
CompTIA CASP+ Practice Tests
Exam CAS-003

Nadean H. Tanner

Copyright 2020 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-68372-8
ISBN: 978-1-119-68374-2 (ebk.)
ISBN: 978-1-119-68373-5 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020938995

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

6b 65 6e 6e 65 74 68 2c 20 69 20 6c 6f 76 65 20 79 6f 75 21

Acknowledgments

To Kenneth, thank you for all the love and question suggestions and for cooking dinner when I had a deadline.

To Shelby and Gavin, thank you for your patience and encouragement and for eating the dinners Daddy cooked.

To Kenyon Brown for making the ask, to Jan Lynn for keeping me on task, and to my dearest friend, Ryan Hendricks, for making sure I was right. I couldn't have done this without such talent and dedication.

And, to those of you taking the CASP+ exam, whether you volunteered or were voluntold—this book is for you. Best of luck, you got this!

About the Author

Nadean Hutto Tanner is the senior manager of Technical Education Strategy for Puppet software. Prior to Puppet, she was the lead instructor at Rapid7 teaching Nexpose, incident detection and response, and Metasploit. For more than 20 years, she has worked in academia as the IT director at a private school and a technology instructor at the university level. Tanner holds many industry certifications including the following:

ISC2: CISSP
CompTIA: A+, Network+, Security+, Server+, CTT+, CIOS, CNIP, CSIS, CASP+
ITIL: ITILv3
Microsoft: MCTS, MCITP, MCSA, MCT, MCP, MOS
Rapid7: IICS, IVMCA, MPCS, NACA, NCP

Tanner has trained and consulted for Fortune 50 companies in cybersecurity and security awareness, and has received hands-on experience working for the Department of Defense. She is the author of the Cybersecurity Blue Team Toolkit, published by Wiley in 2019.

About the Technical Editor

Ryan Hendricks (CISSP, CEH, CASP+, Security+) has more than 15 years of cybersecurity and intelligence experience. His first venture was working on intelligence operations for the U.S. Navy; he continued in the government and private sectors as an educator, facilitator, consultant, and advisor for a multitude of information technology and cybersecurity principals.

Hendricks holds many certifications covering hardware, networking, operating systems, and cybersecurity. He worked as a trainer for the U.S. Department of Defense, educating hundreds of students on everything from military communication systems to the CompTIA CASP+ and (ISC)2 CISSP certifications.

Hendricks currently supports all technical product training operations at VMware Carbon Black, including creating content, developing labs, updating materials, piloting and expanding the certification programs, mentoring and managing the training team, and educating anyone who is willing to learn. When not working, he tries to balance spending his time learning new security tools and attack techniques to feed his need for knowledge and playing video games with his kids.

Contents at a Glance

Introduction ............................................. xvii
Chapter 1  Risk Management ................................ 1
Chapter 2  Enterprise Security Architecture ............... 37
Chapter 3  Enterprise Security Operations ................. 89
Chapter 4  Technical Integration of Enterprise Security ... 127
Chapter 5  Research, Development, and Collaboration ....... 173
Chapter 6  Practice Test 1 ................................ 199
Chapter 7  Practice Test 2 ................................ 217
Appendix   Answers to Review Questions .................... 235
Index .................................................... 353

Contents

Introduction ............................................. xvii
Chapter 1  Risk Management ................................ 1
Chapter 2  Enterprise Security Architecture ............... 37
Chapter 3  Enterprise Security Operations ................. 89
Chapter 4  Technical Integration of Enterprise Security ... 127
Chapter 5  Research, Development, and Collaboration ....... 173
Chapter 6  Practice Test 1 ................................ 199
Chapter 7  Practice Test 2 ................................ 217
Appendix   Answers to Review Questions .................... 235
           Chapter 1: Risk Management ..................... 236
           Chapter 2: Enterprise Security Architecture .... 255
           Chapter 3: Enterprise Security Operations ...... 278
           Chapter 4: Technical Integration of Enterprise Security ... 298
           Chapter 5: Research, Development, and Collaboration ....... 320
           Chapter 6: Practice Test 1 ..................... 333
           Chapter 7: Practice Test 2 ..................... 342
Index .................................................... 353

Introduction

CompTIA CASP+ (CompTIA Advanced Security Practitioner) Practice Tests is a companion volume to CompTIA CASP+ (CompTIA Advanced Security Practitioner) Study Guide (Wiley, 2019, Parker/Gregg). If you're looking to test your knowledge before you take the CASP+ exam, this book will help you by providing a combination of 1,000 questions that cover the five CASP+ domains and by including easy-to-understand explanations of both right and wrong answers.

