CASP+ Domain #3: Security Engineering and Cryptography [2022 update]

March 9, 2022 by Greg Belding

Are you an advanced-level security architect or senior security engineer who wants to verify your high level of cyber security skills? Do you want to prove to hiring organizations that your knowledge is up to the task of leading and improving your organization’s cyber security readiness? If so, the CompTIA Advanced Security Practitioner, or CASP+, may be the certification for you. To earn the cert, you will first have to pass the certification exam covering four knowledge domains.

Earn your CASP+, guaranteed!

Enroll in a CompTIA CASP+ boot camp and earn one of the industry’s most respected certifications — guaranteed.

What is CASP+?

CASP+ is an advanced-level cyber security certification intended for cyber security practitioners. Successful certification candidates will have the knowledge and skill required to:

  • Architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise
  • Use monitoring, detection, incident response, and automation to proactively support ongoing security operations in an enterprise environment
  • Apply security practices to cloud, on-premises, endpoint, and mobile infrastructure, while considering cryptographic technologies and techniques
  • Consider the impact of governance, risk, and compliance requirements throughout the enterprise

What has changed since the last CASP+ exam version?

The latest CASP+ exam version is CAS-004, and much has changed since CAS-003. The exam has dropped a Domain (down to 4), and every Domain name and its percentage of exam material has changed. Below is a comparison:

| CAS-004 Exam Domains | CAS-003 Exam Domains |
|---|---|
| 1.0 Security Architecture (29%) | 1.0 Risk Management (19%) |
| 2.0 Security Operations (30%) | 2.0 Enterprise Security Architecture (25%) |
| 3.0 Security Engineering and Cryptography (26%) | 3.0 Enterprise Security Operations (20%) |
| 4.0 Governance, Risk and Compliance (15%) | 4.0 Technical Integration of Enterprise Security (23%) |
|  | 5.0 Research, Development, and Collaboration (13%) |

CASP+ Domain 3: Security Engineering and Cryptography

3.1 Given a scenario, apply secure configurations to enterprise mobility

1. Managed configurations

  • Application control
  • Password
  • MFA requirements
  • Token-based access
  • Patch repository
  • Firmware Over-the-Air
  • Remote wipe
  • WiFi
  • Profiles
  • Bluetooth
  • Near-field communication (NFC)
  • Peripherals
  • Geofencing
  • VPN settings
  • Geotagging
  • Certificate management
  • Full device encryption
  • Tethering
  • Airplane mode
  • Location services
  • DNS over HTTPS (DoH)
  • Custom DNS

2. Deployment scenarios

  • Bring your own device (BYOD)
  • Corporate-owned
  • Corporate-owned, personally enabled (COPE)
  • Choose your own device (CYOD)

3. Security considerations

  • Unauthorized remote activation/deactivation of devices or features
  • Encrypted and unencrypted communication concerns
  • Physical reconnaissance
  • Personal data theft
  • Health privacy
  • Implications of wearable devices
  • Digital forensics of collected data
  • Unauthorized application stores
  • Jailbreaking/rooting
  • Side loading
  • Containerization
  • Original equipment manufacturer (OEM) and carrier differences
  • Supply chain issues
  • eFuse

3.2 Given a scenario, configure and implement endpoint security controls

1. Hardening techniques

  • Removing unneeded services
  • Disabling unused accounts
  • Images/templates
  • Remove end-of-life devices
  • Remove end-of-support devices
  • Local drive encryption
  • Enable no execute (NX)/execute never (XN) bit
  • Disabling central processing unit (CPU) virtualization support
  • Secure encrypted enclaves/memory encryption
  • Shell restrictions
  • Address space layout randomization (ASLR)

2. Processes

  • Patching
    • Firmware
    • Application
  • Logging
  • Monitoring

3. Mandatory access control

  • Security-Enhanced Linux (SELinux)/Security-Enhanced Android (SEAndroid)
  • Kernel vs. middleware

4. Trustworthy computing

  • Trusted Platform Module (TPM)
  • Secure Boot
  • Unified Extensible Firmware Interface (UEFI)/basic input/output system (BIOS) protection
  • Attestation services
  • Hardware security module (HSM)
  • Measured boot
  • Self-encrypting drives (SEDs)

