CompTIA Cybersecurity Analyst Cert Guide - Pearsoncmg


CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide

Troy McMillan

CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide

Copyright © 2021 by Pearson Education, Inc.
Hoboken, New Jersey

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-13-674716-1
ISBN-10: 0-13-674716-7
Library of Congress Control Number:

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact intlcs@pearson.com.

Editor-in-Chief: Mark Taub
Product Line Manager: Brett Bartow
Executive Editor: Nancy Davis
Development Editor: Christopher Cleveland
Managing Editor: Sandra Schroeder
Senior Project Editor: Tonya Simpson
Copy Editor: Bill McManus
Indexer: Erika Millen
Technical Editor: Chris Crayton
Proofreader: Abigail Manheim
Editorial Assistant: Cindy Teeters
Cover Designer: Chuti Prasertsith
Compositor: codeMantra

Contents at a Glance

Introduction xxxvii
Chapter 1 The Importance of Threat Data and Intelligence
Chapter 2 Utilizing Threat Intelligence to Support Organizational Security
Chapter 3 Vulnerability Management Activities
Chapter 4 Analyzing Assessment Output
Chapter 5 Threats and Vulnerabilities Associated with Specialized Technology 93
Chapter 6 Threats and Vulnerabilities Associated with Operating in the Cloud 123
Chapter 7 Implementing Controls to Mitigate Attacks and Software Vulnerabilities 141
Chapter 8 Security Solutions for Infrastructure Management
Chapter 9 Software Assurance Best Practices
Chapter 10 Hardware Assurance Best Practices
Chapter 11 Analyzing Data as Part of Security Monitoring Activities
Chapter 12 Implementing Configuration Changes to Existing Controls to Improve Security 377
Chapter 13 The Importance of Proactive Threat Hunting
Chapter 14 Automation Concepts and Technologies
Chapter 15 The Incident Response Process
Chapter 16 Applying the Appropriate Incident Response Procedure
Chapter 17 Analyzing Potential Indicators of Compromise 469
Chapter 18 Utilizing Basic Digital Forensics Techniques
Chapter 19 The Importance of Data Privacy and Protection
Chapter 20 Applying Security Concepts in Support of Organizational Risk Mitigation 527
Chapter 21 The Importance of Frameworks, Policies, Procedures, and Controls 549
Chapter 22 Final Preparation 579

Appendix A Answers to the "Do I Know This Already?" Quizzes and Review Questions 585
Appendix B CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide Exam Updates 651
Glossary of Key Terms 653
Index 689

Online Elements:
Appendix C Memory Tables
Appendix D Memory Tables Answer Key
Appendix E Study Planner
Glossary of Key Terms

Table of Contents

Introduction xxxvii

Chapter 1: The Importance of Threat Data and Intelligence
  "Do I Know This Already?" Quiz
  Foundation Topics
  Intelligence Sources
  Open-Source Intelligence
  Proprietary/Closed-Source Intelligence
  Timeliness
  Relevancy
  Confidence Levels
  Accuracy
  Indicator Management
  Structured Threat Information eXpression (STIX)
  Trusted Automated eXchange of Indicator Information (TAXII)
  OpenIOC
  Threat Classification
  Known Threat vs. Unknown Threat
  Zero-day
  Advanced Persistent Threat
  Threat Actors
  Organized Crime
  Terrorist Groups
  Insider …
  Unintentional
  Intelligence Cycle
  Commodity Malware
  Information Sharing and Analysis Communities
  Exam Preparation Tasks

  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 2: Utilizing Threat Intelligence to Support Organizational Security 19
  "Do I Know This Already?" Quiz
  Foundation Topics
  Attack Frameworks
  MITRE ATT&CK
  The Diamond Model of Intrusion Analysis
  Kill Chain
  Threat Research
  Reputational
  Behavioral
  Indicator of Compromise (IoC)
  Common Vulnerability Scoring System (CVSS)
  Threat Modeling Methodologies
  Adversary Capability
  Total Attack Surface
  Attack Vector
  Impact
  Probability
  Threat Intelligence Sharing with Supported Functions
  Incident Response
  Vulnerability Management
  Risk Management
  Security Engineering
  Detection and Monitoring
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 3: Vulnerability Management Activities
  "Do I Know This Already?" Quiz
  Foundation Topics

