Professional Documents
Culture Documents
Casp Studyguide Cas-004 Samplelesson
Casp Studyguide Cas-004 Samplelesson
CASP+
Study Guide
Exam CAS-004
Acknowledgments
Notices
Disclaimer
While CompTIA, Inc. takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy,
and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose. The use of screenshots, photographs of another entity's products, or
another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply
sponsorship or endorsement of the book by nor any affiliation of such entity with CompTIA. This courseware may contain links
to sites on the Internet that are owned and operated by third parties (the "External Sites"). CompTIA is not responsible for
the availability of, or the content located on or through, any External Site. Please contact CompTIA if you have any concerns
regarding such links or External Sites.
Trademark Notice
CompTIA®, CASP+®, and the CompTIA logo are registered trademarks of CompTIA, Inc., in the U.S. and other countries. All
other product and service names used may be common law or registered trademarks of their respective proprietors.
Copyright Notice
Copyright © 2021 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software
proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA,
3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software
or other products is the responsibility of the user according to terms and conditions of the owner. If you believe that this
book, related materials, or any other CompTIA materials are being reproduced or transmitted without permission, please call
1-866-835-8020 or visit https://help.comptia.org.
Table of Contents | iii
Table of Contents
Topic 5C: Analyze Access Control Models & Best Practices............................ 120
Table of Contents
iv | Table of Contents
Solutions......................................................................................................................... S-1
Glossary ..........................................................................................................................G-1
Table of Contents
1
About This Course
CompTIA is a not-for-profit trade association with the purpose of advancing the
interests of IT professionals and IT channel organizations; its industry-leading IT
certifications are an important part of that mission. CompTIA's CASP+ Certification
is an advanced skill level cybersecurity certification designed for professionals with
10 years of general hands-on IT experience, with at least five of those years being
broad hands-on IT security experience.
This exam will certify the successful candidate with the technical knowledge and
skills required to architect, engineer, integrate, and implement secure solutions
across complex environments to support a resilient enterprise while considering the
impact of governance, risk, and compliance requirements.
CompTIA CASP+ Exam Objectives
Course Description
Course Objectives
This course can benefit you in two ways. If you intend to pass the CompTIA CASP+
(Exam CAS-004) certification examination, this course can be a significant part of
your preparation. But certification is not the only key to professional success in the
field of cybersecurity. Today's job market demands individuals have demonstrable
skills, and the information and activities in this course can help you build your
information security skill set so that you can confidently perform your duties as an
advanced security practitioner.
On course completion, you will be able to:
• Perform risk management activities.
Target Student
The Official CompTIA CASP+ Guide (Exam CAS-004) is the primary course you will
need to take if your job responsibilities include risk management, enterprise
security operations, security engineering and security architecture, research and
collaboration, and integration of enterprise security. You can take this course to
prepare for the CompTIA CASP+ (Exam CAS-004) certification examination.
vi | Preface
Prerequisites
To ensure your success in this course, you should have minimum of ten years
of general hands-on IT experience, with at least five of those years being broad
hands-on IT security experience. CompTIA Network+, Security+, CySA+, Cloud+, and
PenTest+ certification, or the equivalent knowledge, is strongly recommended.
The prerequisites for this course might differ significantly from the prerequisites for
the CompTIA certification exams. For the most up-to-date information about the exam
prerequisites, complete the form on this page: www.comptia.org/training/resources/
exam-objectives.
As You Learn
At the top level, this course is divided into lessons, each representing an area of
competency within the target job roles. Each lesson is comprised of a number of
topics. A topic contains subjects that are related to a discrete job task, mapped
to objectives and content examples in the CompTIA exam objectives document.
Rather than follow the exam domains and objectives sequence, lessons and topics
are arranged in order of increasing proficiency. Each topic is intended to be studied
within a short period (typically 30 minutes at most). Each topic is concluded by one
or more activities, designed to help you to apply your understanding of the study
notes to practical scenarios and tasks.
