Virtual, hands-on learning labs allow you to apply your technical skills using live hardware and software hosted in the cloud. So Sybex has bundled CompTIA CySA+ labs from Practice Labs, the IT Competency Hub, with our popular CompTIA CySA+ Study Guide, Second Edition. Working in these labs gives you the same experience you need to prepare for the CompTIA CySA+ Exam CS0-002 that you would face in a real-life setting. Used in addition to the book, the labs are a proven way to prepare for the certification and for work in the cybersecurity field.
The CompTIA CySA+ Study Guide Exam CS0-002, Second Edition provides clear and concise information on crucial security topics and verified 100% coverage of the revised CompTIA Cybersecurity Analyst+ (CySA+) exam objectives. You’ll be able to gain insight from practical, real-world examples, plus chapter reviews and exam highlights. Turn to this comprehensive resource to gain authoritative coverage of a range of security subject areas.
- Review threat and vulnerability management topics
- Expand your knowledge of software and systems security
- Gain greater understanding of security operations and monitoring
- Study incident response information
- Get guidance on compliance and assessment
The CompTIA CySA+ Study Guide, Second Edition connects you to useful study tools that help you prepare for the exam. Gain confidence by using its interactive online test bank with hundreds of bonus practice questions, electronic flashcards, and a searchable glossary of key cybersecurity terms. You also get access to hands-on labs and have the opportunity to create a cybersecurity toolkit.
Leading security experts, Mike Chapple and David Seidl, wrote this valuable guide to help you prepare to be CompTIA Security+ certified. If you’re an IT professional who has earned your CompTIA Security+ certification, success on the CySA+ (Cybersecurity Analyst) exam stands as an impressive addition to your professional credentials. Preparing and taking the CS0-002 exam can also help you plan for advanced certifications, such as the CompTIA Advanced Security Practitioner (CASP+).
And with this edition you also get Practice Labs virtual labs that run from your browser. The registration code is included with the book and gives you 6 months unlimited access to Practice Labs CompTIA CySA+ Exam CS0-002 Labs with 30 unique lab modules to practice your skills.
Table of Contents
Introduction xxvii
Assessment Test xli
Chapter 1 Today’s Cybersecurity Analyst 1
Cybersecurity Objectives 2
Privacy vs. Security 3
Evaluating Security Risks 4
Identify Threats 6
Identify Vulnerabilities 8
Determine Likelihood, Impact, and Risk 8
Reviewing Controls 10
Building a Secure Network 10
Network Access Control 10
Firewalls and Network Perimeter Security 12
Network Segmentation 15
Defense Through Deception 16
Secure Endpoint Management 17
Hardening System Configurations 17
Patch Management 17
Group Policies 18
Endpoint Security Software 19
Penetration Testing 19
Planning a Penetration Test 20
Conducting Discovery 21
Executing a Penetration Test 21
Communicating Penetration Test Results 22
Training and Exercises 22
Reverse Engineering 22
Isolation and Sandboxing 23
Reverse-Engineering Software 23
Reverse-Engineering Hardware 24
The Future of Cybersecurity Analytics 25
Summary 26
Exam Essentials 26
Lab Exercises 28
Activity 1.1: Create an Inbound Firewall Rule 28
Activity 1.2: Create a Group Policy Object 28
Activity 1.3: Write a Penetration Testing Plan 30
Activity 1.4: Recognize Security Tools 30
Review Questions 30
Chapter 2 Using Threat Intelligence 35
Threat Data and Intelligence 36
Open Source Intelligence 37
Proprietary and Closed Source Intelligence 39
