
Distinguish which cryptographic tools and techniques are appropriate for a given situation.

Cryptographic applications and proper implementation

Advanced PKI concepts

Wildcard

OCSP – Online Certificate Status Protocol vs. CRL – Certificate Revocation List

Issuance to entities

"RFC 2510 PKI Certificate Management Protocols". http://www.ietf.org/rfc/rfc2510.txt. Retrieved 12 May 2014.

Users

"CERT issued certificate". https://pki.cert.org/help/pki_faq.html#certissuedcertificate. Retrieved 15 May 2014.

Systems

"How IT Works: Certificate Services". http://technet.microsoft.com/en-us/magazine/2006.08.howitworks.aspx. Retrieved 15 May 2014.

Applications

Implications of cryptographic methods and design

Strength vs. performance vs. feasibility to implement vs. interoperability

"Understanding Cryptographic Performance". http://cache.freescale.com/files/32bit/doc/app_note/AN2761.pdf. Retrieved 15 May 2014.

"Elliptic Curve". http://www.nsa.gov/business/programs/elliptic_curve.shtml. Retrieved 15 May 2014.

Transport encryption

Digital signature

Hashing

Code signing

Non-repudiation

Entropy

Pseudo random number generation

Perfect forward secrecy

Confusion and diffusion

Distinguish and select among different types of virtualized, distributed and shared computing

Advantages and disadvantages of virtualizing servers and minimizing physical space requirements

"Example of minimizing physical server space". http://arcserve.com/~/media/Files/SuccessStoryTechBriefs/patrick-air-force-base_219786.ashx. Retrieved 22 May 2014.

VLAN – Virtual Local Area Network

Securing virtual environments, appliances and equipment

"Virtual Environment Security". https://www.bit9.com/solutions/virtual-environment-security. Retrieved 22 May 2014.

Vulnerabilities associated with a single physical server hosting multiple companies’ virtual machines

Vulnerabilities associated with a single platform hosting multiple companies’ virtual machines

Secure use of on-demand / elastic cloud computing

Provisioning and de-provisioning

Data remnants

Vulnerabilities associated with co-mingling of hosts with different security requirements

Virtual Machine Escape

Privilege elevation

Virtual Desktop Infrastructure (VDI)

Terminal services

Explain the security implications of enterprise storage

Virtual storage

NAS – Network Attached Storage

SAN – Storage Area Network

vSAN – Virtual Storage Area Network

iSCSI – Internet Small Computer Systems Interface

FCoE – Fibre Channel over Ethernet

LUN – Logical Unit Number

HBA – Host Bus Adapter allocation

Redundancy (location)

Secure storage management

Multipath

Snapshots

Deduplication

Integrate hosts, networks, infrastructures, applications and storage into secure comprehensive solutions

"Integrating Application Delivery Solutions into Data Center Infrastructure". http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/ace-application-control-engine-module/White_Paper_Integrating_Application_Delivery_Solutions_into_Data_Center_Infrastructure.html. Retrieved 28 May 2014.

Advanced network design

Remote access

Placement of security devices

Critical infrastructure / Supervisory Control and Data Acquisition (SCADA)

VoIP – Voice over IP

IPv6

Complex network security solutions for data flow

Unified Threat Management

"Network Security Solutions". http://secunia.com/solutions/.

"High Performance Network Security, Enterprise and Data-Center Firewall". http://www.fortinet.com/solutions/. Retrieved 2 June 2014.

Secure data flows to meet changing business needs

"Network Security". http://www.windstreambusiness.com/solutions/network-security. Retrieved 2 June 2014.

Secure DNS – Domain Name System

Securing zone transfer

TSIG – Transaction SIGnature

Secure directory services

LDAP – Lightweight Directory Access Protocol

AD – Active Directory

Federated ID

Single sign on

Network design considerations

Building layouts

Facilities management

Multitier networking data design considerations

Logical deployment diagram and corresponding physical deployment diagram of all relevant devices

Distinguish among security controls for hosts

"Host Based Security Controls". http://www.networkworld.com/newsletters/2004/1101datacenter1.html. 

Host-based firewalls

Trusted OS – Operating System (e.g. how and when to use it)

End point security software

Anti-malware

Anti-virus

Anti-spyware

Spam filters

Host hardening

Standard operating environment

Security policy / group policy implementation

Command shell restrictions

Warning banners

"System/Network Login Banners". https://security.tennessee.edu/Pages/login-banner.aspx. 

Restricted interfaces

"The Benefit of Structured Interfaces in Collaborative Communication". http://www.aaai.org/Papers/Symposia/Fall/2001/FS-01-05/FS01-05-009.pdf. Retrieved 3 June 2014.

Asset management (inventory control)

Data exfiltration

HIDS – Host-based Intrusion Detection System / HIPS – Host-based Intrusion Prevention System

NIDS – Network-based Intrusion Detection System / NIPS – Network-based Intrusion Prevention System

Explain the importance of application security

Web application security design considerations

"Design Guidelines for Secure Web Applications". http://msdn.microsoft.com/en-us/library/ff648647.aspx. Retrieved 16 June 2014.

Secure: by design, by default, by deployment

"A Look Inside the Security Development Lifecycle at Microsoft". http://msdn.microsoft.com/en-us/magazine/cc163705.aspx. Retrieved 16 June 2014.

Specific application issues

XSS – Cross-site scripting

Clickjacking

Session management

Input validation

SQL injection

Application sandboxing

Application security frameworks

Standard libraries

Industry accepted approaches

Secure coding standards

"Secure Coding Standards". http://www.cert.org/secure-coding/research/secure-coding-standards.cfm?. Retrieved 25 June 2014.

Exploits resulting from improper error and exception handling

"Improper error handling". https://www.owasp.org/index.php/Improper_error_handling. Retrieved 25 June 2014.

Privilege escalation

Improper storage of sensitive data

"CWE-591: Sensitive Data Storage in Improperly Locked Memory". http://cwe.mitre.org/data/definitions/591.html. Retrieved 25 June 2014.

Fuzzing / fault injection

Client-side processing vs. server-side processing

AJAX

State management

JavaScript

Buffer overflow

Memory leaks

Integer overflows

Race conditions

Time of check to time of use

Resource exhaustion

Resource management

Given a scenario, distinguish and select the method or tool that is appropriate to conduct an assessment

Tool type

Port scanners

Vulnerability scanners

Protocol analyzer

Switchport analyzer

Network enumerator

Password cracker

Fuzzer

"OWASP Testing Guide Appendix C: Fuzz Vectors". https://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors. Retrieved 25 June 2014.

HTTP – Hypertext Transfer Protocol interceptor

"Intercepting Messages". 

Attacking tools/frameworks

"Black Hat: Top 20 hack-attack tools". 

Methods

"5 ways hackers attack you (and how to counter them)". 

Vulnerability assessment

Penetration testing

Black box

White box

Grey box

Fingerprinting

Code review

Social engineering

This article is issued from Wikibooks. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.