Prepare to succeed in your new cybersecurity career with the challenging and sought-after CASP+ credential.

In the newly updated Fourth Edition of CASP+ CompTIA Advanced Security Practitioner Study Guide Exam CAS-004, risk management and compliance expert Jeff Parker walks you through critical security topics and hands-on labs designed to prepare you for the new CompTIA Advanced Security Professional exam and a career in cybersecurity implementation. The content and chapter structure of this Fourth Edition were developed and restructured to represent the CAS-004 Exam Objectives. From operations and architecture concepts, techniques, and requirements to risk analysis, mobile and small-form-factor device security, secure cloud integration, and cryptography, you'll learn the cybersecurity technical skills you'll need to succeed on the new CAS-004 exam, impress interviewers during your job search, and excel in your new career in cybersecurity implementation.

This comprehensive book offers:
* Efficient preparation for a challenging and rewarding career in implementing specific solutions within cybersecurity policies and frameworks
* A robust grounding in the technical skills you'll need to impress during cybersecurity interviews
* Content delivered through scenarios, a strong focus of the CAS-004 Exam
* Access to an interactive online test bank and study tools, including bonus practice exam questions, electronic flashcards, and a searchable glossary of key terms

Perfect for anyone preparing for the CASP+ (CAS-004) exam and a new career in cybersecurity, CASP+ CompTIA Advanced Security Practitioner Study Guide Exam CAS-004 is also an ideal resource for current IT professionals wanting to promote their cybersecurity skills or prepare for a career transition into enterprise cybersecurity.
Page count: 1072
Publication year: 2022
Cover
Title Page
Copyright
Acknowledgments
About the Authors
About the Technical Editor
Table of Exercises
Introduction
Before You Begin the CompTIA CASP+ Certification Exam
Who Should Read This Book
What You Will Learn
How This Book Is Organized
How to Use This Book
Tips for Taking the CASP+ Exam
Interactive Online Learning Environment and TestBank
CompTIA CASP+ Study Guide Exam Objectives
The CASP+ Exam Objective Map
Reader Support for This Book
Assessment Test
Answers to Assessment Test
Chapter 1: Risk Management
Risk Terminology
The Risk Assessment Process
Policies Used to Manage Employees
Cost-Benefit Analysis
Continuous Monitoring
Enterprise Security Architecture Frameworks and Governance
Training and Awareness for Users
Best Practices for Risk Assessments
Business Continuity Planning and Disaster Recovery
Reviewing the Effectiveness of Existing Security Controls
Conducting Lessons Learned and After-Action Reviews
Creation, Collection, and Analysis of Metrics
Analyzing Security Solutions to Ensure They Meet Business Needs
Testing Plans
Internal and External Audits
Using Judgment to Solve Difficult Problems
Summary
Exam Essentials
Review Questions
Chapter 2: Configure and Implement Endpoint Security Controls
Hardening Techniques
Trusted Operating Systems
Compensating Controls
Summary
Exam Essentials
Review Questions
Chapter 3: Security Operations Scenarios
Threat Management
Actor Types
Intelligence Collection Methods
Frameworks
Indicators of Compromise
Response
Summary
Exam Essentials
Review Questions
Chapter 4: Security Ops: Vulnerability Assessments and Operational Risk
Terminology
Vulnerability Management
Vulnerabilities
Inherently Vulnerable System/Application
Proactive Detection
Summary
Exam Essentials
Review Questions
Chapter 5: Compliance and Vendor Risk
Shared Responsibility in Cloud Computing
Security Concerns of Integrating Diverse Industries
Regulations, Accreditations, and Standards
Contract and Agreement Types
Third-Party Attestation of Compliance
Legal Considerations
Summary
Exam Essentials
Review Questions
Chapter 6: Cryptography and PKI
The History of Cryptography
Cryptographic Goals and Requirements
Supporting Security Requirements
Risks with Data
Hashing
Symmetric Algorithms
Asymmetric Encryption
Public Key Infrastructure Hierarchy
Digital Certificates
Implementation of Cryptographic Solutions
Recognizing Cryptographic Attacks
Troubleshooting Cryptographic Implementations
Summary
Exam Essentials
Review Questions
Chapter 7: Incident Response and Forensics
The Incident Response Framework
Forensic Concepts
Forensic Analysis Tools
Summary
Exam Essentials
Review Questions
Chapter 8: Security Architecture
Security Requirements and Objectives for a Secure Network Architecture
Organizational Requirements for Infrastructure Security Design
Integrating Applications Securely into an Enterprise Architecture
Data Security Techniques for Securing Enterprise Architecture
Security Requirements and Objectives for Authentication and Authorization Controls
Summary
Exam Essentials
Review Questions
Chapter 9: Secure Cloud and Virtualization
Implement Secure Cloud and Virtualization Solutions
How Cloud Technology Adoption Impacts Organization Security
Summary
Exam Essentials
Review Questions
Chapter 10: Mobility and Emerging Technologies
Emerging Technologies and Their Impact on Enterprise Security and Privacy
Secure Enterprise Mobility Configurations
Security Considerations for Technologies, Protocols, and Sectors
Summary
Exam Essentials
Review Questions
Appendix: Answers to Review Questions
Chapter 1: Risk Management
Chapter 2: Configure and Implement Endpoint Security Controls
Chapter 3: Security Operations Scenarios
Chapter 4: Security Ops: Vulnerability Assessments and Operational Risk