  Vulnerability Identification
  Asset Criticality
  Active vs. Passive …
  Remediation/Mitigation
  Configuration Baseline
  Patching
  Hardening
  Compensating Controls
  Risk Acceptance
  Verification of Mitigation
  Scanning Parameters and Criteria
  Risks Associated with Scanning Activities
  Vulnerability Feed
  Scope
  Credentialed vs. Non-credentialed
  Server-based vs. Agent-based
  Internal vs. External
  Special Considerations
  Types of Data
  Technical Constraints
  Workflow
  Sensitivity Levels
  Regulatory Requirements
  Segmentation
  Intrusion Prevention System (IPS), Intrusion Detection System (IDS), and Firewall Settings
  Firewall
  Inhibitors to Remediation
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 4: Analyzing Assessment Output 67
  "Do I Know This Already?" Quiz
  Foundation Topics
  Web Application Scanner
  Burp Suite
  OWASP Zed Attack Proxy (ZAP)
  Nikto
  Arachni
  Infrastructure Vulnerability Scanner
  Nessus
  OpenVAS
  Software Assessment Tools and Techniques
  Static Analysis
  Dynamic Analysis
  Reverse Engineering
  Fuzzing
  Enumeration
  Nmap
  Host Scanning
  hping
  Active vs. Passive
  Responder
  Wireless Assessment Tools
  Aircrack-ng
  Reaver
  oclHashcat
  Cloud Infrastructure Assessment Tools
  ScoutSuite
  Prowler
  Pacu
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 5: Threats and Vulnerabilities Associated with Specialized Technology 93
  "Do I Know This Already?" Quiz
  Foundation Topics
  Mobile
  Unsigned Apps/System Apps
  Security Implications/Privacy Concerns
  Data Storage
  Nonremovable Storage
  Removable Storage
  Transfer/Back Up Data to Uncontrolled Storage
  USB OTG
  Device Loss/Theft
  Rooting/Jailbreaking
  Push Notification Services
  Geotagging
  OEM/Carrier Android Fragmentation
  Mobile Payment
  NFC Enabled
  Inductance Enabled
  Mobile Wallet
  Peripheral-Enabled Payments (Credit Card Reader)
  USB
  Malware
  Unauthorized Domain Bridging
  SMS/MMS/Messaging
  Internet of Things (IoT)
  IoT Examples
  Methods of Securing IoT Devices
  Embedded Systems
  Real-Time Operating System (RTOS)
  System-on-Chip (SoC)
  Field Programmable Gate Array (FPGA)

  Physical Access …
  Building Automation Systems
  IP Video
  HVAC Controllers
  Sensors
  Vehicles and Drones
  CAN Bus
  Drones
  Workflow and Process Automation Systems
  Incident Command System (ICS)
  Supervisory Control and Data Acquisition (SCADA)
  Modbus
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 6: Threats and Vulnerabilities Associated with Operating in the Cloud 123
  "Do I Know This Already?" Quiz
  Foundation Topics
  Cloud Deployment Models
  Cloud Service Models
  Function as a Service (FaaS)/Serverless Architecture
  Infrastructure as Code (IaC)
  Insecure Application Programming Interface (API)
  Improper Key Management
  Key Escrow
  Key Stretching
  Unprotected Storage
  Transfer/Back Up Data to Uncontrolled Storage
  Big Data

  Logging and Monitoring
  Insufficient Logging and Monitoring
  Inability to Access
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 7: Implementing Controls to Mitigate Attacks and Software Vulnerabilities 141
  "Do I Know This Already?" Quiz
  Foundation Topics
  Attack Types
  Extensible Markup Language (XML) Attack
  Structured Query Language (SQL) Injection
  Overflow Attacks
  Buffer
  Integer Overflow
  Heap
  Remote Code Execution
  Directory Traversal
  Privilege Escalation
  Password Spraying
  Credential Stuffing
  Impersonation
  Man-in-the-Middle Attack
  VLAN-based Attacks
  Session Hijacking
  Rootkit
  Cross-Site Scripting
  Reflected
  Persistent
  Document Object Model (DOM)
  Vulnerabilities
  Improper Error Handling
  Dereferencing

