Friday, April 7, 2023

Comptia cybersecurity analyst (csa+) study guide pdf download


Comptia Cysa Guide To Cyber Security Analyst





Reinstall

Which of the following actions is not a common activity during the recovery phase of an incident response process?
A. Reviewing accounts and adding new privileges
B. Validating that only authorized user accounts are on the systems
C. Verifying that all systems are logging properly
D. Performing vulnerability scans of all systems

A. Policies
B. Standards
C. Procedures
D. Guidelines

Jim is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with?
A. HIPAA
B. GLBA
C. SOX
D. FERPA

A fire suppression system is an example of what type of control?
A. Logical
B. Physical
C. Administrative
D. Operational

Lauren is concerned that Danielle and Alex are conspiring to use their access to defraud their organization. What personnel control will allow Lauren to review their actions to find any issues?
A. Dual control
B. Separation of duties
C. Background checks
D. Cross training

Joe wants to implement an authentication protocol that is well suited to untrusted networks. Which of the following options is best suited to his needs in its default state?
A. Kerberos
B. RADIUS
C. LDAP
D.

Which software development life cycle model uses linear development concepts in an iterative, four-phase process?
A. Waterfall
B. Agile
C. RAD
D. Spiral

Answers to the Assessment Test

1. These three TCP ports are associated with SSH (22), HTTPS, and Oracle databases.

Regional Internet registries like ARIN are best queried either via their websites or using tools like Whois.

Nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor.


Honeypots are systems that are designed to look like attractive targets. When they are attacked, they simulate a compromise, providing defenders with a chance to see how attackers operate and what tools they use. DNS sinkholes provide false information to malicious software, redirecting queries about command and control systems to allow remediation. Darknets are segments of unused network space that are monitored to detect traffic— since legitimate traffic should never be aimed at the darknet, this can be used to detect attacks and other unwanted traffic.


Redundant systems, particularly when run in multiple locations and with other protections to ensure uptime, can help provide availability. An authenticated, or credentialed, scan provides the most detailed view of the system. Black-box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow. When reading the CVSS 3. Here, N means network. Confidentiality (C), Integrity (I), and Availability (A) are listed at the end of the listing, and all three are rated as High in this CVSS rating. When Alice encounters a false positive error in her scans, her first action should be to verify it. This may involve running a more in-depth scan like an authenticated scan, but could also involve getting assistance from system administrators, checking documentation, or other validation actions.


Once she is done, she should document the exception so that it is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an authenticated scan might help but does not cover all of the possibilities for validation she may need to use. The Containment, Eradication, and Recovery phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase. Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches.


Active monitoring sends traffic like pings to remote devices as part of the monitoring process. RMON and NetFlow are both examples of router-based monitoring, whereas network taps allow passive monitoring. Regular traffic from compromised systems to command and control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made-up term, and probing is part of scanning behavior in some cases. The df command is used to show the amount of free and used disk space. Each of the other commands can show information about memory usage in Linux. FTK, EnCase, and dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.


Slack space is the space left when a file is written. Since the space may have previously been filled by another file, file fragments are likely to exist and be recoverable. The reserved space maintained by drives for wear leveling for SSDs or to replace bad blocks for spinning disks may contain data, but again, this was not part of her task. Sandboxes are used to isolate attackers, malicious code, and other untrusted applications. They allow defenders to monitor and study behavior in the sandbox without exposing systems or networks to potential attacks or compromise. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. NIST SP defines three levels of action of increasing severity: clear, purge, and destroy. In this case, purging, which uses technical means to make data infeasible to recover, is appropriate for a high-security device.


Destruction might be preferable, but the reuse element of the question rules this out. Reinstallation is not an option in the NIST guidelines, and clearing is less secure. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation. The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to implement security and privacy controls for student educational records.


HIPAA covers security and privacy for healthcare providers, health insurers, and health information clearinghouses; GLBA covers financial institutions; and SOX applies to financial records of publicly traded companies. Fire suppression systems are physical controls. Logical controls are technical controls that enforce confidentiality, integrity, and availability. Administrative controls are procedural controls, and operational controls are not a type of security control as used in security design. Lauren should implement separation of duties in a way that ensures that Danielle and Alex cannot abuse their rights without a third party being involved. This will allow review of their actions and should result in any issues being discovered.


Kerberos is designed to run on untrusted networks and encrypts authentication traffic by default. LDAP and RADIUS can be encrypted but are not necessarily encrypted by default, and LDAP has limitations as an authentication mechanism. The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation.

Cybersecurity analysts are responsible for protecting the confidentiality, integrity, and availability of information and information systems used by their organizations. Fulfilling this responsibility requires a commitment to a defense-in-depth approach to information security that uses multiple, overlapping security controls to achieve each cybersecurity objective. It also requires that analysts have a strong understanding of the threat environment facing their organization in order to develop a set of controls capable of rising to the occasion and answering those threats.


In the first section of this chapter, you will learn how to assess the cybersecurity threats facing your organization and determine the risk that they pose to the confidentiality, integrity, and availability of your operations. In the sections that follow, you will learn about some of the controls that you can put in place to secure networks and endpoints and evaluate the effectiveness of those controls over time. Although protecting sensitive information from unauthorized disclosure is certainly one element of a cybersecurity program, it is important to understand that cybersecurity actually has three complementary objectives, as shown in Figure 1.


Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Cybersecurity professionals develop and implement security controls, including firewalls, access control lists, and encryption, to prevent unauthorized access to information. Attackers may seek to undermine confidentiality controls to achieve one of their goals: the unauthorized disclosure of sensitive information. Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Integrity controls, such as hashing and integrity monitoring solutions, seek to enforce this requirement. Integrity threats may come from attackers seeking the alteration of information without authorization or nonmalicious sources, such as a power spike causing the corruption of information.


Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them. Availability controls, such as fault tolerance, clustering, and backups, seek to ensure that legitimate users may gain access as needed. Similar to integrity threats, availability threats may come either from attackers seeking the disruption of access or nonmalicious sources, such as a fire destroying a datacenter that contains valuable information or services. Cybersecurity analysts often refer to these three goals, known as the CIA Triad, when performing their work. They often characterize risks, attacks, and security controls as meeting one or more of the three CIA Triad goals when describing them.


Evaluating Security Risks

Cybersecurity risk analysis is the cornerstone of any information security program. Analysts must take the time to thoroughly understand their own technology environments and the external threats that jeopardize their information security. A well-rounded cybersecurity risk assessment combines information about internal and external factors to help analysts understand the threats facing their organization and then design an appropriate set of controls to meet those threats. Before diving into the world of risk assessment, we must begin with a common vocabulary. You must know three important terms to communicate clearly with other risk analysts: vulnerabilities, threats, and risks. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. Vulnerabilities are internal factors that may be controlled by cybersecurity professionals.


For example, a web server that is running an outdated version of the Apache service may contain a vulnerability that would allow an attacker to conduct a denial-of-service (DoS) attack against the websites hosted on that server, jeopardizing their availability. Cybersecurity professionals within the organization have the ability to remediate this vulnerability by upgrading the Apache service to the most recent version that is not susceptible to the DoS attack. A threat in the world of cybersecurity is an outside force that may exploit a vulnerability. For example, a hacker who would like to conduct a DoS attack against a website and knows about an Apache vulnerability poses a clear cybersecurity threat. Although many threats are malicious in nature, this is not necessarily the case. For example, an earthquake may also disrupt the availability of a website by damaging the datacenter containing the web servers.


Earthquakes clearly do not have malicious intent. In most cases, cybersecurity professionals cannot do much to eliminate a threat. Hackers will hack and earthquakes will strike whether we like it or not. A risk is the combination of a threat and a corresponding vulnerability. Both of these factors must be present before a situation poses a risk to the security of an organization. Similarly, a datacenter may be vulnerable to earthquakes because the walls are not built to withstand the extreme movements present during an earthquake, but it may be located in a region of the world where earthquakes do not occur. The datacenter may be vulnerable to earthquakes but there is little to no threat of earthquake in its location, so there is no risk.


Instead, it is meant to demonstrate the fact that risks exist only when there is both a threat and a corresponding vulnerability that the threat might exploit. If either the threat or vulnerability is zero, the risk is also zero. Organizations should routinely conduct risk assessments to take stock of their existing risk landscape. The National Institute of Standards and Technology (NIST) publishes a guide for conducting risk assessments that is widely used throughout the cybersecurity field as a foundation for risk assessments. The document, designated NIST Special Publication (SP) , suggests the risk assessment process shown in Figure 1.


Source: NIST SP

Identify Threats

Organizations begin the risk assessment process by identifying the types of threats that exist in their threat environment. Although some threats, such as malware and spam, affect all organizations, other threats are targeted against specific types of organizations. For example, government-sponsored advanced persistent threat (APT) attackers typically target government agencies, military organizations, and companies that operate in related fields. It is unlikely that an APT attacker would target an elementary school. NIST identifies four different categories of threats that an organization might face and should consider in its threat identification process:

Adversarial threats are individuals, groups, and organizations that are attempting to deliberately undermine the security of an organization.


Adversaries may include trusted insiders, competitors, suppliers, customers, business partners, or even nation-states. When evaluating an adversarial threat, cybersecurity analysts should consider the capability of the threat actor to engage in attacks, the intent of the threat actor, and the likelihood that the threat will target the organization. Accidental threats occur when individuals doing their routine work mistakenly perform an action that undermines security. For example, a system administrator might accidentally delete a critical disk volume, causing a loss of availability. When evaluating an accidental threat, cybersecurity analysts should consider the possible range of effects that the threat might have on the organization. Structural threats occur when equipment, software, or environmental controls fail due to the exhaustion of resources (such as running out of gas), exceeding their operational capability (such as operating in extreme heat), or simply failing due to age.


Structural threats may come from IT components (such as storage, servers, and network devices), environmental controls (such as power and cooling infrastructure), and software (such as operating systems and applications). When evaluating a structural threat, cybersecurity analysts should consider the possible range of effects that the threat might have on the organization. Environmental threats occur when natural or man-made disasters occur that are outside the control of the organization. These might include fires, flooding, severe storms, power failures, or widespread telecommunications disruptions. The nature and scope of the threats in each of these categories will vary depending on the nature of the organization, the composition of its technology infrastructure, and many other situation-specific circumstances.


The Insider Threat

When performing a threat analysis, cybersecurity professionals must remember that threats come from both external and internal sources. In addition to the hackers, natural disasters, and other threats that begin outside the organization, rogue employees, disgruntled team members, and incompetent administrators also pose a significant threat to enterprise cybersecurity. As an organization designs controls, it must consider both internal and external threats.

NIST SP provides a great deal of additional information to help organizations conduct risk assessments, including detailed tasks associated with each of these steps. Chapters 3 and 4 of this book focus extensively on the identification and management of vulnerabilities.

Determine Likelihood, Impact, and Risk

After identifying the threats and vulnerabilities facing an organization, risk assessors next seek out combinations of threat and vulnerability that pose a risk to the confidentiality, integrity, or availability of enterprise information and systems.


This requires assessing both the likelihood that a risk will materialize and the impact that the risk will have on the organization if it does occur. When determining the likelihood of a risk occurring, analysts should consider two factors. First, they should assess the likelihood that the threat source will initiate the risk. In the case of an adversarial threat source, this is the likelihood that the adversary will execute an attack against the organization. In the case of accidental, structural, or environmental threats, it is the likelihood that the threat will occur. After considering each of these criteria, risk assessors assign an overall likelihood rating.


Risk assessors evaluate the impact of a risk using a similar rating scale. This evaluation should assume that a threat actually does take place and cause a risk to the organization and then attempt to identify the magnitude of the adverse impact that the risk will have on the organization. When evaluating this risk, it is helpful to refer to the three objectives of cybersecurity shown in Figure 1. Risk assessments also may use quantitative techniques that numerically assess the likelihood and impact of risks.


After assessing the likelihood and impact of a risk, risk assessors then combine those two evaluations to determine an overall risk rating. This may be as simple as using a matrix similar to the one shown in Figure 1. For example, an organization might decide that the likelihood of a hacker attack is medium whereas the impact would be high. Looking this combination up in Figure 1. Similarly, if an organization assesses the likelihood of a flood as medium and the impact as low, a flood scenario would have an overall risk of low.

Reviewing Controls

Cybersecurity professionals use risk management strategies, such as risk acceptance, risk avoidance, risk mitigation, and risk transference, to reduce the likelihood and impact of risks identified during risk assessments.


The most common way that organizations manage security risks is to develop sets of technical and operational security controls that mitigate those risks to acceptable levels. Examples of technical controls include building a secure network and implementing endpoint security, two topics discussed later in this chapter. Operational controls are practices and procedures that bolster cybersecurity. Examples of operational controls include conducting penetration testing and using reverse engineering to analyze acquired software. These two topics are also discussed later in this chapter. To help mitigate these risks, organizations should focus on building secure networks that keep attackers at bay. Examples of the controls that an organization may use to contribute to building a secure network include network access control (NAC) solutions; network perimeter security controls, such as firewalls; network segmentation; and the use of deception as a defensive measure.


When a new device wishes to gain access to a network, either by connecting to a wireless access point or plugging into a wired network port, the network challenges that device to authenticate. A special piece of software, known as a supplicant, resides on the device requesting to join the network. The supplicant communicates with a service known as the authenticator that runs on either the wireless access point or the network switch. The authenticator does not have the information necessary to validate the user itself, so it passes access requests along to an authentication server using the RADIUS protocol.


If the user correctly authenticates and is authorized to access the network, the switch or access point then joins the user to the network. If the user does not successfully complete this process, the device is denied access to the network or may be assigned to a special quarantine network for remediation. There are many different NAC solutions available on the market, and they differ in two major ways:

Agent-Based vs. Agentless: Agent-based solutions, such as Agentless approaches to NAC conduct authentication in the web browser and do not require special software.

In-Band vs. Out-of-Band: In-band or inline NAC solutions use dedicated appliances that sit in between devices and the resources that they wish to access. They deny or limit network access to devices that do not pass the NAC authentication process. Out-of-band NAC solutions, such as

NAC solutions are often used simply to limit access to authorized users based on those users successfully authenticating, but they may also make network admission decisions based on other criteria.


Some of the criteria used by NAC solutions include:

Time of Day: Users may be authorized to access the network only during specific time periods, such as during business hours.

Role: Users may be assigned to particular network segments based on their role in the organization. For example, a college might assign faculty and staff to an administrative network that may access administrative systems while assigning students to an academic network that does not allow such access.

Location: Users may be granted or denied access to network resources based on their physical location. For example, access to the datacenter network may be limited to systems physically present in the datacenter.

System Health: NAC solutions may use agents running on devices to obtain configuration information from the device.
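An added example, not taken from the study guide, of how an NAC policy engine might combine the criteria listed above (time of day, role, location, and agent-reported system health) into a single admission decision. The rule base, role and segment names, and posture keys are constructed for the illustration and modelled on the college scenario in the text; a device that matches a rule but fails its health check is sent to a quarantine segment rather than being silently admitted by a later, weaker rule.

```python
from dataclasses import dataclass
from datetime import time


@dataclass
class Device:
    """What the NAC system learns about a device during admission (constructed attributes)."""
    user: str
    role: str                 # role assigned to the user in the directory
    location: str             # where the device physically connected
    posture: dict             # agent-reported health, e.g. {"av_current": True, "patched": True}
    authenticated: bool = False   # result reported back by the authentication server


@dataclass
class Rule:
    """One admission rule: any combination of role, location, time window and health checks."""
    name: str
    roles: set
    locations: set
    window: tuple             # (start, end) local times during which the rule applies
    required_posture: dict    # keys the device's posture report must match exactly
    segment: str              # network segment assigned when the rule matches


QUARANTINE = "quarantine"     # remediation network for devices that fail health checks

# Constructed rule base modelled on the college example in the text.
POLICY = [
    Rule("admins-in-datacenter", {"sysadmin"}, {"datacenter"},
         (time(0, 0), time(23, 59, 59)), {"av_current": True, "patched": True}, "datacenter-admin"),
    Rule("staff-business-hours", {"faculty", "staff"}, {"campus"},
         (time(8, 0), time(18, 0)), {"av_current": True}, "administrative"),
    Rule("students", {"student"}, {"campus", "dormitory"},
         (time(0, 0), time(23, 59, 59)), {"av_current": True}, "academic"),
]


def posture_ok(required, reported):
    """Every required posture key must be present and equal; a missing key fails the check."""
    return all(reported.get(key) == value for key, value in required.items())


def admit(device, now, policy=POLICY):
    """Return (decision, segment): ('allow', segment), ('quarantine', QUARANTINE) or ('deny', None).

    Rules are evaluated in order; the first rule whose role, location and time window
    match decides. If that rule's health checks fail, the device is quarantined rather
    than falling through to a later rule."""
    if not device.authenticated:
        return "deny", None          # authentication server rejected the user
    for rule in policy:
        if device.role not in rule.roles or device.location not in rule.locations:
            continue
        if not rule.window[0] <= now <= rule.window[1]:
            continue
        if not posture_ok(rule.required_posture, device.posture):
            return "quarantine", QUARANTINE
        return "allow", rule.segment
    return "deny", None              # default deny: no rule admits this device


if __name__ == "__main__":
    laptop = Device("jdoe", "faculty", "campus", {"av_current": True}, authenticated=True)
    print(admit(laptop, time(10, 0)))   # business hours: admitted to the administrative segment
    print(admit(laptop, time(20, 0)))   # outside the window: denied
```

The decision function is deliberately order-dependent and ends in a default deny, the same posture a firewall rule base takes; when a device fails only the health portion of an otherwise matching rule, quarantine is the right outcome because the user has already proved who they are and the problem is the endpoint's state.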


Administrators may create NAC rules that limit access based on any combination of these characteristics. Network Admission Control is a proprietary name used by Cisco for its network access control solutions.

Network firewalls sit at the boundaries between networks and provide perimeter security. Much like a security guard might control the physical perimeter of a building, the network firewall controls the electronic perimeter. Firewalls are typically configured in the triple-homed fashion illustrated in Figure 1. Triple-homed simply means that the firewall connects to three different networks. The firewall in Figure 1. Any traffic that wishes to pass from one zone to another, such as between the Internet and the internal network, must pass through the firewall. The DMZ is a special network zone designed to house systems that receive connections from the outside world, such as web and email servers. Sound firewall designs place these systems on an isolated network where, if they become compromised, they pose little threat to the internal network because connections between the DMZ and the internal network must still pass through the firewall and are subject to its security policy.


This rule base is an access control list (ACL) that identifies the types of traffic permitted to pass through the firewall. The rules used by the firewall typically specify the source and destination IP addresses for traffic as well as the destination port corresponding to the authorized service. A list of common ports appears in Table 1. Firewalls follow the default deny principle, which says that if there is no rule explicitly allowing a connection, the firewall will deny that connection. Table 1. Packet filtering firewall capabilities are typically found in routers and other network devices and are very rudimentary firewalls. Stateful inspection firewalls go beyond packet filters and maintain information about the state of each connection passing through the firewall. These are the most basic firewalls sold as stand-alone products. Next-generation firewalls (NGFWs) incorporate even more information into their decision-making process, including contextual information about users, applications, and business processes.
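As an added example (written for this page, not the book's code), the block below contrasts a stateless packet filter with stateful inspection over the same rule base: the first matching rule wins, anything unmatched is denied, and the stateful variant admits reply packets only for connections the rule base already allowed. The addresses, rule set, and zone layout are constructed to mirror the triple-homed Internet/DMZ/internal design described above; the DMZ uses the 203.0.113.0/24 documentation range and the internal network 10.0.0.0/8.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True          # True for a connection request, False for a mid-stream packet


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source network in CIDR notation
    dst: str                  # destination network in CIDR notation
    dport: Optional[int]      # destination port, or None for any port
    proto: str = "tcp"

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and self.proto == pkt.proto)


# Constructed rule base for a triple-homed firewall: Internet, DMZ and internal network.
RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443),    # Internet -> DMZ web server (HTTPS)
    Rule("allow", "0.0.0.0/0", "203.0.113.20/32", 25),     # Internet -> DMZ mail server (SMTP)
    Rule("allow", "203.0.113.20/32", "10.0.5.5/32", 389),  # mail server -> internal directory only
    Rule("deny", "203.0.113.0/24", "10.0.0.0/8", None),    # nothing else from the DMZ into internal
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", None),        # internal hosts may initiate outbound
]


def packet_filter(pkt, rules=RULES):
    """Stateless packet filter: first matching rule wins; with no match, default deny applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remembers connections the rule base admitted, so reply packets
    are accepted without a reverse-direction rule and stray mid-stream packets are dropped."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()   # (src, sport, dst, dport, proto) of admitted connections

    def inspect(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if forward in self.connections or reverse in self.connections:
            return "allow"                    # part of an established connection
        if not pkt.syn:
            return "deny"                     # no tracked connection: drop the stray packet
        decision = packet_filter(pkt, self.rules)
        if decision == "allow":
            self.connections.add(forward)
        return decision


if __name__ == "__main__":
    fw = StatefulFirewall()
    request = Packet("198.51.100.7", 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "198.51.100.7", 51000, syn=False)
    print("request:", fw.inspect(request), "| reply (stateful):", fw.inspect(reply),
          "| reply (stateless):", packet_filter(reply))
```

The difference the text draws between the two firewall types shows up in the reply packet: the stateless filter has no rule permitting DMZ-to-Internet traffic and denies it, while the stateful firewall recognises it as the second half of an admitted connection. The explicit DMZ-to-internal deny before the broad internal-outbound allow is also worth noting, since rule order decides the outcome.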


They are the current state-of-the-art in network firewall protection and are quite expensive compared to stateful inspection devices. Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting. This principle certainly applies to the example shown in Figure 1. The same principle may be applied to further segment the internal network into different zones of trust. For example, imagine an organization that has several hundred employees and a large datacenter located in its corporate headquarters.


The datacenter may house many sensitive systems, such as database servers that contain sensitive employee information, business plans, and other critical information assets. In this common example, security professionals would want to segment the datacenter network so that it is not directly accessible by systems on the corporate network. This can be accomplished using a firewall, as shown in Figure 1. The network shown in Figure 1. The concept is identical, except in this case the firewall is protecting the perimeter of the datacenter from the less trusted corporate network. Notice that the network in Figure 1. The purpose of this server is to act as a secure transition point between the corporate network and the datacenter network, providing a trusted path between the two zones. System administrators who need to access the datacenter network should not connect their laptops directly to the datacenter network but should instead initiate an administrative connection to the jump box, using secure shell (SSH), the Remote Desktop Protocol (RDP), or a similar secure remote administration protocol.


After successfully authenticating to the jump box, they may then connect from the jump box to the datacenter network, providing some isolation between their own systems and the datacenter network. Connections to the jump box should be carefully controlled and protected with strong multifactor authentication technology. Jump boxes may also be used to serve as a layer of insulation against systems that may only be partially trusted.

Defense through Deception

Cybersecurity professionals may wish to go beyond typical security controls and engage in active defensive measures that actually lure attackers to specific targets and seek to monitor their activity in a carefully controlled environment.


Honeypots are systems designed to appear to attackers as lucrative targets due to the services they run, vulnerabilities they contain, or sensitive information that they appear to host. The reality is that honeypots are designed by cybersecurity experts to falsely appear vulnerable and fool malicious individuals into attempting an attack against them. Honeypots may also be used to feed network blacklists, blocking all inbound activity from any IP address that attacks the honeypot. DNS sinkholes feed false information to malicious software that works its way onto the enterprise network. When a compromised system attempts to obtain information from a DNS server about its command-and-control server, the DNS server detects the suspicious request and, instead of responding with the correct answer, responds with the IP address of a sinkhole system designed to detect and remediate the botnet-infected system.
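An added example of the DNS sinkhole logic just described, written for this page rather than taken from the study guide. The resolver answers queries for listed command-and-control domains (and any name beneath them) with the address of an internal sinkhole host and records which client asked, which is exactly the list an analyst would use to find and remediate infected systems. The domain names, addresses, and upstream records are all constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

SINKHOLE_IP = "10.99.99.99"          # constructed: address of the internal sinkhole/remediation host

# Constructed blocklist of command-and-control domains (made-up names, not real indicators).
C2_DOMAINS = {"c2.example-malware.test", "beacon.bad-update.test"}

# Constructed stand-in for normal upstream resolution (documentation-range addresses).
UPSTREAM_RECORDS = {"www.example.com": "192.0.2.10", "intranet.corp.test": "10.0.1.20"}


@dataclass(frozen=True)
class Query:
    client_ip: str     # the internal host that asked
    qname: str         # domain name being looked up


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


class SinkholeResolver:
    """Answer queries for known C2 domains with the sinkhole address and record who asked,
    passing everything else to ordinary resolution."""

    def __init__(self, blocklist, upstream=UPSTREAM_RECORDS):
        self.blocklist = {normalize(d) for d in blocklist}
        self.upstream = upstream
        self.hits = defaultdict(list)          # client_ip -> sinkholed names it requested

    def is_blocked(self, name):
        # match the listed domain and any label beneath it; malware often varies host labels
        return any(name == d or name.endswith("." + d) for d in self.blocklist)

    def resolve(self, query):
        name = normalize(query.qname)
        if self.is_blocked(name):
            self.hits[query.client_ip].append(name)
            return SINKHOLE_IP
        return self.upstream.get(name, "NXDOMAIN")

    def infected_hosts(self):
        """Hosts that tried to reach a C2 domain, with the distinct names each asked for."""
        return {ip: sorted(set(names)) for ip, names in self.hits.items()}


if __name__ == "__main__":
    resolver = SinkholeResolver(C2_DOMAINS)
    for q in [Query("10.1.2.3", "www.example.com"), Query("10.1.2.3", "c2.example-malware.test"),
              Query("10.1.2.4", "x7.beacon.bad-update.test")]:
        print(q.client_ip, q.qname, "->", resolver.resolve(q))
    print("hosts to remediate:", resolver.infected_hosts())
```

Two details matter in practice and are handled here: names are normalised before matching so case or a trailing dot cannot bypass the list, and subdomain matching uses a label boundary, so a lookalike such as notbeacon.bad-update.test is not treated as beacon.bad-update.test.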


Secure Endpoint Management

Laptop and desktop computers, tablets, smartphones, and other endpoint devices are a constant source of security threats on a network. These systems interact directly with end users and require careful configuration management to ensure that they remain secure and do not serve as the entry point for a security vulnerability on enterprise networks. Fortunately, by taking some simple security precautions, technology professionals can secure these devices against most attacks.

Hardening System Configurations

Operating systems are extremely complex pieces of software designed to perform thousands of different functions. The large code bases that make up modern operating systems are a frequent source of vulnerabilities, as evidenced by the frequent security patches issued by operating system vendors.


One of the most important ways that system administrators can protect endpoints is by hardening their configurations, making them as attack-resistant as possible. This includes disabling any unnecessary services or ports on the endpoints to reduce their susceptibility to attack, ensuring that secure configuration settings exist on devices, and centrally controlling device security settings.

Patch Management

System administrators must maintain current security patch levels on all operating systems and applications under their care. Once the vendor releases a security patch, attackers are likely already aware of a vulnerability and may immediately begin preying on susceptible systems.


The longer an organization waits to apply security patches, the more likely it becomes that they will fall victim to an attack. That said, enterprises should always test patches prior to deploying them on production systems and networks. Fortunately, patch management software makes it easy to centrally distribute and monitor the patch level of systems throughout the enterprise.

Compensating Controls

In some cases, security professionals may not be able to implement all of the desired security controls due to technical, operational, or financial reasons. For example, an organization may not be able to upgrade the operating system on retail point-of-sale terminals due to an incompatibility with the point-of-sale software. In these cases, security professionals should seek out compensating controls designed to provide a similar level of security using alternate means.


In the point-of-sale example, administrators might place the point-of-sale terminals on a segmented, isolated network and use intrusion prevention systems to monitor network traffic for any attempt to exploit an unpatched vulnerability and block it from reaching the vulnerable host. This meets the same objective of protecting the point-of-sale terminal from compromise and serves as a compensating control.

Group Policies

Group Policies provide administrators with an efficient way to manage security and other system configuration settings across a large number of devices. For example, the Group Policy Object (GPO) shown in Figure 1. is configured to require the use of Windows Firewall and block all inbound connections. Administrators may use GPOs to control a wide variety of Windows settings and create different policies that apply to different classes of system.

Administrators should also deploy endpoint security software on every device. At a minimum, this should include antivirus software designed to scan the system for signs of malicious software that might jeopardize the security of the endpoint.


Administrators may also choose to install host firewall software that serves as a basic firewall for that individual system, complementing network-based firewall controls, or host intrusion prevention systems (HIPSs) that block suspicious network activity. Endpoint security software should report its status to a centralized management system that allows security administrators to monitor the entire enterprise from a single location.

Mandatory Access Controls

In highly secure environments, administrators may opt to implement a mandatory access control (MAC) approach to security. In a MAC system, administrators set all security permissions, and end users cannot modify those permissions.


This stands in contrast to the discretionary access control (DAC) model found in most modern operating systems, where the owner of a file or resource controls the permissions on that resource and can delegate them at his or her discretion. Full MAC systems are unwieldy and, therefore, are rarely used outside of very sensitive government and military applications, although label-based mandatory controls are now enforced by default on mainstream platforms such as Android and Red Hat Enterprise Linux. Security Enhanced Linux (SELinux), a set of Linux kernel security extensions originally developed by the U.S. National Security Agency, is the best-known example of a system that enforces mandatory access controls.

Penetration Testing

In addition to bearing responsibility for the design and implementation of security controls, cybersecurity analysts are responsible for monitoring the ongoing effectiveness of those controls. Penetration testing is one of the techniques they use to fulfill this obligation. During a penetration test, the testers simulate an attack against the organization using the same information, tools, and techniques available to real attackers.


They seek to gain access to systems and information and then report their findings to management. In the case of internal tests, they require highly skilled individuals and are quite time-consuming. External tests mitigate these concerns but are often quite expensive to conduct. NIST divides penetration testing into the four phases shown in Figure 1. (Source: NIST SP, Technical Guide to Information Security Testing and Assessment.)

Planning a Penetration Test

The planning phase of a penetration test lays the administrative groundwork for the test. No technical work is performed during the planning phase, but it is a critical component of any penetration test. There are three important rules of engagement to finalize during the planning phase:

Timing: When will the test take place? Will technology staff be informed of the test? Can it be timed to have as little impact on business operations as possible?

Scope: What is the agreed-upon scope of the penetration test? Are any systems, networks, personnel, or business processes off-limits to the testers?

Authorization: Who is authorizing the penetration test to take place? What should testers do if they are confronted by an employee or other individual who notices their suspicious activity?

These details are administrative in nature, but it is important to agree on them up front and in writing to avoid problems during and after the penetration test. You should never conduct a penetration test without permission. Not only is an unauthorized test unethical, it may be illegal.

Conducting Discovery

The technical work of the penetration test begins during the discovery phase, when testers conduct reconnaissance and gather as much information as possible about the targeted network, systems, users, and applications.


This may include conducting reviews of publicly available material, performing port scans of systems, using network vulnerability scanners and web application testers to probe for vulnerabilities, and performing other information gathering. Vulnerability scanning is an important component of penetration testing. This topic is covered extensively in Chapters 3 and 4.

Testers often follow the NIST attack process shown in Figure 1. (Source: NIST SP, Technical Guide to Information Security Testing and Assessment.) In this process, attackers use the information gathered during the discovery phase to gain initial access to a system. Once they establish a foothold, they then seek to escalate their access until they gain complete administrative control of the system. From there, they can scan for additional systems on the network, install additional penetration testing tools, and begin the cycle anew, seeking to expand their footprint within the targeted organization.


They continue this cycle until they exhaust the possibilities or the time allotted for the test expires. The attack phase of a penetration test is also known as the exploitation phase. Questions on the exam referring to test execution, the attack phase, and the exploitation phase are all referring to the same thing.

Communicating Penetration Test Results

At the conclusion of the penetration test, the testers prepare a detailed report communicating the access they were able to achieve and the vulnerabilities they exploited to gain this access.


The results of penetration tests are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. Penetration testing reports typically contain detailed appendixes that include the results of various tests and may be shared with system administrators responsible for remediating issues.

Training and Exercises

In addition to performing penetration tests, some organizations choose to run wargame exercises that pit teams of security professionals against each other in a cyberdefense scenario.


These exercises are typically performed in simulated environments, rather than on production networks, and seek to improve the skills of security professionals on both sides by exposing them to the tools and techniques used by attackers. Three teams are involved in most cybersecurity wargames:

The red team plays the role of the attacker and uses reconnaissance and exploitation tools to attempt to gain access to the protected network.

The blue team is responsible for securing the targeted environment and keeping the red team out by building, maintaining, and monitoring a comprehensive set of security controls.

The white team coordinates the exercise and serves as referee, arbitrating disputes between the teams, maintaining the technical environment, and monitoring the results.

Cybersecurity wargames can be an effective way to educate security professionals on modern attack and defense tactics.

Reverse Engineering

In many cases, vendors do not release the details of how hardware and software work.


In these situations, security professionals may be in the dark about the security of their environments. Reverse engineering is a technique used to work backward from a finished product to figure out how it works. Security professionals sometimes use reverse engineering to learn the inner workings of suspicious software or to inspect the integrity of hardware. Reverse engineering uses a philosophy known as decomposition, where the reverse engineer starts with the finished product and works his or her way back to its component parts.

Isolation and Sandboxing

One of the most dangerous threats to the security of modern organizations is customized malware developed by advanced persistent threat (APT) actors who create specialized tools designed to penetrate a single target. Since these tools have never been used before, they are not detectable with the signature-detection technology used by traditional antivirus software. Sandboxing is an approach used to detect malicious software based on its behavior rather than its signature.


Sandboxing systems watch hosts and the network for unknown pieces of code and, when they detect an application that has not been seen before, immediately isolate that code in a special environment known as a sandbox, where it does not have access to any other systems or applications. The sandboxing solution then executes the code and watches how it behaves, checking to see if it begins scanning the network for other systems, gathering sensitive information, communicating with a command-and-control server, or performing any other potentially malicious activity.
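The behavioral checks just described, as an added example that is not part of the study guide or of any sandbox product: a small Python triage routine run over a constructed event log of the kind a sandbox records while detonating a sample. The event shape (timestamp, kind, details), the thresholds, and the list of credential-store paths are my own assumptions.

```python
"""Behavioral triage of a detonated sample. Added example, not code from the
study guide or any sandbox product. The event log is constructed by hand to
mimic what a sandbox records while running an unknown executable; the event
shape (timestamp, kind, details) and the thresholds are my own choices."""
from collections import defaultdict
from statistics import mean, pstdev

# Path fragments whose reads by an unknown program suggest credential theft.
# Illustrative list, not exhaustive.
SENSITIVE_PATH_FRAGMENTS = (
    "\\config\\sam", "\\config\\security", "ntds.dit",
    "\\login data", "\\.ssh\\id_", "/.ssh/id_", "/etc/shadow",
)

def detect_scan(events, min_hosts=8, window=5.0):
    """Port-scan-like burst: >= min_hosts distinct destinations on one port
    inside any `window`-second span."""
    by_port = defaultdict(list)
    for ts, kind, d in events:
        if kind == "connect":
            by_port[d["port"]].append((ts, d["dst"]))
    findings = []
    for port, conns in by_port.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            hosts = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                findings.append(f"scan: {len(hosts)} hosts on tcp/{port} within {window:g}s")
                break
    return findings

def detect_beacon(events, min_connections=4, max_jitter=0.2):
    """Beaconing: repeated connections to one destination at near-constant
    intervals (standard deviation of the gaps <= max_jitter * mean gap)."""
    by_dst = defaultdict(list)
    for ts, kind, d in events:
        if kind == "connect":
            by_dst[(d["dst"], d["port"])].append(ts)
    findings = []
    for (dst, port), times in sorted(by_dst.items()):
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            findings.append(f"beacon: {len(times)} connections to {dst}:{port} every ~{avg:.0f}s")
    return findings

def detect_credential_access(events):
    """Reads of well-known credential stores."""
    return [f"credential access: read {d['path']}"
            for _, kind, d in events
            if kind == "file_read"
            and any(frag in d["path"].lower() for frag in SENSITIVE_PATH_FRAGMENTS)]

def triage(events):
    """Combine the checks; two or more distinct behaviour classes -> malicious."""
    indicators = detect_scan(events) + detect_beacon(events) + detect_credential_access(events)
    classes = {ind.split(":", 1)[0] for ind in indicators}
    verdict = "malicious" if len(classes) >= 2 else "suspicious" if classes else "benign"
    return {"verdict": verdict, "indicators": indicators}

# Constructed log of one detonation: (seconds since start, kind, details)
SAMPLE_EVENTS = [
    (0.0, "process", {"image": "C:\\Users\\lab\\sample.exe"}),
    (0.5, "file_read", {"path": "C:\\Users\\lab\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}),
    (0.7, "file_read", {"path": "C:\\Windows\\System32\\config\\SAM"}),
    # 12 neighbours on tcp/445 in just over a second: lateral-movement scan
    *[(1.0 + 0.1 * i, "connect", {"dst": f"10.0.0.{10 + i}", "port": 445}) for i in range(12)],
    # same external host every 30 s: command-and-control check-in
    *[(5.0 + 30.0 * i, "connect", {"dst": "203.0.113.7", "port": 443}) for i in range(6)],
]

# Constructed log of a harmless program for comparison
BENIGN_EVENTS = [
    (0.0, "process", {"image": "C:\\Users\\lab\\notepad.exe"}),
    (0.3, "file_read", {"path": "C:\\Users\\lab\\Documents\\notes.txt"}),
    (1.0, "connect", {"dst": "10.0.0.5", "port": 443}),
]

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, triage(log))
```

The three checks map directly to the behaviors the text names: a burst of connections to many hosts on one port (scanning), regular check-ins to a single destination (command-and-control beaconing), and reads of credential stores (gathering sensitive information). Production sandboxes score many more indicators and must also defeat malware that detects the sandbox and stays dormant, but the pattern of observe, classify, and score is the same.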


Executing the code in this way, a process also known as code detonation, is an example of an automated reverse engineering technique that takes action based on the observed behavior of software.

Depending on the programming language, the computer may process program code in one of two ways. In interpreted languages, such as Ruby and Python, the computer works directly from the source code. Reverse engineers seeking to analyze code written in interpreted languages can simply read through the code and often get a good idea of what the code is attempting to accomplish. In compiled languages, such as C and C++, a compiler first translates the source code into binary machine code. This binary code is what is often distributed to users of the software, and it is very difficult, if not impossible, to examine binary code alone and determine what it is doing, making the reverse engineering of compiled languages much more difficult. Technologists seeking to reverse engineer compiled code have two options. First, they can attempt to use a specialized program known as a decompiler to convert the binary code back to source code.


Unfortunately, this process often does not work very well. Decompilers for bytecode languages such as Java and C# recover source quite faithfully, but for natively compiled code the output loses variable names, comments, and much of the original structure and still requires expert interpretation. Second, they can instrument a specialized environment and carefully monitor how the software responds to different inputs in an attempt to discover its inner workings. In either case, reverse engineering compiled software is extremely difficult.

Fingerprinting Software

Although it is difficult to reverse engineer compiled code, technologists can easily detect whether two pieces of compiled code are identical or whether one has been modified. Hashing is a mathematical technique that analyzes a file and computes a unique fingerprint, known as a message digest or hash, for that file.
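A concrete version of the fingerprinting comparison discussed here, as an added example that is not code from the study guide: two constructed byte strings standing in for a compiled binary and a tampered copy, hashed with SHA-256 from Python's standard library. The sample bytes and the helper names are my own.

```python
"""Fingerprinting files with a cryptographic hash. Added example, not code
from the study guide. The two "files" are byte strings built inline (labelled
as constructed) so the script runs with nothing on disk; fingerprint_path()
applies the same digest to a real file."""
import hashlib
import hmac

CHUNK = 1 << 16  # 64 KiB: hash large images without loading them whole

def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex message digest of data, fed to the hash in chunks."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])
    return h.hexdigest()

def fingerprint_path(path: str, algorithm: str = "sha256") -> str:
    """Same digest computed over a file on disk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def same_content(a: bytes, b: bytes) -> bool:
    """Equal digests <=> equal content, barring a collision (infeasible for
    SHA-256). compare_digest runs in constant time, which matters when one
    side is a secret or a reference value supplied by a remote party."""
    return hmac.compare_digest(fingerprint(a), fingerprint(b))

def changed_digit_fraction(h1: str, h2: str) -> float:
    """Share of hex digits that differ between two digests. Unrelated SHA-256
    outputs differ in about 15/16 of their digits, so even a one-bit change in
    the input shows up as a completely different fingerprint."""
    return sum(c1 != c2 for c1, c2 in zip(h1, h2)) / len(h1)

# Constructed sample binaries: 1 KiB of bytes and a copy with one bit flipped
ORIGINAL = bytes(range(256)) * 4
_tampered = bytearray(ORIGINAL)
_tampered[500] ^= 0x01
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    print("original:", fingerprint(ORIGINAL))
    print("tampered:", fingerprint(TAMPERED))
    print("identical:", same_content(ORIGINAL, TAMPERED))
    print("digits changed:", changed_digit_fraction(fingerprint(ORIGINAL), fingerprint(TAMPERED)))
```

Only the content is hashed, so renaming a file or changing its timestamp does not change its fingerprint, while a single flipped bit produces a digest that shares almost nothing with the original. Publish reference digests over a trusted channel (a signed manifest, not the same download page as the binary) or an attacker who can swap the file can swap the hash too.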


Analysts using hash functions, such as the Secure Hash Algorithm (SHA), can compute the hashes of two files and compare the output values. If the hashes are identical, the file contents are identical (barring a hash collision, which is computationally infeasible to produce for modern functions such as SHA-256 but has been demonstrated for MD5 and SHA-1, so those older functions should not be relied on for this purpose). If the hashes differ, the two files contain at least one difference.

Although organizations may perform a physical inspection of hardware to detect tampering, it is important to verify that hardware has source authenticity, meaning that it comes from a trusted, reliable source, because it is simply too difficult to exhaustively test hardware. The U.S. government recognizes the difficulty of ensuring source authenticity and operates a trusted foundry program for critical defense systems.


The Department of Defense and National Security Agency (NSA) certify companies as trusted foundries that are approved to create sensitive integrated circuits for government use. Companies seeking trusted foundry status must show that they completely secure the production process, including design, prototyping, packaging, assembly, and other elements of the process. Reverse engineers seeking to determine the function of hardware use some of the same techniques used for compiled software, particularly when it comes to observing behavior. Operating a piece of hardware in a controlled environment and observing how it responds to different inputs provides clues to the functions performed in the hardware.


Reverse engineers may also seek to obtain documentation from original equipment manufacturers (OEMs) that provides insight into how components of a piece of hardware function.

Compromising Cisco Routers

According to NSA documents released by Edward Snowden, the U.S. government has engaged in reverse engineering of hardware designed to circumvent security. The documents describe agency personnel intercepting Cisco networking equipment while it was in transit to customers. They then opened the packages and inserted covert firmware into the devices that facilitated government monitoring.

Summary

Cybersecurity professionals are responsible for ensuring the confidentiality, integrity, and availability of information and systems maintained by their organizations. Together, these three goals are known as the CIA Triad. As cybersecurity analysts seek to protect their organizations, they must evaluate risks to the CIA Triad.


This includes identifying vulnerabilities, recognizing corresponding threats, and determining the level of risk that results from vulnerability and threat combinations. Analysts must then evaluate each risk and identify appropriate risk management strategies to mitigate or otherwise address the risk. Cybersecurity analysts mitigate risks using security controls designed to reduce the likelihood or impact of a risk. Network security controls include network access control (NAC) systems, firewalls, and network segmentation. Secure endpoint controls include hardened system configurations, patch management, Group Policies, and endpoint security software. By following a careful risk analysis and control process, analysts significantly enhance the confidentiality, integrity, and availability of information and systems under their control.

Exam Essentials

The three objectives of cybersecurity are confidentiality, integrity, and availability.


Cybersecurity risks result from the combination of a threat and a vulnerability. Cybersecurity threats may be categorized as adversarial, accidental, structural, or environmental. Adversarial threats are individuals, groups, and organizations that are attempting to deliberately undermine the security of an organization. Structural threats occur when equipment, software, or environmental controls fail due to the exhaustion of resources, because their operational capability is exceeded, or simply due to age. Networks are made more secure through the use of network access control, firewalls, and segmentation.


Network segmentation uses isolation to separate networks of differing security levels from each other. Endpoints are made more secure through the use of hardened configurations, patch management, Group Policy, and endpoint security software. Hardening configurations includes disabling any unnecessary services on the endpoints to reduce their susceptibility to attack, ensuring that secure configuration settings exist on devices, and centrally controlling device security settings. Patch management ensures that operating systems and applications are not susceptible to known vulnerabilities. Group Policy allows the application of security settings to many devices simultaneously, and endpoint security software protects against malicious software and other threats.


The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The results of penetration tests are valuable security planning tools, since they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. Reverse engineering techniques attempt to determine how hardware and software function internally. Sandboxing and hash fingerprinting are straightforward to apply, but other reverse engineering techniques are difficult to perform, are often unsuccessful, and are quite time-consuming.

Lab Exercises

Activity 1.

This lab requires access to a system running Windows Server or Windows Server R2.


Part 1: Verify that Windows Firewall is enabled

1. Open the Control Panel for your Windows Server.
2. Choose System And Security.
3. Under Windows Firewall, click Check Firewall Status.
4. Verify that the Windows Firewall state is set to On for Private networks.

Part 2: Create an inbound firewall rule that blocks file and printer sharing

1. Scroll down the list of applications and find File And Printer Sharing.
2. Uncheck the box to the left of that entry to block connections related to File And Printer Sharing.
3. Click OK to apply the setting.

Note: You should perform this lab on a test system. Disabling file and printer sharing on a production system may have undesired consequences.

Activity 1.

This lab requires access to a system running Windows Server or Windows Server R2 that is configured as a domain controller.

1. Open the Group Policy Management Console. If you do not find this console on your Windows Server, it is likely that it is not configured as a domain controller.
2. Expand the folder corresponding to your Active Directory forest.
3. Expand the Domains folder.
4. Expand the folder corresponding to your domain.
5. Right-click the Group Policy Objects folder and click New on the pop-up menu.
6. Name your new GPO Password Policy and click OK.
7. Right-click the new Password Policy GPO and choose Edit from the pop-up menu.
8. When Group Policy Editor opens, expand the Computer Configuration folder.
9. Expand the Policies folder.
10. Expand the Windows Settings folder.
11. Expand the Security Settings folder.
12. Expand the Account Policies folder.
13. Click on Password Policy.
14. Double-click Maximum password age.
15. In the pop-up window, select the Define This Policy Setting check box and set the expiration value to 90 days.
16. Click OK to close the window. Click OK to accept the suggested change to the minimum password age.
17. Double-click the Minimum Password Length option. As in the prior step, select the box to define the policy setting and set the minimum password length to 12 characters.
18. Double-click the Password Must Meet Complexity Requirements option. Select the box to define the policy setting and change the value to Enabled.

If you are a student, you may choose to create a plan for a penetration test of your school. Otherwise, you may choose any organization, real or fictitious, of your choice. Your penetration testing plan should cover the three main criteria required before initiating any penetration test: timing, scope, and authorization. One word of warning: You should not conduct a penetration test without permission of the network owner.


This assignment only asks you to design the test on paper.

Match each of the following terms with the correct definition.

Terms: Firewall, Decompiler, Antivirus, NAC, GPO, Hash, Honeypot, WAF

Definitions:
Determines what clients may access a wired or wireless network
Creates a unique fingerprint of a file
Filters network connections based upon source, destination, and port
System intentionally created to appear vulnerable
Attempts to recover source code from binary code
Scans a system for malicious software
Protects against SQL injection attacks
Deploys configuration settings to multiple Windows systems

Review Questions

1. Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?
A. Integrity
B. Nonrepudiation
C. Availability
D. Confidentiality

2. Tommy is assessing the security of several database servers in his datacenter and realizes that one of them is missing a critical Oracle security patch. What type of situation has Tommy detected?
A. Risk
B. Vulnerability
C. Hacker
D. Threat

3. Ben is preparing to conduct a cybersecurity risk assessment for his organization. If he chooses to follow the standard process proposed by NIST, which one of the following steps would come first?
A. Determine likelihood
B. Determine impact
C. Identify threats
D. Identify vulnerabilities

4. What type of threat is she considering?
A. Adversarial
B. Accidental
C. Structural
D. Environmental

5. Which one of the following categories of threat requires that cybersecurity analysts consider the capability, intent, and targeting of the threat source?
D. Environmental

6. What cybersecurity objective did this attack violate?
C. Integrity
D. Availability

7. Which one of the following is an example of an operational security control?
A. Encryption software
B. Network firewall
C. Antivirus software
D. Penetration tests

8. Paul recently completed a risk assessment and determined that his network was vulnerable to hackers connecting to open ports on servers. He implemented a network firewall to reduce the likelihood of a successful attack. What risk management strategy did Paul choose to pursue?
A. Risk mitigation
B. Risk avoidance
C. Risk transference
D. Risk acceptance

9. What technology can best assist him with this goal?
A. Network firewall
B. Network access control
C. Network segmentation
D. Virtual private network

10. When performing
EAP
C. PEAP
D. RADIUS

11. The wireless network uses
What type of agent must be running on the device for it to join this network?
A. Supplicant

CompTIA is a registered trademark of Computing Technology Industry Association, Inc. All other trademarks are the property of their respective owners.


The publisher is not associated with any product or vendor mentioned in this book.

I dedicate this book to my father, who was a role model of the value of hard work, commitment to family, and the importance of doing the right thing. Rest in peace, Dad.

We would especially like to thank senior acquisitions editor Kenyon Brown. We have worked with Ken on multiple projects and consistently enjoy our work with him. We also greatly appreciated the editing and production team for the book, including Kezia Endsley, our project editor, who brought years of experience and great talent to the project, Chris Crayton, our technical editor, who provided insightful advice and gave wonderful feedback throughout the book, Saravanan Dakshinamurthy, our production editor, who guided us through layouts, formatting, and final cleanup to produce a great book, and Liz Welch, our copy editor, who helped the text flow well.


We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product. Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers. Finally, we would like to thank our families and significant others who support us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Authors

Mike Chapple, Ph.D., is an information security professional with two decades of experience in higher education, the private sector, and government. Mike currently serves as Teaching Professor in the IT, Analytics, and Operations department at the University of Notre Dame's Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.


Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force. Mike is technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University.

David Seidl is Vice President for Information Technology and CIO at Miami University.


During his IT career, he has served in a variety of technical and information security roles, including serving as the Senior Director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's Director of Information Security and led Notre Dame's information security program.

He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist.


Chris has served as technical editor and content contributor on numerous technical titles for several of the leading publishing companies. He has also been recognized with many professional and teaching awards.

This book will help you to assess your knowledge before taking the exam, as well as provide a stepping-stone to further learning in areas where you may want to expand your skillset or expertise. CompTIA suggests that test takers have about four years of existing hands-on information security experience. You should also be familiar with at least some of the tools and techniques described in this book.


For up-to-the-minute updates covering additions or modifications to the CompTIA certification exams, as well as additional study tools, videos, practice questions, and bonus material, be sure to visit the Sybex website and forum at www.

CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. They are also recognized by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program.

The CySA+ exam focuses on security analytics and practical use of security tools in real-world scenarios. It covers five major domains: Threat and Vulnerability Management, Software and Systems Security, Security Operations and Monitoring, Incident Response, and Compliance and Assessment.


These five areas include a range of topics, from reconnaissance to incident response and forensics, while focusing heavily on scenario-based learning. Exam questions may include multiple types of questions such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems. CompTIA recommends that test takers have four years of information security-related experience before taking this exam.

Study and Exam Preparation Tips

A test preparation book like this cannot teach you every possible security software package, scenario, or specific technology that may appear on the exam. Instead, you should focus on whether you are familiar with the type or category of technology, tool, process, or scenario as you read the book.


If you identify a gap, you may want to find additional tools to help you learn more about those topics. Additional resources for hands-on exercises include the following:

Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at exploit-exercises.com (the project's content has since moved to exploit.education).

Hacking-Lab provides capture the flag (CTF) exercises in a variety of fields at www.

PentesterLab provides subscription-based access to penetration testing exercises at www.

The InfoSec Institute provides online CTF activities with bounties for written explanations of successful hacks at ctf.

Since the exam uses scenario-based learning, expect the questions to involve analysis and thought, rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands-on exercises.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher: www.


In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Maintaining Your Certification

CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.


CompTIA provides information on renewals via their website at www. Chapter 1: Today's Cybersecurity Analyst The book starts by teaching you how to assess cybersecurity threats, as well as how to evaluate and select controls to keep your networks and systems secure. Chapter 2: Using Threat Intelligence Security professionals need to fully understand threats in order to prevent them or to limit their impact. In this chapter, you will learn about the many types of threat intelligence, including sources and means of assessing the relevance and accuracy of a given threat intelligence source. You'll also discover how to use threat intelligence in your organization. Chapter 3: Reconnaissance and Intelligence Gathering Gathering information about an organization and its systems is one of the things that both attackers and defenders do. In this chapter, you will learn how to acquire intelligence about an organization using popular tools and techniques.


You will also learn how to limit the impact of intelligence gathering performed against your own organization. Chapter 4: Designing a Vulnerability Management Program Managing vulnerabilities helps to keep your systems secure. In this chapter, you will learn how to identify, prioritize, and remediate vulnerabilities using a well-defined workflow and continuous assessment methodologies. Chapter 5: Analyzing Vulnerability Scans Vulnerability reports can contain huge amounts of data about potential problems with systems. In this chapter, you will learn how to read and analyze a vulnerability scan report, what CVSS scoring is and what it means, as well as how to choose the appropriate actions to remediate the issues you have found.


Along the way, you will explore common types of vulnerabilities and their impact on systems and networks. Chapter 6: Cloud Security The widespread adoption of cloud computing dramatically impacts the work of cybersecurity analysts who must now understand how to gather, correlate, and interpret information coming from many different cloud sources. In this chapter, you'll learn about how cloud computing impacts businesses and how you can perform threat management in the cloud. Chapter 7: Infrastructure Security and Controls A strong security architecture requires layered security procedures, technology, and processes to provide defense in depth, ensuring that the failure of a single control won't lead to a compromise. In this chapter, you will learn how to design a layered security architecture and how to analyze security designs for flaws, including single points of failure and gaps. Chapter 8: Identity and Access Management Security The identities that we rely on to authenticate and authorize users, services, and systems are a critical layer in a defense-in-depth architecture.


This chapter explains identity, authentication, and authorization concepts and systems. You will learn about the major threats to identity and identity systems as well as how to use identity as a defensive layer. Chapter 9: Software and Hardware Development Security Creating, testing, and maintaining secure software, from simple scripts to complex applications, is critical for security analysts. In this chapter, you will learn about the software development life cycle, including different methodologies, testing and review techniques, and how secure software is created. In addition, you will learn about industry standards for secure software to provide you with the foundation you need to help keep applications and services secure. You'll also learn about tools and techniques you can use to protect hardware in your organization, including hardware assurance best practices. Chapter Security Operations and Monitoring Monitoring systems, devices, and events throughout an organization can be a monumental task.


Security logs can be an invaluable resource for security analysts, allowing detection of misuse and compromise, but they can also bury important information in mountains of operational data. In this chapter, you'll learn how to analyze data from many diverse sources. You'll learn about techniques including email header analysis, rule writing for event management systems, and basic scripting and query writing.

Chapter Building an Incident Response Program
This chapter focuses on building a formal incident response handling program and team. You will learn the details of each stage of incident handling, from preparation, to detection and analysis, to containment, eradication, and recovery, to the final post-incident recovery, as well as how to classify incidents and communicate about them.

Chapter Analyzing Indicators of Compromise
Responding appropriately to an incident requires understanding how incidents occur and what symptoms may indicate that an event has occurred.


To do that, you also need the right tools and techniques. In this chapter, you will learn about three major categories of symptoms. First, you will learn about network events, including malware beaconing, unexpected traffic, and link failures, as well as network attacks. Next, you will explore host issues, ranging from system resource consumption issues to malware defense and unauthorized changes. Finally, you will learn about service- and application-related problems.

Chapter Performing Forensic Analysis and Techniques
Understanding what occurred on a system, device, or network, either as part of an incident or for other purposes, frequently involves forensic analysis. In this chapter, you will learn how to build a forensic capability and how the key tools in a forensic toolkit are used.

Chapter Containment, Eradication, and Recovery
Once an incident has occurred and the initial phases of incident response have taken place, you will need to work on recovering from it. That process involves containing the incident to ensure that no further issues occur and then working on eradicating malware, rootkits, and other elements of a compromise.


Once the incident has been cleaned up, the recovery stage can start, including reporting and preparation for future issues.

Chapter Risk Management
In this chapter, we look at the big picture of cybersecurity in a large organization. How do we evaluate and manage risks to ensure that we're spending our limited time and money on the controls that will have the greatest effect? That's where risk management comes into play.

Chapter Policy and Compliance
Policy provides the foundation of any cybersecurity program, and building an effective set of policies is critical to a successful program. In this chapter, you will acquire the tools to build a standards-based set of security policies, standards, and procedures.


You will also learn how to leverage industry best practices by using guidelines and benchmarks from industry experts.

Appendix A: Practice Exam
Once you have completed your studies, the practice exam will provide you with a chance to test your knowledge. Use this exam to find places where you may need to study more or to verify that you are ready to tackle the exam. We'll be rooting for you!

Appendix B: Answers to Review Questions and Practice Exam
The appendix has answers to the review questions you will find at the end of each chapter and answers to the practice exam in Appendix A.

Appendix C: Answers to Lab Exercises
This appendix has answers to the lab exercises you will find at the end of each chapter.

Study Guide Elements
This study guide uses a number of common elements to help you prepare. These include the following:

Summaries
The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.


Exam Essentials
The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by CompTIA.







I dedicate this book to my father, who was a role model of the value of hard work, commitment to family, and the importance of doing the right thing. Rest in peace, Dad.

We would especially like to thank senior acquisitions editor Kenyon Brown. We have worked with Ken on multiple projects and consistently enjoy our work with him. We also greatly appreciated the editing and production team for the book, including Kezia Endsley, our project editor, who brought years of experience and great talent to the project; Chris Crayton, our technical editor, who provided insightful advice and gave wonderful feedback throughout the book; Saravanan Dakshinamurthy, our production editor, who guided us through layouts, formatting, and final cleanup to produce a great book; and Liz Welch, our copy editor, who helped the text flow well.


We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product. Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers. Finally, we would like to thank our families and significant others who support us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Authors
Mike Chapple, Ph.D., is an information security professional with two decades of experience in higher education, the private sector, and government.


Mike currently serves as Teaching Professor in the IT, Analytics, and Operations department at the University of Notre Dame's Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics. Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force. Mike is technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University.


David Seidl is Vice President for Information Technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including serving as the Senior Director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's Director of Information Security and led Notre Dame's information security program. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist.


Chris has served as technical editor and content contributor on numerous technical titles for several of the leading publishing companies. He has also been recognized with many professional and teaching awards.

This book will help you to assess your knowledge before taking the exam, as well as provide a stepping-stone to further learning in areas where you may want to expand your skillset or expertise. CompTIA suggests that test takers have about four years of existing hands-on information security experience. You should also be familiar with at least some of the tools and techniques described in this book. For up-to-the-minute updates covering additions or modifications to the CompTIA certification exams, as well as additional study tools, videos, practice questions, and bonus material, be sure to visit the Sybex website and forum at www.


CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. They are also recognized by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program. The CySA+ exam focuses on security analytics and the practical use of security tools in real-world scenarios. It covers five major domains: Threat and Vulnerability Management, Software and Systems Security, Security Operations and Monitoring, Incident Response, and Compliance and Assessment.


These five areas include a range of topics, from reconnaissance to incident response and forensics, while focusing heavily on scenario-based learning. Exam questions may include multiple types of questions such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems. CompTIA recommends that test takers have four years of information security-related experience before taking this exam.

Study and Exam Preparation Tips
A test preparation book like this cannot teach you every possible security software package, scenario, or specific technology that may appear on the exam.


Instead, you should focus on whether you are familiar with the type or category of technology, tool, process, or scenario as you read the book. If you identify a gap, you may want to find additional tools to help you learn more about those topics. Additional resources for hands-on exercises include the following: Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at exploit-exercises. Hacking-Lab provides capture the flag (CTF) exercises in a variety of fields at www.


PentesterLab provides subscription-based access to penetration testing exercises at www. The InfoSec Institute provides online CTF activities with bounties for written explanations of successful hacks at ctf. Since the exam uses scenario-based learning, expect the questions to involve analysis and thought, rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands-on exercises.

Taking the Exam
Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher: www. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.


Maintaining Your Certification
CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it. CompTIA provides information on renewals via their website at www.

Chapter 1: Today's Cybersecurity Analyst
The book starts by teaching you how to assess cybersecurity threats, as well as how to evaluate and select controls to keep your networks and systems secure.

Chapter 2: Using Threat Intelligence
Security professionals need to fully understand threats in order to prevent them or to limit their impact. In this chapter, you will learn about the many types of threat intelligence, including sources and means of assessing the relevance and accuracy of a given threat intelligence source.


You'll also discover how to use threat intelligence in your organization.

Chapter 3: Reconnaissance and Intelligence Gathering
Gathering information about an organization and its systems is one of the things that both attackers and defenders do. In this chapter, you will learn how to acquire intelligence about an organization using popular tools and techniques. You will also learn how to limit the impact of intelligence gathering performed against your own organization.

Chapter 4: Designing a Vulnerability Management Program
Managing vulnerabilities helps to keep your systems secure. In this chapter, you will learn how to identify, prioritize, and remediate vulnerabilities using a well-defined workflow and continuous assessment methodologies.









