CompTIA Cybersecurity Analyst (CSA+) Cert Guide


CompTIA Cybersecurity Analyst (CSA+) Cert Guide
Troy McMillan

800 East 96th Street
Indianapolis, Indiana 46240 USA

9780789756954 BOOK.indb i 5/19/17 1:39 PM

CompTIA Cybersecurity Analyst (CSA+) Cert Guide
Copyright 2017 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5695-4
ISBN-10: 0-7897-5695-1
Library of Congress Control Number: 2017938509
Printed in the United States of America
First Printing: June 2017

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact intlcs@pearson.com.

Editor-in-Chief: Mark Taub
Product Line Manager: Brett Bartow
Managing Editor: Sandra Schroeder
Acquisitions Editor: Michelle Newcomb
Development Editor: Ellie Bru
Senior Project Editor: Tonya Simpson
Copy Editor: Kitty Wilson
Indexer: Publishing Works, Inc.
Proofreader: Chuck Hutchinson
Technical Editors: Chris Crayton, Robin Abernathy
Publishing Coordinator: Vanessa Evans
Cover Designer: Chuti Prasertsith
Compositor: Bronkella Publishing

Contents at a Glance

Introduction xxvii
Chapter 1 Applying Environmental Reconnaissance Techniques 3
Chapter 2 Analyzing the Results of Network Reconnaissance 37
Chapter 3 Recommending and Implementing the Appropriate Response and Countermeasure 69
Chapter 4 Practices Used to Secure a Corporate Environment 95
Chapter 5 Implementing an Information Security Vulnerability Management Process 113
Chapter 6 Analyzing Scan Output and Identifying Common Vulnerabilities 141
Chapter 7 Identifying Incident Impact and Assembling a Forensic Toolkit 187
Chapter 8 The Incident Response Process 213
Chapter 9 Incident Recovery and Post-Incident Response 237
Chapter 10 Frameworks, Policies, Controls, and Procedures 251
Chapter 11 Remediating Security Issues Related to Identity and Access Management 301
Chapter 12 Security Architecture and Implementing Compensating Controls 343
Chapter 13 Application Security Best Practices 385
Chapter 14 Using Cybersecurity Tools and Technologies 403
Chapter 15 Final Preparation 453
Appendix A Answers to the "Do I Know This Already?" Quizzes and Review Questions 459
Glossary 491
Index 526

Table of Contents

Introduction xxvii

Chapter 1 Applying Environmental Reconnaissance Techniques 3
  "Do I Know This Already?" Quiz 3
  Foundation Topics 5
    Procedures/Common Tasks 5
    Topology Discovery 5
    OS Fingerprinting 5
    Service Discovery 6
    Packet Capture 6
    Log Review 6
    Router/Firewall ACLs Review 6
    E-mail Harvesting 7
    Social Media Profiling 7
    Social Engineering 8
    DNS Harvesting 8
    Phishing 11
    Variables 11
    Wireless vs. Wired 12
    Virtual vs. Physical 13
    Internal vs. External 14
    On-premises vs. Cloud 15
    Tools 16
    Nmap 16
    Host Scanning 19
    Network Mapping 20
    Netstat 21
    Packet Analyzer 23
    IDS/IPS 25
    HIDS/NIDS 27
    Firewall Rule-Based and Logs 27
    Firewall Types 27
    Firewall Architecture 29
    Syslog 30
    Vulnerability Scanner 30

  Exam Preparation Tasks 31
    Review All Key Topics 31
    Define Key Terms 32
    Review Questions 32

Chapter 2 Analyzing the Results of Network Reconnaissance 37
  "Do I Know This Already?" Quiz 37
  Foundation Topics 40
    Point-in-Time Data Analysis 40
    Packet Analysis 40
    Protocol Analysis 40
    Traffic Analysis 40
    NetFlow Analysis 41
    Wireless Analysis 43
    CSMA/CA 43
    Data Correlation and Analytics 45
    Anomaly Analysis 45
    Trend Analysis 46
    Availability Analysis 46
    Heuristic Analysis 46
    Behavioral Analysis 47
    Data Output 47
    Firewall Logs 47
    Packet Captures 49
    Nmap Scan Results 52
    Port Scans 52
    Event Logs 53
    Syslog 55
    IDS Report 56
    Tools 57
    SIEM 57
    Packet Analyzer 59
    IDS 60
    Resource Monitoring Tool 61
    NetFlow Analyzer 61
  Exam Preparation Tasks 62

