CompTIA Cybersecurity Analyst CySA+ Certification Training
Level: Intermediate
Course #: 2047
Course info - Prices, Enrollment
Key Features of this CySA+ Training
CompTIA-approved CySA+ training programs
After-course instructor coaching benefit
Exam voucher included
You Will Learn How To:
Prepare for and pass the Cybersecurity Analyst (CySA+) exam
Threat and Vulnerability Management
Software and Systems Security
Security Operations and Monitoring
Incident Response
Compliance and Assessment
Choose the Training Solution That Best Fits Your Individual Needs
Important CySA+ Course Information
Requirements
IT Security Professionals must have 3-4 years of hands-on information security or related experience at the level of Network+ or Security+
Recommended Experience
It is recommended that you have the following skills and knowledge before starting this course:
Knowledge of basic network terminology and functions (such as OSI Model, Topology, Ethernet, Wi-Fi, switches, routers)
Understanding of TCP/IP addressing, core protocols, and troubleshooting tools
Network attack strategies and defenses
Knowledge of the technologies and uses of cryptographic standards and products
Network- and host-based security technologies and practices
Standards and products used to enforce security on web and communications technologies
Exam Information
Course tuition includes an exam voucher. The exam is offered through Pearson Vue.
Certification Information
To earn this certification, you must take and pass CompTIA exam CS0-002
CySA+ Course Outline
1.0 Threat and Vulnerability Management
1.1 Explain the importance of threat data and intelligence.
Intelligence sources
Open-source intelligence
Proprietary/closed-source intelligence
Timeliness
Relevancy
Accuracy
Indicator management
Structured Threat Information eXpression (STIX)
Trusted Automated eXchange of Indicator Information (TAXII) OpenIoC
Threat classification
Known threat vs. unknown threat
Zero-day
Advanced persistent threat
Threat actors
Nation-state
Hacktivist
Organized crime
Insider threat Intentional
Unintentional
Intelligence cycle
Requirements
Collection
Analysis
Dissemination
Feedback
Commodity malware
Information sharing and analysis communities
Healthcare
Financial
Aviation
Government
Critical infrastructure
1.2 Given a scenario, utilize threat intelligence to support organizational security.
Attack frameworks
MITRE ATT&CK
The Diamond Model of Intrusion Analysis Kill chain
Threat research
Reputational
Behavioral
Indicator of compromise (IoC)
Common vulnerability scoring system (CVSS)
Threat modeling methodologies
Adversary capability
Total attack surface
Attack vector
Impact
Liklihood
Threat intelligence sharing with supported functions
Incident response
Vulnerability management
Risk management
Security engineering
Detection and monitoring
1.3 Given a scenario, perform vulnerability management activities.
Vulnerability identification
Asset criticality
Active vs. passive scanning
Mapping/enumeration
Validation
True positive
False positive – True negative
False negative
Remediation/mitigation
Configuration baseline
Patching
Hardening
Compensating controls Risk acceptance
Verification of mitigation
Scanning parameters and criteria
Risks associated with scanning activities
Vulnerability feed
Scope
Credentialed vs. non-credentialed
Server-based vs. agent-based
Internal vs. external
Special considerations Types of data
Technical constraints
Workflow
Sensitivity levels
Regulatory requirements
Segmentation
Intrusion prevention system (IPS), intrusion detection system (IDS), and firewall settings
Inhibitors to remediation
Memorandum of understanding (MOU)
Service-level agreement (SLA)
Organizational governance
Business process interruption
Degrading functionality
Legacy systems
1.4 Given a scenario, analyze the output from common vulnerability assessment tools.
Web application scanner OWASP Zed Attack Proxy (ZAP)
