This chapter covers the following topics:
The Goals of the CASP Certification: This section describes CASP’s sponsoring bodies and the stated goals of the certification.
The Value of the CASP Certification: This section examines the career and business drivers for the CASP certification.
CASP Exam Objectives: This section lists the official objectives covered on the CASP exam.
Steps to Becoming a CASP: This section explains the process involved in achieving the CASP certification.
CompTIA Authorized Materials Use Policy: This section provides information on the CompTIA Certification Exam Policies web page.
The CompTIA Advanced Security Practitioner (CASP) exam is designed to identify IT professionals with advanced-level competency in enterprise security; risk management; incident response; research and analysis; and integration of computing, communications, and business disciplines.
As the number of security threats to organizations grows and the nature of these threats broadens, companies large and small have realized that security can no longer be an afterthought. It must be built into the DNA of the enterprise to be effective. This means trained professionals must not only be versed in security theory but must also be able to implement measures that provide enterprise-wide security. While no prerequisites exist to take the exam, it is often the next step for many security professionals after passing the CompTIA Security+ exam.
The CASP exam is a vendor-neutral exam created and managed by CompTIA. An update to the CASP certification exam launched April 2, 2018. The new exam, CAS-003, replaces CAS-002, which will retire in October 2018. This book is designed to prepare you for the new exam, CAS-003, but can also be used to prepare for the CAS-002 exam. This certification is considered a mastery- or advanced-level certification.
In today’s world, security is no longer a one-size-fits-all proposition. Earning the CASP credential is a way security professionals can demonstrate their ability to design, implement, and maintain the correct security posture for an organization, based on the complex environments in which today’s organizations exist.
CompTIA is an American National Standards Institute (ANSI)-accredited certifier that creates and maintains a wide array of IT certification exams, such as A+, Network+, Server+, and Security+. The credentials obtained by passing these various exams are recognized in the industry as demonstrating the skills tested in these exams.
The CASP exam is one of several security-related exams that can validate a candidate’s skills and knowledge. The following are some of the most popular ones, to put the CASP exam in proper perspective:
Certified Information Systems Security Professional (CISSP); ISC2: This is a globally recognized standard of achievement that confirms an individual’s knowledge in the field of information security. CISSPs are information assurance professionals who define the architecture, design, management, and/or controls that assure the security of business environments. It was the first certification in the field of information security to meet the stringent requirements of ISO/IEC Standard 17024.
Security+ (CompTIA): This exam covers the most important foundational principles for securing a network and managing risk. Access control, identity management, and cryptography are important topics on the exam, along with a selection of appropriate mitigation and deterrent techniques to address network attacks and vulnerabilities.
Certified Ethical Hacker (CEH; EC-Council): This exam validates the skills of an ethical hacker. Such individuals are trusted people who are engaged by organizations to attempt to penetrate networks and/or computer systems using the same methods and techniques as malicious attackers.
CompTIA’s stated goal (verbatim from the CompTIA CASP web page) is as follows:
Successful candidates will have the knowledge required to:
Conceptualize, engineer, integrate and implement secure solutions across complex enterprise environments
Apply critical thinking and judgment across a broad spectrum of security disciplines to propose and implement sustainable security solutions that map to organizational strategies
Translate business needs into security requirements
Analyze risk impact
Respond to security incidents
The CASP certification holds value for both the exam candidate and the enterprise. The certification has been approved by the U.S. Department of Defense to meet Information Assurance (IA) technical and management certification requirements and has been adopted by Dell and HP for their advanced security staff. Advantages can be gained by both the candidate and the organization employing the candidate.
There are numerous reasons a security professional would spend the time and effort required to achieve this credential. Here are some of them:
To meet the growing demand for security professionals
To become more marketable in an increasingly competitive job market
To enhance skills in a current job
To qualify for or compete more successfully for a promotion
To increase salary
DoDD 8140 and DoD 8570.01-M workforce qualification requirements both prescribe that Department of Defense personnel and contractors who hold certain information assurance job roles must hold approved security certifications. The directive lists the CASP certification at several levels. Figure I-1 shows job roles that require various certifications, including CASP.
In short, the CASP certification demonstrates that the holder has the knowledge and skills tested in the exam and also that the candidate has hands-on experience and can organize and implement a successful security solution.
For the organization, the CASP certification offers a reliable benchmark to which job candidates can be measured by validating knowledge and experience. Candidates who successfully pass this rigorous exam will stand out from the rest, not only making the hiring process easier but also adding a level of confidence in the final hire.
