CompTIA CySA+ Cybersecurity Analyst Certification Passport Exam CS0-002 (2021)
About the Author
Bobby Rogers is a cybersecurity professional with over 30 years in the
information technology and cybersecurity fields. He currently works with a
major engineering company in Huntsville, Alabama, helping to secure
networks and manage cyber risk for its customers. Bobby’s customers
include the U.S. Army, NASA, the State of Tennessee, and
private/commercial companies and organizations. His specialties are
cybersecurity engineering, security compliance, and cyber risk management,
but he has worked in almost every area of cybersecurity, including network
defense, computer forensics and incident response, and penetration testing.
Bobby is a retired Master Sergeant from the U.S. Air Force, having served
for over 21 years. He has built and secured networks in the U.S., Chad,
Uganda, South Africa, Germany, Saudi Arabia, Pakistan, Afghanistan, and
several other remote locations. His decorations include two Meritorious
Service medals, three Air Force Commendation medals, the National Defense
Service medal, and several Air Force Achievement medals. He retired from
active duty in 2006.
Bobby has a Master of Science in Information Assurance and is currently
writing his dissertation for a doctoral degree in cybersecurity. He also has a
Bachelor of Science in Computer Information Systems (with a dual
concentration in Russian Language) and two Associate of Science degrees.
His many certifications include CISSP-ISSEP, CRISC, CySA+, CEH, and
MCSE: Security.
He has narrated and produced over 30 computer training videos for several
training companies, and currently produces them for Pluralsight
(www.pluralsight.com). He is also the author of CompTIA Mobility+ All-in-
One Exam Guide (Exam MB0-001), Certified in Risk and Information
Systems Control (CRISC) All-in-One Certification Guide, Mike Meyers’
CompTIA Security+ Certification Guide (Exam SY0-401), and contributing
author/technical editor for the popular CISSP All-in-One Exam Guide, Eighth
Edition, all from McGraw Hill.
About the Technical Editor
Dawn Dunkerley, Ph.D., CISSP®, CSSLP®, CRISC™, Security+®, is a
leading cyberwarfare and cybersecurity researcher and author. She is an
editor for the U.S. Army Cyber Institute’s Cyber Defense Review and a
Fellow of the America’s Institute for Cybersecurity Leadership.
Copyright © 2021 by McGraw Hill. All rights reserved. Except as permitted
under the United States Copyright Act of 1976, no part of this publication
may be reproduced or distributed in any form or by any means, or stored in a
database or retrieval system, without the prior written permission of the
publisher, with the exception that the program listings may be entered, stored,
and executed in a computer system, but they may not be reproduced for
publication.
ISBN: 978-1-26-046225-8
MHID: 1-26-046225-0
The material in this eBook also appears in the print version of this title:
ISBN: 978-1-26-046226-5, MHID: 1-26-046226-9.
eBook conversion by codeMantra
Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a
trademark symbol after every occurrence of a trademarked name, we use
names in an editorial fashion only, and to the benefit of the trademark owner,
with no intention of infringement of the trademark. Where such designations
appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to
use as premiums and sales promotions or for use in corporate training
programs. To contact a representative, please visit the Contact Us page at
www.mhprofessional.com.
Information has been obtained by McGraw Hill from sources believed to be
reliable. However, because of the possibility of human or mechanical error by
our sources, McGraw Hill, or others, McGraw Hill does not guarantee the
accuracy, adequacy, or completeness of any information and is not
responsible for any errors or omissions or the results obtained from the use of
such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors
reserve all rights in and to the work. Use of this work is subject to these
terms. Except as permitted under the Copyright Act of 1976 and the right to
store and retrieve one copy of the work, you may not decompile, disassemble,
reverse engineer, reproduce, modify, create derivative works based upon,
transmit, distribute, disseminate, sell, publish or sublicense the work or any
part of it without McGraw-Hill Education’s prior consent. You may use the
work for your own noncommercial and personal use; any other use of the
work is strictly prohibited. Your right to use the work may be terminated if
you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION
AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES
AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR
RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING
ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE
WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY
DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
McGraw-Hill Education and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its
operation will be uninterrupted or error free. Neither McGraw-Hill Education
nor its licensors shall be liable to you or anyone else for any inaccuracy, error
or omission, regardless of cause, in the work or for any damages resulting
therefrom. McGraw-Hill Education has no responsibility for the content of
any information accessed through the work. Under no circumstances shall
McGraw-Hill Education and/or its licensors be liable for any indirect,
incidental, special, punitive, consequential or similar damages that result
from the use of or inability to use the work, even if any of them has been
advised of the possibility of such damages. This limitation of liability shall
apply to any claim or cause whatsoever whether such claim or cause arises in
contract, tort or otherwise.