Additional to the study content in the lessons, there is a glossary of the terms and
concepts used throughout the course. There is also an index to assist in locating
particular terminology, concepts, technologies, and tasks within the lesson and
topic content.
In many electronic versions of the book, you can click links on key words in the topic
content to move to the associated glossary definition, and on page references in the
index to move to that term in the content. To return to the previous location in the
document after clicking a link, use the appropriate functionality in your eBook viewing
software.
As You Review
Any method of instruction is only as effective as the time and effort you, the
student, are willing to invest in it. In addition, some of the information that you
learn in class may not be important to you immediately, but it may become
important later. For this reason, we encourage you to spend some time reviewing
the content of the course after your time in the classroom.
Following the lesson content, you will find a table mapping the lessons and topics to
the exam domains, objectives, and content examples. You can use this as a checklist
as you prepare to take the exam, and review any content that you are uncertain
about.
As a Reference
The organization and layout of this book make it an easy-to-use resource for future
reference. Lesson summaries can be used during class and as after-class references
when you're back on the job and need to refresh your understanding. Taking
advantage of the glossary, index, and table of contents, you can use this book as a
first source of definitions, background information, and explanation of concepts.
LESSON INTRODUCTION
Risk is all around us. Sometimes risk is obvious and easy to identify, but many times
it is less obvious and demands careful analysis to properly identify. As organizations
grow and adapt to changing needs and strategic objectives, these adaptations
present new and evolving risk challenges. It is imperative to understand how
to identify and measure risk in order to formulate prioritized approaches for
managing it. In this lesson, we will frame risk from the viewpoint of an advanced
security practitioner and explore various mechanisms designed to assist us in
the identification and evaluation of risk and the essential components of a risk
management strategy.
Lesson Objectives
In this lesson, you will:
• Understand the role of Risk Management.
Topic 1A
Explain Risk Assessment Methods
2
Measuring Risk
Risk is a measure of the impact (or consequence) and likelihood of a threat
exploiting a vulnerability. To measure risk, it is essential to first identify known,
existing vulnerabilities and then evaluate the impacts realized by their exploitation.
Two additional, and critically important, variables considered in evaluating risk
are likelihood and impact. Some risks may be highly likely, or very probable, but
minimally impactful, and yet others may be incredibly impactful but very unlikely,
sometimes described as “statistically improbable” or as a “black swan event.” These
considerations play an important part in ranking and prioritizing risks in order to
appropriately focus financial and human resources in the most effective ways.
Likelihood of occurrence is the probability of the threat being realized.
Impact is the severity of the risk if realized. This may be determined by factors such
as the scope, the value of the asset, or the financial impacts of the event.
Risk Responses
Avoid
Risk avoidance means that you stop doing the activity that is risk-bearing. For
example, a company uses an in-house web application for managing inventory.
If the application is discovered to have numerous high-severity security
vulnerabilities, the company may decide that the cost of maintaining the application
is not worth the benefit it provides and decide to decommission it.
Accept
Risk acceptance means that an identified risk area has been evaluated and this
resulted in an agreement to continue operating the software, hardware, processes,
actions, or other type of similar tasks, despite the identified risks.
There is risk in all we do, even simple tasks in day to day life involve risks, but
despite this, we are still productive and largely safe so long as we are aware of risks
and act within safe limits. At some point, identified risks must all be accepted. It is
the task of risk management to help contain risks within carefully constructed and
mutually agreed-upon boundaries because risk cannot be eliminated.
Mitigate
Risk mitigation is the overall process of reducing exposure to, or the effects of, risk
factors. This is where the work of risk management really comes into focus. As risks
are identified, we must address them in a measured way. As security practitioners,
we are tasked with making technical business operations safe. This is accomplished
through the implementation of mitigating controls. For example, when considering
web applications, the number of potential security issues is long but the need for
the web application is identified as essential or critical to the business, and so we
must determine ways in which the web application can be operated as safely as
possible while still meeting the needs of the business. To do this we use various
means to improve the safety and security of the web application through the
implementation of mitigating controls.
