CompTIA Advanced Security Practitioner (CASP) CAS-002 Cert Guide


CompTIA Advanced Security Practitioner (CASP) CAS-002 Cert Guide
Robin Abernathy
Troy McMillan
800 East 96th Street, Indianapolis, Indiana 46240 USA

CompTIA Advanced Security Practitioner (CASP) CAS-002 Cert Guide

Copyright 2015 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5401-1
ISBN-10: 0-7897-5401-0
Library of Congress Control Number: 2015930524
Printed in the United States of America
Second Printing: July 2015

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Windows is a registered trademark of Microsoft Corporation.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact international@pearsoned.com.

Associate Publisher: Dave Dusthimer
Acquisitions Editor: Betsy Brown
Development Editor: Allison Beaumont Johnson
Managing Editor: Sandra Schroeder
Project Editor: Mandie Frank
Copy Editor: Kitty Wilson
Indexer: Tim Wright
Proofreader: The Wordsmithery LLC
Technical Editors: Chris Crayton, Rob Shimonski
Publishing Coordinator: Vanessa Evans
Multimedia Developer: Lisa Matthews
Designer: Alan Clements
Composition: Tricia Bronkella

Contents at a Glance

Introduction 1

Part I: Enterprise Security
CHAPTER 1 Cryptographic Concepts and Techniques 31
CHAPTER 2 Enterprise Storage 77
CHAPTER 3 Network and Security Components, Concepts, and Architectures 106
CHAPTER 4 Security Controls for Hosts 189
CHAPTER 5 Application Vulnerabilities and Security Controls 229

Part II: Risk Management and Incident Response
CHAPTER 6 Business Influences and Associated Security Risks 267
CHAPTER 7 Risk Mitigation Planning, Strategies, and Controls 286
CHAPTER 8 Security, Privacy Policies, and Procedures 331
CHAPTER 9 Incident Response and Recovery Procedures 365

Part III: Research, Analysis, and Assessment
CHAPTER 10 Industry Trends 391
CHAPTER 11 Securing the Enterprise 416
CHAPTER 12 Assessment Tools and Methods 431

Part IV: Integration of Computing, Communications, and Business Disciplines
CHAPTER 13 Business Unit Collaboration 461
CHAPTER 14 Secure Communication and Collaboration 477
CHAPTER 15 Security Across the Technology Life Cycle 511

Part V: Technical Integration of Enterprise Components
CHAPTER 16 Host, Storage, Network, and Application Integration into a Secure Enterprise Architecture 533
CHAPTER 17 Authentication and Authorization Technologies 561

Part VI: Appendixes
APPENDIX A Answers 595
APPENDIX B CASP CAS-002 Exam Updates 615
Glossary 619
Index 662

CD-only Elements:
APPENDIX C Memory Tables
APPENDIX D Memory Tables Answer Key

Table of Contents

Introduction 1

Part I: Enterprise Security

Chapter 1 Cryptographic Concepts and Techniques 31
  Cryptographic Techniques 32
    Key Stretching 32
    Hashing 32
      MD2/MD4/MD5/MD6 34
      SHA/SHA-2/SHA-3 35
      HAVAL 36
      RIPEMD-160 36
    Code Signing 36
    Message Authentication Code 36
    Pseudo-Random Number Generation 37
    Perfect Forward Secrecy 37
    Transport Encryption 38
      SSL/TLS 38
      HTTP/HTTPS/SHTTP 39
      SET and 3-D Secure 39
      IPsec 39
    Data at Rest Encryption 40
      Symmetric Algorithms 40
      Asymmetric Algorithms 44
      Hybrid Ciphers 47
    Digital Signatures 47
  Cryptographic Concepts 48
    Entropy 49
    Diffusion 49
    Confusion 49
    Non-repudiation 50
    Confidentiality 50
    Integrity 50