  Insecure Object Reference
  Race Condition
  Broken Authentication
  Sensitive Data Exposure
  Insecure Components
  Code Reuse
  Insufficient Logging and Monitoring
  Weak or Default Configurations
  Use of Insecure Functions
  strcpy
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 8: Security Solutions for Infrastructure Management 173
  "Do I Know This Already?" Quiz
  Foundation Topics
  Cloud vs. On-premises
  Cloud Mitigations
  Asset Management
  Asset Tagging
  Device-Tracking Technologies
  Geolocation/GPS Location
  Object-Tracking and Object-Containment Technologies
  Geotagging/Geofencing
  RFID
  Segmentation …
  Virtual
  Jumpbox

  System Isolation
  Air Gap
  Network Architecture
  Physical
  Firewall Architecture
  Software-Defined Networking
  Virtual SAN
  Virtual Private Cloud (VPC)
  Virtual Private Network (VPN)
  IPsec
  SSL/TLS
  Serverless
  Change Management
  Virtualization
  Security Advantages and Disadvantages of Virtualization
  Type 1 vs. Type 2 Hypervisors
  Virtualization Attacks and Vulnerabilities
  Virtual Networks
  Management Interface
  Vulnerabilities Associated with a Single Physical Server Hosting Multiple Companies' Virtual Machines
  Vulnerabilities Associated with a Single Platform Hosting Multiple Companies' Virtual Machines
  Virtual Desktop Infrastructure (VDI)
  Terminal Services/Application Delivery Services
  Containerization
  Identity and Access Management
  Identify Resources
  Identify Users
  Identify Relationships Between Resources and Users
  Privilege Management
  Multifactor Authentication (MFA)
  Authentication
  Authentication Factors

  Knowledge Factors
  Ownership Factors
  Characteristic Factors
  Single Sign-On (SSO)
  Kerberos
  Active …
  SAML
  OpenID
  Shibboleth
  Role-Based Access Control
  Attribute-Based Access Control
  Mandatory Access Control
  Manual Review
  Cloud Access Security Broker (CASB)
  Honeypot
  Monitoring and Logging
  Log Management
  Audit Reduction Tools
  NIST SP 800-137
  Encryption
  Cryptographic Types
  Symmetric Algorithms
  Asymmetric Algorithms
  Hybrid Encryption
  Hashing Functions
  One-way Hash
  Message Digest Algorithm
  Secure Hash Algorithm
  Transport Encryption
  SSL/TLS

  HTTP/HTTPS/SHTTP
  SSH
  IPsec
  Certificate Management
  Certificate Authority and Registration Authority
  Certificates
  Certificate Revocation List
  OCSP
  PKI Steps
  Cross-Certification
  Digital Signatures
  Active Defense
  Hunt Teaming
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 9: Software Assurance Best Practices
  "Do I Know This Already?" Quiz
  Foundation Topics
  …
  Configuration Profiles and Payloads
  Personally Owned, Corporate Enabled
  Corporate-Owned, Personally Enabled
  Application Wrapping
  Application, Content, and Data Management
  Remote Wiping
  SCEP
  NIST SP 800-163 Rev 1
  Web Application
  Maintenance Hooks
  Time-of-Check/Time-of-Use Attacks

  Cross-Site Request Forgery (CSRF)
  Click-Jacking
  Client/Server
  Embedded
  Hardware/Embedded Device Analysis
  System-on-Chip (SoC)
  Secure Booting
  Central Security Breach Response
  Firmware
  Software Development Life Cycle (SDLC) Integration
  Step 1: Plan/Initiate Project
  Step 2: Gather Requirements
  Step 3: Design
  Step 4: Develop
  Step 5: Test/Validate
  Step 6: Release/Maintain
  Step 7: Certify/Accredit
  Step 8: Change Management and Configuration Management/Replacement
  DevSecOps
  DevOps
  Software Assessment Methods
  User Acceptance Testing
  Stress Test Application
  Security Regression Testing
  Code Review
  Security Testing
  Code Review Process
  Secure Coding Best Practices
  Input Validation
  Output Encoding
  Session Management
  Authentication
  Context-based Authentication

  Network Authentication Methods
  IEEE 802.1X
  Biometric Considerations
  Certificate-Based Authentication
  Data Protection
  Parameterized Queries
  Static Analysis Tools
  Dynamic Analysis Tools
  Formal Methods for Verification of Critical Software
  Service-Oriented Architecture
  Security Assertions Markup Language (SAML)
  Simple Object Access Protocol (SOAP)
  Representational State Transfer (REST)
  Microservices
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 10: Hardware Assurance Best Practices 295
  "Do I Know This Already?" Quiz
  Foundation Topics
  Hardware Root of Trust
  Trusted Platform Module (TPM)
  Virtual TPM
  Hardware Security Module (HSM)
  MicroSD HSM
  eFuse
  Unified Extensible Firmware Interface (UEFI)
  Trusted Foundry
  Secure Processing
  Trusted Execution
  Secure Enclave
  Processor Security Extensions
  Atomic Execution

