CompTIA CASP+ CAS-004 Exam Guide: A-Z of Advanced Cybersecurity Concepts, Mock Exams, Real-world Scenarios with Expert Tips
- Length: 596 pages
- Edition: 1
- Language: English
- Publisher: BPB Publications
- Publication Date: 2022-06-28
- ISBN-10: 9355512694
- ISBN-13: 9789355512697
- Sales Rank: #1775034
CompTIA CASP+ CAS-004 Exam Guide
Key Features
- In-depth explanation of security architecture, security operations, security engineering and cryptography.
- Boosts practical skills with the aid of troubleshooting tips and exam-specific notes.
- Provides live use-cases to design, implement, and integrate security solutions across enterprise environments.
Description
CompTIA CASP+ certification evaluates advanced technical security skills, such as security engineering and operations, enterprise-level risk assessments and IT governance, and the implementation of secure systems and network design and controls.
This CASP+ certification guide enables security professionals to become proficient and certified in creating highly resilient enterprise systems and networks that adhere to regulatory requirements. It contains real-world scenarios, practice tests, and numerous troubleshooting tips. Readers are shown how to design and build security architectures for diverse business requirements. The book teaches how to create robust security methods for traditional, cloud, hybrid, and virtual environments. Readers learn how to set up application vulnerability controls, such as sandboxing, database security, and firmware security, and reduce their risks. Towards the end, readers can investigate various cryptography approaches such as hashing, code signing, S/MIME, PKI, and DRM watermarking.
Every chapter of this CASP+ study guide is dedicated to helping the reader develop the practical, performance-based skills necessary to succeed in the exam.
What you will learn
- Conduct risk analysis, establish risk metrics and compare security baselines
- Learn different ways to secure host systems, devices, and storage controls
- Learn about malware sandboxing, fingerprinting, reconnaissance, and memory debugging
- Use vulnerability assessment tools such as port scanners, protocol analyzers, and application interceptors
- Exposure to code signing, DRM watermarking, hashing, and PKI
- Expert advice on integrating hosts, networks, storage, and applications
Who this book is for
This book is for security architects, senior security engineers, security leads, and other security practitioners who want to get certified in designing an enterprise security landscape that works best for the business environment. The book assumes prior professional knowledge of security.
Table of Contents
- Front matter: Cover Page, Title Page, Copyright Page, Dedication Page, About the Author, About the Reviewer, Acknowledgements, Preface, Errata, Table of Contents
- 1. Introduction to CASP: Introduction Structure Book objectives Intended audience Steps to exam preparation Exam objectives Exam topics description Chapter 1: Introduction to CASP+ exam Chapter 2: Business and Industry Trends, Influences, and Risks Chapter 3: Organizational Security Policies and Documents Chapter 4: Risk Mitigation Strategies Chapter 5: Enterprise Risk Measurement and Metrics Chapter 6: Components of Network Security Chapter 7: Securing Host Systems and Devices Chapter 8: Secure Storage Controls Chapter 9: Internet of Things Chapter 10: Cloud and Virtualization Security Chapter 11: Application Vulnerability Controls Chapter 12: Security Assessments Chapter 13: Selecting Vulnerability Assessment Tools Chapter 14: Securing Communication and Collaborative Solutions Chapter 15: Implementing Cryptographic Techniques Chapter 16: Identification, Authentication, and Authorization Chapter 17: Security Incidents and Response Chapter 18: Integrating Hosts, Networks, Storage, and Applications Chapter 19: Security Activities across Technology Lifecycle Chapter 20: CASP+ Skill Assessment Exam-I Chapter 21: CASP+ Skill Assessment Exam-II Chapter 22: Study Plan Sample practice questions CASP Answers
- 2. Business and Industry Trends, Influences, and Risks: Introduction Structure Objective Risk management of new technologies Changing business models Outsourcing and partnerships Cloud computing trends Merger and acquisition influences Data ownership Data reclassification Security concerns of integrating industries Export controls Legal requirements Sarbanes-Oxley (SOX) Act Health Insurance Portability and Accountability Act (HIPAA) Gramm-Leach-Bliley Act (GLBA) Personal Information Protection and Electronic Documents Act (PIPEDA) Payment Card Industry Data Security Standard (PCI DSS) Federal Information Security Management Act (FISMA) USA PATRIOT Act EU laws and regulations Geography Data sovereignty Jurisdictions Internal and external influences Competitors Auditors/audit findings Regulatory entities Internal and external client requirements Top-level management Impact of De-parameterization Telecommuting Mobile threats BYOD Outsourcing Due diligence and due care Conclusion