Chapter 5: Compliance and Vendor Risk
Chapter 6: Cryptography and PKI
Chapter 7: Incident Response and Forensics
Chapter 8: Security Architecture
Chapter 9: Secure Cloud and Virtualization
Chapter 10: Mobility and Emerging Technologies
Index
End User License Agreement
Chapter 1
TABLE 1.1 Governmental information classification
TABLE 1.2 Commercial information classification
TABLE 1.3 Sample qualitative aggregate score findings
TABLE 1.4 Annualized loss expectancy (ALE) of DMZ assets
Chapter 3
TABLE 3.1 Basic rule set
Chapter 6
TABLE 6.1 Attributes of symmetric and asymmetric encryption
TABLE 6.2 Integrity verification methods
Chapter 8
TABLE 8.1 Basic rule set
Chapter 9
TABLE 9.1 Common security controls for virtual systems
TABLE 9.2 Legitimate and malicious desktop sharing programs
Chapter 1
FIGURE 1.1 Risk-ranking matrix
Chapter 3
FIGURE 3.1 LulzSec
FIGURE 3.2 Firewall placement and design
FIGURE 3.3 Basic network with firewall
Chapter 4
FIGURE 4.1 The vulnerability management life cycle
FIGURE 4.2 Qualitative severity rating scale of CVSS 3.1
FIGURE 4.3 CCE-80785-9 for Red Hat Enterprise Linux 8
FIGURE 4.4 The patch management life cycle
FIGURE 4.5 How bytecode works
FIGURE 4.6 LDAP injection
FIGURE 4.7 Impact/Effort Matrix
FIGURE 4.8 Data pipeline
Chapter 5
FIGURE 5.1 Layers of cloud computing
FIGURE 5.2 Distribution of security responsibility
FIGURE 5.3 Google Cloud Status Dashboard
FIGURE 5.4 CMMI levels
FIGURE 5.5 CSA STAR levels
Chapter 6
FIGURE 6.1 Hashing process
FIGURE 6.2 An example of a cryptographic hash on a software product
FIGURE 6.3 Symmetric encryption process
FIGURE 6.4 Asymmetric encryption
FIGURE 6.5 Hierarchical trust model
FIGURE 6.6 An example of a chain of trust
FIGURE 6.7 Digital signature creation
FIGURE 6.8 “Your connection is not private” error
Chapter 7
FIGURE 7.1 Relationship in hypothetical decision-making
FIGURE 7.2 Incident response playbook template
FIGURE 7.3 Document retention
Chapter 8
FIGURE 8.1 The data life cycle
Fourth Edition
Nadean H. Tanner
Jeff T. Parker
Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada and the United Kingdom.
ISBN: 978-1-119-80316-4
ISBN: 978-1-119-80318-8 (ebk.)
ISBN: 978-1-119-80317-1 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.
Trademarks: WILEY, the Wiley logo, Sybex, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA and CASP+ are trademarks or registered trademarks of CompTIA, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2022942942
Cover image: © Jeremy Woodhouse/Getty Images, Inc.
Cover design: Wiley
My first three books were dedicated to Kenneth, Shelby, and Gavin: thank you for your love and support and all your electronical advice.
To Kelly Talbot, my editor, thank you for your kind patience and making things easy when you could, which wasn't often.
To Chris Crayton, my technical editor, you were right—most of the time. As a woman in IT for 20+ years, I know there are still man-made disasters.
And to Ophelia…because I can, so I did.
Nadean H. Tanner is the senior manager of consulting at Mandiant, working most recently on building real-world cyber range engagements to practice threat hunting and incident response. She has been in IT for more than 20 years and specifically in cybersecurity for more than a decade. She holds more than 30 industry certifications including CompTIA CASP+, Security+, and (ISC)2 CISSP.
Tanner has trained and consulted for Fortune 500 companies and the U.S. Department of Defense in cybersecurity, forensics, analysis, red/blue teaming, vulnerability management, and security awareness.
She is the author of the Cybersecurity Blue Team Toolkit, published by Wiley in 2019, and CASP+ Practice Tests: Exam CAS-004, published by Sybex in 2020. She also was the technical editor for the CompTIA Security+ Study Guide: Exam SY0-601 and CompTIA PenTest+ Study Guide: Exam PT0-002 written by Mike Chapple and David Seidl.
In her spare time, Tanner enjoys speaking at technical conferences such as Black Hat, Wild West Hacking Fest, and OWASP events.
Jeff T. Parker is an information security professional with more than 20 years’ experience in cybersecurity consulting and IT risk management. Jeff started in information security while working as a software engineer for HP in Boston, Massachusetts. Jeff then took the role of a global IT risk manager for Deutsche Post to enjoy Prague in the Czech Republic with his family for several years. There he developed and oversaw the implementation of a new IT risk management strategy. Today, Jeff most enjoys time with his two children in Nova Scotia. Currently, Jeff is developing custom e-learning courses in security awareness for Mariner Innovations.
Jeff maintains several certifications, including CISSP, CEH, and CompTIA's CySA+ and ITT+. He also coauthored the book Wireshark for Security Professionals: Using Wireshark and the Metasploit Framework (Wiley, 2017) with Jessey Bullock. Jeff also has written Wiley practice exam books for the CompTIA certifications CySA+ and the A+ (2018 and 2019, respectively).
Chris Crayton is a technical consultant, trainer, author, and industry-leading technical editor. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has authored several print and online books on PC repair, CompTIA A+, CompTIA Security+, and Microsoft Windows. He has also served as technical editor and content contributor on numerous technical titles for several of the leading publishing companies. He holds numerous industry certifications, has been recognized with many professional and teaching awards, and has served as a state-level SkillsUSA final competition judge.