Assessing Threat Intelligence 39
Threat Indicator Management and Exchange 41
The Intelligence Cycle 42
The Threat Intelligence Community 43
Threat Classification 44
Threat Actors 44
Threat Classification 45
Threat Research and Modeling 46
Attack Frameworks 48
MITRE’s ATT&CK Framework 48
The Diamond Model of Intrusion Analysis 50
Lockheed Martin’s Cyber Kill Chain 51
The Unified Kill Chain 53
Common Vulnerability Scoring System (CVSS) 53
Applying Threat Intelligence Organizationwide 53
Proactive Threat Hunting 54
Summary 55
Exam Essentials 56
Lab Exercises 57
Activity 2.1: Explore the ATT&CK Framework 57
Activity 2.2: Set Up a STIX/TAXII Feed 58
Activity 2.3: Intelligence Gathering Techniques 58
Review Questions 59
Chapter 3 Reconnaissance and Intelligence Gathering 63
Mapping and Enumeration 64
Active Reconnaissance 65
Mapping Networks and Discovering Topology 65
Pinging Hosts 67
Port Scanning and Service Discovery Techniques and Tools 69
Passive Footprinting 75
Log and Configuration Analysis 76
Harvesting Data from DNS and Whois 84
Responder 91
Information Aggregation and Analysis Tools 92
Information Gathering Using Packet Capture 92
Gathering Organizational Intelligence 92
Organizational Data 93
Electronic Document Harvesting 94
Detecting, Preventing, and Responding to Reconnaissance 97
Capturing and Analyzing Data to Detect Reconnaissance 97
Preventing Reconnaissance 99
Summary 100
Exam Essentials 101
Lab Exercises 102
Activity 3.1: Port Scanning 102
Activity 3.2: Write an Intelligence Gathering Plan 102
Activity 3.3: Intelligence Gathering Techniques 103
Review Questions 103
Chapter 4 Designing a Vulnerability Management Program 109
Identifying Vulnerability Management Requirements 110
Regulatory Environment 110
Corporate Policy 114
Identifying Scan Targets 114
Determining Scan Frequency 115
Active vs. Passive Scanning 117
Configuring and Executing Vulnerability Scans 118
Scoping Vulnerability Scans 118
Configuring Vulnerability Scans 119
Scanner Maintenance 123
Developing a Remediation Workflow 126
Reporting and Communication 127
Prioritizing Remediation 129
Testing and Implementing Fixes 130
Delayed Remediation Options 131
Overcoming Risks of Vulnerability Scanning 131
Vulnerability Scanning Tools 133
Infrastructure Vulnerability Scanning 133
Web Application Scanning 133
Interception Proxies 134
Wireless Assessment Tools 136
Summary 137
Exam Essentials 138
Lab Exercises 139
Activity 4.1: Install a Vulnerability Scanner 139
Activity 4.2: Run a Vulnerability Scan 140
Review Questions 140
Chapter 5 Analyzing Vulnerability Scans 145
Reviewing and Interpreting Scan Reports 146
Understanding CVSS 148
Validating Scan Results 155
False Positives 156
Documented Exceptions 156
Understanding Informational Results 157
Reconciling Scan Results with Other Data Sources 158
Trend Analysis 158
Common Vulnerabilities 158
Server and Endpoint Vulnerabilities 159
Network Vulnerabilities 168
Virtualization Vulnerabilities 173
Internet of Things (IoT) 176
Web Application Vulnerabilities 177
Authentication Vulnerabilities 181
Summary 183
Exam Essentials 184
Lab Exercises 185
Activity 5.1: Interpret a Vulnerability Scan 185
Activity 5.2: Analyze a CVSS Vector 185
Activity 5.3: Remediate a Vulnerability 185
Review Questions 187
Chapter 6 Cloud Security 191
Understanding Cloud Environments 192
The Case for Cloud Computing 193
Cloud Service Models 194
Cloud Deployment Models 200
Operating in the Cloud 204
DevOps Strategies 205
Infrastructure as Code (IaC) 206
Application Programming Interfaces 207
Cloud Monitoring 208
Cloud Infrastructure Security 208
Cloud Infrastructure Security Tools 209
Cloud Access Security Brokers (CASB) 213
Summary 214
Exam Essentials 215
Lab Exercises 216
