Enterprise Security Architecture and Design Principles
CASP+ expects you to design security architectures that balance risk, business requirements, and technical constraints. Key frameworks: SABSA (Sherwood Applied Business Security Architecture) — a risk-driven framework that starts with business attributes and derives security requirements top-down; TOGAF (The Open Group Architecture Framework) — enterprise architecture framework used to align IT and security with business goals; DoDAF (Department of Defense Architecture Framework) — used in government and defence contexts. Zero Trust Architecture: verify every user, device, and connection regardless of network location. Components: identity provider (MFA-enforced), device posture assessment (MDM compliance), micro-segmentation (east-west traffic control), continuous monitoring (UEBA, SIEM). Software-defined perimeter (SDP) implements Zero Trust by making the network invisible to unauthorised users — you cannot attack what you cannot see.
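As an added illustration (not from the CASP+ material), a minimal policy-decision function in Go that applies the Zero Trust components listed above: the identity provider's MFA assertion, the MDM posture result, and a micro-segmentation allow-list, with the source network deliberately carrying no weight. Field names and the sample policy are constructed for this example.

```go
package main

import "fmt"

// AccessRequest carries the signals a Zero Trust policy engine evaluates on
// every request. Field names are this example's own, not a product API.
type AccessRequest struct {
	User            string
	MFAVerified     bool   // asserted by the identity provider
	DeviceCompliant bool   // MDM posture check passed (enrolled, patched, encrypted)
	SourceNetwork   string // "corporate-lan", "internet", ... recorded but never trusted
	Segment         string // micro-segment holding the requested resource
}

type Decision struct {
	Allow  bool
	Reason string
}

// Evaluate implements "verify every user, device and connection regardless of
// network location": SourceNetwork is logged for monitoring but never grants
// trust, so a LAN request without MFA fails exactly like one from the internet.
func Evaluate(r AccessRequest, segmentsFor map[string][]string) Decision {
	if !r.MFAVerified {
		return Decision{false, "identity not MFA-verified (from " + r.SourceNetwork + ")"}
	}
	if !r.DeviceCompliant {
		return Decision{false, "device posture check failed"}
	}
	for _, s := range segmentsFor[r.User] { // micro-segmentation: east-west allow-list
		if s == r.Segment {
			return Decision{true, "identity, device and segment policy satisfied"}
		}
	}
	return Decision{false, "no policy grants " + r.User + " access to segment " + r.Segment}
}

func main() {
	policy := map[string][]string{"alice": {"payments"}} // constructed allow-list
	requests := []AccessRequest{
		{"alice", false, true, "corporate-lan", "payments"}, // on-prem but no MFA: denied
		{"alice", true, true, "internet", "payments"},       // remote, fully verified: allowed
		{"alice", true, true, "internet", "hr-db"},          // verified but wrong segment: denied
	}
	for _, r := range requests {
		d := Evaluate(r, policy)
		fmt.Printf("%-14s allow=%-5t %s\n", r.SourceNetwork, d.Allow, d.Reason)
	}
}
```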
Cryptography and PKI Implementation
CASP+ tests practical cryptography implementation decisions. Algorithm selection: AES-256-GCM for symmetric encryption (GCM mode provides authenticated encryption — integrity built in), RSA-4096 for key exchange and signatures (being replaced by ECC in modern systems), ECDSA/ECDH for elliptic-curve signatures and key agreement (equivalent security to RSA at far smaller key sizes — critical for IoT and mobile), SHA-256 minimum for hashing (SHA-1 deprecated, MD5 broken). PKI architecture for enterprises: root CA (offline, hardware security module, air-gapped), intermediate CA (online, issues end-entity certificates), OCSP stapling (the server presents a recent signed OCSP response in the handshake, so clients get current revocation status without querying the CA and revealing which sites they visit), certificate transparency logs (public audit trail of issued certificates, prevents mis-issuance). Key management: HSMs protect private keys at rest, key escrow enables recovery, key ceremony documents key generation procedures, certificate lifecycle management automates renewal before expiry.
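An added example (not from the page) of the AES-256-GCM decision above using Go's standard library: the authentication tag covers both ciphertext and associated data, so any tampering is rejected before plaintext is released. The record identifier and the all-zero demo key are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewAESGCM returns an AEAD pinned to AES-256: aes.NewCipher would also accept
// 16- or 24-byte keys (AES-128/192), so the length is checked explicitly.
func NewAESGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and authenticates it together with aad. A fresh random
// nonce is generated per message and prepended: output is nonce || ciphertext || tag.
func Seal(gcm cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag over ciphertext and aad before releasing plaintext;
// one flipped bit anywhere makes it fail closed with an error.
func Open(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func main() {
	gcm, _ := NewAESGCM(make([]byte, 32)) // constructed all-zero key; real keys live in an HSM/KMS
	sealed, _ := Seal(gcm, []byte("PAN=4111..."), []byte("record-id:42"))
	sealed[len(sealed)-1] ^= 1 // constructed tamper: flip one bit of the tag
	_, err := Open(gcm, sealed, []byte("record-id:42"))
	fmt.Println("tampered message rejected:", err != nil)
}
```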
Vulnerability and Threat Management at Enterprise Scale
Enterprise vulnerability management is not just running a scanner — it is a programme with defined policies, SLAs, exception processes, and executive reporting. Phases: Asset discovery (know your attack surface — passive network scanning, CMDB integration, cloud asset APIs), Vulnerability scanning (authenticated scans for accurate results, CVSS scoring, false positive triage), Risk prioritisation (CVSS + threat intelligence + asset criticality = risk score — CISA KEV list for actively exploited vulnerabilities), Remediation (patching, compensating controls, risk acceptance with documentation), Verification (rescan to confirm fix). Threat modelling methodologies: STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege — good for application design), PASTA (Process for Attack Simulation and Threat Analysis — risk-centric, business impact focus), ATT&CK-based threat modelling (map controls to adversary TTPs).
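The risk-prioritisation formula above (CVSS + threat intelligence + asset criticality), worked as an added Go example that is not part of the original notes: the weights, the CVE placeholders and the asset inventory are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one vulnerability instance on one asset (constructed, not real scanner output).
type Finding struct {
	CVE   string
	Asset string
	CVSS  float64 // CVSS base score, 0.0 to 10.0
	Crit  int     // asset criticality 1 (lab) to 5 (internet-facing, revenue-critical)
	InKEV bool    // present in the CISA Known Exploited Vulnerabilities catalogue
}

// Score combines CVSS, threat intelligence (KEV membership) and asset criticality.
// The weights are an illustrative policy choice, not a standard; the property that
// matters is that a KEV entry on a critical asset outranks a higher CVSS on a lab box.
func Score(f Finding) float64 {
	score := f.CVSS * float64(f.Crit) / 5.0 // scale severity by how much the asset matters
	if f.InKEV {
		score += 4.0 // actively exploited in the wild: jump the queue
	}
	if score > 10 {
		score = 10
	}
	return score
}

// Prioritise returns a copy of findings ordered by risk score, highest first,
// which is the order in which the remediation SLA clock should be applied.
func Prioritise(findings []Finding) []Finding {
	out := append([]Finding(nil), findings...)
	sort.SliceStable(out, func(i, j int) bool { return Score(out[i]) > Score(out[j]) })
	return out
}

func main() {
	findings := []Finding{
		{"CVE-XXXX-0001", "lab-vm-07", 9.8, 1, false},   // critical CVSS, throwaway asset
		{"CVE-XXXX-0002", "payments-api", 7.5, 5, true}, // lower CVSS, but in KEV on a crown jewel
		{"CVE-XXXX-0003", "intranet-wiki", 6.1, 3, false},
	}
	for _, f := range Prioritise(findings) {
		fmt.Printf("%-14s %-14s risk=%.2f\n", f.CVE, f.Asset, Score(f))
	}
}
```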
Security Operations and Incident Response
At the CASP+ level, incident response is about building and running a programme, not just following a checklist. IR programme components: IR policy (legal authority and scope), IR plan (high-level process and roles), IR procedures (step-by-step for specific incident types — malware, data breach, insider threat), playbooks (automated or semi-automated response workflows in SOAR platforms). NIST SP 800-61 IR lifecycle: Preparation > Detection and Analysis > Containment, Eradication, and Recovery > Post-Incident Activity. Evidence handling: chain of custody documentation from first responder onwards, forensic imaging (dd or FTK Imager — bit-for-bit copy, hash-verified), memory acquisition before shutdown (volatile data: running processes, network connections, encryption keys in RAM), legal hold procedures. Threat hunting: hypothesis-driven search for adversaries that bypassed automated detection, using TI feeds, anomaly baselines, and ATT&CK TTPs as hunting hypotheses.
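An added Go example, not from the original notes, of hash-verified imaging: the acquisition hash is computed from the same byte stream that is written to the image (as when dd output is piped through a hash tool), and a later re-verification detects any change to the stored evidence. The disk contents are a constructed stand-in.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Acquire copies src to dst bit-for-bit while hashing the very bytes being
// written, so the acquisition hash comes from the same read as the copy
// (the equivalent of piping dd through sha256sum). Returns the hex digest.
func Acquire(src io.Reader, dst io.Writer) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(dst, io.TeeReader(src, h)); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Verify rehashes the stored image and compares it with the hash recorded in
// the chain-of-custody log; a mismatch means the evidence changed after collection.
func Verify(image []byte, acquisitionHash string) bool {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:]) == acquisitionHash
}

func main() {
	source := bytes.Repeat([]byte("sector-data;"), 512) // constructed stand-in for a disk
	var image bytes.Buffer
	hash, err := Acquire(bytes.NewReader(source), &image)
	if err != nil {
		panic(err)
	}
	fmt.Println("sha256:", hash)
	fmt.Println("verified after acquisition:", Verify(image.Bytes(), hash))
	image.Bytes()[100] ^= 0xFF // constructed tamper: one byte altered in storage
	fmt.Println("verified after tamper:    ", Verify(image.Bytes(), hash))
}
```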
Cloud Security and Emerging Technology Risks
CASP+ covers cloud security at an architectural depth: shared responsibility matrix (IaaS — you own OS and above; PaaS — you own application and data; SaaS — you own identity and data configuration), cloud security posture management (CSPM — continuously checks cloud resource configs against benchmarks), cloud workload protection platforms (CWPP — runtime protection for VMs, containers, serverless), CASB (Cloud Access Security Broker — visibility and control for SaaS shadow IT). Container security: image scanning (registry vulnerability scan before deployment), runtime protection (Falco, Aqua — detect anomalous syscalls), Kubernetes RBAC (ClusterRole and ClusterRoleBinding), network policies (namespace isolation, pod-to-pod traffic control), secrets management (HashiCorp Vault, Kubernetes Secrets with encryption at rest). IoT security risks: default credentials, unencrypted protocols, long patch cycles, physical tampering — remediate with network segmentation, firmware verification, and certificate-based authentication.
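As an added example (not from the page), the core loop of cloud security posture management in Go: benchmark-style rules evaluated against a constructed resource inventory, producing one finding per misconfiguration. Rule IDs and setting names are this example's own, not a vendor's or CIS's.

```go
package main

import "fmt"

// CloudResource is a constructed, flattened view of one cloud resource's settings.
type CloudResource struct {
	ID     string
	Kind   string            // "storage-bucket", "vm", "db"
	Config map[string]string // setting name -> value, as a CSPM would pull from provider APIs
}

// Rule is one benchmark control: the resource kind it applies to and a compliance check.
type Rule struct {
	ID, Kind, Severity string
	Check              func(c map[string]string) bool // true = compliant
}

// Benchmark holds CIS-style controls; IDs and setting names are this example's own.
var Benchmark = []Rule{
	{"STOR-1", "storage-bucket", "high", func(c map[string]string) bool { return c["public_access"] == "blocked" }},
	{"STOR-2", "storage-bucket", "medium", func(c map[string]string) bool { return c["encryption_at_rest"] == "enabled" }},
	{"VM-1", "vm", "high", func(c map[string]string) bool { return c["ssh_open_to_internet"] != "true" }},
	{"DB-1", "db", "critical", func(c map[string]string) bool { return c["publicly_accessible"] == "false" }},
}

// Finding names one resource failing one benchmark rule.
type Finding struct{ Resource, Rule, Severity string }

// Evaluate runs every applicable rule against every resource; scheduled or event-driven, this is the CSPM loop.
func Evaluate(resources []CloudResource, rules []Rule) []Finding {
	var findings []Finding
	for _, r := range resources {
		for _, rule := range rules {
			if rule.Kind == r.Kind && !rule.Check(r.Config) {
				findings = append(findings, Finding{r.ID, rule.ID, rule.Severity})
			}
		}
	}
	return findings
}

func main() {
	resources := []CloudResource{ // constructed inventory
		{"logs-bucket", "storage-bucket", map[string]string{"public_access": "open", "encryption_at_rest": "enabled"}},
		{"web-01", "vm", map[string]string{"ssh_open_to_internet": "true"}},
		{"orders-db", "db", map[string]string{"publicly_accessible": "false"}},
	}
	for _, f := range Evaluate(resources, Benchmark) {
		fmt.Printf("%-12s fails %-6s (%s)\n", f.Resource, f.Rule, f.Severity)
	}
}
```

Note that STOR-1 and STOR-2 fail closed when the setting is absent from the config, so an unexpected or unrecorded resource surfaces as a finding rather than passing silently.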