
CompTIA CASP Certification

Exam CAS-002 Cram Guide

Domain 1.0 Enterprise Security (Exam Coverage 30%)


1.1 Given a scenario, select appropriate cryptographic concepts and techniques.

Techniques
• Key stretching repeatedly hashes a weak key or password together with a random value called a salt. The salt makes equal passwords produce different results and defeats precomputed tables; the iteration count makes every guess expensive for an attacker. Algorithms include Password-Based Key Derivation Function 2 (PBKDF2) and bcrypt.
[Figure: Key stretching. The salt and password are fed into a hash function that is iterated N times to produce the hash result.]
• Hashing is a one-way function in which a variable-length input is run through an algorithm such as MD5 or SHA-1 (both now deprecated; SHA-2 is preferred) to provide a fixed-length output, or hash. This provides message integrity. A bare hash does not provide authentication or non-repudiation, because anyone can recompute it: authentication requires a keyed hash (HMAC) and non-repudiation requires a digital signature.
• Code signing is accomplished by signing the hash of the executable code with the publisher's private key, so that the code's origin and integrity can be verified. Microsoft uses Authenticode to do this.
• Pseudo random number generation provides the entropy, or randomness, that makes keys harder to guess. Keys must come from a cryptographically secure generator, not a general-purpose one.
• Perfect forward secrecy protects past session keys if a long-term key is later compromised, because each session key is derived from an ephemeral key exchange.
• Transport encryption protects data in motion. It can be accomplished with a VPN, IPsec, SSL/TLS, SSH, etc.
• Data at rest encryption encrypts a hard drive, a portion of a hard drive, or other storage medium. BitLocker encrypts a volume and protects the volume key with a Trusted Platform Module (TPM). Encrypting File System (EFS) encrypts individual files and folders.
• Data in use encryption protects data while it is held in memory.
• Digital signature: the sender signs a hash of the message with the sender's private key, and anyone holding the sender's public key can verify it. It provides non-repudiation, authentication, and message integrity, for example for email.
• Steganography hides information or provides a covert channel. A message is concealed within an image, random text, or another seemingly legitimate item. Examples of steganography include invisible ink, microdots, and modified images.

Implications of cryptographic methods and design
• Stream cipher – RC4 was the most widely used stream cipher; it is now considered broken and should not be deployed. A stream cipher encrypts one byte (or bit) at a time, which suits VoIP and streaming media.
• Block ciphers encrypt a fixed-size block at a time and are generally considered stronger than stream ciphers such as RC4. DES and 3DES encrypt 64 bits at a time; AES encrypts 128 bits at a time. Modes of block ciphers include the following:
• ECB or Electronic Codebook splits the data into block-sized chunks, and then encrypts each block independently using the shared key. It is the weakest mode in that identical blocks of plaintext encrypt to identical ciphertext, so patterns in the data leak.
• CBC or Cipher Block Chaining XORs each plaintext block with the previous ciphertext block before encrypting it, thus chaining the blocks together. The first block is XORed with a random initialization vector (IV), and the last block must be padded. Counter (CTR) mode, not CBC, is the mode that uses a counter instead of chaining.
• CFB or Cipher Feedback mode is similar to CBC but runs the block cipher as a stream cipher, so it does not require padding.
• OFB or Output Feedback also uses an IV and generates a keystream independent of the plaintext, so a transmission error affects only the damaged bytes. It is not inherently stronger than the other modes: reusing an IV under the same key in OFB or CTR reveals the XOR of the two plaintexts.
• Known flaws/weaknesses – DES was replaced by 3DES after its 56-bit key was shown to be brute-forceable. RC4 with a 24-bit IV in Wired Equivalent Privacy (WEP) was replaced by RC4 with a 48-bit IV (TKIP) in WiFi Protected Access (WPA); WPA2 replaced RC4 with AES-CCMP.
• Strength vs. performance vs. feasibility to implement vs. interoperability. AES is a common, strong, high performance, interoperable symmetric block cipher standardized by the National Institute of Standards and Technology (NIST).

Implementations
• DRM or Digital rights management may restrict copying, taking a screenshot, printing, or forwarding a document or other digital content. A document may also be set to delete itself on a particular date.
• Watermarking combines steganography and digital rights management to identify the copyright or ownership of digital material such as manuscripts, videos or images. It is a deterrent to unauthorized sharing.
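The key stretching bullet under Techniques above, as an added worked example that is not part of the cram guide: a password is stretched with PBKDF2-HMAC-SHA256 and a per-password random salt from Python's standard library, stored in a self-describing record, and verified with a constant-time comparison. The record format, the 600,000-iteration count and the sample passwords are this example's own choices, not values from the guide.

```python
import hashlib
import hmac
import os

# Parameters are this example's own choices, not values from the guide:
# PBKDF2-HMAC-SHA256, a 16-byte random salt, and 600,000 iterations
# (the 2023 OWASP recommendation for PBKDF2-HMAC-SHA256).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a KEY_LEN-byte key.

    Every one of the `iterations` HMAC rounds must be repeated by an attacker
    for each guess; that cost, not a longer key, is what key stretching buys.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key (hex).

    Storing the salt and iteration count beside the hash lets the verifier
    recompute the key, and lets the iteration count be raised later.
    """
    salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    key = derive_key(password, salt)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = derive_key(password, bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids a timing side channel on the comparison.
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get different records because of the salt,
    yet both records verify: the salt defeats precomputed (rainbow) tables."""
    first, second = hash_password(password), hash_password(password)
    return (
        first != second
        and verify_password(password, first)
        and verify_password(password, second)
    )


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print("good password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Correct horse battery staple", record))
    print("salt makes equal passwords differ:", same_password_different_records("hunter2"))
```

The iteration count is the tunable cost: raising it later only requires re-hashing on the user's next successful login, because the count is stored in the record.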
Concepts
• Entropy is the amount of randomness. It is used to generate random data for cryptographic keys and other processes.
• Entropy can come from specialized hardware or even from user keyboard inputs or mouse movements.
• Diffusion makes the ciphertext change drastically upon small changes to the input: flipping one plaintext bit should change about half of the ciphertext bits.
• Confusion makes the relationship between the key and the ciphertext as complex as possible, so that each ciphertext bit depends on many parts of the key.
• Non-repudiation using a digital signature ensures that a user cannot later deny having sent a signed message, such as a confidential email.
• Confidentiality is protection from information disclosure to untrusted parties. To ensure confidentiality of a computer with different operating systems in different partitions, encrypt each partition separately.
• Integrity is assurance that a message has not been modified. It is verified with a hash, and data integrity can be restored from a backup or backup image in the case that current data is corrupted.
• Chain of trust is usually a hierarchy with the root certificate authority (CA) taken offline for protection, and intermediate CAs issuing certificates. Intermediate CAs are trusted because the root CA vouches for them.
• Root of trust for virtual Trusted Platform Modules (vTPM) is provided by a hardware TPM.
• Cryptographic applications and proper/improper implementations – A company should use a vetted, standard algorithm recommended by the information security community rather than a relatively untested "home-brewed" algorithm.

Advanced PKI concepts
• Wild card certificates cover a set of hosts with the same suffix, such as *.corp.com for hr.corp.com, payroll.corp.com and dev.corp.com. If the wildcard private key is compromised on one host, then all associated domains are compromised.
• OCSP vs. CRL – The Online Certificate Status Protocol (OCSP) provides fresher data than the Certificate Revocation List (CRL). OCSP allows a certificate to be validated by a single query to a responder that returns the validity of that certificate.
• Issuance to entities – Certificates can be issued to users, applications, and devices.
• Key escrow is backup and storage of private keys by a trusted third party so that encrypted data can be recovered.
• Recovery agent provides more immediate and local recovery of encrypted data (for example EFS files) if a user leaves the organization.

Implementations (continued)
• GPG or GNU Privacy Guard is an implementation of OpenPGP available for many operating systems for securing email and encrypting files.
• SSL or Secure Sockets Layer provides a secure connection between internet browsers and websites. SSL/TLS can also be used to create a VPN, as in the Secure Socket Tunneling Protocol (SSTP).
• TLS or Transport Layer Security is the successor to SSL and is stronger in that SSL 2.0 and 3.0 have known weaknesses and are deprecated. TLS validates the server certificate's chain and checks that the certificate's subject or subject alternative name matches the host name the client requested; mutual (client certificate) authentication is optional.
• SSH or Secure Shell securely replaces Telnet and rlogin (slogin), and its Secure Copy (SCP) and Secure FTP (SFTP) subsystems securely replace FTP. All of the SSH protocols run on TCP port 22.
• S/MIME or Secure/Multipurpose Internet Mail Extensions is a protocol that adds security to MIME formatted email messages. It provides authentication through digital signatures and privacy through encryption.

1.2 Explain the security implications associated with enterprise storage

Storage types
• Virtual storage - Using the Fibre Channel switches, certain ports can be segmented into a private virtual SAN, or vSAN, limiting their communication to other ports in that vSAN or virtual fabric. This isolates the vSAN's data.
• Cloud storage is inexpensive compared to buying the equipment, and you don't have to maintain the hardware or run backups. Data is accessed from anywhere, and people can collaborate from different places on a wide variety of devices.
• Data warehousing provides high-value targets. End-to-end security should be built into the core of a data warehouse from data extraction to transportation to distribution to data marts, analytical servers, and end users.
• Data archiving should be encrypted in transport and at its final resting place. TLS is appropriate for transport encryption and AES-256 for encryption of data at rest.
• NAS solutions generally run their own simplified operating system and are file-based storage. A NAS recognizes files, manages their storage and can also independently perform functions such as searching.
• SAN or Storage Area Network is a high-speed, private network of storage devices all linked together to create one large storage resource.
• vSAN or virtual SAN is to a SAN as a VLAN is to a LAN. It is a segregated and protected area of a SAN.
Storage protocols
• iSCSI or Internet Small Computer System Interface runs on top of the Transmission Control Protocol (TCP) and sends SCSI commands over LANs and WANs.
• FCoE or Fibre Channel over Ethernet carries Fibre Channel communications over existing Ethernet networks.
• NFS or Network File System is an older network protocol developed for file sharing in UNIX environments.
• SMB or Server Message Block is used in Windows-based network environments, but is also supported by Apple and most Linux/UNIX environments. File sharing on the typical Windows desktop is over SMB.
• CIFS or Common Internet File System is an older dialect of SMB.

Secure storage management
• Multipath devices can have multiple pathways for communication. This is known as multipath or multipathing, and it increases availability by ensuring that no single point of failure exists.
• Snapshots are read-only copies of data that create a restore point in the history of the data at that moment.
  ► Deduplication is the elimination of redundant data, saving backup time, bandwidth, storage space and costs.
• Dynamic disk pools (DDPs) spread data, parity information, and spare capacity across a pool of hard drives so that the data is fault tolerant. DDPs can recover from disk failures up to eight times faster than RAID.
• LUN or Logical Unit Number is a set of disks, portions of disks, or a single disk for the exclusive use of a host.
• LUN masking/mapping associates a LUN with a host. The host is identified by its adapter's World Wide Name, and LUN masking then reveals to it only the LUNs to which it is assigned. LUN masking is done at the Host Bus Adapter (HBA) or on the storage array.
• HBA or Host Bus Adapter is a special NIC optimized for storage. Because masking keys on the adapter's identity, moving the HBA to an attacker's computer would defeat LUN masking.
• Zoning is like LUN masking, but it is done at the storage switch level.
• Offsite or multisite replication would provide availability in the event of data center failure due to a natural disaster.
• Encryption protects the confidentiality of data. Encryption can be accomplished at the following levels: disk, block, file, record, field or port.
  Disk - Whole disk encryption is faster if hardware encryption is used. Trusted Platform Modules (TPMs) integrated into the motherboard, or removable Hardware Security Modules (HSMs), store encryption keys and aid in crypto processing.
  Block - Block encryption uses block ciphers that encrypt a block of data at a time and often use chaining modes such as cipher block chaining, which increase security but are more susceptible to noise in transmission, since a corrupted block also damages the decryption of the next one. Stream ciphers encrypt bytes individually, and the loss of one byte does not affect the decryption of the following bytes as it does with block ciphers using chaining modes.
  File - Alternatives to encrypting the whole hard drive include encrypting specific folders or files, using Microsoft's Encrypting File System (EFS), UNIX/Linux's crypt command or a third party program.
  Record - Alternatives to encrypting the whole database include record encryption of only sensitive records, and field encryption of only sensitive fields such as credit card numbers or social security numbers.
  Port - Certain ports carry encrypted traffic by default, such as TCP 443, which carries HTTP inside SSL/TLS (HTTPS).

1.3 Given a scenario, analyze network and security components, concepts, and architectures

Advanced network design (wired/wireless)
• Remote access
• VPN – A VPN could be susceptible to split tunneling, in which devices connect to the Internet at the same time they connect to the corporate VPN. Malware from the Internet could then reach the corporate network through the VPN.
• SSH allows secure access to resources at the command line on TCP port 22.
• RDP or Remote Desktop Protocol allows remote access to resources using a GUI on TCP port 3389.
• VNC or Virtual Network Computing gives GUI access to a remote computer, is insecure by default, and generally should not be used unless it is tunneled over SSH or a VPN. VNC by default uses TCP ports in the 5900 range (the 5800 range for its browser client).
• SSL or Secure Sockets Layer can be used in a Secure Socket Tunneling Protocol (SSTP) VPN using firewall friendly TCP port 443. SSTP needs no extra client software on Windows and can be used from a kiosk computer.
• IPv6 and associated transitional technologies. To block IPv6 when there is no IPv6 routing into or out of the network, block UDP port 3544 (Teredo) at the firewall; 6to4 and ISATAP tunnels use IP protocol 41 and should be blocked as well. IPv6 implements Neighbor Discovery Protocol (NDP) and privacy extensions.
• Transport encryption is the secure delivery of data between parties. It provides the ability to communicate over untrusted mediums while still guaranteeing confidentiality, integrity, and authenticity.
• Network authentication methods. Authentication is more complex as organizations open satellite locations, support remote users, or combine with other organizations' networks and resources.
• 802.1X offers authentication using EAP on both wired and wireless networks and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.
• Mesh network authentication supports mobility in wireless mesh networks (WMNs) by providing secure and seamless handoff between access points for mobile clients, leveraging the IEEE 802.1X authentication architecture.
• UTM or Unified Threat Management is an all-in-one firewall appliance that may include Internet content filtering, antivirus, intrusion prevention, and stateful firewall functions.
• NIDS or Network based Intrusion Detection Systems inspect network traffic and do logging and alerting.
• NIPS or Network based Intrusion Prevention Systems take the next step in that they also block attacks inline.
• INE or Inline Network Encryptor – A High Assurance Internet Protocol Encryptor (HAIPE) is an NSA-certified encryption device that uses Suite A and Suite B algorithms and can be used to send Top Secret data over untrusted networks such as the Internet.
• SIEM or Security Information and Event Management aggregates event and log data from multiple disparate systems, on premises or in the cloud, while providing a single dashboard from which to process the data.
• HSM or Hardware Security Module is a removable card or network appliance that may be used to encrypt in a high availability clustered environment. It enhances platform authentication by storing unique RSA keys and providing cryptoprocessing.
• Placement of devices – The NIPS should be placed after the SSL accelerator that decrypts network traffic, so that it inspects plaintext rather than ciphertext.
• Application and protocol aware technologies include intrusion detection and intrusion prevention systems, Web Application Firewalls (WAF), NextGen firewalls, vulnerability scanners, and Database Activity Monitoring (DAM).
  WAFs protect against injection attacks, XSS, CSRF (XSRF), buffer overflows in web input, and malformed data.
  NextGen firewalls protect at Layers 3 to 7 of the OSI model and include Internet Content Filtering (ICF) and NIPS functionality.
  An IPS stops malicious traffic based on signatures, anomalies, or behavior.
  Vulnerability scanners include Nessus and the Microsoft Baseline Security Analyzer (MBSA).
  DAM goes beyond monitoring and alerting to also block unauthorized database activities.

Virtual networking and security components
• Switches connect hosts on a LAN by MAC address. They reduce or eliminate collisions. VLANs can and should be created on switches. Each VLAN is a broadcast domain and to some extent a security zone.
• Firewalls control traffic based on such parameters as ACLs, stateful connection inspection, or inspection of the contents of packets at the application layer.
• Wireless controllers may be secured by changing the default password, using the lowest power level that does the job, centralizing antenna placement and implementing WPA2. Filtering by MAC address and disabling SSID broadcast are often listed as well, but both are easily bypassed by an attacker sniffing the air and should not be relied on.
• Routers connect networks generally based on network addresses, usually IP network addresses. They create subnets which isolate broadcast domains, and to some extent isolate security zones.
• Forward proxies cache Internet content, provide NAT, and provide Internet content filtering (ICF).
• Transparent proxies also cache Internet content but do not require a special configuration in users' browsers. They transparently inspect and filter user content by applying rules on routers and firewalls.
• Reverse proxies cache, filter, and load balance web traffic for web server farms.
• Open proxies are publicly reachable proxies that users can route through to bypass firewalls and content inspection, often over SSL on firewall friendly TCP port 443, concealing their actions from web servers, ISPs and cable providers. Outbound access to known open proxies should be blocked.

Complex security solutions for network data flow
• SSL inspection decrypts, inspects, and then re-encrypts SSL traffic before it is sent to its destination for the purposes of data loss prevention, Internet content filtering, and network intrusion prevention.
• Network flow data records IP network traffic as it enters or exits an interface to determine the source and destination of traffic, class of service, and the causes of congestion.
Secure configuration and baselining of networking and security components - A secure baseline provides a reference point against which abnormal traffic and unauthorized change can be judged.
• ACLs or Access Control Lists control allowed traffic and disallow incoming packets with spoofed internal source addresses, source routing, and directed broadcasts.
• Change monitoring makes sure that any changes do not weaken the security of a network.
• Configuration lockdown prevents unauthorized changes to a secure baseline.
• Availability controls include flood guards that rate limit suspect network traffic.
Software defined networking creates policies to control and enforce router and switch configuration in an enterprise.
Cloud managed networks can reduce up-front cost and bring faster, more reliable connectivity using a pay-as-you-use cloud service model that simplifies remote management and troubleshooting of multiple sites from a single dashboard.
Network management and monitoring tools improve operational efficiency with customizable dashboards, alerts, and reports to quickly identify and remediate network and application reliability and performance issues.

Advanced configuration of routers, switches and other network devices
• Transport security for configuration of network devices is provided by SSH, TLS (HTTPS), or TACACS+ for centralized AAA. Configuration via a console port is more secure than remote access.
• Trunking security – Dynamic Trunking Protocol (DTP) should be disabled so an attacker cannot negotiate a trunk port on a switch.
• Route protection guards against disclosure of routing tables and injection of bogus routes; routing protocols should authenticate their peers. Backup routes are often less secured and more vulnerable to attack than primary routes.

Security zones
• Data flow enforcement restrictions include blocking outside traffic that purports to be from within the organization, and not allowing any web requests to the Internet that are not from the proxy server.
• DMZ or De-Militarized Zone is an area between two firewalls. The first firewall protects Web and other public facing servers from threats on the Internet. The second firewall more completely protects the internal network.
• Separation of critical assets might include putting them in a separate VLAN.
• Network access control includes quarantine and remediation. NAC is the means to ensure that computers comply with security policies such as patching, firewall use, and a recent antivirus scan before they are admitted to the network.
Operational and consumer network enabled devices must be protected: building automation systems, IP video, HVAC controllers, sensors, physical access control systems, A/V systems and scientific/industrial equipment. Controls for these devices include the following: separate VLANs with access controlled by a proxy server, Quality of Service (QoS) applied, and firewalls with strict access control lists (ACLs) for access to their isolated network.
Critical infrastructure/Supervisory Control and Data Acquisition (SCADA)/Industrial Control Systems (ICS) can be protected by firewalls, separate VLANs, and intrusion prevention systems. Patching may require recertification.

1.4 Given a scenario, select and troubleshoot security controls for hosts

Trusted OS provides multilevel security and mandatory access control. Security Enhanced Linux (SELinux) is a trusted OS implementation that confines processes with a mandatory access control policy, so that malicious or suspicious code cannot act outside the domain it is allowed.
End point security software includes the following:
• Anti-malware software includes the following programs / program features: anti-virus, anti-spam, anti-spyware, and pop-up blockers.
• Anti-virus should be deployed with a centralized management station to deploy the latest antivirus definitions, and should also scan email attachments at the email gateway.
• Anti-spyware - Spyware transmits Personally Identifiable Information (PII) from your computer to Internet sites without your knowledge. Spyware negatively affects confidentiality.
• Spam filters - Spam is unwanted email with advertising. An anti-spam solution prevents unsolicited email messages from entering the company's network. Spam can also be blocked at the email gateway.
• Patch management - A patch fixes bugs in a program, addresses security problems, or adds functionality. A hot fix is a patch that fixes a critical issue. Hot fixes are not fully tested. A service pack is a fully tested set of patches.
• HIPS/HIDS - A HIDS does logging and alerting on a host. A HIPS is like antivirus on steroids: it can log off a user, disable an account, stop a write to the registry, and stop a process or application from launching.
• Data loss prevention (DLP) systems monitor and protect data whether it is at rest, in use, or in motion. DLP techniques include content inspection and analysis of transactions within a centralized management framework.
• Host-based firewalls are programs that protect a single Internet-connected computer from intruders. They are particularly useful when users have a continuous DSL or cable modem connection.
• Log monitoring should be continuous. Syslog and SIEM are used to collect and monitor logs.

Host hardening
• Standard operating environment/configuration baselining is typically a standard disk image with the operating system, approved applications and security configurations.
• Application whitelisting and blacklisting would prevent the use of non-standard or insecure applications.
• Security/group policy implementation is the best way to push out password policies and account lockout policies.
• Command shell restrictions can be enforced. The majority of end users have no need for access to command shells/command prompts and administrative tools on their machine.
• Patch management ensures that patches are downloaded to a patch management server, tested, approved, and pushed out to client machines. The last step is auditing to ensure patches have been installed on all workstations.
• Configuring dedicated interfaces for management protects these interfaces in the event of a DDoS on a network.
• Out-of-band management enables remote reboot and remediation of hosts that have crashed - HP offers Integrated Lights-Out (iLO) and Dell offers the Dell Remote Access Card (DRAC) for this recovery capability.
• ACLs should be enforced on management interfaces, data interfaces, and storage interfaces.
• Peripheral restrictions should be enforced on USB, Bluetooth, and FireWire.
• Full disk encryption (FDE) should be implemented. BitLocker is Microsoft's FDE solution. It uses a Trusted Platform Module (TPM) to protect the volume encryption key and aid in cryptoprocessing.

Security advantages and disadvantages of virtualizing servers include precise control over the distribution of workloads over computing resources. Several virtual machines can run on one physical server.
• Type I hypervisor is itself an operating system that is installed directly on the server hardware. Guest operating systems then run on the hypervisor. This is used in datacenters for scalability.
• Type II hypervisor is a virtual machine manager that installs on top of a host's operating system such as Windows or UNIX. This is used on desktops for tasks such as training and patch testing.
• Container-based virtualization isolates the guests but doesn't virtualize the hardware. You are generally limited to running the host OS kernel in the container. Container virtualization has native OS or near native performance, but all containers share one kernel, so a kernel exploit in one container affects them all.
[Figure: VMs vs. containers. Type 1: each VM holds an app, its dependencies and a guest OS, running on the hypervisor, which runs on the server. Type 2: the same VM stack runs on a hypervisor that itself runs on a host OS on the server. Containers: each container holds an app and its dependencies and runs on Docker on the host OS on the server.]
Cloud augmented security services can be used to thwart distributed denial of service attacks.
• Hash matching is used in anti-virus software, anti-spam software, vulnerability scanning, and in signature based intrusion detection and intrusion prevention systems.
• Sandboxing isolates an application so it cannot edit operating system files or other files on the user's hard disk and cannot write data outside of the sandbox.
• Content filtering screens objectionable content based on website or email content. Sites on hacking, adult sites, sites with malware, and sites that could be used for data exfiltration such as webmail might be blocked.
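The ACL and data flow enforcement rules in section 1.3 above (drop outside packets that claim an internal source, source-routed and broadcast packets, and web requests to the Internet that do not come from the proxy), as an added example that is not from the guide: a small evaluator that applies those rules in order to constructed packet records. The address ranges, the proxy address and the packets are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example topology (not from the guide): the organisation's internal
# address space, bogon ranges that must never arrive from outside, and its web proxy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]
PROXY = ipaddress.ip_address("10.1.1.10")
WEB_PORTS = {80, 443}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    iface: str                       # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    dport: int
    options: frozenset = frozenset()  # IP options present, e.g. {"source-route"}


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(pkt: Packet) -> tuple[str, str]:
    """Apply the guide's restrictions in order and return (action, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

    # Ingress anti-spoofing: traffic from outside must not claim one of our addresses.
    if pkt.iface == "outside" and is_internal(src):
        return "deny", "spoofed internal source on outside interface"
    if pkt.iface == "outside" and any(src in net for net in BOGONS):
        return "deny", "bogon source on outside interface"
    # Egress anti-spoofing: traffic from inside must carry one of our own addresses,
    # otherwise a compromised host could take part in reflection attacks.
    if pkt.iface == "inside" and not is_internal(src):
        return "deny", "non-internal source on inside interface"
    # Source routing lets the sender steer the path around the controls.
    if "source-route" in pkt.options:
        return "deny", "source-routed packet"
    # Broadcast and multicast destinations are not forwarded across the boundary.
    if dst == LIMITED_BROADCAST or dst.is_multicast:
        return "deny", "broadcast or multicast destination"
    # Web egress is only permitted from the proxy, so content filtering cannot be bypassed.
    if pkt.iface == "inside" and not is_internal(dst) and pkt.dport in WEB_PORTS and src != PROXY:
        return "deny", "direct web request bypassing the proxy"
    # A production ACL ends in an implicit deny with explicit permits above it;
    # this example stops at the restrictions the guide lists.
    return "permit", "no restriction matched"


def filter_packets(packets):
    """Evaluate a batch and return (packet, action, reason) triples for logging."""
    return [(pkt, *evaluate(pkt)) for pkt in packets]


if __name__ == "__main__":
    sample = [  # constructed packets
        Packet("outside", "10.5.5.5", "10.1.1.80", 443),
        Packet("outside", "203.0.113.7", "10.1.1.80", 443),
        Packet("inside", "10.2.3.4", "198.51.100.1", 443),
        Packet("inside", "10.1.1.10", "198.51.100.1", 443),
        Packet("outside", "203.0.113.7", "10.1.1.80", 80, frozenset({"source-route"})),
    ]
    for pkt, action, reason in filter_packets(sample):
        print(f"{action:6} {pkt.iface:7} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}  ({reason})")
```

The order matters: spoofing checks come first so that a forged source never reaches the later, more permissive rules, which is also how the equivalent entries should be ordered on a router ACL.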
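Hash matching and application whitelisting as described under Host hardening above, as an added example that is not from the guide: files are hashed in chunks with SHA-256 and classified by hash alone against an allowlist and a signature blocklist, which also shows the two edges a practitioner meets (renaming does not change the verdict, a one-byte change evades a hash signature). The sample files, the allowlist and the "Constructed.Sample.A" signature are constructed for this example and are not real software or real malware.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read into memory at once


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, allowlist: set[str], blocklist: dict[str, str]) -> tuple[str, str]:
    """Decide whether a file may run, by content hash only: the name and path are untrusted."""
    digest = sha256_file(path)
    if digest in blocklist:
        return "block", f"matches signature {blocklist[digest]}"
    if digest in allowlist:
        return "allow", "hash on allowlist"
    return "deny", "unknown hash (default deny under whitelisting)"


def scan_directory(directory: Path, allowlist: set[str], blocklist: dict[str, str]) -> dict:
    return {p.name: classify(p, allowlist, blocklist)
            for p in sorted(directory.iterdir()) if p.is_file()}


def demo() -> dict:
    """Constructed sample files and lists; nothing here is a real program or a real signature."""
    approved = b"#!/bin/sh\necho approved corporate tool\n"
    malicious = b"#!/bin/sh\necho constructed malware sample\n"
    allowlist = {hashlib.sha256(approved).hexdigest()}
    blocklist = {hashlib.sha256(malicious).hexdigest(): "Constructed.Sample.A"}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "tool.sh").write_bytes(approved)
        (d / "tool-renamed.sh").write_bytes(approved)               # renaming does not change the hash
        (d / "notepad.sh").write_bytes(malicious)                   # a benign name does not help it
        (d / "notepad-variant.sh").write_bytes(malicious + b"#\n")  # one extra byte evades the signature
        (d / "unknown.sh").write_bytes(b"#!/bin/sh\necho new\n")     # not on either list
        return scan_directory(d, allowlist, blocklist)


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{action:5} {name:20} {reason}")
```

The variant result is the caveat: a hash blocklist only catches byte-identical samples, which is why whitelisting (deny anything not explicitly approved) is the stronger default and why antivirus products add heuristics on top of hash matching.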
such as webmail might be blocked. in older languages like C and C++.
Boot loader protec ons ¡ Integer overflows occur when the result of an arithme c opera on exceeds the
¡ Secure Boot provides a hardware-verified, malware-free boot process in which the maximum size of the integer type used to store it. They can be used to zero out the
digital signatures of key boot files are verified. payment for a shopping cart from an online store.
¡ Measured Launch is powered by Intel's Trusted Execu on Technology (TXT). ¡ Race condi ons occur when an applica on depends on mul ple processes accessing
¡ IMA or Integrity Measurement Architecture (IMA) from IBM verifies the integrity of the same data in a specific order.
Linux OSs. ¡ Race condi on is also known as a me of check, or TOC, and me of use, or TOU,
¡ BIOS/UEFI – Secure Boot requires the Unified Extensible Firmware Interface (UEFI) vulnerability.
which is a replacement for the older BIOS. UEFI blocks malware including rootkits that ¡ TOC/TOU. An a acker who can iden fy TOC/TOU vulnerability will a empt to
could take over a BIOS-controlled host. manipulate data a er it has been checked or authen cated, but before the applica on
Vulnerabili es associated with co-mingling of hosts with different security requirements uses this data to perform some opera on.
¡ VMEscape is an a ack that affects more than one virtual machine. It is exemplified ¡ Resource exhaus on is a denial of service a ack that consumes so much of an
when sensi ve data is found on a hidden directory within the hypervisor important resource, such as network bandwidth or CPU me, that the applica on will
¡ Privilege eleva on is when an a acker with access to a user account exploits a bug or no longer be able to perform its normal opera ons.
configura on error to gain elevated privileges ¡ Geo-tagging adds geographical coordinates to photographs, video, and SMS
¡ Live VM migra on expose encryp on keys that are unencrypted in memory messages.
¡ Data remnants are traces of proprietary data which can remain on the virtual machine ¡ Data remnants or residual digital data may remain even a er nominal file dele on and
and be exploited may be exploited by a ackers.
Virtual Desktop Infrastructure (VDI) would not only eliminate the need for physical Applica on sandboxing limits the environments in which applica on code can execute to
desktops, but would also centralize the loca on of all desktop applica ons, without losing protect the underlying opera ng system.
physical control of any network devices. Applica on security frameworks
Terminal services/applica on delivery services include Direct Access which transparently ¡ Standard libraries when improperly used, can introduce security issues in the program
provides connec vity to domain applica ons without the need for a tradi onal virtual being developed. For example, some C programming language standard library
private network (VPN). func ons do not check buffer size and can be exploited.
TPM or Trusted Pla orm Module Securely generates encryp on keys. Its remote ¡ Industry accepted approaches
a esta on feature creates a hash the hardware and so ware so that the TPM will not ¡ Web services security (WS-security)
work if moved to another computer
Secure coding standards are rules and guidelines for developing secure so ware
VTPM is a mechanism to securely store cryptographic keys used to sign code and code
systems. Effec ve secure coding standards protects against applica on security threats.
modules on the VMs.
Database Ac vity Monitor (DAM) observes and reports on suspicious ac ons in a
HSM is a removable device that may be used to encrypt in a high availability clustered
database.
environment. A TPM is a hardware chip that stores encryp on keys.
Web Applica on Firewalls (WAF) prevents cross-site scrip ng (XSS), SQL injec on and
malformed packets.
1.5 Differen ate applica on vulnerabili es and select appropriate security controls
Web applica on security design considera ons
Common Web Applica on Firewall (WAF) Protec on Methods
¡ Secure: by design, by default, by deployment. Security should be baked-in rather than
clamped on. The Secure So ware Life Cycle (SSLC) should be followed. Pattern Recognition Session Protection
Signature
Knowledgebase
Specific applica on issues
¡ Insecure direct object references are exemplified by changing a parameter in a URL
and retrieving a different valid web page. Account login, session ID and other sensi ve
informa on should not be transmi ed in the URL.
¡ XSS or Cross-Site Scrip ng vulnerabili es are exploited by an a acker who injects
malicious code into a trusted website or web applica on. This injected code is then
passed from the trusted site to the end user's browser.
• Cross-site Request Forgery (CSRF) is exemplified by an attacker with a connection to a victim exploiting the victim's connection to a VPN.
• Click-jacking is when an attacker uses multiple transparent layers to trick a user into clicking on a button or link on another page when the victim was intending to click on the top level page.
• Session management IDs are used by an application to uniquely identify a client browser and a level of access. The attacker uses session IDs to take over a session in session hijacking.
• Input validation defeats buffer overflows and injection attacks.
• SQL injection attack indicators may include the following: DBO (Database Owner), sp_ (stored procedure), insert, table, double equals (= =).
• Improper error and exception handling. Generic error messages should be displayed to users, but logging should be detailed.
• Privilege escalation is exemplified if an attacker accessed a printer from the Internet. The attacker then accessed the print server, using the printer as a launch pad for a shell exploit.
• Improper storage of sensitive data would be prevented by proper data classification.
• Fuzzing/fault injection is random input generation to see if it can compromise an application or system.
• Secure cookie storage and transmission. Cookies can be encrypted, as in secure cookies.
• Buffer overflow. Measures to protect against buffer overflows include input validation, patching, and the no-execute bit of Data Execution Prevention (DEP). DEP is a feature of modern CPUs that segregates areas of memory into data and code.
• Memory leaks are the result of an application allocating memory and then not freeing up that memory when the application no longer needs it. Memory leaks are a common

Client-side processing vs. server-side processing. Server-side input validation is more secure than client-side input validation.
Client-side issues
• JSON/REST (JavaScript Object Notation/Representational State Transfer) may allow an attacker to create their own signed access tokens, allowing arbitrary account access.
• Browser extensions should be disallowed or limited and signed.
• ActiveX is Microsoft's answer to Java. Browsers should be set to only accept signed ActiveX applets.
• Java applets that are not digitally signed should operate in a restricted resource area called a sandbox.
• Flash is a browser plugin that plays animations, videos and sound files within web pages. A secure Flash setting is the Always Deny option in the Global Privacy Settings.
• Flash cookies that store persistent Flash information are vulnerable to spyware.
• HTML5 is a more secure alternative to Adobe Flash.
• AJAX (Asynchronous JavaScript and XML) is a collection of programming techniques used on the client side to create interactive user interfaces within web applications without having to update the entire page.
• SOAP (Simple Object Access Protocol) is an XML-based protocol for exchanging structured messages across networks. Similar to SAML and XACML, SOAP uses HTTP or other existing protocols for communication.
• State management on the client side saves server memory but is less secure than server-side state management and takes more bandwidth.
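The injection and input validation items above, worked as an added example that is not part of the guide: a query built by string concatenation beside its parameterized form (Python's sqlite3 against a constructed in-memory table), a server-side allow-list check, and a scan of constructed access-log lines for the indicator strings the guide lists. The table contents, user names and log lines are all constructed for this example.

```python
"""Added example (not from the guide): a string-built SQL query beside its
parameterized form, a server-side allow-list check, and a scan of request
log lines for the SQL injection indicators the guide lists."""
import re
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the guide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn, name):
    """BAD: the value is spliced into the statement text, so anything the
    caller types becomes part of the SQL."""
    rows = conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_parameterized(conn, name):
    """GOOD: the driver passes the value separately from the statement, so
    it can never change the query's structure."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# Server-side input validation as a second layer: an allow-list of what a
# user name may look like, checked before any query is built.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_name(name):
    return bool(NAME_RE.match(name))


# The indicators the guide lists: DBO, sp_ (stored procedures), insert,
# table, and a double equals. Matched case-insensitively, as whole words.
INDICATOR_RE = re.compile(
    r"\bdbo\b|\bsp_\w*|\binsert\b|\btable\b|=\s*=", re.IGNORECASE)

# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = [
    "GET /products?id=42 200",
    "GET /products?id=42;INSERT%20INTO 500",
    "GET /report?owner=dbo 200",
    "GET /help?page=tables 200",
]


def find_indicators(log_lines):
    """Return (line_number, matched_text) for every line carrying an indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = INDICATOR_RE.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                   # the textbook tautology probe
    print(lookup_vulnerable(db, probe))      # ['alice', 'bob']: the WHERE clause is defeated
    print(lookup_parameterized(db, probe))   # []: the probe is just a literal name
    print(is_valid_name(probe))              # False: rejected before any query runs
    print(find_indicators(SAMPLE_LOG))       # [(2, 'INSERT'), (3, 'dbo')]
```

The indicator scan is a triage aid, not a verdict: "table" in ordinary text is filtered by the word boundaries, but a hit still needs a human to look at the request.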
Domain 2.0 Risk Management and Incident Response (Exam Coverage 18%)

2.1 Interpret business and industry influences and explain associated security risks
Risk management of new products, new technologies and user behaviors will limit new attack vectors.
New or changing business models/strategies must be evaluated for necessary data flows and the most secure means to join networks.
• Partnerships/Outsourcing - Before undertaking a partnership or outsourcing, management must carefully consider the security impact of the change. The additional risk exposure and the cost of mitigating it may make the change unwise.
• Cloud - Security drawbacks of cloud computing are loss of physical control over data, and blended systems and data.
Figure: Cloud Computing Benefits and Disadvantages
• Mergers can be dangerous, because companies must integrate differing technology platforms and security controls, streamline security responsibilities and reporting, and review the handling of sensitive data.
• Divestitures must ensure a clean break between companies when security controls are maintained. Confidentiality agreements should be signed.
Security concerns of integrating diverse industries should be addressed with a risk assessment so that each organization is aware of the other organization's risk portfolio. This risk assessment should look at the following:
• Rules concerning what is and isn't allowed by each of the separate companies.
• Policies that outline the high-level security objectives of the separate companies. Generally the policies that offer the highest security should be adopted.
• Regulations and standards that will apply to the parent company as a result of a merger. These might include PCI, SAS 70 and/or HIPAA standards.
• Geography - A company to be acquired that is located in Europe would subject the parent company based in the USA to European Union (EU) business related compliance and regulatory requirements.
Ensuring third party providers have requisite levels of information security. This should be included in an SLA and a non-disclosure agreement.
Internal and external influences include the following: competitors, auditors/audit findings, regulatory entities, internal and external client requirements, and new initiatives by top level management.
Impact of de-perimeterization (e.g. constantly changing network boundary) – Defense in depth must be implemented with host based firewalls and intrusion prevention systems.
• Telecommuting
• Cloud computing is elastic, on-demand, and can save money. But the company loses full control over their data.
• Blended systems and data add complexity, which can reduce security.
• BYOD risks should be reduced by encrypting data in transit for remote access and implementing NAC to limit insecure devices' access.
• Outsourcing agreements should include security clauses such as the right to audit. A review should be conducted of the outsourcing provider's security policies, procedures and relevant hosting certifications.

2.2 Given a scenario, execute risk mitigation planning, strategies and controls
Classify information types into levels of CIA based on organization/industry - Enterprise risk management is the process of finding, analyzing, and quantifying risk, and it is the cornerstone of enterprise security.
Incorporate stakeholder input into CIA decisions - Stakeholders include systems owners, security administrators, data owners, system users, partner organizations, regulatory authorities and anyone else with a vested interest.
Implement technical controls based on CIA requirements and policies of the organization
• Confidentiality refers to the risk that data will be accessed by unauthorized people. The level of risk depends on what can be done with the data and on how important it is that the data remain private.
• Integrity refers to the risk that data could be modified by unauthorized people. An example is the modification of payroll information for an organization, which could lead to an employee being paid more than intended.
• Availability refers to the risk that data or services cannot be used when needed. For example, if an e-commerce site is down due to equipment failure or malicious attack, a company can lose sales and revenue.
Determine minimum required security controls based on aggregate score. If different tables in a database have different CIA values then the highest value in each category determines the overall database CIA score.
Extreme scenario planning/worst case scenario. If a risk is unlikely, but would put an organization out of business, then it should be mitigated.
Conduct system specific risk analysis. The Agile project development model should require an in-depth risk analysis before moving on to the next phase.
Make risk determination either qualitative, based on expert judgment, or quantitative, based on a numerical analysis.
• Magnitude of impact. High impact events must be mitigated or avoided. SLE is Single Loss Expectancy. SLE is the impact of the threat.
• Likelihood of threat is ARO or Annual Rate of Occurrence.
• ALE is Annual Loss Expectancy. ALE = SLE x ARO
• Return on investment (ROI) is the amount of money or benefit gained in relation to the amount of money spent.
• Total cost of ownership would include maintenance as well as acquisition costs.
Recommend which strategy should be applied based on risk appetite. Strategies for addressing risk fall into four general categories: mitigate, transfer, accept, and avoid.
• Avoid show stopping risks.
• Transfer risks using SLAs, insurance, and partnerships such as NATO.
• Mitigate risks using controls such as firewalls, DLP, and intrusion protection systems.
• Accept low level risks when the cost to mitigate is greater than the cost of loss.
Risk management processes
• Exemptions to risks must be carefully weighed, because of unintended consequences.
• Deterrence is exemplified in a warning to another nation that if they hack our power grid, then we either respond in turn, or bomb their power grid.
• Inherent risk is innate in activity, such as connecting to the Internet, driving, or even breathing the air that others breathe. It is generally accepted as a cost of doing business.
• Residual risk is what is left after an organization has mitigated all the risks that their budget allows.
Enterprise Security Architecture (ESA) framework provides a more formalized methodology that can take business drivers, capabilities, baselines, and reusable patterns into account.
Continuous improvement/monitoring. If security was perfect today, only continuous monitoring and improvement can make sure that new attacks are thwarted.
Business Continuity Planning (BCP) provides for quick resumption of critical business functions after a disaster.
Figure: Business Continuity Plan (BCP) Life Cycle
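The risk figures defined in 2.2 above (SLE, ARO, ALE, the ROI of a control) and the four strategies, as an added worked example that is not from the guide. The Risk class, the sample figures and the decision rules in recommend() are constructed for this example; the rules follow the guide's statements (accept when the cost to mitigate exceeds the loss, mitigate unlikely-but-fatal risks, avoid show stoppers, transfer through an SLA or insurance), and the constructed figures show a control worth buying, a control with negative ROI that is bought anyway because the risk is existential, and a low-level risk that is accepted or transferred.

```python
"""Added example (not from the guide): the quantitative risk figures the guide
defines (SLE, ARO, ALE, ROI of a control) and a function that maps them onto
the four strategies: avoid, transfer, mitigate, accept."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float         # value of the asset at risk (currency units)
    exposure_factor: float     # fraction of the asset lost in one occurrence, 0..1
    aro: float                 # Annual Rate of Occurrence (expected events per year)
    existential: bool = False  # would one occurrence put the organization out of business?


def sle(r: Risk) -> float:
    """Single Loss Expectancy: the impact of one occurrence of the threat."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annual Loss Expectancy, ALE = SLE x ARO as in the guide."""
    return sle(r) * r.aro


def control_roi(r: Risk, aro_after: float, annual_cost: float) -> float:
    """Return on a control: the yearly loss it removes minus what it costs.
    Negative means the control costs more than it saves."""
    return ale(r) - ale(replace(r, aro=aro_after)) - annual_cost


def recommend(r: Risk, aro_after=None, annual_cost: float = 0.0,
              transferable: bool = False) -> str:
    """Pick a strategy using the guide's rules of thumb. aro_after=None means no
    control exists that lowers the likelihood; transferable means an SLA or
    insurance can carry the loss."""
    if aro_after is None:
        # Nothing reduces it: a show stopper is avoided; otherwise transfer if
        # someone can carry it, else accept.
        if r.existential:
            return "avoid"
        return "transfer" if transferable else "accept"
    if r.existential:
        # Worst-case planning: unlikely but fatal risks are mitigated even when
        # the control's ROI is negative.
        return "mitigate"
    if annual_cost > ale(r):
        # Cost to mitigate exceeds the expected loss: accept the low-level risk,
        # or transfer it if possible.
        return "transfer" if transferable else "accept"
    return "mitigate"


# Constructed sample figures (not from the guide).
WEB_DEFACEMENT = Risk("web defacement", asset_value=200_000, exposure_factor=0.10, aro=2.0)
DATACENTER_FIRE = Risk("datacenter fire", asset_value=5_000_000, exposure_factor=0.80,
                       aro=0.02, existential=True)
LAPTOP_THEFT = Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0)

if __name__ == "__main__":
    # A web application firewall at 15,000/yr cutting defacements to 0.5/yr:
    print(ale(WEB_DEFACEMENT), control_roi(WEB_DEFACEMENT, 0.5, 15_000),
          recommend(WEB_DEFACEMENT, 0.5, 15_000))        # 40000.0 15000.0 mitigate
    # Fire suppression at 150,000/yr has negative ROI, but the risk is existential:
    print(control_roi(DATACENTER_FIRE, 0.005, 150_000),
          recommend(DATACENTER_FIRE, 0.005, 150_000))     # -90000.0 mitigate
    # Laptop tracking at 20,000/yr exceeds the 12,000 expected loss:
    print(recommend(LAPTOP_THEFT, 3.0, 20_000),
          recommend(LAPTOP_THEFT, 3.0, 20_000, transferable=True))  # accept transfer
```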
IT Governance is a formalized process to align IT strategy with business strategy, ensuring that an organization stays focused on achieving their goals within a legal and regulatory framework.

2.3 Compare and contrast security, privacy policies and procedures based on organizational requirements
Policy development and updates in light of new business, technology, risks and environment changes – Current and future threats must be taken into account.
Process/procedure development and updates in light of policy, environment and business changes would involve the formation of interdisciplinary teams.
Support legal compliance and advocacy by partnering with HR, legal, management and other entities to make sure that all applicable laws and regulations are followed and to develop the appropriate security policies.
Use common business documents to support security – These include the following:
• Risk assessment (RA) identifies potential hazards and analyzes what could happen if a hazard occurs.
• Statement of Applicability (SOA) outlines countermeasures to be taken in order to reduce risks.
• Business Impact Analysis (BIA) is a high level analysis that identifies a company's exposure to the sudden loss of critical business functions.
• Interoperability Agreement (IA) specifies information exchange between organizations, such as terrorist information exchanged between the FBI, CIA, and Homeland Security.
• Interconnection Security Agreement (ISA) is put into place between two or more organizations who agree to share an interconnected network. The goal is to agree on security standards and protect the shared network.
• Memorandum of Understanding (MOU) is an agreement between organizations that allows them to work together to achieve a common goal. The MOU defines the terms of the cooperative work.
• Service Level Agreement (SLA) is put in place between two organizations to establish a baseline for services provided from one organization to the other. Most commonly, SLAs pertain to transaction level performance.
• Operating Level Agreement (OLA) defines which personnel and departments are responsible for meeting certain criteria in one organization to support an SLA with another organization.
• Non-Disclosure Agreement (NDA): one party agrees to protect the confidential information of the other. The agreement can be reciprocal or not.
• Business Partnership Agreement (BPA) defines information such as the goals, name, and location of a business partnership. It also describes how contributions and profits are shared.
Use general privacy principles for sensitive information (PII)
• Sensitive PII includes medical information as well as social security, driver's license and credit card numbers.
• Corporate PII data breach harms individuals and could damage an organization's reputation and expose it to litigation.
• Sensitive database fields with PII should be encrypted, while less sensitive fields should be stored as a hash.
Support the development of policies that contain:
• Separation of duties creates a check and balance. Separation of duties makes social engineering harder in that more than one person has to be compromised.
• Job rotation ensures that others are trained and are not a single point of failure. An example of job rotation is employees in the accounting department moving between the accounts payable and accounts receivable roles.
• Mandatory vacation. Some companies such as banks might specify that employees need to take two consecutive weeks of vacation a year so their work can be audited.
• Least privilege. An administrator should create an additional account without administrative privileges to ensure that he is logging in using least privilege.
• Continuity of Operation Plan (COOP) defines and provides for the nearly uninterrupted operation of mission essential functions. It facilitates decision making in a crisis to ensure near continuous performance and protects essential assets.
• Forensic tasks. Notify the incident response team. Most important on the team are administrators and data owners.
• Secure the area. This would include crime scene tape. Contain the incident. Analyze the most perishable material first.
• Employment and termination procedures should be followed so that when an employee leaves an organization, the computer accounts and workplace access of that employee are promptly disabled.
• Continuous monitoring maintains ongoing awareness of information security, vulnerabilities, and threats to make fully informed organizational risk management decisions.
• Training and awareness for users should include policies and training in place to preserve both the security and the reputation of the company.
• Auditing requirements and frequency. Audit logs should be reviewed daily. Auditing account login would verify the time and date certain users access a server.

2.4 Given a scenario, conduct incident response and recovery procedures
E-Discovery or Electronic Discovery is where electronic data is discovered, secured, and searched so it can be used as evidence in a court proceeding.
• Electronic inventory and asset control would show patching levels of different servers, and the servers that should be secured in the event of an attack.
• Data retention policies should be followed and all relevant data preserved. If a court asks for data in excess of company policy it must be presented if it is available on a backup tape.
• Data recovery and storage allows restoration of data that has been deleted or corrupted. A server may be kept after retirement if it is the only one that can read a data format of information that must be preserved.
• Data owners classify data and understand the value of the classified information and the implications of its disclosure.
• Data handling ensures that data is stored, archived, and disposed of in a secure manner.
• Legal hold preserves all forms of relevant data when litigation is anticipated.
Data breach is the unintentional or intentional exposure of classified information to untrusted parties.
• Detection and collection. Chain of custody should be maintained. The most perishable information should be collected first.
• Data analytics would establish thresholds that might indicate a system has been compromised. Detection of a data breach and collection of relevant forensics can be performed by data analytics that look for telling patterns in the data.
• Mitigation starts by putting the appropriate controls in place. Intrusion prevention can shut down a breach before it can affect systems.
• Minimize the chance of a breach by employing security measures such as data classification, compartmentalization, encryption, intrusion detection, physical security, and security policy.
• Isolate compromised systems to contain a security incident.
• Recovery/reconstitution: data, services, and systems should be restored and secured.
• Response may include measures taken to prevent future breaches.
• Disclosure of a breach may be governed by law, regulation or contract.
Design systems to facilitate incident response by logging enough relevant information to understand and respond to an attack. Audit reduction tools and Security Incident and Event Management (SIEM) should be used.
• Internal and external violations should be reported and remediated.
Privacy policy is a statement that discloses the means by which a party gathers, uses, and discloses an individual's confidential data. It establishes protections on an individual's privacy.
Criminal actions should be reported if a third party is aware of another employee's malfeasance.
Insider threats are remediated by compartmentalization of data, need to know, and least privilege.
Non-malicious threats/misconfigurations may still cause damage if employees are not thoroughly trained or make honest mistakes.
Establish and review system, audit and security logs, or breaches will go undetected until they are much more serious.
Incident and emergency response
• Chain of custody should be maintained and documentation made of who collected and who had access to evidence.
• Forensic analysis of compromised system - Live forensics collect data from running systems, providing much more information than would be available in a disk-only forensic analysis.
• Incident response - Components of incident response include basic forensic procedures, damage and loss control, chain of custody, and first responder incident response.
• Order of volatility is the order in which digital evidence is collected, as follows: CPU registers, cache memory, memory, ARP cache, network connections, virtual memory, hard disk, CDs and DVDs, and then any printed documentation.
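The thresholds that the data analytics and log review items in 2.4 above rely on, as an added example that is not from the guide: detection logic run over constructed syslog-style lines, flagging a burst of failed logins from one source, a successful login that follows such a burst, and an unusually large outbound transfer from one host. The log lines (addresses from documentation ranges), the regular expressions and the threshold values are all constructed for this example; real thresholds are tuned to the environment.

```python
"""Added example (not from the guide): threshold-based detection over constructed
log lines, the kind of rule a SIEM or audit reduction tool applies to the logs
the guide says must be reviewed."""
import re
from collections import Counter, defaultdict

# Constructed syslog-style sample (not real logs).
SAMPLE_LOG = """\
2024-05-01T02:14:05 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T02:14:06 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T02:14:08 auth sshd: Failed password for root from 203.0.113.7
2024-05-01T02:14:09 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T02:14:11 auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T02:14:14 auth sshd: Accepted password for admin from 203.0.113.7
2024-05-01T09:00:00 auth sshd: Failed password for alice from 198.51.100.4
2024-05-01T09:00:30 auth sshd: Accepted password for alice from 198.51.100.4
2024-05-01T10:12:00 proxy egress: src=10.0.5.21 dst=203.0.113.9 bytes_out=52428800
2024-05-01T10:12:01 proxy egress: src=10.0.5.22 dst=198.51.100.77 bytes_out=1048576
2024-05-01T10:12:02 proxy egress: src=10.0.5.21 dst=203.0.113.9 bytes_out=62914560
"""

FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")
ACCEPT_RE = re.compile(r"Accepted password for \S+ from (\S+)")
EGRESS_RE = re.compile(r"src=(\S+) dst=\S+ bytes_out=(\d+)")

# Thresholds an analyst tunes to the environment (constructed values).
FAILED_LOGIN_THRESHOLD = 5                  # failures from one source before flagging
EGRESS_BYTES_THRESHOLD = 100 * 1024 * 1024  # bytes out of one host in the window


def analyze(log_text):
    """Return a sorted list of (finding, subject) pairs that crossed a threshold."""
    failures = Counter()
    success_after_failures = set()
    egress = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            src = m.group(1)
            # A success right after a burst of failures is the stronger signal.
            if failures[src] >= FAILED_LOGIN_THRESHOLD:
                success_after_failures.add(src)
            continue
        m = EGRESS_RE.search(line)
        if m:
            egress[m.group(1)] += int(m.group(2))
    findings = []
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("brute_force", src))
    for src in success_after_failures:
        findings.append(("success_after_brute_force", src))
    for host, total in egress.items():
        if total >= EGRESS_BYTES_THRESHOLD:
            findings.append(("possible_exfiltration", host))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in analyze(SAMPLE_LOG):
        print(finding, subject)
```

The single failed login from alice stays below the threshold and produces nothing; the host that moved 110 MiB in two requests is flagged while the 1 MiB transfer is not.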
Domain 3.0 Research, Analysis and Assessment (Exam Coverage 20%)

3.1 Apply research methods to determine industry trends and impact to the enterprise
Perform ongoing research. A security professional needs to be involved in the research process in addition to other duties.
• Best practices. Social media and security websites have communities where you can share industry news, events, trends, and alerts.
• New technologies are highlighted by security blogs and podcasts.
• New security systems and services. Some vendors, such as Microsoft, Cisco, and Adobe, provide up to date security advisory information on vulnerabilities and countermeasures in their technologies.
• Technology evolution (e.g. RFCs, ISO). New standards are often responses to new threats and should be given serious consideration.
Situational awareness is a deep understanding of the shifting threat landscape.
• Latest client-side attacks are often disclosed at events ranging from vendor conventions to "hacker cons."
• Knowledge of current vulnerabilities and threats. Conventions are an outstanding venue to make connections, to network with other security professionals, and to get the latest industry news.
• Zero day mitigating controls and remediation are best accomplished by behavior based and anomaly based intrusion protection systems. Honeypots and honeynets disclose new attack vectors.
• Emergent threats and issues can be statistically broken down by security vendors. IT budgets should be aligned with the emerging threat landscape.
Research security implications of new business tools
• Social media/networking use makes a company vulnerable to phishing attacks, disclosure of confidential information, and exposure to poisoned links.
• End user cloud storage could be used for data exfiltration.
• Integration within the business will lead to a much better perspective on current and future attacks and defenses against attacks.
Global IA industry/community
• Computer Emergency Response Team (CERT) has for over a quarter of a century focused on a safe and strong Internet by response to major incidents, threat analysis, and sharing of critical cybersecurity information.
• Conventions/conferences are ways to obtain information about the latest threats from those in the know.
• Threat actors range from script kiddies, to hacktivists, to professional hackers, to nation states with advanced persistent threats (APTs) that won't go away even if they are temporarily blocked.
• Emerging threat sources/threat intelligence is disclosed by research, threat feeds, and conferences.
Research security requirements for contracts
• Request for Proposal (RFP) asks for a vendor's general approach to a project.
• Request for Quote (RFQ) asks for pricing, payment terms, and deliverables.
• Request for Information (RFI) asks for more detailed information on a specific solution.
• Agreements. A Service-Level Agreement or SLA is contractually binding. SLAs might include minimum requirements for uptime, incident response time, available bandwidth, disaster recovery, and technical support.

3.2 Analyze scenarios to secure the enterprise
Create benchmarks and compare to baselines. A benchmark is a secure starting point. It would need to be adjusted if a new application was added to the baseline. Thresholds indicate unacceptable variation from the baseline.
Prototype and test multiple solutions to ensure their effectiveness, reliability and efficiency.
Cost benefit analysis would ensure that the value of a new initiative is not outweighed by its security drawbacks.
• ROI or Return on Investment is the amount of money gained in relation to the amount of money spent on a project.
• TCO or Total Cost of Ownership not only looks at acquisition costs, but also the cost of upkeep and training.
Metrics collection and analysis of the right dataset will disclose whether a solution continues to be cost effective or needs to be upgraded or replaced.
Analyze and interpret trend data to anticipate cyber defense needs; this will lead to proactive and not just reactive solutions.
Review effectiveness of existing security controls as zero day threats emerge.
Reverse engineer/deconstruct existing solutions to make sure they don't have any fatal flaws that can be exploited.
Analyze security solution attributes to ensure they meet business needs:
• Performance metrics should be collected to make sure that the solution will work under load.
• Latency or delay in communications can be fatal for a security application.
• Scalability is the ability to meet increasing demands in a graceful way.
• Capability is the ability to meet or achieve a specific goal such as enforcement of computer security policies, acceptable use policies, and best security practices.
• Usability is manifest by an intuitive interface for a security product.
• Maintainability means that if a security product goes offline, it can quickly be returned to service.
• Availability is the continuous or near continuous operation and persistence of security controls.
• Recoverability is the capability to restore systems to the precise point at which the failure occurred.
Conduct a lessons-learned/after-action report and put any recommendations into action if they have merit. Honesty and thoroughness are the key to improving security after an incident.
Use judgment to solve difficult problems that do not have a best solution. Think as a manager and not just as an IT technician by exploring the business case for security controls and responses.

3.3 Given a scenario, select methods or tools appropriate to conduct an assessment and analyze results
Tool type
• Port scanners would show if vulnerable ports are open and could fingerprint/determine the operating system being scanned.
• Vulnerability scanners passively attempt to identify weaknesses. If users report corrupted data after a recent patch update, then vulnerability scanning should be used to identify the cause.
• Protocol analyzer. Sniffers capture network packets. They are usually integrated with a protocol analyzer that understands the content of the packets. Examples are Wireshark and Microsoft Network Monitor.
• Network enumerators such as SuperScan discover hosts, shares, users, and weak passwords on a network.
• Password crackers such as John the Ripper discover weak passwords. A password cracker would be most useful for a security technician to run on a single, standalone machine with no network interface to verify its overall security posture.
• Fuzzer discovers security vulnerabilities by sending random input strings to a program. A vulnerability is discovered if that input results in an exception, crash or server error.
• HTTP interceptor reveals the specific code and input validation passed between a browser and website. An HTTP interceptor proxies traffic between the tester's web browser and the web server.
• Exploitation tools/frameworks such as Metasploit are more than just a collection of exploits; Metasploit is an infrastructure that you can build upon with your own set of exploitation tools.
• Passive reconnaissance and intelligence gathering tools reveal critical information about the effectiveness of an organization's security controls.
Social media use should be governed by corporate policy. Employees may not understand the risks associated with the information they post online, nor realize the damage that could be caused by disclosure of sensitive information.
Whois records should be sanitized of employee names or attackers can harvest this information.
Routing tables can reveal backup routes that are not as hardened as primary routes.
Methods
• Vulnerability assessment can test the security of a network for a wide range of problems without disrupting operations.
• Malware sandboxing isolates malicious code so that it can be studied and defenses can be developed.
• Memory dumping, runtime debugging extracts memory contents so malware's dynamic activity can be examined.
• Penetration testing proves that a threat can exploit a vulnerability.
• Black box testing is conducted without any knowledge of a network.
• White box testing is conducted with complete knowledge of the source code and/or an administrative login.
• Grey box testing is conducted with partial source code, or the login of a regular user.
• Reconnaissance is the discovery and mapping of systems, services, or vulnerabilities in preparation for an attack.
• Fingerprinting discloses the operating system running on the target computer. Port scanners do stack fingerprinting.
• Code review finds and fixes security issues before the code is tested or shipped.
• Social engineering vulnerabilities are reduced by security policy training. This puts users on the security team and educates them about threats and countermeasures.
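The fuzzer described under Tool type in 3.3 above, as an added example that is not from the guide: a toy record parser (constructed for this example) that handles the format errors it expects, a fuzzer that feeds it random text, mutated copies of a valid record and well-formed records with random declared lengths, recording any exception the parser did not anticipate, and the corrected parser that the same fuzzer no longer crashes. The record format, the seed record and the fuzzer's parameters are all constructed here.

```python
"""Added example (not from the guide): a small fuzzer run against a constructed
toy record parser. The parser handles the format errors it knows about; the
fuzzer finds the one it does not."""
import random
import string

ALPHABET = string.digits + string.ascii_letters + ":;!-\x00"
SEED_RECORD = "3:abc!"   # a valid record: declared length, ':', payload, trailer byte


def parse_record(raw):
    """Toy parser for 'N:payload' where N is the payload length and one trailer
    byte follows the payload. Known-bad input is rejected with ValueError."""
    if ":" not in raw:
        raise ValueError("missing separator")
    length_s, payload = raw.split(":", 1)
    if not length_s.isdigit():
        raise ValueError("length is not a number")
    n = int(length_s)
    body = payload[:n]
    trailer = payload[n]   # BUG: trusts N; a declared length past the end crashes here
    return body, trailer


def parse_record_fixed(raw):
    """The same parser with the declared length validated before it is used."""
    if ":" not in raw:
        raise ValueError("missing separator")
    length_s, payload = raw.split(":", 1)
    if not length_s.isdigit():
        raise ValueError("length is not a number")
    n = int(length_s)
    if n >= len(payload):
        raise ValueError("declared length exceeds payload")
    return payload[:n], payload[n]


def random_input(rng, max_len=12):
    """Three generators: fully random text, a mutated copy of a valid record,
    and a well-formed record with a random declared length."""
    mode = rng.randint(0, 2)
    if mode == 0:
        return "".join(rng.choice(ALPHABET) for _ in range(rng.randint(0, max_len)))
    if mode == 1:
        chars = list(SEED_RECORD)
        for _ in range(rng.randint(1, 3)):
            chars[rng.randrange(len(chars))] = rng.choice(ALPHABET)
        return "".join(chars)
    payload = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(0, max_len)))
    return f"{rng.randint(0, 2 * max_len)}:{payload}"


def fuzz(target, iterations=1500, seed=1, expected=(ValueError,)):
    """Feed random inputs to target; return {exception name: first input that
    raised it} for every exception that is not a documented rejection."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        s = random_input(rng)
        try:
            target(s)
        except expected:
            continue
        except Exception as e:          # anything else is a finding
            crashes.setdefault(type(e).__name__, s)
    return crashes


def crashes_with(target, s, exc_type):
    """Reproduce a finding: does target(s) raise exc_type?"""
    try:
        target(s)
    except exc_type:
        return True
    except Exception:
        return False
    return False


if __name__ == "__main__":
    found = fuzz(parse_record)
    print(found)                       # {'IndexError': <first crashing record>}
    print(fuzz(parse_record_fixed))    # {}
```

Keeping the first crashing input per exception type gives a reproducer for the bug report; the fixed parser turns the crash into the same documented ValueError the caller already handles.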
Domain 4.0 Integration of Computing, Communications and Business Disciplines (Exam Coverage 15%)

4.1 Given a scenario, facilitate collaboration across diverse business units to achieve security goals
Interpreting security requirements and goals to communicate with stakeholders from other disciplines
• Sales staff are high value targets for competitors as they usually know corporate plans, roadmaps, and new products.
• Programmers are responsible for secure coding that is baked in, and for code review.
• Database administrators have access to confidential data such as corporate financials and customer account PII.
• Network administrators maintain availability of servers, switches, routers, and security devices.
• Management/executive management provide direction and support for security policies and initiatives.
• Financial staff record and control sensitive information. They monitor cash flows and look for irregularities.
• Human resources vet and help train new employees. In the event an employee is terminated, HR coordinates with IT security to ensure that employee access is promptly terminated.
• Emergency response team responds to, contains, and remediates security incidents and shares the solutions.
• Facilities manager controls HVAC and janitorial services.
• Physical security manager controls guards, locks, burglar alarm systems, and card reader access control systems.
Provide objective guidance and impartial recommendations to staff and senior management on security processes and controls; these may be provided by third party audits and penetration testing.
Establish effective collaboration within teams to implement secure solutions. This may mean job shadowing and/or crosschecks on application code.
IT governance includes Enterprise Security Architecture (ESA) frameworks that plan, allocate, and control information security resources that include people, processes, and technologies so that IT aligns with business needs.

4.2 Given a scenario, select the appropriate control to secure communications and collaboration solutions
Security of unified collaboration tools
• Web and video conferencing should ensure that desktop sharing is read only or access is tightly controlled.
• Instant messaging might be limited to within an organization, encrypted, and archived.
• Remote assistance provides temporary control of remote computers to resolve issues. Authentication must be strong so an attacker is not granted access to an employee's computer.
• Presence allows employees to see if another party is immediately available to chat.
• Email that is sensitive should be digitally signed and encrypted using a program such as S/MIME, PGP, or GPG.
• Telephony should be encrypted if sensitive information is discussed.
• VoIP can be secured using Secure Real-time Protocol (SRTP), by installing a HIPS on the Session Initiation Protocol (SIP) servers, and by configuring 802.1q on the network.
• Collaboration sites facilitate cooperation between organizational units and a better understanding of their roles and responsibilities in effective information security.
• Social media is an ineffective solution because its policies may not align with business security policies.
• Cloud-based collaboration should be encrypted. Implement NAC to limit insecure devices' access to a company cloud.
Remote access - Encrypt data in transit for remote access. Implement NAC to limit insecure devices' access.
Mobile device management or MDM. To ensure that the software will not be modified by a third party or end users before being installed on mobile devices, implement remote attestation with application whitelisting.
• BYOD should utilize an MDM solution with encrypted containerization of company data.
Over-the-air technologies concerns include downloading malicious apps that can track devices or spy on the user, unencrypted data stored in SIM cards, SMS phishing, and geolocation of shared photos.

4.3 Implement security activities across the technology life cycle
End-to-end solution ownership is exemplified by end-to-end encryption for data transfer using SSL tunneling software on the financial system used between company locations.
• Operational activities include thwarting threats and vulnerabilities during normal and abnormal computer operations.
• Commissioning of systems should not put a company on the bleeding edge of technology.
• Decommissioning and asset disposal should include sanitization and destruction of sensitive materials.
• Asset/object reuse. Before an asset is reused, multiple bit level overwrites should be performed on the hard drive.
• General change management should involve a change management board that approves significant changes.
Systems Development Life Cycle
• Security System Development Life Cycle (SSDLC)/Security Development Lifecycle (SDL). SDLC creates software that is secure by design. The price of failure is costly and disruptive events.
• Security Requirements Traceability Matrix (SRTM) is a table that enumerates security requirements and their associated security controls.
• Validation and acceptance testing verify that the product or application meets the security as well as functionality requirements. Acceptance testing could be black box or white box or some combination.
• Security implications of agile, waterfall and spiral software development methodologies. These development models can be equally secure if security milestones coincide with functional milestones and security is not an afterthought.
Adapt solutions to address emerging threats and security trends such as the rise of advanced persistent threats.
Asset management includes inventory and classification of IT assets so they can be properly protected.
Device tracking technologies can be used to spy on the user or to make sure that a user is not misusing a company vehicle on company time.
• Geo-location/GPS location technologies enable tracking the real-world location of an item. These technologies allow geotagging of locations of photographs.
• Object tracking and containment technologies
• Geo-tagging/geo-fencing cannot automatically disable cameras within a facility or provide a notification that a package or user has arrived onsite.
• RFID, beacons, and satellites can be used to perform geo-tagging.

Domain 5.0 Technical Integration of Enterprise Components (Exam Coverage 15%)


5.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture
Secure data flows to meet changing business needs
Standards
¡ Open standards provide interoperability without licensing fees.
¡ Adherence to standards reduces incompatibilities between systems.
¡ Competing standards may need to be sorted out before a company adopts one, unless the product is upgradable in firmware to either standard.
¡ Lack of standards and the use of unproven technologies lead to unforeseen vulnerabilities.
¡ De facto standards are instituted by common use. De jure standards are supported by a standards organization.
Interoperability issues
¡ Legacy systems/current systems, when integrated, may produce gaps in security. Generally the strongest security between the systems should be used. Parallel operation may be used until all issues are identified.
¡ Application requirements include determining how the new application will work with both legacy systems and current systems.
¡ In-house developed vs. commercial vs. commercial customized. Commercial off-the-shelf (COTS) software is widely tested. Modified off-the-shelf (MOTS) software can be customized for higher security. Custom code should be patched.
¡ Technical deployment models (outsourcing/insourcing/managed services/partnership) should determine necessary data flows and common security controls. Based on an assessment of compliance, partnerships may be rethought.
Cloud and virtualization considerations and hosting options:
¡ Public cloud has the lowest prices based on the most sharing and the lowest customization.
¡ Private cloud is the most secure and customizable but requires significant corporate IT resources.
¡ Hybrid clouds are a combination of clouds.
¡ Community clouds of like-minded organizations, such as a financial or DOD community, are the next best alternative to private clouds if security is a paramount concern and
budget and/or resources do not permit a private cloud.
Multi-tenancy has less security but a lower cost than single-tenancy cloud models.
¡ Vulnerabilities associated with a single physical server hosting multiple companies' virtual machines include a single point of failure and blending systems with diverse security needs.
¡ Vulnerabilities associated with a single platform hosting multiple companies' virtual machines:
¡ Secure use of on-demand/elastic cloud computing saves money by only providing as much capability as needed, when needed. Otherwise, extra capability in an organization's datacenter might go unused most of the time.
¡ Data remnants can be scraped from de-provisioned virtual machines.
¡ Data aggregation can provide too much insight into a company's operations.
¡ Data isolation would protect confidential company documents.
¡ Resource provisioning and de-provisioning should be automated to save costs. This provides scalability and 24/7 self-service availability for the addition and deletion of users for cloud apps, servers, virtual devices, and applications.
¡ Securing virtual environments, services, applications, appliances and equipment should include securing the hypervisor and VM templates. vTPMs can be used for encryption.
¡ Design considerations during mergers, acquisitions and demergers/divestitures should start with an analysis of the respective regulatory environments, respective current security controls, and necessary data flows.
¡ Network secure segmentation and delegation would limit information breaches by providing compartmentalization.
Logical deployment diagram and corresponding physical deployment diagram of all relevant devices would provide insight into the security design and whether security controls can be bypassed.
Secure infrastructure design (e.g. deciding where to place certain devices/applications) would include placing the NIPS downstream of the SSL accelerator so that decrypted traffic can be examined.
Storage integration (security considerations) would include using multipathing on a Fibre Channel SAN to provide fault tolerance and storage network isolation from DoS attacks on the production network.
Enterprise application integration enablers include the following:
¡ CRM or customer relationship management applications allow companies to proactively manage their relationship with customers.
¡ ERP or enterprise resource planning integrates all of an organization's processes into a customized multipurpose system hosted on a unified database.
¡ GRC or governance, risk management, and compliance provides a security framework to minimize data breaches.
¡ ESB or Enterprise Service Bus coordinates activities between services using a common message format.
¡ SOA or a service-oriented architecture allows application components to provide services to other components over a network.
¡ Directory Services provide SSO with universal access to resources based on permissions.
¡ DNS is used to resolve a hostname to an IP address. Attacks against DNS include pharming and cache poisoning. TSIG or transaction signatures and DNSSEC use certificates to authenticate DNS servers.
¡ CMDB or a configuration management database acts like a data warehouse for IT organizations.
¡ CMS or Configuration Management System is a unified set of tools that automate the collection, storage, and management of the configuration data of software, hardware, and infrastructure.

5.2 Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives
Authentication is proving who you are to a computer.
¡ Certificate-based authentication is stronger than authentication using a password.
¡ Single sign-on simplifies access, but is a single point of failure. It allows removal of all privileges at the same time.
Authorization
¡ OAuth or Open Authorization allows a user to authorize access to a third-party resource by providing an access token that does not contain confidential authentication credentials.
¡ XACML or Extensible Access Control Markup Language is an XML-based standard for access control-based decisions.
¡ SPML or Service Provisioning Markup Language is an XML-based framework for automating and managing the provisioning of resources between partner networks and organizations.
SAML Authentication Steps (diagram; participants shown: User, RADIUS Server, RADIUS Server, RADIUS Server):
¡ Request Login
¡ Forward to SAML Login
¡ Request to Validate User
¡ User Validated
¡ Successful SAML Login
¡ Grant Session
Attestation is a referral to a home organization to provide authentication without exposing shared secrets.
Identity propagation is the exchange of identity information between cooperating applications.
Federation provides single sign-on in the cloud. Federation can be provided by the following:
¡ SAML or Security Assertion Markup Language is an XML-based standard for securely exchanging authentication-related data. SAML uses transient identifiers to prevent replay attacks.
¡ OpenID is an open federated ID standard similar to SAML. OpenID uses the following standards: OpenID Authentication, Attribute Exchange, Simple Registration Extension, and Provider Authentication Policy Exchange.
¡ Shibboleth is another alternative to SAML. It is a distributed web resource access control system in which the target website trusts the source site to authenticate its users and manage their attributes correctly.
¡ WAYF or Where Are You From provides universal access to multiple web-based services. It also provides SSO and also uses attestation.
Advanced trust models
RADIUS configurations for a web of trusted RADIUS servers communicating over the Internet should enforce TLS.
LDAP - If two companies are joining their networks with the first company using RADIUS with 802.1x, and the second using a captive SSL portal with an LDAP backend, then the second should enable 802.1x on their network devices.
AD or Active Directory authentication is provided by Kerberos, which uses time-stamped tickets that prevent replay attacks.
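The SAML login steps and the note that SAML relies on transient identifiers to prevent replay leave open what the service provider actually checks before it grants a session. The following Python example is added here to show those checks; it is not part of the cram guide and not code from any SAML product. The assertion, the issuer URL https://idp.example.com/saml and the audience URL https://sp.example.com/saml/metadata are all constructed for the example, and it assumes that the XML Signature on the assertion has already been verified in an earlier step, so only the conditions (trusted issuer, validity window with clock skew, audience, transient NameID, and rejection of a reused assertion ID) are enforced here.

```python
"""Service-provider-side checks on an incoming SAML 2.0 assertion.

Added example (not from the CASP guide or any SAML library). It assumes the
XML Signature was already verified and enforces only the conditions that
decide whether a session may be granted, including replay rejection.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion; the issuer, audience and IDs are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_constructed-id-0001" IssueInstant="2015-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{TRANSIENT}">_tx-7f3a9c</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-06-01T11:59:00Z" NotOnOrAfter="2015-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse the SAML dateTime form used above (UTC, whole seconds)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    """Stateful validator: remembers accepted assertion IDs until they expire."""

    def __init__(self, audience, trusted_issuers, skew=timedelta(seconds=60)):
        self.audience = audience
        self.trusted_issuers = set(trusted_issuers)
        self.skew = skew          # tolerated clock difference with the IdP
        self.seen_ids = {}        # assertion ID -> NotOnOrAfter

    def _purge(self, now):
        # An expired ID can no longer pass the time check, so forget it.
        self.seen_ids = {i: t for i, t in self.seen_ids.items() if now - self.skew < t}

    def validate(self, xml_text, now):
        """Return (accepted, detail); detail is the transient NameID on success."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAML_NS}}}Assertion":
            return False, "not a SAML assertion"
        if root.findtext("saml:Issuer", namespaces=NS) not in self.trusted_issuers:
            return False, "untrusted issuer"
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            return False, "missing Conditions"
        not_before = parse_utc(cond.get("NotBefore"))
        not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
        if now + self.skew < not_before:
            return False, "not yet valid"
        if now - self.skew >= not_on_or_after:
            return False, "expired"
        audiences = [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            return False, "audience mismatch"
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is None or name_id.get("Format") != TRANSIENT:
            return False, "NameID is not transient"
        self._purge(now)
        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids[assertion_id] = not_on_or_after
        return True, name_id.text


def demo():
    """Run the constructed assertion through the checks; returns the outcomes."""
    sp = AssertionValidator("https://sp.example.com/saml/metadata",
                            ["https://idp.example.com/saml"])
    t = parse_utc("2015-06-01T12:01:00Z")
    return [
        sp.validate(SAMPLE_ASSERTION, t),                        # fresh: accepted
        sp.validate(SAMPLE_ASSERTION, t + timedelta(seconds=5)), # same ID: replay
        sp.validate(SAMPLE_ASSERTION, parse_utc("2015-06-01T12:10:00Z")),  # too late
    ]


if __name__ == "__main__":
    for accepted, detail in demo():
        print("ACCEPT" if accepted else "REJECT", detail)
```

The replay cache is bounded because an assertion ID only needs to be remembered until its NotOnOrAfter has passed; after that the validity window alone rejects it. The same pattern (short validity window plus a one-time identifier) is what the time-stamped Kerberos tickets mentioned under Active Directory rely on.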

© 2015 ExamForce, a Division of LearnForce Partners, LLC. All Rights Reserved. No part of this work may be reproduced, transcribed, or used in any form or by any means
graphic, electronic, or mechanical, including photocopying, recording, taping, web distribu on, or informa on storage and retrieval systems without the prior wri en permission
of the copyright holder. For more informa on visit our website at www.examforce.com or call 800-845-8569 (US and Canada) or (727) 507-9646 Int'l. Some of the product and
company names used in this work may be trademarks or registered trademarks of their respec ve owners and have been used for iden fica on purposes only.