Activity 6.1: Run a ScoutSuite Assessment 216
Activity 6.2: Explore the Exploits Available with Pacu 216
Activity 6.3: Scan an AWS Account with Prowler 216
Review Questions 217
Chapter 7 Infrastructure Security and Controls 221
Understanding Defense-in-Depth 222
Layered Security 222
Zero Trust 223
Segmentation 224
Network Architecture 226
Physical Network Architectures 227
Software-Defined Networks 227
Virtualization 228
Asset and Change Management 229
Logging, Monitoring, and Validation 229
Encryption 230
Active Defense 231
Infrastructure Security and the Cloud 231
Improving Security by Improving Controls 233
Layered Host Security 234
Permissions 235
Whitelisting and Blacklisting 235
Technical Controls 236
Policy, Process, and Standards 238
Analyzing Security Architecture 240
Analyzing Security Requirements 240
Reviewing Architecture 241
Common Issues 242
Reviewing a Security Architecture 246
Maintaining a Security Design 248
Summary 249
Exam Essentials 249
Lab Exercises 250
Activity 7.1: Review an Application Using the OWASP Attack Surface Analysis Cheat Sheet 250
Activity 7.2: Review a NIST Security Architecture 251
Activity 7.3: Security Architecture Terminology 252
Review Questions 253
Chapter 8 Identity and Access Management Security 259
Understanding Identity 260
Identity Systems and Security Design 261
Threats to Identity and Access 269
Understanding Security Issues with Identities 269
Attacking AAA Systems and Protocols 270
Targeting Account Creation, Provisioning, and Deprovisioning 275
Preventing Common Exploits of Identity and Authorization 276
Acquiring Credentials 277
Identity as a Security Layer 280
Identity and Defense-in-Depth 280
Securing Authentication and Authorization 281
Detecting Attacks and Security Operations 288
Federation and Single Sign-On 289
Federated Identity Security Considerations 289
Federated Identity Design Choices 291
Federated Identity Technologies 293
Federation Incident Response 297
Summary 297
Exam Essentials 298
Lab Exercises 299
Activity 8.1: Federated Security Scenario 299
Activity 8.2: On-site Identity Issues Scenario 300
Activity 8.3: Identity and Access
Management Terminology 301
Review Questions 303
Chapter 9 Software and Hardware Development Security 307
Software Assurance Best Practices 308
The Software Development Life Cycle 309
Software Development Phases 310
Software Development Models 311
DevSecOps and DevOps 317
Designing and Coding for Security 318
Common Software Development Security Issues 319
Security Implications of Target Platforms 321
Secure Coding Best Practices 322
API Security 325
Service-Oriented Architectures 325
Application Testing 327
Information Security and the SDLC 327
Code Review Models 328
Software Security Testing 331
Software Assessment: Testing and Analyzing Code 332
Web Application Vulnerability Scanning 335
Hardware Assurance Best Practices 337
Cryptographic Hardware 337
Firmware Security 338
Hardware Security 339
Summary 340
Exam Essentials 341
Lab Exercises 342
Activity 9.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 342
Activity 9.2: Learn About Web Application Exploits from WebGoat 342
Activity 9.3: SDLC Terminology 343
Review Questions 344
Chapter 10 Security Operations and Monitoring 349
Security Monitoring 350
Analyzing Security Data 350
Logs 351
Endpoint Data Analysis 358
Network Data Analysis 362
Protecting and Analyzing Email 365
Scripting, Searching, and Text Manipulation 369
Summary 371
Exam Essentials 371
Lab Exercises 372
Activity 10.1: Analyze a Network Capture File 372
Activity 10.2: Analyze a Phishing Email 373
Activity 10.3: Security Architecture Terminology 373
Review Questions 374
Chapter 11 Building an Incident Response Program 379
Security Incidents 380
