SKIP THE SHIPPING
Use code NOSHIP during checkout to save 40% on eligible eBooks, now through January 5. Shop now.
Also available in other formats.
Register your product to gain access to bonus material or receive a coupon.
CompTIA Advanced Security Practitioner (CASP+) CAS-004 Cert Guide Premium Edition eBook and Practice Test
The exciting new CompTIA Advanced Security Practitioner (CASP+) CAS-004 Cert Guide Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson Test Prep practice test software. The Premium Edition eBook and Practice Test contains the following items:
* The CompTIA Advanced Security Practitioner (CASP+) CAS-004 Premium Edition Practice Test, including four full practice exams and enhanced practice test features
* PDF and EPUB formats of the CompTIA Advanced Security Practitioner (CASP+) CAS-004 Cert Guide from Pearson IT Certification, which are accessible via your PC, tablet, and smartphone
About the Premium Edition Practice Test
This Premium Edition contains an enhanced version of the Pearson Test Prep practice test software with four full practice exams. This integrated learning package
* Enables you to focus on individual topic areas or take complete, timed exams
* Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
* Provides unique sets of exam-realistic practice questions
* Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most
Pearson Test Prep Practice Test software minimum system requirements:
Pearson Test Prep online system requirements:
Browsers: Chrome version 73 and above; Safari version 12 and above; Microsoft Edge 44 and above. Devices: Devices: Desktop and laptop computers, tablets running Android v8.0 and above or iPadOS v13 and above, smartphones running Android v8.0 and above or iOS v13 and above with a minimum screen size of 4.7. Internet access required.
Pearson Test Prep offline system requirements:
Windows 10, Windows 8.1; Microsoft .NET Framework 4.5 Client; Pentium-class 1 GHz processor (or equivalent); 512 MB RAM; 650 MB disk space plus 50 MB for each downloaded practice exam; access to the Internet to register and download exam databases
About the Premium Edition eBook
Learn, prepare, and practice for CompTIA Advanced Security Practitioner (CASP+) CAS-004 exam success with this Cert Guide from Pearson IT Certification, a leader in IT certification learning.
Master CompTIA Advanced Security Practitioner (CASP+) CAS-004 exam topics
Assess your knowledge with chapter-ending quizzes
Review key concepts with exam preparation tasks
Practice with realistic exam questions
CompTIA Advanced Security Practitioner (CASP+) CAS-004 Cert Guide from Pearson IT Certification prepares you to succeed on the CompTIA Advanced Security Practitioner (CASP+) CAS-004 exam by directly addressing the exam's objectives. Leading expert Troy McMillan shares preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills.
This complete study package includes
* Complete coverage of the exam objectives and a test-preparation routine proven to help you pass the exams
* Chapter-ending Key Topic tables, which help you drill on key concepts you must know thoroughly
* An online, interactive Flash Cards application to help you drill on Key Terms by chapter
* A final preparation chapter, which guides you through tools and resources to help you craft your review and test-taking strategies
* Study plan suggestions and templates to help you organize and optimize your study time
Well regarded for its level of detail, study plans, assessment features, and challenging review questions and exercises, this study guide helps you master the concepts and techniques that ensure your exam success, including
* Ensuring a secure network architecture