5. Compensating controls

  • Antivirus
  • Application controls
  • Host-based intrusion detection system (HIDS)/Host-based intrusion prevention system (HIPS)
  • Host-based firewall
  • Endpoint detection and response (EDR)
  • Redundant hardware
  • Self-healing hardware
  • User and entity behavior analytics (UEBA)

3.3 Explain security considerations impacting specific sectors and operational technologies

1. Embedded

  • Internet of Things (IoT)
  • System on a chip (SoC)
  • Application-specific integrated circuit (ASIC)
  • Field-programmable gate array (FPGA)

2. ICS/supervisory control and data acquisition (SCADA)

  • Programmable logic controller (PLC)
  • Historian
  • Ladder logic
  • Safety instrumented system
  • Heating, ventilation, and air conditioning (HVAC)

3. Protocols

  • Controller Area Network (CAN) bus
  • Modbus
  • Distributed Network Protocol 3 (DNP3)
  • Zigbee
  • Common Industrial Protocol (CIP)
  • Data distribution service

4. Sectors

  • Energy
  • Manufacturing
  • Healthcare
  • Public utilities
  • Public services
  • Facility services

3.4 Explain how cloud technology adoption impacts organizational security

1. Automation and orchestration

2. Encryption and configuration

3. Logs

  • Availability
  • Collection
  • Monitoring
  • Configuration
  • Alerting

4. Monitoring configurations

5. Key ownership and location

6. Key life-cycle management

7. Backup and recovery methods

8. Infrastructure vs. serverless computing

9. Application virtualization

10. Software-defined networking

11. Misconfigurations

12. Collaboration tools

13. Storage configurations

14. Cloud access security broker (CASB)

3.5 Given a business requirement, implement the appropriate PKI solution

1. PKI hierarchy

  • Certificate authority (CA)
  • Subordinate/intermediate CA
  • Registration authority (RA)

2. Certificate types

  • Wildcard certificate
  • Extended validation
  • Multidomain
  • General purpose

3. Certificate usages/profiles/templates

  • Client authentication
  • Server authentication
  • Digital signatures
  • Code signing

4. Extensions

  • Common name (CN)
  • Subject alternate name (SAN)

5. Trusted providers

6. Trust model

7. Cross-certification

8. Configure profiles

9. Life-cycle management

10. Public and private keys

11. Digital signature

12. Certificate pinning

13. Certificate stapling

14. Certificate signing requests

3.6 Given a business requirement, implement the appropriate cryptographic protocols and algorithms

1. Hashing

  • Secure Hashing Algorithm (SHA)
  • Hash-based message authentication code (HMAC)
  • Message digest (MD)
  • RACE integrity primitives evaluation message digest (RIPEMD)
  • Poly1305

2. Symmetric algorithms

  • Modes of operation
  • Stream and block

3. Asymmetric algorithms

  • Key agreement
  • Signing

4. Protocols

  • Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
  • Internet Protocol Security (IPSec)
  • Secure Shell (SSH)
  • EAP

5. Elliptic curve cryptography

  • P256
  • P384

6. Forward secrecy

7. Authenticated encryption with associated data

8. Key stretching

3.7 Given a scenario, troubleshoot issues with cryptographic implementations

1. Implementation and configuration issues

  • Validity dates
  • Wrong certificate type
  • Revoked certificates
  • Incorrect name
  • Chain issues
    • Invalid root or intermediate CAs
    • Self-signed
  • Weak signing algorithm
  • Weak cipher suite
  • Incorrect permissions
  • Cipher mismatches
  • Downgrade

2. Keys

  • Mismatched
  • Improper key handling
  • Embedded keys
  • Rekeying
  • Exposed private keys
  • Crypto shredding
  • Cryptographic obfuscation
  • Key rotation
  • Compromised keys


CASP+ Domain 3

CASP+ is an advanced-level cybersecurity certification for security architects and senior security engineers. To earn this cert, you will have to pass the CASP+ certification exam covering four Domains of knowledge. Use this article to help you map out your study outline for Domain 3, and you will be one step closer to earning the CASP+ cert for yourself.



Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.