CompTIA CySA+ Study Guide with Online Labs. Exam CS0-002. Edition No. 1

  • Book

  • 704 Pages
  • December 2020
  • John Wiley and Sons Ltd
  • ID: 5839160

Virtual, hands-on learning labs allow you to apply your technical skills using live hardware and software hosted in the cloud. So Sybex has bundled CompTIA CySA+ labs from Practice Labs, the IT Competency Hub, with our popular CompTIA CySA+ Study Guide, Second Edition. Working in these labs gives you the kind of hands-on experience you would face in a real-life setting, which is exactly what you need to prepare for the CompTIA CySA+ Exam CS0-002. Used in addition to the book, the labs are a proven way to prepare for the certification and for work in the cybersecurity field.

The CompTIA CySA+ Study Guide Exam CS0-002, Second Edition provides clear and concise information on crucial security topics and verified 100% coverage of the revised CompTIA Cybersecurity Analyst+ (CySA+) exam objectives. You’ll be able to gain insight from practical, real-world examples, plus chapter reviews and exam highlights. Turn to this comprehensive resource to gain authoritative coverage of a range of security subject areas.

  • Review threat and vulnerability management topics
  • Expand your knowledge of software and systems security
  • Gain greater understanding of security operations and monitoring
  • Study incident response information
  • Get guidance on compliance and assessment 

The CompTIA CySA+ Study Guide, Second Edition connects you to useful study tools that help you prepare for the exam. Gain confidence by using its interactive online test bank with hundreds of bonus practice questions, electronic flashcards, and a searchable glossary of key cybersecurity terms. You also get access to hands-on labs and have the opportunity to create a cybersecurity toolkit.

Leading security experts Mike Chapple and David Seidl wrote this valuable guide to help you prepare to become CompTIA CySA+ certified. If you’re an IT professional who has earned your CompTIA Security+ certification, success on the CySA+ (Cybersecurity Analyst) exam stands as an impressive addition to your professional credentials. Preparing for and taking the CS0-002 exam can also help you plan for advanced certifications, such as the CompTIA Advanced Security Practitioner (CASP+).

And with this edition you also get Practice Labs virtual labs that run from your browser. The registration code is included with the book and gives you 6 months of unlimited access to Practice Labs CompTIA CySA+ Exam CS0-002 Labs, with 30 unique lab modules to practice your skills.