If you're just starting to prepare for the CASP+ exam, we highly recommend that you use CompTIA Advanced Security Practitioner (CASP+) Study Guide to help you learn about each of the domains covered by the CASP+ exam. Once you're ready to test your knowledge, use this book to help find places where you might need to study more or to practice for the exam itself.

Because this is a companion to CASP+ Study Guide, this book is designed to be similar to taking the CASP+ exam. It contains multi-part scenarios as well as standard multiple-choice questions similar to those you may encounter on the certification exam.

CompTIA

CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered on the A+ exam, to advanced skills like the CompTIA Advanced Security Practitioner (CASP+) certification. CompTIA divides its exams into four categories based on the skill level required for the exam and the topics it covers, as shown in the following figure.

[Figure: CompTIA certification categories. Certifications shown in the figure: ITF+, A+, Network+, Security+, Cloud Essentials+, Server+, Linux+, Cloud+, CySA+, PenTest+, CASP+, Project+, CTT+.]

As you can see, the CompTIA Advanced Security Practitioner certification fits into the Cybersecurity category, which is the same place you'll find the popular A+, Network+, and Security+ credentials. The CompTIA Advanced Security Practitioner exam is a more advanced exam, intended for professionals with 10 years of hands-on experience who possess the knowledge covered by all of the prior exams.

CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the Security+ and the CASP+, have been approved by the U.S. government as information assurance baseline certifications and are included in the State Department's Skills Incentive Program.

The CompTIA Advanced Security Practitioner Exam

The CompTIA Advanced Security Practitioner exam, which CompTIA refers to as the CASP+, is designed to be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The CASP+ certification is designed for security analysts and engineers as well as security operations center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses on security analytics and practical use of security tools in real-world scenarios.

The CASP+ exam is conducted in a format that CompTIA calls performance-based assessment. This means the exam uses hands-on simulations using actual security tools and scenarios to perform tasks that match those found in the daily work of a security practitioner. Exam questions may include many types of questions such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.

CompTIA recommends that test takers have 10 years of information security–related experience before taking this exam. The exam costs $439 in the United States, with roughly equivalent prices in other locations around the globe. You can find more details about the CASP+ exam and how to take it at dvanced-security-practitioner.

Study and Exam Preparation Tips

We recommend you use this book in conjunction with CompTIA Advanced Security Practitioner (CASP+) Study Guide. Read through chapters in the study guide and then try your hand at the practice questions associated with each domain in this book.

You should also keep in mind that the CASP+ certification is designed to test practical experience, so you should also make sure you get some hands-on time with the security tools covered on the exam. CompTIA recommends the use of NetWars-style simulations, penetration testing and defensive cybersecurity simulations, and incident response training to prepare for the CASP+.

Additional resources for hands-on exercises include the following:

- Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at exploit-exercises.com/.

- Hacking-Lab provides capture-the-flag (CTF) exercises in a variety of fields at www.hacking-lab.com/index.html.
- The OWASP Hacking Lab provides excellent web application–focused exercises at www.owasp.org/index.php/OWASP Hacking Lab.
- PentesterLab provides subscription-based access to penetration testing exercises at www.pentesterlab.com/exercises/.

Because the exam uses scenario-based learning, expect the questions to involve analysis and thought, rather than relying on simple memorization. The questions in this book are intended to help you be confident that you know the topic well enough to think through hands-on exercises.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher.

www.comptiastore.com/Articles.asp?ID=265&category=vouchers

CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to "Find a test center."

www.pearsonvue.com/comptia/

Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam.

On the day of the test, bring two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.

After the CompTIA Advanced Security Practitioner Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Maintaining Your Certification

CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it. CompTIA provides information on renewals via its tion/how-to-renew

When you sign up to renew your certification, you will be asked to agree to the CE program's Code of Ethics, to pay a renewal fee, and to submit the materials required for your chosen renewal method.

You can find a full list of the industry certifications you can use to acquire CEUs toward renewing the CASP+ n/renewothers/renewing-casp

Using This Book to Practice

This book is composed of five domain-based chapters and two randomized test chapters to emulate the real test experience.