* Determining the proper infrastructure security design
* Implementing secure cloud and virtualization solutions
* Performing threat and vulnerability management activities
* Implementing appropriate incident response
* Applying secure configurations to enterprise mobility
* Configuring and implementing endpoint security controls
* Troubleshooting issues with cryptographic implementations
* Applying appropriate risk strategies
Download the sample pages (includes Chapter 4)
Introduction I
Part I: Security Architecture
Chapter 1 Ensuring a Secure Network Architecture 3
Services 3
Load Balancer 3
Intrusion Detection System (IDS)/Network Intrusion Detection System (NIDS)/Wireless Intrusion Detection System (WIDS) 3
Intrusion Prevention System (IPS)/Network Intrusion Prevention System (NIPS)/Wireless Intrusion Prevention System (WIPS) 6
Web Application Firewall (WAF) 6
Network Access Control (NAC) 8
Virtual Private Network (VPN) 10
Domain Name System Security Extensions (DNSSEC) 11
Firewall/Unified Threat Management (UTM)/Next-Generation Firewall (NGFW) 11
Network Address Translation (NAT) Gateway 19
Internet Gateway 21
Forward/Transparent Proxy 21
Reverse Proxy 22
Distributed Denial-of-Service (DDoS) Protection 22
Routers 22
Mail Security 26
Application Programming Interface (API) Gateway/Extensible Markup Language (XML) Gateway 30
Traffic Mirroring 30
Sensors 32
Segmentation 39
Microsegmentation 40
Local Area Network (LAN)/Virtual Local Area Network (VLAN) 40
Jump Box 43
Screened Subnet 44
Data Zones 44
Staging Environments 45
Guest Environments 45
VPC/Virtual Network (VNET) 45
Availability Zone 46
NAC Lists 47
Policies/Security Groups 47
Regions 49
Access Control Lists (ACLs) 49
Peer-to-Peer 49
Air Gap 49
De-perimeterization/Zero Trust 49
Cloud 50
Remote Work 50
Mobile 50
Outsourcing and Contracting 52
Wireless/Radio Frequency (RF) Networks 53
Merging of Networks from Various Organizations 58
Peering 59
Cloud to on Premises 59
Data Sensitivity Levels 59
Mergers and Acquisitions 60
Cross-domain 61
Federation 61
Directory Services 61
Software-Defined Networking (SDN) 62
Open SDN 63
Hybrid SDN 64
SDN Overlay 64
Exam Preparation Tasks 66
Chapter 2 Determining the Proper Infrastructure Security Design 73
Scalability 73
Vertically 73
Horizontally 74
Resiliency 74
High Availability/Redundancy 74
Diversity/Heterogeneity 75
Course of Action Orchestration 75
Distributed Allocation 76
Replication 76
Clustering 76
Automation 76
Autoscaling 76
Security Orchestration, Automation, and Response (SOAR) 77
Bootstrapping 77
Performance 77
Containerization 78
Virtualization 79
Content Delivery Network 79
Caching 80
Exam Preparation Tasks 81
Chapter 3 Securely Integrating Software Applications 85
Baseline and Templates 85
Baselines 85
Create Benchmarks and Compare to Baselines 85
Templates 86
Secure Design Patterns/Types of Web Technologies 87
Container APIs 88
Secure Coding Standards 89
Application Vetting Processes 90
API Management 91
Middleware 91
Software Assurance 92
Sandboxing/Development Environment 92
Validating Third-Party Libraries 93
Defined DevOps Pipeline 93
Code Signing 94
Interactive Application Security Testing (IAST) vs. Dynamic Application Security Testing (DAST) vs. Static Application Security Testing (SAST) 95
Considerations of Integrating Enterprise Applications 100
Customer Relationship Management (CRM) 100
Enterprise Resource Planning (ERP) 100
Configuration Management Database (CMDB) 101
Content Management System (CMS) 101
Integration Enablers 101
Integrating Security into Development Life Cycle 103
Formal Methods 103
Requirements 103
Fielding 104
Insertions and Upgrades 104
Disposal and Reuse 104
Testing 105
Development Approaches 109
Best Practices 117