I’d like to dedicate this book to the cybersecurity professionals who
tirelessly, and sometimes thanklessly, protect our information and
systems from all who would do them harm. I also dedicate this book to
the people who serve in uniform as military personnel, public safety
professionals, police, firefighters, and medical professionals, sacrificing
sometimes all that they are and have so that we may all live in peace,
security, and safety.
Contents at a Glance
1.0 Threat and Vulnerability Management
2.0 Software and Systems Security
3.0 Security Operations and Monitoring
4.0 Incident Response
5.0 Compliance and Assessment
A About the Online Content
Glossary
Index
Contents
Acknowledgments
Introduction
1.0 Threat and Vulnerability Management
Objective 1.1 Explain the importance of threat data and
intelligence
Intelligence Sources
Open-Source Intelligence
Proprietary and Closed-Source Intelligence
Timeliness
Relevancy
Accuracy
Confidence Levels
Indicator Management
Structured Threat Information eXpression (STIX)
Trusted Automated eXchange of Indicator Intelligence
(TAXII)
OpenIOC
Threat Classification
Known Threats vs. Unknown Threats
Zero-Day Threats
Advanced Persistent Threats
Threat Actors
Nation-States
Hacktivists
Organized Crime
Insider Threats
Intelligence Cycle
Requirements
Collection
Analysis
Dissemination
Feedback
Commodity Malware
Information Sharing and Analysis Communities
Healthcare
Financial
Aviation
Government
Critical Infrastructure
REVIEW
1.1 QUESTIONS
1.1 ANSWERS
Objective 1.2 Given a scenario, utilize threat intelligence to
support organizational security
Attack Frameworks
MITRE ATT&CK
The Diamond Model of Intrusion Analysis
Cyber Kill Chain
Threat Research
Reputational
Behavioral
Indicators of Compromise (IOCs)
Common Vulnerability Scoring System (CVSS)
Threat Modeling Methodologies
Common Threat Modeling Methodologies
Adversary Capability
Total Attack Surface
Attack Vector
Impact
Likelihood
Threat Intelligence Sharing with Supported Functions
Incident Response
Vulnerability Management
Risk Management
Security Engineering
Detection and Monitoring
REVIEW
1.2 QUESTIONS
1.2 ANSWERS
Objective 1.3 Given a scenario, perform vulnerability
management activities
Vulnerability Identification
Asset Criticality
Active vs. Passive Scanning
Mapping/Enumeration
Validation
True Positive
False Positive
True Negative
False Negative
Remediation/Mitigation
Configuration Baseline
Patching
Hardening
Compensating Controls
Risk Acceptance
Verification of Mitigation
Scanning Parameters and Criteria
Risks Associated with Scanning Activities
Vulnerability Feed
Scope
Credentialed vs. Non-Credentialed
Server-Based vs. Agent-Based
Internal vs. External
Special Considerations
Inhibitors to Remediation
Memorandum of Understanding (MOU)
Service Level Agreement (SLA)
Organizational Governance
Business Process Interruption
Degrading Functionality
Legacy Systems
Proprietary Systems
REVIEW
1.3 QUESTIONS
1.3 ANSWERS
Objective 1.4 Given a scenario, analyze the output from common
vulnerability assessment tools
Vulnerability Assessment Tools
Application Tools
Web Application Scanners
Software Assessment Tools and Techniques
Infrastructure Tools
Network Enumeration
Network Vulnerability Scanners
Wireless Assessment
Cloud Infrastructure Assessment
REVIEW
1.4 QUESTIONS
1.4 ANSWERS
Objective 1.5 Explain the threats and vulnerabilities associated
with specialized technology
Mobile Devices
Mobile Device Threats and Vulnerabilities
Corporate Device Considerations
Mobile Device Protections
Internet of Things (IoT)
Embedded Devices
Physical Access Controls
Building Automation Systems
Vehicles and Drones
Industrial Control Systems
Workflow and Process Automation Systems
Supervisory Control and Data Acquisition (SCADA)
REVIEW
1.5 QUESTIONS
1.5 ANSWERS
Objective 1.6 Explain the threats and vulnerabilities associated
with operating in the cloud
Cloud Service Models
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Serverless Architecture and Function as a Service (FaaS)
Infrastructure as Code (IaC)
Cloud Deployment Models
Public
Private
Community
Hybrid
Cloud Vulnerabilities
Insecure Application Programming Interface (API)
Improper Key Management
Unprotected Storage