Table of Contents

Introduction xxvii

Assessment Test xli

Chapter 1 Today’s Cybersecurity Analyst 1

Cybersecurity Objectives 2

Privacy vs. Security 3

Evaluating Security Risks 4

Identify Threats 6

Identify Vulnerabilities 8

Determine Likelihood, Impact, and Risk 8

Reviewing Controls 10

Building a Secure Network 10

Network Access Control 10

Firewalls and Network Perimeter Security 12

Network Segmentation 15

Defense Through Deception 16

Secure Endpoint Management 17

Hardening System Configurations 17

Patch Management 17

Group Policies 18

Endpoint Security Software 19

Penetration Testing 19

Planning a Penetration Test 20

Conducting Discovery 21

Executing a Penetration Test 21

Communicating Penetration Test Results 22

Training and Exercises 22

Reverse Engineering 22

Isolation and Sandboxing 23

Reverse-Engineering Software 23

Reverse-Engineering Hardware 24

The Future of Cybersecurity Analytics 25

Summary 26

Exam Essentials 26

Lab Exercises 28

Activity 1.1: Create an Inbound Firewall Rule 28

Activity 1.2: Create a Group Policy Object 28

Activity 1.3: Write a Penetration Testing Plan 30

Activity 1.4: Recognize Security Tools 30

Review Questions 30

Chapter 2 Using Threat Intelligence 35

Threat Data and Intelligence 36

Open Source Intelligence 37

Proprietary and Closed Source Intelligence 39

Assessing Threat Intelligence 39

Threat Indicator Management and Exchange 41

The Intelligence Cycle 42

The Threat Intelligence Community 43

Threat Classification 44

Threat Actors 44

Threat Classification 45

Threat Research and Modeling 46

Attack Frameworks 48

MITRE’s ATT&CK Framework 48

The Diamond Model of Intrusion Analysis 50

Lockheed Martin’s Cyber Kill Chain 51

The Unified Kill Chain 53

Common Vulnerability Scoring System (CVSS) 53

Applying Threat Intelligence Organizationwide 53

Proactive Threat Hunting 54

Summary 55

Exam Essentials 56

Lab Exercises 57

Activity 2.1: Explore the ATT&CK Framework 57

Activity 2.2: Set Up a STIX/TAXII Feed 58

Activity 2.3: Intelligence Gathering Techniques 58

Review Questions 59

Chapter 3 Reconnaissance and Intelligence Gathering 63

Mapping and Enumeration 64

Active Reconnaissance 65

Mapping Networks and Discovering Topology 65

Pinging Hosts 67

Port Scanning and Service Discovery Techniques and Tools 69

Passive Footprinting 75

Log and Configuration Analysis 76

Harvesting Data from DNS and Whois 84

Responder 91

Information Aggregation and Analysis Tools 92

Information Gathering Using Packet Capture 92

Gathering Organizational Intelligence 92

Organizational Data 93

Electronic Document Harvesting 94

Detecting, Preventing, and Responding to Reconnaissance 97

Capturing and Analyzing Data to Detect Reconnaissance 97

Preventing Reconnaissance 99

Summary 100

Exam Essentials 101

Lab Exercises 102

Activity 3.1: Port Scanning 102

Activity 3.2: Write an Intelligence Gathering Plan 102

Activity 3.3: Intelligence Gathering Techniques 103

Review Questions 103

Chapter 4 Designing a Vulnerability Management Program 109

Identifying Vulnerability Management Requirements 110

Regulatory Environment 110

