CompTIA Advanced Security Practitioner (CASP+) CAS-004

NuxSoftware Training & Certification Solutions in Coimbatore is providing a top-notch training environment for CompTIA Advanced Security Practitioner (CASP+ CAS-004). The combination of an excellent training center, advanced labs infrastructure, and experienced trainers with real-time industry expertise makes it an ideal choice for individuals looking to enhance their skills in cybersecurity.

The performance-based items in the CompTIA Advanced Security Practitioner (CASP+) CAS-004 certification certainly set it apart, allowing professionals to showcase their ability to handle critical IT support tasks in real-world scenarios. It adds a practical dimension to the certification process, ensuring that individuals not only possess theoretical knowledge but can also apply it effectively.

It’s impressive how the CompTIA certifications, such as the Advanced Security Practitioner (CASP+), continue to be trusted by employers globally. The constant evolution and adaptation of these certifications demonstrate a commitment to staying relevant in the ever-changing landscape of IT. This ensures that certified professionals are equipped with the essential skills and abilities demanded in real-world workplace scenarios.

Course Syllabus

CompTIA Advanced Security Practitioner (CASP+) CAS-004 Syllabus

Chapter 1

Risk Management 19%

Summarize business and industry influences and associated security risks.

  • Risk management of new products, new technologies and user behaviors
  • New or changing business models/strategies
    Partnerships
    Outsourcing
    Cloud
    Acquisition/merger – divestiture/demerger
    Data ownership
    Data reclassification
  • Security concerns of integrating diverse industries
    Rules, policies, regulations
    Export controls
    Legal requirements
    Geography
    Data sovereignty
    Jurisdictions
  • Internal and external influences
    Competitors
    Auditors/audit findings
    Regulatory entities
    Internal and external client requirements
    Top-level management
  • Impact of de-perimeterization (e.g., constantly changing network boundary)
    Telecommuting
    Cloud
    Mobile
    BYOD
    Outsourcing
    Ensuring third-party providers have requisite levels of information security

Chapter 2

    Compare and contrast security, privacy policies and procedures based on organizational requirements.

    1. Policy and process life cycle management
    New business
    New technologies
    Environmental changes
    Regulatory requirements
    Emerging risks
    2. Support legal compliance and advocacy by partnering with human resources, legal, management and other entities
    3. Understand common business documents to support security
    Risk assessment (RA)
    Business impact analysis (BIA)
    Interoperability agreement (IA)
    Interconnection security agreement (ISA)
    Memorandum of understanding (MOU)
    Service-level agreement (SLA)
    Operating-level agreement (OLA)
    Non-disclosure agreement (NDA)
    Business partnership agreement (BPA)
    Master service agreement (MSA)
    4. Research security requirements for contracts
    Request for proposal (RFP)
    Request for quote (RFQ)
    Request for information (RFI)
    5. Understand general privacy principles for sensitive information
    6. Support the development of policies containing standard security practices
    Separation of duties
    Job rotation
    Mandatory vacation
    Least privilege
    Incident response
    Forensic tasks
    Employment and termination procedures
    Continuous monitoring
    Training and awareness for users
    Auditing requirements and frequency
    Information classification

    Given a scenario, execute risk mitigation strategies and controls.

    1. Categorize data types by impact levels based on CIA
    2. Incorporate stakeholder input into CIA impact-level decisions
    3. Determine minimum-required security controls based on aggregate score
    4. Select and implement controls based on CIA requirements and organizational policies
    5. Extreme scenario planning/worst-case scenario
    6. Conduct system-specific risk analysis
    7. Make risk determination based upon known metrics
    7.1 Magnitude of impact based on ALE and SLE
    7.2 Likelihood of threat
    Motivation
    Source
    ARO
    Trend analysis
    7.3 Return on investment (ROI)
    7.4 Total cost of ownership
    8. Translate technical risks in business terms
    9. Recommend which strategy should be applied based on risk appetite
    Avoid
    Transfer
    Mitigate
    Accept
    10. Risk management processes
    Exemptions
    Deterrence
    Inherent
    Residual
    11. Continuous improvement/monitoring
    12. Business continuity planning
    RTO
    RPO
    MTTR
    MTBF
    13. IT governance
    Adherence to risk management frameworks
    14. Enterprise resilience

    Analyze risk metric scenarios to secure the enterprise.

    1. Review effectiveness of existing security controls
    Gap analysis
    Lessons learned
    After-action reports
    2. Reverse engineer/deconstruct existing solutions
    3. Creation, collection and analysis of metrics
    KPIs
    KRIs
    4. Prototype and test multiple solutions
    5. Create benchmarks and compare to baselines
    6. Analyze and interpret trend data to anticipate cyber defense needs
    7. Analyze security solution metrics and attributes to ensure they meet business needs
    Performance
    Latency
    Scalability
    Capability
    Usability
    Maintainability
    Availability
    Recoverability
    ROI
    TCO
    8. Use judgment to solve problems where the most secure solution is not feasible

Chapter 3

Enterprise Security Architecture 25%

    Analyze a scenario and integrate network and security components, concepts and architectures to meet security requirements.

    1. Physical and virtual network and security devices
    UTM
    IDS/IPS
    NIDS/NIPS
    INE
    NAC
    SIEM
    Switch
    Firewall
    Wireless controller
    Router
    Proxy
    Load balancer
    HSM
    MicroSD HSM
    2. Application and protocol-aware technologies
    WAF
    Firewall
    Passive vulnerability scanners
    DAM
    3. Advanced network design (wired/wireless)
    Remote access
    VPN
    IPSec
    SSL/TLS
    SSH
    RDP
    VNC
    VDI
    Reverse proxy
    IPv4 and IPv6 transitional technologies
    Network authentication methods
    802.1x
    Mesh networks
    Placement of fixed/mobile devices
    Placement of hardware and applications
    4. Complex network security solutions for data flow
    DLP
    Deep packet inspection
    Data flow enforcement
    Network flow (S/flow)
    Data flow diagram
    5. Secure configuration and baselining of networking and security components
    6. Software-defined networking
    7. Network management and monitoring tools
    Alert definitions and rule writing
    Tuning alert thresholds
    Alert fatigue
    8. Advanced configuration of routers, switches and other network devices
    Transport security
    Trunking security
    Port security
    Route protection
    DDoS protection
    Remotely triggered black hole
    9. Security zones
    DMZ
    Separation of critical assets
    Network segmentation
    10. Network access control
    Quarantine/remediation
    Persistent/volatile or non-persistent agent
    Agent vs. agentless
    11. Network-enabled devices
    System on a chip (SoC)
    Building/home automation systems
    IP video
    HVAC controllers
    Sensors
    Physical access control systems
    A/V systems
    Scientific/industrial equipment
    12. Critical infrastructure
    Supervisory control and data acquisition (SCADA)
    Industrial control systems (ICS)
    Analyze a scenario to integrate security controls for host devices to meet security requirements.

    1. Trusted OS (e.g., how and when to use it)
    SELinux
    SEAndroid
    TrustedSolaris
    Least functionality
    2. Endpoint security software
    Anti-malware
    Antivirus
    Anti-spyware
    Spam filters
    Patch management
    HIPS/HIDS
    Data loss prevention
    Host-based firewalls
    Log monitoring
    Endpoint detection response
    3. Host hardening
    Standard operating environment/configuration baselining
    Application whitelisting and blacklisting
    Security/group policy implementation
    Command shell restrictions
    Patch management
    Manual
    Automated
    Scripting and replication
    Configuring dedicated interfaces
    Out-of-band management
    ACLs
    Management interface
    Data interface
    External I/O restrictions
    USB
    Wireless
    Bluetooth
    NFC
    IrDA
    RF
    802.11
    RFID
    Drive mounting
    Drive mapping
    Webcam
    Recording mic
    Audio output
    SD port
    HDMI port
    File and disk encryption
    Firmware updates
    4. Boot loader protections
    Secure boot
    Measured launch
    Integrity measurement architecture
    BIOS/UEFI
    Attestation services
    TPM
    5. Vulnerabilities associated with hardware
    6. Terminal services/application delivery services
    Analyze a scenario to integrate security controls for mobile and small form factor devices to meet security requirements.