Insufficient Logging and Monitoring
Inability to Access
REVIEW
1.6 QUESTIONS
1.6 ANSWERS
Objective 1.7 Given a scenario, implement controls to mitigate
attacks and software vulnerabilities
Vulnerabilities
Improper Error Handling
Dereferencing
Insecure Object Reference
Race Condition
Broken Authentication
Sensitive Data Exposure
Insecure Components
Insufficient Logging and Monitoring
Weak or Default Configurations
Use of Insecure Functions
Attack Types
Injection Attacks
Authentication Attacks
Overflow Attacks
REVIEW
1.7 QUESTIONS
1.7 ANSWERS
2.0 Software and Systems Security
Objective 2.1 Given a scenario, apply security solutions for
infrastructure management
Infrastructure Management
Cloud vs. On-Premises
Asset Management
Segmentation
Network Architecture
Change Management
Virtualization
Containerization
Identity and Access Management
Authentication Methods
Access Control Models
Cloud Access Security Broker (CASB)
Honeypot
Monitoring and Logging
Encryption
Certificate Management
Active Defense
REVIEW
2.1 QUESTIONS
2.1 ANSWERS
Objective 2.2 Explain software assurance best practices
Platforms
Mobile
Web Application
Client/Server
Embedded Platforms
Firmware
System-on-Chip (SoC)
Service-Oriented Architecture
Security Assertions Markup Language (SAML)
Simple Object Access Protocol (SOAP)
Representational State Transfer (REST)
Microservices
Software Development Lifecycle (SDLC) Integration
DevSecOps
Secure Coding Best Practices
Input Validation
Output Encoding
Session Management
Authentication
Data Protection
Parameterized Queries
Software Assessment Methods
User Acceptance Testing
Stress Testing
Security Regression Testing
Code Review
Static Analysis Tools
Dynamic Analysis Tools
Formal Methods for Verification of Critical Software
REVIEW
2.2 QUESTIONS
2.2 ANSWERS
Objective 2.3 Explain hardware assurance best practices
Hardware Root of Trust
Trusted Platform Module (TPM)
Hardware Security Module (HSM)
eFuse
Unified Extensible Firmware Interface (UEFI)
Trusted Foundry
Secure Processing
Trusted Execution and Secure Enclave
Processor Security Extensions
Atomic Execution
Bus Encryption
Anti-Tamper
Self-Encrypting Drive (SED)
Trusted Firmware Updates
Measured Boot and Attestation
REVIEW
2.3 QUESTIONS
2.3 ANSWERS
3.0 Security Operations and Monitoring
Objective 3.1 Given a scenario, analyze data as part of security
monitoring activities
Heuristics
Trend Analysis
Endpoint Data
Known-Good vs. Anomalous Behavior Analysis
Malware Analysis and Reverse Engineering
Memory Analysis
File System Analysis
System and Application Behavior
User and Entity Behavior Analytics (UEBA)
Analysis of Endpoint Exploitation Techniques
Network
Uniform Resource Locator (URL) and Domain Name
System (DNS) Analysis
Domain Generation Algorithm
Flow Analysis
Packet and Protocol Analysis
Network-Based Malware Analysis
Log Review
Event Logs
Syslog
Firewall Logs
Web Application Firewall (WAF)
Proxy
Intrusion Detection System (IDS)/Intrusion Prevention
System (IPS)
Impact Analysis
Organization Impact vs. Localized Impact
Immediate vs. Total
Security Information and Event Management (SIEM) Review
Dashboard
Rule and Query Writing
String Search
Scripting and Piping
E-mail Analysis
Impersonation
Malicious Payload
Embedded Links
Phishing
Forwarding
Digital Signatures
Header
E-mail Signature Block
Domain Keys Identified Mail (DKIM)
Sender Policy Framework (SPF)
Domain-Based Message Authentication, Reporting, and
Conformance (DMARC)
REVIEW
3.1 QUESTIONS
3.1 ANSWERS
Objective 3.2 Given a scenario, implement configuration changes
to existing controls to improve security
Review of Control Concepts
Control Categories and Functions
Control Implementation and Risk
Permissions
Windows Permissions
Linux Permissions
Access Control Lists
Allow Lists
Deny Lists
Firewalls
Packet-Filtering Firewalls
Circuit-Level Gateways
Stateful Inspection Firewalls
Application-Level Gateways
Web Application Firewalls (WAFs)
Next-Generation Firewalls
Cloud-Based Firewalls
Intrusion Prevention System (IPS) Rules
Data Loss Prevention (DLP)
Endpoint Detection and Response (EDR)
Network Access Control (NAC)
Sinkholing
Malware Signatures
Development/Rule Writing
Sandboxing
Port Security
REVIEW
3.2 QUESTIONS
3.2 ANSWERS