Exercise 1.1
Calculating Annualized Loss Expectancy
Exercise 1.2
Reviewing the Employee Termination Process
Exercise 2.1
Running a Security Scanner to Identify Vulnerabilities
Exercise 2.2
Bypassing Command Shell Restrictions
Exercise 3.1
Using WinDump to Sniff Traffic
Exercise 3.2
Reviewing and Assessing ACLs
Exercise 4.1
Tracking Vulnerabilities in Software
Exercise 4.2
Performing Passive Reconnaissance on Your Company, School, or Another Organization
Exercise 5.1
What Services Should Be Moved to the Cloud?
Exercise 5.2
Identifying Risks and Issues with Cloud Computing
Exercise 5.3
Reviewing Documents
Exercise 8.1
Configuring iptables
Exercise 8.2
Using Pingdom Full Page Test
Exercise 8.3
Testing Your Antivirus Program
Exercise 8.4
Reviewing and Assessing ACLs
Exercise 9.1
Creating a Virtual Machine
Exercise 9.2
Identifying What Services Should Be Moved to the Cloud
Exercise 9.3
Identifying Risks and Issues with Cloud Computing
Exercise 9.4
Understanding Online Storage
Exercise 9.5
Turning to the Cloud for Storage and Large File Transfer
Exercise 9.6
Eavesdropping on Web Conferences
Exercise 9.7
Sniffing Email with Wireshark
Exercise 9.8
Sniffing VoIP with Cain & Abel
The CASP+ certification was developed by the Computing Technology Industry Association (CompTIA) to provide an industry-wide means of certifying the competency of security professionals who have a minimum of 10 years' general hands-on IT experience with at least 5 years' hands-on IT security experience. The security professional's job is to protect the confidentiality, integrity, and availability of an organization's valuable information assets. As such, these individuals need to have the ability to apply critical thinking and judgment.
According to CompTIA, the CASP+ certification is a vendor-neutral credential. CASP+ validates advanced-level security skills and knowledge internationally. There is no prerequisite, but CASP+ certification is intended to follow CompTIA Network+, Security+, CySA+, Cloud+, and PenTest+ or equivalent certifications/experience and has a technical, “hands-on” focus at the enterprise level.
Many certification books present material for you to memorize before the exam, but this book goes a step further in that it offers best practices, tips, and hands-on exercises that help those in the field of security better protect critical assets, build defense in depth, and accurately assess risk.
If you're preparing to take the CASP+ exam, it is a good idea to find out as much information as possible about computer security practices and techniques. Because this test is designed for those with years of experience, you will be better prepared by having the most hands-on experience possible; this study guide was written with this in mind. We have included hands-on exercises, real-world scenarios, and review questions at the end of each chapter to give you some idea as to what the exam is like. You should be able to answer at least 90 percent of the test questions in this book correctly before attempting the exam; if you're unable to do so, reread the problematic chapters and try the questions again. Your score should improve.
Before you begin studying for the exam, it's good for you to know that the CASP+ certification is offered by CompTIA (an industry association responsible for many certifications) and is granted to those who obtain a passing score on a single exam. Learn all you can about the certification before you start.
A list of the CASP+ CAS-004 exam objectives is presented in this introduction. See the section “The CASP+ Exam Objective Map.”
Obtaining CASP+ certification demonstrates that you can help your organization design and maintain system and network security services to secure the organization's assets. By obtaining CASP+ certification, you show that you have the technical knowledge and skills required to conceptualize, design, and engineer secure solutions across complex enterprise environments.
The CompTIA CASP+ Study Guide: Exam CAS-004, Fourth Edition, is designed to give you insight into the working world of IT security, and it describes the types of tasks and activities that a security professional with 5–10 years of experience carries out. Organized classes and study groups are the ideal structures for obtaining and practicing with the recommended equipment.
College classes, training classes, and boot camps are recommended ways to gain proficiency with the tools and techniques discussed in the book. However, nothing delivers hands-on learning like experiencing your own attempts, successes, and mistakes—on a home lab. More on home labs later.
This CompTIA CASP+ Study Guide covers all you need to know to pass the CASP+ exam. The exam is based on exam objectives, and this study guide is based on the current iteration of the CASP+ exam, version CAS-004.
Per the CASP+ CompTIA objectives for exam version CAS-004, the four domains include the following:
Domain 1.0 Security Architecture
Domain 2.0 Security Operations
Domain 3.0 Security Engineering and Cryptography
Domain 4.0 Governance, Risk, and Compliance
Each of these four domains further divides into objectives. For example, the fourth domain, “Governance, Risk, and Compliance,” is covered across three objectives:
4.1 Given a set of requirements, apply the appropriate risk strategies.
4.2 Explain the importance of managing and mitigating vendor risk.
4.3 Explain compliance frameworks and legal considerations, and their organizational impact.
4.4 Explain the importance of business continuity and disaster recovery concepts.
These objectives read like a job task, but they are more akin to a named subset of knowledge. Many subobjectives and topics are found under each objective. These are listed hierarchically, ranging from 20 to 50 topics per objective. Yes, that's a lot of topics when you add it all up. In short, there is a lot of material to cover. Next, we address how the book tackles it all.