By implementing effective mitigating controls we can reduce the overall risk. We
continue to implement mitigating controls until risk is reduced to a level deemed
“acceptable.”
Transfer
Risk transference (or sharing) means assigning risk to a third party, which is
most typically exemplified through the purchase of an insurance policy. Insurance
transfers financial risks to a third party. This is an important strategy as the cost of
data breaches, and other cybersecurity events, can be extremely high and result in
bankruptcy.
Residual Risk
Where inherent risk is the risk before mitigation, residual risk is the likelihood
and impact after specific mitigation, transference, or acceptance measures have
been applied. Risk appetite is a strategic assessment of what level of residual risk
is tolerable for an organization. Some organizations, like a start-up for example,
have very high risk appetites. Everything about a start-up involves risk and so the
threshold by which risk is measured will be categorically different than how risk is
measured at a 200 year-old insurance company.
It is important to note that residual risk and acceptable risk are not always equivalent. It
might be that a certain identified risk area cannot be mitigated to an acceptable level.
Review Activity:
3
Risk Management
Topic 1B
Summarize the Risk Life Cycle
5
It is essential that risks are formally identified and documented so that they can
be properly analyzed and prioritized by leadership teams. There are many risks to
consider but only a finite set of resources available to address them. Through the
clear identification, analysis, and prioritization of risk, the most pressing risk items
can be addressed and, by focusing the work effort on the most pressing items, the
organization’s overall risk level can be more effectively reduced.
Risk management describes the set of policies and processes used by an
organization to help it locate, describe, prioritize, and mitigate risks in a
consistent and repeatable way. Put another way, risk management formalizes
the identification and control of risks. Formalizing the risk management process
ensures that all stakeholders are aware of existing risks, the potential impacts these
risks may impose, and also the agreed upon methods used to mitigate them.
NIST CSF
The NIST Cybersecurity Framework is an incredibly popular framework and is widely
adopted in the United States. The NIST CSF helps organizations define five core
functions within a cybersecurity program.
The five core functions are:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
In addition, the NIST CSF defines several required steps when performing risk
management.
2. Orient
More details regarding the NIST CSF can be obtained via: https://www.nist.gov/itl/
smallbusinesscyber/nist-cybersecurity-framework
NIST RMF
The NIST RMF defines standards that US Federal Agencies must use to assess and
manage cybersecurity risks. NIST RMF defines several distinct steps required in an
effective risk management program.
The RMF steps are:
1. Prepare
2. Categorize
3. Select
4. Implement
5. Assess
6. Authorize
7. Monitor
More details regarding the NIST RMF can be obtained via: https://www.nist.gov/
cyberframework/risk-management-framework
ISO 31000
The International Organization for Standardization is one of the world’s largest
developers of standards. ISO standards are adopted by many international
organizations to establish a common taxonomy among diverse industries. ISO
31000, also known as ISO 31k, is a very comprehensive framework and considers
risks outside of cybersecurity, including risks to financial, legal, competitive, and
customer service functions.
More details regarding ISO 31000 can be obtained via: https://www.iso.org/iso-
31000-risk-management.html
COBIT
A framework created and maintained by ISACA, the Control Objectives for
Information and Related Technologies frames IT risk from the viewpoint of business
leadership. The COBIT framework is composed of five major components:
1. Framework
2. Process descriptions
3. Control objectives
4. Management guidelines
5. Maturity models
COSO
The Committee of Sponsoring Organizations of the Treadway Commission,
or COSO, is an initiative of five private sector organizations collaborating on
the development of risk management frameworks. The Enterprise Risk
Management — Integrated Framework defines an approach to managing risk from
a strategic leadership point of view.