  Anti-Tamper
  Self-Encrypting Drives
  Trusted Firmware Updates
  Measured Boot and Attestation
  Measured Launch
  Integrity Measurement Architecture
  Bus Encryption
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 11: Analyzing Data as Part of Security Monitoring Activities 317
  "Do I Know This Already?" Quiz
  Foundation Topics
  Heuristics
  Trend Analysis
  Endpoint
  Malware
  Virus
  Worm
  Trojan Horse
  Logic …
  Reverse Engineering
  Memory
  Memory Protection
  Secured Memory
  Runtime Data Integrity Check
  Memory Dumping, Runtime Debugging
  System and Application Behavior
  Known-good Behavior

  Anomalous Behavior
  Exploit Techniques
  File System
  File Integrity Monitoring
  User and Entity Behavior Analytics (UEBA)
  Network
  Uniform Resource Locator (URL) and Domain Name System (DNS) Analysis
  DNS Analysis
  Domain Generation Algorithm
  Flow Analysis
  NetFlow Analysis
  Packet and Protocol Analysis
  Packet Analysis
  Protocol Analysis
  Malware
  Log Review
  Event Logs
  Syslog
  Kiwi Syslog Server
  Firewall Logs
  Windows Defender
  Cisco
  Check Point
  Web Application Firewall (WAF)
  Proxy
  Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)
  Sourcefire
  Snort
  Zeek
  HIPS
  Impact Analysis
  Organization Impact vs. Localized Impact
  Immediate Impact vs. Total Impact

  Security Information and Event Management (SIEM) Review
  Rule Writing
  Known-Bad Internet Protocol (IP)
  Dashboard
  Query Writing
  String Search
  Script
  Piping
  E-mail Analysis
  E-mail Spoofing
  Malicious Payload
  DomainKeys Identified Mail (DKIM)
  Sender Policy Framework (SPF)
  Domain-based Message Authentication, Reporting, and Conformance (DMARC)
  Phishing
  Spear Phishing
  Whaling
  Forwarding
  Digital Signature
  E-mail Signature Block
  Embedded Links
  Impersonation
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 12: Implementing Configuration Changes to Existing Controls to Improve Security 377
  "Do I Know This Already?" Quiz
  Foundation Topics
  Permissions
  Whitelisting and Blacklisting
  Application Whitelisting and Blacklisting
  Input Validation

  Firewall
  NextGen Firewalls
  Host-Based Firewalls
  Intrusion Prevention System (IPS) Rules
  Data Loss Prevention (DLP)
  Endpoint Detection and Response (EDR)
  Network Access Control
  Agent-Based vs. Agentless NAC
  802.1X
  …
  Malware Signatures
  Development/Rule Writing
  Sandboxing
  Port Security
  Limiting MAC Addresses
  Implementing Sticky MAC
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 13: The Importance of Proactive Threat Hunting 401
  "Do I Know This Already?" Quiz
  Foundation Topics
  Establishing a Hypothesis
  Profiling Threat Actors and Activities
  Threat Hunting Tactics
  Hunt Teaming
  Threat Model
  Executable Process Analysis
  Memory Consumption
  Reducing the Attack Surface Area
  System Hardening
  Configuration Lockdown

  Bundling Critical Assets
  Commercial Business Classifications
  Military and Government Classifications
  Distribution of Critical Assets
  Attack Vectors
  Integrated Intelligence
  Improving Detection Capabilities
  Continuous Improvement
  Continuous Monitoring
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 14: Automation Concepts and Technologies 419
  "Do I Know This Already?" Quiz
  Foundation Topics
  Workflow Orchestration
  Scripting
  Application Programming Interface (API) Integration
  Automated Malware Signature Creation
  Data Enrichment
  Threat Feed Combination
  Machine Learning
  Use of Automation Protocols and Standards
  Security Content Automation Protocol (SCAP)
  Continuous Integration
  Continuous Deployment/Delivery
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 15: The Incident Response Process 433
  "Do I Know This Already?" Quiz
  Foundation Topics