Burp suite
Nikto
Arachni
Infrastructure vulnerability scanner
Nessus
OpenVAS
Qualys
Software assessment tools and techniques
Static analysis
Dynamic analysis
Reverse engineering
Fuzzing
Enumeration
Nmap
hping
Active vs. passive
Responder
Wireless assessment tools
Aircrack-ng Reaver oclHashcat
Cloud Infrastructure assessment tools
ScoutSuite
Prowler
Pacu
1.5 Explain the threats and vulnerabilities associated with specialized technology.
Mobile
Internet of Things (IoT)
Embedded
Real-time operating system (RTOS) System-on-Chip (SoC)
Field programmable gate array (FPGA)
Physical access control
Busiling automation systems
Vehicles and drones CAN bus
Workflow and process automation systems
Industrial control system
Supervisory control and data acquisition (SCADA) Modbus
1.6 Explain the threats and vulnerabilities associated with operating in the cloud.
Cloud service models
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Cloud deployment models
Public
Private
Community
Hybrid
Function as a Service (FaaS)/ serverless architecture
Infrastructure as code (IaC)
Insecure application programming interface (API)
Improper key management
Unprotected storage
Logging and monitoring
Insufficient logging and monitoring
Inability to access
1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities.
Attack types
Extensible markup language (XML) attack Structured query language (SQL) injection
Overflow attack Buffer
Integer
Heap
Remote code execution
Directory traversal
Privilege escalation
Password spraying
Credential stuffing
Impersonation
Man-in-the-middle attack
Session hijacking
Rootkit
Cross-site scripting
Reflected
Persistent
Document object model (DOM)
Improper error handling
Dereferencing
Insecure object reference Race condition
Broken authentication
Sensitive data exposure
Insecure components – Insufficient logging and monitoring – Weak or default configurations – Use of insecure functions – strcpy
2.0 Software and Systems Security
2.1 Given a scenario, apply security solutions for infrastructure management.
Cloud vs. on-premises
Asset management Asset tagging
Segmentation Physical
Virtual
Jumpbox
System isolation
Air gap
Network architecture Physical
Software-define
Virtual private cloud (VPC)
Virtual private network (VPN)
Serverless
Change management
Virtualization
Virtual desktop infrastructure (VDI)
Containerization
Identity and access management
Privilege management
Multifactor authentication (MFA)
Single sign-on (SSO)
Federation
Role-based
Attribute-based
Mandatory
Manual review
Cloud access security broker (CASB)
Honeypot
Monitoring and logging
Encryption
Certificate management
Active defense
2.2 Explain software assurance best practices.
Platforms Mobile
Web application
Client/server
Embedded
System-on-chip (SoC)
Firmware
Software development life cycle (SDLC) integration
DevSecOps
Software assessment methods User acceptance testing Stress test application
Security regression testing
Code review
Secure coding best practices
Input validation
Output encoding
Session management
Authentication
Data protection
Parameterized queries Static analysis tools
Dynamic analysis tools
Formal methods for verification of critical software
Service-oriented architecture
Security Assertions Markup Language (SAML)
Simple Object Access Protocol (SOAP)
Representational State Transfer (REST)
Microservices
2.3 Explain hardware assurance best practices.
Hardware root of trust
Trusted platform module (TPM)
Hardware security module (HSM)
Unified Extensible Firmware Interface (UEFI)
Trusted foundry
Secure processing Trusted execution
Secure enclave
Processor security extensions
Atomic execution Anti-tamper
Self-encrypting drive
Trusted firmware updates
Measured boot and attestation
Bus encryption
3.0 Security Operations and Monitoring
3.1 Given a scenario, analyze data as part of security monitoring activities.
Heuristics
Trend analysis
Endpoint Malware
Reverse engineering
Memory
System and application behavior
Known-good behavior
Anomalous behavior
Exploit techniques
File system
User and entity behavior analytics (UEBA)
Uniform Resource Locator (URL) and domain name system (DNS) analysis
Domain generation algorithm
Flow analysis
Packet and protocol analysis
Malware
Log review Event logs
Syslog
Firewall logs
Web application firewall (WAF)
Proxy
Intrusion detection system (IDS)/ Intrusion prevention system (IPS)
Impact analysis
Organization impact vs. localized impact
Immediate vs. total
Security information and event management (SIEM) review
Rule writing
Known-bad Internet protocol (IP)
Dashboard
Query writing String search
Script
Piping
E-mail analysis Malicious payload
Domain Keys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Sender Policy Framework (SPF)