    Review All Key Topics 62
    Define Key Terms 63
    Review Questions 63

Chapter 3 Recommending and Implementing the Appropriate Response and Countermeasure 69
  "Do I Know This Already?" Quiz 69
  Foundation Topics 72
    Network Segmentation 72
    LAN 72
    Intranet 72
    Extranet 72
    DMZ 73
    VLANs 73
    System Isolation 75
    Jump Box 76
    Honeypot 77
    Endpoint Security 77
    Group Policies 78
    ACLs 80
    Sinkhole 81
    Hardening 82
    Mandatory Access Control (MAC) 82
    Compensating Controls 83
    Control Categories 83
    Access Control Types 84
    Administrative (Management) Controls 85
    Logical (Technical) Controls 85
    Physical Controls 85
    Blocking Unused Ports/Services 86
    Patching 86
    Network Access Control 86
    Quarantine/Remediation 88
    Agent-Based vs. Agentless NAC 88
    802.1x 88
  Exam Preparation Tasks 90

    Review All Key Topics 90
    Define Key Terms 91
    Review Questions 91

Chapter 4 Practices Used to Secure a Corporate Environment 95
  "Do I Know This Already?" Quiz 95
  Foundation Topics 98
    Penetration Testing 98
    Rules of Engagement 100
    Reverse Engineering 101
    Isolation/Sandboxing 101
    Hardware 103
    Software/Malware 104
    Training and Exercises 105
    Risk Evaluation 106
    Technical Impact and Likelihood 106
    Technical Control Review 107
    Operational Control Review 107
  Exam Preparation Tasks 107
    Review All Key Topics 108
    Define Key Terms 108
    Review Questions 108

Chapter 5 Implementing an Information Security Vulnerability Management Process 113
  "Do I Know This Already?" Quiz 113
  Foundation Topics 117
    Identification of Requirements 117
    Regulatory Environments 117
    Corporate Policy 119
    Data Classification 119
    Asset Inventory 120
    Establish Scanning Frequency 120
    Risk Appetite 120
    Regulatory Requirements 121
    Technical Constraints 121
    Workflow 121

    Configure Tools to Perform Scans According to Specification 122
    Determine Scanning Criteria 122
    Sensitivity Levels 122
    Vulnerability Feed 123
    Scope 123
    Credentialed vs. Non-credentialed 125
    Types of Data 126
    Server-Based vs. Agent-Based 126
    Tool Updates/Plug-ins 128
    SCAP 128
    Permissions and Access 131
    Execute Scanning 131
    Generate Reports 132
    Automated vs. Manual Distribution 132
    Remediation 133
    Prioritizing 133
    Criticality 134
    Difficulty of Implementation 134
    Communication/Change Control 134
    Sandboxing/Testing 134
    Inhibitors to Remediation 134
    MOUs 134
    SLAs 135
    Organizational Governance 135
    Business Process Interruption 135
    Degrading Functionality 135
    Ongoing Scanning and Continuous Monitoring 135
  Exam Preparation Tasks 136
    Review All Key Topics 136
    Define Key Terms 136
    Review Questions 137

Chapter 6 Analyzing Scan Output and Identifying Common Vulnerabilities 141
  "Do I Know This Already?" Quiz 141
  Foundation Topics 143