Exam Preparation Tasks 119
Chapter 4 Securing the Enterprise Architecture by Implementing Data Security Techniques 125
Data Loss Prevention 125
Blocking Use of External Media 125
Print Blocking 126
Remote Desktop Protocol (RDP) Blocking 126
Clipboard Privacy Controls 127
Restricted Virtual Desktop Infrastructure (VDI) Implementation 128
Data Classification Blocking 128
Data Loss Detection 129
Watermarking 129
Digital Rights Management (DRM) 129
Network Traffic Decryption/Deep Packet Inspection 130
Network Traffic Analysis 130
Data Classification, Labeling, and Tagging 130
Metadata/Attributes 130
Obfuscation 131
Tokenization 131
Scrubbing 131
Masking 132
Anonymization 132
Encrypted vs. Unencrypted 132
Data Life Cycle 132
Create 132
Use 133
Share 133
Store 133
Archive or Destroy 133
Data Inventory and Mapping 133
Data Integrity Management 134
Data Storage, Backup, and Recovery 134
Redundant Array of Inexpensive Disks (RAID) 138
Exam Preparation Tasks 143
Chapter 5 Providing the Appropriate Authentication and Authorization Controls 149
Credential Management 149
Password Repository Application 149
Hardware Key Manager 150
Privileged Access Management 151
Privilege Escalation 151
Password Policies 151
Complexity 153
Length 153
Character Classes 153
History 154
Maximum/Minimum Age 154
Auditing 155
Reversable Encryption 156
Federation 156
Transitive Trust 156
OpenID 156
Security Assertion Markup Language (SAML) 157
Shibboleth 158
Access Control 159
Mandatory Access Control (MAC) 160
Discretionary Access Control (DAC) 160
Role-Based Access Control 161
Rule-Based Access Control 161
Attribute-Based Access Control 161
Protocols 162
Remote Authentication Dial-in User Service (RADIUS) 162
Terminal Access Controller Access Control System (TACACS) 163
Diameter 164
Lightweight Directory Access Protocol (LDAP) 164
Kerberos 165
OAuth 166
802.1X 166
Extensible Authentication Protocol (EAP) 167
Multifactor Authentication (MFA) 168
Knowledge Factors 169
Ownership Factors 169
Characteristic Factors 170
Physiological Characteristics 170
Behavioral Characteristics 171
Biometric Considerations 172
2-Step Verification 173
In-Band 174
Out-of-Band 174
One-Time Password (OTP) 175
HMAC-Based One-Time Password (HOTP) 175
Time-Based One-Time Password (TOTP) 175
Hardware Root of Trust 176
Single Sign-On (SSO) 177
JavaScript Object Notation (JSON) Web Token (JWT) 178
Attestation and Identity Proofing 179
Exam Preparation Tasks 180
Chapter 6 Implementing Secure Cloud and Virtualization Solutions 185
Virtualization Strategies 185
Type 1 vs. Type 2 Hypervisors 186
Containers 187
Emulation 188
Application Virtualization 189
VDI 189
Provisioning and Deprovisioning 189
Middleware 190
Metadata and Tags 190
Deployment Models and Considerations 190
Business Directives 191
Cloud Deployment Models 192
Hosting Models 193
Multitenant 193
Single-Tenant 194
Service Models 194
Software as a Service (SaaS) 194
Platform as a Service (PaaS) 194
Infrastructure as a Service (IaaS) 195
Cloud Provider Limitations 196
Internet Protocol (IP) Address Scheme 196
VPC Peering 196
Extending Appropriate On-premises Controls 196
Storage Models 196
Object Storage/File-Based Storage 197
Database Storage 197
Block Storage 198
Blob Storage 198
Key-Value Pairs 198
Exam Preparation Tasks 199
Chapter 7 Supporting Security Objectives and Requirements with Cryptography and Public Key Infrastructure (PKI) 203
Privacy and Confidentiality Requirements 203
Integrity Requirements 204
Non-repudiation 204
Compliance and Policy Requirements 204
Common Cryptography Use Cases 205
Data at Rest 205
Data in Transit 205
Data in Process/Data in Use 205
Protection of Web Services 206
Embedded Systems 206
Key Escrow/Management 207
Mobile Security 209