As you work through questions in this book, you will encounter tools and technology that you may not be familiar with. If you find that you are facing a consistent gap or that a domain is particularly challenging, we recommend spending some time with books and materials that tackle that domain in depth. This can help you fill in gaps and help you be more prepared for the exam.

CASP+ Domains

The following table shows how much weight is given to an objective on the exam.

Domain                                              Percentage of Exam
1.0 Risk Management                                 19%
2.0 Enterprise Security Architecture                25%
3.0 Enterprise Security Operations                  20%
4.0 Technical Integration of Enterprise Security    23%
5.0 Research, Development, and Collaboration        13%
Total                                               100%

Objectives Map

The following table shows where you can find an objective covered in this book.

1.0 Risk Management

1.1 Summarize business and industry influences and associated security risks. (Chapter 1)
    Risk management of new products, technology, and users. Business models including partnerships, outsourcing, cloud, and strategies around mergers, divestiture, and acquisitions. Data ownership and reclassification. Rules, policies, regulations. Competitors, auditors, regulations.

1.2 Compare and contrast security, privacy policies, and procedures based on organizational requirements. (Chapter 1)
    Policy and process life cycles. Legal compliance and advocacy by partnering with human resources, legal, and management. Common business documents supporting security including risk assessments, business impact analysis, interoperability agreement, interconnection security agreements, memorandum of understanding, service level and operating level agreements, as well as non-disclosure, business partnership, and master service agreements. Research security requirements such as requests for proposals, for quotes, and for information. Privacy requirements and development of policies containing standard security practices.

1.3 Given a scenario, execute risk mitigation strategies and controls. (Chapter 1)
    CIA and security controls. Scenario planning and risk analysis. Risk determination using metrics, such as annual loss and single loss expectancy. Recommending a strategy based on risk avoidance, transference, mitigation, and acceptance. Risk management processes, including exemptions, deterrence, inherent, and residual. Business continuity planning.

1.4 Analyze risk metric scenarios to secure the enterprise. (Chapter 1)
    Review effectiveness of security controls with gap analysis, lessons learned, and after-action reports. Reverse engineer existing solutions and analyze metrics. Prototype solutions, benchmarks, and baselines, and interpretation of data to anticipate cyber defense needs. Analyze possible solutions based on performance, latency, scalability, capability, usability, maintainability, availability, and recoverability.

2.0 Enterprise Security Architecture

2.1 Analyze a scenario and integrate network and security components, concepts, and architectures to meet security requirements. (Chapter 2)
    Physical and virtual network security devices as well as application and protocol-aware technologies. Advanced network design and complex network security for data in transit. Secure configuration, baselining, and monitoring of assets. Security zones, network access control, and critical infrastructure.

2.2 Analyze a scenario to integrate security controls for host devices to meet security requirements. (Chapter 2)
    Trusted operating systems, endpoint security software, host hardening, and hardware vulnerabilities. Terminal services and application delivery services.

2.3 Analyze a scenario to integrate security controls for mobile and small-form-factor devices to meet security requirements. (Chapter 2)
    Enterprise mobility management, including containers, remote assistance and wiping, VPN, and mobile payment systems. Security implications and privacy concerns of data storage. Wearable technology and security implications.

2.4 Given software vulnerability scenarios, select the appropriate security controls. (Chapter 2)
    Application security design considerations and application issues, including XSS, CSRF, SQLi, session management, input validation, buffer overflow, memory leaks, race conditions, and privilege escalation. Application sandboxing, secure encrypted enclaves, database monitoring, web application firewalls, and client-side versus server-side processing. Operating system and firmware vulnerabilities.

3.0 Enterprise Security Operations

3.1 Given a scenario, conduct a security assessment using the appropriate methods. (Chapter 3)
    Malware, debugging, reconnaissance, fingerprinting, code review, social engineering, OSINT, and pivoting. Type of penetration testing, including black, white, and gray box. Vulnerability assessments, audits, and team exercises.

3.2 Analyze a scenario or output, and select the appropriate tool for a security assessment. (Chapter 3)
    Network tools, such as port scanners, vulnerability scanners, protocol analyzers, fuzzers, and logging-analysis tools. Host tool types, such as password crackers, command line tools, SCAP, FIM, antivirus, and reverse-engineering tools. Physical security tools, such as lock picks, RFID tools, and IR camera.

3.3 Given a scenario, implement incident response and recovery procedures. (Chapter 3)
    E-discovery, data retention, recovery, ownership, and handling. Data breach response, detection, mitigation, recovery, response, and disclosure. Incident detection and response, incident response tools to help determine the severity of the incident or breach, and post-incident response.