    Chain of Trust/Root of Trust 50
  Cryptographic Applications and Proper/Improper Implementations 51
    Advanced PKI Concepts 52
      Wildcard 52
      OCSP Versus CRL 53
      Issuance to Entities 53
        Users 54
        Systems 55
        Applications 56
    Key Escrow 56
    Steganography 56
  Implications of Cryptographic Methods and Design 56
    Stream Ciphers 56
    Block Ciphers 57
      Modes 57
    Known Flaws/Weaknesses 61
    Strength Versus Performance Versus Feasibility to Implement Versus Interoperability 66
  Cryptographic Implementations 67
    Digital Rights Management (DRM) 67
    Watermarking 67
    GNU Privacy Guard (GPG) 67
    Secure Sockets Layer (SSL) 68
    Secure Shell (SSH) 69
    Secure Multipurpose Internet Mail Extensions (S/MIME) 69
  Review All Key Topics 70
  Complete the Tables and Lists from Memory 71
  Define Key Terms 71

Chapter 2 Enterprise Storage 77
  Storage Types 78
    Virtual Storage 78
    Cloud Storage 79
    Data Warehousing 80
    Data Archiving 82

    SANs 83
    NAS 84
    VSANs 86
  Storage Protocols 87
    iSCSI 87
    FCoE 88
    NFS and CIFS 89
  Secure Storage Management 90
    Multipathing 90
    Snapshots 91
    Deduplication 92
    Dynamic Disk Pools 93
    LUN Masking/Mapping 94
    HBA Allocation 95
    Offsite or Multisite Replication 95
    Encryption 96
      Disk-Level Encryption 96
      Block-Level Encryption 96
      File-Level Encryption 97
      Record-Level Encryption 98
      Port-Level Encryption 98
  Review All Key Topics 99
  Define Key Terms 100

Chapter 3 Network and Security Components, Concepts, and Architectures 106
  Advanced Network Design (Wired/Wireless) 107
    Remote Access 107
      VPNs 107
      SSH 108
      RDP 109
      VNC 109
      SSL 110
    IPv6 and Associated Transitional Technologies 111

    Transport Encryption 113
      FTP, FTPS, and SFTP 113
      HTTP, HTTPS, and SHTTP 113
    Network Authentication Methods 114
      Authentication Factors 116
      802.1x 118
    Mesh Networks 120
    Application of Solutions 121
  Security Devices 122
    UTM 122
    NIPS 123
    NIDS 124
    INE 126
    SIEM 126
    HSM 127
    Placement of Devices
    Application- and Protocol-Aware Technologies 131
      WAF 131
      NextGen Firewalls 133
      IPS 134
      Passive Vulnerability Scanners 134
      Active Vulnerability Scanners 134
      DAM 135
  Networking Devices 136
    Switches 137
      ARP Poisoning 138
      VLANs 139

    Firewalls 140
      Types 141
      Firewall Architecture 143
    Wireless Controllers 149
    Routers 151
    Proxies 152
    Ports 152
  Virtual Networking and Security Components 153
    Virtual Switches 153
    Virtual Firewalls 154
    Virtual Wireless Controllers 155
    Virtual Routers 155
    Virtual Proxy Servers 156
    Virtual Computing 156
  Complex Network Security Solutions for Data Flow 156
    SSL Inspection 156
    Network Flow Data 157
  Secure Configuration and Baselining of Networking and Security Components 158
    ACLs 158
    Creating Rule Sets 159
    Change Monitoring 159
    Configuration Lockdown 160
    Availability Controls 160
  Software-Defined Networking 166
  Cloud-Managed Networks 167
  Network Management and Monitoring Tools 169
  Advanced Configuration of Routers, Switches, and Other Network Devices 171
    Transport Security 171
    Trunking Security 172
    Route Protection 174

  Security Zones 174
    Data-Flow Enforcement 175
    DMZ 176
    Separation of Critical Assets 176
  Network Access Control 176
    Quarantine/Remediation 177
  Operational and Consumer Network-Enabled Devices 178
    Building Automation Systems 178
    IP Video 179
    HVAC Controllers 180
    Sensors 180
    Physical Access Control Systems 181
    A/V Systems 181
    Scientific/Industrial Equipment 182
  Critical Infrastructure/Supervisory Control and Data Acquisition (SCADA)/Industrial Control Systems (ICS) 183
  Review All Key Topics 184
  Define Key Terms 185