    Analyzing Output Resulting from a Vulnerability Scan 143
    Analyze Reports from a Vulnerability Scan 143
    Review and Interpret Scan Results 145
    Validate Results and Correlate Other Data Points 147
    Common Vulnerabilities Found in Targets Within an Organization 148
    Servers 148
    Web Servers 149
    Database Servers 160
    Endpoints 161
    Network Infrastructure 162
    Switches 163
    MAC Overflow 164
    ARP Poisoning 164
    VLANs 165
    Routers 168
    Network Appliances 169
    Virtual Infrastructure 169
    Virtual Hosts 169
    Virtual Networks 170
    Management Interface 171
    Mobile Devices 173
    Interconnected Networks 174
    Virtual Private Networks 175
    Industrial Control Systems/SCADA Devices 179
  Exam Preparation Tasks 180
    Review All Key Topics 181
    Define Key Terms 182
    Review Questions 182

Chapter 7 Identifying Incident Impact and Assembling a Forensic Toolkit 187
  "Do I Know This Already?" Quiz 187
  Foundation Topics 189
    Threat Classification 189
    Known Threats vs. Unknown Threats 190
    Zero Day 190
    Advanced Persistent Threat 191

    Factors Contributing to Incident Severity and Prioritization 191
    Scope of Impact 191
    Downtime and Recovery Time 191
    Data Integrity 193
    Economic 193
    System Process Criticality 193
    Types of Data 194
    Personally Identifiable Information (PII) 194
    Personal Health Information (PHI) 195
    Payment Card Information 195
    Intellectual Property 197
    Corporate Confidential 199
    Forensics Kit 201
    Digital Forensics Workstation 202
    Forensic Investigation Suite 206
  Exam Preparation Tasks 208
    Review All Key Topics 208
    Define Key Terms 208
    Review Questions 209

Chapter 8 The Incident Response Process 213
  "Do I Know This Already?" Quiz 213
  Foundation Topics 216
    Stakeholders 216
    HR 216
    Legal 217
    Marketing 217
    Management 217
    Purpose of Communication Processes 217
    Limit Communication to Trusted Parties 218
    Disclosure Based on Regulatory/Legislative Requirements 218
    Prevent Inadvertent Release of Information 218
    Secure Method of Communication 218
    Role-Based Responsibilities 218
    Technical 219
    Management 219

    Law Enforcement 219
    Retain Incident Response Provider 220
    Using Common Symptoms to Select the Best Course of Action to Support Incident Response 220
    Common Network-Related Symptoms 220
    Bandwidth Consumption 221
    Beaconing 221
    Irregular Peer-to-Peer Communication 222
    Rogue Devices on the Network 223
    Scan Sweeps 224
    Unusual Traffic Spikes 225
    Common Host-Related Symptoms 225
    Processor Consumption 226
    Memory Consumption 227
    Drive Capacity Consumption 227
    Unauthorized Software 228
    Malicious Processes 229
    Unauthorized Changes 229
    Unauthorized Privileges 229
    Data Exfiltration 229
    Common Application-Related Symptoms 230
    Anomalous Activity 230
    Introduction of New Accounts 231
    Unexpected Output 231
    Unexpected Outbound Communication 231
    Service Interruption 231
    Memory Overflows 231
  Exam Preparation Tasks 232
    Review All Key Topics 232
    Define Key Terms 232
    Review Questions 233

Chapter 9 Incident Recovery and Post-Incident Response 237
  "Do I Know This Already?" Quiz 237
  Foundation Topics 240

    Containment Techniques 240
    Segmentation 240
    Isolation 240
    Removal 241
    Reverse Engineering 241
    Eradication Techniques 242
    Sanitization 242
    Reconstruction/Reimage 242
    Secure Disposal 242
    Validation 243
    Patching 243
    Permissions 244
    Scanning 244
    Verify Logging/Communication to Security Monitoring 244
    Corrective Actions 245
    Lessons Learned Report 245
    Change Control Process 245
    Update Incident Response Plan 245
    Incident Summary Report 246
  Exam Preparation Tasks 246
    Review All Key Topics 246
    Define Key Terms 247
    Review Questions 247