    1. Enterprise mobility management
    Containerization
    Configuration profiles and payloads
    Personally owned, corporate-enabled
    Application wrapping
    Remote assistance access
    VNC
    Screen mirroring
    Application, content and data management
    Over-the-air updates (software/firmware)
    Remote wiping
    SCEP
    BYOD
    COPE
    VPN
    Application permissions
    Side loading
    Unsigned apps/system apps
    Context-aware management
    Geolocation/geofencing
    User behavior
    Security restrictions
    Time-based restrictions
    2. Security implications/privacy concerns
    Data storage
    Non-removable storage
    Removable storage
    Cloud storage
    Transfer/backup data to uncontrolled storage
    USB OTG
    Device loss/theft
    Hardware anti-tamper
    eFuse
    TPM
    Rooting/jailbreaking
    Push notification services
    Geotagging
    Encrypted instant messaging apps
    Tokenization
    OEM/carrier Android fragmentation
    Mobile payment
    NFC-enabled
    Inductance-enabled
    Mobile wallet
    Peripheral-enabled payments (credit card reader)
    Tethering
    USB
    Spectrum management
    Bluetooth 3.0 vs. 4.1
    Authentication
    Swipe pattern
    Gesture
    Pin code
    Biometric
    Facial
    Fingerprint
    Iris scan
    Malware
    Unauthorized domain bridging
    Baseband radio/SOC
    Augmented reality
    SMS/MMS/messaging
    3. Wearable technology
    Devices
    Cameras
    Watches
    Fitness devices
    Glasses
    Medical sensors/devices
    Headsets
    Security implications
    Unauthorized remote activation/deactivation of devices or features
    Encrypted and unencrypted communication concerns
    Physical reconnaissance
    Personal data theft
    Health privacy
    Digital forensics of collected data
    Given software vulnerability scenarios, select appropriate security controls.

    1. Application security design considerations
    Secure: by design, by default, by deployment
    2. Specific application issues
    Unsecure direct object references
    XSS
    Cross-site request forgery (CSRF)
    Click-jacking
    Session management
    Input validation
    SQL injection
    Improper error and exception handling
    Privilege escalation
    Improper storage of sensitive data
    Fuzzing/fault injection
    Secure cookie storage and transmission
    Buffer overflow
    Memory leaks
    Integer overflows
    Race conditions
    Time of check
    Time of use
    Resource exhaustion
    Geotagging
    Data remnants
    Use of third-party libraries
    Code reuse
    3. Application sandboxing
    4. Secure encrypted enclaves
    5. Database activity monitor
    6. Web application firewalls
    7. Client-side processing vs. server-side processing
    JSON/REST
    Browser extensions
    ActiveX
    Java applets
    HTML5
    AJAX
    SOAP
    State management
    JavaScript
    8. Operating system vulnerabilities
    9. Firmware vulnerabilities

Enterprise Security Operations 20%

    Given a scenario, conduct a security assessment using the appropriate methods.

    1. Methods
    Malware sandboxing
    Memory dumping, runtime debugging
    Reconnaissance
    Fingerprinting
    Code review
    Social engineering
    Pivoting
    Open source intelligence
    Social media
    Whois
    Routing tables
    DNS records
    Search engines
    2. Types
    Penetration testing
    Black box
    White box
    Gray box
    Vulnerability assessment
    Self-assessment
    Tabletop exercises
    Internal and external audits
    Color team exercises
    Red team
    Blue team
    White team

    Analyze a scenario or output, and select the appropriate tool for a security assessment.