Secure Authentication 209
Smart Card 209
Common PKI Use Cases 210
Web Services 210
Email 210
Code Signing 211
Federation 211
Trust Models 212
VPN 212
Enterprise and Security Automation/Orchestration 213
Exam Preparation Tasks 214
Chapter 8 Managing the Impact of Emerging Technologies on Enterprise Security and Privacy 219
Artificial Intelligence 219
Machine Learning 220
Quantum Computing 220
Blockchain 220
Homomorphic Encryption 221
Secure Multiparty Computation 221
Private Information Retrieval 221
Secure Function Evaluation 221
Private Function Evaluation 221
Distributed Consensus 221
Big Data 222
Virtual/Augmented Reality 223
3-D Printing 224
Passwordless Authentication 224
Nano Technology 225
Deep Learning 225
Natural Language Processing 225
Deep Fakes 226
Biometric Impersonation 226
Exam Preparation Tasks 227
Part II: Security Operations
Chapter 9 Performing Threat Management Activities 231
Intelligence Types 231
Tactical 231
Strategic 232
Operational 232
Actor Types 233
Advanced Persistent Threat (APT)/Nation-State 233
Insider Threat 234
Competitor 234
Hacktivist 234
Script Kiddie 235
Organized Crime 235
Threat Actor Properties 235
Resource 235
Supply Chain Access 235
Create Vulnerabilities 236
Capabilities/Sophistication 236
Identifying Techniques 237
Intelligence Collection Methods 237
Intelligence Feeds 237
Deep Web 237
Proprietary 238
Open-Source Intelligence (OSINT) 238
Human Intelligence (HUMINT) 243
Frameworks 243
MITRE Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK) 243
Diamond Model of Intrusion Analysis 245
Cyber Kill Chain 246
Exam Preparation Tasks 246
Chapter 10 Analyzing Indicators of Compromise and Formulating an Appropriate Response 251
Indicators of Compromise 251
Packet Capture (PCAP) 251
Logs 252
Notifications 256
Notification Severity/Priorities 260
Syslog 261
Unusual Process Activity 263
Response 265
Firewall Rules 265
IPS/IDS Rules 267
ACL Rules 267
Signature Rules 267
Behavior Rules 268
DLP Rules 268
Scripts/Regular Expressions 268
Exam Preparation Tasks 268
Chapter 11 Performing Vulnerability Management Activities 275
Vulnerability Scans 275
Credentialed vs. Non-credentialed 275
Agent-Based/Server-Based 276
Criticality Ranking 277
Active vs. Passive 278
Security Content Automation Protocol (SCAP) 278
Extensible Configuration Checklist Description Format (XCCDF) 278
Open Vulnerability and Assessment Language (OVAL) 279
Common Platform Enumeration (CPE) 279
Common Vulnerabilities and Exposures (CVE) 279
Common Vulnerability Scoring System (CVSS) 279
Common Configuration Enumeration (CCE) 282
Asset Reporting Format (ARF) 282
Self-assessment vs. Third-Party Vendor Assessment 283
Patch Management 283
Manual Patch Management 284
Automated Patch Management 284
Information Sources 284
Advisories 285
Bulletins 286
Vendor Websites 287
Information Sharing and Analysis Centers (ISACs) 287
News Reports 287
Exam Preparation Tasks 287
Chapter 12 Using the Appropriate Vulnerability Assessment and Penetration Testing Methods and Tools 293
Methods 293
Static Analysis/Dynamic Analysis 293
Side-Channel Analysis 293
Reverse Engineering 294
Wireless Vulnerability Scan 295
Rogue Access Points 295
Software Composition Analysis 296
Fuzz Testing 296
Pivoting 297
Post-exploitation 297
Persistence 298
Tools 298
SCAP Scanner 298
Network Traffic Analyzer 299
Vulnerability Scanner 300
Protocol Analyzer 302
Port Scanner 302
HTTP Interceptor 304
Exploit Framework 304
Password Cracker 306
Dependency Management 307
Requirements 308
Scope of Work 308
Rules of Engagement 308
Invasive vs. Non-invasive 308
Asset Inventory 308
Permissions and Access 309
Corporate Policy Considerations 310
Facility Considerations 310
Physical Security Considerations 310