The material contained in the CASP exam objectives is divided into five domains: Risk Management; Enterprise Security Architecture; Enterprise Security Operations; Technical Integration of Enterprise Security; and Research, Development and Collaboration. The following pages outline the objectives tested in each of the domains for the CAS-003 exam.
Domain 1.0: Risk Management
Risk management of new products, new technologies and user behaviors
New or changing business models/strategies
Partnerships
Outsourcing
Cloud
Acquisition/merger–divestiture/demerger
Data ownership
Data reclassification
Security concerns of integrating diverse industries
Rules
Policies
Regulations
Export controls
Legal requirements
Geography
Data sovereignty
Jurisdictions
Internal and external influences
Competitors
Auditors/audit findings
Regulatory entities
Internal and external client requirements
Top-level management
Impact of de-perimeterization (e.g., constantly changing network boundary)
Telecommuting
Cloud
Mobile
BYOD
Outsourcing
Ensuring third-party providers have requisite levels of information security
Policy and process life cycle management
New business
New technologies
Environmental changes
Regulatory requirements
Emerging risks
Support legal compliance and advocacy by partnering with human resources, legal, management and other entities
Understand common business documents to support security
Risk assessment (RA)
Business impact analysis (BIA)
Interoperability agreement (IA)
Interconnection security agreement (ISA)
Memorandum of understanding (MOU)
Service-level agreement (SLA)
Operating-level agreement (OLA)
Non-disclosure agreement (NDA)
Business partnership agreement (BPA)
Master service agreement (MSA)
Research security requirements for contracts
Request for proposal (RFP)
Request for quote (RFQ)
Request for information (RFI)
Understand general privacy principles for sensitive information
Support the development of policies containing standard security practices
Separation of duties
Job rotation
Mandatory vacation
Least privilege
Incident response
Forensic tasks
Employment and termination procedures
Continuous monitoring
Training and awareness for users
Auditing requirements and frequency
Information classification
Categorize data types by impact levels based on CIA
Incorporate stakeholder input into CIA impact-level decisions
Determine minimum-required security controls based on aggregate score
Select and implement controls based on CIA requirements and organizational policies
Extreme scenario planning/worst-case scenario
Conduct system-specific risk analysis
Make risk determination based upon known metrics
Magnitude of impact based on ALE and SLE
Likelihood of threat
Motivation
Source
ARO
Trend analysis
Return on investment (ROI)
Total cost of ownership
Translate technical risks in business terms
Recommend which strategy should be applied based on risk appetite
Avoid
Transfer
Mitigate
Accept
Risk management processes
Exemptions
Deterrence
Inherent
Residual
Continuous improvement/monitoring
Business continuity planning
RTO
RPO
MTTR
MTBF
IT governance
Adherence to risk management frameworks
Enterprise resilience
Review effectiveness of existing security controls
Gap analysis
Lessons learned
After-action reports
Reverse engineer/deconstruct existing solutions
Creation, collection and analysis of metrics
KPIs
KRIs
Prototype and test multiple solutions
Create benchmarks and compare to baselines
Analyze and interpret trend data to anticipate cyber defense needs
Analyze security solution metrics and attributes to ensure they meet business needs
Performance
Latency
Scalability
Capability
Usability
Maintainability
Availability
Recoverability
ROI
TCO
Use judgment to solve problems where the most secure solution is not feasible
Domain 2.0: Enterprise Security Architecture
Physical and virtual network and security devices
UTM
IDS/IPS
NIDS/NIPS
INE
NAC
SIEM
Switch
Firewall
Wireless controller
Router
Proxy
Load balancer
HSM
MicroSD HSM
Application and protocol-aware technologies
WAF
Firewall
Passive vulnerability scanners
DAM
Advanced network design (wired/wireless)
Remote access
VPN
IPSec
SSL/TLS
SSH
RDP
VNC
VDI
Reverse proxy
IPv4 and IPv6 transitional technologies
Network authentication methods
802.1X
Mesh networks
Placement of fixed/mobile devices
Placement of hardware and applications
Complex network security solutions for data flow
DLP
Deep packet inspection
Data flow enforcement
Network flow (sFlow)
Data flow diagram
Secure configuration and baselining of networking and security components
Software-defined networking
Network management and monitoring tools
Alert definitions and rule writing
Tuning alert thresholds
Alert fatigue
Advanced configuration of routers, switches and other network devices
Transport security
Trunking security
