CompTIA Cybersecurity Analyst (CySA+) Study Guide, Second Edition, provides accessible explanations and real-world knowledge about the exam objectives that make up the Cybersecurity Analyst+ certification. This book will help you to assess your knowledge before taking the exam, as well as provide a stepping-stone to further learning in areas where you may want to expand your skillset or expertise.
Before you tackle the CySA+, you should already be a security practitioner. CompTIA suggests that test takers have about four years of existing hands-on information security experience. You should also be familiar with at least some of the tools and techniques described in this book. You don't need to know every tool, but being able to use your existing experience to approach an unfamiliar scenario, tool, or technology is critical to passing the CySA+ exam.
CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like the CompTIA Advanced Security Practitioner (CASP) certification.
CompTIA recommends that practitioners follow a cybersecurity career path as shown here:
The Cybersecurity Analyst+ exam is a more advanced exam, intended for professionals with hands-on experience and who possess the knowledge covered by the prior exams.
CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the CySA+, the Security+, and the CASP certifications, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program.
The Cybersecurity Analyst+ exam, which CompTIA refers to as CySA+, is designed to be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The CySA+ certification is designed for security analysts and engineers as well as security operations center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses on security analytics and practical use of security tools in real-world scenarios. It covers five major domains: Threat and Vulnerability Management, Software and Systems Security, Security Operations and Monitoring, Incident Response, and Compliance and Assessment. These five areas include a range of topics, from reconnaissance to incident response and forensics, while focusing heavily on scenario-based learning.
The CySA+ exam fits between the entry-level Security+ exam and the CompTIA Advanced Security Practitioner (CASP) certification, providing a mid-career certification for those who are seeking the next step in their certification and career path.
The CySA+ exam is conducted in a format that CompTIA calls “performance-based assessment.” This means that the exam uses hands-on simulations using actual security tools and scenarios to perform tasks that match those found in the daily work of a security practitioner. Exam questions may include multiple types of questions such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.
CompTIA recommends that test takers have four years of information security–related experience before taking this exam. The exam costs $359 in the United States, with roughly equivalent prices in other locations around the globe. More details about the CySA+ exam and how to take it can be found at certification.comptia.org/certifications/cybersecurity-analyst.
A test preparation book like this cannot teach you every possible security software package, scenario, or specific technology that may appear on the exam. Instead, you should focus on whether you are familiar with the type or category of technology, tool, process, or scenario as you read the book. If you identify a gap, you may want to find additional tools to help you learn more about those topics.
CompTIA recommends the use of NetWars-style simulations, penetration testing and defensive cybersecurity simulations, and incident response training to prepare for the CySA+.
Additional resources for hands-on exercises include the following:
Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at exploit-exercises.lains.space.
www.hacking-lab.com/index.html
www.pentesterlab.com/exercises/
ctf.infosecinstitute.com
Since the exam uses scenario-based learning, expect the questions to involve analysis and thought, rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands-on exercises.
Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:
www.comptiastore.com/Articles.asp?ID=265&category=vouchers
CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to “Find a test center.”
Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam:
https://www.comptia.org/testing/testing-options/take-in-person-exam
On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.
Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.
CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.
CompTIA provides information on renewals via their website at www.comptia.org/continuing-education
When you sign up to renew your certification, you will be asked to agree to the CE program's Code of Ethics, pay a renewal fee, and submit the materials required for your chosen renewal method.
A full list of the industry certifications you can use to acquire CEUs toward renewing the CySA+ can be found at
This book is designed to cover the five domains included in the CySA+.
This study guide uses a number of common elements to help you prepare. These include the following:
This book comes with a number of additional study tools to help you prepare for the exam. They include the following.
Sybex's test preparation software lets you prepare with electronic test versions of the review questions from each chapter, the practice exam, and the bonus exam that are included in this book. You can build and take tests on specific domains, by chapter, or cover the entire set of Cybersecurity Analyst+ exam objectives using randomized tests.
Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.
Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.
In addition to the practice questions for each chapter, this book includes a full 85-question practice exam, found in Appendix A. We recommend that you use it to test your preparedness for the certification exam.
The following objective map for the CompTIA Cybersecurity Analyst (CySA+) certification exam will enable you to find the chapter in this book that covers each objective for the exam.
| Objective | Chapter(s) |
|---|---|
| 1.0 Threat and Vulnerability Management | |
| 1.1 Explain the importance of threat data and intelligence. | Chapter 2 |
| 1.2 Given a scenario, utilize threat intelligence to support organizational security. | Chapter 2 |
| 1.3 Given a scenario, perform vulnerability management activities. | Chapters 4, 5 |
| 1.4 Given a scenario, analyze the output from common vulnerability assessment tools. | Chapters 3, 5, 6, 9 |
| 1.5 Explain the threats and vulnerabilities associated with specialized technology. | Chapter 5 |
| 1.6 Explain the threats and vulnerabilities associated with operating in the cloud. | Chapter 6 |
| 1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities. | Chapters 5, 9 |
| 2.0 Software and Systems Security | |
| 2.1 Given a scenario, apply security solutions for infrastructure management. | Chapters 6, 7, 8 |
| 2.2 Explain software assurance best practices. | Chapter 9 |
| 2.3 Explain hardware assurance best practices. | Chapter 9 |
| 3.0 Security Operations and Monitoring | |
| 3.1 Given a scenario, analyze data as part of security monitoring activities. | Chapters 3, 10 |
| 3.2 Given a scenario, implement configuration changes to existing controls to improve security. | Chapter 7 |
| 3.3 Explain the importance of proactive threat hunting. | Chapter 2 |
| 3.4 Compare and contrast automation concepts and technologies. | Chapters 1, 2, 4, 7, 9, 10 |
| 4.0 Incident Response | |
| 4.1 Explain the importance of the incident response process. | Chapter 11 |
| 4.2 Given a scenario, apply the appropriate incident response procedure. | Chapters 11, 14 |
| 4.3 Given an incident, analyze potential indicators of compromise. | Chapter 12 |
| 4.4 Given a scenario, utilize basic digital forensic techniques. | Chapter 13 |
| 5.0 Compliance and Assessment | |
| 5.1 Understand the importance of data privacy and protection. | Chapters 1, 15 |
| 5.2 Given a scenario, apply security concepts in support of organizational risk mitigation. | Chapter 15 |
| 5.3 Explain the importance of frameworks, policies, procedures, and controls. | Chapter 16 |
You can practice many of the techniques found in this book using open source and free tools. This section provides a brief “how to” guide to set up Kali Linux, a Linux distribution built as a broad security toolkit, and Metasploitable, an intentionally vulnerable Linux virtual machine.
To build a basic virtual security lab environment to run scenarios and to learn applications and tools used in this book, you will need a virtualization program and virtual machines. There are many excellent security-oriented distributions and tools beyond those in this example, and you may want to explore tools like Security Onion, the SANS SIFT forensic distribution, and CAINE as you gain experience.
Running virtual machines can require a reasonably capable PC. We like to recommend an i5 or i7 (or equivalent) CPU, at least 8 GB of RAM, and 20 GB of open space on your hard drive. If you have an SSD instead of a hard drive, you'll be much happier with the performance of your VMs.
VirtualBox is a virtualization software package for x86 computers, and is available for Windows, MacOS, and Linux. You can download VirtualBox at www.virtualbox.org/wiki/VirtualBox.
If you are more familiar with another virtualization tool like VMware or Hyper-V, you can also use those tools; however, you may have to adapt or modify these instructions to handle differences in how your preferred virtualization environment works.
Multiple versions of Kali Linux are available at www.kali.org/downloads/, and prebuilt Kali Linux virtual machines can be downloaded at www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/. We suggest downloading the most recent version of the Kali Linux 64-bit VBox virtual machine.
You can download the Metasploitable virtual machine at sourceforge.net/projects/metasploitable/.
Setting up VirtualBox is quite simple. First, install the VirtualBox application. Once it is installed and you select your language, you should see a VirtualBox window like the one in Figure I.1.
To add the Kali Linux virtual machine, choose File, then Import Appliance. Navigate to the directory where you downloaded the Kali VM and import the virtual machine. Follow the wizard as it guides you through the import process, and when it is complete, you can continue with these instructions.
The Metasploitable virtual machine comes as a zip file, so you'll need to extract it first. Inside, you'll see a VMDK instead of the OVA file that VirtualBox uses for its native virtual machines. This means you have to do a little more work.
Navigate to the directory you extracted the Metasploitable.vmdk file to and select it. Then click Create.
You may want to have Internet connectivity for some exercises, or to update software packages. If you are reasonably certain you know what you are doing, using a NAT Network can be very helpful. To do so, you will need to click the File ➢ Preferences menu of VirtualBox; then select Network and set up a NAT network, as shown in Figure I.3, by clicking the network card with a + icon.
TABLE I.1 Virtual machine network options
| Network Name | Description |
|---|---|
| NAT | Connect the VM to your real network, through a protected NAT |
| NAT Network | Connect the VM and other VMs together on a protected network segment, which is also NAT'ed out to your real network |
| Bridged | Directly connect your VM to your actual network (possibly allowing it to get a DHCP address, be scanned, or for you to connect to it remotely) |
| Internal | Connect the VM to a network that exists only for virtual machines |
| Host Only | Connect the VM to a network that only allows it to see the VM host |
ifconfig to find its IP address. Use SSH to connect from the Kali Linux system to the Metasploitable system using ssh [ip address] -l msfadmin. If you connect and can log in, you're ready to run exercises between the two systems!
If you're considering taking the Cybersecurity Analyst+ exam, you should have already taken and passed the CompTIA Security+ and Network+ exams and should have four years of experience in the field. You may also already hold other equivalent certifications. The following assessment test helps make sure that you have the knowledge that you should have before you tackle the Cybersecurity Analyst+ certification and will help you determine where you may want to spend the most time with this book.
What services commonly run on these ports?
nmap
traceroute
regmon
whois
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
What is the attack vector and the impact to integrity based on this rating?
df
top
ps
free
xcopy
dd
whois. nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor.
The df command is used to show the amount of free and used disk space. Each of the other commands can show information about memory usage in Linux.
dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.
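To work through a CVSS rating like the CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H vector in the assessment test, here is an added example (my own code, not from the book) that parses a CVSS v3.0 base vector string, names each metric, and computes the base score and severity band from the specification's formulas; the function names and the use of the v3.1 rounding helper are my own choices.

```python
# CVSS v3.0 base-metric weights, keyed by the vector letter: letter -> (name, weight).
AV = {"N": ("Network", 0.85), "A": ("Adjacent", 0.62), "L": ("Local", 0.55), "P": ("Physical", 0.2)}
AC = {"L": ("Low", 0.77), "H": ("High", 0.44)}
UI = {"N": ("None", 0.85), "R": ("Required", 0.62)}
CIA = {"H": ("High", 0.56), "L": ("Low", 0.22), "N": ("None", 0.0)}
# Privileges Required weighs differently when scope is changed: (name, unchanged, changed).
PR = {"N": ("None", 0.85, 0.85), "L": ("Low", 0.62, 0.68), "H": ("High", 0.27, 0.50)}
BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))

def roundup(x):
    """CVSS 'round up to one decimal' (v3.1 integer method, avoids float noise)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0

def parse_vector(vector):
    """Split 'CVSS:3.0/AV:N/AC:H/...' into {metric: letter}, validating the base set."""
    prefix, *parts = vector.split("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError("not a CVSS v3 vector: " + vector)
    metrics = dict(p.split(":", 1) for p in parts)
    missing = [k for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A") if k not in metrics]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return metrics

def base_score(vector):
    """CVSS v3.0 base score: impact + exploitability, adjusted when scope changes."""
    m = parse_vector(vector)
    changed = m["S"] == "C"
    c, i, a = (CIA[m[k]][1] for k in ("C", "I", "A"))
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = PR[m["PR"]][2 if changed else 1]
    exploitability = 8.22 * AV[m["AV"]][1] * AC[m["AC"]][1] * pr * UI[m["UI"]][1]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))

def severity(score):
    """Qualitative rating band for a base score."""
    return next(name for top, name in BANDS if score <= top)

def describe(vector):
    """Answer the assessment-style question: attack vector, integrity impact, score, rating."""
    m, score = parse_vector(vector), base_score(vector)
    return {"attack_vector": AV[m["AV"]][0], "integrity": CIA[m["I"]][0],
            "base_score": score, "severity": severity(score)}
```

Reading the vector letter by letter (AV:N, I:H) answers the question directly; the score shows why UI:R and AC:H pull an otherwise full-impact vector down from Critical.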