Rescan for Corrections/Changes 310
Exam Preparation Tasks 310
Chapter 13 Analyzing Vulnerabilities and Recommending Risk Mitigations 315
Vulnerabilities 315
Race Conditions 315
Overflows 315
Broken Authentication 318
Unsecure References 319
Poor Exception Handling 319
Security Misconfiguration 319
Improper Headers 320
Information Disclosure 321
Certificate Errors 321
Weak Cryptography Implementations 321
Weak Ciphers 322
Weak Cipher Suite Implementations 322
Software Composition Analysis 322
Use of Vulnerable Frameworks and Software Modules 323
Use of Unsafe Functions 323
Third-Party Libraries 323
Code Injections/Malicious Changes 324
End of Support/End of Life 324
Regression Issues 324
Inherently Vulnerable System/Application 325
Client-Side Processing vs. Server-Side Processing 325
JSON/Representational State Transfer (REST) 326
Browser Extensions 326
Hypertext Markup Language 5 (HTML5) 327
Asynchronous JavaScript and XML (AJAX) 327
Simple Object Access Protocol (SOAP) 329
Machine Code vs. Bytecode or Interpreted vs. Emulated 329
Attacks 329
Directory Traversal 330
Cross-site Scripting (XSS) 331
Cross-site Request Forgery (CSRF) 331
Injection 332
Sandbox Escape 337
Virtual Machine (VM) Hopping 337
VM Escape 337
Border Gateway Protocol (BGP) Route Hijacking 338
Interception Attacks 339
Denial-of-Service (DoS)/DDoS 339
Authentication Bypass 340
Social Engineering 340
VLAN Hopping 341
Exam Preparation Tasks 341
Chapter 14 Using Processes to Reduce Risk 347
Proactive and Detection 347
Hunts 347
Developing Countermeasures 347
Deceptive Technologies 347
Security Data Analytics 348
Processing Pipelines 349
Indexing and Search 350
Log Collection and Curation 350
Database Activity Monitoring 350
Preventive 351
Antivirus 352
Immutable Systems 352
Hardening 352
Sandbox Detonation 352
Application Control 353
License Technologies 353
Allow List vs. Block List 354
Time of Check vs. Time of Use 354
Atomic Execution 355
Security Automation 355
Cron/Scheduled Tasks 355
Bash 356
PowerShell 357
Python 357
Physical Security 358
Review of Lighting 358
Review of Visitor Logs 359
Camera Reviews 359
Open Spaces vs. Confined Spaces 361
Exam Preparation Tasks 362
Chapter 15 Implementing the Appropriate Incident Response 367
Event Classifications 367
False Positive 367
False Negative 367
True Positive 367
True Negative 367
Triage Event 367
Preescalation Tasks 368
Incident Response Process 368
Preparation 369
Training 369
Testing 370
Detection 370
Analysis 371
Containment 371
Recovery 371
Response 372
Lessons Learned 372
Specific Response Playbooks/Processes 373
Scenarios 373
Non-automated Response Methods 374
Automated Response Methods 374
Communication Plan 375
Stakeholder Management 377
Legal 377
Human Resources 377
Public Relations 378
Internal and External 378
Exam Preparation Tasks 379
Chapter 16 Forensic Concepts 385
Legal vs. Internal Corporate Purposes 385
Forensic Process 385
Identification 385
Evidence Collection 385
Evidence Preservation 388
Analysis 389
Verification 391
Presentation 391
Integrity Preservation 392
Hashing 392
Cryptanalysis 394
Steganalysis 394
Exam Preparation Tasks 394
Chapter 17 Forensic Analysis Tools 399
File Carving Tools 399
Foremost 399
Strings 400
Binary Analysis Tools 401
Hex Dump 401
Binwalk 401
Ghidra 401
GNU Project Debugger (GDB) 401
OllyDbg 402
readelf 402
objdump 402
strace 402
ldd 402
file 403
Analysis Tools 403
ExifTool 403
Nmap 403
Aircrack-ng 403
Volatility 404
The Sleuth Kit 405
Dynamically vs. Statically Linked 405
Imaging Tools 405
Forensic Toolkit (FTK) Imager 405
dd 406
Hashing Utilities 407
sha256sum 407
ssdeep 407
Live Collection vs. Post-mortem Tools 407
netstat 407
ps 409
vmstat 409
ldd 410
lsof 410
netcat 410
tcpdump 411
conntrack 411
