Security first: An overview of CompTIA CASP and SMSP certification
When it comes to IT-related certifications that are a mouthful, CompTIA wins at both ends of the spectrum. On one end, they have what is commonly known merely as “A+,” though it consists of multiple exams intended to validate entry-level hardware and operating system skills.
At the opposite end, there is the relatively new “Social Media Security Professional Powered by CompTIA” certification (SMSP) that is administered through Ultimate Knowledge Institute (UKI).
CompTIA also now has impressive security breadth in its certification portfolio, with the popular Security+ credential serving as a foundational certification. Security+ is now complemented by SMSP and the CompTIA Advanced Security Practitioner (CASP) credential, two completely different specialty offerings.
Since most people in IT readily associate Security+ with CompTIA, but are less familiar with the other two, we will focus on those complementary offerings in this overview.
The Social Media Security Professional certification is the “industry’s first social media security certification” and is good for life (no three-year limit or need for renewal). It requires passing a single exam of 65 questions, which must be answered in 90 minutes with a passing score of 700.
Training courses taken through UKI qualify candidates to sit for the exam; otherwise, one year of verified cybersecurity work experience is required. Taking the exam on its own costs $275.
The three-day self-paced course bundled with the exam costs $799, but carries the added benefit of 24 continuing education units (CEUs), which can be applied toward keeping other CompTIA certifications (such as A+, Network+, or Security+) current.
The SMSP exam has five domains, each encompassing various objectives. The following table lists the exam objectives; the topics beneath each objective are set out in the Common Body of Knowledge (CBK), which can be requested from UKI.
|Objective|
|---|
|Understand Social Media Theory|
|Understand Social Media Typing|
|Social Media Implementations and Use Cases|
|Understand Social Media Capabilities|
|Understand Social Hosting Platforms|
|Understand Social Media End User Platforms and Applications|
|Understand Social Media Standards and Protocols|
|Understand Social Media Threats|
|Understand Social Media Common Attack Characteristics|
|Understand Foundational Detection and Protection Strategies|
|Understand Common Social Media Security Settings|
|Understand Social Media Incident Response Strategies|
|Understand Social Media Policy Framework|
|Understand Social Media Terms of Service|
|Understand Social Media Privacy Statements – Policy|
In addition to the Common Body of Knowledge, you can also request sample questions. More information about the exam and certification can be obtained by contacting UKI at 888.677.5696.
The CompTIA Advanced Security Practitioner credential is still a relative newcomer to the IT certification scene. Launched in the fall of 2011, the CASP is intended to build on the cybersecurity knowledge of individuals whose initial exposure to cybersecurity skills and concepts is rooted in CompTIA’s popular Security+ certification.
CompTIA describes the CASP — which some in the cybersecurity community view as a comparable alternative to the more widely recognized CISSP certification sponsored by (ISC)² — in the following terms:
“CompTIA Advanced Security Practitioner (CASP) meets the growing demand for advanced IT security in the enterprise. Recommended for IT professionals with at least 5 years of experience, CASP certifies critical thinking and judgment across a broad spectrum of security disciplines and requires candidates to implement clear solutions in complex environments.”
The latest version of the CASP exam (CAS-002) requires answering up to 90 questions in 165 minutes. The questions combine multiple-choice and performance-based items; candidates either pass or fail, and the passing score is not revealed.
The cost is currently $414. It is recommended that candidates have 10 years of experience with IT administration, five of which are directly related to security. This is not a lifetime certification. Credential holders must keep their skills current either by recertifying or via continuing education units (CEUs).
Like the SMSP exam, the CASP exam has five domains, each of which encompasses various objectives. Unlike SMSP, however, CompTIA publishes the weighting of each domain. The following table shows the domains and their objectives.
Note: While there is not a Common Body of Knowledge for this exam, there is a more detailed list of what topics are beneath each domain that includes a glossary of acronyms, which can be accessed from the CompTIA website.
|Domain (exam weighting)|Objective|
|---|---|
|Enterprise Security (30%)|Given a scenario, select appropriate cryptographic concepts and techniques|
|Enterprise Security (30%)|Explain the security implications associated with enterprise storage|
|Enterprise Security (30%)|Given a scenario, analyze network and security components, concepts and architectures|
|Enterprise Security (30%)|Given a scenario, select and troubleshoot security controls for hosts|
|Enterprise Security (30%)|Differentiate application vulnerabilities and select appropriate security controls|
|Risk Management and Incident Response (20%)|Interpret business and industry influences and explain associated risks|
|Risk Management and Incident Response (20%)|Given a scenario, execute risk mitigation planning, strategies and controls|
|Risk Management and Incident Response (20%)|Compare and contrast security, privacy policies and procedures based on organizational requirements|
|Risk Management and Incident Response (20%)|Given a scenario, conduct incident response and recovery procedures|
|Research, Analysis and Assessment (18%)|Apply research methods to determine industry trends and impacts to the enterprise|
|Research, Analysis and Assessment (18%)|Analyze scenarios to secure the enterprise|
|Research, Analysis and Assessment (18%)|Given a scenario, select methods or tools appropriate to conduct an assessment and analyze results|
|Integration of Computing, Communications and Business Disciplines (16%)|Given a scenario, facilitate collaboration across diverse business units to achieve security goals|
|Integration of Computing, Communications and Business Disciplines (16%)|Given a scenario, select the appropriate control to secure communications and collaboration solutions|
|Integration of Computing, Communications and Business Disciplines (16%)|Implement security activities across the technology life cycle|
|Technical Integration of Enterprise Components (16%)|Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture|
|Technical Integration of Enterprise Components (16%)|Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives|
We will explore the subjects covered on the exam in more detail in future articles, but following are five questions to test your knowledge of CASP-related topics. These questions are not intended to mirror those on the exam, but merely to test your knowledge of similar topics.
1) Melanie regularly encrypted a folder full of files with her public key to keep them safe from prying eyes. Jerry, an administrator, thought Melanie had been fired when actually it was Melody in Sales who was let go. Erroneously, Jerry deleted Melanie’s account, which had exclusive access to the private key. What can be used to remedy this situation?
A. The same public key used to encrypt the files can be used to decrypt them.
B. A recovery agent can be used to decrypt the files and/or the private key.
C. A steganography key, often referred to as a bump key, can be used to decrypt the files.
D. The files cannot be recovered.
2) EAD Enterprises has numerous branch offices and a skeleton crew of IT professionals at each to support operations. If configured correctly, what type of Incident Response Team should exist at the main office to help guide those at the branch offices responsible for each of their locations?
3) Log files point to the possibility that someone is using a port scanner on your servers looking for a weakness. Which of the following would NOT be a good way to minimize the vulnerabilities port scanning could uncover?
A. Disable unnecessary ports and services.
B. Use TCP wrappers on services that are vulnerable and cannot be otherwise protected.
C. Implement grid computing.
D. Remove banners as much as possible.
4) The Security Development Lifecycle (SDL) helps developers build more secure software. During which phase of SDL would threat modeling be first used?
5) Which of the following is a cross-domain, browser-based, Single Sign-On (SSO) framework and extension of the SAML (Security Assertion Markup Language) 1.1 standard?
Answers
1) B. If a data recovery agent was designated before the files were encrypted, its key can decrypt the files directly or, where private keys are escrowed, recover Melanie’s private key. This topic is covered in the Enterprise Security domain.
2) B. A coordinating incident response team combines features of the central and distributed models; its role is to guide the staff at each branch office who are responsible for their own location. This topic is covered in the Risk Management and Incident Response domain.
3) C. Grid computing does nothing to reduce what a port scan can reveal. Disabling unneeded ports and services, wrapping vulnerable services with TCP wrappers, and removing the banners that applications and operating systems emit all shrink the attack surface a scan can enumerate. This topic is covered in the Research, Analysis, and Assessment domain.
4) C. Threat modeling is first applied during the Design phase of the SDL, where the goal is to identify security weaknesses in the design and devise ways to eliminate or mitigate them. This topic is covered in the Integration of Computing, Communications and Business Disciplines domain.
5) D. Shibboleth is a cross-domain, browser-based, Single Sign-On (SSO) framework and extension of the SAML (Security Assertion Markup Language) 1.1 standard. This topic is covered in the Technical Integration of Enterprise Components domain.
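The recovery-agent answer to question 1 rests on one structural fact: the key that actually encrypts the file is itself wrapped once for every authorised key holder, so the owner’s copy is not the only way back to the data. The following is an added example, not code from the article or from CompTIA, that models that envelope in plain Python. To run without third-party libraries it uses symmetric key-encryption keys where EFS uses RSA key pairs, and a toy HMAC-SHA256 stream cipher with an HMAC tag as the file cipher; the names melanie_kek and dra_kek and the sample plaintext are made up for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the article. Symmetric KEKs stand in for the RSA
# key pairs EFS uses; the envelope structure (one wrapped FEK per holder)
# is the point being shown. The cipher below is for demonstration only.

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256 over nonce||counter, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; only then decrypt."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def encrypt_file(plaintext, holder_keks):
    """Encrypt once under a fresh file encryption key (FEK), then wrap the
    FEK separately for every key holder: the owner and any recovery agents
    configured at the time of encryption."""
    fek = secrets.token_bytes(32)
    return {
        "data": seal(fek, plaintext),
        "wrapped_fek": {name: seal(kek, fek) for name, kek in holder_keks.items()},
    }


def decrypt_file(blob, holder, kek):
    """Any listed holder unwraps its own copy of the FEK, then the data."""
    fek = unseal(kek, blob["wrapped_fek"][holder])
    return unseal(fek, blob["data"])


def demo():
    """Walk through the question-1 scenario; returns the outcomes."""
    secret = b"Q3 sales forecast (constructed sample data)"
    melanie_kek = secrets.token_bytes(32)
    dra_kek = secrets.token_bytes(32)  # recovery agent key, set by policy beforehand

    # Melanie encrypts while the recovery agent is already configured.
    blob = encrypt_file(secret, {"melanie": melanie_kek, "dra": dra_kek})
    # Jerry deletes Melanie's account; her key material is gone for good.
    del melanie_kek

    results = {"dra_recovers": decrypt_file(blob, "dra", dra_kek) == secret}

    # Caveat: a file encrypted before the agent existed carries no copy for it.
    old_blob = encrypt_file(b"older file", {"melanie": secrets.token_bytes(32)})
    results["dra_listed_on_old_file"] = "dra" in old_blob["wrapped_fek"]

    # A wrong key is rejected outright instead of producing garbage plaintext.
    try:
        decrypt_file(blob, "dra", secrets.token_bytes(32))
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats the scenario glosses over show up directly in the code: the agent’s key has to be in the envelope before the file is encrypted (a file encrypted earlier has no wrapped copy for it, and answer D applies to those files), and a wrong key fails authentication rather than silently yielding garbage.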
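Question 3 starts from log evidence of a port scan. The detection logic behind that premise, as an added example that is not from the article: parse netfilter-style syslog lines and alert when one source touches an unusual number of distinct destination ports inside a sliding window. The log format, the host names, the TEST-NET addresses and the thresholds (10 ports in 60 seconds) are constructed assumptions for the demo; tune them to your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the article. The log format below imitates
# netfilter "kernel:" syslog lines; the hosts, addresses (TEST-NET ranges)
# and events are constructed for the demo.

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Return (timestamp, source_ip, dest_port), or None for a non-matching line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog carries no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag any source that touches >= threshold distinct destination ports
    within a sliding time window. Assumes lines arrive in time order.
    Returns {src: (window_start_hhmmss, distinct_ports_at_alert)}."""
    recent = defaultdict(deque)  # src -> deque of (ts, dport) inside the window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dpt = rec
        q = recent[src]
        q.append((ts, dpt))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0].strftime("%H:%M:%S"), len(distinct))
    return alerts


def build_sample_log():
    """Constructed events: a fast scanner, a busy but legitimate HTTPS client,
    and a slow prober that never exceeds the threshold in any one window."""
    base = datetime(1900, 6, 12, 10, 0, 0)  # year is irrelevant; the format has none
    events = []
    for i in range(12):  # scanner: ports 21..32 in twelve seconds
        events.append((base + timedelta(seconds=1 + i), "203.0.113.5", 21 + i))
    for i in range(15):  # legit client: repeated hits on one port
        events.append((base + timedelta(seconds=i), "198.51.100.77", 443))
    for i in range(8):  # slow prober: one new port per minute
        events.append((base + timedelta(minutes=5 + i), "192.0.2.9", 8000 + i))
    events.sort()
    return [
        f"{ts.strftime('%b %d %H:%M:%S')} web01 kernel: IN=eth0 OUT= "
        f"SRC={src} DST=198.51.100.10 PROTO=TCP SPT={40000 + n} DPT={dpt} SYN"
        for n, (ts, src, dpt) in enumerate(events)
    ]


if __name__ == "__main__":
    for src, (start, n) in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan from {src}: {n} distinct ports since {start}")
```

The sliding window is what separates a scanner from a busy legitimate client: the HTTPS client generates more lines than the scanner but only ever touches one port, while the slow prober spreads its probes thinly enough that a 60-second window never sees more than two. Widening the window (or lowering the threshold) catches the slow prober too, at the cost of more noise from hosts that legitimately talk to many services.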