Chapter 4 Security Controls for Hosts 189
  Trusted OS 190
  Endpoint Security Software 191
    Antimalware 191
    Antivirus 192
    Antispyware 192
    Spam Filters 192
    Patch Management 193
    IPS/IDS 193
    Data Loss Prevention 194
    Host-Based Firewalls 194
    Log Monitoring 196
  Host Hardening 198
    Standard Operating Environment/Configuration Baselining 199
    Application Whitelisting and Blacklisting 199
    Security/Group Policy Implementation 200
    Command Shell Restrictions 202

    Patch Management 203
    Configuring Dedicated Interfaces 203
      Out-of-Band NICs 203
      ACLs 204
      Management Interface 205
      Data Interface 205
    Peripheral Restrictions 206
      USB 206
      Bluetooth 207
      FireWire 207
    Full Disk Encryption 208
  Security Advantages and Disadvantages of Virtualizing Servers 209
    Type I Hypervisor 210
    Type II Hypervisor 211
    Container-Based Virtualization 211
  Cloud-Augmented Security Services 212
    Hash Matching 212
    Antivirus 213
    Antispam 213
    Vulnerability Scanning 214
    Sandboxing 216
    Content Filtering 216
  Boot Loader Protections 217
    Secure Boot 217
    Measured Launch 218
    Integrity Measurement Architecture (IMA) 218
    BIOS/UEFI 218
  Vulnerabilities Associated with Commingling of Hosts with Different Security Requirements 219
    VM Escape 219
    Privilege Elevation 220
    Live VM Migration 220
    Data Remnants 221
  Virtual Desktop Infrastructure (VDI) 221
  Terminal Services/Application Delivery Services 222

  Trusted Platform Module (TPM) 223
    Virtual TPM (VTPM) 223
  Hardware Security Module (HSM) 224
  Review All Key Topics 224
  Define Key Terms 225

Chapter 5 Application Vulnerabilities and Security Controls 229
  Web Application Security Design Considerations 230
    Secure by Design, by Default, by Deployment 230
  Specific Application Issues 230
    Insecure Direct Object References 231
    XSS 231
    Cross-Site Request Forgery (CSRF) 232
    Click-Jacking 232
    Session Management 233
    Input Validation 235
    SQL Injection 235
      Identifying a SQL Attack 236
    Improper Error and Exception Handling 237
    Privilege Escalation 237
    Improper Storage of Sensitive Data 237
    Fuzzing/Fault Injection 238
    Secure Cookie Storage and Transmission 239
    Buffer Overflow 239
    Memory Leaks 242
    Integer Overflows 242
    Race Conditions 242
    Time of Check/Time of Use 242
    Resource Exhaustion 243
    Geotagging 243
    Data Remnants 244
  Application Sandboxing 244
  Application Security Frameworks 245
    Standard Libraries 245

    Industry-Accepted Approaches 245
      WASC 245
      OWASP 246
      BSI 246
      ISO/IEC 27000 246
    Web Services Security (WS-Security) 246
  Secure Coding Standards 247
  Software Development Methods 247
    Build and Fix 248
    Waterfall 248
    V-Shaped 249
    Prototyping 250
    Incremental 250
    Spiral 251
    Rapid Application Development (RAD) 252
    Agile 253
    JAD 254
    Cleanroom 254
  Database Activity Monitoring (DAM) 254
  Web Application Firewalls (WAF) 255
  Client-Side Processing Versus Server-Side Processing 255
    JSON/REST 256
    Browser Extensions 256
      ActiveX 257
      Java Applets 257
      Flash 257
    HTML5 257
    AJAX 258
    SOAP 258
    State Management 260
    JavaScript 260
  Review All Key Topics 260
  Define Key Terms 261