Wireshark 412
Exam Preparation Tasks 413
Part III: Security Engineering and Cryptography
Chapter 18 Applying Secure Configurations to Enterprise Mobility 419
Managed Configurations 419
Application Control 419
Password 419
MFA Requirements 420
Token-Based Access 421
Patch Repository 422
Firmware Over-the-Air 422
Remote Wipe 422
Wi-Fi 423
Profiles 424
Bluetooth 424
Near-Field Communication (NFC) 424
Peripherals 425
Geofencing 425
VPN Settings 425
Geotagging 426
Certificate Management 426
Full Device Encryption 427
Tethering 427
Airplane Mode 427
Location Services 427
DNS over HTTPS (DoH) 428
Custom DNS 428
Deployment Scenarios 429
Bring Your Own Device (BYOD) 429
Corporate-Owned 429
Corporate-Owned, Personally Enabled (COPE) 429
Choose Your Own Device (CYOD) 429
Implications of Wearable Devices 429
Digital Forensics on Collected Data 430
Unauthorized Application Stores 431
Jailbreaking/Rooting 431
Side Loading 431
Containerization 432
Original Equipment Manufacturer (OEM) and Carrier Differences 432
Supply Chain Issues 432
eFuse 432
Exam Preparation Tasks 433
Chapter 19 Configuring and Implementing Endpoint Security Controls 437
Hardening Techniques 437
Removing Unneeded Services 437
Disabling Unused Accounts 438
Images/Templates 438
Removing End-of-Life Devices 438
Removing End-of-Support Device 438
Local Drive Encryption 439
Enabling No-Execute (NX)/Execute Never (XN) Bit 439
Disabling Central Processing Unit (CPU) Virtualization Support 439
Secure Encrypted Enclaves 440
Memory Encryption 440
Shell Restrictions 441
Address Space Layout Randomization (ASLR) 442
Processes 442
Patching 442
Logging 443
Monitoring 443
Mandatory Access Control 444
Security-Enhanced Linux (SELinux)/Security-Enhanced Android (SEAndroid) 444
Kernel vs. Middleware 445
Trustworthy Computing 445
Trusted Platform Module (TPM) 445
Secure Boot 446
Unified Extensible Firmware Interface (UEFI)/Basic Input/Output System (BIOS) Protection 447
Attestation Services 448
Hardware Security Module (HSM) 448
Measured Boot 449
Self-Encrypting Drives (SEDs) 450
Compensating Controls 450
Antivirus 450
Application Controls 451
Host-Based Intrusion Detection System (HIDS)/Host-Based Intrusion Prevention System (HIPS) 451
Host-Based Firewall 451
Endpoint Detection and Response (EDR) 451
Redundant Hardware 452
Self-Healing Hardware 452
User and Entity Behavior Analytics (UEBA) 452
Exam Preparation Tasks 452
Chapter 20 Security Considerations Impacting Specific Sectors and Operational Technologies 459
Embedded 459
Internet of Things (IoT) 459
System on a Chip (SoC) 461
Application-Specific Integrated Circuit (ASIC) and Field-Programmable Gate Array (FPGA) 461
ICS/Supervisory Control and Data Acquisition (SCADA) 462
Programmable Logic Controller (PLC) 463
Historian 463
Ladder Logic 463
Safety Instrumented System 464
Heating, Ventilation, and Air Conditioning (HVAC) 464
Protocols 465
Controller Area Network (CAN) Bus 465
Modbus 466
Distributed Network Protocol 3 (DNP3) 466
Zigbee 467
Common Industrial Protocol (CIP) 467
Data Distribution Service 468
Sectors 468
Energy 469
Manufacturing 469
Healthcare 470
Public Utilities 470
Public Services 470
Facility Services 471
Exam Preparation Tasks 472
Chapter 21 Cloud Technology's Impact on Organizational Security 477
Automation and Orchestration 477
Encryption Configuration 477
Logs 478
Availability 479
Collection 479
Monitoring 479
Configuration 480
Alerting 480
Monitoring Configurations 480
Key Ownership and Location 481
Key Life-Cycle Management 483
Backup and Recovery Methods 485
Cloud as Business Continuity and Disaster Recovery (BCDR) 486
Primary Provider BCDR 486
Alternative Provider BCDR 486
Infrastructure vs. Serverless Computing 486
Application Virtualization 487
