Nadean H. Tanner - CASP+ CompTIA Advanced Security Practitioner Practice Tests


CASP+ CompTIA Advanced Security Practitioner Practice Tests: summary, description and annotation


Prepare for success on the challenging CASP+ CAS-004 exam

In the newly updated Second Edition of CASP+ CompTIA Advanced Security Practitioner Practice Tests, accomplished cybersecurity expert Nadean Tanner delivers an extensive collection of CASP+ preparation materials, including hundreds of domain-by-domain test questions and two additional practice exams.

Prepare for the new CAS-004 exam, as well as a new career in advanced cybersecurity, with Sybex’s proven approach to certification success. You’ll get ready for the exam, impress your next interviewer, and excel at your first cybersecurity job.

This book includes:

Comprehensive coverage of all exam CAS-004 objective domains, including security architecture, operations, engineering, cryptography, and governance, risk, and compliance
In-depth preparation for test success with 1000 practice exam questions
Access to the Sybex interactive learning environment and online test bank

Perfect for anyone studying for the CASP+ Exam CAS-004, CASP+ CompTIA Advanced Security Practitioner Practice Tests is also an ideal resource for anyone with IT security experience who seeks to brush up on their skillset or seek a valuable new CASP+ certification.

CASP+ CompTIA Advanced Security Practitioner Practice Tests: excerpt


Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2021938732

TRADEMARKS: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA and CASP+ are trademarks or registered trademarks of The Computing Technology Industry Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.


Acknowledgments

To my husband, no one I'd rather quarantine with.

To my children, who will never read this book.

To Kenyon Brown, for trusting me to do this again.

To Kelly Talbot, for gently reminding me of deadlines.

To Ryan Hendricks, your turn!

—Nadean H. Tanner

About the Author

Nadean H. Tanner is the manager of Consulting – Education Services at FireEye/Mandiant, working most recently on building real-world cyber-range engagements to practice threat hunting and incident response. She has been in IT for more than 20 years and specifically in cybersecurity for over a decade. She holds over 30 industry certifications, including CompTIA CASP+, Security+, and (ISC)² CISSP.

Tanner has trained and consulted for Fortune 500 companies and the U.S. Department of Defense in cybersecurity, forensics, analysis, red/blue teaming, vulnerability management, and security awareness.

She is the author of Cybersecurity Blue Team Toolkit, published by Wiley in 2019, and CASP+ Practice Tests: Exam CAS-003, published by Sybex in 2020. She also was the technical editor for CompTIA Security+ Study Guide: Exam SY0-601 (Sybex, 2021) and CompTIA PenTest+ Study Guide: Exam PT0-002 (Sybex, 2021), both written by Mike Chapple and David Seidl.

In her spare time, Tanner enjoys speaking at technical conferences such as Black Hat, Wild West Hacking Fest, and OWASP events.

About the Technical Editor

Ryan Hendricks (CISSP, CEH, CASP+, Security+) has more than 16 years of cybersecurity and intelligence experience. His first venture started while working intelligence operations for the U.S. Navy and then continued in the government and private sector as an educator, facilitator, consultant, and adviser on a multitude of information technology and cybersecurity principles.

Hendricks holds many certifications covering hardware, networking, operating systems, and cybersecurity. He worked as a trainer for the U.S. Department of Defense, educating hundreds of students on everything from military communication systems to the CompTIA CASP+ and (ISC)² CISSP certifications.

Hendricks is a staff architect and manager at VMware. He currently supports all technical content creation for the VMware Carbon Black portfolio and additional VMware Security products. Additional responsibilities include developing labs, updating materials, piloting and expanding the certification programs, mentoring and managing the security technical content team, and educating anyone who is willing to learn. When not working, Hendricks tries to balance spending his time learning new security tools and attack techniques to feed his need for knowledge and playing video games with his kids.

Introduction

CASP+ Advanced Security Practitioner Practice Tests is a companion volume to CASP+ Study Guide. If you're looking to test your knowledge before you take the CASP+ exam, this book will help you by providing a combination of 1,000 questions that cover the four CASP+ domains and by including easy-to-understand explanations of both right and wrong answers.