Part II: Risk Management and Incident Response

Chapter 6 Business Influences and Associated Security Risks 267
  Risk Management of New Products, New Technologies, and User Behaviors 268
  New or Changing Business Models/Strategies 268
    Partnerships 269
    Outsourcing 269
    Cloud Computing 270
    Merger and Demerger/Divestiture 271
  Security Concerns of Integrating Diverse Industries
  Ensuring That Third-Party Providers Have Requisite Levels of Information Security 273
  Internal and External Influences 275
    Competitors 275
    Auditors/Audit Findings 275
    Regulatory Entities 276
      Onsite Assessment 276
      Document Exchange/Review 276
      Process/Policy Review 276
    Internal and External Client Requirements 277
    Top-Level Management 277
  Impact of De-perimeterization 278
    Telecommuting 278
    Cloud 278
    BYOD ("Bring Your Own Device") 278
    Outsourcing 279
  Review All Key Topics 280
  Define Key Terms 280

Chapter 7 Risk Mitigation Planning, Strategies, and Controls 286
  Classify Information Types into Levels of CIA Based on Organization/Industry 287
    Information Classification and Life Cycle 289
      Commercial Business Classifications 289
      Military and Government Classifications 290
      Information Life Cycle 291
  Incorporate Stakeholder Input into CIA Decisions 291
  Implement Technical Controls Based on CIA Requirements and Policies of the Organization 291
    Access Control Categories 292
      Compensative 292
      Corrective 292
      Detective 292
      Deterrent 293
      Directive 293
      Preventive 293
      Recovery 293
    Access Control Types 293
      Administrative (Management) Controls 294
      Logical (Technical) Controls 295
      Physical Controls 296
    Security Requirements Traceability Matrix (SRTM) 297
  Determine the Aggregate CIA Score 298
  Extreme Scenario/Worst-Case Scenario Planning 299
  Determine Minimum Required Security Controls Based on Aggregate Score 301
  Conduct System-Specific Risk Analysis 301
  Make Risk Determination 302
    Qualitative Risk Analysis 302
    Quantitative Risk Analysis 303
    Magnitude of Impact 304
      SLE 304
      ALE 304

    Likelihood of Threat 305
      Motivation 305
      Source 306
      ARO 306
      Trend Analysis 306
    Return on Investment (ROI) 307
    Payback 308
    Net Present Value (NPV) 308
    Total Cost of Ownership 309
  Recommend Which Strategy Should Be Applied Based on Risk Appetite 310
    Avoid 310
    Transfer 311
    Mitigate 311
    Accept 312
  Risk Management Processes 312
    Information and Asset (Tangible/Intangible) Value and Costs 312
    Vulnerabilities and Threats Identification 313
    Exemptions 313
    Deterrence 314
    Inherent 314
    Residual 314
  Enterprise Security Architecture Frameworks 315
    Sherwood Applied Business Security Architecture (SABSA) 315
    Control Objectives for Information and Related Technology (CobiT) 316
    NIST SP 800-53 317
  Continuous Improvement/Monitoring 318
  Business Continuity Planning 318
    Business Continuity Scope and Plan 318
      Personnel Components 319
      Project Scope 319
      Business Continuity Steps 320
  IT Governance 320

    Policies 321
      Organizational Security Policy 322
      System-Specific Security Policy 323
      Issue-Specific Security Policy 323
      Policy Categories 323
    Standards 324
    Baselines 324
    Guidelines 324
    Procedures 324
  Review All Key Topics 324
  Complete the Tables and Lists from Memory 325
  Define Key Terms 326

Chapter 8 Security, Privacy Policies, and Procedures 331
  Policy Development and Updates in Light of New Business, Technology, Risks, and Environment Changes 332
    ISO/IEC 27000 Series 333
  Process/Procedure Development and Updates in Light of Policy, Environment, and Business Changes 336
  Support Legal Compliance and Advocacy by Partnering with HR, Legal, Management, and Other Entities 337
    Sarbanes-Oxley (SOX) Act 337
    Health Insurance Portability and Accountability Act (HIPAA) 338
    Gramm-Leach-Bliley Act (GLBA) of 1999 338
    Computer Fraud and Abuse Act (CFAA) 338
    Federal Privacy Act of 1974 338
    Computer Security Act of 1987 339
    Personal Information Protection and Electronic Documents Act (PIPEDA) 339
    Basel II 339
    Payment Card Industry Data Security Standard (PCI DSS) 339
    Federal Information Security Management Act (FISMA) of 2002 339
    Economic Espionage Act of 1996 339
    USA PATRIOT Act 340
    Health Care and Education Reconciliation Act of 2010 340