Remember how we just explained the CASP+ exam is based on domains and objectives? Your goal for exam preparation is essentially to cover all of those subobjectives and topics. That was our goal, too, in writing this study guide, so that's how we structured this book—around the same exam objectives, specifically calling out every subobjective and topic. If a topic or phrase from the exam objectives list isn't specifically called out, the concepts and understanding behind that topic or phrase are discussed thoroughly in the relevant chapters.
Nonetheless, CompTIA didn't structure the exam objectives to make for good reading or an easy flow. It would be simple to tell you that each chapter correlates exactly to two or three objectives. Instead, the book is laid out to create a balance between a relevant flow of information for learning and relatable coverage of the exam objectives. This book structure then serves to be most helpful for identifying and filling any knowledge gaps that you might have in a certain area and, in turn, best prepare you for the exam.
Beyond what the exam requires, there is of course some “added value” in the form of tips, notes, stories, and URLs where you can go for additional information online. This is typical for the Sybex study guide format. The extra bits are obviously set apart from the study guide text, and they can be enjoyed as you wish. In most cases, URLs will point to a recent news event related to the topic at hand, a link to the cited regulation, or the site where a tool can be downloaded. If a particular concept interests you, you are encouraged to follow up with that article or URL. What you will learn in this study guide is exactly what you need to know to prepare for the CASP+ certification exam. What you will learn from those tips, notes, and URLs is additional context in which the topic at hand may be better understood. Next, we discuss what you should already have in order to be successful when learning from this book.
To be most successful in reading and learning from this book, you will need to bring something to the table yourself, that is, your experience.
You're preparing to take one of CompTIA's most advanced certification exams. CompTIA's website associates the CASP+ exam with the SANS Institute GIAC Certified Enterprise Defender (GCED) exam, as only these two exams focus on “cybersecurity practitioner skills” at an advanced level. In comparison, the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) exams focus on cybersecurity management skills.
The CASP+ exam covers a very wide range of information security topics. Understandably, the range is as wide as the range of information security job disciplines. As each of us grows from a junior level to the higher-level, technical lead roles, the time we spend working in one specialty area overshadows our exposure to other specialties. For example, three senior security practitioners working as an Active Directory engineer, a malware reverse engineer, and a network administrator might be highly skilled in their respective jobs yet have only a simple understanding of each other's roles. The exam topics include specific techniques and technologies that would be familiar to people who have held lead roles in the corresponding area of information security. Someone with experience in one or more technical areas has a great advantage, and that experience will benefit the candidate studying from this book and taking the CASP+ exam.
Last, CompTIA's recommended level of experience is a minimum of 10 years of general hands-on IT experience, including at least five years of hands-on technical security experience. If you have the five years, it is very likely that you have had at least minimal exposure to or understanding of most topics covered, enough for you to benefit from reading this book.
Given that the certification's title includes the word practitioner, you are expected to have, or be capable of building, a home lab for yourself. This does not mean that you need a 42U rack full of servers and network hardware in the basement (though it might bring up a lot of excitement at home). A home lab can be as simple as having one or two virtualized machines (VMs) running on your laptop or desktop with adequate CPU and RAM. This can be done using VirtualBox or VMware Workstation Player, both of which are free. There are many prebuilt VMs available online, designed specifically for security practice. A home lab can be started at little to no cost and be running within 15 minutes. No excuses.
Dedicating some routine time on a home lab will advance your skills and experience as well as demonstrate your passion for the subject. Current and future managers will love it! Seriously, though, when you make time to build, tweak, break, and rebuild systems in your home lab, not only do you readily advance your skills and learn new technologies, but you do so without the consequences of bringing down production.
The final reason for building up a home lab is that it gives you an immediate environment on which to try some of the tools and techniques mentioned in this CASP+ study guide. As with the experience mentioned earlier, your success on the exam is affected by how much you have learned from reading versus how much you understand from doing. The best of success to you on the exam and in your career.
Like all exams, the CASP+ certification from CompTIA is updated periodically and may eventually be retired or replaced. At some point after CompTIA is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available.
Here is how the book is structured, chapter by chapter:
Chapter 1, “Risk Management”
This chapter covers risk management, in particular the security risks surrounding business and industry. The chapter also discusses risk mitigation strategies and controls, including making risk determinations based on a variety of metrics, strategy recommendations based on risk appetite, and business continuity planning.
Chapter 2, “Configure and Implement Endpoint Security Controls”
This chapter starts with security controls for host devices. Topics include host hardening, external I/O restrictions, secure operating systems, and several variants of endpoint security software. To wrap up the wide umbrella of network security concepts and architectures, this chapter covers network access control, security zones, and network-enabled devices. Finally, the secure configuration and baselining of network devices are discussed.
Chapter 3, “Security Operations Scenarios”
This chapter concentrates on managing threats that require resources such as time, money, and intelligence. This chapter also includes threat management including active hunting for a breach as well as how to proactively protect an organization from compromise.
Chapter 4, “Security Ops: Vulnerability Assessments and Operational Risk”
This chapter covers security controls around software vulnerabilities, specific application issues, and operating system vulnerabilities. The chapter also covers material related to incident response and incident recovery. Finally, a large section of the chapter is dedicated to policies and procedures related to security, privacy, and contracts.
Chapter 5, “Compliance and Vendor Risk”
This chapter focuses on managing and mitigating vendor risk as well as compliance frameworks and legal considerations and their organizational impact. Emphasis is on integrating diverse industries, many different data considerations, and geographic and legal considerations. It also covers the different regulations, accreditations, and standards that affect cybersecurity.
Chapter 6, “Cryptography and PKI”
This chapter covers cryptographic techniques, implementations of both hardware and protocols, and various cryptographic applications.