- 3. Organization Security Policies and Documents: Introduction Structure Objective Process life cycle management New business New technologies Environmental changes Regulatory requirements Emerging risks Legal compliance and advocacy Business documents to support security Risk assessment Business impact analysis (BIA) Interoperability agreement (IA) Interconnection security agreement (ISA) Memorandum of understanding (MOU) Service-level agreement (SLA) Operating-level agreement (OLA) Non-disclosure agreement (NDA) Business partnership agreement (BPA) Master service agreement (MSA) Security requirements for contracts Request for information (RFI) Request for quote (RFQ) Request for proposal (RFP) Agreement or contract Privacy principles for sensitive information Separation of duties Job rotation Least privilege Incident response Events versus incidents Rules of engagement, authorization, and scope Forensic tasks Employment and termination procedures Continuous monitoring Training and awareness for users Auditing requirements and frequency Information classification and life cycle Commercial business classifications Military and government classifications Information life cycle Conclusion
- 4. Risk Mitigation Strategies: Introduction Structure Objective Data classification by impact levels based on CIA Incorporate stakeholder input into CIA decisions Determine the aggregate CIA score Determine minimum required security controls based on aggregate score Implement controls based on CIA requirements Access control categories Compensative Corrective Detective Deterrent Directive Preventive Recovery Access control types Administrative (Management) controls Logical (Technical) controls Physical controls Security control frameworks ISO/IEC 27000 series Zachman Framework The Open Group Architecture Framework (TOGAF) CIS critical security controls Information Technology Infrastructure Library (ITIL) Six Sigma Capability Maturity Model Integration (CMMI) Extreme scenario planning/worst-case scenario Conduct system-specific risk analysis Risk determination using known metrics Qualitative risk analysis Quantitative risk analysis Magnitude of impact based on ALE and SLE SLE ALE Likelihood of threat Motivation Total cost of ownership Translate technical risks in business terms Risk Appetite Strategy Avoid Transfer Mitigate Accept Risk management processes Information and asset value and costs Vulnerabilities and threats identification Exemptions Deterrence Inherent Residual Continuous improvement/monitoring Business Continuity Planning (BCP) Personnel components Project scope Conduct the BIA IT governance Policies Processes Procedures Standards Guidelines Baselines Conclusion
- 5. Enterprise Risk Measurement and Metrics: Introduction Structure Objectives Review effectiveness of existing security controls Gap analysis Lessons learned and after-action reports Reverse engineer/deconstruct existing solutions Creation, collection, and analysis of metrics KPIs Prototype and test multiple solutions Create benchmarks and compare baselines Analyze trends and data Analyze security solution metrics and attributes Performance Latency Scalability Capability Usability Maintainability Availability Recoverability Cost/benefit analysis ROI TCO Judgment to solve problems Conclusion
- 6. Components of Network Security: Introduction Structure Objective UTM IDS/IPS HIDS/HIPS NIPS NIDS NAC SIEM Firewall Switches Router Proxy Load balancer HSM Application and protocol-aware technologies WAF Passive vulnerability scanners Active vulnerability scanners VPN IPsec SSL/TLS TLS SSH RDP Reverse proxy Network authentication methods 802.1x Software-defined networking Conclusion
- 7. Securing Hosts and Devices: Introduction Structure Objective Trusted OS SELinux SEAndroid TrustedSolaris Least functionality Endpoint security software Endpoint protection working Endpoint protection versus antivirus software Endpoint detection response Patch management Manual patch management Automated patch management Data loss prevention How does DLP work? Log monitoring Host hardening Standard environment/configuration baselining Application whitelisting and blacklisting Security/Group Policy implementation Command shell restrictions Configuring dedicated interfaces Out-of-band management Management interfaces Data interface Bluetooth File and disk encryption TPM Virtual TPM Firmware updates Boot loader protections Secure Boot Measured launch Integrity measurement architecture BIOS/UEFI Attestation services Vulnerabilities associated with hardware Conclusion
- 8. Secure Storage Controls: Introduction Structure Objective Data classification Business drivers Information assurance Use case examples IBM Spectrum Scale Verify Privilege Vault Security implications/privacy concerns Data storage Non-removable storage Removable storage Cloud storage Transfer/backup data to uncontrolled storage Improper storage of sensitive data Data recovery and storage Data ownership Data handling Data security considerations Data remnants Data aggregation Data isolation Data ownership Data sovereignty Data volume Security and privacy considerations of storage Conclusion