Phases of Incident Response 381
Preparation 382
Detection and Analysis 383
Containment, Eradication, and Recovery 384
Postincident Activity 385
Building the Foundation for Incident Response 387
Policy 387
Procedures and Playbooks 387
Documenting the Incident Response Plan 388
Creating an Incident Response Team 389
Incident Response Providers 391
CSIRT Scope of Control 391
Coordination and Information Sharing 391
Internal Communications 392
External Communications 392
Classifying Incidents 393
Threat Classification 393
Severity Classification 394
Summary 398
Exam Essentials 398
Lab Exercises 399
Activity 11.1: Incident Severity Classification 399
Activity 11.2: Incident Response Phases 400
Activity 11.3: Develop an Incident Communications Plan 400
Review Questions 401
Chapter 12 Analyzing Indicators of Compromise 405
Analyzing Network Events 406
Capturing Network-Related Events 407
Network Monitoring Tools 411
Detecting Common Network Issues 413
Detecting Scans and Probes 417
Detecting Denial-of-Service and Distributed Denial-of-Service Attacks 417
Detecting Other Network Attacks 420
Detecting and Finding Rogue Devices 420
Investigating Host-Related Issues 422
System Resources 422
Malware, Malicious Processes, and Unauthorized Software 426
Unauthorized Access, Changes, and Privileges 428
Investigating Service and Application-Related Issues 430
Application and Service Monitoring 431
Application and Service Issue Response and Restoration 433
Detecting Attacks on Applications 434
Summary 435
Exam Essentials 436
Lab Exercises 436
Activity 12.1: Identify a Network Scan 436
Activity 12.2: Write a Service Issue Response Plan 437
Activity 12.3: Security Tools 438
Review Questions 439
Chapter 13 Performing Forensic Analysis and Techniques 443
Building a Forensics Capability 444
Building a Forensic Toolkit 444
Understanding Forensic Software 448
Capabilities and Application 448
Conducting Endpoint Forensics 452
Operating System, Process, and Memory Dump Analysis 452
Network Forensics 455
Cloud, Virtual, and Container Forensics 458
Conducting a Forensic Investigation 460
Forensic Procedures 460
Target Locations 462
Acquiring and Validating Drive Images 463
Imaging Live Systems 467
Acquiring Other Data 467
Forensic Investigation: An Example 471
Importing a Forensic Image 471
Analyzing the Image 473
Reporting 476
Summary 478
Exam Essentials 478
Lab Exercises 479
Activity 13.1: Create a Disk Image 479
Activity 13.2: Conduct the NIST Rhino Hunt 480
Activity 13.3: Security Tools 481
Review Questions 482
Chapter 14 Containment, Eradication, and Recovery 487
Containing the Damage 489
Segmentation 490
Isolation 492
Removal 493
Evidence Gathering and Handling 495
Identifying Attackers 495
Incident Eradication and Recovery 496
Reconstruction and Reimaging 497
Patching Systems and Applications 497
Sanitization and Secure Disposal 498
Validating the Recovery Effort 500
Wrapping Up the Response 500
Managing Change Control Processes 501
Conducting a Lessons Learned Session 501
Developing a Final Report 501
Evidence Retention 502
Summary 502
Exam Essentials 502
Lab Exercises 503
Activity 14.1: Incident Containment Options 503
Activity 14.2: Incident Response Activities 505
Activity 14.3: Sanitization and Disposal Techniques 506
Review Questions 507
Chapter 15 Risk Management 511
Analyzing Risk 512
Risk Identification 513
Risk Calculation 514
Business Impact Analysis 515
Managing Risk 518
Risk Mitigation 519
Risk Avoidance 520
Risk Transference 520
Risk Acceptance 521
Security Controls 522
Nontechnical Controls 522
Technical Controls 526
Summary 528
Exam Essentials 529
Lab Exercises 529
Activity 15.1: Risk Management Strategies 529
Activity 15.2: Risk Identification and Assessment 530