More details can be obtained via: https://www.coso.org/Pages/default.aspx.
Risk constantly evolves and shifts due to many factors such as changes in an
organization’s strategy, changes within the industry, changes by vendor partners,
and changes in the software and platforms used on a daily basis. Due to the
dynamic nature of risk, it must be managed on a continual basis.
Risk management tasks are defined by a life cycle. The four major phases common
to all risk management life cycles include:
• Identify—This phase includes the identification of risk items.
People
Those who perform the work in an organization. People ultimately are the ones
most directly impacted by technology. What sounds great on paper may not work
well in practice and this can result in unintended consequences - such as increased
calls to the help desk and/or drops in productivity. People are more likely to bypass
security controls when they are overly burdensome and/or are implemented
without adequate training on their purpose and proper use.
Processes
All important work must be defined and described in a process. The process
should include detailed descriptions of the necessary steps required to successfully
complete a task. Processes, just like instructions, drive consistency and reliability
and remove doubt and individual interpretations when completing a task. In
addition, processes should be periodically analyzed to ascertain that they are being
used consistently and that the outputs match expectations.
Technology
Technology alone does not solve any problems. Ultimately, technology needs the
people and processes in place around it in order for it to be effective. Only after
careful consideration of requirements and need should technology be selected.
Identify
This function involves the analysis and management of organizational risks.Risks
can be realized in many areas, including people, data, systems and processes and
this process works to help an organization locate, describe and analyze these risks
in order to develop a prioritized approach to their management.
Protect
This function describes the capabilities needed to ensure consistent operation of all
critical business functions and limit the impacts of any adverse events.
Detect
This function defines the capabilities needed for the timely discovery of security
incidents.
Respond
This function seeks to limit the impact of a cybersecurity incident by defining
appropriate actions to be taken upon its discovery.
Recover
This function defines the necessary activities for restoring any disrupted service to
their original, or intended state, following a cybersecurity incident.
More details regarding the five functions of the NIST CSF can be obtained via:
https://www.nist.gov/cyberframework/online-learning/five-functions
The iterative process of risk management includes periodic reviews of the risk register in
order to determine the implementation status of each item - for example, analyzing the
extent to which the identified controls have been implemented since the last review.
Risk Register
First identified as an effective tool in the ISO 27001 standard, risk registers
provide an effective visualization of identified risks and include descriptions and
information about mitigating controls. It can be considered as the most recognized
output of the risk management program. The creation of the risk register requires
collaboration between many departments and should be considered a working
document, meaning it is never “completed.”
Below is an example of a risk register. The examples included are for illustrative
purposes only as each item should be evaluated and ranked differently from one
organization to another.
Scalability
Scalability refers to the capability of a system to handle increases in workload.
A system that scales well can easily adapt to increases in workload in order to
maintain a consistent level of performance.
Reliability
Reliability refers to a capability of a system to perform without error and describes
a system that includes features to avoid, detect, and/or repair component failures.
Availability
Availability describes the probability that a system will be operating as expected at
any given point in time. Availability is typically measured as “uptime.”
Sometimes, as is the case for the financial sector, a formal cyber risk appetite statement
must be adopted to describe the amount of risk the organization is willing to accept in
order to accomplish its mission.
Risk Tolerance
Risk tolerance defines the thresholds that separate different levels of risk.
Thresholds may be defined by money, impact, scope, time, compliance, and privacy,
and describe the level of risk acceptable in order to achieve a goal.
Tradeoff Analysis
Tradeoff analysis describes how decisions are made after reviewing risks and
rewards, by comparing potential benefits to potential risks, and determining a
course of action based on adjusting factors that contribute to each area. The
Software Engineering Institute (SEI) at Carnegie Mellon University developed the
Architecture Tradeoff Analysis Method (ATAM), which allows formal evaluation of
architectures based upon the analysis of risks and desired outcomes.