- 9. Securing the Internet of Things: Introduction Structure Objective IoT device lifecycle Device identity Protected boot Protected storage Hardware security Trusted execution environment Built-in security Threats to firmware and RoT update Software security Containers Security management Secure device onboarding Platform integrity Network defense Platform monitoring McAfee Embedded Control Security objectives and requirements Conclusion
- 10. Cloud and Virtualization Security: Introduction Structure Objective Deployment models Cloud and virtualization considerations Public Private Hybrid Community Multitenancy Single tenancy On-premise versus hosted Cloud service models Virtualization security Type 1 versus Type 2 Hypervisors Container-based Hyper converged infrastructure Virtual desktop infrastructure Secure enclaves and volumes Cloud augmented security services Hash matching Vulnerability scanning Sandboxing Content filtering Cloud security broker Security as a Service Managed security service providers Vulnerabilities associated with hosts VMEscape Privilege elevation Live VM migration Data remnants Data security considerations Vulnerabilities with single server hosting Multiple VMs and multiple data types/owners Resources provisioning and de-provisioning Virtual devices Data remnants Conclusion
- 11. Application Security Controls: Introduction Structure Objectives Application security design considerations Security: By design, by default, by deployment Application security issues Insecure direct object reference XSS Cross-site request forgery Click-jacking Session management Input validation SQL injection Improper error and exception handling Privilege escalation Improper storage of sensitive data Fuzzing/fault injection Secure cookie storage and transmission Buffer overflow Memory leaks Integer overflows Race conditions Time of check/time of use Resource exhaustion Geotagging Data remnants Use of third-party libraries Code reuse Application sandboxing Secure encrypted enclaves Database activity monitor Web application firewalls Client-side versus server-side processing JSON/REST Browser extensions ActiveX Java applets HTML5 AJAX SOAP State management JavaScript Operating system vulnerabilities Firmware vulnerabilities Conclusion
- 12. Security Assessments: Introduction Structure Objective Vulnerability assessment methodology Malware sandboxing Memory dumping, runtime debugging Reconnaissance Fingerprinting Code review Social engineering Phishing/pharming Shoulder surfing Identity theft Dumpster diving Pivoting Open-source intelligence Social media Whois Routing tables DNS records Search engines Penetration test Black box White box Gray box Vulnerability assessment Self-assessment Tabletop exercises Internal and external audits Color team exercises Conclusion
- 13. Selecting Vulnerability Assessment Tools: Introduction Structure Objectives Network tool types Port scanners Network vulnerability scanners Protocol analyzer Wired Wireless SCAP scanner Permissions and access Execute scanning Network enumerator Fuzzer HTTP interceptor Exploitation tools/frameworks Visualization tools Log reduction and analysis tools Host tool types Password cracker Host vulnerability scanners Command-line tools Netstat Ping Tracert/traceroute Ipconfig/ifconfig Nslookup/dig Sysinternals OpenSSL Local exploitation tools/frameworks SCAP tool File integrity monitoring Log analysis tools Antivirus Reverse engineering tools Physical security tools Lock picks Locks RFID tools IR camera Conclusion
- 14. Securing Communication and Collaborative Solutions: Introduction Structure Objectives Remote access Dial-up VPN Resource and services Desktop and application sharing Remote assistance Tools for unified collaboration Web-based video conferencing Video conferencing Conferencing via audio Unified communication Instant messaging Email IMAP POP SMTP Email spoofing Phishing Whaling Spam Capturing messages Information disclosure Malware Integration of telephony and VoIP Sites for collaboration Social media Collaboration in the cloud Conclusion
- 15. Implementing Cryptographic Techniques: Introduction Structure Objectives Techniques Stretching techniques Hashing MD2/MD4/MD5/MD6 SHA/SHA-2/SHA-3 Signatures in digital format Signing of code Generation of pseudo-random numbers Perfect upfront secrecy Encryption of data in transit SSL/TLS HTTP/HTTPS/SHTTP 3-D secure and SET IPsec Data-in-memory/processing Encryption of data at rest Symmetric algorithms Advanced encryption standard (AES) IDEA Twofish RC4/RC5/RC6 Diffie-Hellman RSA El Gamal ECC Encryption at the disk level Encryption at the block level Encryption at the record level Steganography Implementations Modules for cryptography Processors for cryptography Providers of cryptographic services DRM Watermarking Shell Security (SSH) S/MIME Implementations of cryptographic applications Strength vs. performance vs. implementability vs. interoperability Strength Performance Implementation possibilities Interoperability Block vs. stream Ciphers in the stream Cipher blocks Flaws/weaknesses that have been identified PKI Wildcard Applications Certificate Tokens Graph 15.7 pinning USB tokens Cryptocurrency/blockchain Conclusion
