With the increase of cybersecurity threats worldwide, corporations are eager to recruit individuals with mastery-level skills in information security. This has resulted in an increased demand for CASP-certified professionals. Organizations that rely on CASP skills include DELTA Resources, U.S. Army, Penn State University and more.

When you consider that top organizations are looking for CASP-certified professionals, you will want to be prepared for CASP interview questions that C-level executives or hiring managers at these well-respected establishments may ask.

In this post, we have listed the top 10 CASP interview questions that aspiring CASP-certified professionals are likely to be asked in an interview – as well as which answers are the most effective.

1. What is a three-way handshake? Which authentication scheme uses it to validate the identity of originating clients?

The three-way handshake is a key part of TCP (Transmission Control Protocol) and consists of three messages: SYN, SYN/ACK and ACK. SYN is the client's request for an outgoing connection to the server, ACK is the server's acknowledgment back to the client (yes, I can hear you, let's connect), and SYN/ACK is the final exchange that allows both client and server to speak.

CHAP (Challenge-Handshake Authentication Protocol) is the authentication scheme that uses a three-way handshake to verify the identity of remote clients periodically. It sends a challenge to the client at the time the connection request is established. The client's response to the challenge is then sent to the server, and the encryption outcome is compared with the server's own result. When the challenge is successful, the client can log in.
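The exchange described above, as an added example that is not part of the original post: a minimal CHAP server and client modelled on RFC 1994, where the response is MD5(Identifier || secret || Challenge). The names, secrets and the single-server setup are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed CHAP exchange: both sides hold the shared secret, the server
# issues a fresh random challenge, and the client proves knowledge of the
# secret without ever sending it over the wire.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets      # name -> shared secret (constructed store)
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        # A fresh random challenge each round means an old response is useless.
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is single-use
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare

def run_exchange(server: ChapServer, name: str, client_secret: bytes,
                 identifier: int = 1):
    """Client side: answer the server's challenge with its copy of the secret."""
    chal = server.challenge(identifier)
    resp = chap_response(identifier, client_secret, chal)
    return server.verify(identifier, name, resp), resp

def demo():
    server = ChapServer({"alice": b"s3cret-shared-key"})
    ok, good_resp = run_exchange(server, "alice", b"s3cret-shared-key")
    bad, _ = run_exchange(server, "alice", b"wrong-key")
    # Replay attempt: resend the earlier valid response against a new challenge.
    server.challenge(1)
    replayed = server.verify(1, "alice", good_resp)
    return ok, bad, replayed

if __name__ == "__main__":
    print(demo())
```

The demo returns (True, False, False): the right secret authenticates, a wrong secret is rejected, and replaying a captured response fails because the challenge changed.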

2. What is the difference between a Black Box test and a White Box test?

A Black Box test refers to testing the structure or design of a piece of software by a pen test team that is not familiar with the inner workings of the software in question. In cybersecurity, the term Black Box testing is often used interchangeably with external penetration testing. White Box testing, on the other hand, is testing in which the pen test team is familiar with the software's inner workings and is given as much detail as possible about the environment. It is typically implemented in the form of SAST (Static Application Security Testing) and involves extensive review of the source files using behavioral and signature-based analysis.

3. What is data exfiltration?

Data exfiltration refers to getting sensitive information out of a location without anyone discovering the attempt. In a highly secure environment, exfiltration is a big challenge but is not impossible to achieve. Data exfiltration attempts can be supported by malicious insiders who can get in and out without being identified as a looming threat.

4. What is the difference between public-key and symmetric cryptography?

Both types of cryptography are used to encrypt data; the difference is whether one key or two are used. Symmetric-key cryptography relies on the same key for encryption and decryption, which makes it easier to implement. However, the two parties exchanging messages must share the same secret key before transmitting secure information. In public-key cryptography, there is a private key and a public key. Encryption is carried out with the recipient's public key, and the sender signs with their own private key. The advantage of public-key cryptography is that the public key does not need to be kept secret.
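To make the one-key versus two-key distinction concrete, here is an added example (not from the original post) using textbook RSA with the classic tiny primes 61 and 53 beside a toy symmetric XOR cipher; the primes, messages and the unpadded RSA are constructed for illustration and are not secure for real data.

```python
import hashlib

# Textbook RSA (no padding) on constructed tiny primes: encrypt with the
# recipient's public key, decrypt with their private key, sign with the
# sender's private key, verify with the sender's public key.

def keygen(p: int, q: int, e: int):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)

def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)

def _digest_mod_n(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest_mod_n(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(msg, n)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream. The same key is
    used in both directions, so both parties must already share it."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def demo():
    pub, priv = keygen(61, 53, 17)            # n = 3233, d = 2753
    c = encrypt(pub, 65)                      # constructed message 65 -> 2790
    only_private_works = decrypt(priv, c) == 65 and decrypt(pub, c) != 65
    sig_ok = verify(pub, b"hello", sign(priv, b"hello"))
    shared = b"shared-secret"
    sym_roundtrip = stream_xor(shared, stream_xor(shared, b"attack at dawn"))
    return c, only_private_works, sig_ok, sym_roundtrip
```

Decrypting with the public key instead of the private key does not recover the message, which is exactly why the public key can be published freely.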

5. Can you explain the Chain of Custody?

Chain of Custody is the process of validating how any form of evidence has been documented, gathered and kept secure on its way to court. Equipment or data that will be used in legal proceedings must be kept in a pristine state. Hence, accurately documenting who was granted access to what and for how long is critical. Any inaccuracies or errors in the Chain of Custody can raise legal issues for the involved parties and can result in contempt or mistrial, depending on the situation.
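One way to keep the "who had access to what and for how long" record tamper-evident, as an added example that is not part of the original post: a hash-chained custody log in which each handoff records the evidence image's hash and the hash of the previous entry. The custodians, timestamps and evidence bytes are constructed.

```python
import hashlib
import json

# Constructed hash-chained custody log: every entry binds the custodian, the
# action, the time, the evidence hash and the previous entry's hash, so a later
# edit to any entry or to the evidence itself breaks verification.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())

def add_entry(log: list, custodian: str, action: str, evidence: bytes, when: str) -> dict:
    entry = {
        "seq": len(log),
        "custodian": custodian,
        "action": action,
        "timestamp": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": entry_hash(log[-1]) if log else "0" * 64,
    }
    log.append(entry)
    return entry

def verify_log(log: list, evidence: bytes) -> tuple:
    """Return (ok, reason): checks ordering, chain linkage and that the
    evidence still matches the hash recorded at every handoff."""
    expected_prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"entry {i}: sequence gap or reordering"
        if entry["prev_hash"] != expected_prev:
            return False, f"entry {i}: broken link to previous entry"
        if entry["evidence_sha256"] != sha256_hex(evidence):
            return False, f"entry {i}: evidence no longer matches recorded hash"
        expected_prev = entry_hash(entry)
    return True, "chain intact"

def demo():
    image = b"constructed disk image bytes"
    log = []
    add_entry(log, "Officer A", "seized", image, "2024-01-05T09:00:00Z")
    add_entry(log, "Examiner B", "received for analysis", image, "2024-01-05T11:30:00Z")
    add_entry(log, "Examiner B", "returned to locker", image, "2024-01-06T16:00:00Z")
    intact = verify_log(log, image)[0]
    log[1]["custodian"] = "Examiner C"      # undocumented edit to the record
    record_edited = verify_log(log, image)[0]
    evidence_altered = verify_log(log, image + b"x")[0]
    return intact, record_edited, evidence_altered
```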


6. What is OCSP?

When a website uses certificates to secure HTTPS connections, OCSP (Online Certificate Status Protocol) enables clients to send a query containing a certificate's serial number to the CA, and the CA responds with that certificate's status. The CA can also publish a CRL (certificate revocation list), but a CRL is not queried for a single certificate; it is delivered whole in reply to a request for the list. A registration authority (RA) provides registration services for a CA, but it does not verify certificates.

7. What is the difference between risk transference and risk mitigation?

Risk transference is the shifting of the burden of loss for a risk to a willing third party through contract, insurance, legislation or other means. This can be beneficial for an organization if the transferred risk lies outside its core competency. In contrast, risk mitigation refers to the steps an organization takes to minimize its exposure to a risk. Risks cannot be entirely eliminated; the risk that remains after steps have been taken to manage it is called residual risk.

8. How does SCADA help in the management of HVAC controls?

SCADA (Supervisory Control and Data Acquisition) is a software application for process control. It gathers data from remote locations in real time to keep conditions and equipment in check. SCADA systems include HVAC (heating, ventilation and air conditioning) controls that gather and feed data into the SCADA software. The system then processes this data and delivers results promptly. The SCADA application warns of hazardous conditions by activating alarms.

9. Why do internal threats have a higher success rate than external threats?

Unlike hackers, employees have access to an organization's most critical information on a daily basis. Internal threats may be intentional or accidental, perhaps from a disgruntled current or former employee, or from a lack of attention to established security protocols. These threats are often more difficult to prevent and detect, as many of an organization's external threat mitigation measures are ineffective against parties that are readily permitted access.

10. As a CASP professional, if you are asked to get more information for the security requirements related to a contract that your organization will bid on, what would you use, RFP or RFI?

You're going to initiate an RFI (Request for Information). It is a formal procedure for obtaining additional details on a contract. RFP, on the other hand, is the acronym for Request for Proposal and specifies the scope of tasks that need to be performed. Questions like these are an example of how vital it is to know acronyms when you go in for a CASP interview.

Companies looking for the top tier of CASP-certified professionals will expect you to answer these questions. Make sure you are up to date on the explanations so that you’re able to hold your own, especially if the HR manager decides to go a little deeper.