If you're just starting to prepare for the CASP+ exam, we highly recommend that you use CASP+ Study Guide: Exam CAS-004 by Jeff T. Parker to help you learn about each of the domains covered by the CASP+ exam. Once you're ready to test your knowledge, use this book to help find places where you might need to read a chapter again and study more.

Because this is a companion to the CASP+ Study Guide, this book is designed to be similar to taking the CASP+ exam. It contains multipart scenarios as well as standard multiple-choice questions similar to those you will encounter on the certification exam.

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

To submit your possible errata, please email it to our Customer Service Team at wileysupport@wiley.com with the subject line “Possible Book Errata Submission.”

Chapter 1 Security Architecture

THE CASP+ EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 1: Security Architecture

1.1 Given a scenario, analyze the security requirements and objectives to ensure an appropriate, secure network architecture for a new or existing network.

Services
  Load balancer
  Intrusion detection system (IDS)/network intrusion detection system (NIDS)/wireless intrusion detection system (WIDS)
  Intrusion prevention system (IPS)/network intrusion prevention system (NIPS)/wireless intrusion prevention system (WIPS)
  Web application firewall (WAF)
  Network access control (NAC)
  Virtual private network (VPN)
  Domain Name System Security Extensions (DNSSEC)
  Firewall/unified threat management (UTM)/next-generation firewall (NGFW)
  Network address translation (NAT) gateway
  Internet gateway
  Forward/transparent proxy
  Reverse proxy
  Distributed denial-of-service (DDoS) protection
  Routers
  Mail security
  Application programming interface (API) gateway/Extensible Markup Language (XML) gateway
  Traffic mirroring
    Switched port analyzer (SPAN) ports
    Port mirroring
    Virtual private cloud (VPC)
    Network tap
  Sensors
    Security information and event management (SIEM)
    File integrity monitoring (FIM)
    Simple Network Management Protocol (SNMP) traps
    NetFlow
    Data loss prevention (DLP)
    Antivirus
Segmentation
  Microsegmentation
  Local area network (LAN)/virtual local area network (VLAN)
  Jump box
  Screened subnet
  Data zones
  Staging environments
  Guest environments
  VPC/virtual network (VNET)
  Availability zone
  NAC lists
  Policies/security groups
  Regions
  Access control lists (ACLs)
  Peer-to-peer
  Air gap
Deperimeterization/zero trust
  Cloud
  Remote work
  Mobile
  Outsourcing and contracting
  Wireless/radio frequency (RF) networks
Merging of networks from various organizations
  Peering
  Cloud to on premises
  Data sensitivity levels
  Mergers and acquisitions
  Cross-domain
  Federation
  Directory services
Software-defined networking (SDN)
  Open SDN
  Hybrid SDN
  SDN overlay

1.2 Given a scenario, analyze the organizational requirements to determine the proper infrastructure security design.

Scalability
  Vertically
  Horizontally
Resiliency
  High availability
  Diversity/heterogeneity
  Course of action orchestration
  Distributed allocation
  Redundancy
  Replication
  Clustering
Automation
  Autoscaling
  Security Orchestration, Automation and Response (SOAR)
  Bootstrapping
Performance
Containerization
Virtualization
Content delivery network
Caching

1.3 Given a scenario, integrate software applications securely into an enterprise architecture.

Baseline and templates
  Secure design patterns/types of web technologies
    Storage design patterns
  Container APIs
  Secure coding standards
  Application vetting processes
  API management
  Middleware
Software assurance
  Sandboxing/development environment
  Validating third-party libraries
  Defined DevOps pipeline
  Code signing
  Interactive application security testing (IAST) vs. dynamic application security testing (DAST) vs. static application security testing (SAST)
Considerations of integrating enterprise applications
  Customer relationship management (CRM)
  Enterprise resource planning (ERP)
  Configuration management database (CMDB)
  Content management system (CMS)
  Integration enablers
    Directory services
    Domain name system (DNS)
    Service-oriented architecture (SOA)
    Enterprise service bus (ESB)
Integrating security into development life cycle
  Formal methods
  Requirements
  Fielding
  Insertions and upgrades
  Disposal and reuse
  Testing
    Regression
    Unit testing
    Integration testing
  Development approaches
    SecDevOps
    Agile
    Waterfall
    Spiral
    Versioning
    Continuous integration/continuous delivery (CI/CD) pipelines
  Best practices
    Open Web Application Security Project (OWASP)
    Proper Hypertext Transfer Protocol (HTTP) headers