Corporate Policy 114

Identifying Scan Targets 114

Determining Scan Frequency 115

Active vs. Passive Scanning 117

Configuring and Executing Vulnerability Scans 118

Scoping Vulnerability Scans 118

Configuring Vulnerability Scans 119

Scanner Maintenance 123

Developing a Remediation Workflow 126

Reporting and Communication 127

Prioritizing Remediation 129

Testing and Implementing Fixes 130

Delayed Remediation Options 131

Overcoming Risks of Vulnerability Scanning 131

Vulnerability Scanning Tools 133

Infrastructure Vulnerability Scanning 133

Web Application Scanning 133

Interception Proxies 134

Wireless Assessment Tools 136

Summary 137

Exam Essentials 138

Lab Exercises 139

Activity 4.1: Install a Vulnerability Scanner 139

Activity 4.2: Run a Vulnerability Scan 140

Review Questions 140

Chapter 5 Analyzing Vulnerability Scans 145

Reviewing and Interpreting Scan Reports 146

Understanding CVSS 148

Validating Scan Results 155

False Positives 156

Documented Exceptions 156

Understanding Informational Results 157

Reconciling Scan Results with Other Data Sources 158

Trend Analysis 158

Common Vulnerabilities 158

Server and Endpoint Vulnerabilities 159

Network Vulnerabilities 168

Virtualization Vulnerabilities 173

Internet of Things (IoT) 176

Web Application Vulnerabilities 177

Authentication Vulnerabilities 181

Summary 183

Exam Essentials 184

Lab Exercises 185

Activity 5.1: Interpret a Vulnerability Scan 185

Activity 5.2: Analyze a CVSS Vector 185

Activity 5.3: Remediate a Vulnerability 185

Review Questions 187

Chapter 6 Cloud Security 191

Understanding Cloud Environments 192

The Case for Cloud Computing 193

Cloud Service Models 194

Cloud Deployment Models 200

Operating in the Cloud 204

DevOps Strategies 205

Infrastructure as Code (IaC) 206

Application Programming Interfaces 207

Cloud Monitoring 208

Cloud Infrastructure Security 208

Cloud Infrastructure Security Tools 209

Cloud Access Security Brokers (CASB) 213

Summary 214

Exam Essentials 215

Lab Exercises 216

Activity 6.1: Run a ScoutSuite Assessment 216

Activity 6.2: Explore the Exploits Available with Pacu 216

Activity 6.3: Scan an AWS Account with Prowler 216

Review Questions 217

Chapter 7 Infrastructure Security and Controls 221

Understanding Defense-in-Depth 222

Layered Security 222

Zero Trust 223

Segmentation 224

Network Architecture 226

Physical Network Architectures 227

Software-Defined Networks 227

Virtualization 228

Asset and Change Management 229

Logging, Monitoring, and Validation 229

Encryption 230

Active Defense 231

Infrastructure Security and the Cloud 231

Improving Security by Improving Controls 233

Layered Host Security 234

Permissions 235

Whitelisting and Blacklisting 235

Technical Controls 236

Policy, Process, and Standards 238

Analyzing Security Architecture 240

Analyzing Security Requirements 240

Reviewing Architecture 241

Common Issues 242

Reviewing a Security Architecture 246

Maintaining a Security Design 248

Summary 249

Exam Essentials 249

Lab Exercises 250

Activity 7.1: Review an Application Using the OWASP Attack Surface Analysis Cheat Sheet 250