A practical example of tradeoff analysis also includes the constant battle between
usability versus security requirements. Establishing a balance between “secure”
and “usable” can be difficult. By over-accommodating one factor the other is
compromised. Put differently, implementing the highest levels of security in all
scenarios will result in unintended consequences. When considering usernames
and passwords for example, very long and complex password requirements often
result in lost productivity and high call volumes to the help desk.
Employment Policies
The following strategies are designed to reduce the likelihood of fraud and limit the
impacts of insider threat.
Separation of Duties
Separation of duties is a means of establishing checks and balances against the
possibility that critical systems or procedures can be compromised by insider
threats. Duties and responsibilities should be divided among individuals to prevent
ethical conflicts or abuse of powers.
Job Rotation
Job rotation (or rotation of duties) means that no one person is permitted to remain
in the same job for an extended period. For example, managers may be moved to
different departments periodically, or employees may perform more than one job role,
switching between them throughout the year. Rotating individuals into and out of roles,
such as the firewall administrator or access control specialist, helps an organization
ensure that it is not tied too firmly to any one individual because vital institutional
knowledge is spread among trusted employees. Job rotation also helps prevent abuse
of power, reduces boredom, and enhances individuals’ professional skills.
Mandatory Vacation
Mandatory vacation means that employees are forced to take their vacation time,
during which someone else fulfills their duties. The typical mandatory vacation
policy requires that employees take at least one vacation a year in a full-week
increment so that they are away from work for at least five days in a row. During
that time, the corporate audit and security employees have time to investigate and
discover any discrepancies in employee activity.
Least Privilege
Least privilege means that a user is granted sufficient rights to perform his or her job
and no more. This mitigates risk if the account should be compromised and fall under
the control of a threat actor. Authorization creep refers to a situation where a user
acquires more and more rights, either directly or by being added to security groups
and roles. Least privilege should be ensured by closely analyzing business workflows to
assess what privileges are required and by performing regular account audits.
Review Activity:
6
The Risk Life Cycle
Answer the following questions:
2. This phase of the risk management life cycle identifies effective means
by which identified risks can be reduced.
4. This function of the NIST CSF defines capabilities needed for the timely
discovery of security incidents.
Topic 1C
Assess & Mitigate Vendor Risk
6
The shared responsibility model describes the relationship between customer and CSP.
Security Responsibilities
In general terms, the responsibilities between customer and cloud provider include
the following areas:
Cloud Service Provider
• Physical security of the infrastructure
• Configuring the geographic location for storing data and running services
Additional Resources
NIST Cloud Computing Reference Architecture SP 500-292
https://www.nist.gov/publications/nist-cloud-computing-reference-architecture
Microsoft Shared Responsibility for Cloud Computing (White Paper)
https://azure.microsoft.com/en-us/resources/shared-responsibility-for-cloud-
computing/
Cloud Security Alliance Shared Responsibility Model Explained
https://cloudsecurityalliance.org/blog/2020/08/26/shared-responsibility-model-
explained/
• Support Availability—Defines the steps taken to verify the type and level of
support to be provided by the vendor in support of their product or service. It
is common for support performance and maintenance fees to be defined via
a service level agreement (SLA.) Definitions contained within the description
of support services should include details regarding how to obtain support,
response times, level of support (for example the boundary between product
support and professional services engagements), from what location support
services will be provided, descriptions regarding escalation, the use of account
managers, and other related items.
Geographical Considerations
Globalization
Organizations are very likely to use multiple vendors located in many geographically
diverse locations across the world. Globalization of the economy is a fascinating and
dynamic topic, and in terms of cybersecurity presents many unique challenges. The
most apparent issues when working with a vendor located in a different country
include time zone differences, language barriers, social and moral norms, as well
as legal jurisdiction. It is the latter issue that becomes much more pressing when
considering the use of cloud service providers. While a more straightforward vendor
relationship requires careful management of team interactions and the governance
of data access, remote access, contracts and service level agreements, cloud service
providers increase the complexities and risk of geographical considerations in a
very unique way.
