
CompTIA CySA+ Study Guide: Exam CS0-001

Mike Chapple , David Seidl

ISBN: 978-1-119-34988-4

Apr 2017

560 pages



NOTE: The name of the exam has changed from CSA+ to CySA+. However, the CS0-001 exam objectives are exactly the same. After the book was printed with CSA+ in the title, CompTIA changed the name to CySA+. We have corrected the title to CySA+ in subsequent book printings, but earlier printings that were sold may still show CSA+ in the title. Please rest assured that the book content is 100% the same.

Prepare yourself for the newest CompTIA certification

The CompTIA Cybersecurity Analyst+ (CySA+) Study Guide provides 100% coverage of all exam objectives for the new CySA+ certification. The CySA+ certification validates a candidate's skills to configure and use threat detection tools, perform data analysis, and identify vulnerabilities, with the goal of securing and protecting an organization's systems. Focus your review for the CySA+ with Sybex and benefit from real-world examples drawn from experts, hands-on labs, insight on how to create your own cybersecurity toolkit, and end-of-chapter review questions that help you gauge your understanding each step of the way. You also gain access to the Sybex interactive learning environment, which includes electronic flashcards, a searchable glossary, and hundreds of bonus practice questions.

This study guide provides the guidance and knowledge you need to demonstrate your skill set in cybersecurity. Key exam topics include:

  • Threat management
  • Vulnerability management
  • Cyber incident response
  • Security architecture and toolsets


Introduction xxvii

Assessment Test xlv

Chapter 1 Defending Against Cybersecurity Threats 1

Cybersecurity Objectives 2

Evaluating Security Risks 3

Identify Threats 5

Identify Vulnerabilities 7

Determine Likelihood, Impact, and Risk 7

Reviewing Controls 8

Building a Secure Network 8

Network Access Control 9

Firewalls and Network Perimeter Security 10

Network Segmentation 13

Defense through Deception 14

Secure Endpoint Management 15

Hardening System Configurations 15

Patch Management 15

Group Policies 16

Endpoint Security Software 17

Penetration Testing 17

Planning a Penetration Test 18

Conducting Discovery 18

Executing a Penetration Test 19

Communicating Penetration Test Results 20

Training and Exercises 20

Reverse Engineering 20

Isolation and Sandboxing 21

Reverse Engineering Software 21

Reverse Engineering Hardware 22

Summary 23

Exam Essentials 24

Lab Exercises 25

Activity 1.1: Create an Inbound Firewall Rule 25

Activity 1.2: Create a Group Policy Object 25

Activity 1.3: Write a Penetration Testing Plan 26

Activity 1.4: Security Tools 27

Review Questions 28

Chapter 2 Reconnaissance and Intelligence Gathering 33

Footprinting 34

Active Reconnaissance 35

Mapping Networks and Discovering Topology 35

Port Scanning and Service Discovery Techniques and Tools 37

Passive Footprinting 43

Log and Configuration Analysis 43

Harvesting Data from DNS and Whois 51

Information Aggregation and Analysis Tools 58

Information Gathering Using Packet Capture 58

Gathering Organizational Intelligence 59

Organizational Data 59

Electronic Document Harvesting 60

Detecting, Preventing, and Responding to Reconnaissance 63

Capturing and Analyzing Data to Detect Reconnaissance 63

Preventing Reconnaissance 65

Summary 66

Exam Essentials 67

Lab Exercises 68

Activity 2.1: Port Scanning 68

Activity 2.2: Write an Intelligence Gathering Plan 68

Activity 2.3: Intelligence Gathering Techniques 69

Review Questions 70

Chapter 3 Designing a Vulnerability Management Program 75

Identifying Vulnerability Management Requirements 76

Regulatory Environment 76

Corporate Policy 79

Identifying Scan Targets 80

Determining Scan Frequency 81

Configuring and Executing Vulnerability Scans 83

Scoping Vulnerability Scans 83

Configuring Vulnerability Scans 84

Scanner Maintenance 88

Developing a Remediation Workflow 90

Reporting and Communication 91

Prioritizing Remediation 94

Testing and Implementing Fixes 94

Overcoming Barriers to Vulnerability Scanning 95

Summary 96

Exam Essentials 97

Lab Exercises 98

Activity 3.1: Installing a Vulnerability Scanner 98

Activity 3.2: Running a Vulnerability Scan 98

Review Questions 99

Chapter 4 Analyzing Vulnerability Scans 103

Reviewing and Interpreting Scan Reports 104

Understanding CVSS 106

Validating Scan Results 111

False Positives 112

Documented Exceptions 112

Understanding Informational Results 112

Reconciling Scan Results with Other Data Sources 114

Trend Analysis 114

Common Vulnerabilities 115

Server and Endpoint Vulnerabilities 116

Network Vulnerabilities 123

Virtualization Vulnerabilities 129

Internet of Things (IoT) 130

Web Application Vulnerabilities 131

Summary 134

Exam Essentials 135

Lab Exercises 136

Activity 4.1: Interpreting a Vulnerability Scan 136

Activity 4.2: Analyzing a CVSS Vector 136

Activity 4.3: Remediating a Vulnerability 137

Review Questions 138

Chapter 5 Building an Incident Response Program 143

Security Incidents 144

Phases of Incident Response 145

Preparation 146

Detection and Analysis 146

Containment, Eradication, and Recovery 148

Post-Incident Activity 148

Building the Foundation for Incident Response 150

Policy 150

Procedures and Playbooks 151

Documenting the Incident Response Plan 151

Creating an Incident Response Team 152

Incident Response Providers 153

CSIRT Scope of Control 154

Coordination and Information Sharing 154

Internal Communications 155

External Communications 155

Classifying Incidents 155

Threat Classification 156

Severity Classification 157

Summary 160

Exam Essentials 161

Lab Exercises 162

Activity 5.1: Incident Severity Classification 162

Activity 5.2: Incident Response Phases 162

Activity 5.3: Developing an Incident Communications Plan 163

Review Questions 164

Chapter 6 Analyzing Symptoms for Incident Response 169

Analyzing Network Events 170

Capturing Network Events 170

Network Monitoring Tools 174

Detecting Common Network Issues 179

Handling Network Probes and Attacks 183

Detecting Scans and Probes 183

Detecting Denial-of-Service and Distributed Denial-of-Service Attacks 184

Detecting Other Network Attacks 186

Detecting and Finding Rogue Devices 187

Investigating Host Issues 188

System Resources 189

Malware and Unauthorized Software 192

Unauthorized Access, Changes, and Privileges 193

Investigating Service and Application Issues 194

Application and Service Monitoring 194

Application and Service Issue Response and Restoration 196

Detecting Attacks on Applications 197

Summary 198

Exam Essentials 198

Lab Exercises 199

Activity 6.1: Identify a Network Scan 199

Activity 6.2: Write a Service Issue Response Plan 200

Activity 6.3: Security Tools 201

Review Questions 202

Chapter 7 Performing Forensic Analysis 207

Building a Forensics Capability 208

Building a Forensic Toolkit 208

Training and Certification 212

Understanding Forensic Software 212

Capabilities and Application 212

Conducting a Forensic Investigation 216

The Forensic Process 216

Target Locations 218

Acquiring and Validating Drive Images 219

Imaging Live Systems 224

Acquiring Other Data 225

Forensic Investigation: An Example 229

Importing a Forensic Image 229

Analyzing the Image 231

Reporting 234

Summary 236

Exam Essentials 236

Lab Exercises 237

Activity 7.1: Create a Disk Image 237

Activity 7.2: Conduct the NIST Rhino Hunt 238

Activity 7.3: Security Tools 239

Review Questions 240

Chapter 8 Recovery and Post-Incident Response 245

Containing the Damage 246

Segmentation 248

Isolation 249

Removal 251

Evidence Gathering and Handling 252

Identifying Attackers 253

Incident Eradication and Recovery 253

Reconstruction and Reimaging 255

Patching Systems and Applications 255

Sanitization and Secure Disposal 256

Validating the Recovery Effort 258

Wrapping Up the Response 258

Managing Change Control Processes 258

Conducting a Lessons-Learned Session 259

Developing a Final Report 259

Summary 260

Exam Essentials 260

Lab Exercises 261

Activity 8.1: Incident Containment Options 261

Activity 8.2: Incident Response Activities 263

Activity 8.3: Sanitization and Disposal Techniques 263

Review Questions 265

Chapter 9 Policy and Compliance 269

Understanding Policy Documents 270

Policies 270

Standards 273

Procedures 274

Guidelines 275

Exceptions and Compensating Controls 276

Complying with Laws and Regulations 277

Adopting a Standard Framework 278

NIST Cybersecurity Framework 279

ISO 27001 282

Control Objectives for Information and Related Technologies (COBIT) 282

Sherwood Applied Business Security Architecture (SABSA) 283

The Open Group Architecture Framework (TOGAF) 283

Information Technology Infrastructure Library (ITIL) 285

Implementing Policy-Based Controls 285

Security Control Verification and Quality Control 286

Summary 287

Exam Essentials 287

Lab Exercises 288

Activity 9.1: Policy Documents 288

Activity 9.2: Using a Cybersecurity Framework 288

Activity 9.3: Compliance Auditing Tools 288

Review Questions 289

Chapter 10 Defense-in-Depth Security Architectures 293

Understanding Defense in Depth 294

Layered Security 294

Control Types and Classification 298

Implementing Defense in Depth 299

Layered Security and Network Design 299

Layered Host Security 305

Logging, Monitoring, and Validation 306

Cryptography 307

Policy, Process, and Standards 308

Outsourcing and Personnel Security 310

Analyzing Security Architecture 311

Analyzing Security Requirements 312

Reviewing Architecture 312

Common Issues 313

Reviewing a Security Architecture 317

Maintaining a Security Design 319

Summary 320

Exam Essentials 320

Lab Exercises 321

Activity 10.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 321

Activity 10.2: Review a NIST Security Architecture 322

Activity 10.3: Security Architecture Terminology 323

Review Questions 324

Chapter 11 Identity and Access Management Security 329

Understanding Identity 330

Identity Systems and Security Design 332

Threats to Identity and Access 335

Understanding Security Issues with Identities 336

Attacking AAA Systems and Protocols 336

Targeting Account Creation, Provisioning, and Deprovisioning 341

Preventing Common Exploits of Identity and Authorization 343

Acquiring Credentials 343

Identity as a Security Layer 345

Identity and Defense-in-Depth 346

Securing Authentication and Authorization 346

Detecting Attacks and Security Operations 352

Understanding Federated Identity and Single Sign-On 353

Federated Identity Security Considerations 354

Federated Identity Design Choices 355

Federated Identity Technologies 357

Federation Incident Response 361

Summary 362

Exam Essentials 362

Lab Exercises 363

Activity 11.1: Federated Security Scenario 363

Activity 11.2: Onsite Identity Issues Scenario 364

Activity 11.3: Identity and Access Management Terminology 365

Review Questions 366

Chapter 12 Software Development Security 371

Understanding the Software Development Life Cycle 372

Software Development Phases 373

Software Development Models 375

Designing and Coding for Security 380

Common Software Development Security Issues 381

Secure Coding Best Practices 381

Application Testing 384

Information Security and the SDLC 384

Code Review Models 385

Formal Code Review 387

Software Security Testing 388

Analyzing and Testing Code 389

Web Application Vulnerability Scanning 391

Summary 394

Exam Essentials 394

Lab Exercises 395

Activity 12.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 395

Activity 12.2: Learn about Web Application Exploits from WebGoat 396

Activity 12.3: SDLC Terminology 396

Review Questions 397

Chapter 13 Cybersecurity Toolkit 401

Host Security Tools 402

Antimalware and Antivirus 402

EMET 403

Sysinternals 404

Monitoring and Analysis Tools 405

Syslog 406

Security Information and Event Management (SIEM) 407

Network Monitoring 409

Scanning and Testing Tools 411

Network Scanning 412

Vulnerability Scanning 412

Exploit Frameworks 415

Password Cracking and Recovery 416

Network Security Tools 418

Firewalls 418

Network Intrusion Detection and Prevention 418

Host Intrusion Prevention 420

Packet Capture 421

Command-Line Network Tools 423

Web Proxies 426

OpenSSL 428

Web Application Security Tools 429

Web Application Firewalls 429

Interception Proxies 430

Fuzzers 431

Forensics Tools 433

Hashing 433

Imaging 434

Forensic Suites 435

Mobile Forensics 436

Summary 436

Appendix A Answers to the Review Questions 437

Chapter 1: Defending Against Cybersecurity Threats 438

Chapter 2: Reconnaissance and Intelligence Gathering 439

Chapter 3: Designing a Vulnerability Management Program 441

Chapter 4: Analyzing Vulnerability Scans 443

Chapter 5: Building an Incident Response Program 444

Chapter 6: Analyzing Symptoms for Incident Response 446

Chapter 7: Performing Forensic Analysis 448

Chapter 8: Recovery and Post-Incident Response 449

Chapter 9: Policy and Compliance 451

Chapter 10: Defense-in-Depth Security Architectures 453

Chapter 11: Identity and Access Management Security 456

Chapter 12: Software Development Security 458

Appendix B Answers to the Lab Exercises 461

Chapter 1: Defending Against Cybersecurity Threats 462

Chapter 2: Reconnaissance and Intelligence Gathering 462

Chapter 4: Analyzing Vulnerability Scans 463

Chapter 5: Building an Incident Response Program 464

Chapter 6: Analyzing Symptoms for Incident Response 465

Chapter 7: Performing Forensic Analysis 466

Chapter 8: Recovery and Post-Incident Response 467

Chapter 9: Policy and Compliance 470

Chapter 10: Defense-in-Depth Security Architectures 471

Chapter 11: Identity and Access Management Security 472

Chapter 12: Software Development Security 473

Index 475

Downloads

Errata in text: Corrections PDF for page xxxiii in the Introduction
Errata in text: Correction to back-of-book ad
CompTIA Voucher Discount

Errata
Front matter, page xlv (Errata in text)
Assessment Test, Question 10: C is not the correct answer; A is the correct answer.

Front matter, page xlv (Errata in text)
Answers to the Assessment Test
Question 10: incorrect answer given as C; the correct answer is A.
Question 12: incorrect answer given as C; the correct answer is A.

Front matter, pages xli and xlv (Errata in text)
Question 11 on xli:
11. Ben's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
A. Anomalous pings
B. Probing
C. Zombie chatter
D. Beaconing

Answer 11 on xlv:
Incorrect text:
C. Regular traffic from compromised systems to command and control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made-up term, and probing is part of scanning behavior in some cases.

Correct text:
D. Regular traffic from compromised systems to command and control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made-up term, and probing is part of scanning behavior in some cases.
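
The corrected answer above defines beaconing as regular traffic from a compromised host to a command and control node. That regularity is what a detection rule can key on: the gaps between successive connections from one host to one destination are nearly constant for a beacon and bursty for normal user traffic. The following is an added example, not code from the study guide; the log format, addresses, thresholds and log lines are constructed assumptions for illustration.

```python
"""Flag periodic outbound connections ("beaconing") in connection logs.

Added example (not from the CySA+ Study Guide). A host talking to a C2 node on
a timer produces near-constant gaps between connections; ordinary browsing to
the same destination does not. Each (src, dst, dport) flow is scored by the
coefficient of variation of its inter-arrival intervals. Hosts, addresses,
log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, "timestamp src dst dport bytes" per line. The format
# is an assumption for this example, not any particular tool's output.
SAMPLE_LOG = """\
2017-04-10T09:00:00 10.0.0.25 203.0.113.7 443 512
2017-04-10T09:00:01 10.0.0.25 198.51.100.4 443 20480
2017-04-10T09:01:00 10.0.0.25 203.0.113.7 443 512
2017-04-10T09:02:01 10.0.0.25 203.0.113.7 443 512
2017-04-10T09:02:10 10.0.0.25 198.51.100.4 443 9201
2017-04-10T09:02:11 10.0.0.25 198.51.100.4 443 1023
2017-04-10T09:02:59 10.0.0.25 203.0.113.7 443 512
2017-04-10T09:04:00 10.0.0.25 203.0.113.7 443 512
2017-04-10T09:05:01 10.0.0.25 203.0.113.7 443 512
2017-04-10T09:06:00 10.0.0.25 203.0.113.7 443 512
2017-04-10T09:07:00 10.0.0.25 203.0.113.7 443 512
2017-04-10T09:19:42 10.0.0.25 198.51.100.4 443 33010
2017-04-10T09:20:03 10.0.0.25 198.51.100.4 443 700
"""


def parse_log(text):
    """Parse 'timestamp src dst dport bytes' lines into (datetime, src, dst, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.15):
    """Return {(src, dst, dport): stats} for flows whose connection gaps are
    nearly constant.

    cv = stdev(gaps) / mean(gaps). A fixed-interval beacon drives cv toward 0
    (a small jitter keeps it under a few percent); bursty user traffic keeps it
    well above max_cv. min_connections avoids scoring flows too short to show
    a rhythm. Both thresholds are assumptions to tune for the environment.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in records:
        by_flow[(src, dst, dport)].append(ts)

    hits = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to score
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[flow] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst, dport), s in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon {src} -> {dst}:{dport} every ~{s['mean_interval']:.0f}s "
              f"x{s['count']} (cv={s['cv']:.3f})")
```

In the constructed log the flow to 203.0.113.7 connects roughly every 60 seconds with one or two seconds of jitter and is flagged, while the flow to 198.51.100.4 has gaps ranging from one second to many minutes and is not. Malware that randomizes its sleep interval needs a larger max_cv, and legitimate periodic traffic (NTP, update checks, monitoring agents) matches the same pattern, so the score is a lead to combine with destination reputation and an allowlist of known periodic services rather than an alert on its own.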

Introduction, page xxxiii (Errata in text)
On page xxxiii in the Introduction, a NOTE includes a URL. However, if a reader types the URL exactly the way it appears in the print book, with a capital "S" in "Sybextestprep," they will get a "Page Not Found" error message.
The "S" should be lowercase, not uppercase. In the eBooks that are available, clicking the URL will take the reader to the same "Page Not Found" page. We need to make the correction as soon as possible.
Note: The corrections PDF is available in the Downloads section.

Chapter 1, page 6 (Errata in text)
The last sentences of bullet #2 and bullet #3 are identical.
Bullet #3, last sentence, incorrect text:
When evaluating a structural threat, cybersecurity analysts should consider the possible range of effects that the threat might have on the organization.
Bullet #3, last sentence, correct text:
When evaluating environmental threats, cybersecurity analysts should consider common natural environmental threats to their geographic region, as well as how to appropriately prevent or counter man-made environmental threats.

Chapter 1, page 12 (Errata in text)
Table 1.1: the port for SQL Server should be 1433; the book incorrectly reads 1443.

Chapter 13, page 402 (Errata in text)
Antimalware and Antivirus heading, paragraph 2:
Incorrect text: ".... with detection capabilities built into host-based tools, integrated into email appliances and similar products, or deployed as prat of network layer intrusion detection or prevention systems."
Correction: change "prat" to "part".

Index, page 484 (Errata in text)
Insert the entry
input validation, 132-134
between the "inline NAC solutions" and "Insecure Interaction Between Components software errors" entries.

Chapter 12, page 397 (Errata in text)
Review Question 3: "cost testing" (incorrect) should read "code testing" (correct).