  Use Common Business Documents to Support Security 340
    Risk Assessment (RA)/Statement of Applicability (SOA) 340
    Business Impact Analysis (BIA) 341
      Business Impact Analysis (BIA) Development 341
    Interoperability Agreement (IA) 344
    Interconnection Security Agreement (ISA) 345
    Memorandum of Understanding (MOU) 345
    Service-Level Agreement (SLA) 345
    Operating-Level Agreement (OLA) 345
    Nondisclosure Agreement (NDA) 346
    Business Partnership Agreement (BPA) 346
  Use General Privacy Principles for Sensitive Information (PII) 347
  Support the Development of Various Policies 348
    Separation of Duties 348
    Job Rotation 349
    Mandatory Vacation 350
    Least Privilege 350
    Incident Response 351
      Event Versus Incident 353
      Incident Response Team and Incident Investigations 353
      Rules of Engagement, Authorization, and Scope 354
    Forensic Tasks 354
    Employment and Termination Procedures 356
    Continuous Monitoring 356
    Training and Awareness for Users 357
    Auditing Requirements and Frequency 359
  Review All Key Topics 359
  Define Key Terms 360

Chapter 9 Incident Response and Recovery Procedures 365
  E-Discovery 366
    Electronic Inventory and Asset Control 366
    Data Retention Policies 367
    Data Recovery and Storage 368
      Data Backup Types and Schemes 369
      Electronic Backup 372

    Data Ownership 372
    Data Handling 373
    Legal Holds 374
  Data Breach 374
    Detection and Collection 375
      Data Analytics 376
    Mitigation 376
      Minimize 376
      Isolate 376
    Recovery/Reconstitution 377
    Response 377
    Disclosure 377
  Design Systems to Facilitate Incident Response 378
    Internal and External Violations 378
      Privacy Policy Violations 379
      Criminal Actions 379
      Insider Threat 379
      Non-Malicious Threats/Misconfigurations 380
    Establish and Review System, Audit and Security Logs 380
  Incident and Emergency Response 381
    Chain of Custody 381
    Evidence 381
    Surveillance, Search, and Seizure 382
    Forensic Analysis of Compromised System 383
      Media Analysis 383
      Software Analysis 384
      Network Analysis 384
      Hardware/Embedded Device Analysis 384
    Continuity of Operations Plan (COOP) 384
    Order of Volatility 385
  Review All Key Topics 386
  Define Key Terms 387

Part III: Research, Analysis, and Assessment

Chapter 10 Industry Trends 391
  Perform Ongoing Research 392
    Best Practices 392
    New Technologies 393
    New Security Systems and Services 394
    Technology Evolution 395
  Situational Awareness 396
    Latest Client-Side Attacks 396
    Knowledge of Current Vulnerabilities and Threats 397
      Vulnerability Management Systems 398
      Advanced Persistent Threats 398
    Zero-Day Mitigating Controls and Remediation 398
    Emergent Threats and Issues 399
  Research Security Implications of New Business Tools 400
    Social Media/Networking 401
    End-User Cloud Storage 402
    Integration Within the Business 403
  Global IA Industry/Community 403
    Computer Emergency Response Team (CERT) 403
    Conventions/Conferences 404
    Threat Actors 405
    Emerging Threat Sources/Threat Intelligence 406
  Research Security Requirements for Contracts 406
    Request for Proposal (RFP) 407
    Request for Quote (RFQ) 407
    Request for Information (RFI) 408
    Agreements 408
  Review All Key Topics 408
  Define Key Terms 409

Chapter 11 Securing the Enterprise 416
  Create Benchmarks and Compare to Baselines 417
  Prototype and Test Multiple Solutions 418

