The CompTIA CySA+ (CS0-003) Certification Guide is your complete resource for passing the latest CySA+ exam and developing real-world cybersecurity skills. Covering all four exam domains—security operations, vulnerability management, incident response, and reporting and communication—this guide provides clear explanations, hands-on examples, and practical guidance drawn from real-world scenarios.
You’ll learn how to identify and analyze signs of malicious activity, apply threat hunting and intelligence concepts, and leverage tools to manage, assess, and respond to vulnerabilities and attacks. The book walks you through the incident response lifecycle and shows you how to report and communicate findings during both proactive and reactive cybersecurity efforts.
To solidify your understanding, each chapter includes review questions and interactive exercises. You’ll also get access to over 250 flashcards and two full-length practice exams that mirror the real test—helping you gauge your readiness and boost your confidence.
Whether you're starting your career in cybersecurity or advancing from an entry-level role, this guide equips you with the knowledge and skills you need to pass the CS0-003 exam and thrive as a cybersecurity analyst.
Page count: 1109
Year of publication: 2025
CompTIA CySA+ (CS0-003) Certification Guide
Pass the CySA+ exam on your first attempt with complete topic coverage, expert tips, and practice resources
Jonathan Isley
Copyright © 2025 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Author: Jonathan Isley
Reviewers: Nishanth Kumar Pathi, Andrew Yao, and Joseph Tindi
Relationship Leads: Sneha Shinde and Niranjan Naikwadi
Content Engineer: Swathi Ajayakumar
Production Designer: Shantanu Zagade
Editorial Board: Vijin Boricha, Alex Mazonowicz, Aaron Nash, Gandhali Raut, and Ankita Thakur
First Published: April 2025
Production Reference: 1250425
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB
ISBN 978-1-83546-892-0
www.packt.com
Jonathan Isley has worked as a Sr. Cybersecurity Analyst, working to discover, analyze, and help remediate control gaps. His career in IT, spanning over 20 years, has run the gamut, from pulling and installing low-voltage cables, installing point-of-sale systems, working on a help desk, and being a system administrator to shifting to the cybersecurity space with vulnerability management and cybersecurity analysis. Throughout this journey, he has focused on continuing to learn and grow, earning bachelor’s and master’s degrees in information security and awareness. He has earned several CompTIA, Cisco, EC-Council, and AWS certifications. He also holds the OSCP and CISSP certifications and most recently earned his SANS GCFA and GMLE certifications. He has always enjoyed discussing his learning with others and trying to support them by sharing resources and tips. He hopes this book can be an asset to others as they continue their own learning journey and growth in the field of IT and cybersecurity.
When he is not working and learning, he loves to travel. He has been fortunate to travel the world with his lovely friend and ex-wife, Daphnie, visiting more than 30 countries and 46 of the 50 US states, and taking about 20 cruises all over the world. He likes to fly, having earned his single-engine land pilot’s license in 2013. He also enjoys thrills, having skydived multiple times, including a H.A.L.O. skydive in Hawaii, jumped off the Las Vegas Stratosphere in a controlled free fall, and visited over 20 theme parks across the US.
LinkedIn profile: https://www.linkedin.com/in/jonathan-isley/
Personal website: https://www.jonathanisley.com
Certifications:
CompTIA A+, Linux+, Project+, Security+, CySA+
Cisco CCNA, CCNA: Security, CCNP R&S
EC-Council CEH and CHFI
AWS CCP and SAA
ISC2 CISSP
OSCP
SANS GCFA and GMLE
To my dearest friend Daphnie,
Your unwavering support has been my anchor through every step of my cybersecurity journey. From late-night study sessions to long weekends filled with deadlines, you encouraged and believed in me, even when I struggled to believe in myself. Through degrees, certifications, and countless challenges, your steadfast presence and understanding have made all the difference. This book is a testament not only to the knowledge I’ve gained, but also to the strength I’ve drawn from your friendship.
Thank you for being you, and for being by my side through the good, the bad, and the ugly.
To my mother, father, and sister—
Mom, for your faith and belief in me.
Dad, for introducing me to technology.
And to my sister, for reminding me to keep pushing forward, even on the toughest days.
Your love and support formed the foundation of everything in these pages.
You were there before the first command line, the first vulnerability, and the first idea for this book.
This book was a team effort. Sincere thanks go out to the wonderful team at Packt Publishing for their dedication, professionalism, and support throughout this journey. I firstly want to thank Sneha Shinde for considering me for this important project.
A special thank-you to my technical reviewers—Nishanth Kumar Pathi, Andrew Yao, and Joseph Tindi—for offering their time, thoughts, and expertise to ensure the content was accurate, relevant, and insightful. Your feedback helped to strengthen this book.
Much appreciation goes to Swathi Ajayakumar, my content editor, whose detailed reviews and steady guidance greatly enhanced the clarity and flow of the material. I am also grateful to the Editorial Board—Vijin Boricha, Alex Mazonowicz, Aaron Nash, Gandhali Raut, and Ankita Thakur—for their oversight and support in shaping the overall project from concept to completion.
Thanks also to the production, layout, and design teams working behind the scenes. Your efforts in formatting, graphics, and final polish helped transform a manuscript into a professional, finished book.
To everyone involved in bringing this project to life—sincerely, thank you.
May this book serve as a valuable resource for the growth of those who read it.
~Jonathan
Nishanth Kumar Pathi is an experienced professional with over 15 years of experience in technology and architecture, gained from working in various industries and across different countries. He specializes in Advisory, Consulting, Designing, Implementation, and Training, which helps him solve a wide range of business problems. His key areas of expertise include Cyber Security, Cloud Native Security Operations, Data Privacy, DevSecOps, Site Reliability Engineering, and Chaos Engineering.
Nishanth has also worked on several research papers and publications. Some of his work includes topics like PDF Guard – Advanced Malicious PDF Detection Tool, Governance & System Controls for BYOD to Secure Access to Corporate Resources, Security of a SaaS Application on AWS Cloud, Proactive Cyber Security, Risk Assessment and Implementation in ICS Protocols for Operational Technology, and Cyber Resilience for Containerized Workloads: A NIST-Based Approach to Incident Management and Recovery.
He has worked across various industries like Information Technology, Banking, Finance, Telecommunications, Transportation, and Industrial Manufacturing. His international experience, including countries like Algeria, Abu Dhabi, Bahrain, Dubai, Egypt, India, Qatar, Saudi Arabia, Singapore, has helped him understand the unique challenges and needs in these regions.
Nishanth’s skills and dedication are reflected in his numerous professional certifications, which include CIPM, CIPT, CISA, CISM, AWS Solutions Architect Professional, Azure Solutions Architect, Oracle Architect, and Gremlin Chaos Engineering Professional.
Apart from his experience and certifications, Nishanth is also a co-author of the OWASP Security Configuration Guide. He is an active member of the null Cyber Security Community and regularly organizes Cyber Security events, showing his passion for sharing knowledge and promoting best practices.
LinkedIn profile: https://www.linkedin.com/in/nishanthkumarpathi/
Personal website: https://www.nishanthkp.com
Andrew Yao is an information security analyst with incident response and GRC duties who has performed cybersecurity consulting in both the public and private sector. In the past, he has worked as a public school teacher as well as in the managed services provider space providing IT and cybersecurity support. Among others, Andrew has earned certifications from CompTIA (A+, Data+, Network+, Security+, CySA+), ISC2 (CC), Cloud Security Alliance (CCSK), and PCI (ISA/PCIP).
LinkedIn profile: https://www.linkedin.com/in/ayao
Joseph Tindi, a seasoned IT professional with a diploma in Information Technology, boasts an impressive array of certifications, including A+, CCNA, Security+ and CySA+. With a diverse background spanning PC technician, network engineering, cybersecurity analysis, penetration testing, forensics analysis, malware analysis, cloud computing, and digital marketing, Joseph brings a unique blend of technical expertise and real-world experience. Currently, he works as a freelance penetration tester, leveraging his skills to help organizations strengthen their defenses. When not uncovering vulnerabilities, Joseph can be found on the soccer field.
LinkedIn profile: https://www.linkedin.com/in/joseph-tindi-57244b169
The CompTIA Cybersecurity Analyst (CySA+) exam is a globally recognized certification designed to validate your expertise in proactively defending against and responding to cybersecurity threats. Focused on applying threat detection techniques, analyzing data, and implementing strategies to secure systems, the exam equips you with the skills needed to manage and mitigate vulnerabilities. Covering critical areas like security operations, vulnerability management, incident response, and effective communication, CySA+ emphasizes real-world applications, preparing you to protect organizations in an ever-evolving threat landscape. It is ideal for professionals aiming to strengthen their role in cybersecurity and advance their careers.
The CySA+ exam consists of 85 multiple-choice questions with a 165-minute time limit. Each domain is weighted differently, which dictates the number of questions that will appear for each domain. The exam is designed to assess your practical knowledge and analytical skills across the various domains of cybersecurity. Its structure consists of two primary question types: multiple-choice questions and performance-based questions (PBQs).
Multiple-Choice Questions: These require you to select the best answer from a list of options. While the exam is not intentionally designed to trick you, some questions may include subtle wording, such as asking for the “best” answer or identifying “not” correct answers, with “not” often appearing in lowercase or unbolded. Paying close attention to detail is essential.
Performance-Based Questions (PBQs): PBQs evaluate your problem-solving skills in realistic, hands-on scenarios. These may be presented as simulations, controlled environments mimicking tools like firewalls, terminals, or network diagrams. Simulations allow you to explore restricted functionality with multiple possible paths or solutions. Others may involve virtual environments using fully operational systems and software. These scenarios replicate live production environments, where you will need to execute the correct steps or risk pursuing paths that could lead to errors, just as in a real-world setting. PBQs are designed to mirror the practical challenges cybersecurity professionals face, ensuring your readiness to apply your expertise in dynamic, real-world situations.
The exam is structured to test both your theoretical knowledge and your ability to respond to hands-on cybersecurity challenges, preparing you for real-world situations.
The full-price exam voucher, purchased directly from CompTIA, costs $404 USD. There is an option for a discounted student rate of $219 USD if you have a valid student ID and .edu address.
There are discounted voucher stores online; the following one has been verified and is trusted, and currently offers an approximate 12% discount on the voucher: https://www.testforless.store/product-page/comptia-cysa-exam-voucher.
When you’re ready to take the CySA+ certification exam, you have a choice between in-person and online testing options, each offering its own benefits. Depending on your preferences, you can select the option that best suits your schedule, environment, and level of comfort. Below are the details for both testing formats.
For those who prefer an in-person exam, you can schedule your CySA+ certification exam at an authorized Pearson VUE testing center. Simply log in to your CompTIA account and navigate to Pearson VUE’s website to locate a nearby testing center. During scheduling, you will have the option to select a convenient testing site, ensuring a controlled and supervised environment to take your exam.
Online testing provides a flexible and convenient alternative, allowing you to take your CySA+ exam from any secure, distraction-free location. Whether it is a home office or a private space, online testing lets you schedule your exam at any time, including evenings or weekends. With a reliable internet connection and a device meeting the system requirements, you will experience a seamless testing session supported by Pearson VUE’s technical assistance in case of issues. Online testing is ideal for those needing maximum convenience without compromising security or supervision.
The CompTIA CySA+ CS0-003 Certification Guide is designed to comprehensively prepare you for the CompTIA CySA+ CS0-003 certification exam. It covers the essential concepts, tools, and techniques needed to protect systems and networks from evolving security threats. Through practical exercises, real-world scenarios, and in-depth explanations, the book helps you develop the skills to analyze, mitigate, and manage vulnerabilities, as well as to respond to incidents and communicate effectively. Whether you’re a beginner or looking to expand your cybersecurity knowledge, this guide will help you build a strong foundation in threat management, vulnerability response, and security operations.
This guide is designed for individuals aspiring to develop the skills and knowledge needed to successfully pass the CompTIA CySA+ CS0-003 exam and advance in the cybersecurity field. It is targeted at professionals with foundational experience in cybersecurity, such as those who have completed Network+ or Security+ certifications or who have at least four years of hands-on experience in incident response and security operations. While prior knowledge is advantageous, this guide provides a comprehensive roadmap to equip readers with essential cybersecurity skills and exam preparation strategies.
Readers of this guide are typically cybersecurity professionals eager to enhance their expertise in areas such as security operations, vulnerability management, threat intelligence, and cybersecurity analysis. Many seek this certification as a stepping stone toward roles requiring a more advanced understanding of cybersecurity concepts, including those approved for Department of Defense (DOD) 8140/8570 IAT Level II positions.
Whether motivated by career advancement, a passion for cybersecurity, or the desire to protect organizations in an evolving threat landscape, readers will find this guide an essential resource. It supports their journey not only as exam candidates but as growing professionals eager to contribute to the field with confidence.
Chapter 1, IAM, Logging, and Security Architecture, introduces essential concepts related to the CIA triad, exploring infrastructure topics like virtualization, containerization, and network architecture. You will gain an understanding of operating system fundamentals, including system hardening, file structures, and processes, and learn about the importance of logging, time synchronization, and log ingestion for system security. The chapter emphasizes critical Identity and Access Management (IAM) concepts such as multifactor authentication (MFA), single sign-on (SSO), and privileged access management (PAM). Finally, it explores encryption, sensitive data protection, and methods to secure vital assets in dynamic environments.
Chapter 2, Attack Frameworks, provides an in-depth overview of attack frameworks designed to aid cybersecurity practitioners in defense, offense, and incident response. You will explore key methodologies such as the Cyber Kill Chain, the Diamond Model of Intrusion Analysis, and the MITRE ATT&CK framework, gaining insight into their application in real-world scenarios. Additionally, you will examine security testing principles through the Open Source Security Testing Methodology Manual (OSSTMM) and the OWASP Testing Guide. Practical exercises will help you solidify your understanding of these frameworks and their use in enhancing security operations.
Chapter 3, Incident Response Preparation and Detection, explores the first two phases of the NIST Incident Response Life Cycle: preparation and detection and analysis. You will gain insights into building a robust incident response plan, leveraging tools, developing playbooks, and conducting training and tabletop exercises to enhance organizational readiness. The chapter then transitions to detection and analysis, focusing on identifying indicators of compromise (IOCs), acquiring and preserving evidence, maintaining chain of custody, and analyzing data. Forensics concepts and practical use cases are integrated to reinforce your understanding, ensuring you are well-equipped to handle incidents effectively.
Chapter 4, Incident Response – Containment, Eradication, Recovery, and Post-Incident Activities, investigates the final phases of the NIST Incident Response Life Cycle: containment, eradication, and recovery, followed by post-incident activities. You will learn strategies for limiting an incident’s impact, isolating affected systems, and restoring operations through remediation and re-imaging. The importance of post-incident reviews is emphasized, covering forensic analysis, root cause analysis, and documenting lessons learned to prevent future incidents. Practical exercises will enhance your understanding of these critical phases in incident management.
Chapter 5, Efficiency in Security Operations, highlights the importance of process improvement and efficiency in security operations, focusing on strategies to streamline workflows and optimize team performance. You will learn how to identify tasks suitable for automation, implement Security Orchestration, Automation, and Response (SOAR) technologies, and integrate tools and technologies through APIs and plugins. The concept of a “single pane of glass” is introduced, illustrating how to consolidate and visualize data for improved decision-making. A practical exercise allows you to apply SOAR principles and design a cohesive security operations workflow.
Chapter 6, Threat Intelligence and Threat Hunting, empowers you to take a proactive approach to security through the integration of threat intelligence and threat hunting practices. You will explore different types of threat actors and their tactics, techniques, and procedures (TTPs), and learn how to evaluate intelligence based on confidence factors like timeliness and accuracy. By leveraging various collection methods and sources, you will understand how to enhance incident response, vulnerability management, and risk assessment. The chapter introduces threat hunting techniques, such as identifying indicators of compromise (IOCs), analyzing misconfigurations, and using active defense strategies like honeypots. Practical exercises tie these concepts together, guiding you to install and use a threat intelligence platform and analyze intelligence data.
Chapter 7, Indicators of Malicious Activity, equips you with the knowledge to identify potential malicious activity within the vast amounts of data generated by systems and networks. You will explore network, host, and application-related indicators such as unusual traffic patterns, unauthorized software, and anomalous activities. Techniques for spotting social engineering attempts and obfuscated links are also covered. By understanding these indicators, you can enhance system protection and minimize the impact of malicious events. Practice exercises at the end of the chapter will refine your ability to analyze and pinpoint signs of threats.
Chapter 8, Tools and Techniques for Malicious Activity Analysis, introduces you to essential tools for packet analysis, log correlation, endpoint security, and sandboxing, along with techniques like email and file analysis. You will also explore scripting languages, such as Python and PowerShell, that can automate and enhance analysis workflows. By the end, you will practice using these tools and reviewing scripts to improve your analysis capabilities.
Chapter 9, Attack Mitigations, explores common vulnerabilities and attack types, along with the mitigation strategies and controls that can prevent or minimize their impact. Through hands-on scenarios, you will learn to identify and apply security measures to defend against attacks like cross-site scripting, buffer overflows, injection flaws, and privilege escalation. The chapter provides a practical approach, allowing you to conduct simulated attacks and analyze real-world scenarios to recommend the most effective defenses and security hardening techniques.
Chapter 10, Risk Control and Analysis, shows you how to manage limited resources effectively by prioritizing security efforts through attack surface management, risk analysis, and threat modeling. You will explore key concepts in vulnerability response and risk management, such as compensating controls, patching, and configuration management. The chapter will also cover the secure software development life cycle (SDLC), emphasizing the importance of integrating security throughout the development and maintenance processes. Practical exercises will give you hands-on experience in applying risk analysis and threat modeling to real-world scenarios.
Chapter 11, Vulnerability Management Program, will dive into the foundational elements of a vulnerability management program, starting with asset discovery and progressing to vulnerability scanning. You will explore key topics such as asset mapping, device fingerprinting, and the various types of scans, including internal and external, credentialed vs. non-credentialed, and static vs. dynamic scans. The importance of patching and configuration management will be emphasized, along with security baselines and considerations for sensitive environments. Industry frameworks, like PCI DSS and CIS benchmarks, will also be introduced to guide your vulnerability management efforts.
Chapter 12, Vulnerability Assessment Tools, covers a variety of vulnerability assessment tools used in different domains, including network, web application, general vulnerability, and cloud infrastructure. You will learn about the application and basic usage of popular tools such as Angry IP Scanner, Burp Suite, Nessus, and others. The chapter also introduces debuggers like Immunity Debugger and GNU Debugger, highlighting their importance from a security perspective. With practical exercises, you will analyze the output from these tools, apply it to common use cases, and generate actionable security recommendations based on your findings.
Chapter 13, Vulnerability Prioritization, explores the essential concepts of vulnerability prioritization, focusing on the Common Vulnerability Scoring System (CVSS). CVSS provides a standardized method for scoring and prioritizing vulnerabilities based on factors such as attack vectors, impact, and exploitability. Additionally, the chapter delves into context awareness, asset value, and how to handle true/false positives and negatives. You will apply this knowledge through practice scenarios to effectively analyze data and make informed decisions when prioritizing vulnerabilities.
Chapter 14, Incident Reporting and Communication, focuses on the importance of clear and effective incident reporting and communication. You will learn how to identify key stakeholders and ensure incidents are properly escalated to the right parties. The chapter covers the key components of incident response reporting, including executive summaries, timelines, impact assessments, and evidence documentation. It also explores communications strategies for legal, public relations, and regulatory needs. In addition, you will practice drafting incident reports, calculating key performance indicators (KPIs), and analyzing metrics to measure the efficiency of response efforts.
Chapter 15, Vulnerability Management Reporting and Communication, will explore how to effectively document and report vulnerabilities, including risk scores, mitigation strategies, and prioritization. The chapter also covers compliance reports and action plans, with a focus on configuration management, patching, and addressing remediation inhibitors. You will learn how to navigate challenges like business process interruptions, legacy systems, and organizational governance. Additionally, the chapter includes an overview of metrics, key performance indicators (KPIs), and communication strategies for effectively engaging stakeholders in the vulnerability management process.
With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you learn in the book.
How to Access These Materials
To learn how to access the online resources, refer to Chapter 16, Accessing the Online Practice Resources at the end of this book.
Figure 0.1 – Online exam-prep platform on a desktop device
Sharpen your knowledge of CySA+ concepts with multiple sets of mock exams, interactive flashcards, and practical exercises that are accessible from all modern web browsers. If you get stuck, you can raise your concerns with the author directly through the website. Before doing that, go through the list of resolved questions as well. These are based on questions asked by other users. Finally, review the exam tips on the website to ensure you are well prepared.
The content of this exam guide is thoughtfully structured to present the material in a logical progression to enhance understanding and retention. However, if you need to navigate specific exam objectives for quick reference, you can make use of the following table. Table 0.1 provides the mapping of the CySA+ exam objectives to the relevant chapters and sections of this book.
Table 0.1: Chapter Mapping of CySA+ Exam Objectives
The Confidentiality, Integrity, and Availability (CIA) triad serves as the cornerstone of cybersecurity. Confidentiality ensures that sensitive information is accessible only to authorized individuals, preventing unauthorized access or data breaches. Integrity protects the accuracy and trustworthiness of data, ensuring it remains unaltered unless modified through legitimate means. Lastly, Availability ensures that systems, applications, and data are accessible whenever needed by authorized users. These three principles work together to provide a holistic approach to securing assets and mitigating risks.
As you prepare for the CySA+ certification, the CIA triad is more than just theory: it is the lens through which you analyze threats, assess vulnerabilities, and recommend controls. Whether investigating an attack, configuring security tools, or developing incident response strategies, every action ties back to upholding confidentiality, integrity, and availability. The triad offers a practical framework to understand the impact of potential risks and prioritize resources effectively.
By keeping the CIA triad at the forefront of your thinking, you can make informed decisions and approach real-world scenarios with clarity and confidence. Every question, tool, and concept you encounter in the CySA+ exam is underpinned by the need to protect these core elements. Let it guide you not only in your studies but also throughout your career in cybersecurity.
This book includes hands-on exercises that utilize several software programs, including Kali Linux, Metasploitable, and VirtualBox. Listed here are the minimum suggested system requirements for each of these:
Kali Linux
Disk Space: 20 GB recommended for the full setup
Memory: 2 GB of RAM for the full desktop environment
Metasploitable
Disk Space: 10 GB
Memory: 512 MB of RAM (recommended)
VirtualBox
CPU: x86 hardware (Intel or AMD processor)
Disk Space: 30 MB for VirtualBox, but virtual machines can require up to several GB for each OS
Memory: At least 512 MB of RAM (more recommended depending on the guest OS)
Supported host OS: Windows, Linux, macOS, Solaris
Supported guest OS: Check the user manual for the latest guest OS compatibility
Since these software products will be running in parallel in some of the activities, the overall suggested minimum requirements are:
CPU: Recommended i5 or i7 (or equivalent), multi-core
Disk Space: Minimum 15 GB of disk space; recommended 40 GB of disk space
Memory: Minimum 4 GB of RAM; recommended 8 GB of RAM
You can check the GitHub repository of this book at https://github.com/PacktPublishing/CompTIA-CySA---CSO-003--Certification-Guide. If there is an update to the code, it will be updated in the GitHub repository. Check there often for updates and new content related to the book, cheat sheets, reference materials, and new exercises.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing. Check them out!
There are several text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and X handles. Here is an example: “Navigate to where you unzipped your Kali Linux files and choose the .vbox file.”
A block of code is set as follows:
select department from employees where userid=96134
Any command-line input or output is written as follows:
mkdir test_dir
Bold: Indicates a new term or an important word. Here is an example: “Organizations can also utilize a virtual desktop infrastructure (VDI) setup.”
Tips or Important Notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, select your book, click on the errata submission form link, and enter the details. We ensure that all valid errata are promptly updated in the GitHub repository at https://github.com/PacktPublishing/CompTIA-CySA---CSO-003--Certification-Guide.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read CompTIA CySA+ (CS0-003) Certification Guide, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below:
https://packt.link/free-ebook/9781835468920
Submit your proof of purchase.
That’s it! We’ll send your free PDF and other benefits to your email directly.
Identity and access management (IAM), logging, and security architecture are three major concepts that serve as the main building blocks of an organization’s security. In today’s ever-evolving security landscape, these concepts, if properly implemented, can secure the base of an organization’s environment. If absent or improperly implemented, each exposes the organization to its own class of problem. IAM issues include unauthorized access due to inadequate role-based permissions, potentially allowing access to sensitive data, and ineffective or missing multi-factor authentication (MFA), which increases the risk of account compromise. Logging issues include insufficient logging detail, which leaves incomplete records of security events and makes incidents difficult to investigate and respond to, and a lack of centralized log management, which makes investigation and response slower and less effective. Security architecture issues include inadequate network segmentation, which exposes the network to lateral movement and widens the impact of a compromise, and poorly configured firewalls and access controls, which leave openings that attackers could exploit to gain unauthorized access to systems.
Design and planning are the key first steps to creating a secure environment. First, a cybersecurity analyst must choose between infrastructure models, such as virtualization, containerization, on-premises, cloud, or hybrid. During this process, you must be aware of and understand common operating system (OS) concepts, including system hardening, filesystems, system processes, logging, and underlying hardware architecture. You must then include network design concepts to integrate these systems while continuing to keep security in mind. After the systems and networks are designed, you must be able to use and manage them securely. This is where access concepts and technologies will be integrated into the design to further facilitate an overall secure organization.
This chapter will discuss the CIA triad, teaching about infrastructure concepts, such as virtualization and containerization, alongside operating system concepts and network architecture. You will learn about the logging setup and its importance as related to system security and health. IAM criticality and concepts will be examined. The chapter will end by discussing encryption and sensitive data protection.
This chapter covers Domain 1.0: Security Operations, objective 1.1 Explain the importance of system and network architecture concepts in security operations in the CompTIA CySA+ CS0-003 exam.
The exam topics covered are as follows:
Infrastructure concepts
Operating system concepts
Log ingestion
Network architecture concepts
IAM
Encryption and data protection
This book and its accompanying online resources are designed to be a complete preparation tool for your CySA+ exam.
The book is written in a way that means you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, chapter review questions, interactive flashcards, case studies, and exam tips to help you work on your exam readiness from now till your test day.
Before You Proceed
To learn how to access these resources, head over to Chapter 16, Accessing the Online Practice Resources, at the end of the book.
Figure 1.1: Dashboard interface of the online practice resources
Here are some tips on how to make the most of this book so that you can clear your certification and retain your knowledge beyond your exam:
Read each section thoroughly.
Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.
Chapter review questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill – Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end of the book.
Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.
Mock exams: Review by solving the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.
Exam tips: Review these from time to time to improve your exam readiness even further.
Information technology infrastructure forms the fundamental structure of an organization to support its operation. It can include aspects around hardware, software, and networking. It provides the backbone for an organization to function and provide services to its customers. In a traditional design, these would be physical components (such as cabling, routers, switches, servers, and racks) acquired, provisioned, and maintained directly by the organization.
In this section, you will learn about three evolved infrastructure concepts:
Virtualization
Containerization
Serverless computing
Virtualization has enhanced physical machine resource utilization. Containerization has provided a portable solution for packaging applications and their dependencies. Meanwhile, serverless computing has allowed developers to focus only on code. Together, these innovations redefine the approach, development, and deployment of applications in today’s world. As you read this section, make sure to understand the advantages and disadvantages of each concept as well as the security concerns to be aware of when using them.
Virtualization utilizes software to allow a single physical machine to run multiple independent machines on the same hardware. The machine run by this software is called a virtual machine (VM). A VM is isolated and self-contained, allowing it to run an OS that can differ from the physical machine. An example would be running a Linux VM on a Windows physical machine.
This concept allows more efficient usage of hardware as, typically, much of an individual machine’s hardware goes unused, such as memory, CPU, and disk space. In standard physical computing, a server is often dedicated to a single application or group of applications. To account for potential periods of higher usage, memory and CPU are provisioned that may sit idle for periods of time. For example, an application may peak and need 8 GB of memory, but only peak for an hour each day. For the rest of the day, it only uses 2 GB, which causes wasted usage from the idle unused 6 GB of memory for 23 hours a day. Virtualization also expands the software capabilities of physical hardware. A single physical machine can run multiple VMs, each of which can run different OS and software configurations.
Many organizations utilize virtualization in their server infrastructure. They run large physical machines, with many CPUs and lots of memory and disk space. Numerous VMs are then created on each physical machine, and groups of these physical hosts are commonly pooled into clusters so that VMs can be moved or restarted between hosts. The VMs and their settings are controlled by the hypervisor on each host, typically with a central management platform on top. This allows the dynamic allocation of system resources based on need. Using the example mentioned previously about system resource wastage, an additional VM could be set up to use 4 GB of memory for 23 hours of the day, creating more efficient overall usage of the physical machine.
Figure 1.2 depicts a simple architecture for a VM.
Figure 1.2: VM architecture
It starts at the base layer with physical hardware running a host OS of Windows Server 2019. The next layer represents the hypervisor that creates and controls the VMs. Because this hypervisor sits on top of a host OS, it is a hosted (type 2) hypervisor, such as VirtualBox; a bare-metal (type 1) hypervisor such as VMware ESXi runs directly on the hardware without a general-purpose host OS, which is the usual choice for server infrastructure. There are two VMs depicted, each running its own guest OS – one running Linux and the other running Windows 11. Any number of applications can then be installed and run. Depending on the resource needs of each VM and application, and the hardware available on the physical server, multiple VMs can be created and run alongside each other. Each VM can have a different OS or version of an OS to best meet the business needs.
Organizations can also utilize a virtual desktop infrastructure (VDI) setup. Here, each desktop environment runs as a VM in the data center and is streamed to the user’s endpoint, so the desktop is contained and maintained internally. Desktops can be non-persistent (dynamic) or persistent. In the non-persistent method, VMs are created from a master image when users connect and destroyed when they log off, so no user state is retained on the VM between sessions. In the persistent method, each user is assigned a dedicated VM that retains their settings and data between sessions, and it sits idle waiting for usage. The persistent method is less efficient than the non-persistent one but still more efficient than standard physical computing, since the hypervisor can still allocate resources to the VMs dynamically based on real-time needs.
Virtualized machines and environments can be complex to design, build, manage, and secure. Organizations have to manage patching at multiple layers, and each layer can adversely affect the others. For example, if a Windows Server host is running a Linux guest VM and Windows Server is patched, the Linux VM could stop functioning or run more slowly. Patching therefore requires more planning and testing. It is critical to secure the hypervisor, because every VM depends on it: if the hypervisor is compromised, it provides an avenue for attackers to impact or compromise all VMs running under its management. Isolation and segmentation between VMs and clusters help to reduce the attack surface and limit the wider impact of issues and attacks, such as VM escape vulnerabilities, in which code running in a guest breaks out to the hypervisor or host.
Containerization is a form of OS-level virtualization that packages software into an isolated unit called a container. This is a standardized unit that contains the software and everything it needs to run, such as code, libraries, and dependencies. In standard computing, these requirements may come from other installed software or components. A container essentially brings its own environment with the software. Docker is a common container platform and runtime; Kubernetes is an orchestrator that schedules and manages containers across a cluster of hosts.
Using containers provides several benefits. They are portable and isolated, so they behave consistently wherever they are run. Their design is lightweight, using fewer resources than VMs. They are created from images, which are immutable: the image layers are read-only and a running container only adds a thin writable layer on top, so a known-good image can be redeployed at any time and unexpected changes are easier to detect, which increases security.
They also fit neatly into the microservices architecture concept by facilitating breaking an application into smaller, manageable services, each in its own container. These smaller units allow enhanced agility, scalability, and ease of management. They often have quick development and deployment timelines.
However, containers can have compatibility issues, with some OSs requiring additional configuration. Networking and storage configuration can be complex, especially as containers scale. Containers are ephemeral by default: anything written inside the container is lost when it is destroyed, so applications that need to keep state must externalize it to mounted volumes or external services such as a database, much as serverless functions do.
Containers run as ordinary processes on the host OS, so it is important to apply the principle of least privilege: run the container as a non-root user, drop the Linux capabilities it does not need, avoid privileged mode, and mount the root filesystem read-only where possible. Containers share the host’s kernel, so a kernel vulnerability reachable from inside a container can pose a risk to the entire system, including the host OS. The images they are created from must be reviewed for security (vulnerable packages, embedded secrets, misconfigurations); otherwise, those issues proliferate into every container built from the image. It is also important to secure the hosts that containers are deployed on, or the containers will inherit the security issues of the host. Network segmentation and traffic flow control should be used to protect containers from each other and only allow communication when necessary. This helps to reduce the impact of vulnerabilities such as container escapes.
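The least-privilege checks above can be applied mechanically to running containers. The following script is an added example, not code from the book: it audits container records for privileged mode, root users, dangerous added capabilities, shared host namespaces, writable root filesystems, and sensitive host mounts. The record layout imitates the fields that `docker inspect` returns (Config.User, HostConfig.Privileged, CapAdd/CapDrop, PidMode, NetworkMode, ReadonlyRootfs, Mounts[].Source), but the two sample containers are constructed by hand.

```python
"""Audit container runtime settings for least-privilege violations.

Added example; not code from the book. The record layout imitates the
fields that `docker inspect <container>` returns, but the two sample
containers below are constructed by hand.
"""
import json

# Capabilities that, once added, let a process escape or reconfigure the host.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "ALL"}
SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def _strip_cap(name):
    """Normalise 'CAP_SYS_ADMIN' and 'SYS_ADMIN' to the same form."""
    return name.upper().replace("CAP_", "", 1)


def audit_container(record):
    """Return a list of (severity, finding) tuples for one inspect record."""
    findings = []
    host = record.get("HostConfig") or {}
    conf = record.get("Config") or {}
    privileged = bool(host.get("Privileged"))

    # --privileged grants every capability and device and disables seccomp/AppArmor.
    if privileged:
        findings.append(("high", "container runs with --privileged"))

    # An empty User, "0" or "root" means processes run as UID 0 inside the container.
    user = (conf.get("User") or "").strip()
    if user.split(":")[0] in ("", "0", "root"):
        findings.append(("high", "container processes run as root (Config.User=%r)" % user))

    added = {_strip_cap(c) for c in (host.get("CapAdd") or [])}
    risky = sorted(added & DANGEROUS_CAPS)
    if risky:
        findings.append(("high", "dangerous capabilities added: " + ", ".join(risky)))
    dropped = {_strip_cap(c) for c in (host.get("CapDrop") or [])}
    if "ALL" not in dropped and not privileged:
        findings.append(("medium", "default capability set kept (no --cap-drop ALL)"))

    # Sharing host namespaces exposes host processes and sockets to the container.
    if host.get("PidMode") == "host":
        findings.append(("high", "shares the host PID namespace"))
    if host.get("NetworkMode") == "host":
        findings.append(("medium", "shares the host network namespace"))
    if not host.get("ReadonlyRootfs"):
        findings.append(("low", "root filesystem is writable (no --read-only)"))

    # A mounted Docker socket lets the container start privileged containers on the host.
    for mount in record.get("Mounts") or []:
        src = mount.get("Source", "")
        if src.endswith("docker.sock"):
            findings.append(("high", "Docker socket mounted from " + src))
        elif src == "/" or src.startswith(("/etc", "/proc", "/sys")):
            findings.append(("medium", "sensitive host path mounted: " + src))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'none' for a clean container."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="none")


def audit_inspect_json(text):
    """Audit every record in `docker inspect` output (a JSON list), keyed by container name."""
    return {rec.get("Name", "?"): audit_container(rec) for rec in json.loads(text)}


# Constructed sample records: a typical "it works" container and a hardened one.
WEAK = {"Name": "/web", "Config": {"User": ""},
        "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
                       "PidMode": "host", "NetworkMode": "default", "ReadonlyRootfs": False},
        "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]}
HARDENED = {"Name": "/api", "Config": {"User": "10001:10001"},
            "HostConfig": {"Privileged": False, "CapAdd": [], "CapDrop": ["ALL"],
                           "PidMode": "", "NetworkMode": "app_net", "ReadonlyRootfs": True},
            "Mounts": [{"Source": "/srv/app/data", "Destination": "/data"}]}
SAMPLE_INSPECT = json.dumps([WEAK, HARDENED])

if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print("%s: %s" % (name, worst_severity(findings)))
        for sev, text in findings:
            print("  [%s] %s" % (sev, text))
```

Against a real host, feed the script the output of `docker inspect $(docker ps -q)`; the weak sample produces six findings, of which the mounted Docker socket and privileged mode are the ones that hand an attacker the host outright.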
Serverless computing leverages the dynamic nature of the cloud to create functions without an organization having to perform infrastructure management. When an organization owns physical hardware, it must handle all management functions for the hardware, such as provisioning, maintenance, scaling, and security. Also, in some cloud setups, these responsibilities can still be with the organizations. With serverless computing, the cloud provider is responsible for handling the need-based dynamic allocation and provisioning of servers. These needs can be statically defined directly by the organization or based on dynamic application demand. All required management, including security, for these servers would also be supplied by the cloud provider. This removes the organizational responsibility of infrastructure design, building, and management of physical or virtual devices. High availability becomes easier to design and achieve with the cloud provider managing the infrastructure.
Function as a service (FaaS) is a common implementation within serverless computing, where developers can create discrete functions. These custom-designed functions are often event-driven, executing on demand. There can be any number of trigger events, such as HTTP requests, uploads, and timers. They are also stateless, retaining no information about previous invocations. This event-driven and stateless nature further allows functions to auto-scale as needed. These function designs can facilitate the underlying operation of an application or service offering. Some example FaaS offerings from cloud providers are AWS Lambda, Google Cloud Functions, and Azure Functions. Consider an online photo-sharing service that allows user uploads that are then displayed in different formats, such as thumbnails, medium size, and full size. A developer can create a function to work with the uploaded images. When a picture is uploaded and stored, an event can be triggered that pulls the original upload from storage, creates multiple resized versions, and then places them back in storage for users.
Secure design and coding for serverless functions have the same importance as standard applications. They have many of the same security considerations, such as authentication and authorization, data security and privacy, deployment, and communication. Another common attack vector is denial of service (DoS) and resource exhaustion, which can take advantage of the event-driven nature of FaaS, triggering events in high amounts, and overwhelming workloads. A large security trade-off is having no visibility into infrastructure and how it is being secured or managed. This makes a FaaS user dependent on the cloud provider’s security.
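The photo-resizing function and the security considerations above can be combined in one handler. The following is an added example, not code from the book or from any cloud provider’s SDK: a Lambda-style, stateless handler whose event layout imitates an S3 object-created notification (Records[].s3.bucket.name, Records[].s3.object.key, Records[].s3.object.size). It validates every record before doing work, rejecting oversized objects (a resource-exhaustion guard), path traversal in keys, and unexpected file types, and it writes outputs under a different prefix so they cannot re-trigger the function. The events are constructed by hand, nothing touches a real bucket, and the pixel resizing itself is outside the example.

```python
"""Event-driven image-processing function with defensive input checks.

Added example; not code from the book and not a cloud provider's SDK. The
handler signature and event layout imitate an AWS Lambda function invoked
by an S3 "object created" notification; the events are constructed by hand.
"""
import posixpath
from urllib.parse import unquote_plus

MAX_OBJECT_BYTES = 10 * 1024 * 1024   # cap per-invocation work: guards against resource exhaustion
ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
UPLOAD_PREFIX = "uploads/"
OUTPUT_PREFIX = "derived/"            # must differ from UPLOAD_PREFIX or each output re-triggers the function
OUTPUT_SIZES = {"thumb": 150, "medium": 800}   # longest edge in pixels for each derived copy


def validate_key(raw_key):
    """Return a decoded, validated object key or raise ValueError if it is unsafe."""
    key = unquote_plus(raw_key)       # S3 notifications URL-encode keys ("my photo.jpg" arrives as "my+photo.jpg")
    if not key.startswith(UPLOAD_PREFIX):
        raise ValueError("key outside upload prefix")
    rel = key[len(UPLOAD_PREFIX):]
    # Reject traversal, absolute paths and empty or duplicate separators before the
    # key is ever used to derive an output location.
    if not rel or rel != posixpath.normpath(rel) or rel.startswith(("/", "..")):
        raise ValueError("key contains path traversal or malformed components")
    if posixpath.splitext(rel)[1].lower() not in ALLOWED_EXT:
        raise ValueError("unsupported file type")
    return key


def plan_outputs(key):
    """Map each derived size name to the key its resized copy will be written under."""
    base = posixpath.basename(key)
    return {name: "%s%s/%s" % (OUTPUT_PREFIX, name, base) for name in OUTPUT_SIZES}


def handler(event, context=None):
    """Lambda-style entry point: stateless, handles every record in one invocation."""
    accepted, rejected = [], []
    for rec in event.get("Records", []):
        raw_key = rec.get("s3", {}).get("object", {}).get("key")
        try:
            bucket = rec["s3"]["bucket"]["name"]
            size = int(rec["s3"]["object"].get("size", 0))
            if size <= 0 or size > MAX_OBJECT_BYTES:
                raise ValueError("object size %d outside allowed range" % size)
            key = validate_key(rec["s3"]["object"]["key"])
        except (KeyError, TypeError, ValueError) as exc:
            rejected.append({"key": raw_key, "reason": str(exc)})
            continue
        # A real deployment would now download bucket/key, resize it with an image
        # library and upload each output; this example stops at the validated plan.
        accepted.append({"bucket": bucket, "key": key, "outputs": plan_outputs(key)})
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample event: one legitimate upload and three that must be rejected.
SAMPLE_EVENT = {"Records": [
    {"s3": {"bucket": {"name": "photos"}, "object": {"key": "uploads/cat.jpg", "size": 204800}}},
    {"s3": {"bucket": {"name": "photos"}, "object": {"key": "uploads/../etc/passwd", "size": 1024}}},
    {"s3": {"bucket": {"name": "photos"}, "object": {"key": "uploads/huge.png", "size": 500 * 1024 * 1024}}},
    {"s3": {"bucket": {"name": "photos"}, "object": {"key": "uploads/script.php", "size": 2048}}},
]}

if __name__ == "__main__":
    result = handler(SAMPLE_EVENT)
    for item in result["accepted"]:
        print("accepted", item["key"], "->", sorted(item["outputs"].values()))
    for item in result["rejected"]:
        print("rejected", item["key"], ":", item["reason"])
```

Rejected records are returned rather than raised so that one bad upload cannot fail the whole batch, and the size check runs before anything is fetched, which is where the cost of an abusive burst of events would otherwise land.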
Serverless computing provides several benefits to organizations. It uses a pay-per-use model for cost efficiency. Functions only run when needed, using only the resources necessary during the invocation. There is no charge for idle resources when functions are not running. Resources are elastic and auto-scaled, increasing or decreasing based on demand and maintaining a consistent level of performance. It also provides high availability and fault tolerance through the dynamic management of resources, ensuring that applications remain up and running. Finally, there can be rapid development and creation of applications by allowing attention to be focused on development, without the organizational responsibility of infrastructure management.
However, serverless computing may not always be the best solution for all situations. Invocations can have a small start delay (a cold start) when no warm instance of the function is available. This can be a disadvantage if an application requires real-time processing, such as with video conferencing. A function execution can be constrained by a maximum runtime, affecting long-running processes. This can be a disadvantage for applications such as those that work with databases that extract, transform, and load large volumes of data. As pricing is based on usage, resource efficiency and low workloads lead to better cost efficiency. This can be lost with heavy workloads that run more often, such as when working with machine learning and big data analytics.
Table 1.1 provides a summary of items discussed in this Infrastructure section. It covers virtualization, containerization, and serverless computing. Advantages, disadvantages, security concerns, and other topics are compared across all three subjects.
Definition
Virtualization: Running multiple VMs on a single physical server
Containerization: Running multiple isolated containers on a single OS instance
Serverless computing: Running functions or services without managing the underlying infrastructure

Advantages
Virtualization: Better utilization of hardware resources; isolation between VMs; flexibility to run different OSs
Containerization: Lightweight and faster startup; efficient use of resources; consistent environments
Serverless computing: No infrastructure management; auto-scaling; cost-effective for variable workloads

Disadvantages
Virtualization: Higher overhead due to running separate OS instances; slower startup times
Containerization: Less isolation compared to VMs; dependency on the host OS
Serverless computing: Limited control over the environment; vendor lock-in risks; cold start latency

Security Concerns
Virtualization: VM escape vulnerabilities; hypervisor attacks; complex patch management
Containerization: Container escape vulnerabilities; shared kernel risks; insecure container images
Serverless computing: Dependency on the provider’s security; lack of visibility into infrastructure; function-level security risks

Use Cases
Virtualization: Running legacy applications; multi-tenant environments; development and testing
Containerization: Microservices architectures; continuous integration/continuous deployment (CI/CD); lightweight applications
Serverless computing: Event-driven applications; short-lived tasks; dynamic scaling requirements

Resource Efficiency
Virtualization: Moderate efficiency due to full OS instances
Containerization: High efficiency due to sharing the OS kernel
Serverless computing: Very high efficiency, paying only for execution time

Isolation Level
Virtualization: Strong isolation between VMs
Containerization: Moderate isolation; containers share the same OS kernel
Serverless computing: Limited isolation; depends on the provider’s multi-tenancy model

Startup Time
Virtualization: Slow (minutes)
Containerization: Fast (seconds)
Serverless computing: Very fast (milliseconds)

Management Overhead
Virtualization: High; requires managing VMs and OS updates
Containerization: Moderate; requires managing containers and dependencies
Serverless computing: Low; provider handles infrastructure management
Table 1.1: Comparison of virtualization, containerization, and serverless computing
Now that you have reviewed infrastructure design choices, you will learn about the systems that will operate within those designs. You will explore OS concepts and security considerations including hardware architecture, filesystem structure, configuration files, system processes, and secure system hardening.
This activity guides you through setting up a virtualized environment using VirtualBox, Kali Linux, and Metasploitable. These tools are essential for practicing cybersecurity concepts in a safe and controlled setting. By the end of this activity, you will have a functional virtual environment ready for hands-on exercises.
You will begin by downloading and installing VirtualBox, followed by obtaining and setting up the required VMs. Finally, you will verify that your setup is complete by testing the functionality of each VM.
Before you can start working with VMs, you need a virtualization platform. VirtualBox is a free and reliable tool that enables you to create and manage VMs on your system. Follow these steps to download and install it.
To download and install VirtualBox, follow these steps:
Navigate to https://www.virtualbox.org/wiki/Downloads.
Download the latest VirtualBox for your system OS.
Install VirtualBox and accept all the defaults. If you are presented with a message about missing dependencies (Python Core / win32api), you can click Yes to proceed, as this book will not utilize these. If you later plan to use the Python bindings for Oracle VM VirtualBox for external Python applications using the Oracle VM VirtualBox API, you will need to revisit this.
To perform the exercises in this book, you will need to download VMs for Kali Linux and Metasploitable. These downloads can be quite large and may take a long time depending on your connection speed. They will provide the environments required for hands-on learning. Follow these steps to download the VM files:
Navigate to https://www.kali.org/get-kali/#kali-virtual-machines and select the VirtualBox 64 download.
Navigate to https://sourceforge.net/projects/metasploitable/files/Metasploitable2/ and download the latest version.
Both downloads will need to be unzipped. You can use your preferred ZIP program, such as 7-Zip, found at https://www.7-zip.org/download.html; Windows also has a ZIP program built in. Unzip the images and place them in a folder where you will store your VirtualBox images. Both will be used in the next steps. Keep in mind that Metasploitable is intentionally vulnerable: attach it only to a host-only or internal VirtualBox network, never to a bridged adapter that exposes it to your real LAN.
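Large images downloaded over the internet should be checked against the publisher’s hashes before they are imported. The following is an added example, not code from the book: it parses a sha256sum-style sums file (the `<hex digest>  <filename>` layout Kali publishes beside its images), streams the local file through SHA-256 so a multi-gigabyte image never has to fit in memory, and compares digests in constant time. The demo file and sums text are constructed for the demonstration and are not real Kali hashes.

```python
"""Verify a downloaded VM image against a published SHA256SUMS entry.

Added example; not code from the book. It assumes the sums file uses the
sha256sum layout ("<hex digest>  <filename>", or "*filename" for binary
mode). The demo file and sums below are constructed, not real Kali hashes.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sums(text):
    """Map filename -> lowercase hex digest, ignoring blank, comment and PGP armour lines."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so multi-gigabyte images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, sums_text):
    """True only when the file's digest matches its own entry in the sums file."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False      # no entry means unverified, which must never count as OK
    return hmac.compare_digest(sha256_file(path), expected)


# Constructed demo: a stand-in "image" containing the bytes b"abc", whose SHA-256
# is the well-known test-vector value below, plus a tampered sums file.
DEMO_NAME = "kali-demo.vbox.7z"
GOOD_SUMS = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  " + DEMO_NAME + "\n"
TAMPERED_SUMS = "00" * 32 + "  *" + DEMO_NAME + "\n"


def make_demo_file():
    """Write the constructed demo image to a temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), DEMO_NAME)
    with open(path, "wb") as f:
        f.write(b"abc")
    return path


if __name__ == "__main__":
    p = make_demo_file()
    print("good sums:", verify_download(p, GOOD_SUMS))          # True
    print("tampered sums:", verify_download(p, TAMPERED_SUMS))  # False
```

For a real download, pass the path of the unzipped or downloaded image and the contents of the sums file fetched from the vendor’s site; a file with no entry in the sums file is reported as unverified rather than passed through, and verification says nothing about whether the sums file itself is authentic, which is what the vendor’s signature on that file is for.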
Kali Linux is a penetration testing and ethical hacking distribution. Follow these steps to configure it in VirtualBox and ensure it is ready for the exercises in this book:
Figure 1.3 shows the main initial VirtualBox screen. Here, you will click the Add button, the green plus sign on the right side of the buttons at the top of the screen.
Figure 1.3: VirtualBox Add button
Figure 1.4 shows the popup that will appear, allowing you to choose a .vbox file. Navigate to where you unzipped your Kali Linux files and choose the .vbox file. It will be the only one