4.0 Technical Integration of Enterprise Security

4.1 Given a scenario, integrate hosts, storage, networks, and applications into a secure enterprise architecture. (Chapter 4)
    Data flow security. Open, competing, adherence, and de facto standards. Interoperability issues, including software types, legacy systems, application requirements, protocols, and standard data formats. Resilience issues, provisioning, and deprovisioning resources, including users, servers, virtual systems, and applications. Network segmentation, security and privacy considerations, and enterprise applications.

4.2 Given a scenario, integrate cloud and virtualization technologies into a secure enterprise architecture. (Chapter 4)
    Technical deployment models (outsourcing/insourcing/managed services/partnerships), cloud and virtualization considerations, security advantages, and disadvantages of virtualization. Cloud-augmented security services, and vulnerabilities associated with hosts with different security requirements.

4.3 Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives. (Chapter 4)
    Authentication, authorization, attestation, identity proofing, identity propagation, federation, and trust models.

4.4 Given a scenario, implement cryptographic techniques. (Chapter 4)
    Cryptographic techniques, such as hashing, digital signatures, code signing, data-in-transit encryption, data-in-memory processing, data-at-rest encryption, and steganography. Implementing encryption in an enterprise, such as DRM, SSH, SSL, S/MIME, and PKI.

4.5 Given a scenario, select the appropriate control to secure communications and collaboration solutions. (Chapter 4)
    Remote access, resources and services, and remote assistance. Unified collaboration tools for video/audio/web conferencing, instant messaging, email, VoIP, and collaboration sites.

5.0 Research, Development, and Collaboration

5.1 Given a scenario, apply research methods to determine industry trends and their impact on the enterprise. (Chapter 5)
    Ongoing research in best practices, new technologies, security systems, and services. Threat intelligence of latest attacks, current vulnerabilities, and threats; zero-day mitigation controls; and threat modeling. Research security implications of emerging business tools and the global IA industry/community.

5.2 Given a scenario, implement security activities across the technology life cycle. (Chapter 5)
    Systems/software development lifecycles. Application frameworks, development approaches, secure coding standards, and documentation. Validation and acceptance testing. Adapting solutions to address emerging threats, security trends, and disruptive technology. Asset management and inventory control.

5.3 Explain the importance of interaction across diverse business units to achieve security goals. (Chapter 5)
    Interpreting security requirements and goals to communicate with stakeholders, such as sales, programmers, DBA, network administrators, human resources, and legal counsel. Provide guidance and recommendations to staff and management on processes and security controls. Governance, risk, and compliance committees.


Chapter 1
Risk Management

THE CASP+ EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 1: Risk Management

1.1 Summarize business and industry influences and associated security risks.
    - Risk management of new products, new technologies, and user behaviors
    - New or changing business models/strategies
        - Partnerships
        - Outsourcing
        - Cloud
        - Acquisition/merger—divestiture/demerger
        - Data ownership
        - Data reclassification
    - Security concerns of integrating diverse industries
        - Rules
        - Policies
        - Regulations
            - Export controls
            - Legal requirements
        - Geography
            - Data sovereignty
            - Jurisdictions
    - Internal and external influences
        - Competitors
        - Auditors/audit findings
        - Regulatory entities
        - Internal and external client requirements
        - Top-level management

    - Impact of de-perimeterization (e.g., constantly changing network boundary)
        - Telecommuting
        - Cloud
        - Mobile
        - BYOD
        - Outsourcing
        - Ensuring third-party providers have requisite levels of information security

1.2 Compare and contrast security, privacy policies, and procedures based on organizational requirements.
    - Policy and process life cycle management
        - New business
        - New technologies
        - Environmental changes
        - Regulatory requirements
        - Emerging risks
    - Support legal compliance and advocacy by partnering with human resources, legal, management, and other entities.
    - Understand common business documents to support security.
        - Risk Assessment (RA)
        - Business Impact Analysis (BIA)
        - Interoperability Agreement (IA)
        - Interconnection Security Agreement (ISA)
        - Memorandum of Understanding (MOU)
        - Service-Level Agreement (SLA)
        - Operating-Level Agreement (OLA)
        - Non-Disclosure Agreement (NDA)
        - Business Partnership Agreement (BPA)
        - Master Service Agreement (MSA)