Port security
Route protection
DDoS protection
Remotely triggered black hole
Security zones
DMZ
Separation of critical assets
Network segmentation
Network access control
Quarantine/remediation
Persistent/volatile or non-persistent agent
Agent vs. agentless
Network-enabled devices
System on a chip (SoC)
Building/home automation systems
IP video
HVAC controllers
Sensors
Physical access control systems
A/V systems
Scientific/industrial equipment
Critical infrastructure
Supervisory control and data acquisition (SCADA)
Industrial control systems (ICS)
Trusted OS (e.g., how and when to use it)
SELinux
SEAndroid
Trusted Solaris
Least functionality
Endpoint security software
Anti-malware
Antivirus
Anti-spyware
Spam filters
Patch management
HIPS/HIDS
Data loss prevention
Host-based firewalls
Log monitoring
Endpoint detection and response (EDR)
Host hardening
Standard operating environment/configuration baselining
Application whitelisting and blacklisting
Security/group policy implementation
Command shell restrictions
Patch management
Manual
Automated
Scripting and replication
Configuring dedicated interfaces
Out-of-band management
ACLs
Management interface
Data interface
External I/O restrictions
USB
Wireless
Bluetooth
NFC
IrDA
RF
802.11
RFID
Drive mounting
Drive mapping
Webcam
Recording mic
Audio output
SD port
HDMI port
File and disk encryption
Firmware updates
Boot loader protections
Secure boot
Measured launch
Integrity measurement architecture
BIOS/UEFI
Attestation services
TPM
Vulnerabilities associated with hardware
Terminal services/application delivery services
Enterprise mobility management
Containerization
Configuration profiles and payloads
Personally owned, corporate-enabled
Application wrapping
Remote assistance access
VNC
Screen mirroring
Application, content and data management
Over-the-air updates (software/firmware)
Remote wiping
SCEP
BYOD
COPE
VPN
Application permissions
Side loading
Unsigned apps/system apps
Context-aware management
Geolocation/geofencing
User behavior
Security restrictions
Time-based restrictions
Security implications/privacy concerns
Data storage
Non-removable storage
Removable storage
Cloud storage
Transfer/backup data to uncontrolled storage
USB OTG
Device loss/theft
Hardware anti-tamper
eFuse
TPM
Rooting/jailbreaking
Push notification services
Geotagging
Encrypted instant messaging apps
Tokenization
OEM/carrier Android fragmentation
Mobile payment
NFC-enabled
Inductance-enabled
Mobile wallet
Peripheral-enabled payments (credit card reader)
Tethering
USB
Spectrum management
Bluetooth 3.0 vs. 4.1
Authentication
Swipe pattern
Gesture
Pin code
Biometric
Facial
Fingerprint
Iris scan
Malware
Unauthorized domain bridging
Baseband radio/SOC
Augmented reality
SMS/MMS/messaging
Wearable technology
Devices
Cameras
Watches
Fitness devices
Glasses
Medical sensors/devices
Headsets
Security implications
Unauthorized remote activation/deactivation of devices or features
Encrypted and unencrypted communication concerns
Physical reconnaissance
Personal data theft
Health privacy
Digital forensics of collected data
Application security design considerations
Secure: by design, by default, by deployment
Specific application issues
Insecure direct object references
XSS
Cross-site request forgery (CSRF)
Clickjacking
Session management
Input validation
SQL injection
Improper error and exception handling
Privilege escalation
Improper storage of sensitive data
Fuzzing/fault injection
Secure cookie storage and transmission
Buffer overflow
Memory leaks
Integer overflows
Race conditions
Time of check
Time of use
Resource exhaustion
Geotagging
Data remnants
Use of third-party libraries
Code reuse
Application sandboxing
Secure encrypted enclaves
Database activity monitor
Web application firewalls
Client-side processing vs. server-side processing
JSON/REST
Browser extensions
ActiveX
Java applets
HTML5
AJAX
SOAP
State management
JavaScript
Operating system vulnerabilities
Firmware vulnerabilities
Domain 3.0: Enterprise Security Operations
Methods
Malware sandboxing
Memory dumping, runtime debugging
Reconnaissance
Fingerprinting
Code review
Social engineering
Pivoting
Open source intelligence
Social media
Whois
Routing tables
DNS records
Search engines
Types
Penetration testing
Black box
White box
Gray box
Vulnerability assessment
Self-assessment
Tabletop exercises
Internal and external audits
Color team exercises
Red team
Blue team
White team
Network tool types
Port scanners
Vulnerability scanners
Protocol analyzer
Wired
Wireless
SCAP scanner
Network enumerator
Fuzzer
HTTP interceptor
Exploitation tools/frameworks
Visualization tools
Log reduction and analysis tools
Host tool types
Password cracker
Vulnerability scanner
Command line tools
Local exploitation tools/frameworks
SCAP tool
File integrity monitoring
Log analysis tools