  Cost/Benefit Analysis 419
    ROI 419
    TCO 419
  Metrics Collection and Analysis 419
  Analyze and Interpret Trend Data to Anticipate Cyber Defense Needs 420
  Review Effectiveness of Existing Security Controls 421
  Reverse Engineer/Deconstruct Existing Solutions 422
  Analyze Security Solution Attributes to Ensure They Meet Business Needs 422
    Performance 422
    Latency 423
    Scalability 423
    Capability 423
    Usability 424
    Maintainability 424
    Availability 424
    Recoverability 424
  Conduct a Lessons-Learned/After-Action Report 425
  Use Judgment to Solve Difficult Problems That Do Not Have a Best Solution 425
  Review All Key Topics 426
  Define Key Terms 426

Chapter 12 Assessment Tools and Methods 431
  Assessment Tool Types 432
    Port Scanners 432
    Vulnerability Scanners 434
    Protocol Analyzer 434
    Network Enumerator 435
    Password Cracker 436
    Fuzzer 438
    HTTP Interceptor 439
    Exploitation Tools/Frameworks 439
    Passive Reconnaissance and Intelligence-Gathering Tools 440
      Social Media 441

      Whois 441
      Routing Tables 443
  Assessment Methods 445
    Vulnerability Assessment 445
    Malware Sandboxing 446
    Memory Dumping, Runtime Debugging 447
    Penetration Testing 448
      Black Box 451
      White Box 451
      Gray Box 451
    Reconnaissance 452
    Fingerprinting 452
    Code Review 454
    Social Engineering 455
      Phishing/Pharming 455
      Shoulder Surfing 456
      Identity Theft 456
      Dumpster Diving 456
  Review All Key Topics 456
  Define Key Terms 457

Part IV: Integration of Computing, Communications, and Business Disciplines

Chapter 13 Business Unit Collaboration 461
  Interpreting Security Requirements and Goals to Communicate with Stakeholders from Other Disciplines 462
    Sales Staff 462
    Programmer 463
    Database Administrator 463
    Network Administrator 464
    Management/Executive Management 465
    Financial 466
    Human Resources 467
    Emergency Response Team 467
    Facilities Manager 468
    Physical Security Manager 468

  Provide Objective Guidance and Impartial Recommendations to Staff and Senior Management on Security Processes and Controls 469
  Establish Effective Collaboration within Teams to Implement Secure Solutions 469
  IT Governance 471
  Review All Key Topics 471
  Define Key Terms 472

Chapter 14 Secure Communication and Collaboration 477
  Security of Unified Collaboration Tools 478
    Web Conferencing 478
    Video Conferencing 479
    Instant Messaging 481
    Desktop Sharing 481
    Remote Assistance 482
    Presence 483
    Email 484
      IMAP 484
      POP 484
      SMTP 484
      Email Spoofing 485
      Spear Phishing 485
      Whaling 486
      Spam 486
      Captured Messages 486
      Disclosure of Information 487
      Malware 487
    Telephony 487
      VoIP 488
    Collaboration Sites 489
      Social Media 489
      Cloud-Based Collaboration 490
  Remote Access 491
    Dial-up 491
    VPN 492

    SSL 495
    Remote Administration 495
  Mobile Device Management 495
    BYOD 495
  Over-the-Air Technologies Concerns 497
    FHSS, DSSS, OFDM, FDMA, CDMA, OFDMA, and GSM 497
    802.11 Techniques 498
    Cellular or Mobile Wireless Techniques 498
    WLAN Structure 499
      Access Point 499
      SSID 499
      Infrastructure Mode Versus Ad Hoc Mode 499
    WLAN Standards c501
    Bluetooth 502
    Infrared 502
    WLAN Security 502
      WEP 502
      WPA 503
      WPA2 503
      Personal Versus Enterprise WPA 503
      SSID Broadcast 504
      MAC Filter 504
    Satellites 504
    Wireless Attacks 505
      Wardriving 505
      Warchalking 505
      Rogue Access Points 505
  Review All Key Topics 506
  Define Key Terms 506