Objective 3.3 Explain the importance of proactive threat hunting
Establishing a Hypothesis
Profiling Threat Actors and Activities
Threat Hunting Tactics
Executable Process Analysis
Reducing the Attack Surface Area
System Level
Network Level
Organization Level
Operating Environment
Bundling Critical Assets
Attack Vectors
Integrated Intelligence
Improving Detection Capabilities
REVIEW
3.3 QUESTIONS
3.3 ANSWERS
Objective 3.4 Compare and contrast automation concepts and
technologies
Automation Concepts
Workflow Orchestration
Security Orchestration, Automation, and Response
(SOAR)
Scripting
Application Programming Interface (API) Integration
Automated Malware Signature Creation
Data Enrichment
Threat Feed Combination
Machine Learning
Use of Automation Protocols and Standards
Automating Software Integration, Delivery, and
Deployment
REVIEW
3.4 QUESTIONS
3.4 ANSWERS
4.0 Incident Response
Objective 4.1 Explain the importance of the incident response
process
Critical Incident Response Processes
Communications Plan
Response Coordination with Relevant Entities
Factors Contributing to Data Criticality
REVIEW
4.1 QUESTIONS
4.1 ANSWERS
Objective 4.2 Given a scenario, apply the appropriate incident
response procedure
Incident Response Procedures
Preparation
Detection and Analysis
Containment
Eradication and Recovery
Post-Incident Activities
REVIEW
4.2 QUESTIONS
4.2 ANSWERS
Objective 4.3 Given an incident, analyze potential indicators of
compromise
Analyzing Indicators of Compromise
Network-Related IOCs
Host-Related IOCs
Application-Related IOCs
REVIEW
4.3 QUESTIONS
4.3 ANSWERS
Objective 4.4 Given a scenario, utilize basic digital forensics
techniques
Forensics Considerations
Forensics Foundations
Network
Endpoint Forensics Considerations
Mobile Forensics
Cloud Forensics
Virtualization Forensics
Key Forensic Procedures
REVIEW
4.4 QUESTIONS
4.4 ANSWERS
5.0 Compliance and Assessment
Objective 5.1 Understand the importance of data privacy and
protection
Privacy vs. Security
Nontechnical Controls
Technical Controls
REVIEW
5.1 QUESTIONS
5.1 ANSWERS
Objective 5.2 Given a scenario, apply security concepts in
support of organizational risk mitigation
Organizational Risk Mitigation
Business Impact Analysis (BIA)
Risk Identification Process
Risk Calculation
Communication of Risk Factors
Risk Prioritization
Systems Assessment
Documented Compensating Controls
Training and Exercises
Supply Chain Assessment
REVIEW
5.2 QUESTIONS
5.2 ANSWERS
Objective 5.3 Explain the importance of frameworks, policies,
procedures, and controls
Organizational Governance Flow
Frameworks
Policies and Procedures
Control Categories
Control Types
Audits and Assessments
REVIEW
5.3 QUESTIONS
5.3 ANSWERS
A About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Privacy Notice
Single User License Terms and Conditions
TotalTester Online
Performance-Based Questions
Technical Support
Glossary
Index
Acknowledgments
This book wasn’t simply written by one person; so many people had key
roles in the production of this guide, so I’d like to take this opportunity to
acknowledge and thank them. First and foremost, I would like to thank the
folks at McGraw Hill, and in particular Lisa McClain and Emily Walters.
Both had the unenviable role of keeping me on track and leading me to see
their vision of what this book is supposed to be. They are both awesome
people to work with, and I’m grateful they had the faith to entrust this project
to me!
I’d also like to thank Nicholas Lane for his great early work on the first
three objectives of Domain 1.0; he did a great job in helping set the tone for
the book and getting it off on the right track.
I owe a debt of thanks to the project manager, Garima Poddar of
KnowledgeWorks Global Ltd, and Bart Reed, the copy editor. Both were
great people to work with. Bart did a great job of turning my butchered
attempts at style and grammar into a smooth-flowing, understandable book.
I also want to thank my family for their patience and understanding as I
took time away from them to write this book. I owe them a great deal of time
I can never pay back, and I am very grateful for their love and support.
And last, but certainly not least, I want to thank the technical editor, Dr.