Activity 7.2: Review a NIST Security Architecture 251

Activity 7.3: Security Architecture Terminology 252

Review Questions 253

Chapter 8 Identity and Access Management Security 259

Understanding Identity 260

Identity Systems and Security Design 261

Threats to Identity and Access 269

Understanding Security Issues with Identities 269

Attacking AAA Systems and Protocols 270

Targeting Account Creation, Provisioning, and Deprovisioning 275

Preventing Common Exploits of Identity and Authorization 276

Acquiring Credentials 277

Identity as a Security Layer 280

Identity and Defense-in-Depth 280

Securing Authentication and Authorization 281

Detecting Attacks and Security Operations 288

Federation and Single Sign-On 289

Federated Identity Security Considerations 289

Federated Identity Design Choices 291

Federated Identity Technologies 293

Federation Incident Response 297

Summary 297

Exam Essentials 298

Lab Exercises 299

Activity 8.1: Federated Security Scenario 299

Activity 8.2: On-site Identity Issues Scenario 300

Activity 8.3: Identity and Access Management Terminology 301

Review Questions 303

Chapter 9 Software and Hardware Development Security 307

Software Assurance Best Practices 308

The Software Development Life Cycle 309

Software Development Phases 310

Software Development Models 311

DevSecOps and DevOps 317

Designing and Coding for Security 318

Common Software Development Security Issues 319

Security Implications of Target Platforms 321

Secure Coding Best Practices 322

API Security 325

Service-Oriented Architectures 325

Application Testing 327

Information Security and the SDLC 327

Code Review Models 328

Software Security Testing 331

Software Assessment: Testing and Analyzing Code 332

Web Application Vulnerability Scanning 335

Hardware Assurance Best Practices 337

Cryptographic Hardware 337

Firmware Security 338

Hardware Security 339

Summary 340

Exam Essentials 341

Lab Exercises 342

Activity 9.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 342

Activity 9.2: Learn About Web Application Exploits from WebGoat 342

Activity 9.3: SDLC Terminology 343

Review Questions 344

Chapter 10 Security Operations and Monitoring 349

Security Monitoring 350

Analyzing Security Data 350

Logs 351

Endpoint Data Analysis 358

Network Data Analysis 362

Protecting and Analyzing Email 365

Scripting, Searching, and Text Manipulation 369

Summary 371

Exam Essentials 371

Lab Exercises 372

Activity 10.1: Analyze a Network Capture File 372

Activity 10.2: Analyze a Phishing Email 373

Activity 10.3: Security Architecture Terminology 373

Review Questions 374

Chapter 11 Building an Incident Response Program 379

Security Incidents 380

Phases of Incident Response 381

Preparation 382

Detection and Analysis 383

Containment, Eradication, and Recovery 384

Postincident Activity 385

Building the Foundation for Incident Response 387

Policy 387

Procedures and Playbooks 387

Documenting the Incident Response Plan 388

Creating an Incident Response Team 389

Incident Response Providers 391

CSIRT Scope of Control 391

Coordination and Information Sharing 391

Internal Communications 392

External Communications 392

Classifying Incidents 393

Threat Classification 393

Severity Classification 394

Summary 398

Exam Essentials 398

Lab Exercises 399

Activity 11.1: Incident Severity Classification 399

Activity 11.2: Incident Response Phases 400

Activity 11.3: Develop an Incident Communications Plan 400

Review Questions 401

Chapter 12 Analyzing Indicators of Compromise 405

Analyzing Network Events 406

Capturing Network-Related Events 407

Network Monitoring Tools 411

Detecting Common Network Issues 413

Detecting Scans and Probes 417

Detecting Denial-of-Service and Distributed Denial-of-Service Attacks 417

Detecting Other Network Attacks 420

Detecting and Finding Rogue Devices 420

Investigating Host-Related Issues 422

System Resources 422

Malware, Malicious Processes, and Unauthorized Software 426

Unauthorized Access, Changes, and Privileges 428

Investigating Service and Application-Related Issues 430

Application and Service Monitoring 431

Application and Service Issue Response and Restoration 433

Detecting Attacks on Applications 434

Summary 435

Exam Essentials 436

Lab Exercises 436

Activity 12.1: Identify a Network Scan 436

Activity 12.2: Write a Service Issue Response Plan 437

Activity 12.3: Security Tools 438

Review Questions 439

Chapter 13 Performing Forensic Analysis and Techniques 443

Building a Forensics Capability 444

Building a Forensic Toolkit 444

Understanding Forensic Software 448

Capabilities and Application 448

Conducting Endpoint Forensics 452

Operating System, Process, and Memory Dump Analysis 452

Network Forensics 455

Cloud, Virtual, and Container Forensics 458

Conducting a Forensic Investigation 460

Forensic Procedures 460

Target Locations 462

Acquiring and Validating Drive Images 463

Imaging Live Systems 467

Acquiring Other Data 467

Forensic Investigation: An Example 471

Importing a Forensic Image 471

Analyzing the Image 473

Reporting 476

Summary 478

Exam Essentials 478

Lab Exercises 479

Activity 13.1: Create a Disk Image 479