Chapter 15 Security Across the Technology Life Cycle 511
  End-to-End Solution Ownership 512
    Operational Activities 512
    Maintenance 513
    Commissioning/Decommissioning 514
    Asset Disposal 514
    Asset/Object Reuse 515
    General Change Management 516
  Systems Development Life Cycle (SDLC) 517
    Security System Development Life Cycle (SSDLC)/Security Development Life Cycle (SDL) 519
    Security Requirements Traceability Matrix (SRTM) 522
    Validation and Acceptance Testing 522
    Security Implications of Agile, Waterfall, and Spiral Software Development Methodologies 523
      Agile Software Development 523
      The Waterfall Model 523
      The Spiral Model 524
  Adapt Solutions to Address Emerging Threats and Security Trends 525
  Asset Management (Inventory Control) 526
    Device-Tracking Technologies 526
      Geolocation/GPS Location 526
    Object Tracking and Containment Technologies 526
      Geotagging/Geofencing 527
      RFID 527
  Review All Key Topics 528
  Define Key Terms 528

Part V: Technical Integration of Enterprise Components

Chapter 16 Host, Storage, Network, and Application Integration into a Secure Enterprise Architecture 533
  Secure Data Flows to Meet Changing Business Needs 534
  Standards 535
    Open Standards 536
    Adherence to Standards 536
    Competing Standards 536

    Lack of Standards 536
    De Facto Standards 536
  Interoperability Issues 537
    Legacy Systems/Current Systems 537
    Application Requirements 538
    In-House Developed Versus Commercial Versus Commercial Customized Applications 539
  Technical Deployment Models 539
    Cloud and Virtualization Considerations and Hosting Options 540
      Public Cloud 540
      Private Cloud 540
      Hybrid Cloud 540
      Community Cloud 541
      Multi-Tenancy Model 541
      Single-Tenancy Model 541
    Vulnerabilities Associated with a Single Physical Server Hosting Multiple Companies' Virtual Machines 541
    Vulnerabilities Associated with a Single Platform Hosting Multiple Companies' Virtual Machines 542
    Secure Use of On-demand/Elastic Cloud Computing 542
      Data Remnants 543
      Data Aggregation 543
      Data Isolation 543
    Resource Provisioning and Deprovisioning 543
      Users 544
      Servers 544
      Virtual Devices 544
      Applications 545
  Securing Virtual Environments, Services, Applications, Appliances, and Equipment 545
  Design Considerations During Mergers, Acquisitions, and Demergers/Divestitures 545
  Network Secure Segmentation and Delegation 545
  Logical and Physical Deployment Diagrams of Relevant Devices 546

  Secure Infrastructure Design 548
    DMZs 548
    VLANs 549
    VPNs 550
    Wireless Networks 550
  Storage Integration (Security Considerations) 552
  Enterprise Application Integration Enablers 552
    CRM 552
    ERP 553
    GRC 553
    ESB 553
    SOA 553
    Directory Services 554
    DNS 554
    CMDB 555
    CMS 555
  Review All Key Topics 555
  Define Key Terms 556

Chapter 17 Authentication and Authorization Technologies 561
  Authentication 562
    Identity and Account Management 562
    Password Types and Management 563
    Characteristic Factors 566
      Physiological Characteristics 567
      Behavioral Characteristics 568
      Biometric Considerations 568
    Dual-Factor and Multi-Factor Authentication 570
    Certificate-Based Authentication 570
    Single Sign-On 571
  Authorization 572
    Access Control Models 572
      Discretionary Access Control 572
      Mandatory Access Control 573
      Role-Based Access Control 573
      Rule-Based Access Control 574

      Content-Dependent Versus Context-Dependent Access Control 574
    Access Control Matrix 574
    ACLs 575
    Access Control Policies 575
      Default to No Access 575
    OAUTH 575
    XACML 577
    SPML 578
  Attestation 579
  Identity Propagation 584
  Advanced Trust Models 585
    RADIUS Configurations 585
    LDAP 586
    Active Directory (AD) 586
  Review All Key Topics 588
  Define Key Terms 589