    1. Network tool types
    Port scanners
    Vulnerability scanners
    Protocol analyzer
    Wired
    Wireless
    SCAP scanner
    Network enumerator
    Fuzzer
    HTTP interceptor
    Exploitation tools/frameworks
    Visualization tools
    Log reduction and analysis tools
    2. Host tool types
    Password cracker
    Vulnerability scanner
    Command line tools
    Local exploitation tools/frameworks
    SCAP tool
    File integrity monitoring
    Log analysis tools
    Antivirus
    Reverse engineering tools
    3. Physical security tools
    Lock picks
    RFID tools
    IR camera

    Given a scenario, implement incident response and recovery procedures.

    1. E-discovery
    Electronic inventory and asset control
    Data retention policies
    Data recovery and storage
    Data ownership
    Data handling
    Legal holds
    2. Data breach
    Detection and collection
    Data analytics
    Mitigation
    Minimize
    Isolate
    Recovery/reconstitution
    Response
    Disclosure
    3. Facilitate incident detection and response
    Hunt teaming
    Heuristics/behavioral analytics
    Establish and review system, audit and security logs
    4. Incident and emergency response
    Chain of custody
    Forensic analysis of compromised system
    Continuity of operations
    Disaster recovery
    Incident response team
    Order of volatility
    5. Incident response support tools
    dd
    tcpdump
    nbtstat
    netstat
    nc (Netcat)
    memdump
    tshark
    foremost
    6. Severity of incident or breach
    Scope
    Impact
    Cost
    Downtime
    Legal ramifications
    7. Post-incident response
    Root-cause analysis
    Lessons learned
    After-action report

Technical Integration of Enterprise Security 23%

    Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture.

    1. Adapt data flow security to meet changing business needs
    2. Standards
    Open standards
    Adherence to standards
    Competing standards
    Lack of standards
    De facto standards
    3. Interoperability issues
    Legacy systems and software/current systems
    Application requirements
    Software types
    In-house developed
    Commercial
    Tailored commercial
    Open source
    Standard data formats
    Protocols and APIs
    4. Resilience issues
    Use of heterogeneous components
    Course of action automation/orchestration
    Distribution of critical assets
    Persistence and non-persistence of data
    Redundancy/high availability
    Assumed likelihood of attack
    5. Data security considerations
    Data remnants
    Data aggregation
    Data isolation
    Data ownership
    Data sovereignty
    Data volume
    6. Resources provisioning and deprovisioning
    Users
    Servers
    Virtual devices
    Applications
    Data remnants
    7. Design considerations during mergers, acquisitions and demergers/divestitures
    8. Network secure segmentation and delegation
    9. Logical deployment diagram and corresponding physical deployment diagram of all relevant devices
    10. Security and privacy considerations of storage integration
    11. Security implications of integrating enterprise applications
    CRM
    ERP
    CMDB
    CMS
    Integration enablers
    Directory services
    DNS
    SOA
    ESB

    Given a scenario, integrate cloud and virtualization technologies into a secure enterprise architecture.

    1. Technical deployment models (outsourcing/insourcing/managed services/partnership)
    Cloud and virtualization considerations and hosting options
    Public
    Private
    Hybrid
    Community
    Multi-tenancy
    Single tenancy
    On-premise vs. hosted
    Cloud service models
    SaaS
    IaaS
    PaaS
    2. Security advantages and disadvantages of virtualization
    Type 1 vs. Type 2 hypervisors
    Container-based
    vTPM
    Hyperconverged infrastructure
    Virtual desktop infrastructure
    Secure enclaves and volumes
    3. Cloud augmented security services
    Anti-malware
    Vulnerability scanning
    Sandboxing
    Content filtering
    Cloud security broker
    Security as a service
    Managed security service providers
    4. Vulnerabilities associated with comingling of hosts with different security requirements
    VM escape
    Privilege elevation
    Live VM migration
    Data remnants
    5. Data security considerations
    Vulnerabilities associated with a single server hosting multiple data types
    Vulnerabilities associated with a single platform hosting multiple data types/owners on multiple virtual machines
    6. Resources provisioning and deprovisioning
    Virtual devices
    Data remnants

    Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives.

