CompTIA CySA+ Study Guide - Mike Chapple - E-Book


Mike Chapple

Description

This updated study guide by two security experts will help you prepare for the CompTIA CySA+ certification exam. Position yourself for success with coverage of crucial security topics! Where can you find 100% coverage of the revised CompTIA Cybersecurity Analyst+ (CySA+) exam objectives? It's all in the CompTIA CySA+ Study Guide Exam CS0-002, Second Edition! This guide provides clear and concise information on crucial security topics. You'll be able to gain insight from practical, real-world examples, plus chapter reviews and exam highlights. Turn to this comprehensive resource to gain authoritative coverage of a range of security subject areas.

* Review threat and vulnerability management topics
* Expand your knowledge of software and systems security
* Gain greater understanding of security operations and monitoring
* Study incident response information
* Get guidance on compliance and assessment

The CompTIA CySA+ Study Guide, Second Edition connects you to useful study tools that help you prepare for the exam. Gain confidence by using its interactive online test bank with hundreds of bonus practice questions, electronic flashcards, and a searchable glossary of key cybersecurity terms. You also get access to hands-on labs and have the opportunity to create a cybersecurity toolkit. Leading security experts, Mike Chapple and David Seidl, wrote this valuable guide to help you prepare to be CompTIA Security+ certified. If you're an IT professional who has earned your CompTIA Security+ certification, success on the CySA+ (Cybersecurity Analyst) exam stands as an impressive addition to your professional credentials. Preparing for and taking the CS0-002 exam can also help you plan for advanced certifications, such as the CompTIA Advanced Security Practitioner (CASP+).


Page count: 1026

Publication year: 2020




Table of Contents

Cover

Acknowledgments

About the Authors

About the Technical Editor

Introduction

What Does This Book Cover?

Objectives Map for CompTIA Cybersecurity Analyst (CySA+) Exam CS0-002

Setting Up a Kali and Metasploitable Learning Environment

Assessment Test

Answers to the Assessment Test

Chapter 1: Today's Cybersecurity Analyst

Cybersecurity Objectives

Privacy vs. Security

Evaluating Security Risks

Building a Secure Network

Secure Endpoint Management

Penetration Testing

Reverse Engineering

The Future of Cybersecurity Analytics

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 2: Using Threat Intelligence

Threat Data and Intelligence

Threat Classification

Attack Frameworks

Applying Threat Intelligence Organizationwide

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 3: Reconnaissance and Intelligence Gathering

Mapping and Enumeration

Passive Footprinting

Gathering Organizational Intelligence

Detecting, Preventing, and Responding to Reconnaissance

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 4: Designing a Vulnerability Management Program

Identifying Vulnerability Management Requirements

Configuring and Executing Vulnerability Scans

Developing a Remediation Workflow

Overcoming Risks of Vulnerability Scanning

Vulnerability Scanning Tools

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 5: Analyzing Vulnerability Scans

Reviewing and Interpreting Scan Reports

Validating Scan Results

Common Vulnerabilities

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 6: Cloud Security

Understanding Cloud Environments

Operating in the Cloud

Cloud Infrastructure Security

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 7: Infrastructure Security and Controls

Understanding Defense-in-Depth

Improving Security by Improving Controls

Analyzing Security Architecture

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 8: Identity and Access Management Security

Understanding Identity

Threats to Identity and Access

Identity as a Security Layer

Federation and Single Sign-On

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 9: Software and Hardware Development Security

Software Assurance Best Practices

Designing and Coding for Security

Software Security Testing

Hardware Assurance Best Practices

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 10: Security Operations and Monitoring

Security Monitoring

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 11: Building an Incident Response Program

Security Incidents

Phases of Incident Response

Building the Foundation for Incident Response

Creating an Incident Response Team

Coordination and Information Sharing

Classifying Incidents

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 12: Analyzing Indicators of Compromise

Analyzing Network Events

Investigating Host-Related Issues

Investigating Service and Application-Related Issues

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 13: Performing Forensic Analysis and Techniques

Building a Forensics Capability

Understanding Forensic Software

Conducting Endpoint Forensics

Network Forensics

Cloud, Virtual, and Container Forensics

Conducting a Forensic Investigation

Forensic Investigation: An Example

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 14: Containment, Eradication, and Recovery

Containing the Damage

Incident Eradication and Recovery

Wrapping Up the Response

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 15: Risk Management

Analyzing Risk

Managing Risk

Security Controls

Summary

Exam Essentials

Lab Exercises

Review Questions

Chapter 16: Policy and Compliance

Understanding Policy Documents

Complying with Laws and Regulations

Adopting a Standard Framework

Implementing Policy-Based Controls

Security Control Verification and Quality Control

Summary

Exam Essentials

Lab Exercises

Review Questions

Appendix A: Practice Exam

Exam Questions

Appendix B: Answers to Review Questions and Practice Exam

Chapter 1: Today's Cybersecurity Analyst

Chapter 2: Using Threat Intelligence

Chapter 3: Reconnaissance and Intelligence Gathering

Chapter 4: Designing a Vulnerability Management Program

Chapter 5: Analyzing Vulnerability Scans

Chapter 6: Cloud Security

Chapter 7: Infrastructure Security and Controls

Chapter 8: Identity and Access Management Security

Chapter 9: Software and Hardware Development Security

Chapter 10: Security Operations and Monitoring

Chapter 11: Building an Incident Response Program

Chapter 12: Analyzing Indicators of Compromise

Chapter 13: Performing Forensic Analysis and Techniques

Chapter 14: Containment, Eradication, and Recovery

Chapter 15: Risk Management

Chapter 16: Policy and Compliance

Practice Exam Answers

Appendix C: Answers to Lab Exercises

Chapter 1: Today's Cybersecurity Analyst

Chapter 2: Using Threat Intelligence

Chapter 3: Reconnaissance and Intelligence Gathering

Chapter 5: Analyzing Vulnerability Scans

Chapter 7: Infrastructure Security and Controls

Chapter 8: Identity and Access Management Security

Chapter 9: Software and Hardware Development Security

Chapter 10: Security Operations and Monitoring

Chapter 11: Building an Incident Response Program

Chapter 12: Analyzing Indicators of Compromise

Chapter 13: Performing Forensic Analysis and Techniques

Chapter 14: Containment, Eradication, and Recovery

Chapter 15: Risk Management

Chapter 16: Policy and Compliance

Index

End User License Agreement

List of Tables

Introduction

TABLE I.1 Virtual machine network options

Chapter 1

TABLE 1.1 Common TCP ports

Chapter 3

TABLE 3.1 Cisco log levels

Chapter 5

TABLE 5.1 CVSS attack vector metric

TABLE 5.2 CVSS attack complexity metric

TABLE 5.3 CVSS privileges required metric

TABLE 5.4 CVSS user interaction metric

TABLE 5.5 CVSS confidentiality metric

TABLE 5.6 CVSS integrity metric

TABLE 5.7 CVSS availability metric

TABLE 5.8 CVSS scope metric

TABLE 5.9 CVSS Qualitative Severity Rating Scale

Chapter 8

TABLE 8.1 Comparison of federated identity technologies

Chapter 9

TABLE 9.1 Code review method comparison

Chapter 10

TABLE 10.1 grep flags

Chapter 11

TABLE 11.1 NIST functional impact categories

TABLE 11.2 Economic impact categories

TABLE 11.3 NIST recoverability effort categories

TABLE 11.4 NIST information impact categories

TABLE 11.5 Private organization information impact categories

Chapter 12

TABLE 12.1 Unauthorized use and detection mechanisms

Chapter 13

TABLE 13.1 Forensic application of Windows system artifacts

TABLE 13.2 Key iOS file locations

Chapter 16

TABLE 16.1 NIST Cybersecurity framework implementation tiers

List of Illustrations

Introduction

FIGURE I.1 VirtualBox main screen

FIGURE I.2 Adding the Metasploitable VM

FIGURE I.3 Adding a NAT network

FIGURE I.4 Configuring VMs for the NAT network

Chapter 1

FIGURE 1.1 The three key objectives of cybersecurity programs are confidenti...

FIGURE 1.2 Risks exist at the intersection of threats and vulnerabilities. I...

FIGURE 1.3 The NIST SP 800-30 risk assessment process suggests that an organ...

FIGURE 1.4 Many organizations use a risk matrix to determine an overall risk...

FIGURE 1.5 In an 802.1x system, the device attempting to join the network ru...

FIGURE 1.6 A triple-homed firewall connects to three different networks, typ...

FIGURE 1.7 A triple-homed firewall may also be used to isolate internal netw...

FIGURE 1.8 Group Policy Objects (GPOs) may be used to apply settings to many...

FIGURE 1.9 NIST divides penetration testing into four phases.

FIGURE 1.10 The attack phase of a penetration test uses a cyclical process t...

Chapter 2

FIGURE 2.1 Recent alert listing from the CISA website

FIGURE 2.2 The threat intelligence cycle

FIGURE 2.3 A Talos reputation report for a single host

FIGURE 2.4 The ATT&CK definition for Cloud Instance Metadata API attacks

FIGURE 2.5 A Diamond Model analysis of a compromised system

FIGURE 2.6 The Cyber Kill Chain.

Chapter 3

FIGURE 3.1 Zenmap topology view

FIGURE 3.2 Nmap scan results

FIGURE 3.3 Nmap service and version detection

FIGURE 3.4 Nmap of a Windows 10 system

FIGURE 3.5 Angry IP Scanner

FIGURE 3.6 Cisco router log

FIGURE 3.7 SNMP configuration from a typical Cisco router

FIGURE 3.8 Linux netstat -ta output

FIGURE 3.9 Windows netstat -o output

FIGURE 3.10 Windows netstat -e output

FIGURE 3.11 Windows netstat -nr output

FIGURE 3.12 Linux dhcpd.conf file

FIGURE 3.13 Nslookup for google.com

FIGURE 3.14 Nslookup using Google's DNS with MX query flag

FIGURE 3.15 Traceroute for bbc.co.uk

FIGURE 3.16 Whois query data for google.com

FIGURE 3.17 host command response for google.com

FIGURE 3.18 Responder start-up screen

FIGURE 3.19 Packet capture data from an nmap scan

FIGURE 3.20 Demonstration account from immersion.media.mit.edu

Chapter 4

FIGURE 4.1 FIPS 199 Standards

FIGURE 4.2 Qualys asset map

FIGURE 4.3 Configuring a Nessus scan

FIGURE 4.4 Sample Nessus scan report

FIGURE 4.5 Nessus scan templates

FIGURE 4.6 Disabling unused plug-ins

FIGURE 4.7 Configuring authenticated scanning

FIGURE 4.8 Choosing a scan appliance

FIGURE 4.9 Nessus vulnerability in the NIST National Vulnerability Database...

FIGURE 4.10 Nessus Automatic Updates

FIGURE 4.11 Vulnerability management life cycle

FIGURE 4.12 Qualys dashboard example

FIGURE 4.13 Nessus report example by IP address

FIGURE 4.14 Nessus report example by criticality

FIGURE 4.15 Detailed vulnerability report

FIGURE 4.16 Qualys scan performance settings

FIGURE 4.17 Nikto web application scanner

FIGURE 4.18 Arachni web application scanner

FIGURE 4.19 Nessus web application scanner

FIGURE 4.20 Zed Attack Proxy (ZAP)

FIGURE 4.21 Burp Proxy

Chapter 5

FIGURE 5.1 Nessus vulnerability scan report

FIGURE 5.2 Qualys vulnerability scan report

FIGURE 5.3 Scan report showing vulnerabilities and best practices

FIGURE 5.4 Vulnerability trend analysis

FIGURE 5.5 Vulnerabilities exploited in 2015 by year of initial discovery

FIGURE 5.6 Missing patch vulnerability

FIGURE 5.7 Unsupported operating system vulnerability

FIGURE 5.8 Dirty COW website

FIGURE 5.9 Code execution vulnerability

FIGURE 5.10 FTP cleartext authentication vulnerability

FIGURE 5.11 Debug mode vulnerability

FIGURE 5.12 Outdated SSL version vulnerability

FIGURE 5.13 Insecure SSL cipher vulnerability

FIGURE 5.14 Invalid certificate warning

FIGURE 5.15 DNS amplification vulnerability

FIGURE 5.16 Internal IP disclosure vulnerability

FIGURE 5.17 Inside a virtual host

FIGURE 5.18 SQL injection vulnerability

FIGURE 5.19 Cross-site scripting vulnerability

FIGURE 5.20 Alice communicating with a bank web server

FIGURE 5.21 Man-in-the-middle attack

FIGURE 5.22 First vulnerability report

FIGURE 5.23 Second vulnerability report

Chapter 6

FIGURE 6.1 Google's Gmail is an example of SaaS computing.

FIGURE 6.2 Slate is a CRM tool designed specifically for higher education ad...

FIGURE 6.3 AWS provides customers with access to IaaS computing resources.

FIGURE 6.4 Heroku is a popular PaaS offering that supports many popular prog...

FIGURE 6.5 HathiTrust is an example of community cloud computing.

FIGURE 6.6 AWS Outposts offer hybrid cloud capability.

FIGURE 6.7 Shared responsibility model for cloud computing

FIGURE 6.8 Creating an EC2 instance through the AWS web interface

FIGURE 6.9 Creating an EC2 instance with CloudFormation JSON

FIGURE 6.10 Results of an AWS Inspector scan.

FIGURE 6.11 ScoutSuite dashboard from an AWS account scan

FIGURE 6.12 EC2 security issues reported during a ScoutSuite scan

FIGURE 6.13 Partial listing of the exploits available in Pacu

FIGURE 6.14 Partial results of a Prowler scan against an AWS account

Chapter 7

FIGURE 7.1 Layered security network design

FIGURE 7.2 Network segmentation with a protected network

FIGURE 7.3 Linux permissions

FIGURE 7.4 A fully redundant network edge design

FIGURE 7.5 Single points of failure in a network design

FIGURE 7.6 Single points of failure in a process flow

FIGURE 7.7 Sample security architecture

Chapter 8

FIGURE 8.1 A high-level logical view of identity management infrastructure

FIGURE 8.2 LDAP directory structure

FIGURE 8.3 Kerberos authentication flow

FIGURE 8.4 OAuth covert redirects

FIGURE 8.5 A sample account life cycle

FIGURE 8.6 Phishing for a PayPal ID

FIGURE 8.7 Authentication security model

FIGURE 8.8 Google Authenticator token

FIGURE 8.9 Context-based authentication

FIGURE 8.10 Federated identity high-level design

FIGURE 8.11 Attribute release request for LoginRadius.com

FIGURE 8.12 Simple SAML transaction

FIGURE 8.13 OAuth authentication process

Chapter 9

FIGURE 9.1 High-level SDLC view

FIGURE 9.2 The Waterfall SDLC model

FIGURE 9.3 The Spiral SDLC model

FIGURE 9.4 Agile sprints

FIGURE 9.5 Rapid Application Development prototypes

FIGURE 9.6 The CI/CD pipeline

FIGURE 9.7 Fagan code review

FIGURE 9.8 Tamper Data session showing login data

Chapter 10

FIGURE 10.1 Windows Event Viewer entries

FIGURE 10.2 Linux syslog entries in auth.log with sudo events

FIGURE 10.3 UFW blocked connection firewall log entry examples

FIGURE 10.4 ModSecurity log entry examples

FIGURE 10.5 SIEM data acquisition, rule creation, and automation

FIGURE 10.6 The Windows 10 Resource Monitor

FIGURE 10.7 Linux ps output

FIGURE 10.8 SolarWinds network flow console

FIGURE 10.9 Wireshark packet analysis with packet content detail

FIGURE 10.10 Headers from a phishing email

Chapter 11

FIGURE 11.1 Incident response process

FIGURE 11.2 Incident response checklist

Chapter 12

FIGURE 12.1 Routers provide a central view of network traffic flow by sendin...

FIGURE 12.2 NetFlow data example

FIGURE 12.3 Passive monitoring between two systems

FIGURE 12.4 PRTG network overview

FIGURE 12.5 Beaconing in Wireshark

FIGURE 12.6 Unexpected network traffic shown in flows

FIGURE 12.7 nmap scan of a potential rogue system

FIGURE 12.8 The Windows Resource Monitor view of system resources

FIGURE 12.9 The Windows Performance Monitor view of system usage

FIGURE 12.10 The Windows Task Scheduler showing scheduled tasks and creation...

Chapter 13

FIGURE 13.1 Sample chain-of-custody form

FIGURE 13.2 Carving a JPEG file using HxD

FIGURE 13.3 Advanced Office Password Recovery cracking a Word DOC file

FIGURE 13.4 Wireshark view of network traffic

FIGURE 13.5 Tcpdump of network traffic

FIGURE 13.6 Virtualization vs. containerization

FIGURE 13.7 Order of volatility of common storage locations

FIGURE 13.8 dd of a volume

FIGURE 13.9 FTK image hashing and bad sector checking

FIGURE 13.10 USB Historian drive image

FIGURE 13.11 Initial case information and tracking

FIGURE 13.12 Case information and tracking partly through the indexing proce...

FIGURE 13.13 Email extraction

FIGURE 13.14 Web search history

FIGURE 13.15 iCloud setup log with timestamp

FIGURE 13.16 CCleaner remnant data via the Index Search function

FIGURE 13.17 Resignation letter found based on document type

FIGURE 13.18 Sample forensic finding from Stroz Friedberg's Facebook contrac...

Chapter 14

FIGURE 14.1 Incident response process

FIGURE 14.2 Proactive network segmentation

FIGURE 14.3 Network segmentation for incident response

FIGURE 14.4 Network isolation for incident response

FIGURE 14.5 Network removal for incident response

FIGURE 14.6 Patching priorities

FIGURE 14.7 Sanitization and disposition decision flow

Chapter 15

FIGURE 15.1 Risk exists at the intersection of a threat and a corresponding ...

FIGURE 15.2 Qualitative risk assessments use subjective rating scales to eva...

FIGURE 15.3 (a) STOP tag attached to a device (b) Residue remaining on devic...

FIGURE 15.4 Cover sheets used to identify classified U.S. government informa...

Chapter 16

FIGURE 16.1 Excerpt from CMS roles and responsibilities chart

FIGURE 16.2 Excerpt from UC Berkeley Minimum Security Standards for Electron...

FIGURE 16.3 NIST Cybersecurity Framework Core Structure

FIGURE 16.4 Asset Management Cybersecurity Framework

FIGURE 16.5 ITIL service life cycle

CompTIA® Cybersecurity Analyst (CySA+) Study Guide: Exam CS0-002

Second Edition

Mike Chapple

David Seidl


Copyright © 2020 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada and the United Kingdom

ISBN: 978-1-119-68405-3
ISBN: 978-1-119-68408-4 (ebk.)
ISBN: 978-1-119-68411-4 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020937966

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA is a registered trademark of Computing Technology Industry Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

I dedicate this book to my father, who was a role model of the value of hard work, commitment to family, and the importance of doing the right thing. Rest in peace, Dad.

—Mike Chapple

This book is dedicated to Ric Williams, my friend, mentor, and partner in crime through my first forays into the commercial IT world. Thanks for making my job as a “network janitor” one of the best experiences of my life.

—David Seidl

Acknowledgments

Books like this involve work from many people, and as authors, we truly appreciate the hard work and dedication that the team at Wiley shows. We would especially like to thank senior acquisitions editor Kenyon Brown. We have worked with Ken on multiple projects and consistently enjoy our work with him.

We also greatly appreciated the editing and production team for the book, including Kezia Endsley, our project editor, who brought years of experience and great talent to the project, Chris Crayton, our technical editor, who provided insightful advice and gave wonderful feedback throughout the book, Saravanan Dakshinamurthy, our production editor, who guided us through layouts, formatting, and final cleanup to produce a great book, and Liz Welch, our copy editor, who helped the text flow well. Thanks also to Runzhi “Tom” Song, Mike’s research assistant at Notre Dame who helped fact-check our work. We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.

Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.

Finally, we would like to thank our families and significant others who support us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Authors

Mike Chapple, Ph.D., CySA+, is author of the best-selling CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide (Sybex, 2018) and the CISSP (ISC)² Official Practice Tests (Sybex, 2018). He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as Teaching Professor in the IT, Analytics, and Operations department at the University of Notre Dame's Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.

Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.

Mike is technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University. Mike holds certifications in Cybersecurity Analyst+ (CySA+), Security+, Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and Certified Information Systems Security Professional (CISSP).

David Seidl is Vice President for Information Technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including serving as the Senior Director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's Director of Information Security and led Notre Dame's information security program. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business, and he has written books on security certification and cyberwarfare, including co-authoring CISSP (ISC)² Official Practice Tests (Sybex, 2018) as well as the previous editions of both this book and the companion CompTIA CySA+ Practice Tests: Exam CS0-001.

David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as certifications in CISSP, CySA+, Pentest+, GPEN, and GCIH.

About the Technical Editor

Chris Crayton, MCSE, CISSP, CASP, CySA+, A+, N+, S+, is a technical consultant, trainer, author, and industry-leading technical editor. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has served as technical editor and content contributor on numerous technical titles for several of the leading publishing companies. He has also been recognized with many professional and teaching awards.

Introduction

CompTIA Cybersecurity Analyst (CySA+) Study Guide, Second Edition, provides accessible explanations and real-world knowledge about the exam objectives that make up the Cybersecurity Analyst+ certification. This book will help you to assess your knowledge before taking the exam, as well as provide a stepping-stone to further learning in areas where you may want to expand your skillset or expertise.

Before you tackle the CySA+, you should already be a security practitioner. CompTIA suggests that test takers have about four years of existing hands-on information security experience. You should also be familiar with at least some of the tools and techniques described in this book. You don't need to know every tool, but understanding how to approach a new scenario, tool, or technology that you may not know using existing experience is critical to passing the CySA+ exam.

For up-to-the-minute updates covering additions or modifications to the CompTIA certification exams, as well as additional study tools, videos, practice questions, and bonus material, be sure to visit the Sybex website and forum at www.sybex.com.

CompTIA

CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like the CompTIA Advanced Security Practitioner (CASP) certification.

CompTIA recommends that practitioners follow a cybersecurity career path as shown here:

The Cybersecurity Analyst+ exam is a more advanced exam, intended for professionals with hands-on experience and who possess the knowledge covered by the prior exams.

CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the CySA+, the Security+, and the CASP certifications, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program.

The Cybersecurity Analyst+ Exam

The Cybersecurity Analyst+ exam, which CompTIA refers to as CySA+, is designed to be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The CySA+ certification is designed for security analysts and engineers as well as security operations center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses on security analytics and practical use of security tools in real-world scenarios. It covers five major domains: Threat and Vulnerability Management, Software and Systems Security, Security Operations and Monitoring, Incident Response, and Compliance and Assessment. These five areas include a range of topics, from reconnaissance to incident response and forensics, while focusing heavily on scenario-based learning.

The CySA+ exam fits between the entry-level Security+ exam and the CompTIA Advanced Security Practitioner (CASP) certification, providing a mid-career certification for those who are seeking the next step in their certification and career path.

The CySA+ exam is conducted in a format that CompTIA calls “performance-based assessment.” This means that the exam uses hands-on simulations using actual security tools and scenarios to perform tasks that match those found in the daily work of a security practitioner. Exam questions may include multiple types of questions such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.

CompTIA recommends that test takers have four years of information security–related experience before taking this exam. The exam costs $359 in the United States, with roughly equivalent prices in other locations around the globe. More details about the CySA+ exam and how to take it can be found at certification.comptia.org/certifications/cybersecurity-analyst.

Study and Exam Preparation Tips

A test preparation book like this cannot teach you every possible security software package, scenario, or specific technology that may appear on the exam. Instead, you should focus on whether you are familiar with the type or category of technology, tool, process, or scenario as you read the book. If you identify a gap, you may want to find additional tools to help you learn more about those topics.

CompTIA recommends the use of NetWars-style simulations, penetration testing and defensive cybersecurity simulations, and incident response training to prepare for the CySA+.

Additional resources for hands-on exercises include the following:

Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at exploit-exercises.lains.space.

Hacking-Lab provides capture the flag (CTF) exercises in a variety of fields at www.hacking-lab.com/index.html.

PentesterLab provides subscription-based access to penetration testing exercises at www.pentesterlab.com/exercises/.

The InfoSec Institute provides online CTF activities with bounties for written explanations of successful hacks at ctf.infosecinstitute.com.

Since the exam uses scenario-based learning, expect the questions to involve analysis and thought, rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands-on exercises.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:

www.comptiastore.com/Articles.asp?ID=265&category=vouchers

CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson Vue website, where you will need to navigate to “Find a test center.”

www.pearsonvue.com/comptia/

Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam:

https://www.comptia.org/testing/testing-options/take-in-person-exam

On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.

After the Cybersecurity Analyst+ Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Maintaining Your Certification

CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.

CompTIA provides information on renewals via their website at

www.comptia.org/continuing-education

When you sign up to renew your certification, you will be asked to agree to the CE program's Code of Ethics, pay a renewal fee, and submit the materials required for your chosen renewal method.

A full list of the industry certifications you can use to acquire CEUs toward renewing the CySA+ can be found at

www.comptia.org/continuing-education/choose/renew-with-a-single-activity/earn-a-higher-level-comptia-certification

What Does This Book Cover?

This book is designed to cover the five domains included in the CySA+.

Chapter 1: Today's Cybersecurity Analyst

The book starts by teaching you how to assess cybersecurity threats, as well as how to evaluate and select controls to keep your networks and systems secure.

Chapter 2: Using Threat Intelligence

Security professionals need to fully understand threats in order to prevent them or to limit their impact. In this chapter, you will learn about the many types of threat intelligence, including sources and means of assessing the relevance and accuracy of a given threat intelligence source. You'll also discover how to use threat intelligence in your organization.

Chapter 3: Reconnaissance and Intelligence Gathering

Gathering information about an organization and its systems is one of the things that both attackers and defenders do. In this chapter, you will learn how to acquire intelligence about an organization using popular tools and techniques. You will also learn how to limit the impact of intelligence gathering performed against your own organization.

Chapter 4: Designing a Vulnerability Management Program

Managing vulnerabilities helps to keep your systems secure. In this chapter, you will learn how to identify, prioritize, and remediate vulnerabilities using a well-defined workflow and continuous assessment methodologies.

Chapter 5: Analyzing Vulnerability Scans

Vulnerability reports can contain huge amounts of data about potential problems with systems. In this chapter, you will learn how to read and analyze a vulnerability scan report, what CVSS scoring is and what it means, as well as how to choose the appropriate actions to remediate the issues you have found. Along the way, you will explore common types of vulnerabilities and their impact on systems and networks.

Chapter 6: Cloud Security

The widespread adoption of cloud computing dramatically impacts the work of cybersecurity analysts, who must now understand how to gather, correlate, and interpret information coming from many different cloud sources. In this chapter, you'll learn about how cloud computing impacts businesses and how you can perform threat management in the cloud.

Chapter 7: Infrastructure Security and Controls

A strong security architecture requires layered security procedures, technology, and processes to provide defense in depth, ensuring that a single failure won't lead to a compromise. In this chapter, you will learn how to design a layered security architecture and how to analyze security designs for flaws, including single points of failure and gaps.

Chapter 8: Identity and Access Management Security

The identities that we rely on to authenticate and authorize users, services, and systems are a critical layer in a defense-in-depth architecture. This chapter explains identity, authentication, and authorization concepts and systems. You will learn about the major threats to identity and identity systems as well as how to use identity as a defensive layer.

Chapter 9: Software and Hardware Development Security

Creating, testing, and maintaining secure software, from simple scripts to complex applications, is critical for security analysts. In this chapter, you will learn about the software development life cycle, including different methodologies, testing and review techniques, and how secure software is created. In addition, you will learn about industry standards for secure software to provide you with the foundation you need to help keep applications and services secure. You'll also learn about tools and techniques you can use to protect hardware in your organization, including hardware assurance best practices.

Chapter 10: Security Operations and Monitoring

Monitoring systems, devices, and events throughout an organization can be a monumental task. Security logs can be an invaluable resource for security analysts, allowing detection of misuse and compromise, but they can also bury important information in mountains of operational data. In this chapter, you'll learn how to analyze data from many diverse sources. You'll learn about techniques including email header analysis, rule writing for event management systems, and basic scripting and query writing.

Chapter 11: Building an Incident Response Program

This chapter focuses on building a formal incident response handling program and team. You will learn the details of each stage of incident handling, from preparation, to detection and analysis, to containment, eradication, and recovery, to the final postincident activity, as well as how to classify incidents and communicate about them.

Chapter 12: Analyzing Indicators of Compromise

Responding appropriately to an incident requires understanding how incidents occur and what symptoms may indicate that an event has occurred. To do that, you also need the right tools and techniques. In this chapter, you will learn about three major categories of symptoms. First, you will learn about network events, including malware beaconing, unexpected traffic, and link failures, as well as network attacks. Next, you will explore host issues, ranging from system resource consumption issues to malware defense and unauthorized changes. Finally, you will learn about service- and application-related problems.

Chapter 13: Performing Forensic Analysis and Techniques

Understanding what occurred on a system, device, or network, either as part of an incident or for other purposes, frequently involves forensic analysis. In this chapter, you will learn how to build a forensic capability and how the key tools in a forensic toolkit are used.

Chapter 14: Containment, Eradication, and Recovery

Once an incident has occurred and the initial phases of incident response have taken place, you will need to work on recovering from it. That process involves containing the incident to ensure that no further issues occur and then working on eradicating malware, rootkits, and other elements of a compromise. Once the incident has been cleaned up, the recovery stage can start, including reporting and preparation for future issues.

Chapter 15: Risk Management

In this chapter, we look at the big picture of cybersecurity in a large organization. How do we evaluate and manage risks to ensure that we're spending our limited time and money on the controls that will have the greatest effect? That's where risk management comes into play.

Chapter 16: Policy and Compliance

Policy provides the foundation of any cybersecurity program, and building an effective set of policies is critical to a successful program. In this chapter, you will acquire the tools to build a standards-based set of security policies, standards, and procedures. You will also learn how to leverage industry best practices by using guidelines and benchmarks from industry experts.

Appendix A: Practice Exam

Once you have completed your studies, the practice exam will provide you with a chance to test your knowledge. Use this exam to find places where you may need to study more or to verify that you are ready to tackle the exam. We'll be rooting for you!

Appendix B: Answers to Review Questions and Practice Exam

The appendix has answers to the review questions you will find at the end of each chapter and answers to the practice exam in Appendix A.

Appendix C: Answers to Lab Exercises

This appendix has answers to the lab exercises you will find at the end of each chapter.

Study Guide Elements

This study guide uses a number of common elements to help you prepare. These include the following:

Summaries

The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.

Exam Essentials

The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by CompTIA.

Review Questions

A set of questions at the end of each chapter will help you assess your knowledge and whether you are ready to take the exam based on your knowledge of that chapter's topics.

Lab Exercises

The written labs provide more in-depth practice opportunities to expand your skills and to better prepare for performance-based testing on the Cybersecurity Analyst+ exam.

Exam Note

These special notes call out issues that are found on the exam and relate directly to CySA+ exam objectives. They help you prepare for the why and how.

Additional Study Tools

This book comes with a number of additional study tools to help you prepare for the exam. They include the following:

Go to www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Sybex Test Preparation Software

Sybex's test preparation software lets you prepare with electronic test versions of the review questions from each chapter, the practice exam, and the bonus exam that are included in this book. You can build and take tests on specific domains, by chapter, or cover the entire set of Cybersecurity Analyst+ exam objectives using randomized tests.

Electronic Flashcards

Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.

Glossary of Terms

Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.

Bonus Practice Exam

In addition to the practice questions for each chapter, this book includes a full 85-question practice exam, found in Appendix A. We recommend that you use it to test your preparedness for the certification exam.

Objectives Map for CompTIA Cybersecurity Analyst (CySA+) Exam CS0-002

The following objective map for the CompTIA Cybersecurity Analyst (CySA+) certification exam will enable you to find the chapter in this book that covers each objective for the exam.

Objectives Map

Objective (Chapter(s))

1.0 Threat and Vulnerability Management
1.1 Explain the importance of threat data and intelligence. (Chapter 2)
1.2 Given a scenario, utilize threat intelligence to support organizational security. (Chapter 2)
1.3 Given a scenario, perform vulnerability management activities. (Chapters 4, 5)
1.4 Given a scenario, analyze the output from common vulnerability assessment tools. (Chapters 3, 5, 6, 9)
1.5 Explain the threats and vulnerabilities associated with specialized technology. (Chapter 5)
1.6 Explain the threats and vulnerabilities associated with operating in the cloud. (Chapter 6)
1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities. (Chapters 5, 9)

2.0 Software and Systems Security
2.1 Given a scenario, apply security solutions for infrastructure management. (Chapters 6, 7, 8)
2.2 Explain software assurance best practices. (Chapter 9)
2.3 Explain hardware assurance best practices. (Chapter 9)

3.0 Security Operations and Monitoring
3.1 Given a scenario, analyze data as part of security monitoring activities. (Chapters 3, 10)
3.2 Given a scenario, implement configuration changes to existing controls to improve security. (Chapter 7)
3.3 Explain the importance of proactive threat hunting. (Chapter 2)
3.4 Compare and contrast automation concepts and technologies. (Chapters 1, 2, 4, 7, 9, 10)

4.0 Incident Response
4.1 Explain the importance of the incident response process. (Chapter 11)
4.2 Given a scenario, apply the appropriate incident response procedure. (Chapters 11, 14)
4.3 Given an incident, analyze potential indicators of compromise. (Chapter 12)
4.4 Given a scenario, utilize basic digital forensic techniques. (Chapter 13)

5.0 Compliance and Assessment
5.1 Understand the importance of data privacy and protection. (Chapters 1, 15)
5.2 Given a scenario, apply security concepts in support of organizational risk mitigation. (Chapter 15)
5.3 Explain the importance of frameworks, policies, procedures, and controls. (Chapter 16)

Setting Up a Kali and Metasploitable Learning Environment

You can practice many of the techniques found in this book using open source and free tools. This section provides a brief “how to” guide to set up Kali Linux, a Linux distribution built as a broad security toolkit, and Metasploitable, an intentionally vulnerable Linux virtual machine.

What You Need

To build a basic virtual security lab environment to run scenarios and to learn applications and tools used in this book, you will need a virtualization program and virtual machines. There are many excellent security-oriented distributions and tools beyond those in this example, and you may want to explore tools like Security Onion, the SANS SIFT forensic distribution, and CAINE as you gain experience.

Running virtual machines can require a reasonably capable PC. We like to recommend an i5 or i7 (or equivalent) CPU, at least 8 GB of RAM, and 20 GB of open space on your hard drive. If you have an SSD instead of a hard drive, you'll be much happier with the performance of your VMs.

VirtualBox

VirtualBox is a virtualization software package for x86 computers, and is available for Windows, MacOS, and Linux. You can download VirtualBox at www.virtualbox.org/wiki/VirtualBox.

If you are more familiar with another virtualization tool like VMware or Hyper-V, you can also use those tools; however, you may have to adapt or modify these instructions to handle differences in how your preferred virtualization environment works.

Making It Portable

You can also build your lab so you can take it on the road by using a portable version of VirtualBox from www.vbox.me. Just follow the instructions on the site and put your virtual machines on an external drive of your choice. Note that this is typically a bit slower unless you have a fast USB drive.

Kali Linux

Multiple versions of Kali Linux are available at www.kali.org/downloads/ and prebuilt Kali Linux virtual machines can be downloaded at www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/. We suggest downloading the most recent version of the Kali Linux 64-bit VBox virtual machine.

Metasploitable

You can download the Metasploitable virtual machine at sourceforge.net/projects/metasploitable/.

Usernames and Passwords

Kali's default username is root with the toor password.

The Metasploitable virtual machine uses the username msfadmin and the msfadmin password.

If you will ever expose either system to a live network, or you aren't sure if you will, you should change the passwords immediately after booting the virtual machines the first time!

Setting Up Your Environment

Setting up VirtualBox is quite simple. First, install the VirtualBox application. Once it is installed and you select your language, you should see a VirtualBox window like the one in Figure I.1.

To add the Kali Linux virtual machine, choose File, then Import Appliance. Navigate to the directory where you downloaded the Kali VM and import the virtual machine. Follow the wizard as it guides you through the import process, and when it is complete, you can continue with these instructions.

The Metasploitable virtual machine comes as a zip file, so you'll need to extract it first. Inside, you'll see a VMDK instead of the OVA file that VirtualBox uses for its native virtual machines. This means you have to do a little more work.

1. Click New in the VirtualBox main window.

2. Click Expert Mode and name your system; then select Linux for the type. You can leave the default alone for Version, and you can leave the memory default alone as well. See Figure I.2.

3. Select Use An Existing Virtual Hard Disk File, navigate to the location where you unzipped the Metasploitable.vmdk file, and select it. Then click Create.

FIGURE I.1 VirtualBox main screen

FIGURE I.2 Adding the Metasploitable VM

Now that you have both virtual machines set up, you should verify their network settings. VirtualBox allows multiple types of networks. Table I.1 shows the critical types of network connections you are likely to want to use with this environment.

You may want to have Internet connectivity for some exercises, or to update software packages. If you are reasonably certain you know what you are doing, using a NAT Network can be very helpful. To do so, you will need to click the File ➢ Preferences menu of VirtualBox; then select Network and set up a NAT network, as shown in Figure I.3, by clicking the network card with a + icon.

TABLE I.1 Virtual machine network options

Network Name: Description

NAT: Connect the VM to your real network, through a protected NAT

NAT Network: Connect the VM and other VMs together on a protected network segment, which is also NAT'ed out to your real network

Bridged: Directly connect your VM to your actual network (possibly allowing it to get a DHCP address, be scanned, or for you to connect to it remotely)

Internal: Connect the VM to a network that exists only for virtual machines

Host Only: Connect the VM to a network that only allows it to see the VM host

FIGURE I.3 Adding a NAT network

Warning: Dangerous Traffic!

If you are not comfortable with your virtual machines having outbound network access, think you may do something dangerous with them, or want to avoid any other potential issues, you should set up both virtual machines to use Internal Network instead.

Once your NAT network exists, you can set both machines to use it by clicking on them, then clicking the Settings gear icon in the VirtualBox interface. From there, click Network, and set the network adapter to be attached to the NAT network you just set up. See Figure I.4.

FIGURE I.4 Configuring VMs for the NAT network

Now you're all set! You can start both machines and test that they can see each other. To do this, simply log in to the Metasploitable box and run ifconfig to find its IP address. Use SSH to connect from the Kali Linux system to the Metasploitable system using ssh [ip address] -l msfadmin. If you connect and can log in, you're ready to run exercises between the two systems!
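Because Metasploitable ships with well-known credentials, the one setting worth double-checking before you boot it is the adapter type from Table I.1: Bridged puts the VM on your real LAN. The following POSIX shell script is an added example (not from the book or from VirtualBox) that audits a VM's adapters from the output of VBoxManage showvminfo --machinereadable, which lists each adapter as a line such as nic1="natnetwork"; it assumes VBoxManage is on your PATH for the live check, and the VM name and sample output it uses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book: audit how a VirtualBox VM's network adapters are
# attached, so an intentionally vulnerable guest such as Metasploitable is never left
# on a Bridged adapter (which exposes it, default credentials and all, to your real LAN).
# It parses `VBoxManage showvminfo <vm> --machinereadable`, where each adapter appears
# as a line like nic1="natnetwork" followed by nat-network1="<name>".
# The VM name and the sample output below are constructed for illustration.

# classify_nic ATTACHMENT: print "exposed" for bridged, "ok" for the isolating modes
# from Table I.1 (plus plain NAT and a disabled adapter), "unknown" for anything else.
classify_nic() {
    case "$1" in
        bridged)                             echo "exposed" ;;
        natnetwork|intnet|hostonly|nat|none) echo "ok" ;;
        *)                                   echo "unknown" ;;
    esac
}

# audit_vminfo: read machine-readable showvminfo output on stdin, print one verdict
# per adapter line (nic1=..., nic2=...), and return 1 if any adapter is bridged.
audit_vminfo() {
    rc=0
    while IFS= read -r line; do
        # Only nicN="..." lines carry the attachment type; skip nictypeN, nicspeedN, etc.
        case "$line" in
            nic[0-9]*=*) ;;
            *) continue ;;
        esac
        name=${line%%=*}          # e.g. nic1
        value=${line#*=}          # e.g. "natnetwork" (still quoted)
        value=${value#\"}; value=${value%\"}
        verdict=$(classify_nic "$value")
        echo "$name=$value -> $verdict"
        [ "$verdict" = "exposed" ] && rc=1
    done
    return "$rc"
}

# audit_vm NAME: run the live query for a VM registered on this host, for example
#   audit_vm "Metasploitable"
audit_vm() {
    VBoxManage showvminfo "$1" --machinereadable | audit_vminfo
}

# Constructed sample of what showvminfo prints for a VM that was bridged by mistake.
SAMPLE_VMINFO='name="Metasploitable"
nic1="bridged"
bridgeadapter1="eth0"
nictype1="Am79C973"
nic2="none"'

printf '%s\n' "$SAMPLE_VMINFO" | audit_vminfo \
    || echo "WARNING: attach this VM to a NAT Network or Internal Network before starting it"
```

Run audit_vm against each lab VM after the Settings changes above; an exit status of 1 means at least one adapter is still bridged.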

Assessment Test

If you're considering taking the Cybersecurity Analyst+ exam, you should have already taken and passed the CompTIA Security+ and Network+ exams and should have four years of experience in the field. You may also already hold other equivalent certifications. The following assessment test helps to make sure that you have the knowledge that you should have before you tackle the Cybersecurity Analyst+ certification and will help you determine where you may want to spend the most time with this book.

1. After running an nmap scan of a system, you receive scan data that indicates the following three ports are open:

22/TCP
443/TCP
1521/TCP

What services commonly run on these ports?

A. SMTP, NetBIOS, MySQL
B. SSH, Microsoft DS, WINS
C. SSH, HTTPS, Oracle
D. FTP, HTTPS, MS-SQL

2. Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?

A. nmap
B. traceroute
C. regmon
D. whois

3. What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools?

A. A honeypot
B. A sinkhole
C. A crackpot
D. A darknet

4. What cybersecurity objective could be achieved by running your organization's web servers in redundant, geographically separate datacenters?

A. Confidentiality
B. Integrity
C. Immutability
D. Availability

5. Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?

A. Black box
B. Authenticated
C. Internal view
D. External view

6. Security researchers recently discovered a flaw in the Chakra JavaScript scripting engine in Microsoft's Edge browser that could allow remote execution or denial of service via a specifically crafted website. The CVSS 3.0 score for this vulnerability reads

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What is the attack vector and the impact to integrity based on this rating?

A. System, 9, 8
B. Browser, High
C. Network, High
D. None, High

7. Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this?

A. Verify that it is a false positive, and then document the exception.
B. Implement a workaround.
C. Update the vulnerability scanner.
D. Use an authenticated scan, and then document the vulnerability.

8. Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?

A. Preparation
B. Detection and Analysis
C. Containment, Eradication, and Recovery
D. Postincident Activity and Reporting

9. Which of the following descriptions explains an integrity loss?

A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or exfiltrated.

10. Which of the following techniques is an example of active monitoring?

A. Ping
B. RMON
C. NetFlows
D. A network tap

11. Abdul's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?

A. Anomalous pings
B. Probing
C. Zombie chatter
D. Beaconing

12. Which of the following tools is not useful for monitoring memory usage in Linux?

A. df
B. top
C. ps
D. free

13. Which of the following tools cannot be used to make a forensic disk image?

A. xcopy
B. FTK
C. dd
D. EnCase

14. During a forensic investigation, Maria is told to look for information in slack space on the drive. Where should she look, and what is she likely to find?

A. She should look at unallocated space, and she is likely to find file fragments from deleted files.
B. She should look at unused space where files were deleted, and she is likely to find complete files hidden there by the individual being investigated.
C. She should look in the space reserved on the drive for spare blocks, and she is likely to find complete files duplicated there.
D. She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files.

15. What type of system is used to contain an attacker to allow them to be monitored?

A. A white box
B. A sandbox
C. A network jail
D. A VLAN

16. Oscar's manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Oscar's best course of action?

A. Use an antivirus tool to remove any associated malware
B. Use an antimalware tool to completely scan and clean the system
C. Wipe and rebuild the system
D. Restore a recent backup

17. What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type?

A. Clear
B. Purge
C. Destroy
D. Reinstall

18. Which of the following actions is not a common activity during the recovery phase of an incident response process?

A. Reviewing accounts and adding new privileges
B. Validating that only authorized user accounts are on the systems
C. Verifying that all systems are logging properly
D. Performing vulnerability scans of all systems

19. A statement like “Windows workstations must have the current security configuration template applied to them before being deployed” is most likely to be part of which document?

A. Policies
B. Standards
C. Procedures
D. Guidelines

20. Jamal is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with?

A. HIPAA
B. GLBA
C. SOX
D. FERPA