Part VI: Appendixes

Appendix A Answers 595

Appendix B CASP CAS-002 Exam Updates 615
  Always Get the Latest at the Companion Website 615
  Technical Content 616

Glossary 619

Index 662

CD-only Elements:
Appendix C Memory Tables
Appendix D Memory Tables Answer Key

About the Authors

Robin Abernathy, CASP, is a product developer and technical editor for Kaplan IT. She has developed and reviewed certification preparation materials in a variety of product lines, including Microsoft, CompTIA, Cisco, ITIL, (ISC)2, and PMI and holds multiple certifications from these vendors. Her work with Kaplan IT includes practice tests and study guides for the Transcender and Self Test Software brands. Robin most recently co-authored Pearson's CISSP Cert Guide with Troy McMillan. She provides training on computer hardware, software, networking, security, and project management. Robin also presents at technical conferences and hosts webinars on IT certification topics.

Troy McMillan, CASP, is a product developer and technical editor for Kaplan IT as well as a full-time trainer. He became a professional trainer 13 years ago, teaching Cisco, Microsoft, CompTIA, and wireless classes. His recent work includes:

- Contributing subject matter expert for CCNA Cisco Certified Network Associate Certification Exam Preparation Guide (Kaplan)
- Prep test question writer for Network+ Study Guide (Sybex)
- Technical editor for Windows 7 Study Guide (Sybex)
- Contributing author for CCNA-Wireless Study Guide (Sybex)
- Technical editor for CCNA Study Guide, Revision 7 (Sybex)
- Author of VCP VMware Certified Professional on vSphere 4 Review Guide: Exam VCP-410 and associated instructional materials (Sybex)
- Author of Cisco Essentials (Sybex)
- Author of CISSP Cert Guide (Pearson)
- Prep test question writer for CCNA Wireless 640-722 (Cisco Press)

He also has appeared in the following training videos for OnCourse Learning: Security+; Network+; Microsoft 70-410, 411, and 412 exam prep; ICND 1; ICND 2; and Cloud+.

He now creates certification practice tests and study guides for the Transcender and Self-Test brands. Troy lives in Sugarloaf Key, Florida, with his wife, Heike.

Dedication

For my husband, Michael, and my son, Jonas. I love you both!
—Robin

I dedicate this book to my father, who passed away this year. I miss you every day.
—Troy

Acknowledgments

First, I once again thank my heavenly Father for blessing me throughout my life.

I would also like to thank all my family members, many of whom wondered where their acknowledgement was in the CISSP Cert Guide. To my siblings, Libby McDaniel Loggins and Kenneth McDaniel: Thanks for putting up with my differences and loving me anyway. To their spouses, Dave Loggins and Michelle Duncan McDaniel, thanks for choosing my siblings and deciding to still stay with them, even when you realized I was part of the package. LOL! To my husband's family, I thank you for accepting me into your family. James and Sandra Abernathy, thanks for raising such a wonderful man. Cathy Abernathy Bonds and Tony Abernathy, thanks for helping to shape him into the man he is.

I must thank my wonderful husband, Michael, and son, Jonas, for once again being willing to do "guy things" while I was locked away in the world of CASP. You are my world! What a wonderful ride we are on!!!

Thanks to all at Pearson for once again assembling a wonderful team to help Troy and me get through this CASP journey.

To you, the reader, I wish you success in your IT certification goals!
—Robin Abernathy

I must thank my coworkers at Kaplan IT cert prep, who have helped me to grow over the past 10 years. Thank you, Ann, George, Aima, Bob, Josh, Robin, and Shahara. I also must as always thank my beautiful wife, who has supported me through the lean years and continues to do so. Finally, I have to acknowledge all the help and guidance from the Pearson team.
—Troy McMillan

About the Reviewers

Chris Crayton, MCSE, is an author, technical consultant, and trainer. Formerly, he worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has authored several print and online books on PC repair, CompTIA A+, CompTIA Security+, and Microsoft Windows. He has also served as technical editor and content contributor on numerous technical titles for sever
