My journey through CASP+ (CompTIA Advanced Security Practitioner+) (CAS-004) cert prep with Jason Dion LinkedIn Learning

About the Exam

CASP+ is an advanced-level cybersecurity certification covering technical skills in security architecture and senior security engineering in traditional, cloud, and hybrid environments, governance, risk, and compliance skills, assessing an enterprise’s cybersecurity readiness, and leading technical teams to implement enterprise-wide cybersecurity solutions. Successful candidates will have the knowledge required to:

  1. Architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise
  2. Use monitoring, detection, incident response, and automation to proactively support ongoing security operations in an enterprise environment
  3. Apply security practices to cloud, on-premises, endpoint, and mobile infrastructure, while considering cryptographic technologies and techniques
  4. Consider the impact of governance, risk, and compliance requirements throughout the enterprise. ~comptia.org/certifications/comptia-advanced..

About the Instructor

Jason Dion specializes in providing actionable information you can use to further your cybersecurity and information technology career. His IT certification and training courses teach you real-world application of the skills needed to face today's cybersecurity challenges.

Dion is an instructor at Liberty University’s College of Engineering and Computational Science and Anne Arundel Community College’s Department of Computing Technologies with multiple information technology professional certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Network Defense Architect (CNDA), Digital Forensic Examiner (DFE), Digital Media Collector (DMC), Security+, Network+, A+, PRINCE2, PRINCE2 Agile and ITIL. ~infosecinstitute.com/authors/jason-dion

Introduction

It is recommended that applicants obtain the CompTIA Security+, CySA+ and PenTest+ certifications before taking this exam.
The four domains for this exam are:

i. Security Architecture

ii. Security Operations

iii. Security Engineering and Cryptography

iv. Governance, Risk and Compliance

The exam is made up of 90 questions to be answered in 165 minutes. Now I will walk you through the nine modules in this course.

The Learning Proper

Threat and Vulnerability Management

In this section, we will be focusing on domain 2 (Security Operations).

  • Threat intelligence is a continual process used to understand the threats faced by an organisation. Threat actors have moved from focusing on server-side attacks to client-side attacks.

Network Access Control (NAC) helps to scan client computers before allowing them to connect to an enterprise network. Enterprises also use mobile device management and mobile application management software to help mitigate threats associated with mobile devices running standard operating systems such as iOS and Android. The three categories of threat intelligence are: tactical, strategic and operational.

  • Threat hunting detects the presence of threats that have not been discovered by normal security monitoring.
  • The five steps of the security intelligence process are planning and direction, collection and processing, analysis, dissemination, and feedback. Intelligence can come from different sources such as intelligence feeds, the deep web, open-source intelligence or human intelligence.

  • Threat actor is a term used to describe those who wish to harm networks or steal secure data. Here the instructor drew the distinction between “hacker” and “cracker”, as well as the similarity.

Categorization of hackers: black hat, white hat and grey hat hackers. The six main types of threat actors are script kiddies, insider threats, competitors, organized crime, hacktivists and nation-state actors (APTs).

  • The instructor talked about the three threat management frameworks as follows:

i. The Lockheed Martin Cyber Kill Chain describes the stages by which a threat actor progresses a network intrusion. The seven stages are: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2) and actions on objectives. The six D’s (detect, deny, disrupt, degrade, deceive, destroy) can serve as responses at each stage of the kill chain.

ii. The MITRE ATT&CK framework is a knowledge base maintained by the MITRE Corporation that lists and explains common adversary tactics and techniques observed in the real world.

iii. The Diamond Model of Intrusion Analysis can be used to visually depict and represent any intrusion event. The four points on the diamond represent the victim, capability, adversary and infrastructure.

  • Vulnerability assessment identifies and classifies vulnerabilities within a system. Some corporate organisations use tools like Nessus, QualysGuard and AlienVault for vulnerability assessment.

    While conducting a vulnerability scan, there are four main elements to consider:

    i. Credentialed vs non-credentialed scan
    ii. Agent vs agentless scan
    iii. Active vs passive scan
    iv. Criticality ranking

    One can gather vulnerability management details from:

    i. Advisory: provides specific information about an identified vulnerability.
    ii. Bulletin: contains a listing of advisories across a wide range of products.
    iii. News: can be useful as a tipper but doesn’t contain enough detail.
    iv. Information Sharing and Analysis Centers (ISACs): share sector-specific threat intelligence and security best practices among their members.
  • Security Content Automation Protocol (SCAP) standardizes the formatting and naming conventions used for software flaws, misconfigurations and vulnerabilities.

    Three main languages used in SCAP are:

    i. Open Vulnerability and Assessment Language (OVAL): an XML schema for describing system security states and querying vulnerability reports and information.
    ii. Extensible Configuration Checklist Description Format (XCCDF): an XML schema for developing and auditing best-practice configuration checklists and rules.
    iii. Asset Reporting Format (ARF): an XML schema for expressing information about assets and the relationships between assets and reports.

    SCAP also supports three enumeration schemes, namely:

    i. Common Configuration Enumeration (CCE): a scheme for provisioning secure configuration checks across multiple sources.
    ii. Common Platform Enumeration (CPE): a scheme for identifying hardware devices, operating systems and applications.
    iii. Common Vulnerabilities and Exposures (CVE): a list of records where each item contains a unique identifier used to describe a publicly known vulnerability.

    SCAP also provides a scoring system:

    i. Common Vulnerability Scoring System (CVSS): provides a numerical score to reflect the severity of a given vulnerability.


Vulnerability assessments

  • In this section, the instructor focused on domain 2.
  • Penetration test is the process of simulating an attack on a network, its systems or applications.
  • A vulnerability assessment is a credentialed scan: the tools used are provided with a username and password, which gives the assessor an insider’s view of the network. In penetration testing, by contrast, the pentester tries to break into the network without being given credentials. Here the instructor spoke about deciding on a strategy when starting a penetration test: whether it will be a blind test, a double-blind test or a target test.
  • Three types of penetration testing discussed were unknown, partially-known and known penetration tests.

The five basic steps of pen-test are:

i. Get permission and document information about the target network.
ii. Gather information about the target through reconnaissance.
iii. Enumerate the target to identify known vulnerabilities.
iv. Exploit the network to gain user or privileged access.
v. Document the results of the test and report them to the organization.

  • The three major factors to consider while planning a penetration test are time, cost and quality.
  • Scope of work (SOW) details the tasks to be performed which will include all the rules of engagement that will be followed.
  • Rules of Engagement (ROE) are the ground rules both parties must abide by. Here I learned that timeline, location, time restrictions, transparency and boundaries should be included in ROE.
  • Test Invasiveness refers to the type of actions you can perform on a target.

The types of code analysis are:

  1. Static analysis is a type of code analysis that is performed without executing the program. This can be done manually or automated.
  2. Dynamic analysis is the type of code analysis that is performed while executing the program.
  3. Side-channel analysis is a type of code analysis that is done while inspecting a system or software as it operates.
  4. Reverse engineering is the type of code analysis used to analyse the structure of a piece of hardware or software to reveal more about its functions. For software, you will use one of these:
    Decompiler (e.g. IDA Pro): displays the low-level programming language representation of the malware.
    Debugger (e.g. OllyDbg): runs the malware sample step-by-step through its program.
  5. Software composition analysis is a type of code analysis that inspects the source code to identify any open-source components.
  6. Fuzz testing/fuzzing is a process used to inject invalid or unexpected inputs into an application to determine its reaction. Some fuzzers are JBroFuzz, WSFuzzer, Peach and StringMutator. A fuzzer can test large sample sets of data in a very short period to find coding errors and bugs in software.
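To make the fuzzing item concrete, here is a small mutation fuzzer, added as an example and not code from the course or from any of the fuzzers named above. The record format, the parse_record and parse_record_hardened functions, the seed inputs and the MalformedRecord class are all constructed for this illustration. The naive parser trusts the lengths it reads from the input, so mutated inputs reach raw Python errors it never planned for; the hardened parser checks every length before using it, and the same fuzzer run finds nothing in it.

```python
"""Added example: a minimal mutation fuzzer against a constructed record parser
and a hardened version of the same parser (not part of the course material)."""
import random


class MalformedRecord(Exception):
    """The parser's own, expected way of rejecting bad input."""


def parse_record(data: bytes) -> dict:
    """Constructed toy format: [1-byte name length][name][2-byte big-endian value length][value].
    The declared lengths are trusted, so some malformed inputs escape as raw Python errors."""
    name_len = data[0]                              # IndexError on empty input
    name = data[1:1 + name_len].decode("ascii")     # UnicodeDecodeError on non-ASCII bytes
    pos = 1 + name_len
    value_len = int.from_bytes(data[pos:pos + 2], "big")
    value = data[pos + 2:pos + 2 + value_len]
    if len(value) != value_len:
        raise MalformedRecord("truncated value")
    return {"name": name, "value": value}


def parse_record_hardened(data: bytes) -> dict:
    """Same format, but every length is checked before it is used and every
    rejection is a MalformedRecord rather than an unplanned exception."""
    if len(data) < 1:
        raise MalformedRecord("empty input")
    name_len = data[0]
    pos = 1 + name_len
    if len(data) < pos + 2:
        raise MalformedRecord("header longer than input")
    name_bytes = data[1:pos]
    if not name_bytes.isascii():
        raise MalformedRecord("name is not ASCII")
    value_len = int.from_bytes(data[pos:pos + 2], "big")
    value = data[pos + 2:pos + 2 + value_len]
    if len(value) != value_len:
        raise MalformedRecord("truncated value")
    return {"name": name_bytes.decode("ascii"), "value": value}


SEEDS = [b"\x04name\x00\x05value", b"\x02id\x00\x01\x07"]   # constructed valid inputs


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Apply one random mutation: bit flip, truncation, byte insertion or boundary-value overwrite."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        del data[rng.randrange(len(data)):]
    elif op == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    return bytes(data)


def fuzz(target, seeds=SEEDS, iterations=2000, rng_seed=1234) -> dict:
    """Feed mutated inputs to `target`; return {exception type name: first triggering input}
    for every exception that is not the parser's planned MalformedRecord."""
    rng = random.Random(rng_seed)          # fixed seed so a run is reproducible
    findings = {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            target(case)
        except MalformedRecord:
            continue                       # expected rejection, not a bug
        except Exception as exc:           # anything else is an unhandled path worth fixing
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    print("naive parser:   ", fuzz(parse_record))
    print("hardened parser:", fuzz(parse_record_hardened))
```

The design choice that makes this useful as a test rather than noise is the split between the parser's planned rejection (MalformedRecord) and everything else: a fuzzer that reported every exception would bury the two real defects under thousands of correctly rejected inputs.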

The five types of protocol analysis tools are:

  1. Wireless vulnerability scanner: identifies the configuration and signal coverage of a given organization’s wireless network.
  2. Protocol analyser: collects raw packets from the network, e.g. Wireshark and tcpdump.
  3. Network traffic analyzer: samples the network packets and allows us to conduct flow analysis, e.g. NetFlow and Zeek.
  4. Port scanner: discovers which ports are open on each host or server, e.g. Zenmap, Nmap, Angry IP Scanner, Metasploit, QualysGuard's Vulnerability Management software and Tenable's Nessus Vulnerability Scanner.
  5. HTTP interceptor: intercepts web traffic between a browser and the web server, e.g. Burp Suite.
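As an added example of what the “flow analysis” in item 3 means in practice (this is not code from the course, nor from NetFlow or Zeek), the block below groups constructed packet headers into 5-tuple flows and then applies one simple flow-level detection: flagging a source that opens flows to many distinct ports on a host. The packet list is a stand-in for what tcpdump or Zeek would record, not a real capture, and the addresses, ports and the threshold in find_port_scanners are assumptions made for the illustration.

```python
"""Added example: 5-tuple flow aggregation plus a port-scan indicator over constructed
packet headers (not part of the course material)."""
from collections import defaultdict

# Constructed packet headers: (timestamp, src_ip, dst_ip, proto, src_port, dst_port, bytes).
PACKETS = (
    # benign: one HTTPS session, several packets in each direction
    [(1.0 + i, "10.0.0.5", "10.0.0.80", "tcp", 51000, 443, 1200) for i in range(6)]
    + [(1.5 + i, "10.0.0.80", "10.0.0.5", "tcp", 443, 51000, 300) for i in range(6)]
    # suspicious: one source touching 15 distinct ports on one host, one tiny packet each
    + [(10.0 + i * 0.01, "10.0.0.9", "10.0.0.80", "tcp", 40000 + i, 20 + i, 60) for i in range(15)]
)


def build_flows(packets):
    """Group packets into unidirectional flows keyed by the 5-tuple, the way a NetFlow
    record or a Zeek conn log entry does, keeping packet/byte counts and first/last seen."""
    flows = {}
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["bytes"] += size
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows


def find_port_scanners(flows, min_ports=10):
    """Flag sources whose flows reach at least `min_ports` distinct (destination, port) pairs.
    The threshold is an assumption for this example; in production it is tuned per network."""
    targets = defaultdict(set)
    for (src, dst, _proto, _sport, dport) in flows:
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def single_packet_flows(flows):
    """Count flows that never got past one packet; scan probes cluster here,
    which is a second signal a flow analyst looks at alongside port diversity."""
    return sum(1 for f in flows.values() if f["packets"] == 1)


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(f"{len(flows)} flows from {len(PACKETS)} packets")
    print("single-packet flows:", single_packet_flows(flows))
    print("possible port scanners:", find_port_scanners(flows))
```

Notice that the flow view throws away packet payloads entirely, which is exactly why a traffic analyzer scales where a protocol analyser like Wireshark does not: the detection above needs only headers and counts.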

Types of Analysis utilities

  1. SCAP scanner: compares a software configuration and patch level against predetermined settings contained within a SCAP content baseline, e.g. OpenSCAP (open-scap.org).
  2. Vulnerability scanner: discovers security weaknesses in a host or system across the enterprise network, e.g. Nessus, OpenVAS, QualysGuard, Nexpose and Nikto.
  3. Exploitation tools and frameworks: a grouping of software that is used to exploit security holes in an enterprise network, e.g. Metasploit, Armitage and BeEF.
  4. Password cracker: performs password cracking attacks, of which brute-force attacks and dictionary attacks are the two main kinds. Some password cracking tools are John the Ripper and Cain and Abel.
  5. Dependency management tool: identifies which dependencies are met and which third-party libraries may be missing and need to be installed.