Chapter 7, “Incident Response and Forensics”
This chapter covers research: best practices, research methods, threat intelligence, and the global security community. Additionally, there is related coverage of incident recovery and how severity is determined. This chapter also discusses the research requirements related to contracts. Last, post-incident response, lessons learned, and reporting are also covered.
Chapter 8, “Security Architecture”
This chapter covers material related to how business and technology meet in the enterprise environment. In particular, the chapter addresses technical integration of hosts, storage, networks, and applications in an enterprise architecture. Also, this chapter includes coverage of the interaction between business units and their security goals.
Chapter 9, “Secure Cloud and Virtualization”
This chapter concentrates on cloud and virtualization technologies. It includes cloud service models, cloud security services, the security-related pros and cons of virtualization, and data security considerations. There is also heavy coverage of several physical and virtual network devices as they relate to security.
Chapter 10, “Mobility and Emerging Technologies”
This chapter focuses on mobility and integration with enterprise security, including analysis and impact, implementing security controls, and determining the correct solution for an environment. It also discusses cost-benefit analysis and the evaluation of a proposed solution as to its performance, latency, scalability, capability, usability, and maintainability while taking availability metrics into account.
Appendix: Answers to Review Questions
Here you'll find the answers to the review questions that appear at the end of each chapter.
The CASP+ exam is a standard pass/fail exam with a maximum of 90 questions. You will have 165 minutes (2 hours, 45 minutes) to finish. There will be multiple-choice and performance-based questions (PBQs).
If you're not familiar with PBQs but you have the recommended real-world experience, then there is little to worry about. For many candidates, PBQs are a comfortable opportunity to demonstrate experience. Unlike a multiple-choice question, the PBQ is a simulation of a scenario. The scenario is one you would likely encounter in the real world. The “catch” on PBQs versus multiple-choice questions is the time you spend on them. Unlike a multiple-choice question where you might spend a few seconds or a minute reading, the PBQ might involve more reading and then the time to apply or simulate the action asked of you. Luckily, the PBQs tend to occur early on in the test, and you will likely have only three to five PBQs for the entire exam (but no guarantees here). Just gauge your time carefully as you progress through the exam.
Here are our tips for taking the CASP+ exam:
If you are taking the exam at a testing facility, bring two forms of ID with you. One must be a photo ID, such as a driver's license. The other can be a major credit card or a passport. Both forms must include a signature.
Arrive early at the exam center. This gives you a chance to relax and, if it helps, to review any study materials you brought. Some people prefer to bring nothing, and some might want a final review of exam-related information.
When you are ready to enter the testing room, everything must go into an available locker. No material is allowed in the testing area.
Read the questions carefully. Again, carefully. Don't be tempted to jump to an early conclusion. Know what each question is asking.
Don't leave any unanswered questions. If you must, select your “best guess” and mark the question for later review.
Questions will include extra information that doesn't apply to the actual problem (just as in the real world).
You have the option of going through the exam several times to review before you submit it, or marking questions for later review. Some people mark about 10 to 20 questions and then go back to them after they have completed all of the other questions.
Use all of your time to review, and change your answers only if you misread the question. Don't rush through it.
Again, breathe deeply and read carefully.
For the latest pricing on the exams and updates to the registration procedures, visit CompTIA's website at www.comptia.org.
Studying the material in this book is an important part of preparing for the exam, but we provide additional tools to help you prepare. The online TestBank will help you understand the types of questions that will appear on the certification exam.
The sample tests in the TestBank include all the questions in each chapter as well as the questions from the assessment test. In addition, there are two practice exams. You can use these tests to evaluate your understanding and identify areas that may require additional study.
The flashcards in the TestBank will push the limits of what you should know for the certification exam. There are 100 questions, which are provided in digital format. Each flashcard has one question and one correct answer.
The online glossary is a searchable list of key terms introduced in this exam guide that you should know for the exam.
To start using these to study for the exam, go to www.wiley.com/go/sybextestprep and register your book to receive your unique PIN; once you have the PIN, return to www.wiley.com/go/sybextestprep, find your book, and follow the register or login link to register a new account or add this book to an existing account.
This table provides the extent, by percentage, that each domain is represented on the actual examination.
Domain                                       % of Examination
1.0 Security Architecture                    29%
2.0 Security Operations                      30%
3.0 Security Engineering and Cryptography    26%
4.0 Governance, Risk, and Compliance         15%
Total                                        100%
This table is where you can find the objectives covered in this book. The chapter that covers each objective is given in parentheses.