A cloud service provider arrangement requires an organization to relocate its
core information technology applications, data, and infrastructure to the CSP.
Handing over much of the control of these items presents many tactical risks, but
from a geographic viewpoint, legal jurisdiction becomes much more complicated
as the customer and CSP are most often located in different cities, regions, and/
or countries. Determining which laws are applicable in various scenarios, defining
boundaries around how and where cloud services can be provisioned, and training
staff on these requirements becomes much more critical.
The United States, Europe, Asia, South and Central America, Australia, and New
Zealand all have divergent laws protecting intellectual property, privacy, the use of
encryption, and law enforcement cooperation.
Supply Chain Visibility (SCV) - Describes the capacity to understand how all vendor
hardware, software, and services are produced and delivered as well as how they
impact an organization’s operations or finished products. This is a daunting task, as
full visibility requires a comprehensive understanding of all levels of the supply chain,
to include the vendors and suppliers of an organization’s vendors and suppliers - or
put another way, the 1st, 2nd, 3rd,... nth level suppliers in the supply chain.
Third-Party Dependencies
Supply chain generally refers to the use and distribution of materials comprising
a finished product. Third-parties form part of the supply chain but describe a far
broader set of relationships such as vendors, suppliers, service providers, credit card
processors, utilities, contractors, affiliates, trade associations, government agencies,
and many others. Understanding and documenting these relationships, including
an assessment of the level of risk the third-party poses to the organization can help
identify sources of trouble. Some elements specific to securing IT operations include
identifying the code, hardware, and modules used within the environment and
provided by third-parties. These elements can introduce vulnerabilities and should be
assessed to determine their security level and capabilities.
Network Segmentation
Vendor products and/or the systems managed by vendors should be sufficiently
isolated from the rest of the organization’s environment to provide a distinct
containment layer for any exploitable vulnerabilities within the vendor product
and also to limit the vendor’s access to the larger network. Segmentation can
be performed logically, for example implementing virtual local area networks
(VLAN), or physically, for example separating networks and communications at the
equipment level. Network segmentation designs should be periodically re-evaluated
to verify they are still operating as originally designed.
Transmission Control
Transmission control defines how communication channels are protected from
infiltration, exploitation, and interception. Accomplished by many mechanisms,
transmission control can be realized through the application of access control lists
and rules on network equipment, limiting host and protocol access to essential
components only, mutual authentication, and encryption.
Shared Credentials
In order for vendor software and vendor support staff to work in an organization’s
environment, credentials will need to be provisioned. Some credentials will be
associated with software and services and others assigned to individuals. It is
imperative to maintain a one-to-one relationship between vendor employees
and credentials in order to establish clear accountability and an effective means
to revoke individual access. In addition, credentials associated with software and
services should be provisioned in a way that prevents them from being used as a
standard account, for example by removing the ability for the account to obtain an
“interactive logon” in Microsoft Windows.
An example of shared credentials are those provisioned and provided for any
vendor support staff to use. While this is convenient, it becomes practically
impossible to determine precisely who at the vendor location accessed a system
and performed specific actions. In addition, creating shared credentials in this
way fosters a lax security mindset as there is a lack of enforceable accountability.
Furthermore, vendor support may create shared credentials within the equipment
and/or software they support in order to more easily allow staff to quickly access
these items and provide support. Frequently, these credentials are used at all
vendor customer locations and a breach at any vendor customer site can result in
the theft of these credentials, which in-turn provide access to all vendor customer
locations.
Use of vendor credentials must be well-governed, and carefully monitored. Ideally,
vendor credentials should require multi-factor authentication, be disabled by
default, and only enabled for the duration required to provide support.
Review Activity:
7
Vendor Risk
Answer the following questions:
Lesson 1
Summary
6
Key Takeaways
• Risk management requires the involvement of inter-departmental groups.