Software-Defined Networking 488
Misconfigurations 488
Collaboration Tools 488
Web Conferencing 488
Video Conferencing 489
Audio Conferencing 491
Storage and Document Collaboration Tools 491
Storage Configurations 492
Bit Splitting 493
Data Dispersion 493
Cloud Access Security Broker (CASB) 493
Exam Preparation Tasks 494
Chapter 22 Implementing the Appropriate PKI Solution 499
PKI Hierarchy 499
Registration Authority (RA) 499
Certificate Authority (CA) 499
Subordinate/Intermediate CA 500
Certificate Types 501
Wildcard Certificate 501
Extended Validation 502
Multidomain 502
General Purpose 503
Certificate Usages/Profiles/Templates 504
Client Authentication 504
Server Authentication 504
Digital Signatures 504
Code Signing 505
Extensions 505
Common Name (CN) 505
Subject Alternate Name (SAN) 505
Trusted Providers 505
Trust Model 506
Cross-certification 506
Configure Profiles 507
Life-Cycle Management 507
Public and Private Keys 508
Digital Signature 512
Certificate Pinning 512
Certificate Stapling 512
Certificate Signing Requests (CSRs) 513
Online Certificate Status Protocol (OCSP) vs. Certificate Revocation List (CRL) 513
HTTP Strict Transport Security (HSTS) 514
Exam Preparation Tasks 514
Chapter 23 Implementing the Appropriate Cryptographic Protocols and Algorithms 519
Hashing 519
Secure Hashing Algorithm (SHA) 519
Hash-Based Message Authentication Code (HMAC) 520
Message Digest (MD) 521
RACE Integrity Primitives Evaluation Message Digest (RIPEMD) 521
Poly1305 521
Symmetric Algorithms 522
Modes of Operation 523
Stream and Block 526
Asymmetric Algorithms 528
Key Agreement 529
Signing 530
Known Flaws/Weaknesses 531
Protocols 532
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 532
Secure/Multipurpose Internet Mail Extensions (S/MIME) 533
Internet Protocol Security (IPsec) 534
Secure Shell (SSH) 534
EAP 535
Elliptic-Curve Cryptography 535
P256/P384 535
Forward Secrecy 536
Authenticated Encryption with Associated Data 536
Key Stretching 536
Password-Based Key Derivation Function 2 (PBKDF2) 537
Bcrypt 537
Exam Preparation Tasks 537
Implementation and Configuration Issues 542
Validity Dates 542
Chapter 24 Troubleshooting Issues with Cryptographic Implementations 543
Wrong Certificate Type 543
Revoked Certificates 543
Incorrect Name 543
Chain Issues 544
Weak Signing Algorithm 545
Weak Cipher Suite 545
Incorrect Permissions 546
Cipher Mismatches 546
Downgrade 546
Keys 546
Mismatched 547
Improper Key Handling 547
Embedded Keys 548
Rekeying 548
Exposed Private Keys 548
Crypto Shredding 548
Cryptographic Obfuscation 548
Key Rotation 549
Compromised Keys 549
Exam Preparation Tasks 549
Part IV: Governance, Risk, and Compliance
Chapter 25 Applying Appropriate Risk Strategies 555
Risk Assessment 555
Likelihood 556
Impact 556
Qualitative vs. Quantitative 557
Exposure Factor 558
Asset Value 558
Total Cost of Ownership (TCO) 559
Return on Investment (ROI) 560
Mean Time to Recovery (MTTR) 562
Mean Time Between Failure (MTBF) 562
Annualized Loss Expectancy (ALE)/Annualized Rate of Occurrence (ARO)/Single Loss Expectancy (SLE) 562
Gap Analysis 564
Risk Handling Techniques 565
Transfer 565
Accept 565
Avoid 566
Mitigate 566
Risk Types 566
Inherent 567
Residual 567
Exceptions 567
Risk Management Life Cycle 568
Identify 569
Assess 570
Control 570
Control Types 572
Review 573
Frameworks 573
Risk Tracking 590
Risk Register 590
Key Performance Indicators/Key Risk Indicators 591
Risk Appetite vs. Risk Tolerance 594
Tradeoff Analysis 595
Usability vs. Security Requirements 595
Policies and Security Practices 595
Separation of Duties 595
Job Rotation 596
Mandatory Vacation 596
Least Privilege 597
Employment and Termination Procedures 598
Training and Awareness for Users 599