Antivirus
Reverse engineering tools
Physical security tools
Lock picks
RFID tools
IR camera
E-discovery
Electronic inventory and asset control
Data retention policies
Data recovery and storage
Data ownership
Data handling
Legal holds
Data breach
Detection and collection
Data analytics
Mitigation
Minimize
Isolate
Recovery/reconstitution
Response
Disclosure
Facilitate incident detection and response
Hunt teaming
Heuristics/behavioral analytics
Establish and review system, audit and security logs
Incident and emergency response
Chain of custody
Forensic analysis of compromised system
Continuity of operations
Disaster recovery
Incident response team
Order of volatility
Incident response support tools
dd
tcpdump
nbtstat
netstat
nc (Netcat)
memcopy
tshark
foremost
Severity of incident or breach
Scope
Impact
Cost
Downtime
Legal ramifications
Post-incident response
Root-cause analysis
Lessons learned
After-action report
Domain 4.0: Technical Integration of Enterprise Security
Adapt data flow security to meet changing business needs
Standards
Open standards
Adherence to standards
Competing standards
Lack of standards
De facto standards
Interoperability issues
Legacy systems and software/current systems
Application requirements
Software types
In-house developed
Commercial
Tailored commercial
Open source
Standard data formats
Protocols and APIs
Resilience issues
Use of heterogeneous components
Course of action automation/orchestration
Distribution of critical assets
Persistence and non-persistence of data
Redundancy/high availability
Assumed likelihood of attack
Data security considerations
Data remnants
Data aggregation
Data isolation
Data ownership
Data sovereignty
Data volume
Resources provisioning and deprovisioning
Users
Servers
Virtual devices
Applications
Data remnants
Design considerations during mergers, acquisitions and demergers/divestitures
Network secure segmentation and delegation
Logical deployment diagram and corresponding physical deployment diagram of all relevant devices
Security and privacy considerations of storage integration
Security implications of integrating enterprise applications
CRM
ERP
CMDB
CMS
Integration enablers
Directory services
DNS
SOA
ESB
Technical deployment models (outsourcing/insourcing/managed services/partnership)
Cloud and virtualization considerations and hosting options
Public
Private
Hybrid
Community
Multitenancy
Single tenancy
On-premise vs. hosted
Cloud service models
SaaS
IaaS
PaaS
Security advantages and disadvantages of virtualization
Type 1 vs. Type 2 hypervisors
Container-based
vTPM
Hyperconverged infrastructure
Virtual desktop infrastructure
Secure enclaves and volumes
Cloud augmented security services
Anti-malware
Vulnerability scanning
Sandboxing
Content filtering
Cloud security broker
Security as a service
Managed security service providers
Vulnerabilities associated with comingling of hosts with different security requirements
VM escape
Privilege elevation
Live VM migration
Data remnants
Data security considerations
Vulnerabilities associated with a single server hosting multiple data types
Vulnerabilities associated with a single platform hosting multiple data types/owners on multiple virtual machines
Resources provisioning and deprovisioning
Virtual devices
Data remnants
Authentication
Certificate-based authentication
Single sign-on
802.1X
Context-aware authentication
Push-based authentication
Authorization
OAuth
XACML
SPML
Attestation
Identity proofing
Identity propagation
Federation
SAML
OpenID
Shibboleth
WAYF
Trust models
RADIUS configurations
LDAP
AD
Techniques
Key stretching
Hashing
Digital signature
Message authentication
Code signing
Pseudo-random number generation
Perfect forward secrecy
Data-in-transit encryption
Data-in-memory/processing
Data-at-rest encryption
Disk
Block
File
Record
Steganography
Implementations
Crypto modules
Crypto processors
Cryptographic service providers
DRM
Watermarking
GPG
SSL/TLS
SSH
S/MIME
Cryptographic applications and proper/improper implementations
Strength
Performance
Feasibility to implement
Interoperability
Stream vs. block
PKI
Wild card
OCSP vs. CRL
Issuance to entities
Key escrow
Certificate
Tokens
Stapling
Pinning
Cryptocurrency/blockchain
Mobile device encryption considerations
Elliptic curve cryptography
P-256 vs. P-384 vs. P-521
Remote access
Resource and services
Desktop and application sharing
Remote assistance
Unified collaboration tools
Conferencing
Web
Video
Audio
Storage and document collaboration tools
Unified communication
Instant messaging
Presence
Telephony and VoIP integration
Collaboration sites
Social media
Cloud-based
Domain 5.0: Research, Development and Collaboration
Perform ongoing research
Best practices
New technologies, security systems and services
Technology evolution (e.g., RFCs, ISO)
Threat intelligence
