This updated study guide by two security experts will help you prepare for the CompTIA CySA+ certification exam. Position yourself for success with coverage of crucial security topics! Where can you find 100% coverage of the revised CompTIA Cybersecurity Analyst+ (CySA+) exam objectives? It's all in the CompTIA CySA+ Study Guide Exam CS0-002, Second Edition! This guide provides clear and concise information on crucial security topics. You'll be able to gain insight from practical, real-world examples, plus chapter reviews and exam highlights. Turn to this comprehensive resource to gain authoritative coverage of a range of security subject areas.
* Review threat and vulnerability management topics
* Expand your knowledge of software and systems security
* Gain greater understanding of security operations and monitoring
* Study incident response information
* Get guidance on compliance and assessment
The CompTIA CySA+ Study Guide, Second Edition connects you to useful study tools that help you prepare for the exam. Gain confidence by using its interactive online test bank with hundreds of bonus practice questions, electronic flashcards, and a searchable glossary of key cybersecurity terms. You also get access to hands-on labs and have the opportunity to create a cybersecurity toolkit. Leading security experts, Mike Chapple and David Seidl, wrote this valuable guide to help you prepare to be CompTIA Security+ certified. If you're an IT professional who has earned your CompTIA Security+ certification, success on the CySA+ (Cybersecurity Analyst) exam stands as an impressive addition to your professional credentials. Preparing for and taking the CS0-002 exam can also help you plan for advanced certifications, such as the CompTIA Advanced Security Practitioner (CASP+).
Page count: 1026
Publication year: 2020
Cover
Acknowledgments
About the Authors
About the Technical Editor
Introduction
What Does This Book Cover?
Objectives Map for CompTIA Cybersecurity Analyst (CySA+) Exam CS0-002
Setting Up a Kali and Metasploitable Learning Environment
Assessment Test
Answers to the Assessment Test
Chapter 1: Today's Cybersecurity Analyst
Cybersecurity Objectives
Privacy vs. Security
Evaluating Security Risks
Building a Secure Network
Secure Endpoint Management
Penetration Testing
Reverse Engineering
The Future of Cybersecurity Analytics
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 2: Using Threat Intelligence
Threat Data and Intelligence
Threat Classification
Attack Frameworks
Applying Threat Intelligence Organizationwide
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 3: Reconnaissance and Intelligence Gathering
Mapping and Enumeration
Passive Footprinting
Gathering Organizational Intelligence
Detecting, Preventing, and Responding to Reconnaissance
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 4: Designing a Vulnerability Management Program
Identifying Vulnerability Management Requirements
Configuring and Executing Vulnerability Scans
Developing a Remediation Workflow
Overcoming Risks of Vulnerability Scanning
Vulnerability Scanning Tools
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 5: Analyzing Vulnerability Scans
Reviewing and Interpreting Scan Reports
Validating Scan Results
Common Vulnerabilities
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 6: Cloud Security
Understanding Cloud Environments
Operating in the Cloud
Cloud Infrastructure Security
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 7: Infrastructure Security and Controls
Understanding Defense-in-Depth
Improving Security by Improving Controls
Analyzing Security Architecture
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 8: Identity and Access Management Security
Understanding Identity
Threats to Identity and Access
Identity as a Security Layer
Federation and Single Sign-On
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 9: Software and Hardware Development Security
Software Assurance Best Practices
Designing and Coding for Security
Software Security Testing
Hardware Assurance Best Practices
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 10: Security Operations and Monitoring
Security Monitoring
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 11: Building an Incident Response Program
Security Incidents
Phases of Incident Response
Building the Foundation for Incident Response
Creating an Incident Response Team
Coordination and Information Sharing
Classifying Incidents
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 12: Analyzing Indicators of Compromise
Analyzing Network Events
Investigating Host-Related Issues
Investigating Service and Application-Related Issues
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 13: Performing Forensic Analysis and Techniques
Building a Forensics Capability
Understanding Forensic Software
Conducting Endpoint Forensics
Network Forensics
Cloud, Virtual, and Container Forensics
Conducting a Forensic Investigation
Forensic Investigation: An Example
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 14: Containment, Eradication, and Recovery
Containing the Damage
Incident Eradication and Recovery
Wrapping Up the Response
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 15: Risk Management
Analyzing Risk
Managing Risk
Security Controls
Summary
Exam Essentials
Lab Exercises
Review Questions
Chapter 16: Policy and Compliance
Understanding Policy Documents
Complying with Laws and Regulations
Adopting a Standard Framework
Implementing Policy-Based Controls
Security Control Verification and Quality Control
Summary
Exam Essentials
Lab Exercises
Review Questions
Appendix A: Practice Exam
Exam Questions
Appendix B: Answers to Review Questions and Practice Exam
Chapter 1: Today's Cybersecurity Analyst
Chapter 2: Using Threat Intelligence
Chapter 3: Reconnaissance and Intelligence Gathering
Chapter 4: Designing a Vulnerability Management Program
Chapter 5: Analyzing Vulnerability Scans
Chapter 6: Cloud Security
Chapter 7: Infrastructure Security and Controls
Chapter 8: Identity and Access Management Security
Chapter 9: Software and Hardware Development Security
Chapter 10: Security Operations and Monitoring
Chapter 11: Building an Incident Response Program
Chapter 12: Analyzing Indicators of Compromise
Chapter 13: Performing Forensic Analysis and Techniques
Chapter 14: Containment, Eradication, and Recovery
Chapter 15: Risk Management
Chapter 16: Policy and Compliance
Practice Exam Answers
Appendix C: Answers to Lab Exercises
Chapter 1: Today's Cybersecurity Analyst
Chapter 2: Using Threat Intelligence
Chapter 3: Reconnaissance and Intelligence Gathering
Chapter 5: Analyzing Vulnerability Scans
Chapter 7: Infrastructure Security and Controls
Chapter 8: Identity and Access Management Security
Chapter 9: Software and Hardware Development Security
Chapter 10: Security Operations and Monitoring
Chapter 11: Building an Incident Response Program
Chapter 12: Analyzing Indicators of Compromise
Chapter 13: Performing Forensic Analysis and Techniques
Chapter 14: Containment, Eradication, and Recovery
Chapter 15: Risk Management
Chapter 16: Policy and Compliance
Index
End User License Agreement
Introduction
TABLE I.1 Virtual machine network options
Chapter 1
TABLE 1.1 Common TCP ports
Chapter 3
TABLE 3.1 Cisco log levels
Chapter 5
TABLE 5.1 CVSS attack vector metric
TABLE 5.2 CVSS attack complexity metric
TABLE 5.3 CVSS privileges required metric
TABLE 5.4 CVSS user interaction metric
TABLE 5.5 CVSS confidentiality metric
TABLE 5.6 CVSS integrity metric
TABLE 5.7 CVSS availability metric
TABLE 5.8 CVSS scope metric
TABLE 5.9 CVSS Qualitative Severity Rating Scale
Chapter 8
TABLE 8.1 Comparison of federated identity technologies
Chapter 9
TABLE 9.1 Code review method comparison
Chapter 10
TABLE 10.1 grep flags
Chapter 11
TABLE 11.1 NIST functional impact categories
TABLE 11.2 Economic impact categories
TABLE 11.3 NIST recoverability effort categories
TABLE 11.4 NIST information impact categories
TABLE 11.5 Private organization information impact categories
Chapter 12
TABLE 12.1 Unauthorized use and detection mechanisms
Chapter 13
TABLE 13.1 Forensic application of Windows system artifacts
TABLE 13.2 Key iOS file locations
Chapter 16
TABLE 16.1 NIST Cybersecurity framework implementation tiers
Introduction
FIGURE I.1 VirtualBox main screen
FIGURE I.2 Adding the Metasploitable VM
FIGURE I.3 Adding a NAT network
FIGURE I.4 Configuring VMs for the NAT network
Chapter 1
FIGURE 1.1 The three key objectives of cybersecurity programs are confidenti...
FIGURE 1.2 Risks exist at the intersection of threats and vulnerabilities. I...
FIGURE 1.3 The NIST SP 800-30 risk assessment process suggests that an organ...
FIGURE 1.4 Many organizations use a risk matrix to determine an overall risk...
FIGURE 1.5 In an 802.1x system, the device attempting to join the network ru...
FIGURE 1.6 A triple-homed firewall connects to three different networks, typ...
FIGURE 1.7 A triple-homed firewall may also be used to isolate internal netw...
FIGURE 1.8 Group Policy Objects (GPOs) may be used to apply settings to many...
FIGURE 1.9 NIST divides penetration testing into four phases.
FIGURE 1.10 The attack phase of a penetration test uses a cyclical process t...
Chapter 2
FIGURE 2.1 Recent alert listing from the CISA website
FIGURE 2.2 The threat intelligence cycle
FIGURE 2.3 A Talos reputation report for a single host
FIGURE 2.4 The ATT&CK definition for Cloud Instance Metadata API attacks
FIGURE 2.5 A Diamond Model analysis of a compromised system
FIGURE 2.6 The Cyber Kill Chain.
Chapter 3
FIGURE 3.1 Zenmap topology view
FIGURE 3.2 Nmap scan results
FIGURE 3.3 Nmap service and version detection
FIGURE 3.4 Nmap of a Windows 10 system
FIGURE 3.5 Angry IP Scanner
FIGURE 3.6 Cisco router log
FIGURE 3.7 SNMP configuration from a typical Cisco router
FIGURE 3.8 Linux netstat -ta output
FIGURE 3.9 Windows netstat -o output
FIGURE 3.10 Windows netstat -e output
FIGURE 3.11 Windows netstat -nr output
FIGURE 3.12 Linux dhcpd.conf file
FIGURE 3.13 Nslookup for google.com
FIGURE 3.14 Nslookup using Google's DNS with MX query flag
FIGURE 3.15 Traceroute for bbc.co.uk
FIGURE 3.16 Whois query data for google.com
FIGURE 3.17 host command response for google.com
FIGURE 3.18 Responder start-up screen
FIGURE 3.19 Packet capture data from an nmap scan
FIGURE 3.20 Demonstration account from immersion.media.mit.edu
Chapter 4
FIGURE 4.1 FIPS 199 Standards
FIGURE 4.2 Qualys asset map
FIGURE 4.3 Configuring a Nessus scan
FIGURE 4.4 Sample Nessus scan report
FIGURE 4.5 Nessus scan templates
FIGURE 4.6 Disabling unused plug-ins
FIGURE 4.7 Configuring authenticated scanning
FIGURE 4.8 Choosing a scan appliance
FIGURE 4.9 Nessus vulnerability in the NIST National Vulnerability Database...
FIGURE 4.10 Nessus Automatic Updates
FIGURE 4.11 Vulnerability management life cycle
FIGURE 4.12 Qualys dashboard example
FIGURE 4.13 Nessus report example by IP address
FIGURE 4.14 Nessus report example by criticality
FIGURE 4.15 Detailed vulnerability report
FIGURE 4.16 Qualys scan performance settings
FIGURE 4.17 Nikto web application scanner
FIGURE 4.18 Arachni web application scanner
FIGURE 4.19 Nessus web application scanner
FIGURE 4.20 Zed Attack Proxy (ZAP)
FIGURE 4.21 Burp Proxy
Chapter 5
FIGURE 5.1 Nessus vulnerability scan report
FIGURE 5.2 Qualys vulnerability scan report
FIGURE 5.3 Scan report showing vulnerabilities and best practices
FIGURE 5.4 Vulnerability trend analysis
FIGURE 5.5 Vulnerabilities exploited in 2015 by year of initial discovery
FIGURE 5.6 Missing patch vulnerability
FIGURE 5.7 Unsupported operating system vulnerability
FIGURE 5.8 Dirty COW website
FIGURE 5.9 Code execution vulnerability
FIGURE 5.10 FTP cleartext authentication vulnerability
FIGURE 5.11 Debug mode vulnerability
FIGURE 5.12 Outdated SSL version vulnerability
FIGURE 5.13 Insecure SSL cipher vulnerability
FIGURE 5.14 Invalid certificate warning
FIGURE 5.15 DNS amplification vulnerability
FIGURE 5.16 Internal IP disclosure vulnerability
FIGURE 5.17 Inside a virtual host
FIGURE 5.18 SQL injection vulnerability
FIGURE 5.19 Cross-site scripting vulnerability
FIGURE 5.20 Alice communicating with a bank web server
FIGURE 5.21 Man-in-the-middle attack
FIGURE 5.22 First vulnerability report
FIGURE 5.23 Second vulnerability report
Chapter 6
FIGURE 6.1 Google's Gmail is an example of SaaS computing.
FIGURE 6.2 Slate is a CRM tool designed specifically for higher education ad...
FIGURE 6.3 AWS provides customers with access to IaaS computing resources.
FIGURE 6.4 Heroku is a popular PaaS offering that supports many popular prog...
FIGURE 6.5 HathiTrust is an example of community cloud computing.
FIGURE 6.6 AWS Outposts offer hybrid cloud capability.
FIGURE 6.7 Shared responsibility model for cloud computing
FIGURE 6.8 Creating an EC2 instance through the AWS web interface
FIGURE 6.9 Creating an EC2 instance with CloudFormation JSON
FIGURE 6.10 Results of an AWS Inspector scan.
FIGURE 6.11 ScoutSuite dashboard from an AWS account scan
FIGURE 6.12 EC2 security issues reported during a ScoutSuite scan
FIGURE 6.13 Partial listing of the exploits available in Pacu
FIGURE 6.14 Partial results of a Prowler scan against an AWS account
Chapter 7
FIGURE 7.1 Layered security network design
FIGURE 7.2 Network segmentation with a protected network
FIGURE 7.3 Linux permissions
FIGURE 7.4 A fully redundant network edge design
FIGURE 7.5 Single points of failure in a network design
FIGURE 7.6 Single points of failure in a process flow
FIGURE 7.7 Sample security architecture
Chapter 8
FIGURE 8.1 A high-level logical view of identity management infrastructure
FIGURE 8.2 LDAP directory structure
FIGURE 8.3 Kerberos authentication flow
FIGURE 8.4 OAuth covert redirects
FIGURE 8.5 A sample account life cycle
FIGURE 8.6 Phishing for a PayPal ID
FIGURE 8.7 Authentication security model
FIGURE 8.8 Google Authenticator token
FIGURE 8.9 Context-based authentication
FIGURE 8.10 Federated identity high-level design
FIGURE 8.11 Attribute release request for LoginRadius.com
FIGURE 8.12 Simple SAML transaction
FIGURE 8.13 OAuth authentication process
Chapter 9
FIGURE 9.1 High-level SDLC view
FIGURE 9.2 The Waterfall SDLC model
FIGURE 9.3 The Spiral SDLC model
FIGURE 9.4 Agile sprints
FIGURE 9.5 Rapid Application Development prototypes
FIGURE 9.6 The CI/CD pipeline
FIGURE 9.7 Fagan code review
FIGURE 9.8 Tamper Data session showing login data
Chapter 10
FIGURE 10.1 Windows Event Viewer entries
FIGURE 10.2 Linux syslog entries in auth.log with sudo events
FIGURE 10.3 UFW blocked connection firewall log entry examples
FIGURE 10.4 ModSecurity log entry examples
FIGURE 10.5 SIEM data acquisition, rule creation, and automation
FIGURE 10.6 The Windows 10 Resource Monitor
FIGURE 10.7 Linux ps output
FIGURE 10.8 SolarWinds network flow console
FIGURE 10.9 Wireshark packet analysis with packet content detail
FIGURE 10.10 Headers from a phishing email
Chapter 11
FIGURE 11.1 Incident response process
FIGURE 11.2 Incident response checklist
Chapter 12
FIGURE 12.1 Routers provide a central view of network traffic flow by sendin...
FIGURE 12.2 NetFlow data example
FIGURE 12.3 Passive monitoring between two systems
FIGURE 12.4 PRTG network overview
FIGURE 12.5 Beaconing in Wireshark
FIGURE 12.6 Unexpected network traffic shown in flows
FIGURE 12.7 nmap scan of a potential rogue system
FIGURE 12.8 The Windows Resource Monitor view of system resources
FIGURE 12.9 The Windows Performance Monitor view of system usage
FIGURE 12.10 The Windows Task Scheduler showing scheduled tasks and creation...
Chapter 13
FIGURE 13.1 Sample chain-of-custody form
FIGURE 13.2 Carving a JPEG file using HxD
FIGURE 13.3 Advanced Office Password Recovery cracking a Word DOC file
FIGURE 13.4 Wireshark view of network traffic
FIGURE 13.5 Tcpdump of network traffic
FIGURE 13.6 Virtualization vs. containerization
FIGURE 13.7 Order of volatility of common storage locations
FIGURE 13.8 dd of a volume
FIGURE 13.9 FTK image hashing and bad sector checking
FIGURE 13.10 USB Historian drive image
FIGURE 13.11 Initial case information and tracking
FIGURE 13.12 Case information and tracking partly through the indexing proce...
FIGURE 13.13 Email extraction
FIGURE 13.14 Web search history
FIGURE 13.15 iCloud setup log with timestamp
FIGURE 13.16 CCleaner remnant data via the Index Search function
FIGURE 13.17 Resignation letter found based on document type
FIGURE 13.18 Sample forensic finding from Stroz Friedberg's Facebook contrac...
Chapter 14
FIGURE 14.1 Incident response process
FIGURE 14.2 Proactive network segmentation
FIGURE 14.3 Network segmentation for incident response
FIGURE 14.4 Network isolation for incident response
FIGURE 14.5 Network removal for incident response
FIGURE 14.6 Patching priorities
FIGURE 14.7 Sanitization and disposition decision flow
Chapter 15
FIGURE 15.1 Risk exists at the intersection of a threat and a corresponding ...
FIGURE 15.2 Qualitative risk assessments use subjective rating scales to eva...
FIGURE 15.3 (a) STOP tag attached to a device (b) Residue remaining on devic...
FIGURE 15.4 Cover sheets used to identify classified U.S. government informa...
Chapter 16
FIGURE 16.1 Excerpt from CMS roles and responsibilities chart
FIGURE 16.2 Excerpt from UC Berkeley Minimum Security Standards for Electron...
FIGURE 16.3 NIST Cybersecurity Framework Core Structure
FIGURE 16.4 Asset Management Cybersecurity Framework
FIGURE 16.5 ITIL service life cycle
Second Edition
Mike Chapple
David Seidl
Copyright © 2020 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada and the United Kingdom
ISBN: 978-1-119-68405-3
ISBN: 978-1-119-68408-4 (ebk.)
ISBN: 978-1-119-68411-4 (ebk.)
Library of Congress Control Number: 2020937966
I dedicate this book to my father, who was a role model of the value of hard work, commitment to family, and the importance of doing the right thing. Rest in peace, Dad.
—Mike Chapple
This book is dedicated to Ric Williams, my friend, mentor, and partner in crime through my first forays into the commercial IT world. Thanks for making my job as a “network janitor” one of the best experiences of my life.
—David Seidl
Books like this involve work from many people, and as authors, we truly appreciate the hard work and dedication that the team at Wiley shows. We would especially like to thank senior acquisitions editor Kenyon Brown. We have worked with Ken on multiple projects and consistently enjoy our work with him.
We also greatly appreciated the editing and production team for the book, including Kezia Endsley, our project editor, who brought years of experience and great talent to the project, Chris Crayton, our technical editor, who provided insightful advice and gave wonderful feedback throughout the book, Saravanan Dakshinamurthy, our production editor, who guided us through layouts, formatting, and final cleanup to produce a great book, and Liz Welch, our copy editor, who helped the text flow well. Thanks also to Runzhi “Tom” Song, Mike’s research assistant at Notre Dame who helped fact-check our work. We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.
Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.
Finally, we would like to thank our families and significant others who support us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.
Mike Chapple, Ph.D., CySA+, is author of the best-selling CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2018) and the CISSP (ISC)2 Official Practice Tests (Sybex, 2018). He is an information security professional with two decades of experience in higher education, the private sector, and government.
Mike currently serves as Teaching Professor in the IT, Analytics, and Operations department at the University of Notre Dame's Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.
Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.
Mike is technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University. Mike holds certifications in Cybersecurity Analyst+ (CySA+), Security+, Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and Certified Information Systems Security Professional (CISSP).
David Seidl is Vice President for Information Technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including serving as the Senior Director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's Director of Information Security and led Notre Dame's information security program. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business, and he has written books on security certification and cyberwarfare, including co-authoring CISSP (ISC)2 Official Practice Tests (Sybex, 2018) as well as the previous editions of both this book and the companion CompTIA CySA+ Practice Tests: Exam CS0-001.
David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as certifications in CISSP, CySA+, Pentest+, GPEN, and GCIH.
Chris Crayton, MCSE, CISSP, CASP, CySA+, A+, N+, S+, is a technical consultant, trainer, author, and industry-leading technical editor. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has served as technical editor and content contributor on numerous technical titles for several of the leading publishing companies. He has also been recognized with many professional and teaching awards.
CompTIA Cybersecurity Analyst (CySA+) Study Guide, Second Edition, provides accessible explanations and real-world knowledge about the exam objectives that make up the Cybersecurity Analyst+ certification. This book will help you to assess your knowledge before taking the exam, as well as provide a stepping-stone to further learning in areas where you may want to expand your skillset or expertise.
Before you tackle the CySA+, you should already be a security practitioner. CompTIA suggests that test takers have about four years of existing hands-on information security experience. You should also be familiar with at least some of the tools and techniques described in this book. You don't need to know every tool, but understanding how to approach a new scenario, tool, or technology that you may not know using existing experience is critical to passing the CySA+ exam.
For up-to-the-minute updates covering additions or modifications to the CompTIA certification exams, as well as additional study tools, videos, practice questions, and bonus material, be sure to visit the Sybex website and forum at www.sybex.com.
CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like the CompTIA Advanced Security Practitioner (CASP) certification.
CompTIA recommends that practitioners follow a cybersecurity career path as shown here:
The Cybersecurity Analyst+ exam is a more advanced exam, intended for professionals with hands-on experience and who possess the knowledge covered by the prior exams.
CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the CySA+, the Security+, and the CASP certifications, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program.
The Cybersecurity Analyst+ exam, which CompTIA refers to as CySA+, is designed to be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The CySA+ certification is designed for security analysts and engineers as well as security operations center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses on security analytics and practical use of security tools in real-world scenarios. It covers five major domains: Threat and Vulnerability Management, Software and Systems Security, Security Operations and Monitoring, Incident Response, and Compliance and Assessment. These five areas include a range of topics, from reconnaissance to incident response and forensics, while focusing heavily on scenario-based learning.
The CySA+ exam fits between the entry-level Security+ exam and the CompTIA Advanced Security Practitioner (CASP) certification, providing a mid-career certification for those who are seeking the next step in their certification and career path.
The CySA+ exam is conducted in a format that CompTIA calls “performance-based assessment.” This means that the exam uses hands-on simulations using actual security tools and scenarios to perform tasks that match those found in the daily work of a security practitioner. Exam questions may include multiple types of questions such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.
CompTIA recommends that test takers have four years of information security–related experience before taking this exam. The exam costs $359 in the United States, with roughly equivalent prices in other locations around the globe. More details about the CySA+ exam and how to take it can be found at certification.comptia.org/certifications/cybersecurity-analyst.
A test preparation book like this cannot teach you every possible security software package, scenario, or specific technology that may appear on the exam. Instead, you should focus on whether you are familiar with the type or category of technology, tool, process, or scenario as you read the book. If you identify a gap, you may want to find additional tools to help you learn more about those topics.
CompTIA recommends the use of NetWars-style simulations, penetration testing and defensive cybersecurity simulations, and incident response training to prepare for the CySA+.
Additional resources for hands-on exercises include the following:
Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at exploit-exercises.lains.space.
Hacking-Lab provides capture the flag (CTF) exercises in a variety of fields at www.hacking-lab.com/index.html.
PentesterLab provides subscription-based access to penetration testing exercises at www.pentesterlab.com/exercises/.
The InfoSec Institute provides online CTF activities with bounties for written explanations of successful hacks at ctf.infosecinstitute.com.
Since the exam uses scenario-based learning, expect the questions to involve analysis and thought, rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands-on exercises.
Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:
www.comptiastore.com/Articles.asp?ID=265&category=vouchers
CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to “Find a test center.”
www.pearsonvue.com/comptia/
Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam:
https://www.comptia.org/testing/testing-options/take-in-person-exam
On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.
Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.
CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.
CompTIA provides information on renewals via their website at
www.comptia.org/continuing-education
When you sign up to renew your certification, you will be asked to agree to the CE program's Code of Ethics, pay a renewal fee, and submit the materials required for your chosen renewal method.
A full list of the industry certifications you can use to acquire CEUs toward renewing the CySA+ can be found at
www.comptia.org/continuing-education/choose/renew-with-a-single-activity/earn-a-higher-level-comptia-certification
This book is designed to cover the five domains included in the CySA+.
Chapter 1: Today's Cybersecurity Analyst
The book starts by teaching you how to assess cybersecurity threats, as well as how to evaluate and select controls to keep your networks and systems secure.
Chapter 2: Using Threat Intelligence
Security professionals need to fully understand threats in order to prevent them or to limit their impact. In this chapter, you will learn about the many types of threat intelligence, including sources and means of assessing the relevance and accuracy of a given threat intelligence source. You'll also discover how to use threat intelligence in your organization.
Chapter 3: Reconnaissance and Intelligence Gathering
Gathering information about an organization and its systems is one of the things that both attackers and defenders do. In this chapter, you will learn how to acquire intelligence about an organization using popular tools and techniques. You will also learn how to limit the impact of intelligence gathering performed against your own organization.
Chapter 4: Designing a Vulnerability Management Program
Managing vulnerabilities helps to keep your systems secure. In this chapter, you will learn how to identify, prioritize, and remediate vulnerabilities using a well-defined workflow and continuous assessment methodologies.
Chapter 5: Analyzing Vulnerability Scans
Vulnerability reports can contain huge amounts of data about potential problems with systems. In this chapter, you will learn how to read and analyze a vulnerability scan report, what CVSS scoring is and what it means, as well as how to choose the appropriate actions to remediate the issues you have found. Along the way, you will explore common types of vulnerabilities and their impact on systems and networks.
Chapter 6: Cloud Security
The widespread adoption of cloud computing dramatically impacts the work of cybersecurity analysts who must now understand how to gather, correlate, and interpret information coming from many different cloud sources. In this chapter, you'll learn about how cloud computing impacts businesses and how you can perform threat management in the cloud.
Chapter 7: Infrastructure Security and Controls
A strong security architecture requires layered security procedures, technology, and processes to provide defense in depth, ensuring that a single failure won't lead to a compromise. In this chapter, you will learn how to design a layered security architecture and how to analyze security designs for flaws, including single points of failure and gaps.
Chapter 8: Identity and Access Management Security
The identities that we rely on to authenticate and authorize users, services, and systems are a critical layer in a defense-in-depth architecture. This chapter explains identity, authentication, and authorization concepts and systems. You will learn about the major threats to identity and identity systems as well as how to use identity as a defensive layer.
Chapter 9: Software and Hardware Development Security
Creating, testing, and maintaining secure software, from simple scripts to complex applications, is critical for security analysts. In this chapter, you will learn about the software development life cycle, including different methodologies, testing and review techniques, and how secure software is created. In addition, you will learn about industry standards for secure software to provide you with the foundation you need to help keep applications and services secure. You'll also learn about tools and techniques you can use to protect hardware in your organization, including hardware assurance best practices.
Chapter 10: Security Operations and Monitoring
Monitoring systems, devices, and events throughout an organization can be a monumental task. Security logs can be an invaluable resource for security analysts, allowing detection of misuse and compromise, but they can also bury important information in mountains of operational data. In this chapter, you'll learn how to analyze data from many diverse sources. You'll learn about techniques including email header analysis, rule writing for event management systems, and basic scripting and query writing.
Chapter 11: Building an Incident Response Program
This chapter focuses on building a formal incident response handling program and team. You will learn the details of each stage of incident handling, from preparation, to detection and analysis, to containment, eradication, and recovery, to the final postincident activity, as well as how to classify incidents and communicate about them.
Chapter 12: Analyzing Indicators of Compromise
Responding appropriately to an incident requires understanding how incidents occur and what symptoms may indicate that an event has occurred. To do that, you also need the right tools and techniques. In this chapter, you will learn about three major categories of symptoms. First, you will learn about network events, including malware beaconing, unexpected traffic, and link failures, as well as network attacks. Next, you will explore host issues, ranging from system resource consumption issues to malware defense and unauthorized changes. Finally, you will learn about service- and application-related problems.
Chapter 13: Performing Forensic Analysis and Techniques
Understanding what occurred on a system, device, or network, either as part of an incident or for other purposes, frequently involves forensic analysis. In this chapter, you will learn how to build a forensic capability and how the key tools in a forensic toolkit are used.
Chapter 14: Containment, Eradication, and Recovery
Once an incident has occurred and the initial phases of incident response have taken place, you will need to work on recovering from it. That process involves containing the incident to ensure that no further issues occur and then working on eradicating malware, rootkits, and other elements of a compromise. Once the incident has been cleaned up, the recovery stage can start, including reporting and preparation for future issues.
Chapter 15: Risk Management
In this chapter, we look at the big picture of cybersecurity in a large organization. How do we evaluate and manage risks to ensure that we're spending our limited time and money on the controls that will have the greatest effect? That's where risk management comes into play.
Chapter 16: Policy and Compliance
Policy provides the foundation of any cybersecurity program, and building an effective set of policies is critical to a successful program. In this chapter, you will acquire the tools to build a standards-based set of security policies, standards, and procedures. You will also learn how to leverage industry best practices by using guidelines and benchmarks from industry experts.
Appendix A: Practice Exam
Once you have completed your studies, the practice exam will provide you with a chance to test your knowledge. Use this exam to find places where you may need to study more or to verify that you are ready to tackle the exam. We'll be rooting for you!
Appendix B: Answers to Review Questions and Practice Exam
The appendix has answers to the review questions you will find at the end of each chapter and answers to the practice exam in Appendix A.
Appendix C: Answers to Lab Exercises
This appendix has answers to the lab exercises you will find at the end of each chapter.
This study guide uses a number of common elements to help you prepare. These include the following:
Summaries
The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.
Exam Essentials
The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by CompTIA.
Review Questions
A set of questions at the end of each chapter will help you assess your knowledge of that chapter's topics and whether you are ready to take the exam.
Lab Exercises
The written labs provide more in-depth practice opportunities to expand your skills and to better prepare for performance-based testing on the Cybersecurity Analyst+ exam.
These special notes call out issues that are found on the exam and relate directly to CySA+ exam objectives. They help you prepare for the why and how.
This book comes with a number of additional study tools to help you prepare for the exam. They include the following.
Go to www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
Sybex's test preparation software lets you prepare with electronic test versions of the review questions from each chapter, the practice exam, and the bonus exam that are included in this book. You can build and take tests on specific domains, by chapter, or cover the entire set of Cybersecurity Analyst+ exam objectives using randomized tests.
Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.
Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.
In addition to the practice questions for each chapter, this book includes a full 85-question practice exam, found in Appendix A. We recommend that you use it to test your preparedness for the certification exam.
The following objective map for the CompTIA Cybersecurity Analyst (CySA+) certification exam will enable you to find the chapter in this book that covers each objective for the exam.
Objective (Chapters)
1.0 Threat and Vulnerability Management
1.1 Explain the importance of threat data and intelligence. (Chapter 2)
1.2 Given a scenario, utilize threat intelligence to support organizational security. (Chapter 2)
1.3 Given a scenario, perform vulnerability management activities. (Chapters 4, 5)
1.4 Given a scenario, analyze the output from common vulnerability assessment tools. (Chapters 3, 5, 6, 9)
1.5 Explain the threats and vulnerabilities associated with specialized technology. (Chapter 5)
1.6 Explain the threats and vulnerabilities associated with operating in the cloud. (Chapter 6)
1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities. (Chapters 5, 9)
2.0 Software and Systems Security
2.1 Given a scenario, apply security solutions for infrastructure management. (Chapters 6, 7, 8)
2.2 Explain software assurance best practices. (Chapter 9)
2.3 Explain hardware assurance best practices. (Chapter 9)
3.0 Security Operations and Monitoring
3.1 Given a scenario, analyze data as part of security monitoring activities. (Chapters 3, 10)
3.2 Given a scenario, implement configuration changes to existing controls to improve security. (Chapter 7)
3.3 Explain the importance of proactive threat hunting. (Chapter 2)
3.4 Compare and contrast automation concepts and technologies. (Chapters 1, 2, 4, 7, 9, 10)
4.0 Incident Response
4.1 Explain the importance of the incident response process. (Chapter 11)
4.2 Given a scenario, apply the appropriate incident response procedure. (Chapters 11, 14)
4.3 Given an incident, analyze potential indicators of compromise. (Chapter 12)
4.4 Given a scenario, utilize basic digital forensic techniques. (Chapter 13)
5.0 Compliance and Assessment
5.1 Understand the importance of data privacy and protection. (Chapters 1, 15)
5.2 Given a scenario, apply security concepts in support of organizational risk mitigation. (Chapter 15)
5.3 Explain the importance of frameworks, policies, procedures, and controls. (Chapter 16)
You can practice many of the techniques found in this book using open source and free tools. This section provides a brief “how to” guide to set up Kali Linux, a Linux distribution built as a broad security toolkit, and Metasploitable, an intentionally vulnerable Linux virtual machine.
To build a basic virtual security lab environment to run scenarios and to learn applications and tools used in this book, you will need a virtualization program and virtual machines. There are many excellent security-oriented distributions and tools beyond those in this example, and you may want to explore tools like Security Onion, the SANS SIFT forensic distribution, and CAINE as you gain experience.
Running virtual machines can require a reasonably capable PC. We like to recommend an i5 or i7 (or equivalent) CPU, at least 8 GB of RAM, and 20 GB of open space on your hard drive. If you have an SSD instead of a hard drive, you'll be much happier with the performance of your VMs.
VirtualBox is a virtualization software package for x86 computers, and it is available for Windows, macOS, and Linux. You can download VirtualBox at www.virtualbox.org/wiki/VirtualBox.
If you are more familiar with another virtualization tool like VMware or Hyper-V, you can also use those tools; however, you may have to adapt or modify these instructions to handle differences in how your preferred virtualization environment works.
You can also build your lab so you can take it on the road by using a portable version of VirtualBox from www.vbox.me. Just follow the instructions on the site and put your virtual machines on an external drive of your choice. Note that this is typically a bit slower unless you have a fast USB drive.
Multiple versions of Kali Linux are available at www.kali.org/downloads/, and prebuilt Kali Linux virtual machines can be downloaded at www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/. We suggest downloading the most recent version of the Kali Linux 64-bit VirtualBox virtual machine image.
You can download the Metasploitable virtual machine at sourceforge.net/projects/metasploitable/.
Kali's default username is root with the password toor on older images; Kali images from release 2020.1 onward use the username kali with the password kali instead.
The Metasploitable virtual machine uses the username msfadmin and the msfadmin password.
If you will ever expose either system to a live network, or you aren't sure if you will, you should change the passwords immediately after booting the virtual machines the first time!
Setting up VirtualBox is quite simple. First, install the VirtualBox application. Once it is installed and you select your language, you should see a VirtualBox window like the one in Figure I.1.
To add the Kali Linux virtual machine, choose File, then Import Appliance. Navigate to the directory where you downloaded the Kali VM and import the virtual machine. Follow the wizard as it guides you through the import process, and when it is complete, you can continue with these instructions.
The Metasploitable virtual machine comes as a zip file, so you'll need to extract it first. Inside, you'll find a VMDK disk image rather than the OVA appliance file that VirtualBox imports directly, which means you have to do a little more work.
Click New in the VirtualBox main window.
Click Expert Mode and name your system; then select Linux for the type. You can leave the default alone for Version, and you can leave the memory default alone as well. See Figure I.2.
Select Use An Existing Virtual Hard Disk File, navigate to the location where you unzipped the Metasploitable.vmdk file, select it, and then click Create.
FIGURE I.1 VirtualBox main screen
FIGURE I.2 Adding the Metasploitable VM
Now that you have both virtual machines set up, you should verify their network settings. VirtualBox allows multiple types of networks.
Table I.1 shows the critical types of network connections you are likely to want to use with this environment.
You may want to have Internet connectivity for some exercises, or to update software packages. If you are reasonably certain you know what you are doing, using a NAT Network can be very helpful. To do so, you will need to click the File ➢ Preferences menu of VirtualBox; then select Network and set up a NAT network, as shown in Figure I.3, by clicking the network card with a + icon.
TABLE I.1 Virtual machine network options
NAT: Connects the VM to your real network through VirtualBox's built-in NAT. The VM can reach the Internet, but nothing outside can initiate connections to it, and VMs in this mode cannot see each other.
NAT Network: Connects the VM and other VMs together on a protected network segment that is also NAT'ed out to your real network, so the VMs can see each other and reach the Internet.
Bridged: Directly connects your VM to your actual network (possibly allowing it to get a DHCP address, be scanned, or be connected to remotely). Do not use this mode for an intentionally vulnerable VM like Metasploitable.
Internal: Connects the VM to a network that exists only between virtual machines using the same internal network name, with no host or Internet access.
Host Only: Connects the VM to a network that only allows it to see the VM host and other VMs on the same host-only network, with no Internet access.
FIGURE I.3 Adding a NAT network
If you are not comfortable with your virtual machines having outbound network access, think you may do something dangerous with them, or want to avoid any other potential issues, you should set up both virtual machines to use Internal Network instead.
Once your NAT network exists, you can set both machines to use it by clicking on them, then clicking the Settings gear icon in the VirtualBox interface. From there, click Network, and set the network adapter to be attached to the NAT network you just set up. See Figure I.4.
FIGURE I.4 Configuring VMs for the NAT network
Now you're all set! You can start both machines and test that they can see each other. To do this, log in to the Metasploitable box and run ifconfig to find its IP address. Then use SSH to connect from the Kali Linux system to the Metasploitable system with ssh [ip address] -l msfadmin. If you connect and can log in, you're ready to run exercises between the two systems! If a current Kali's SSH client refuses the connection with an error such as “no matching host key type found,” the cause is that Metasploitable's old OpenSSH server offers only the legacy ssh-rsa and ssh-dss host key algorithms, which newer clients disable by default; re-enable one of them for that host only with ssh -o HostKeyAlgorithms=+ssh-rsa [ip address] -l msfadmin.
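The same lab can be built from the command line with VBoxManage, the CLI that ships with VirtualBox. The script below is an added example, not from the book or the VirtualBox project; it reproduces the steps above (create the NAT network, import the Kali OVA, build a VM around the Metasploitable VMDK, attach both VMs to the NAT network). File names, VM names, the network name cysa-lab and the 10.0.2.0/24 range are assumptions you can override through the environment. By default it only prints the commands it would run; set LAB_APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the book or the VirtualBox project): the VirtualBox
# lab setup from this section driven by VBoxManage instead of the GUI.
# By default it only PRINTS the commands (dry run); set LAB_APPLY=1 to run them.
# Assumed, adjustable names: kali.ova and Metasploitable.vmdk in the current
# directory, VM names "Kali" and "Metasploitable", NAT network "cysa-lab"
# on 10.0.2.0/24.
set -eu

LAB_APPLY="${LAB_APPLY:-0}"
LAB_NETNAME="${LAB_NETNAME:-cysa-lab}"
LAB_SUBNET="${LAB_SUBNET:-10.0.2.0/24}"
KALI_OVA="${KALI_OVA:-kali.ova}"
KALI_NAME="${KALI_NAME:-Kali}"
MSF_VMDK="${MSF_VMDK:-Metasploitable.vmdk}"
MSF_NAME="${MSF_NAME:-Metasploitable}"

# Print a command during a dry run; execute it when LAB_APPLY=1.
run() {
  if [ "$LAB_APPLY" = 1 ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# NAT Network mode (Table I.1): the two VMs share a private segment, reach the
# Internet through NAT, and nothing on the real LAN can reach them unsolicited.
# Plain NAT mode would not do here, because VMs on plain NAT cannot see each other.
lab_create_natnet() {
  run VBoxManage natnetwork add --netname "$LAB_NETNAME" \
      --network "$LAB_SUBNET" --enable --dhcp on
}

# Kali ships as an OVA appliance, which VBoxManage imports directly;
# --vmname gives the imported VM a predictable name for the steps below.
lab_import_kali() {
  run VBoxManage import "$KALI_OVA" --vsys 0 --vmname "$KALI_NAME"
}

# Metasploitable ships as a bare VMDK disk, so the VM is built around it:
# register a 32-bit Linux VM (Metasploitable 2 is Ubuntu 8.04 i386), add a
# SATA controller, and attach the existing disk as its first drive.
lab_create_metasploitable() {
  run VBoxManage createvm --name "$MSF_NAME" --ostype Ubuntu --register
  run VBoxManage modifyvm "$MSF_NAME" --memory 512
  run VBoxManage storagectl "$MSF_NAME" --name SATA --add sata --controller IntelAhci
  run VBoxManage storageattach "$MSF_NAME" --storagectl SATA --port 0 --device 0 \
      --type hdd --medium "$MSF_VMDK"
}

# Put a VM's first adapter on the NAT network (the Figure I.4 step).
# For a fully isolated lab with no outbound access, use an internal network
# instead: --nic1 intnet --intnet1 "$LAB_NETNAME".
lab_attach_natnet() {
  run VBoxManage modifyvm "$1" --nic1 natnetwork --nat-network1 "$LAB_NETNAME"
}

lab_main() {
  lab_create_natnet
  lab_import_kali
  lab_create_metasploitable
  lab_attach_natnet "$MSF_NAME"
  lab_attach_natnet "$KALI_NAME"
}

lab_main
```

Run the script once without LAB_APPLY to review the eight VBoxManage commands it plans to execute, then run it again with LAB_APPLY=1 sh lab-setup.sh to build the lab. Start both VMs from the VirtualBox window afterward and change the default passwords on first boot, as noted above.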
If you're considering taking the Cybersecurity Analyst+ exam, you should have already taken and passed the CompTIA Security+ and Network+ exams and should have four years of experience in the field. You may also already hold other equivalent certifications. The following assessment test helps to make sure that you have the knowledge that you should have before you tackle the Cybersecurity Analyst+ certification and will help you determine where you may want to spend the most time with this book.
After running an nmap scan of a system, you receive scan data that indicates the following three ports are open:
22/TCP
443/TCP
1521/TCP
What services commonly run on these ports?
SMTP, NetBIOS, MySQL
SSH, Microsoft DS, WINS
SSH, HTTPS, Oracle
FTP, HTTPS, MS-SQL
Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?
nmap
traceroute
regmon
whois
What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools?
A honeypot
A sinkhole
A crackpot
A darknet
What cybersecurity objective could be achieved by running your organization's web servers in redundant, geographically separate datacenters?
Confidentiality
Integrity
Immutability
Availability
Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
Black box
Authenticated
Internal view
External view
Security researchers recently discovered a flaw in the Chakra JavaScript engine in Microsoft's Edge browser that could allow remote code execution or denial of service via a specifically crafted website. The CVSS 3.0 vector for this vulnerability reads
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
What is the attack vector and the impact to integrity based on this rating?
System, 9, 8
Browser, High
Network, High
None, High
Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this?
Verify that it is a false positive, and then document the exception.
Implement a workaround.
Update the vulnerability scanner.
Use an authenticated scan, and then document the vulnerability.
Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Postincident Activity and Reporting
Which of the following descriptions explains an integrity loss?
Systems were taken offline, resulting in a loss of business income.
Sensitive or proprietary information was changed or deleted.
Protected information was accessed or exfiltrated.
Sensitive personally identifiable information was accessed or exfiltrated.
Which of the following techniques is an example of active monitoring?
Ping
RMON
NetFlows
A network tap
Abdul's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
Anomalous pings
Probing
Zombie chatter
Beaconing
Which of the following tools is not useful for monitoring memory usage in Linux?
df
top
ps
free
Which of the following tools cannot be used to make a forensic disk image?
xcopy
FTK
dd
EnCase
During a forensic investigation, Maria is told to look for information in slack space on the drive. Where should she look, and what is she likely to find?
She should look at unallocated space, and she is likely to find file fragments from deleted files.
She should look at unused space where files were deleted, and she is likely to find complete files hidden there by the individual being investigated.
She should look in the space reserved on the drive for spare blocks, and she is likely to find complete files duplicated there.
She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files.
What type of system is used to contain an attacker to allow them to be monitored?
A white box
A sandbox
A network jail
A VLAN
Oscar's manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Oscar's best course of action?
Use an antivirus tool to remove any associated malware
Use an antimalware tool to completely scan and clean the system
Wipe and rebuild the system
Restore a recent backup
What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type?
Clear
Purge
Destroy
Reinstall
Which of the following actions is not a common activity during the recovery phase of an incident response process?
Reviewing accounts and adding new privileges
Validating that only authorized user accounts are on the systems
Verifying that all systems are logging properly
Performing vulnerability scans of all systems
A statement like “Windows workstations must have the current security configuration template applied to them before being deployed” is most likely to be part of which document?
Policies
Standards
Procedures
Guidelines
Jamal is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with?
HIPAA
GLBA
SOX
FERPA