revoke (deactivate badge), audit trail of entries, and granular access levels.
Weaknesses: A badge can be lost, stolen, or cloned (e.g., RFID cloning of a static card number). Combining the badge with a PIN or biometric (two-factor authentication) means a lost or cloned badge alone is not enough to open the door.
Related concepts:
- Mantrap: A small room with two interlocking doors. The second door does not unlock until the first has closed, so only one person (or one verified group) passes at a time, preventing tailgating.
- Biometrics: Fingerprint, retina, or facial recognition. Can be used alone or with badges. High security, but can be spoofed and has false rejection rates.
- Security Guards: Human element that can enforce policies, check IDs, and respond to incidents.
Defense in Depth: Layering Physical Controls
CompTIA emphasizes that no single control is sufficient. A layered approach includes:
Perimeter: Fences, bollards, gates.
Building: Locked doors, alarms, cameras.
Internal: Badge readers, mantraps, security guards.
Asset: Cable locks, lockable cabinets, hard drive encryption.
For example, a server room might have: an electronic lock with badge + PIN, a camera recording the door, a mantrap, and a log of all access. Even if one layer fails, others remain.
Common Attack Vectors and Countermeasures
Social Engineering: Attackers pose as employees or vendors. Counter: verify identity, security awareness training.
Tailgating: Follow authorized person. Counter: mantrap, security guard, turnstiles.
Lock Picking: Attacker opens a keyed lock without the key. Counter: bump-resistant locks, or electronic locks with no keyway.
Badge Cloning: Attacker copies a badge's static ID. Counter: encrypted smart cards, or two-factor authentication (badge + PIN).
Camera Tampering: Attacker cuts cables, covers or redirects cameras. Counter: place cameras out of reach, use tamper-detection alarms, and secure the camera network.
Exam-Specific Details
You must know the following for the exam:
The difference between a bump-resistant lock and a "bump-proof" one: no lock is fully proof against bumping or picking, but a resistant lock raises the time and skill required and so reduces risk.
That cable locks are low security and can be cut with bolt cutters.
That biometric systems have a False Acceptance Rate (FAR) and False Rejection Rate (FRR).
That a mantrap prevents tailgating by using two interlocking doors that cannot both be open at the same time.
That access badges should be combined with a PIN for two-factor authentication.
That cameras should be placed to cover critical areas and have adequate lighting.
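The FAR/FRR point above is easier to see with numbers. The following is an added example (not from the exam objectives or any vendor's product) that computes both rates for a hypothetical biometric matcher at a chosen acceptance threshold and finds the threshold where the two rates cross. The similarity scores are constructed for illustration; the matcher, its 0 to 100 score scale, and the names GENUINE_SCORES and IMPOSTOR_SCORES are assumptions, not real measurements.

```python
# Added example: computing FAR and FRR for a biometric matcher.
# The score lists are constructed for illustration and are not data from any
# real fingerprint, iris, or face system.

# Similarity scores from a hypothetical matcher (0 = no match, 100 = perfect).
# "Genuine" attempts: enrolled users presenting their own biometric.
# "Impostor" attempts: other people (or a replica) presented against that template.
GENUINE_SCORES = [92, 88, 95, 79, 85, 90, 61, 83, 97, 74]
IMPOSTOR_SCORES = [12, 35, 58, 22, 41, 67, 30, 18, 49, 72]


def far(impostor_scores, threshold):
    """False Acceptance Rate: fraction of impostor attempts scoring >= threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: fraction of genuine attempts scoring < threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """Return [(threshold, FAR, FRR), ...] so the security/usability trade-off is visible."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_threshold(genuine_scores, impostor_scores):
    """Lowest threshold at which FAR <= FRR; this approximates the crossover (EER) point
    commonly used to compare biometric systems."""
    for t in range(0, 101):
        if far(impostor_scores, t) <= frr(genuine_scores, t):
            return t
    return 100


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [50, 60, 68, 75, 90]):
        print(f"threshold={t:3d}  FAR={a:.2f}  FRR={r:.2f}")
    print("crossover threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these constructed scores a threshold of 50 accepts three of ten impostors but rejects no genuine user; raising it to 75 rejects every impostor but turns away two of ten genuine users. Tightening the threshold always trades FAR for FRR, which is why a high-FRR deployment tempts staff to prop doors open (Scenario 1 below).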
Configuration and Best Practices
While the exam does not require specific vendor commands, you should understand how to implement controls:
Badge System: Define access levels (e.g., employee vs. contractor), set schedules (e.g., only during business hours), and maintain a revocation process.
Camera System: Configure motion detection, retention period, and secure storage. Use encrypted transmission for IP cameras.
Locks: Use high-security locks for sensitive areas. Implement key control policies.
Example Policy: "All server room doors must use electronic locks with badge and PIN. Access is logged and reviewed weekly. Lost badges must be reported within 1 hour."
Integration with Other Security
Physical security ties into overall security policy. For example:
- Incident Response: Camera footage and badge logs help investigate breaches.
- Asset Management: Physical locks protect inventory.
- Compliance: Many regulations (HIPAA, PCI-DSS) require physical access controls.
In the exam, you may be asked to recommend controls based on a scenario. Always consider the threat, cost, and usability.
Identify Assets and Threats
Begin by listing physical assets: servers, network equipment, sensitive documents, employee workstations. Then identify threats: theft, vandalism, unauthorized access, natural disasters. For each asset, determine the required level of protection (e.g., server room needs high security, break room needs low). This step aligns with risk assessment. In the exam, scenarios often describe a threat (e.g., tailgating) and ask which control to implement. Knowing the threat guides the choice.
Select Appropriate Locks
Choose lock types based on asset criticality and environment. For a server room, use electronic locks with audit trails. For a laptop, use a cable lock. For a filing cabinet, use a keyed lock. Consider vulnerabilities: if the threat is lock picking, use bump-resistant locks. If the threat is tailgating, locks alone are insufficient—add mantrap or guard. In the exam, you may be given a scenario where a keyed lock is used for a high-security area; that is wrong—should be electronic.
Deploy Surveillance Cameras
Place cameras at all entry/exit points, in hallways leading to sensitive areas, and in server rooms. Ensure lighting is adequate; use IR for dark areas. Decide on recording: motion-activated saves storage, continuous is better for evidence. Set retention period (commonly 30 days). Secure the camera network—use VLANs and encryption to prevent tampering. In the exam, remember that cameras are a deterrent and provide evidence, but don't prevent entry.
Implement Access Badge System
Install badge readers at doors. Issue badges to authorized personnel. Configure access levels: e.g., employees can enter during work hours, contractors only specific rooms. Integrate with a central database. Enable logging to track who enters where and when. For high security, require badge + PIN (two-factor). Establish a process for lost badges: immediately deactivate and issue new one. In the exam, know that badges can be cloned; use encryption or smart cards to mitigate.
Establish Policies and Training
Write policies: no tailgating, report lost badges, escort visitors. Train employees on security awareness—e.g., don't hold door for strangers. Conduct periodic audits: review access logs, check for unauthorized access. Update controls as threats evolve. In the exam, you may be asked what to do after an incident (e.g., review camera footage, change locks). Policies are key to ensuring controls are used correctly.
Enterprise Scenario 1: Data Center Security
A large financial institution operates a data center housing thousands of servers with sensitive customer data. The physical security requirements are stringent due to compliance (PCI-DSS, SOX). They implement a multi-layered approach:
Perimeter: 8-foot fence with barbed wire, bollards to prevent vehicle ramming.
Building: Reinforced doors with electronic locks using smart cards and PIN. Mantrap at main entrance. Security guards 24/7.
Internal: Biometric scanners (fingerprint) for server room doors. IP cameras with motion detection and 90-day retention. All access logged and reviewed weekly.
Asset: Cable locks on portable equipment, lockable server racks.
What goes wrong: If the biometric system has a high false rejection rate, employees may become frustrated and prop doors open, defeating security. Regular maintenance and backup authentication methods (e.g., badge override) are essential.
Enterprise Scenario 2: Office Building Access
A mid-sized tech company has a single office with 200 employees. They use proximity badges for entry. The system logs entry times but not exits. One day, a badge is lost but not reported for 48 hours. An attacker finds it and enters after hours, stealing laptops.
Problem: No exit logging makes it hard to detect unauthorized after-hours presence. The delay in reporting the lost badge allowed the attack.
Solution: Implement exit readers or door contacts to track when people leave. Enforce a policy that lost badges must be reported within 1 hour. Use two-factor (badge + PIN) to prevent use of lost badge alone. Also, cameras would have recorded the theft, aiding investigation.
Enterprise Scenario 3: Hospital Controlled Substances
A hospital pharmacy stores narcotics. Access is restricted to authorized personnel. They use a combination lock on the door and a logbook. A nurse forgets the combination and writes it on a sticky note near the door. Another staff member uses it to steal drugs.
Problem: Combination locks lack audit trails and are vulnerable to shoulder surfing. The sticky note is a security violation.
Solution: Replace with electronic lock using badge + PIN. The system logs each access with timestamp and identity. Combine with a camera inside the pharmacy. Train staff not to share credentials. This provides accountability and deters theft.
What the 220-1102 Exam Tests on Physical Security
The exam objective 2.2 states: "Given a scenario, implement physical security controls." You must be able to recommend the appropriate control for a given situation. The exam focuses on:
Types of locks: Keyed, combination, electronic, cable. Know their strengths and weaknesses.
Cameras: Placement, recording types, limitations.
Access badges: Proximity vs. smart cards, two-factor authentication.
Biometrics: FAR vs. FRR, common types.
Mantrap: Purpose and operation.
Tailgating: Definition and prevention.
Security guards: Role.
Common Wrong Answers and Why Candidates Choose Them
Choosing a cable lock to secure a server room door – Candidates think cable locks are strong because they are made of steel. Reality: cable locks are for portable devices and can be cut easily. For a door, use an electronic lock or deadbolt.
Using a keyed lock for a high-traffic area – Keyed locks require physical key management: keys are copied, lost, and never individually logged, and changing access means rekeying the lock. Electronic locks allow immediate revocation and per-person logging. Candidates often overlook manageability.
Believing a mantrap is the same as a turnstile – A mantrap is an enclosed space with two interlocking doors; a turnstile is a rotating gate that admits one person per pass. Both counter tailgating, but a mantrap is more secure because it can hold an intruder between the doors until identity is verified. Candidates confuse the terms.
Thinking biometrics are foolproof – Biometrics can be spoofed (e.g., gelatin fingerprint) and have false rejections. Candidates may overestimate their security.
Specific Numbers, Values, and Terms
FAR (False Acceptance Rate) and FRR (False Rejection Rate) – know the difference.
Retention period – common is 30-90 days for camera footage.
Lock bumping – technique using a bump key.
RFID cloning – copying proximity badge data.
Two-factor authentication – something you have (badge) + something you know (PIN).
Edge Cases and Exceptions
Power loss: Electronic locks may fail secure (locked) or fail safe (unlocked). Know which is appropriate for security vs. safety (e.g., fire exit doors fail safe).
Tailgating prevention: A mantrap's doors are interlocked, so if the first door is held open the second will not unlock; the trade-off is that a propped door stops everyone, which is why staff must be trained not to prop doors. A related control is anti-passback: the controller refuses to admit a badge that is already recorded as inside, so a badge cannot be passed back through a door to a second person.
Camera privacy laws: In some jurisdictions, audio recording without consent is illegal. The exam may mention privacy considerations.
How to Eliminate Wrong Answers
If the scenario involves high security, eliminate cable locks and simple keyed locks.
If tailgating is the threat, look for mantrap or security guard, not just a lock.
If the scenario mentions lost credentials, choose a system that allows immediate revocation (electronic badge system).
If the question asks for deterrent, cameras are a good choice; for prevention, use locks or guards.
Physical security uses defense in depth: locks, cameras, badges, guards, and policies.
Cable locks are low security; use electronic locks for sensitive areas.
Cameras are for surveillance and evidence, not prevention.
Access badges should be used with a PIN for two-factor authentication.
Mantraps prevent tailgating by requiring two doors.
Biometrics have FAR and FRR; not foolproof.
Lost badges must be immediately deactivated.
Keyed locks lack audit trails; electronic locks provide logging.
Tailgating is prevented by mantraps, turnstiles, or security guards.
Physical security policies are essential for effectiveness.
These come up on the exam all the time. Here's how to tell them apart.
Keyed Locks:
- No power required
- No audit trail
- Key management overhead
- Vulnerable to lock picking and bumping
- Low cost
Electronic Locks:
- Require power (battery or wired)
- Provide audit logs
- Easy to revoke credentials
- Vulnerable to hacking if networked
- Higher cost
Mistake: Cable locks are very secure because they use thick steel cables.
Correct: Cable locks can be cut with bolt cutters in seconds. They are only a low-security deterrent for portable devices, not for doors or permanent fixtures.
Mistake: A keyed lock provides an audit trail because you know who has the key.
Correct: Keyed locks do not log who actually used the key. Anyone with a copy can enter without a record. Electronic locks provide individual audit trails.
Mistake: Biometric systems are 100% accurate and cannot be fooled.
Correct: Biometrics have a false acceptance rate (FAR) and a false rejection rate (FRR), and they can be spoofed with replicas (e.g., a printed iris or a gelatin fingerprint).
Mistake: Cameras prevent theft because people see them.
Correct: Cameras are a deterrent but do not physically prevent entry. A determined attacker may bypass or disable them. They are best for evidence and monitoring.
Mistake: A mantrap is just a fancy name for a revolving door.
Correct: A mantrap is a small room with two interlocking doors that cannot both be open at the same time. A revolving door is a different control; a mantrap is specifically designed to prevent tailgating and can hold an intruder until identity is verified.
An electronic lock with badge reader and PIN (two-factor). It provides an audit trail, easy revocation, and higher security than a keyed lock. For high security, add biometrics. Avoid cable locks or simple keyed locks.
Use a mantrap (two interlocking doors) or a turnstile that only allows one person per pass. Security guards can also enforce no tailgating. Cameras and signs are deterrents but not preventive.
FAR (False Acceptance Rate) is the probability that the system incorrectly accepts an unauthorized person. FRR (False Rejection Rate) is the probability that it incorrectly rejects an authorized person. Lower FAR is better for security; lower FRR is better for usability. Tightening the matching threshold lowers FAR but raises FRR, so the two are tuned against each other, and the crossover point (equal error rate) is often used to compare systems.
Yes, many low-frequency RFID badges can be cloned using off-the-shelf readers. To prevent cloning, use encrypted smart cards or two-factor authentication (badge + PIN).
No, that violates privacy laws and policies. Cameras should only monitor public areas and entry points. Always consider legal and ethical implications.
It depends on the fail-safe/fail-secure setting. Fail-safe unlocks on power loss (for fire exits). Fail-secure stays locked (for security). Choose based on safety vs. security needs.
Common retention is 30 to 90 days, depending on storage capacity and compliance requirements. Check local laws and organizational policy.