- 16. Identification, Authentication, and Authorization: Introduction Structure Objective Authentication Authentication factors Knowledge-based factors Ownership affecting factors Characteristics to look for Concepts of authentication that aren’t authentic Management of accounts and identity Password management Physiological characteristics Behavior characteristics Biometrics considerations Multi-factor authentication Using certificates for authentication Context-aware authentication Push authentication Authorization Access control models Discretionary access control Mandatory access control Role-based access control Rules-based access control Controlling access content-driven Access control matrix ACLs Access control policies Attestation Identity propagation Federation OpenID RADIUS server configuration LDAP Active Directory (AD) Conclusion
- 17. Security Incidents and Response: Introduction Structure Data breach Detection and collection Data analytics Mitigation Minimize Isolate Recovery/reconstitution Response Disclosure Incident detection and response Internal and external violations Privacy policy violations Criminal actions Insider threats Non-malicious threats/misconfigurations Hunt teaming Heuristics and behavioral analytics Review system, audit and security logs Incident and emergency response Chain of custody Evidence Surveillance, search, and seizure Forensic analysis of compromised system Media analysis Software analysis Network analysis Hardware/embedded device analysis Continuity of Operations Disaster recovery Incident response team Order of volatility Incident response support tools Severity of incident or breach Scope Impact System process criticality Cost Downtime Legal ramifications Post-incident response Root-cause analysis Lessons learned After-action report Change control process Conclusion
- 18. Integrating Hosts, Networks, Storage, and Applications: Introduction Structure Objectives Adapt security to meet business needs Standards Open standards Adherence to standards Competing standards Lack of standards De facto standards Interoperability issues Legacy and current systems Application requirements In-house developed Commercial Tailored commercial Open source Standard data formats Protocols and APIs Resilience issues Use of heterogeneous components Course of action automation/orchestration Distribution of critical assets Persistence and non-persistence of data Redundancy and high availability Assumed likelihood of attack Data security considerations Data remnants Data aggregation Data isolation Data ownership Data sovereignty Data volume Resources provisioning and de-provisioning Users Servers Virtual devices Applications Considerations during mergers, acquisitions, and demergers Network secure segmentation and delegation Logical deployment diagram and corresponding physical deployment diagram of all relevant devices Security and privacy considerations of storage integration Security implications of integrating enterprise applications CRM ERP CMDB CMS Integration enablers Directory Services DNS SOA ESB Conclusion
- 19. Security Activities Across Technology Lifecycle: Introduction Structure Objectives Systems development life cycle Requirements Acquisition Test and evaluation Commissioning/decommissioning Operational activities Monitoring Maintenance Configuration and change management Asset disposal Asset/object reuse Software development life cycle Plan/initiate project Gather requirements Design Develop Test/validate Release/maintain Certify/accredit Change and configuration management Application security frameworks Software assurance Auditing and logging Risk analysis and mitigation Regression and acceptance testing Security impact of acquired software WASC OWASP ISO/IEC 27000 Web Services Security (WS-Security) Forbidden coding techniques Code quality Code analyzers Fuzzing Static Dynamic Misuse case testing Test coverage analysis Interface testing Agile DevOps Versioning Secure coding standards Documentation Security requirements traceability matrix Requirements definition System design document Testing plans Validation and acceptance testing Unit testing Adapt solutions Addressing disruptive technologies Address security trends Asset management (Inventory control) Device-tracking technologies Geolocation/GPS location Object tracking and containment technologies Geotagging/Geo-fencing RFID Conclusion
- 20. CASP+ Skill Assessment: Question and Answers
- 21. CASP+ Skill Assessment: Question and Answers
- 22. Appendix D: Study Planner
- Index