Chapter 10 Frameworks, Policies, Controls, and Procedures 251
  "Do I Know This Already?" Quiz 251
  Foundation Topics 254
    Regulatory Compliance 254
    Frameworks 258
    National Institute of Standards and Technology (NIST) 258
    Framework for Improving Critical Infrastructure Cybersecurity 259
    ISO 260
    Control Objectives for Information and Related Technology (COBIT) 263
    Sherwood Applied Business Security Architecture (SABSA) 265
    The Open Group Architecture Framework (TOGAF) 265
    Information Technology Infrastructure Library (ITIL) 267

    Policies 268
    Password Policy 268
    Acceptable Use Policy (AUP) 271
    Data Ownership Policy 272
    Data Retention Policy 272
    Account Management Policy 273
    Data Classification Policy 274
    Sensitivity and Criticality 275
    Commercial Business Classifications 276
    Military and Government Classifications 276
    Controls 277
    Control Selection Based on Criteria 278
    Handling Risk 278
    Organizationally Defined Parameters 281
    Access Control Types 282
    Procedures 284
    Continuous Monitoring 284
    Evidence Production 285
    Patching 285
    Compensating Control Development 286
    Control Testing Procedures 286
    Manage Exceptions 287
    Remediation Plans 287
    Verifications and Quality Control 288
    Audits 288
    Evaluations 290
    Assessments 290
    Maturity Model 291
    CMMI 291
    Certification 291
    NIACAP 292
    ISO/IEC 27001 292
    ISO/IEC 27002 294
  Exam Preparation Tasks 294
    Review All Key Topics 294

    Define Key Terms 295
    Review Questions 296

Chapter 11 Remediating Security Issues Related to Identity and Access Management 301
  "Do I Know This Already?" Quiz 301
  Foundation Topics 304
    Security Issues Associated with Context-Based Authentication 304
    Time 304
    Location 304
    Frequency 305
    Behavioral 305
    Security Issues Associated with Identities 305
    Personnel 306
    Employment Candidate Screening 306
    Employment Agreement and Policies 308
    Periodic Review 308
    Proper Credential Management 308
    Creating Accountability 309
    Maintaining a Secure Provisioning Life Cycle 309
    Endpoints 310
    Social Engineering Threats 310
    Malicious Software 311
    Rogue Endpoints 311
    Rogue Access Points 312
    Servers 312
    Services 313
    Roles 315
    Applications 316
    IAM Software 316
    Applications as Identities 317
    OAuth 318
    OpenSSL 319
    Security Issues Associated with Identity Repositories 319
    Directory Services 319
    LDAP 319
    Active Directory (AD) 320

    SESAME 321
    DNS 322
    TACACS and RADIUS 323
    Security Issues Associated with Federation and Single Sign-on 325
    Identity Propagation
    Shibboleth 332
    Manual vs. Automatic Provisioning/Deprovisioning 333
    Self-Service Password Reset 334
    Exploits 334
    Impersonation 334
    Man-in-the-Middle 334
    Session Hijack 335
    Cross-Site Scripting 335
    Privilege Escalation 335
    Rootkit 335
  Exam Preparation Tasks 336
    Review All Key Topics 336
    Define Key Terms 337
    Review Questions 338

Chapter 12 Security Architecture and Implementing Compensating Controls 343
  "Do I Know This Already?" Quiz 343
  Foundation Topics 346
    Security Data Analytics 346
    Data Aggregation and Correlation 346
    Trend Analysis 346
    Historical Analysis 347
    Manual Review 348
    Firewall Log 348
    Syslogs 350

    Authentication Logs 351
    Event Logs 352
    Defense in Depth 353
    Personnel 354
    Training 354
    Dual Control 355
    Separation of Duties 355
    Split Knowledge 355
    Third Party/Consultants 355
    Cross-Training/Mandatory Vacations 356
    Succession Planning 356
    Processes 356
    Continual Improvement 356
    Scheduled Reviews/Retirement of Processes 357
    Technologies 358
    Automated Reporting 358
    Security Appliances 358
    Security Suites 359
    Outsourcing 360
    Cryptography 362
    Other Security Concepts 373
    Network Design 374
  Exam Preparation Tasks 379
    Review All Key Topics 379
    Define Key Terms 380
    Review Questions 380