Activity 13.2: Conduct the NIST Rhino Hunt 480

Activity 13.3: Security Tools 481

Review Questions 482

Chapter 14 Containment, Eradication, and Recovery 487

Containing the Damage 489

Segmentation 490

Isolation 492

Removal 493

Evidence Gathering and Handling 495

Identifying Attackers 495

Incident Eradication and Recovery 496

Reconstruction and Reimaging 497

Patching Systems and Applications 497

Sanitization and Secure Disposal 498

Validating the Recovery Effort 500

Wrapping Up the Response 500

Managing Change Control Processes 501

Conducting a Lessons Learned Session 501

Developing a Final Report 501

Evidence Retention 502

Summary 502

Exam Essentials 502

Lab Exercises 503

Activity 14.1: Incident Containment Options 503

Activity 14.2: Incident Response Activities 505

Activity 14.3: Sanitization and Disposal Techniques 506

Review Questions 507

Chapter 15 Risk Management 511

Analyzing Risk 512

Risk Identification 513

Risk Calculation 514

Business Impact Analysis 515

Managing Risk 518

Risk Mitigation 519

Risk Avoidance 520

Risk Transference 520

Risk Acceptance 521

Security Controls 522

Nontechnical Controls 522

Technical Controls 526

Summary 528

Exam Essentials 529

Lab Exercises 529

Activity 15.1: Risk Management Strategies 529

Activity 15.2: Risk Identification and Assessment 530

Activity 15.3: Risk Management 530

Review Questions 531

Chapter 16 Policy and Compliance 535

Understanding Policy Documents 536

Policies 536

Standards 539

Procedures 541

Guidelines 542

Exceptions and Compensating Controls 543

Complying with Laws and Regulations 545

Adopting a Standard Framework 546

NIST Cybersecurity Framework 546

ISO 27001 549

Control Objectives for Information and Related Technologies (COBIT) 550

Information Technology Infrastructure Library (ITIL) 551

Implementing Policy-Based Controls 552

Security Control Categories 552

Security Control Types 553

Security Control Verification and Quality Control 553

Summary 554

Exam Essentials 554

Lab Exercises 555

Activity 16.1: Policy Documents 555

Activity 16.2: Using a Cybersecurity Framework 556

Activity 16.3: Compliance Auditing Tools 556

Review Questions 557

Appendices 561

Appendix A Practice Exam 561

Exam Questions 562

Appendix B Answers to Review Questions and Practice Exam 581

Chapter 1: Today’s Cybersecurity Analyst 582

Chapter 2: Using Threat Intelligence 583

Chapter 3: Reconnaissance and Intelligence Gathering 585

Chapter 4: Designing a Vulnerability Management Program 587

Chapter 5: Analyzing Vulnerability Scans 589

Chapter 6: Cloud Security 590

Chapter 7: Infrastructure Security and Controls 592

Chapter 8: Identity and Access Management Security 595

Chapter 9: Software and Hardware Development Security 597

Chapter 10: Security Operations and Monitoring 599

Chapter 11: Building an Incident Response Program 601

Chapter 12: Analyzing Indicators of Compromise 603

Chapter 13: Performing Forensic Analysis and Techniques 605

Chapter 14: Containment, Eradication, and Recovery 607

Chapter 15: Risk Management 609

Chapter 16: Policy and Compliance 610

Practice Exam Answers 612

Appendix C Answers to Lab Exercises 621

Chapter 1: Today’s Cybersecurity Analyst 622

Solution to Activity 1.4: Recognize Security Tools 622

Chapter 2: Using Threat Intelligence 622

Solution to Activity 2.3: Intelligence Gathering Techniques 622

Chapter 3: Reconnaissance and Intelligence Gathering 623

Solution to Activity 3.3: Intelligence Gathering Tools 623

Chapter 5: Analyzing Vulnerability Scans 623

Solution to Activity 5.2: Analyze a CVSS Vector 623

Chapter 7: Infrastructure Security and Controls 624

Solution to Activity 7.3: Security Architecture Terminology 624

Chapter 8: Identity and Access Management Security 625

Solution to Activity 8.1: Federated Security Scenario 625

Solution to Activity 8.2: On-site Identity Issues Scenario 625

Solution to Activity 8.3: Identity and Access Management Terminology 626

Chapter 9: Software and Hardware Development Security 627

Solution to Activity 9.3: Security Tools 627

Chapter 10: Security Operations and Monitoring 627

Solution to Activity 10.3: Security Architecture Terminology 627

Chapter 11: Building an Incident Response Program 628

Solution to Activity 11.1: Incident Severity Classification 628

Solution to Activity 11.2: Incident Response Phases 629

Chapter 12: Analyzing Indicators of Compromise 629

Solution to Activity 12.3: Security Tools 629

Chapter 13: Performing Forensic Analysis and Techniques 630

Solution to Activity 13.2: Conduct the NIST Rhino Hunt 630

Solution to Activity 13.3: Security Tools 630

Chapter 14: Containment, Eradication, and Recovery 631

Solution to Activity 14.1: Incident Containment Options 631

Solution to Activity 14.2: Incident Response Activities 632

Solution to Activity 14.3: Sanitization and Disposal Techniques 633

Chapter 15: Risk Management 633

Solution to Activity 15.1: Risk Management Strategies 633

Chapter 16: Policy and Compliance 634

Solution to Activity 16.1: Policy Documents 634

Solution to Activity 16.3: Compliance Auditing Tools 634

Index 635

Authors

Mike Chapple, University of Notre Dame.