Dawn Dunkerley. Dawn has been my friend, partner-in-crime, and coworker
at times for 14 years now. I’ve lost count of how many projects she has
suffered through with me, yet she still immediately volunteers to work with
me whenever I get a harebrained idea to do another project that neither one of
us appears to have the time or patience for. Dawn is truly the smartest person
I know in cybersecurity, and this book is scores better for having her there to
correct my mistakes, ask critical questions, make me do more research, and
add a different and unique perspective to the process. Thank you, my friend!
Introduction
The Certification Passport Series
The Certification Passports are self-study certification guides that take an
accelerated approach to reviewing the objectives and preparing to sit for the
exam. The Passport series is designed to provide a concise review of the key
information candidates need to know to pass the test, with learning elements
that enable readers to focus their studies and quickly drill down into specific
exam objectives.
In This Book
This Passport is divided into “Domains” that follow the exam domains. Each
Domain is divided into “Objective” modules covering each of the top-level
certification objectives.
We’ve created a set of learning elements that call your attention to
important items, reinforce important points, and provide helpful exam-taking
hints. Take a look at what you’ll find in every module:
• Every domain and module begins with Certification Objectives—what
you need to know in order to pass the section on the exam dealing with
the module topic.
• The following elements highlight key information throughout the
modules:
EXAM TIP The Exam Tip element focuses on information that
pertains directly to the test, such as a wording preference that is a hint to an
answer. These helpful hints are written by authors who have taken the exam
and received their certification—who better to tell you what to worry
about? They know what you’re about to go through!
CAUTION These cautionary notes address common pitfalls or
“real-world” issues as well as warnings about the exam.
KEY TERM This element highlights specific terms or acronyms
that are essential to know in order to pass the exam.
NOTE This element calls out any ancillary but pertinent information.
Cross-Reference
This element points to related topics covered in other Objective modules
or Domains.
• Tables allow for a quick reference to help you quickly navigate
quantitative data or lists of technical information.
• Each Objective module ends with a brief Review, which begins by
repeating the official exam objective number and text, followed by a
succinct and useful summary, geared toward quick review and
retention.
• Review Questions are intended to be similar to those found on the
exam. Explanations of the correct answer are provided.
Online Content
For more information on the practice exams included with the book, please
see the “About the Online Content” appendix at the back of the book.
Introduction
Welcome to the CompTIA CySA+™ Cybersecurity Analyst Certification
Passport! This book is focused on helping you pass CompTIA’s CySA+
certification examination. The idea behind the Passport series is to give you a
concise study guide for learning the key elements of the certification exam
from the perspective of the required objectives published by CompTIA. This
book is intended for mid-level cybersecurity analysts who have a few years
of experience under their belt. While CompTIA has no specific mandatory
experience or certification prerequisites, they do recommend that you have at
least four years of hands-on experience in a technical cybersecurity job role,
as well as the Security+ and Network+ certifications, or equivalent
knowledge and experience.
I recommend you use this book for learning key terms and concepts as
well as for studying in the final few days before your CySA+ exam, possibly
after you’ve done all of your “deep” studying. This guide will help you
memorize fast facts, as well as refresh you on topics you may not have
studied for a while. This book is meant to be a “no fluff” concise guide with
quick facts, definitions, memory aids, charts, and brief explanations, but
nothing too in depth. This guide assumes you have already studied long and
hard for your exam, and you just need a quick refresher before you test.
Because it gives you the key concepts and facts, and not necessarily the in-
depth explanations surrounding those facts, it should not be used as your only
study source to prepare for the exam. There are numerous books you can use
for your deep studying, such as the CompTIA CySA+ Cybersecurity Analyst
Certification All-in-One Exam Guide, Second Edition (Exam CS0-002), also
from McGraw Hill.
This guide is organized around the most recent exam domains and
objectives released by CompTIA as of the publishing date of this book. Keep
in mind that CompTIA reserves the right to change or update the exam
objectives at its sole discretion anytime without any prior notice, so you
should check for the most recent objectives before you take the exam to make
sure you are studying the most updated materials. CompTIA has published
five domains for this exam; they are organized in numerical order in the
book, with individual domain objectives also ordered by objective number in
each domain. These domains are equivalent to regular book “chapters,” so
you have five considerably large chapters in the book with individual sections
devoted to the objective numbers. Hopefully, this organization will help you
learn and master each objective in a logical way. Because domain objectives
can overlap sometimes, you may see a bit of redundancy in topics discussed
throughout the book; where this is the case, we have tried to put the topic in
its proper context within the domain objective where it resides and cross-
reference it to the same topic discussed in other parts of the book in other