CASP/1.0 Enterprise Security 40%
Distinguish which cryptographic tools and techniques are appropriate for a given situation.
Cryptographic applications and proper implementation
Advanced PKI concepts
Wild card
OCSP – Online Certificate Status Protocol vs. CRL – Certificate Revocation List
Issuance to entities
"RFC 2510 PKI Certificate Management Protocols". http://www.ietf.org/rfc/rfc2510.txt. Retrieved 2014-05-12.
Users
"CERT issued certificate". https://pki.cert.org/help/pki_faq.html#certissuedcertificate. Retrieved 2014-05-15.
Systems
Muller, Randy (August 2006). "How IT Works: Certificate Services". TechNet Magazine 2006 (August). https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc160951(v=msdn.10). Retrieved 2021-10-22.
Applications
Implications of cryptographic methods and design
Strength vs. performance vs. feasibility to implement vs. interoperability
"Understanding Cryptographic Performance". http://cache.freescale.com/files/32bit/doc/app_note/AN2761.pdf. Retrieved 2014-05-15.
"Elliptic Curve". http://www.nsa.gov/business/programs/elliptic_curve.shtml. Retrieved 2014-05-15.
Transport encryption
Digital signature
Hashing
Code signing
Non-repudiation
Entropy
Pseudo random number generation
Perfect forward secrecy
Confusion and diffusion
Advantages and disadvantages of virtualizing servers and minimizing physical space requirements
"Example of minimizing physical server space". http://arcserve.com/~/media/Files/SuccessStoryTechBriefs/patrick-air-force-base_219786.ashx. Retrieved 2014-05-22.
VLAN – Virtual Local Area Network
Securing virtual environments, appliances and equipment
"Virtual Environment Security". https://www.bit9.com/solutions/virtual-environment-security. Retrieved 2014-05-22.
Vulnerabilities associated with a single physical server hosting multiple companies' virtual machines
Vulnerabilities associated with a single platform hosting multiple companies' virtual machines
Secure use of on-demand / elastic cloud computing
Provisioning and de-provisioning
Data remnants
Vulnerabilities associated with co-mingling of hosts with different security requirements
Virtual machine escape
Privilege elevation
Virtual Desktop Infrastructure (VDI)
Terminal services
Explain the security implications of enterprise storage
Virtual storage
NAS – Network Attached Storage
SAN – Storage Area Network
vSAN – Virtual Storage Area Network
iSCSI – Internet Small Computer System Interface
FCoE – Fibre Channel over Ethernet
LUN – Logical Unit Number
HBA – Host Based Adapter allocation
Redundancy (location)
Secure storage management
Multipath
Snapshots
Deduplication
Integrate hosts, networks, infrastructures, applications and storage into secure comprehensive solutions
"Integrating Application Delivery Solutions into Data Center Infrastructure". http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/ace-application-control-engine-module/White_Paper_Integrating_Application_Delivery_Solutions_into_Data_Center_Infrastructure.html. Retrieved 2014-05-28.
Advanced network design
Remote access
Placement of security devices
Critical infrastructure / Supervisory Control and Data Acquisition (SCADA)
VoIP – Voice over IP
IPv6
Complex network, network security, solutions for data flow
Unified Threat Management
"Network Security Solutions". http://secunia.com/solutions/. Retrieved 2014-06-02.
"High Performance Network Security, Enterprise and Data-Center Firewall". http://www.fortinet.com/solutions/. Retrieved 2014-06-02.
Secure data flows to meet changing business needs
"Network Security". http://www.windstreambusiness.com/solutions/network-security. Retrieved 2014-06-02.
Secure DNS – Domain Name Service (Server)
Securing zone transfer
TSIG – Transaction Signature Interoperability Group
Secure directory services
LDAP – Lightweight Directory Access Protocol
AD – Active Directory
Federated ID
Single sign-on
Network design considerations
Building layouts
Facilities management
Multitier networking data design considerations
Logical deployment diagram and corresponding physical deployment diagram of all relevant devices
Distinguish among security controls for hosts
"Host Based Security Controls". http://www.networkworld.com/newsletters/2004/1101datacenter1.html.
Host-based firewalls
Trusted OS – Operating System (e.g. how and when to use it)
Endpoint security software
Anti-malware
Anti-virus
Anti-spyware
Spam filters
Host hardening
Standard operating environment
Security policy / group policy implementation
Command shell restrictions
Warning banners
"System/Network Login Banners". https://security.tennessee.edu/Pages/login-banner.aspx.
Restricted interfaces
"The Benefit of Structured Interfaces in Collaborative Communication". http://www.aaai.org/Papers/Symposia/Fall/2001/FS-01-05/FS01-05-009.pdf. Retrieved 2014-06-03.
Asset management (inventory control)
Data exfiltration
HIDS – Host Based Intrusion Detection System / HIPS – Host Based Intrusion Prevention System
NIDS – Network Based Intrusion Detection System / NIPS – Network Based Intrusion Prevention System
Explain the importance of application security
Web application security design considerations
"Design Guidelines for Secure Web Applications". http://msdn.microsoft.com/en-us/library/ff648647.aspx. Retrieved 2014-06-16.
Secure: by design, by default, by deployment
"A Look Inside the Security Development Lifecycle at Microsoft". http://msdn.microsoft.com/en-us/magazine/cc163705.aspx. Retrieved 2014-06-16.
Specific application issues
XSS – Cross-Site Scripting
Click-jacking
Session management
Input validation
SQL injection
Application sandboxing
Application security frameworks
Standard libraries
Industry accepted approaches
Secure coding standards
"Secure Coding Standards". http://www.cert.org/secure-coding/research/secure-coding-standards.cfm?. Retrieved 2014-06-25.
Exploits resulting from improper error and exception handling
"Improper error handling". https://www.owasp.org/index.php/Improper_error_handling. Retrieved 2014-06-25.
Privilege escalation
Improper storage of sensitive data
"CWE-591: Sensitive Data Storage in Improperly Locked Memory". http://cwe.mitre.org/data/definitions/591.html. Retrieved 2014-06-25.
Fuzzing / false injection
Secure cookie storage and transmission
Client-side processing vs. server-side processing
AJAX
State management
JavaScript
Buffer overflow
Memory leaks
Integer overflows
Race conditions
Time of check to time of use
Resource exhaustion
Given a scenario, distinguish and select the method or tool that is appropriate to conduct an assessment
Tool type
Port scanners
Vulnerability scanners
Protocol analyzer
Switchport analyzer
Network enumerator
Password cracker
Fuzzer
"OWASP Testing Guide Appendix C: Fuzz Vectors". https://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors. Retrieved 2014-06-25.
HTTP – Hypertext Transfer Protocol interceptor
"Intercepting Messages".
Attacking tools/frameworks
"Black Hat: Top 20 hack-attack tools".
Methods
"5 ways hackers attack you (and how to counter them)".