Introduction

CompTIA Cybersecurity Analyst (CySA+) Study Guide, Second Edition, provides accessible explanations and real-world knowledge about the exam objectives that make up the Cybersecurity Analyst+ certification. This book will help you to assess your knowledge before taking the exam, as well as provide a stepping-stone to further learning in areas where you may want to expand your skillset or expertise.

Before you tackle the CySA+, you should already be a security practitioner. CompTIA suggests that test takers have about four years of existing hands-on information security experience. You should also be familiar with at least some of the tools and techniques described in this book. You don't need to know every tool, but understanding how to approach a new scenario, tool, or technology that you may not know using existing experience is critical to passing the CySA+ exam.

CompTIA

CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like the CompTIA Advanced Security Practitioner (CASP) certification.

CompTIA recommends that practitioners follow a cybersecurity career path as shown here:

Schematic illustration of a cybersecurity career path.

The Cybersecurity Analyst+ exam is a more advanced exam, intended for professionals with hands-on experience and who possess the knowledge covered by the prior exams.

CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the CySA+, the Security+, and the CASP certifications, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program.

The Cybersecurity Analyst+ Exam

The Cybersecurity Analyst+ exam, which CompTIA refers to as CySA+, is designed to be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The CySA+ certification is designed for security analysts and engineers as well as security operations center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses on security analytics and practical use of security tools in real-world scenarios. It covers five major domains: Threat and Vulnerability Management, Software and Systems Security, Security Operations and Monitoring, Incident Response, and Compliance and Assessment. These five areas include a range of topics, from reconnaissance to incident response and forensics, while focusing heavily on scenario-based learning.

The CySA+ exam fits between the entry-level Security+ exam and the CompTIA Advanced Security Practitioner (CASP) certification, providing a mid-career certification for those who are seeking the next step in their certification and career path.

The CySA+ exam is conducted in a format that CompTIA calls “performance-based assessment.” This means that the exam uses hands-on simulations with actual security tools and scenarios to perform tasks that match those found in the daily work of a security practitioner. The exam may include several question types, such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.

CompTIA recommends that test takers have four years of information security–related experience before taking this exam. The exam costs $359 in the United States, with roughly equivalent prices in other locations around the globe. More details about the CySA+ exam and how to take it can be found at certification.comptia.org/certifications/cybersecurity-analyst.

Study and Exam Preparation Tips

A test preparation book like this cannot teach you every possible security software package, scenario, or specific technology that may appear on the exam. Instead, you should focus on whether you are familiar with the type or category of technology, tool, process, or scenario as you read the book. If you identify a gap, you may want to find additional tools to help you learn more about those topics.

CompTIA recommends the use of NetWars-style simulations, penetration testing and defensive cybersecurity simulations, and incident response training to prepare for the CySA+.

Additional resources for hands-on exercises include the following:

Since the exam uses scenario-based learning, expect the questions to involve analysis and thought, rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands-on exercises.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:

www.comptiastore.com/Articles.asp?ID=265&category=vouchers

CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to “Find a test center.”

www.pearsonvue.com/comptia/

Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam:

https://www.comptia.org/testing/testing-options/take-in-person-exam

On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.

After the Cybersecurity Analyst+ Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Maintaining Your Certification

CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.

CompTIA provides information on renewals via their website at

www.comptia.org/continuing-education

When you sign up to renew your certification, you will be asked to agree to the CE program's Code of Ethics, pay a renewal fee, and submit the materials required for your chosen renewal method.

A full list of the industry certifications you can use to acquire CEUs toward renewing the CySA+ can be found at

www.comptia.org/continuing-education/choose/renew-with-a-single-activity/earn-a-higher-level-comptia-certification

What Does This Book Cover?

This book is designed to cover the five domains included in the CySA+.

  • Chapter 1: Today's Cybersecurity Analyst The book starts by teaching you how to assess cybersecurity threats, as well as how to evaluate and select controls to keep your networks and systems secure.
  • Chapter 2: Using Threat Intelligence Security professionals need to fully understand threats in order to prevent them or to limit their impact. In this chapter, you will learn about the many types of threat intelligence, including sources and means of assessing the relevance and accuracy of a given threat intelligence source. You'll also discover how to use threat intelligence in your organization.
  • Chapter 3: Reconnaissance and Intelligence Gathering Gathering information about an organization and its systems is one of the things that both attackers and defenders do. In this chapter, you will learn how to acquire intelligence about an organization using popular tools and techniques. You will also learn how to limit the impact of intelligence gathering performed against your own organization.
  • Chapter 4: Designing a Vulnerability Management Program Managing vulnerabilities helps to keep your systems secure. In this chapter, you will learn how to identify, prioritize, and remediate vulnerabilities using a well-defined workflow and continuous assessment methodologies.
  • Chapter 5: Analyzing Vulnerability Scans Vulnerability reports can contain huge amounts of data about potential problems with systems. In this chapter, you will learn how to read and analyze a vulnerability scan report, what CVSS scoring is and what it means, as well as how to choose the appropriate actions to remediate the issues you have found. Along the way, you will explore common types of vulnerabilities and their impact on systems and networks.
  • Chapter 6: Cloud Security The widespread adoption of cloud computing dramatically impacts the work of cybersecurity analysts who must now understand how to gather, correlate, and interpret information coming from many different cloud sources. In this chapter, you'll learn about how cloud computing impacts businesses and how you can perform threat management in the cloud.
  • Chapter 7: Infrastructure Security and Controls A strong security architecture requires layered security procedures, technology, and processes to provide defense in depth, ensuring that the failure of a single control won't lead to a compromise. In this chapter, you will learn how to design a layered security architecture and how to analyze security designs for flaws, including single points of failure and gaps.
  • Chapter 8: Identity and Access Management Security The identities that we rely on to authenticate and authorize users, services, and systems are a critical layer in a defense-in-depth architecture. This chapter explains identity, authentication, and authorization concepts and systems. You will learn about the major threats to identity and identity systems as well as how to use identity as a defensive layer.
  • Chapter 9: Software and Hardware Development Security Creating, testing, and maintaining secure software, from simple scripts to complex applications, is critical for security analysts. In this chapter, you will learn about the software development life cycle, including different methodologies, testing and review techniques, and how secure software is created. In addition, you will learn about industry standards for secure software to provide you with the foundation you need to help keep applications and services secure. You'll also learn about tools and techniques you can use to protect hardware in your organization, including hardware assurance best practices.
  • Chapter 10: Security Operations and Monitoring Monitoring systems, devices, and events throughout an organization can be a monumental task. Security logs can be an invaluable resource for security analysts, allowing detection of misuse and compromise, but they can also bury important information in mountains of operational data. In this chapter, you'll learn how to analyze data from many diverse sources. You'll learn about techniques including email header analysis, rule writing for event management systems, and basic scripting and query writing.
  • Chapter 11: Building an Incident Response Program This chapter focuses on building a formal incident response handling program and team. You will learn the details of each stage of incident handling, from preparation, to detection and analysis, to containment, eradication, and recovery, to the final postincident activity, as well as how to classify incidents and communicate about them.
  • Chapter 12: Analyzing Indicators of Compromise Responding appropriately to an incident requires understanding how incidents occur and what symptoms may indicate that an event has occurred. To do that, you also need the right tools and techniques. In this chapter, you will learn about three major categories of symptoms. First, you will learn about network events, including malware beaconing, unexpected traffic, and link failures, as well as network attacks. Next, you will explore host issues, ranging from system resource consumption issues to malware defense and unauthorized changes. Finally, you will learn about service- and application-related problems.
  • Chapter 13: Performing Forensic Analysis and Techniques Understanding what occurred on a system, device, or network, either as part of an incident or for other purposes, frequently involves forensic analysis. In this chapter, you will learn how to build a forensic capability and how the key tools in a forensic toolkit are used.
  • Chapter 14: Containment, Eradication, and Recovery Once an incident has occurred and the initial phases of incident response have taken place, you will need to work on recovering from it. That process involves containing the incident to ensure that no further issues occur and then working on eradicating malware, rootkits, and other elements of a compromise. Once the incident has been cleaned up, the recovery stage can start, including reporting and preparation for future issues.
  • Chapter 15: Risk Management In this chapter, we look at the big picture of cybersecurity in a large organization. How do we evaluate and manage risks to ensure that we're spending our limited time and money on the controls that will have the greatest effect? That's where risk management comes into play.
  • Chapter 16: Policy and Compliance Policy provides the foundation of any cybersecurity program, and building an effective set of policies is critical to a successful program. In this chapter, you will acquire the tools to build a standards-based set of security policies, standards, and procedures. You will also learn how to leverage industry best practices by using guidelines and benchmarks from industry experts.
  • Appendix A: Practice Exam Once you have completed your studies, the practice exam will provide you with a chance to test your knowledge. Use this exam to find places where you may need to study more or to verify that you are ready to tackle the exam. We'll be rooting for you!
  • Appendix B: Answers to Review Questions and Practice Exam The appendix has answers to the review questions you will find at the end of each chapter and answers to the practice exam in Appendix A.
  • Appendix C: Answers to Lab Exercises This appendix has answers to the lab exercises you will find at the end of each chapter.

Study Guide Elements

This study guide uses a number of common elements to help you prepare. These include the following:

  • Summaries The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.
  • Exam Essentials The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by CompTIA.
  • Review Questions A set of questions at the end of each chapter will help you assess your knowledge of that chapter's topics and whether you are ready to take the exam.
  • Lab Exercises The written labs provide more in-depth practice opportunities to expand your skills and to better prepare for performance-based testing on the Cybersecurity Analyst+ exam.

Additional Study Tools

This book comes with a number of additional study tools to help you prepare for the exam. They include the following.

Sybex Test Preparation Software

Sybex's test preparation software lets you prepare with electronic test versions of the review questions from each chapter, the practice exam, and the bonus exam that are included in this book. You can build and take tests on specific domains, by chapter, or cover the entire set of Cybersecurity Analyst+ exam objectives using randomized tests.

Electronic Flashcards

Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.

Glossary of Terms

Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.

Bonus Practice Exam

In addition to the practice questions for each chapter, this book includes a full 85-question practice exam, found in Appendix A. We recommend that you use it to test your preparedness for the certification exam.

Objectives Map for CompTIA Cybersecurity Analyst (CySA+) Exam CS0-002

The following objective map for the CompTIA Cybersecurity Analyst (CySA+) certification exam will enable you to find the chapter in this book that covers each objective for the exam.

Objectives Map

Objective Chapter(s)
1.0 Threat and Vulnerability Management
1.1 Explain the importance of threat data and intelligence. Chapter 2
1.2 Given a scenario, utilize threat intelligence to support organizational security. Chapter 2
1.3 Given a scenario, perform vulnerability management activities. Chapters 4, 5
1.4 Given a scenario, analyze the output from common vulnerability assessment tools. Chapters 3, 5, 6, 9
1.5 Explain the threats and vulnerabilities associated with specialized technology. Chapter 5
1.6 Explain the threats and vulnerabilities associated with operating in the cloud. Chapter 6
1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities. Chapters 5, 9
2.0 Software and Systems Security
2.1 Given a scenario, apply security solutions for infrastructure management. Chapters 6, 7, 8
2.2 Explain software assurance best practices. Chapter 9
2.3 Explain hardware assurance best practices. Chapter 9
3.0 Security Operations and Monitoring
3.1 Given a scenario, analyze data as part of security monitoring activities. Chapters 3, 10
3.2 Given a scenario, implement configuration changes to existing controls to improve security. Chapter 7
3.3 Explain the importance of proactive threat hunting. Chapter 2
3.4 Compare and contrast automation concepts and technologies. Chapters 1, 2, 4, 7, 9, 10
4.0 Incident Response
4.1 Explain the importance of the incident response process. Chapter 11
4.2 Given a scenario, apply the appropriate incident response procedure. Chapters 11, 14
4.3 Given an incident, analyze potential indicators of compromise. Chapter 12
4.4 Given a scenario, utilize basic digital forensic techniques. Chapter 13
5.0 Compliance and Assessment
5.1 Understand the importance of data privacy and protection. Chapters 1, 15
5.2 Given a scenario, apply security concepts in support of organizational risk mitigation. Chapter 15
5.3 Explain the importance of frameworks, policies, procedures, and controls. Chapter 16

Setting Up a Kali and Metasploitable Learning Environment

You can practice many of the techniques found in this book using open source and free tools. This section provides a brief “how to” guide to set up Kali Linux, a Linux distribution built as a broad security toolkit, and Metasploitable, an intentionally vulnerable Linux virtual machine.

What You Need

To build a basic virtual security lab environment to run scenarios and to learn applications and tools used in this book, you will need a virtualization program and virtual machines. There are many excellent security-oriented distributions and tools beyond those in this example, and you may want to explore tools like Security Onion, the SANS SIFT forensic distribution, and CAINE as you gain experience.

Running virtual machines can require a reasonably capable PC. We like to recommend an i5 or i7 (or equivalent) CPU, at least 8 GB of RAM, and 20 GB of open space on your hard drive. If you have an SSD instead of a hard drive, you'll be much happier with the performance of your VMs.

VirtualBox

VirtualBox is a virtualization software package for x86 computers, and is available for Windows, macOS, and Linux. You can download VirtualBox at www.virtualbox.org/wiki/VirtualBox.

If you are more familiar with another virtualization tool like VMware or Hyper-V, you can also use those tools; however, you may have to adapt or modify these instructions to handle differences in how your preferred virtualization environment works.

Kali Linux

Multiple versions of Kali Linux are available at www.kali.org/downloads/ and prebuilt Kali Linux virtual machines can be downloaded at www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/. We suggest downloading the most recent version of the Kali Linux 64-bit VBox virtual machine.

Metasploitable

You can download the Metasploitable virtual machine at sourceforge.net/projects/metasploitable/.

Setting Up Your Environment

Setting up VirtualBox is quite simple. First, install the VirtualBox application. Once it is installed and you select your language, you should see a VirtualBox window like the one in Figure I.1.

To add the Kali Linux virtual machine, choose File, then Import Appliance. Navigate to the directory where you downloaded the Kali VM and import the virtual machine. Follow the wizard as it guides you through the import process, and when it is complete, you can continue with these instructions.

The Metasploitable virtual machine comes as a zip file, so you'll need to extract it first. Inside, you'll see a VMDK instead of the OVA file that VirtualBox uses for its native virtual machines. This means you have to do a little more work.

  1. Click New in the VirtualBox main window.
  2. Click Expert Mode and name your system; then select Linux for the type. You can leave the default alone for Version, and you can leave the memory default alone as well. See Figure I.2.
  3. Select Use An Existing Virtual Hard Disk File, navigate to the location where you unzipped the Metasploitable.vmdk file, select it, and then click Create.
    Snapshot of the VirtualBox main screen.

    FIGURE I.1 VirtualBox main screen

    Snapshot of adding the Metasploitable VM.

    FIGURE I.2 Adding the Metasploitable VM

  4. Now that you have both virtual machines set up, you should verify their network settings. VirtualBox allows multiple types of networks. Table I.1 shows the critical types of network connections you are likely to want to use with this environment.

    You may want to have Internet connectivity for some exercises, or to update software packages. If you are reasonably certain you know what you are doing, using a NAT Network can be very helpful. To do so, you will need to click the File ➢ Preferences menu of VirtualBox; then select Network and set up a NAT network, as shown in Figure I.3, by clicking the network card with a + icon.

TABLE I.1 Virtual machine network options

Network Name Description
NAT Connect the VM to your real network, through a protected NAT
NAT Network Connect the VM and other VMs together on a protected network segment, which is also NAT'ed out to your real network
Bridged Directly connect your VM to your actual network (possibly allowing it to get a DHCP address, be scanned, or for you to connect to it remotely)
Internal Connect the VM to a network that exists only for virtual machines
Host Only Connect the VM to a network that only allows it to see the VM host

Snapshot of adding a NAT network.

FIGURE I.3 Adding a NAT network

  5. Once your NAT network exists, you can set both machines to use it by clicking on them, then clicking the Settings gear icon in the VirtualBox interface. From there, click Network, and set the network adapter to be attached to the NAT network you just set up. See Figure I.4.
    Snapshot of configuring VMs for the NAT network.

    FIGURE I.4 Configuring VMs for the NAT network

  6. Now you're all set! You can start both machines and test that they can see each other. To do this, simply log in to the Metasploitable box and run ifconfig to find its IP address. Use SSH to connect from the Kali Linux system to the Metasploitable system using ssh [ip address] -l msfadmin. If you connect and can log in, you're ready to run exercises between the two systems!

Assessment Test

If you're considering taking the Cybersecurity Analyst+ exam, you should have already taken and passed the CompTIA Security+ and Network+ exams and should have four years of experience in the field. You may also already hold other equivalent certifications. The following assessment test helps to make sure that you have the knowledge that you should have before you tackle the Cybersecurity Analyst+ certification and will help you determine where you may want to spend the most time with this book.

  1. After running an nmap scan of a system, you receive scan data that indicates the following three ports are open:
    • 22/TCP
    • 443/TCP
    • 1521/TCP

    What services commonly run on these ports?

    1. SMTP, NetBIOS, MySQL
    2. SSH, Microsoft DS, WINS
    3. SSH, HTTPS, Oracle
    4. FTP, HTTPS, MS-SQL
  2. Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?
    1. nmap
    2. traceroute
    3. regmon
    4. whois
  3. What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools?
    1. A honeypot
    2. A sinkhole
    3. A crackpot
    4. A darknet
  4. What cybersecurity objective could be achieved by running your organization's web servers in redundant, geographically separate datacenters?
    1. Confidentiality
    2. Integrity
    3. Immutability
    4. Availability
  5. Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
    1. Black box
    2. Authenticated
    3. Internal view
    4. External view
  6. Security researchers recently discovered a flaw in the Chakra JavaScript scripting engine in Microsoft's Edge browser that could allow remote execution or denial of service via a specifically crafted website. The CVSS 3.0 score for this vulnerability reads
     CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

    What is the attack vector and the impact to integrity based on this rating?

    1. System, 9, 8
    2. Browser, High
    3. Network, High
    4. None, High
  7. Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this?
    1. Verify that it is a false positive, and then document the exception.
    2. Implement a workaround.
    3. Update the vulnerability scanner.
    4. Use an authenticated scan, and then document the vulnerability.
  8. Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?
    1. Preparation
    2. Detection and Analysis
    3. Containment, Eradication, and Recovery
    4. Postincident Activity and Reporting
  9. Which of the following descriptions explains an integrity loss?
    1. Systems were taken offline, resulting in a loss of business income.
    2. Sensitive or proprietary information was changed or deleted.
    3. Protected information was accessed or exfiltrated.
    4. Sensitive personally identifiable information was accessed or exfiltrated.
  10. Which of the following techniques is an example of active monitoring?
    1. Ping
    2. RMON
    3. NetFlows
    4. A network tap
  11. Abdul's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
    1. Anomalous pings
    2. Probing
    3. Zombie chatter
    4. Beaconing
  12. Which of the following tools is not useful for monitoring memory usage in Linux?
    1. df
    2. top
    3. ps
    4. free
  13. Which of the following tools cannot be used to make a forensic disk image?
    1. xcopy
    2. FTK
    3. dd
    4. EnCase
  14. During a forensic investigation, Maria is told to look for information in slack space on the drive. Where should she look, and what is she likely to find?
    1. She should look at unallocated space, and she is likely to find file fragments from deleted files.
    2. She should look at unused space where files were deleted, and she is likely to find complete files hidden there by the individual being investigated.
    3. She should look in the space reserved on the drive for spare blocks, and she is likely to find complete files duplicated there.
    4. She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files.
  15. What type of system is used to contain an attacker to allow them to be monitored?
    1. A white box
    2. A sandbox
    3. A network jail
    4. A VLAN
  16. Oscar's manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Oscar's best course of action?
    1. Use an antivirus tool to remove any associated malware
    2. Use an antimalware tool to completely scan and clean the system
    3. Wipe and rebuild the system
    4. Restore a recent backup
  17. What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type?
    1. Clear
    2. Purge
    3. Destroy
    4. Reinstall
  18. Which of the following actions is not a common activity during the recovery phase of an incident response process?
    1. Reviewing accounts and adding new privileges
    2. Validating that only authorized user accounts are on the systems
    3. Verifying that all systems are logging properly
    4. Performing vulnerability scans of all systems
  19. A statement like “Windows workstations must have the current security configuration template applied to them before being deployed” is most likely to be part of which document?
    1. Policies
    2. Standards
    3. Procedures
    4. Guidelines
  20. Jamal is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with?
    1. HIPAA
    2. GLBA
    3. SOX
    4. FERPA
  21. A fire suppression system is an example of what type of control?
    1. Logical
    2. Physical
    3. Administrative
    4. Operational
  22. Suki is concerned that a user might abuse their privileges to create a new vendor in the accounting system and then issue that vendor a check. What security control would best protect against this risk?
    1. Dual control
    2. Separation of duties
    3. Background checks
    4. Cross training
  23. Joe wants to implement an authentication protocol that is well suited to untrusted networks. Which of the following options is best suited to his needs in its default state?
    1. Kerberos
    2. RADIUS
    3. LDAP
    4. TACACS+
  24. Which software development life cycle model uses linear development concepts in an iterative, four-phase process?
    1. Waterfall
    2. Agile
    3. RAD
    4. Spiral

Answers to the Assessment Test

  1. C. These three TCP ports are associated with SSH (22), HTTPS (443), and Oracle databases (1521). Other ports mentioned in the potential answers are SMTP (25), NetBIOS (137–139), MySQL (3306), WINS (1512), FTP (20 and 21), and MS-SQL (1433/1434).
  2. D. Regional Internet registries like ARIN are best queried either via their websites or using tools like whois. nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor.
  3. A. Honeypots are systems that are designed to look like attractive targets. When they are attacked, they simulate a compromise, providing defenders with a chance to see how attackers operate and what tools they use. DNS sinkholes provide false information to malicious software, redirecting queries about command and control systems to allow remediation. Darknets are segments of unused network space that are monitored to detect traffic—since legitimate traffic should never be aimed at the darknet, this can be used to detect attacks and other unwanted traffic. Crackpots are eccentric people—not a system you'll run into on a network.
  4. D. Redundant systems, particularly when run in multiple locations and with other protections to ensure uptime, can help provide availability.
  5. B. An authenticated, or credentialed, scan provides the most detailed view of the system. Black-box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow.
  6. C. When reading the CVSS 3.0 score, AV is the attack vector. Here, N means network. Confidentiality (C), integrity (I), and availability (A) are listed at the end of the listing, and all three are rated as High in this CVSS rating.
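Reading a CVSS v3.0 vector by hand, as the answer above does, generalizes to a small parser; the following is an added example, not code from the study guide, and the vector strings in it are constructed. It expands each metric and also computes the base score with the v3.0 specification's formulas and weights.

```python
import math

# Numeric weights for CVSS v3.0 base metrics (from the CVSS v3.0 specification).
# PR weights differ when Scope is Changed, stored as (unchanged, changed).
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)},
    "UI": {"N": 0.85, "R": 0.62},
    "S": {"U": 0, "C": 1},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
NAMES = {"AV": "Attack Vector", "AC": "Attack Complexity", "PR": "Privileges Required",
         "UI": "User Interaction", "S": "Scope", "C": "Confidentiality",
         "I": "Integrity", "A": "Availability"}

def parse_cvss3_vector(vector):
    """Split a CVSS v3.0 base vector into {metric: value}; reject malformed input."""
    head, *items = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError("not a CVSS v3 vector: %r" % vector)
    metrics = {}
    for item in items:
        key, _, val = item.partition(":")
        if key not in WEIGHTS or val not in WEIGHTS[key]:
            raise ValueError("bad metric %r" % item)
        metrics[key] = val
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError("missing base metrics: %s" % sorted(missing))
    return metrics

def describe(vector):
    """Readable view, e.g. {'Attack Vector': 'N', ...} for the vector's metrics."""
    return {NAMES[k]: v for k, v in parse_cvss3_vector(vector).items()}

def roundup(x):
    """CVSS 'Roundup': smallest value with one decimal place that is >= x."""
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss3_base_score(vector):
    m = parse_cvss3_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - WEIGHTS["C"][m["C"]]) * (1 - WEIGHTS["I"][m["I"]]) * (1 - WEIGHTS["A"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploit = (8.22 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]]
               * WEIGHTS["PR"][m["PR"]][int(changed)] * WEIGHTS["UI"][m["UI"]])
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + exploit), 10))
```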
  7. A. When Alice encounters a false positive error in her scans, her first action should be to verify it. This may involve running a more in-depth scan like an authenticated scan, but it could also involve getting assistance from system administrators, checking documentation, or other validation actions. Once she is done, she should document the exception so that it is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an authenticated scan might help but does not cover all the possibilities for validation she may need to use.
  8. C. The Containment, Eradication, and Recovery phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase.
  9. B. Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches.
  10. A. Active monitoring sends traffic like pings to remote devices as part of the monitoring process. RMON and NetFlow are both examples of router-based monitoring, whereas network taps allow passive monitoring.
  11. D. Regular traffic from compromised systems to command and control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made-up term, and probing is part of scanning behavior in some cases.
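The regularity that defines beaconing can be measured directly from connection logs: for each source/destination pair, near-constant gaps between connections stand out from ordinary traffic. The following detector is an added example, not from the study guide; the log lines are constructed, and the field layout (timestamp, source, destination) and the jitter threshold are assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log (firewall/proxy style): timestamp src dst.
# 10.0.0.5 calls out roughly every 5 minutes; 10.0.0.9 connects irregularly.
SAMPLE_LOG = """\
2021-03-01T10:00:00 10.0.0.5 198.51.100.7
2021-03-01T10:00:42 10.0.0.9 203.0.113.4
2021-03-01T10:05:01 10.0.0.5 198.51.100.7
2021-03-01T10:09:59 10.0.0.5 198.51.100.7
2021-03-01T10:12:15 10.0.0.9 203.0.113.4
2021-03-01T10:15:00 10.0.0.5 198.51.100.7
2021-03-01T10:20:02 10.0.0.5 198.51.100.7
2021-03-01T10:31:45 10.0.0.9 203.0.113.4
2021-03-01T10:40:10 10.0.0.9 203.0.113.4
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = {}
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(flows, min_connections=4, max_jitter=0.1):
    """Return (src, dst, mean_interval_seconds) for pairs whose gaps between
    connections are nearly constant: coefficient of variation <= max_jitter.
    Malware that adds jitter to its interval needs a looser threshold."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:  # too few samples to judge regularity
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits
```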
  12. A. The df command is used to show the amount of free and used disk space. Each of the other commands can show information about memory usage in Linux.
  13. A. FTK, EnCase, and dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.
  14. D. Slack space is the unused space between the end of a file's data and the end of the last cluster allocated to it. Since that space may have previously been filled by another file, file fragments are likely to exist and be recoverable. Unallocated space is space that has not been partitioned and could contain data, but looking there isn't part of Maria's task. The reserved space maintained by drives for wear leveling (for SSDs) or to replace bad blocks (for spinning disks) may contain data, but again, this was not part of her task.
  15. B. Sandboxes are used to isolate attackers, malicious code, and other untrusted applications. They allow defenders to monitor and study behavior in the sandbox without exposing systems or networks to potential attacks or compromise.
  16. C. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn't be detected as malicious software.
  17. B. NIST SP 800-88 defines three levels of action of increasing severity: clear, purge, and destroy. In this case, purging, which uses technical means to make data infeasible to recover, is appropriate for a high-security device. Destruction might be preferable, but the reuse element of the question rules this out. Reinstallation is not an option in the NIST guidelines, and clearing is less secure.
  18. A. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase.
  19. B. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation.
  20. D. The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to implement security and privacy controls for student educational records. HIPAA covers security and privacy for healthcare providers, health insurers, and health information clearinghouses; GLBA covers financial institutions; and SOX applies to financial records of publicly traded companies.
  21. B. Fire suppression systems are physical controls. Logical controls are technical controls that enforce confidentiality, integrity, and availability. Administrative controls are procedural controls, and operational controls are not a type of security control as used in security design.
  22. B. Suki should implement separation of duties in a way that ensures that the same individual does not have rights to both create a new vendor and issue a check to that vendor. This approach would require the collusion of two individuals to defraud the organization.
  23. A. Kerberos is designed to run on untrusted networks and encrypts authentication traffic by default. LDAP and RADIUS can be encrypted but are not necessarily encrypted by default (and LDAP has limitations as an authentication mechanism). It is recommended that TACACS+ be run only on isolated administrative networks.
  24. D. The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation.