CASP/1.0 Enterprise Security 40%
Distinguish which cryptographic tools and techniques are appropriate for a given situation.
Cryptographic applications and proper implementation
Advanced PKI concepts
Wild card
OCSP – Online Certificate Status Protocol vs. CRL – Certificate Revocation List
Issuance to entities
"RFC 2510 PKI Certificate Management Protocols". Retrieved 12 May 2014.
Users
"CERT issued certificate". Retrieved 15 May 2014.
Systems
Muller, Randy (August 2006). "How IT Works: Certificate Services". TechNet Magazine, August 2006. Retrieved 22 October 2021.
Applications
Implications of cryptographic methods and design
Strength vs. performance vs. feasibility to implement vs. interoperability
"Understanding Cryptographic Performance" (PDF). Retrieved 15 May 2014.
"Elliptic Curve". Retrieved 15 May 2014.
Transport encryption
Digital signature
Hashing
Code signing
Non-repudiation
Entropy
Pseudo random number generation
Perfect forward secrecy
Confusion and diffusion
Advantages and disadvantages of virtualizing servers and minimizing physical space requirements
"Example of minimizing physical server space". Retrieved 22 May 2014.
VLAN – Virtual Local Area Network
Securing virtual environments, appliances and equipment
"Virtual Environment Security". Retrieved 22 May 2014.
Vulnerabilities associated with a single physical server hosting multiple companies' virtual machines
Vulnerabilities associated with a single platform hosting multiple companies' virtual machines
Secure use of on-demand / elastic cloud computing
Provisioning and de-provisioning
Data remnants
Vulnerabilities associated with co-mingling of hosts with different security requirements
Virtual machine escape
Privilege elevation
Virtual Desktop Infrastructure (VDI)
Terminal services
Explain the security implications of enterprise storage
Virtual storage
NAS – Network Attached Storage
SAN – Storage Area Network
vSAN – Virtual Storage Area Network
iSCSI – Internet Small Computer System Interface
FCoE – Fibre Channel over Ethernet
LUN – Logical Unit Number
HBA – Host Based Adapter allocation
Redundancy (location)
Secure storage management
Multipath
Snapshots
Deduplication
Integrate hosts, networks, infrastructures, applications and storage into secure comprehensive solutions
"Integrating Application Delivery Solutions into Data Center Infrastructure". Retrieved 28 May 2014.
Advanced network design
Remote access
Placement of security devices
Critical infrastructure / Supervisory Control and Data Acquisition (SCADA)
VoIP – Voice over IP
IPv6
Complex networks, network security, solutions for data flow
Unified Threat Management
"Network Security Solutions". Retrieved 2 June 2014.
"High Performance Network Security, Enterprise and Data-Center Firewall". Retrieved 2 June 2014.
Secure data flows to meet changing business needs
"Network Security". Retrieved 2 June 2014.
Secure DNS – Domain Name Service (Server)
Securing zone transfer
TSIG – Transaction Signature Interoperability Group
Secure directory services
LDAP – Lightweight Directory Access Protocol
AD – Active Directory
Federated ID
Single sign-on
Network design considerations
Building layouts
Facilities management
Multitier networking data design considerations
Logical deployment diagram and corresponding physical deployment diagram of all relevant devices
Distinguish among security controls for hosts
"Host Based Security Controls". Retrieved 3 June 2014.
Host-based firewalls
Trusted OS – Operating System (e.g. how and when to use it)
End point security software
Anti-malware
Anti-virus
Anti-spyware
Spam filters
Host hardening
Standard operating environment
Security policy / group policy implementation
Command shell restrictions
Warning banners
"System/Network Login Banners". Retrieved 3 June 2014.
Restricted interfaces
"The Benefit of Structured Interfaces in Collaborative Communication" (PDF). Retrieved 3 June 2014.
Asset management (inventory control)
Data exfiltration
HIDS – Host Based Intrusion Detection System / HIPS – Host Based Intrusion Prevention System
NIDS – Network Based Intrusion Detection System / NIPS – Network Based Intrusion Prevention System
Explain the importance of application security
Web application security design considerations
"Design Guidelines for Secure Web Applications". Retrieved 16 June 2014.
Secure: by design, by default, by deployment
"A Look Inside the Security Development Lifecycle at Microsoft". Retrieved 16 June 2014.
Specific application issues
XSS – Cross-Site Scripting
Click-jacking
Session management
Input validation
SQL injection
Application sandboxing
Application security frameworks
Standard libraries
Industry accepted approaches
Secure coding standards
"Secure Coding Standards". Retrieved 25 June 2014.
Exploits resulting from improper error and exception handling
"Improper error handling". Retrieved 25 June 2014.
Privilege escalation
Improper storage of sensitive data
"CWE-591: Sensitive Data Storage in Improperly Locked Memory". Retrieved 25 June 2014.
Fuzzing/false injection
Secure cookie storage and transmission
Client-side processing vs. server-side processing
AJAX
State management
JavaScript
Buffer overflow
Memory leaks
Integer overflows
Race conditions
Time of check to time of use
Resource exhaustion
Given a scenario, distinguish and select the method or tool that is appropriate to conduct an assessment
Tool type
Port scanners
Vulnerability scanners
Protocol analyzer
Switchport analyzer
Network enumerator
Password cracker
Fuzzer
"OWASP Testing Guide Appendix C: Fuzz Vectors". Retrieved 25 June 2014.
HTTP – Hypertext Transfer Protocol interceptor
"Intercepting Messages". http://portswigger.net/burp/Help/proxy_intercept.html
Attacking tools/frameworks
"Black Hat: Top 20 hack-attack tools". http://www.networkworld.com/article/2168329/malware-cybercrime/black-hat--top-20-hack-attack-tools.html
Methods
"5 ways hackers attack you (and how to counter them)". http://www.usatoday.com/story/tech/columnist/komando/2013/07/19/hacker-attack-trojan-horse-drive-by-downloads-passwords/2518053/