  Communication Plan
  Limiting Communication to Trusted Parties
  Disclosing Based on Regulatory/Legislative Requirements
  Preventing Inadvertent Release of Information
  Using a Secure Method of Communication
  Reporting Requirements
  Response Coordination with Relevant Entities
  Legal
  Human Resources
  Public Relations
  Internal and External
  Law Enforcement
  Senior Leadership
  Regulatory Bodies
  Factors Contributing to Data Criticality
  Personally Identifiable Information (PII)
  Personal Health Information (PHI)
  Sensitive Personal Information (SPI)
  High Value Assets
  Financial Information
  Intellectual Property
  Patent
  Trade Secret
  Trademark
  Copyright
  Securing Intellectual Property
  Corporate Information
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 16: Applying the Appropriate Incident Response Procedure 449
  "Do I Know This Already?" Quiz
  Foundation Topics

  …ion of Procedures
  Detection and Analysis
  Characteristics Contributing to Severity Level Classification
  Downtime and Recovery Time
  Data Integrity
  Economic
  System Process Criticality
  Reverse Engineering
  Data Correlation
  Containment
  Segmentation
  Isolation
  Eradication and Recovery
  Vulnerability …
  Secure Disposal
  Patching
  Restoration of Permissions
  Reconstitution of Resources
  Restoration of Capabilities and Services
  Verification of Logging/Communication to Security Monitoring
  Post-Incident Activities
  Evidence Retention
  Lessons Learned Report
  Change Control Process
  Incident Response Plan Update
  Incident Summary Report
  Indicator of Compromise (IoC) Generation
  Monitoring
  Exam Preparation Tasks

  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 17: Analyzing Potential Indicators of Compromise 469
  "Do I Know This Already?" Quiz
  Foundation Topics
  Network-Related Indicators of Compromise
  Bandwidth Consumption
  Beaconing
  Irregular Peer-to-Peer Communication
  Rogue Device on the Network
  Scan/Sweep
  Unusual Traffic Spike
  Common Protocol over Non-standard Port
  Host-Related Indicators of Compromise
  Processor Consumption
  Memory Consumption
  Drive Capacity Consumption
  Unauthorized Software
  Malicious Process
  Unauthorized Change
  Unauthorized Privilege
  Data Exfiltration
  Abnormal OS Process Behavior
  File System Change or Anomaly
  Registry Change or Anomaly
  Unauthorized Scheduled Task
  Application-Related Indicators of Compromise
  Anomalous Activity
  Introduction of New Accounts
  Unexpected Output
  Unexpected Outbound Communication
  Service Interruption
  Application Log

  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 18: Utilizing Basic Digital Forensics Techniques 485
  "Do I Know This Already?" Quiz
  Foundation Topics
  Network
  Wireshark
  …
  Virtualization
  Legal Hold
  Procedures
  EnCase Forensic
  Sysinternals
  Forensic Investigation Suite
  Hashing
  Hashing Utilities
  Changes to Binaries
  Carving
  Data Acquisition
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 19: The Importance of Data Privacy and Protection 505
  "Do I Know This Already?" Quiz
  Foundation Topics
  Privacy vs. Security
  Non-technical …
  Data Types
  Personally Identifiable Information (PII)
  Personal Health Information (PHI)
  Payment Card Information
  Retention Standards
  Confidentiality
  Legal Requirements
  Data Sovereignty
  Data Minimization
  Purpose Limitation
  Non-disclosure Agreement (NDA)
  Technical Controls
  Encryption
  Data Loss Prevention (DLP)
  Data …
  Digital Rights Management (DRM)
  Document DRM
  Music DRM
  Movie DRM
  Video Game DRM
  E-Book DRM
  Watermarking
  Geographic Access Requirements
  Access Controls

  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 20: Applying Security Concepts in Support of Organizational Risk Mitigation 527
  "Do I Know This Already?" Quiz
  Foundation Topics
  Business Impact Analysis
  Identify Critical Processes and Resources
  Identify Outage Impacts and Estimate Downtime
  Identify Resource Requirements
  Identify Recovery Priorities
  Recoverability
  Fault Tolerance
  Risk Identification Process
  Make Risk Determination Based upon Known Metrics
  Qualitative Risk Analysis
  Quantitative Risk Analysis
  Risk …
  …cation of Risk Factors
  Risk Prioritization
  Security Controls
  Engineering Tradeoffs
  MOUs
  SLAs
  Organizational Governance
  Business Process Interruption
  Degrading Functionality
  Systems Assessment
  ISO/IEC 27001
  ISO/IEC 27002

