CASP/1.0 Enterprise Security 40%

Distinguish which cryptographic tools and techniques are appropriate for a given situation.

Cryptographic applications and proper implementation

Advanced PKI concepts

Wild card

OCSP—Online Certificate Status Protocol VS CRL – Certification Revocation List

Issuance to entities

"RFC 2510 PKI Certificate Management Protocols". Retrieved 12MAY2014. {{cite web}}: Check date values in: |accessdate= (help)

Users

"CERT issued certificate". Retrieved 15MAY2014. {{cite web}}: Check date values in: |accessdate= (help)

Systems

Muller, Randy (August 2006). "How IT Works: Certificate Services". TechNet Magazine. 2006 (August). Retrieved 2021-10-22.

Applications

Implications of cryptographic methods and design

Strength vs. performance vs. feasibility to implement vs. interoperability

"Understanding Cryptographic Performance" (PDF). Retrieved 15MAY2014. {{cite web}}: Check date values in: |accessdate= (help) "Elliptic Curve". Retrieved 15MAY2014. {{cite web}}: Check date values in: |accessdate= (help)

Transport encryption

Digital signature

Hashing

Code signing

Non-repudiation

Entropy

Pseudo random number generation

Perfect forward secrecy

Confusion and Diffusion

Distinguish and select among different types of virtualized, distributed and shared computing

Advantages and disadvantages of virtualizing servers and minimizing physical space requirements

"Example of minimizing physical server space". Retrieved 22MAY2014. {{cite web}}: Check date values in: |accessdate= (help)

VLAN – Virtual Local Area Network

Securing virtual environments, appliances and equipment

"Virtual Environment Security". Retrieved 22MAY2014. {{cite web}}: Check date values in: |accessdate= (help)

Vulnerabilities associated with a single physical server hosting multiple companies’ virtual machines

Vulnerabilities associated with a single platform hosting multiple companies’ virtual machines

Secure use of on-demand / elastic cloud computing

Provisioning and De-provisioning

Data remnants

Vulnerabilities associated with co-mingling of hosts with different security requirements

Virtual Machine Escape

Privilege elevation

Virtual Desktop Infrastructure (VDI)

Terminal services

Explain the security implications of enterprise storage

Integrate hosts, networks, infrastructures, applications and storage into secure comprehensive solutions

"Integrating Application Delivery Solutions into Data Center Infrastructure". Retrieved 28MAY2014. {{cite web}}: Check date values in: |accessdate= (help)

Advanced network design

Remote access

Placement of security devices

Critical infrastructure / Supervisory Control and Data Acquisition (SCADA)

VoIP - Voice over IP

IPv6

Complex network, Network security, solutions for data flow

Unified Threat Management

"Network Security Solutions". {{cite web}}: Text "accessdate2014JUN02" ignored (help) "High Performance Network Security, Enterprise and Data-Center Firewall". Retrieved 2014JUN02. {{cite web}}: Check date values in: |accessdate= (help)

Secure data flows to meet changing business needs

"Network Security". Retrieved 2014JUN02. {{cite web}}: Check date values in: |accessdate= (help)

Secure DNS – Domain Name Service (Server)

Securing zone transfer

TSIG- Transaction Signature Interoperability Group

Secure directory services

LDAP – Lightweight Directory Access Protocol

AD—Active Directory

Federated ID

Single sign on

Network design consideration

Building layouts

Facilities management

Multitier networking data design considerations

Logical deployment diagram and corresponding physical deployment diagram of all relevant devices

Distinguish among security controls for hosts

"Host Based Security Controls". {{cite web}}: Text "accessdate2014JUN03" ignored (help)

Host-based firewalls

Trusted OS – Operating System (e.g. how and when to use it)

End point security software

Anti-malware

Anti-virus

Anti-spyware

Spam filters

Host hardening

Standard operating environment

Security Policy / group policy implementation

Command shell restrictions

Warning banners

"System/Network Login Banners". {{cite web}}: Text "accessdate2014JUN03" ignored (help)

Restricted interfaces

"The Benefit of Structured Interfaces in Collaborative Communication" (PDF). Retrieved 2014JUN03. {{cite web}}: Check date values in: |accessdate= (help)

Asset management (inventory control)

Data exfiltration

HIDS – Host Based Intrusion Detection System/HIPS – Host Based Intrusion Prevention System

NIDS – Network Based Intrusion Detection System/NIPS – Network Based Intrusion Prevention System

Explain the importance of application security

Web application security design considerations

"Design Guidelines for Secure Web Applications". Retrieved 2014JUN16. {{cite web}}: Check date values in: |accessdate= (help)

Secure: by design, by default, by deployment

"A Look Inside the Security Development Lifecycle at Microsoft". Retrieved 2014JUN16. {{cite web}}: Check date values in: |accessdate= (help)

Specific application issues

XSS - Cross-Site Scripting

Click-jacking

Session management

Input validation

SQL injection

Application sandboxing

Application security frameworks

Standard libraries

Industry accepted approaches

Secure coding standards

"Secure Coding Standards". Retrieved 2014JUN25. {{cite web}}: Check date values in: |accessdate= (help)

Exploits resulting from improper error and exception handling

"Improper error handling". Retrieved 2014JUN25. {{cite web}}: Check date values in: |accessdate= (help)

Privilege escalation

Improper storage of sensitive data

"CWE-591: Sensitive Data Storage in Improperly Locked Memory". Retrieved 2014JUN25. {{cite web}}: Check date values in: |accessdate= (help)

Fuzzing/false injection

Secure cookie storage and transmission

Client-side processing vs. server-side processing

AJAX

State management

JavaScript

Buffer overflow

Memory leaks

Integer overflows

Race conditions

Time of check to time of use

Resource exhaustion

Resource Management

Given a scenario, distinguish and select the method or tool that is appropriate to conduct an assessment

Tool type

Port scanners

Vulnerability scanners

Protocol analyzer

Switchport analyzer

Network enumerator

Password cracker

Fuzzer

"OWASP Testing Guide Appendix C: Fuzz Vectors". Retrieved 2014JUN25. {{cite web}}: Check date values in: |accessdate= (help)

HTTP – Hypertext Transfer Protocol interceptor

"Intercepting Messages". {{cite web}}: |access-date= requires |url= (help); Check date values in: |accessdate= (help); Missing or empty |url= (help); Text "http://portswigger.net/burp/Help/proxy_intercept.html" ignored (help)

Attacking tools/frameworks

"Black Hat: Top 20 hack-attack tools". {{cite web}}: |access-date= requires |url= (help); Check date values in: |accessdate= (help); Missing or empty |url= (help); Text "http://www.networkworld.com/article/2168329/malware-cybercrime/black-hat--top-20-hack-attack-tools.html" ignored (help)

Methods

"5 ways hackers attack you (and how to counter them)". {{cite web}}: |access-date= requires |url= (help); Check date values in: |accessdate= (help); Missing or empty |url= (help); Text "http://www.usatoday.com/story/tech/columnist/komando/2013/07/19/hacker-attack-trojan-horse-drive-by-downloads-passwords/2518053/" ignored (help)

Vulnerability assessment

Penetration testing

Black box

White box

Grey Box

Fingerprinting

Code review

Social engineering

Retrieved from "https://en.wikibooks.org/w/index.php?title=CASP/1.0_Enterprise_Security_40%25&oldid=3997851"