Activity 15.3: Risk Management 530
Review Questions 531
Chapter 16 Policy and Compliance 535
Understanding Policy Documents 536
Policies 536
Standards 539
Procedures 541
Guidelines 542
Exceptions and Compensating Controls 543
Complying with Laws and Regulations 545
Adopting a Standard Framework 546
NIST Cybersecurity Framework 546
ISO 27001 549
Control Objectives for Information and Related Technologies (COBIT) 550
Information Technology Infrastructure Library (ITIL) 551
Implementing Policy-Based Controls 552
Security Control Categories 552
Security Control Types 553
Security Control Verification and Quality Control 553
Summary 554
Exam Essentials 554
Lab Exercises 555
Activity 16.1: Policy Documents 555
Activity 16.2: Using a Cybersecurity Framework 556
Activity 16.3: Compliance Auditing Tools 556
Review Questions 557
Appendices 561
Appendix A Practice Exam 561
Exam Questions 562
Appendix B Answers to Review Questions and Practice Exam 581
Chapter 1: Today’s Cybersecurity Analyst 582
Chapter 2: Using Threat Intelligence 583
Chapter 3: Reconnaissance and Intelligence Gathering 585
Chapter 4: Designing a Vulnerability Management Program 587
Chapter 5: Analyzing Vulnerability Scans 589
Chapter 6: Cloud Security 590
Chapter 7: Infrastructure Security and Controls 592
Chapter 8: Identity and Access Management Security 595
Chapter 9: Software and Hardware Development Security 597
Chapter 10: Security Operations and Monitoring 599
Chapter 11: Building an Incident Response Program 601
Chapter 12: Analyzing Indicators of Compromise 603
Chapter 13: Performing Forensic Analysis and Techniques 605
Chapter 14: Containment, Eradication, and Recovery 607
Chapter 15: Risk Management 609
Chapter 16: Policy and Compliance 610
Practice Exam Answers 612
Appendix C Answers to Lab Exercises 621
Chapter 1: Today’s Cybersecurity Analyst 622
Solution to Activity 1.4: Recognize Security Tools 622
Chapter 2: Using Threat Intelligence 622
Solution to Activity 2.3: Intelligence Gathering Techniques 622
Chapter 3: Reconnaissance and Intelligence Gathering 623
Solution to Activity 3.3: Intelligence Gathering Tools 623
Chapter 5: Analyzing Vulnerability Scans 623
Solution to Activity 5.2: Analyze a CVSS Vector 623
Chapter 7: Infrastructure Security and Controls 624
Solution to Activity 7.3: Security Architecture Terminology 624
Chapter 8: Identity and Access Management Security 625
Solution to Activity 8.1: Federated Security Scenario 625
Solution to Activity 8.2: On-site Identity Issues Scenario 625
Solution to Activity 8.3: Identity and Access Management Terminology 626
Chapter 9: Software and Hardware Development Security 627
Solution to Activity 9.3: Security Tools 627
Chapter 10: Security Operations and Monitoring 627
Solution to Activity 10.3: Security Architecture Terminology 627
Chapter 11: Building an Incident Response Program 628
Solution to Activity 11.1: Incident Severity Classification 628
Solution to Activity 11.2: Incident Response Phases 629
Chapter 12: Analyzing Indicators of Compromise 629
Solution to Activity 12.3: Security Tools 629
Chapter 13: Performing Forensic Analysis and Techniques 630
Solution to Activity 13.2: Conduct the NIST Rhino Hunt 630
Solution to Activity 13.3: Security Tools 630
Chapter 14: Containment, Eradication, and Recovery 631
Solution to Activity 14.1: Incident Containment Options 631
Solution to Activity 14.2: Incident Response Activities 632
Solution to Activity 14.3: Sanitization and Disposal Techniques 633
Chapter 15: Risk Management 633
Solution to Activity 15.1: Risk Management Strategies 633
Chapter 16: Policy and Compliance 634
Solution to Activity 16.1: Policy Documents 634
Solution to Activity 16.3: Compliance Auditing Tools 634
Index 635