    1. Authentication
    Certificate-based authentication
    Single sign-on
    802.1x
    Context-aware authentication
    Push-based authentication
    2. Authorization
    OAuth
    XACML
    SPML
    3. Attestation
    4. Identity proofing
    5. Identity propagation
    6. Federation
    SAML
    OpenID
    Shibboleth
    WAYF
    7. Trust models
    RADIUS configurations
    LDAP
    AD

    Given a scenario, implement cryptographic techniques.

    1. Techniques
    Key stretching
    Hashing
    Digital signature
    Message authentication
    Code signing
    Pseudo-random number generation
    Perfect forward secrecy
    Data-in-transit encryption
    Data-in-memory/processing
    Data-at-rest encryption
    Disk
    Block
    File
    Record
    Steganography
    2. Implementations
    Crypto modules
    Crypto processors
    Cryptographic service providers
    DRM
    Watermarking
    GPG
    SSL/TLS
    SSH
    S/MIME
    Cryptographic applications and proper/improper implementations
    Strength
    Performance
    Feasibility to implement
    Interoperability
    Stream vs. block
    PKI
    Wild card
    OCSP vs. CRL
    Issuance to entities
    Key escrow
    Certificate
    Tokens
    Stapling
    Pinning
    Cryptocurrency/blockchain
    Mobile device encryption considerations
    Elliptic curve cryptography
    P-256 vs. P-384 vs. P-521

    Given a scenario, select the appropriate control to secure communications and collaboration solutions.

    1. Remote access
    Resource and services
    Desktop and application sharing
    Remote assistance
    2. Unified collaboration tools
    Conferencing
    Web
    Video
    Audio
    Storage and document collaboration tools
    Unified communication
    Instant messaging
    Presence
    Email
    Telephony and VoIP integration
    Collaboration sites
    Social media
    Cloud-based

Research, Development and Collaboration 13%

    Given a scenario, apply research methods to determine industry trends and their impact to the enterprise.

    1. Perform ongoing research
    Best practices
    New technologies, security systems and services
    Technology evolution (e.g., RFCs, ISO)
    2. Threat intelligence
    Latest attacks
    Knowledge of current vulnerabilities and threats
    Zero-day mitigation controls and remediation
    Threat model
    3. Research security implications of emerging business tools
    Evolving social media platforms
    Integration within the business
    Big Data
    AI/machine learning
    4. Global IA industry/community
    Computer emergency response team (CERT)
    Conventions/conferences
    Research consultants/vendors
    Threat actor activities
    Emerging threat sources

    Given a scenario, implement security activities across the technology life cycle.

    1. Systems development life cycle
    Requirements
    Acquisition
    Test and evaluation
    Commissioning/decommissioning
    Operational activities
    Monitoring
    Maintenance
    Configuration and change management
    Asset disposal
    Asset/object reuse
    2. Software development life cycle
    Application security frameworks
    Software assurance
    Standard libraries
    Industry-accepted approaches
    Web services security (WS-Security)
    Forbidden coding techniques
    NX/XN bit use
    ASLR use
    Code quality
    Code analyzers
    Fuzzer
    Static
    Dynamic
    Development approaches
    DevOps
    Security implications of agile, waterfall and spiral software development methodologies
    Continuous integration
    Versioning
    Secure coding standards
    Documentation
    Security requirements traceability matrix (SRTM)
    Requirements definition
    System design document
    Testing plans
    Validation and acceptance testing
    Regression
    User acceptance testing
    Unit testing
    Integration testing
    Peer review
    3. Adapt solutions to address:
    Emerging threats
    Disruptive technologies
    Security trends
    4. Asset management (inventory control)

    Explain the importance of interaction across diverse business units to achieve security goals.

    1. Interpreting security requirements and goals to communicate with stakeholders from other disciplines
    Sales staff
    Programmer
    Database administrator
    Network administrator
    Management/executive management
    Financial
    Human resources
    Emergency response team
    Facilities manager
    Physical security manager
    Legal counsel
    2. Provide objective guidance and impartial recommendations to staff and senior management on security processes and controls
    3. Establish effective collaboration within teams to implement secure solutions
    4. Governance, risk and compliance committee