Auditing Requirements and Frequency 601
Exam Preparation Tasks 601
Chapter 26 Managing and Mitigating Vendor Risk 607
Shared Responsibility Model (Roles/Responsibilities) 607
Cloud Service Provider (CSP) 607
Client 609
Vendor Lock-in and Vendor Lock-out 610
Vendor Viability 610
Financial Risk 610
Merger or Acquisition Risk 610
Meeting Client Requirements 610
Legal 610
Change Management 611
Staff Turnover 612
Device and Technical Configurations 612
Support Availability 615
Geographical Consideration 615
Supply Chain Visibility 615
Incident Reporting Requirements 616
Source Code Escrows 616
Ongoing Vendor Assessment Tools 616
Third-Party Dependencies 616
Code 617
Hardware 617
Modules 618
Technical Considerations 618
Technical Testing 618
Network Segmentation 618
Transmission Control 618
Shared Credentials 619
Exam Preparation Tasks 620
Chapter 27 The Organizational Impact of Compliance Frameworks and Legal Considerations 625
Security Concerns of Integrating Diverse Industries 625
Rules 625
Policies 626
Regulations 626
Data Considerations 626
Data Sovereignty 626
Data Ownership 627
Data Classifications 627
Data Retention 629
Data Types 629
Data Removal, Destruction, and Sanitization 634
Geographic Considerations 635
Location of Data 636
Location of Data Subject 636
Location of Cloud Provider 637
Third-Party Attestation of Compliance 637
Regulations, Accreditations, and Standards 637
Open Standards 638
Adherence to Standards 638
Competing Standards 639
Lack of Standards 639
De Facto Standards 639
Payment Card Industry Data Security Standard (PCI DSS) 639
General Data Protection Regulation (GDPR) 640
International Organization for Standardization (ISO) 641
Capability Maturity Model Integration (CMMI) 643
National Institute of Standards and Technology (NIST) 644
Children's Online Privacy Protection Act (COPPA) 644
Common Criteria 644
Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) 646
Legal Considerations 646
Due Diligence/Due Care 646
Export Controls 647
Legal Holds 648
E-Discovery 648
Contract and Agreement Types 648
Service-Level Agreement (SLA) 649
Master Service Agreement (MSA) 649
Non-disclosure Agreement (NDA) 650
Memorandum of Understanding (MOU) 650
Interconnection Security Agreement (ISA) 650
Operational-Level Agreement 651
Privacy-Level Agreement 651
Exam Preparation Tasks 651
Chapter 28 Business Continuity and Disaster Recovery Concepts 657
Develop Contingency Planning Policy 658
Conduct the BIA 658
Identify Critical Processes and Resources 659
Recovery Time Objective 659
Recovery Point Objective 659
Recovery Service Level 659
Mission Essential Functions 659
Privacy Impact Assessment 660
Disaster Recovery Plan (DRP)/Business Continuity Plan (BCP) 660
Personnel Components 661
Project Scope 661
Business Continuity Steps 662
Recovery and Multiple Site Strategies 662
Cold Site 663
Warm Site 663
Hot Site 663
Mobile Site 664
Incident Response Plan 664
Roles/Responsibilities 665
After-Action Reports 666
Testing Plans 666
Checklist 666
Walk-through 666
Tabletop Exercises 666
Full Interruption Test 667
Parallel Test/Simulation Test 667
Exam Preparation Tasks 667
Tools for Final Preparation 672
Pearson Test Prep Practice Test Software and Questions on the Website 672
Chapter 29 Final Preparation 673
Accessing the Pearson Test Prep Software Online 673
Accessing the Pearson Test Prep Practice Test Software Offline 673
Customizing Your Exams 674
Updating Your Exams 675
Premium Edition 676
Chapter-Ending Review Tools 676
Suggested Plan for Final Review/Study 676
Appendix A Answers to the Review Questions 679
Glossary 709
Online Elements
Appendix B Memory Tables
Appendix C Memory Tables Answer Key
Appendix D Study Planner
Glossary
9780137348954 TOC 5/26/2022