Chapter 13 Application Security Best Practices 385
  "Do I Know This Already?" Quiz 385
  Foundation Topics 387
    Best Practices During Software Development 387
    Plan/Initiate Project 387
    Gather Requirements (Security Requirements Definition) 388
    Design 388
    Develop 389

    Test/Validate 389
    Security Testing Phases 390
    Static Code Analysis 390
    Web App Vulnerability Scanning 391
    Fuzzing 391
    Use Interception Proxy to Crawl Application 392
    Manual Peer Reviews 393
    User Acceptance Testing 393
    Stress Test Application 393
    Security Regression Testing 394
    Input Validation 394
    Release/Maintain 395
    Certify/Accredit 395
    Change Management and Configuration Management/Replacement 395
    Secure Coding Best Practices 396
    OWASP 396
    SANS 396
    Center for Internet Security 397
    System Design Recommendations 397
    Benchmarks 398
  Exam Preparation Tasks 398
    Review All Key Topics 398
    Define Key Terms 399
    Review Questions 399

Chapter 14 Using Cybersecurity Tools and Technologies 403
  "Do I Know This Already?" Quiz 403
  Foundation Topics 405
    Preventative Tools 405
    IPS 405
    IDS 405
    Sourcefire 405
    Snort 406
    Bro 407

    HIPS 408
    Firewall 408
    Firewall Architecture 410
    Cisco 415
    Palo Alto 415
    Check Point 415
    Antivirus 415
    Anti-malware 416
    Anti-spyware 416
    Cloud Antivirus Services 417
    EMET 418
    Web Proxy 418
    Web Application Firewall 418
    ModSecurity 420
    NAXSI 420
    Imperva 421
    Collective Tools
    OSSIM 422
    Kiwi Syslog 423
    Network Scanning 423
    Nmap 423
    Vulnerability Scanning 423
    Qualys 425
    Nessus 425
    OpenVAS 426
    Nexpose 426
    Nikto 427
    Microsoft Baseline Security Analyzer 427
    Packet Capture 428
    Wireshark 428
    tcpdump 429

    Network General 429
    Aircrack-ng 429
    Command Line/IP Utilities 430
    Netstat 430
    ping 431
    tracert/traceroute 432
    ipconfig/ifconfig 433
    nslookup/dig 434
    Sysinternals 435
    OpenSSL 436
    IDS/HIDS 436
    Analytical Tools 436
    Vulnerability Scanning 437
    Monitoring Tools 437
    MRTG 437
    Nagios 438
    SolarWinds 438
    Cacti 439
    NetFlow Analyzer 439
    Interception Proxy 439
    Burp Suite 440
    Zap 440
    Vega 440
    Exploit Tools 440
    Interception Proxy 440
    Exploit Framework 441
    Metasploit 441
    Nexpose 442
    Fuzzers 442
    Untidy/Peach Fuzzer 442
    Microsoft SDL File/Regex Fuzzer 442
    Forensics Tools 443
    Forensic Suites 443
    EnCase 444
    FTK 444

    MD5sum 445
    SHAsum 445
    Password Cracking 445
    John the Ripper 445
    Cain & Abel 446
    Imaging 447
    DD 447
  Exam Preparation Tasks 447
    Review All Key Topics 447
    Define Key Terms 448
    Review Questions 448

Chapter 15 Final Preparation 453
  Tools for Final Preparation 453
    Pearson Test Prep Practice Test Software and Questions on the Website 453
    Accessing the Pearson Test Prep Software Online 454
    Accessing the Pearson Test Prep Practice Test Software Offline 454
    Customizing Your Exams 455
    Updating Your Exams 456
    Premium Edition 456
    Chapter-Ending Review Tools 457
  Suggested Plan for Final Review/Study 457
  Summary 457

Appendix A Answers to the "Do I Know This Already?" Quizzes and Review Questions 459
Glossary 491
Index 526

About the Author

Troy McMillan is a product developer and technical editor for Kaplan IT as well as a full-time trainer. He became a professional trainer 16 years ago, teaching Cisco, Microsoft, CompTIA, and wireless classes. He has written or contributed to more than a dozen projects, including the following recent ones:

- Contributing subject matter expert for CCNA Cisco Certified Network Associate Certification Exam Preparation Guide (Kaplan)
- Author of CISSP Cert Guide (Pearson)
- Prep test question writer for CCNA Wireless 640-722 (Cisco Press)
- Author of CASP Cert Guide (Pearson)

Troy has also appeared in the following training videos for OnCourse Learning: Security+; Network+; Microsoft 70-410, 411, and 412 exam prep; ICND1; and ICND2.