  Documented Compensating Controls
  Training and Exercises
  Red Team
  Blue Team
  White Team
  Tabletop Exercise
  Supply Chain Assessment
  Vendor Due Diligence
  OEM Documentation
  Hardware Source Authenticity
  Trusted Foundry
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 21: The Importance of Frameworks, Policies, Procedures, and Controls 549
  "Do I Know This Already?" Quiz
  Foundation Topics
  Frameworks
  Risk-Based Frameworks
  National Institute of Standards and Technology (NIST)
  COBIT
  The Open Group Architecture Framework (TOGAF)
  Prescriptive Frameworks
  NIST Cybersecurity Framework Version 1.1
  ISO 27000 Series
  SABSA
  ITIL
  Maturity Models
  ISO/IEC 27001
  Policies and Procedures
  Code of Conduct/Ethics
  Acceptable Use Policy (AUP)

  Password Policy
  Data Ownership
  Data Retention
  Account Management
  Continuous Monitoring
  Work Product Retention
  Control Type …
  Directive
  Physical
  Audits and Assessments
  Regulatory
  Compliance
  Exam Preparation Tasks
  Review All Key Topics
  Define Key Terms
  Review Questions

Chapter 22: Final Preparation 579
  Exam Information
  Getting Ready
  Tools for Final Preparation
  Pearson Test Prep Practice Test Software and Questions on the Website
  Memory Tables
  Chapter-Ending Review Tools
  Suggested Plan for Final Review/Study
  Summary

Appendix A: Answers to the "Do I Know This Already?" Quizzes and Review Questions 585
Appendix B: CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide Exam Updates 651
Glossary of Key Terms 653
Index 689

Online Elements:
Appendix C: Memory Tables
Appendix D: Memory Tables Answer Key
Appendix E: Study Planner
Glossary of Key Terms

About the Author

Troy McMillan is a product developer and technical editor for Kaplan IT as well as a full-time trainer. He became a professional trainer 20 years ago, teaching Cisco, Microsoft, CompTIA, and wireless classes. He has written or contributed to more than a dozen projects, including the following recent ones:

  Contributing subject matter expert for CCNA Cisco Certified Network Associate Certification Exam Preparation Guide (Kaplan)
  Author of CISSP Cert Guide (Pearson)
  Prep test question writer for CCNA Wireless 640-722 Official Cert Guide (Cisco Press)
  Author of CompTIA Advanced Security Practitioner (CASP) Cert Guide (Pearson)

Troy has also appeared in the following training videos for OnCourse Learning: Security+; Network+; Microsoft 70-410, 411, and 412 exam prep; ICND1; and ICND2.

He delivers CISSP training classes for CyberVista, and is an authorized online training provider for (ISC)². Troy also creates certification practice tests and study guides for CyberVista. He lives in Asheville, North Carolina, with his wife, Heike.

Dedication

I dedicate this book to my wife, Heike, who has supported me when I needed it most.

Acknowledgments

I must thank everyone on the Pearson team for all of their help in making this book better than it would have been without their help. That includes Chris Cleveland, Nancy Davis, Chris Crayton, Tonya Simpson, and Mudita Sonar.

About the Technical Reviewer

Chris Crayton (MCSE) is an author, technical consultant, and trainer. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has authored several print and online books on PC repair, CompTIA A+, CompTIA Security+, and Microsoft Windows. He has also served as technical editor and content contributor on numerous technical titles for several of the leading publishing companies. He holds numerous industry certifications, has been recognized with many professional teaching awards, and has served as a state-level SkillsUSA competition judge.

We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way.

We welcome your comments. You can email to let us know what you did or didn't like about this book—as well as what we can do to make our books better.

Please note that we cannot help you with technical problems related to the topic of this book.

When you write, please be sure to include this book's title and author as well as your name and email address. We will carefully review your comments and share them with the author and editors who worked on the book.

Email: community@informit.com

Introduction

CompTIA CySA+ bridges the skills gap between CompTIA Security+ and CompTIA Advanced Security Practitioner (CASP+). Building on CySA+, IT p