Latest attacks
Knowledge of current vulnerabilities and threats
Zero-day mitigation controls and remediation
Threat model
Research security implications of emerging business tools
Evolving social media platforms
Integration within the business
Big Data
AI/machine learning
Global IA industry/community
Computer emergency response team (CERT)
Conventions/conferences
Research consultants/vendors
Threat actor activities
Emerging threat sources
Systems development life cycle
Requirements
Acquisition
Test and evaluation
Commissioning/decommissioning
Operational activities
Monitoring
Maintenance
Configuration and change management
Asset disposal
Asset/object reuse
Software development life cycle
Application security frameworks
Software assurance
Standard libraries
Industry-accepted approaches
Web services security (WS-Security)
Forbidden coding techniques
NX/XN bit use
ASLR use
Code quality
Code analyzers
Fuzzer
Static
Dynamic
Development approaches
DevOps
Security implications of agile, waterfall and spiral software development methodologies
Continuous integration
Versioning
Secure coding standards
Documentation
Security requirements traceability matrix (SRTM)
Requirements definition
System design document
Testing plans
Validation and acceptance testing
Regression
User acceptance testing
Unit testing
Integration testing
Peer review
Adapt solutions to address:
Emerging threats
Disruptive technologies
Security trends
Asset management (inventory control)
Interpreting security requirements and goals to communicate with stakeholders from other disciplines
Sales staff
Programmer
Database administrator
Network administrator
Management/executive management
Financial
Human resources
Emergency response team
Facilities manager
Physical security manager
Legal counsel
Provide objective guidance and impartial recommendations to staff and senior management on security processes and controls
Establish effective collaboration within teams to implement secure solutions
Governance, risk and compliance committee
To become a CASP, there are certain steps to follow. The following sections cover those topics.
While there is no required prerequisite, the CASP certification is intended to follow CompTIA Security+ or equivalent experience and has a technical, hands-on focus at the enterprise level.
A CompTIA Advanced Security Practitioner (CASP) voucher costs $390.
The following are the characteristics of the exam:
Launches: April 2, 2018
Number of questions: 90 (maximum)
Type of questions: Multiple choice and performance based
Length of test: 165 minutes
Passing score: Pass/fail only; no scaled score
Recommended experience: 10 years’ experience in IT administration, including at least 5 years of hands-on technical security experience
Languages: English
CompTIA has become more proactive in preventing test candidates from using brain dumps in their pursuit of certifications. CompTIA currently implements the CompTIA Authorized Quality Curriculum (CAQC) program, whereby content providers like Pearson can submit their test preparation materials to an authorized third party for audit. The CAQC audit checks that the content provides adequate coverage of the exam topics. Only authorized partners can submit their material to the third party.
In the current CAS-003 Blueprint, CompTIA includes a section titled “CompTIA Authorized Materials Use Policy” that says:
CompTIA Certifications, LLC is not affiliated with and does not authorize, endorse or condone utilizing any content provided by unauthorized third-party training sites (aka “brain dumps”). Individuals who utilize such materials in preparation for any CompTIA examination will have their certifications revoked and be suspended from future testing in accordance with the CompTIA Candidate Agreement. In an effort to more clearly communicate CompTIA’s exam policies on use of unauthorized study materials, CompTIA directs all certification candidates to the CompTIA Certification Exam Policies. Please review all CompTIA policies before beginning the study process for any CompTIA exam. Candidates will be required to abide by the CompTIA Candidate Agreement. If a candidate has a question as to whether study materials are considered unauthorized (aka “brain dumps”), he/she should contact CompTIA at [email protected] to confirm.
Remember: Just because you purchase a product does not mean that the product is legitimate. Many brain dump companies charge for their products, so a price tag is no sign of legitimacy. Keep in mind that using materials from a brain dump can result in certification revocation. Make sure that all products you use are from a legitimate provider rather than a brain dump company. Using a brain dump is cheating and directly violates the non-disclosure agreement (NDA) you sign at exam time.