He delivers CISSP training classes for CyberVista, authorized online training provider for (ISC)2.

Troy now creates certification practice tests and study guides for the Transcender and Self-Test brands. He lives in Pfafftown, North Carolina, with his wife, Heike.

Dedication

I dedicate this book to my wife, Heike, who has supported me every time I've reinvented myself.

Acknowledgments

I must thank everyone on the Pearson team for all of their help in making this book better than it would have been without their help. That includes Michelle Newcomb, Eleanor Bru, Chris Crayton, and Robin Abernathy.

About the Technical Reviewers

Chris Crayton, MCSE, is an author, a technical consultant, and a trainer. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has authored several print and online books on PC repair, CompTIA A+, CompTIA Security+, and Microsoft Windows. He has also served as technical editor and content contributor on numerous technical titles for several leading publishing companies. He holds numerous industry certifications, has been recognized with many professional teaching awards, and has served as a state-level SkillsUSA competition judge.

Robin M. Abernathy has been working in the IT certification preparation industry at Kaplan IT Certification Preparation, the owners of the Transcender and Self Test brands, for more than a decade. Robin has written and edited certification preparation materials for many (ISC)2, Microsoft, CompTIA, PMI, Cisco, and ITIL certifications and holds multiple IT certifications from these vendors. Robin provides training on computer hardware and software, networking, security, and project management. Over the past couple years, she has ventured into the traditional publishing industry, technical editing several publications and coauthoring Pearson's CISSP Cert Guide and CASP Cert Guide. She presents at technical conferences and hosts webinars on IT certification topics.

We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way.

We welcome your comments. You can e-mail or write to let us know what you did or didn't like about this book, as well as what we can do to make our books better.

Please note that we cannot help you with technical problems related to the topic of this book.

When you write, please be sure to include this book's title and author as well as your name and e-mail address. We will carefully review your comments and share them with the author and editors who worked on the book.

E-mail: feedback@pearsonitcertification.com

Mail:
Pearson IT Certification
ATTN: Reader Feedback
800 East 96th Street
Indianapolis, IN 46240 USA

Reader Services

Register your copy of CompTIA Cybersecurity Analyst (CSA+) Cert Guide at www.pearsonitcertification.com for convenient access to downloads, updates, and corrections as they become available. To start the registration process, go to www.pearsonitcertification.com/register and log in or create an account*. Enter the product ISBN 9780789756954 and click Submit. When the process is complete, you will find any available bonus content under Registered Products.

*Be sure to check the box that you would like to hear from us to receive exclusive discounts on future editions of this product.

Becoming a CompTIA Certified IT Professional is Easy

It's also the best way to reach greater professional opportunities and rewards.

Why Get CompTIA Certified?

Growing Demand: Labor estimates predict some technology fields will experience growth of over 20% by the year 2020.* CompTIA certification qualifies the skills required to join this workforce.

Higher Salaries: IT professionals with certifications on their resume command better jobs, earn higher salaries and have more doors open to new multi-industry opportunities.

Verified Strengths: 91% of hiring managers indicate CompTIA certifications are valuable in validating IT expertise, making certification the best way to demonstrate your competency and knowledge to employers.**

Universal Skills: CompTIA certifications are vendor neutral, which means that certified professionals can proficiently work with an extensive variety of hardware and software found in most organizations.

Learn
Learn more about what the exam covers by reviewing the following:
- Exam objectives for key study points.
- Sample questions for a general overview of what to expect on the exam and examples of question format.
- Visit online forums, like LinkedIn, to see what other IT professionals say about CompTIA exams.

