
CompTIA® Advanced Security Practitioner (CASP) study guide mind map

CompTIA CASP is a trademark of the Computing Technology Industry Association, Inc. Trademarks are properties of the holders, who are not affiliated with mind map author.

Cryptography

Domain 1.1 - CASP® Exam Relevance

1.1 Distinguish which cryptographic tools and techniques are appropriate for a given situation.

Asymmetric Encryption

Diffie Hellman

El Gamal

Elliptic Curve Cryptography

Merkle–Hellman Knapsack

RSA

Authenticity

Cipher Text

Code signing

Confidentiality

Cryptanalysis

Cryptographic Key

Cryptographic Solutions

Application Layer Encryption (examples): Secure Shell (SSH), Pretty Good Privacy (PGP), Secure Hypertext Transfer Protocol (S-HTTP)

Transport Layer Encryption: Secure Sockets Layer (SSL), Transport Layer Security (TLS), Wireless Transport Layer Security (WTLS)

Internet Layer Controls: Encapsulated Secure Payload (ESP), Authentication Header (AH), Security Association (SA), Transport and Tunnel Mode

Physical Layer Controls: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)

Digital Signatures

What is it? Used to provide integrity, authenticity and non-repudiation.

Encryption

Hash collision

Issue when a hash function generates the same output for two or more different inputs.

Hash function

aka. "One-way function"

Hashing

What is it? aka. "digital fingerprints"

HAVAL

Hashed Message Authentication Code (HMAC)

MD (series)

Message Authentication Code (MAC)

Secure Hash Algorithm (SHA): SHA-0, SHA-1, SHA-2

Hybrid Encryption

Integrity

Non-repudiation

Nonces

Plain Text

Public Key Infrastructure (PKI)

Certificate Authority (CA)

Registration Authority (RA)

Certificate Revocation List (CRL)

Digital Certificates

Random numbers

Entropy

Pseudo Random Number Generation (PRNG). What is it? Algorithms that can produce random numbers based on an initial state, called the seed state.

Symmetric Encryption (Private-key cryptography)

2 types of ciphers

Ciphers in general share the following properties: Substitution, Transposition, Confusion, Diffusion

Block Ciphers
- What is it? Block ciphers perform symmetric encryption on fixed-sized blocks of data. Encrypt block of data of fixed size.
- Advanced Encryption Standard (AES)
- Blowfish
- Carlisle Adams/Stafford Tavares (CAST)
- Counter mode (CTR)
- Data Encryption Standard (DES)
  - 4 primary modes of operation: Electronic codebook (ECB) mode, Cipher block chaining (CBC) mode, Output feedback (OFB) mode, Cipher feedback (CFB) mode
- Electronic Codebook (ECB)
- Initialization Vectors (IV)
  - 2 primary modes of operation: Cipher block chaining (CBC) mode, Cipher feedback (CFB) mode
- International Data Encryption Algorithm (IDEA)
- Rijndael
  - Uses 3 layers of transformations to encrypt and decrypt blocks of message text: Linear mix transform, Nonlinear transform, Key addition transform
  - Uses a 4-step, parallel series of rounds:
    - If both key and block size are 128 bit, there are 10 rounds.
    - If both key and block size are 192 bit, there are 12 rounds.
    - If both key and block size are 256 bit, there are 14 rounds.
- Secure and Fast Encryption Routine (SAFER)
- Skipjack
- Triple DES (3DES)
- Twofish
- XTS

Stream Ciphers
- What is it? Stream ciphers deal with the entire data set one unit at a time. Encrypt continuous streams of data.
- Rivest Cipher (algorithms): RC2, RC3, RC4, RC5, RC6
- Indirection, shift, accumulate, add, and count (ISAAC)

Interactive Acronyms

Interactive CASP Acronyms

download CASP Acronyms

Exam domains

Domain 1.0: Enterprise Security

1.1 Distinguish which cryptographic tools and techniques are appropriate for a given situation.

1.2 Distinguish and select among different types of virtualized, distributed and shared computing

1.3 Explain the security implications of enterprise storage

1.4 Integrate hosts, networks, infrastructures, applications and storage into secure comprehensive solutions

1.5 Distinguish among security controls for hosts

1.6 Explain the importance of application security

1.7 Given a scenario, distinguish and select the method or tool that is appropriate to conduct an assessment

Domain 2.0: Risk Management, Policy and Procedure, and Legal

2.1 Analyze the security risk implications associated with business decisions

2.2 Execute and implement risk mitigation strategies and controls

2.3 Explain the importance of preparing for and supporting the incident response and recovery process

2.4 Implement security and privacy policies and procedures based on organizational requirements

Domain 3.0: Research and Analysis

3.1 Analyze industry trends and outline potential impact to the enterprise

3.2 Carry out relevant analysis for the purpose of securing the enterprise

Domain 4.0: Integration of Computing, Communications, and Business Disciplines

4.1 Integrate enterprise disciplines to achieve secure solutions

4.2 Explain the security impact of inter-organizational change

4.3 Select and distinguish the appropriate security controls with regard to communications and collaboration

Security Solutions

Domain 1.4 - CASP® Exam Relevance

1.4 Integrate hosts, networks, infrastructures, applications and storage into secure comprehensive solutions

Advanced Network Design

SCADA

Remote Access

VoIP

TCP/IP: Network Interface Layer, Internet Layer, Transport Layer, Application Layer

Secure Communication Solutions

Secure Facility Solutions

Secure Network Infrastructure Solutions

Virtualization

Domain 1.4 - CASP® Exam Relevance

1.2 Distinguish and select among different types of virtualized, distributed and shared computing

1.3 Explain the security implications of enterprise storage

Enterprise Security

Holistic view of security

Implementing enterprise security accomplishes the following:
- Demonstrates due care
- Helps provide assurance of policy compliance
- Lowers risks to acceptable levels
- Helps optimize allocation of scarce security resources
- Improves trust in the governance system
- May lead to a better organization reputation
- Helps establish accountability

Cloud Computing

Cloud Computing Models: Backup as a Service (BaaS), Database as a Service (DaaS), Desktop as a Service (DaaS), Hardware as a Service (HaaS), Identity as a Service (IaaS), Infrastructure-as-a-Service (IaaS), Monitoring-as-a-Service (MaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), Storage as a Service (SaaS)

Cloud Computing Security

Cloud Computing Providers (selected): Amazon, Citrix, CohesiveFT, FlexScale, Google, IBM, iCloud, Joyent, Microsoft, MozyHome, Nivanix, Rackspace, Salesforce.com, Sun, VMware, 3tera

Cloud Computing Vulnerabilities

Benefits of Cloud Computing: Reduces Cost, Increases Storage, Provides High Degree of Automation, Offers Flexibility, Provides More Mobility, Allows the Company's IT Department to Shift Focus

Virtualization

Virtual LANs

Enterprise Storage

Host Security

Domain 1.5 - CASP® Exam Relevance

1.5 Distinguish among security controls for hosts

Anti-malware

Antivirus

Anti-spyware

Spam Filters

Asset Management

Data Exfiltration

Endpoint Security Software

Firewalls and Access Control Lists (ACLs)

Host-Based Firewalls

Intrusion Detection and Prevention Systems (IDS and IPS)

OS Hardening

Trusted Operating System

Application Security (AppSec) and Penetration Testing (PenTest)

Domain 1.6 - CASP® Exam Relevance

1.6 Explain the importance of application security

1.7 Given a scenario, distinguish and select the method or tool that is appropriate to conduct an assessment

Application Security

Specific Application Issues

Cross-Site Scripting (XSS)

Clickjacking

Session Management

Input Validation

SQL Injection

Application Sandboxing

Application Security Framework

Standard Libraries

Secure Coding Standards

Application Exploits

Escalation of Privilege

Vertical Privilege Escalation

Horizontal Privilege Escalation

Improper Storage of Sensitive Data

Cookie Storage and Transmission

Process Handling at the Client and Server

Asynchronous JavaScript and XML (Ajax)

JavaScript

Buffer overflow

Memory leaks

Integer overflow

Race conditions (TOC/TOU)

Resource exhaustion

Security Assessments and Penetration Testing

Test Methods: Security Audit, Vulnerability Assessments, Penetration Testing

Penetration Testing Steps

1. Reconnaissance

2. Scanning

3. Gaining access

4. Escalation of privilege

5. Maintaining access

6. Covering, clearing tracks

7. Determine recommendations

8. Writing a report and presenting findings

Assessment Types

Black Box Testing

White Box Testing

Gray Box Testing

Assessment Areas

Denial of Service (DoS)

Wireless Networks

Telephony

Application and Security Code Review

Social Engineering Testing

Physical Testing

Security Assessment and Penetration Test Tools

Footprinting tools

Port scanning tools

Fingerprinting tools

Vulnerability scanning tools (software): LANguard, Nessus, Open Vulnerability Assessment System (OpenVAS), Retina, SAINT, Shadow Security Scanner

Network enumeration tools: OS Fingerprinting Tools, Simple Network Management Protocol (SNMP) Queries, Port Scanners, the classic OS command line

Protocol analyzer tools

Password cracking tools (software): Cain, John the Ripper, L0phtcrack, Ophcrack. Techniques: Dictionary Password Cracking, Hybrid Password Cracking, Brute-Force Password Cracking

Fuzzing and fault injection tools (software): SPIKE, SPIKEFile, WebFuzzer, eFuzz, Mangle, Tag Brute Forcer, IP Stack Integrity & Stability Checker (ISIC)

Wireless tools

HTTP interceptors

Exploit framework and attack tools

This freeware, non-commercial mind map was carefully hand crafted with passion and love for learning and constant improvement, as well as for promoting the CASP® certification, and as a learning tool for candidates wanting to gain the CASP® qualification. (Please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Please don't hesitate to contact me for :-) Mirosław Dąbrowski, Poland/Warsaw.

http://www.linkedin.com/in/miroslawdabrowski

https://www.google.com/+MiroslawDabrowski

https://play.spotify.com/user/miroslawdabrowski/

http://www.miroslawdabrowski.com

https://twitter.com/mirodabrowski

miroslaw_dabrowski