1.4 Given a scenario, implement data security techniques for securing enterprise architecture.

Data loss prevention
  Blocking use of external media
  Print blocking
  Remote Desktop Protocol (RDP) blocking
  Clipboard privacy controls
  Restricted virtual desktop infrastructure (VDI) implementation
  Data classification blocking
Data loss detection
  Watermarking
  Digital rights management (DRM)
  Network traffic decryption/deep packet inspection
  Network traffic analysis
Data classification, labeling, and tagging
  Metadata/attributes
Obfuscation
  Tokenization
  Scrubbing
  Masking
Anonymization
Encrypted vs. unencrypted
Data life cycle
  Create
  Use
  Share
  Store
  Archive
  Destroy
Data inventory and mapping
Data integrity management
Data storage, backup, and recovery
  Redundant array of inexpensive disks (RAID)

1.5 Given a scenario, analyze the security requirements and objectives to provide the appropriate authentication and authorization controls.

Credential management
  Password repository application
    End-user password storage
    On premises vs. cloud repository
  Hardware key manager
  Privileged access management
Password policies
  Complexity
  Length
  Character classes
  History
  Maximum/minimum age
  Auditing
  Reversible encryption
Federation
  Transitive trust
  OpenID
  Security Assertion Markup Language (SAML)
  Shibboleth
Access control
  Mandatory access control (MAC)
  Discretionary access control (DAC)
  Role-based access control
  Rule-based access control
  Attribute-based access control
Protocols
  Remote Authentication Dial-in User Server (RADIUS)
  Terminal Access Controller Access Control System (TACACS)
  Diameter
  Lightweight Directory Access Protocol (LDAP)
  Kerberos
  OAuth
  802.1X
  Extensible Authentication Protocol (EAP)
Multifactor authentication (MFA)
  Two-factor authentication (2FA)
  2-Step Verification
  In-band
  Out-of-band
One-time password (OTP)
  HMAC-based one-time password (HOTP)
  Time-based one-time password (TOTP)
Hardware root of trust
Single sign-on (SSO)
JavaScript Object Notation (JSON) web token (JWT)
Attestation and identity proofing

1.6 Given a set of requirements, implement secure cloud and virtualization solutions.

Virtualization strategies
  Type 1 vs. Type 2 hypervisors
  Containers
  Emulation
  Application virtualization
  VDI
Provisioning and deprovisioning
Middleware
Metadata and tags
Deployment models and considerations
  Business directives
    Cost
    Scalability
    Resources
    Location
    Data protection
  Cloud deployment models
    Private
    Public
    Hybrid
    Community
Hosting models
  Multitenant
  Single-tenant
Service models
  Software as a service (SaaS)
  Platform as a service (PaaS)
  Infrastructure as a service (IaaS)
Cloud provider limitations
  Internet Protocol (IP) address scheme
  VPC peering
Extending appropriate on-premises controls
Storage models
  Object storage/file-based storage
  Database storage
  Block storage
  Blob storage
  Key-value pairs

1.7 Explain how cryptography and public key infrastructure (PKI) support security objectives and requirements.

Privacy and confidentiality requirements
Integrity requirements
Non-repudiation
Compliance and policy requirements
Common cryptography use cases
  Data at rest
  Data in transit
  Data in process/data in use
  Protection of web services
  Embedded systems
  Key escrow/management
  Mobile security
  Secure authentication
  Smart card
Common PKI use cases
  Web services
  Email
  Code signing
  Federation
  Trust models
  VPN
  Enterprise and security automation/orchestration

1.8 Explain the impact of emerging technologies on enterprise security and privacy.

Artificial intelligence
Machine learning
Quantum computing
Blockchain
Homomorphic encryption
  Private information retrieval
  Secure function evaluation
  Private function evaluation
Secure multiparty computation
Distributed consensus
Big Data
Virtual/augmented reality
3D printing
Passwordless authentication
Nano technology
Deep learning
Natural language processing
Deep fakes
Biometric impersonation