Domain 1.0 Security Architecture
1.1 Given a scenario, analyze the security requirements and objectives to ensure an appropriate, secure network architecture for a new or existing network. (Chapter 8)
1.2 Given a scenario, analyze the organizational requirements to determine the proper infrastructure security design. (Chapter 8)
1.3 Given a scenario, integrate software applications securely into an enterprise architecture. (Chapter 8)
1.4 Given a scenario, implement data security techniques for securing enterprise architecture. (Chapter 8)
1.5 Given a scenario, analyze the security requirements and objectives to provide the appropriate authentication controls. (Chapter 8)
1.6 Given a set of requirements, implement secure cloud and virtualization solutions. (Chapter 9)
1.7 Explain how cryptography and public key infrastructure (PKI) support security objectives and requirements. (Chapter 6)
1.8 Explain the impact of emerging technologies on enterprise security and privacy. (Chapter 10)
Domain 2.0 Security Operations
2.1 Given a scenario, perform threat management activities. (Chapter 3)
2.2 Given a scenario, analyze indicators of compromise and formulate an appropriate response. (Chapter 3)
2.3 Given a scenario, perform vulnerability management activities. (Chapter 4)
2.4 Given a scenario, use the appropriate vulnerability assessment and penetration testing methods and tools. (Chapter 4)
2.5 Given a scenario, analyze vulnerabilities and recommend risk mitigations. (Chapter 4)
2.6 Given a scenario, use processes to reduce risk. (Chapter 4)
2.7 Given an incident, implement the appropriate response. (Chapter 7)
2.8 Explain the importance of forensic concepts. (Chapter 7)
2.9 Given a scenario, use forensic analysis tools. (Chapter 7)
Domain 3.0 Security Engineering and Cryptography
3.1 Given a scenario, apply secure configurations to enterprise mobility. (Chapter 10)
3.2 Given a scenario, configure and implement endpoint security controls. (Chapter 2)
3.3 Explain security considerations impacting specific sectors and operational technologies. (Chapter 10)
3.4 Explain how cloud technology adoption impacts organizational security. (Chapter 9)
3.5 Given a business requirement, implement the appropriate PKI solution. (Chapter 6)
3.6 Given a business requirement, implement cryptographic protocols and algorithms. (Chapter 6)
3.7 Given a scenario, troubleshoot issues with cryptographic implementations. (Chapter 6)
Domain 4.0 Governance, Risk, and Compliance
4.1 Given a set of requirements, apply the appropriate risk strategies. (Chapter 1)
4.2 Explain the importance of managing and mitigating vendor risk. (Chapter 5)
4.3 Explain compliance frameworks and legal considerations and their organizational impact. (Chapter 5)
4.4 Explain the importance of business continuity and disaster recovery concepts. (Chapter 1)
John Wiley & Sons provides the following for its readers.
As you work through the examples in this book, the project files you need are all available for download from www.wiley.com/go/sybextestprep.
If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.
In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”
Alice is an administrator who works in the finance department. She has clicked a link in an email that has executed unwanted actions in a web application she is using. What type of attack is this?
XSS
CSRF
SQLi
Buffer overflow
You are exploring the best option for your organization to move from a physical data center to virtual machines hosted on bare-metal servers. Which of the following is the BEST option for that move?
Type 1 hypervisor
Type 2 hypervisor
iPaaS
IaaS
You are looking for a replacement for POP3. Which of the following protocols offers advantages over POP3 for mobile users?
HTTPS
NTP
IMAP
SMTP
DNSSEC provides authority and data integrity. DNSSEC will not protect against which of the following?
Spoofing
Kiting/tasting
Verification
Masquerade
You have built an access control list for a router that is subject to PCI DSS. The ACL you have built contains four commands that deny HTTP, POP3, FTP, and Telnet. No traffic is coming through the router. What is the most likely reason?
Traffic is dropped because of the “deny TCP any HTTP” statement.
Traffic is dropped because of the “deny TCP any FTP” statement.
Traffic is accepted but not forwarded to the proper location.
There are no permit statements in the ACL.
You are evaluating the security policy of a large enterprise. There are many elements and points of enforcement, including email and remote access systems. XML is the natural choice as the basis for the common security policy language. What language standard should be implemented with XML for a fine-grained, attribute-based access control?
OASIS
SAMLv2
SOAP
XACML
Using Microsoft Network Monitor, you have captured traffic on TCP port 23. Your security policy states that port 23 is not to be used. What client-server protocol is probably running over this port?
SNMP
Telnet
PuTTY
FTP
TCP is connection oriented, while UDP is connectionless. Which of these is NOT a valid header in a UDP packet?
Source port
Destination port
Length
Sequence number
You are having difficulties reaching tech support for a specific web application that has crashed. You have to find the agreement between your company and the provider. What is the document that requires a provider to maintain a certain level of support?
NDA
SLA
MOU
MTTR
Which of the following would be considered a detective and administrative control?
Fences and gates
IDS and honeypots
IPS and antivirus
Audit logs
You have interviewed several candidates for a position that is open in your security department. Human resources will need to conduct a background check before offering a position to your final candidate. Why is a background check necessary?
Helps provide the right person for the right job
Is a single point of failure
Reinforces a separation of duties
Improves performance
You have finished conducting an audit to verify the protection mechanisms you have placed on information systems. What is this type of audit called?
Information security audit
Operational audit
Forensic audit
Procedure audit
You have been instructed to remove all data from a hard drive with the caveat that you want to reuse the drive. Which of the following would be the BEST option?
Put the hard drive in the microwave for two minutes
Empty the recycle bin
Degauss the drive
Perform a seven-pass bit-level drive wipe
You want to form a legal partnership with another organization. Which of these is the BEST description of a partnership?
A business that legally has no separate existence from the owner
A business where the owners are not personally liable for the company's debts
A form of business operation that declares the business is a separate legal entity from the board of directors
A legal form of business between two or more individuals who share management and profits
The manufacturer of a motherboard advertises the presence of a TPM chip. What is TPM used for?
Speed
Encryption
Hyperthreading
Authentication
Your company is conducting new web business with companies with home offices in the EU. Under the rules of GDPR, visitors to the website may exercise their EU data rights that include which of the following?
Not be informed of a breach
To have their presence on a site erased
To not be taxed on purchases
Receive a healthy discount
As you are building a business continuity plan, you are investigating cybersecurity threats for your manufacturing organization. Cyberthreats to your business would not include ________________.
