PDF CAS-004 Study Guide

Information Sharing and Analysis Centers (ISACs) are member-driven organizations, facilitated by the government, that gather and share information on cybersecurity threats, vulnerabilities, and incidents among their members. Engaging with an ISAC would enable the company to collaborate with others in the industry regarding emerging attacks and security threats.

Certificate pinning is a technique that embeds one or more trusted certificates or public keys inside an application, and verifies that any certificate presented by a server matches one of those certificates or public keys. Certificate pinning can prevent on-path attacks, such as man-in-the-middle (MITM) attacks, which intercept and modify the communication between a client and a server.

Configuring certificate pinning inside the application would allow the mobile application developer to create a global, highly scalable, secure chat application that is not susceptible to on-path attacks while the user is traveling in potentially hostile regions, because it would:

Ensure that only trusted servers can communicate with the application, by rejecting any server certificate that does not match one of the pinned certificates or public keys.

Protect the confidentiality, integrity, and authenticity of the chat messages, by preventing any attacker from intercepting, modifying, or impersonating them.

Enhance the security of the application by reducing its reliance on external factors, such as certificate authorities (CAs), certificate revocation lists (CRLs), or online certificate status protocol (OCSP).

In cloud computing models, the security of the physical data center is the responsibility of the Cloud Service Provider (CSP). The CSP is responsible for protecting the infrastructure that runs all of the services offered in the cloud, which includes the physical security of the data center.

Comprehensive and Detailed Step by Step Explanation:

Data masking obscures sensitive data displayed on screens, such as masking certain characters (e.g., showing *** for parts of SSNs).

It allows legitimate use while protecting the data from being misused or stolen.

Encryption is unrelated because it protects data in transit or at rest but does not address how it is displayed.

Tokenization replaces data with a token but is more relevant for storage and transactional systems, not screen data.

Scrubbing refers to cleansing datasets but does not address this scenario.

References:

CompTIA CASP+ Exam Objective 3.4: Implement controls to reduce privacy and information risks.

CASP+ Study Guide, 5th Edition, Chapter 8, Privacy Controls.