CASP/1.0 Enterprise Security 40%
Distinguish which cryptographic tools and techniques are appropriate for a given situation.
Cryptographic applications and proper implementation
Advanced PKI concepts
Wildcard
OCSP – Online Certificate Status Protocol vs. CRL – Certificate Revocation List
Issuance to entities
"RFC 2510 PKI Certificate Management Protocols". Retrieved 2014-05-12.
Users
"CERT issued certificate". Retrieved 2014-05-15.
Systems
Muller, Randy (August 2006). "How IT Works: Certificate Services". TechNet Magazine. 2006 (August). Retrieved 2021-10-22.
Applications
Implications of cryptographic methods and design
Strength vs. performance vs. feasibility to implement vs. interoperability
"Understanding Cryptographic Performance" (PDF). Retrieved 2014-05-15.
"Elliptic Curve". Retrieved 2014-05-15.
Transport encryption
Digital signature
Hashing
Code signing
Non-repudiation
Entropy
Pseudo-random number generation
Perfect forward secrecy
Confusion and diffusion
Advantages and disadvantages of virtualizing servers and minimizing physical space requirements
"Example of minimizing physical server space". Retrieved 2014-05-22.
VLAN – Virtual Local Area Network
Securing virtual environments, appliances and equipment
"Virtual Environment Security". Retrieved 2014-05-22.
Vulnerabilities associated with a single physical server hosting multiple companies' virtual machines
Vulnerabilities associated with a single platform hosting multiple companies' virtual machines
Secure use of on-demand / elastic cloud computing
Provisioning and de-provisioning
Data remnants
Vulnerabilities associated with co-mingling of hosts with different security requirements
Virtual machine escape
Privilege elevation
Virtual Desktop Infrastructure (VDI)
Terminal services
Explain the security implications of enterprise storage
Virtual storage
NAS – Network Attached Storage
SAN – Storage Area Network
vSAN – Virtual Storage Area Network
iSCSI – Internet Small Computer System Interface
FCoE – Fibre Channel over Ethernet
LUN – Logical Unit Number
HBA – Host Bus Adapter allocation
Redundancy (location)
Secure storage management
Multipath
Snapshots
Deduplication
Integrate hosts, networks, infrastructures, applications and storage into secure comprehensive solutions
"Integrating Application Delivery Solutions into Data Center Infrastructure". Retrieved 2014-05-28.
Advanced network design
Remote access
Placement of security devices
Critical infrastructure / Supervisory Control and Data Acquisition (SCADA)
VoIP – Voice over IP
IPv6
Complex network security solutions for data flow
Unified Threat Management
"Network Security Solutions". Retrieved 2014-06-02.
"High Performance Network Security, Enterprise and Data-Center Firewall". Retrieved 2014-06-02.
Secure data flows to meet changing business needs
"Network Security". Retrieved 2014-06-02.
Secure DNS – Domain Name System
Securing zone transfer
TSIG – Transaction Signature
Secure directory services
LDAP – Lightweight Directory Access Protocol
AD – Active Directory
Federated ID
Single sign-on
Network design considerations
Building layouts
Facilities management
Multitier networking data design considerations
Logical deployment diagram and corresponding physical deployment diagram of all relevant devices
Distinguish among security controls for hosts
"Host Based Security Controls". Retrieved 2014-06-03.
Host-based firewalls
Trusted OS – Operating System (e.g., how and when to use it)
Endpoint security software
Anti-malware
Anti-virus
Anti-spyware
Spam filters
Host hardening
Standard operating environment
Security policy / group policy implementation
Command shell restrictions
Warning banners
"System/Network Login Banners". Retrieved 2014-06-03.
Restricted interfaces
"The Benefit of Structured Interfaces in Collaborative Communication" (PDF). Retrieved 2014-06-03.
Asset management (inventory control)
Data exfiltration
HIDS – Host-based Intrusion Detection System / HIPS – Host-based Intrusion Prevention System
NIDS – Network-based Intrusion Detection System / NIPS – Network-based Intrusion Prevention System
Explain the importance of application security
Web application security design considerations
"Design Guidelines for Secure Web Applications". Retrieved 2014-06-16.
Secure: by design, by default, by deployment
"A Look Inside the Security Development Lifecycle at Microsoft". Retrieved 2014-06-16.
Specific application issues
XSS – Cross-Site Scripting
Click-jacking
Session management
Input validation
SQL injection
Application sandboxing
Application security frameworks
Standard libraries
Industry accepted approaches
Secure coding standards
"Secure Coding Standards". Retrieved 2014-06-25.
Exploits resulting from improper error and exception handling
"Improper error handling". Retrieved 2014-06-25.
Privilege escalation
Improper storage of sensitive data
"CWE-591: Sensitive Data Storage in Improperly Locked Memory". Retrieved 2014-06-25.
Fuzzing/fault injection
Secure cookie storage and transmission
Client-side processing vs. server-side processing
AJAX
State management
JavaScript
Buffer overflow
Memory leaks
Integer overflows
Race conditions
Time of check to time of use
Resource exhaustion
Given a scenario, distinguish and select the method or tool that is appropriate to conduct an assessment
Tool type
Port scanners
Vulnerability scanners
Protocol analyzer
Switchport analyzer
Network enumerator
Password cracker
Fuzzer
"OWASP Testing Guide Appendix C: Fuzz Vectors". Retrieved 2014-06-25.
HTTP – Hypertext Transfer Protocol interceptor
"Intercepting Messages". http://portswigger.net/burp/Help/proxy_intercept.html
Attacking tools/frameworks
"Black Hat: Top 20 hack-attack tools". http://www.networkworld.com/article/2168329/malware-cybercrime/black-hat--top-20-hack-attack-tools.html
Methods
"5 ways hackers attack you (and how to counter them)". http://www.usatoday.com/story/tech/columnist/komando/2013/07/19/hacker-attack-trojan-horse-drive-by-downloads-passwords/2518053/