Ransomware
DDoS
Intellectual property theft
Resource management
You have both mycompany.com and www.mycompany.com pointing to the same application hosted by the same server. What type of DNS record is this found in?
Authentication
SOA
CNAME
AWS
You are conducting a risk analysis for your company, specifically looking at quantitative data. Which of these would NOT be considered quantitative?
Volume
Temperature
Pressure
Reputation
You have investigated a breach into your network. You found lower-level credentials used to access files and functions reserved for higher-privilege credentials. What is this called?
Phishing
Dumpster diving
Privilege escalation
Pass-the-hash
Who in your organization is responsible for setting goals and directing risk analysis?
Board of directors
CIO
Senior management
Human resources
Your training manager is copying MP4 security awareness videos to mobile devices from their laptop. What is this called?
Uploading
Downloading
Blueloading
Sideloading
You work for a publicly traded company. While evaluating your organization's information classification, some information can be given the lowest-level classification. The lowest level of public-sector information classification is which of the following?
Secret
FOUO
Public
Unclassified
You have calculated the single loss expectancy of a mission-critical asset by multiplying the asset value by the exposure factor. What else could your team review if you were interested in qualitative costs?
Cost of repair
Value of lost data
Lost productivity
Public relations
The users on your network should have only the access needed to do their jobs. What is this security control called?
Single point of failure
Least privilege
Separation of duties
Mandatory vacations
You need an IDS but have no security budget. What IDS tool listed is open source?
Nexpose
Nessus
Snort
PuTTY
Windows supports remote access protocols through the GUI. Remote access allows you to connect to a remote host in a different location over a network or over the Internet. What tool is native in Windows that provides this access?
TeamViewer
Remote Desktop Connection
Terminal Desktop Server
Wireshark
You have an end user who has called the help desk because they visited a website that instructed them to reset their DNS. What is the command you use at the Windows command line to accomplish this?
netstat
tracert
ipconfig /renew
ipconfig /flushdns
To prepare for appropriate preventative measures, you have downloaded a tool that will allow you to check weak credentials on your network. Which of the tools listed will perform a simple dictionary attack on NTLM passwords?
L0phtCrack
Wireshark
Maltego
Social-Engineer Toolkit
You are a privileged user launching Nmap. You use the default nmap scan: #nmap target. What is the default option?
-sS
-A
-O
-SYN
B. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions in a web application in which they are currently authenticated. When the victim is an administrator, CSRF can compromise an entire web application.
A. A Type 1 hypervisor is a hypervisor installed on a bare-metal server, meaning that the hypervisor is its own operating system. Type 1 hypervisors usually perform better due to the direct access to physical hardware.
C. Internet Message Access Protocol (IMAP) can be used as a replacement for POP3. It can be beneficial for mobile users because of folder management, remote mail, and the ability to sign in from multiple mobile devices. SMTP is used to send mail; IMAP and POP3 are used to receive mail.
B. DNSSEC does not protect against DNS kiting or tasting. DNS kiting, or tasting, is a practice where someone registers, cancels, and registers the domain again, all within a grace period. Income can be earned from the site because the site is functional, but you don't have to pay to register the site.
D. There must be a permit statement on an access control list (ACL). Otherwise, all deny statements will add to the implicit deny all, and nothing is permitted.
D. Extensible Access Control Markup Language (XACML) has architecture and a processing model that helps evaluate access requests according to rules placed in policies.
B. Telnet is a protocol that establishes a connection on TCP port 23. It should be blocked and avoided because it has no built-in security: usernames and passwords are sent in the clear, so sessions are exposed to eavesdropping.
D. User Datagram Protocol (UDP) is connectionless, so there will not be a sequence number.
B. A service level agreement (SLA) will be the agreement between parties that lists the level of support that your company will receive from the provider.
D. Audit logs would be a detective control function and an administrative control type.
A. A background check should be conducted on any candidate you are bringing into your organization. Credentials need to be validated, and positions and experience verified. This way you have the right person in the right position.
A. An information security audit is performed to ensure that the protections you have placed on information systems are working as expected.
D. If you want to use the drive again after removing all data, then perform a seven-pass drive wipe at the bit level. Degaussing will ruin the drive and make it inoperable. Emptying the recycle bin or microwaving the drive will not actually remove any data.
D. A partnership is a type of business where two or more individuals share potential profits as well as risk.
B. A Trusted Platform Module (TPM) chip is technology designed to provide hardware-based encryption.
B. The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information (PI) for all people who live in the European Union (EU).
D. Resource management is not a threat to a manufacturing organization.
C. Canonical name (CNAME) records are used to alias one name to another.
D. Quantitative data can be expressed as numbers. If you can measure it, it is a quantity.
C. Security mechanisms should prevent unauthorized access to and use of data and functions. Privilege escalation occurs when these preventive measures are circumvented, typically by an attacker finding a vulnerability or security gap that grants access beyond what the credentials were assigned.
C. Senior management is responsible for setting goals, initiating analysis, and making sure the proper people and resources are assigned and available during risk analysis.
D. Sideloading is a term that refers to transferring a file between two local devices without using the Internet. A file can be transferred using Wi-Fi, Bluetooth, or USB. Sideloading can also describe installing applications on Android devices that do not reside in the Google Play store.
C. Public classification means that it can be released and freely distributed. FOUO means For Official Use Only. Secret and Unclassified are governmental information classifications.
D. Public relations would be a qualitative control because it does not seek a numerical or mathematical statistic. Qualitative is subjective and deals with words and meaning.