Certify
- Purchase a voucher at a Pearson VUE testing center or at CompTIAstore.com.
- Register for your exam at a Pearson VUE testing center: Visit pearsonvue.com/CompTIA to find the closest testing center to you.
- Schedule the exam online. You will be required to enter your voucher number or provide payment information at registration.
- Take your certification exam.

Work
Congratulations on your CompTIA certification!
- Make sure to add your certification to your resume.
- Check out the CompTIA Certification Roadmap to plan your next career move.

Learn more: Certification.CompTIA.org/networkplus

* Source: CompTIA 9th Annual Information Security Trends study: 500 U.S. IT and Business Executives Responsible for Security
** Source: CompTIA Employer Perceptions of IT Training and Certification
*** Source: 2013 IT Skills and Salary Report by CompTIA Authorized Partner

2014 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. 01085-Sep2014

Introduction

CompTIA CSA+ bridges the skills gap between CompTIA Security+ and CompTIA Advanced Security Practitioner (CASP). Building on CSA+, IT professionals can pursue CASP to prove their mastery of the hands-on cybersecurity skills required at the 5- to 10-year experience level. Earn the CSA+ certification to grow your career within the CompTIA recommended cybersecurity career pathway.

CompTIA CSA+ certification is designed to be a "vendor-neutral" exam that measures your knowledge of industry-standard technology.

Goals and Methods

The number-one goal of this book is a simple one: to help you pass the 2017 version of the CompTIA CSA+ certification exam CS0-001.

Because the CompTIA CSA+ certification exam stresses problem-solving abilities and reasoning more than memorization of terms and facts, our goal is to help you master and understand the required objectives for each exam.

To aid you in mastering and understanding the CSA+ certification objectives, this book uses the following methods:

- The beginning of each chapter defines the topics to be covered in the chapter; it also lists the corresponding CompTIA CSA+ objectives.
- The body of the chapter explains the topics from a hands-on and theory-based standpoint. This includes in-depth descriptions, tables, and figures that are geared toward building your knowledge so that you can pass the exam. The chapters are broken down into several topics each.
- The key topics indicate important figures, tables, and lists of information that you should know for the exam. They are interspersed throughout the chapter and are listed in a table at the end of the chapter.
- Key terms without definitions are listed at the end of each chapter. Write down the definition of each term and check your work against the complete key terms in the glossary.

Who Should Read This Book?

The CompTIA CSA+ examination is designed for IT security analysts, vulnerability analysts, and threat intelligence analysts. The exam certifies that a successful candidate has the knowledge and skills required to configure and use threat detection tools, perform data analysis, and interpret the results to identify vulnerabilities, threats, and risks to an organization, with the end goal of securing and protecting applications and systems in an organization.

The recommended experience for taking the CompTIA CSA+ exam includes Network+, Security+, or equivalent knowledge as well as a minimum of three or four years of hands-on information security or related experience. While there is no required prerequisite, CSA+ is intended to follow CompTIA Security+ or equivalent experience and has a technical, hands-on focus.

This book is for you if you are attempting to attain a position in the cybersecurity field. It is also for you if you want to keep your skills sharp or perhaps retain your job due to a company policy that mandates that you update security skills.

This book is also for you if you want to acquire additional certifications beyond Security+. The book is designed to offer easy transition to future certification studies.

Strategies for Exam Preparation

Strategies for exam preparation vary depending on your existing skills, knowledge, and equipment available. Of course, the ideal exam preparation would consist of three or four years of hands-on security or related experience followed by rigorous study of the exam objectives.

After you have read through the book, have a look at the current exam objectives for the CompTIA CSA+ Certification Exams, listed at ybersecurity-analyst#tab4. If there are any areas shown in the certification exam outline that you would still like to study, find those sections in the book and review them.

When you feel confident in your skills, attempt the practice exams found on the website that accompanies this book. As you work through the practice exam, note the areas where you lack confidence and review those concepts or configurations in the book. After you ha