B. The principle of least privilege is the practice of limiting the access rights of users to the minimum to get their job done. This reduces the risk of attackers gaining access to systems and compromising critical systems.
C. Snort is an open-source, free, and lightweight network intrusion detection system (IDS) for both Windows and Linux that detects any new threats to a network.
B. Remote Desktop Connection (RDC) will allow a user to authenticate and have access to all programs, files, and network resources on a system.
D. The command-line interface (CLI) command to flush and reset the cached contents of DNS is ipconfig /flushdns.
A. These are four great hacking tools that are free and available on the Internet. Remember to use your powers for good.
A. The default option for privileged users is -sS. This is a TCP SYN scan. Nmap sends a SYN packet, as if it were going to open a real connection, and waits for a response. If it gets a SYN/ACK back, the port is open. An RST means the port is closed.
4.1 Given a set of requirements, apply the appropriate risk strategies
Risk assessment
Likelihood
Impact
Qualitative vs. quantitative
Exposure factor
Asset value
Total cost of ownership (TCO)
Return on investment (ROI)
Mean time to recovery (MTTR)
Mean time between failure (MTBF)
Annualized loss expectancy (ALE)
Annualized rate of occurrence (ARO)
Single loss expectancy (SLE)
Gap analysis
Risk handling techniques
Transfer
Accept
Avoid
Mitigate
Risk types
Inherent
Residual
Exceptions
Risk management life cycle
Identify
Assess
Control
People
Process
Technology
Protect
Detect
Respond
Restore
Review
Frameworks
Risk tracking
Risk register
Key performance indicators
Scalability
Reliability
Availability
Key risk indicators
Risk appetite vs. risk tolerance
Tradeoff analysis
Usability vs. security requirements
Policies and security practices
Separation of duties
Job rotation
Mandatory vacation
Least privilege
Employment and termination procedures
Training and awareness for users
Auditing requirements and frequency
4.4 Explain the importance of business continuity and disaster recovery concepts
Business impact analysis
Recovery point objective
Recovery time objective
Recovery service level
Mission essential functions
Privacy impact assessment
Disaster recovery plan (DRP)/business continuity plan (BCP)
Cold site
Warm site
Hot site
Mobile site
Incident response plan
Roles/responsibilities
After-action reports
Testing plans
Checklist
Walk-through
Tabletop exercises
Full interruption test
Parallel test/simulation test
This chapter discusses risk. As a CASP+, you should be able to interpret business and industry influences and explain associated security risks. From a computing standpoint, risk is all around you. Everywhere you turn, there are risks; they begin the minute you first turn on a computer and grow exponentially the moment the network card becomes active.
Even in the nontechnical sense, there is risk: Who do you let in the facility? Are visitors escorted? Do you allow employees to connect personal devices such as tablet computers, smartphones, and so forth to company networks? There is even risk when deciding what approach to use for email. You may use an in-house email server or outsource email and use a cloud-based solution, such as Gmail or Outlook.com. Here again, you will find that there is the potential for risk in each choice. These are just the tip of the iceberg. This chapter discusses what CompTIA expects you to know for the exam related to risk.
Before discussing risk management, it is important to make sure that some basic terms are defined. All industries share basic vocabulary and semantics. IT security is no different, and within the topic of risk, there are some terms that you will see again and again. Let's begin by reviewing these terms:
Asset: An asset is an item of value to an institution, such as data, hardware, software, or physical property. An asset is an item or collection of items that has a quantitative (numeric) or qualitative (subjective) value to a company.
Risk: Risk is the probability or likelihood of the occurrence or realization of a threat.
Vulnerability: A vulnerability can be described as a weakness in hardware, software, or components that may be exploited in order for a threat to destroy, damage, or compromise an asset.
Threat: A threat is any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset. The likelihood of the threat is the probability of occurrence or the odds that the event will actually occur.
Motivation: Motivation is the driving force behind the activity. As an example, hackers can be motivated by many different reasons. Some common reasons include prestige, money, fame, and challenge.
Risk Source: The source of a risk can be either internal or external. Internal risk can be anything from a disgruntled employee to a failed hard drive. External risk includes natural disasters such as floods and person-made events such as strikes and protests. As an example, the risk source might be that the lock on a server cabinet is broken, whereas the threat is that someone can now steal the server hard drive.
From the standpoint of IT security, the following are some common examples of threats:
Natural Disaster: Natural disasters are events over which we have no control, such as bad weather (hurricanes, snowstorms, tornadoes), fires, floods, earthquakes, and tsunamis, but could also include global events like pandemics.
Malicious Code: Malicious code includes all forms of damaging programs, such as viruses, worms, Trojans, keyloggers, and so forth. This software is distinguishable in that it is developed to damage, alter, expose, or destroy a system or data. For example, viruses are executable programs that can replicate and attach to and infect other executable objects. Some viruses also perform destructive or discreet activities (payload) after replication and infection are accomplished.
Breach of Physical Security: A breach of physical security can be instigated by a trusted insider or an untrusted outsider. Intruders, vandals, and thieves remove sensitive information, destroy data, or physically damage or remove hardware such as hard drives and mobile devices.
Hacker Attack: Hacker attacks generally result in stolen, lost, damaged, or modified data. Loss or damage to an organization's data can be a critical threat if there are no backups or external archiving of the data as part of the organization's data recovery and business continuity plan. Also, if the compromised data is of a confidential nature, this can be a critical threat to the organization, depending on the potential damage that can arise from this compromise.
Distributed Denial of Service
A