Phishing
Forwarding
Digital signature
E-mail signature block
Embedded links
Impersonation
Header
3.2 Given a scenario, implement configuration changes to existing controls to improve security.
Permissions
Whitelisting
Blacklisting
Firewall
Intrusion prevention system (IPS) rules
Data loss prevention (DLP)
Endpoint detection and response (EDR)
Network access control (NAC)
Sinkholing
Malware signatures
Development/rule writing
Sandboxing
Port security
3.3 Explain the importance of proactive threat hunting
Establishing a hypothesis
Profiling threat actors and activities
Threat hunting tactics
Executable process analysis
Reducing the attack surface area
Bundling critical assets
Attack vectors
Integrated intelligence
Improving detection capabilities
3.4 Compare and contrast automation concepts and technologies.
Workflow orchestration
Security Orchestration, Automation, and Response (SOAR)
Application programming interface (API) integration
Automated malware signature creation
Data enrichment
Threat feed combination
Machine learning
Use of automation protocols and standards Security Content Automation Protocol (SCAP)
Continuous integration
Continuous deployment/delivery
4.0 Incident Response
4.1 Explain the importance of the incident response process.
Communication plan
Limiting communication to trusted parties
Disclosing based on regulatory/ legislative requirements
Preventing inadvertent release of information
Using a secure method of communication
Reporting requirements
Response coordination with relevant entities
Legal Human resources Public relations
Internal and external
Law enforcement Senior leadership
Regulatory bodies
Factors contributing to data criticality
Personally identifiable information (PII)
Personal health information (PHI)
Sensitive personal information (SPI)
High value asset
Financial information
Intellectual property
Corporate information
4.2 Given a scenario, apply the appropriate incident response procedure.
Preparation Training
Testing
Documentation of procedures
Detection and analysis
Characteristics contributing to severity level classification
Downtime
Recovery time
Data integrity
Economic
System process criticality
Reverse engineering
Data correlation
Containment Segmentation
Isolation
Eradication and recovery Vulnerability mitigation
Sanitization
Reconstruction/reimaging
Secure disposal
Patching
Restoration of permissions
Reconstitution of resources
Restoration of capabilities and services
Verification of logging/ communication to security monitoring
Post-incident activities
Evidence retention
Lessons learned report
Change control process
Incident response plan update
Incident summary report
IoC generation
Monitoring
4.3 Given an incident, analyze potential indicators of compromise.
Network-related Bandwidth consumption
Beaconing
Irregular peer-to-peer communication
Rogue device on the network
Scan/sweep
Unusual traffic spike
Common protocol over non-standard port
Host-related
Processor consumption
Memory consumption
Drive capacity consumption
Unauthorized software
Malicious process
Unauthorized change
Unauthorized privilege
Data exfiltration
Abnormal OS process behavior
File system change or anomaly
Registry change or anomaly
Unauthorized scheduled task
Application-related Anomalous activity
Introduction of new accounts
Unexpected output
Hashing
Carving
5.1 Understand the importance of data privacy and protection.
Privacy vs. security
Non-technical controls
Classification
Ownership
Retention
Data types
Retention standards Confidentiality
Legal requirements
Data sovereignty
Data minimization
Purpose limitation
Non-disclosure agreement (NDA)
Technical controls
Encryption
Data loss prevention (DLP)
Data masking
Deidentification
Tokenization
Digital rights management (DRM) ?
Watermarking
Geographic access requirements
Access controls
5.2 Given a scenario, apply security concepts in support of organizational risk mitigation.
Business impact analysis
Risk identification process
Risk calculation Probability
Magnitude
Communication of risk factors
Risk prioritization Security controls –
Engineering tradeoffs
Systems assessment
Documented compensating controls
Training and exercises Red team
Blue team
White team
Tabletop exercise
Supply chain assessment
Vendor due diligence
Hardware source authenticity
5.3 Explain the importance of frameworks, policies, procedures, and controls.
Frameworks Risk-based
Prescriptive
Policies and procedures Code of conduct/ethics
Acceptable use policy (AUP)
Password policy
Data ownership
Data retention
Account management
Continuous monitoring
Work product retention
Category Managerial
Operational
Technical
Control type Preventative
Detective
Corrective
Deterrent
Compensating
Physical
Audits and assessments
Regulatory
Compliance
Team Training
CySA+ Training FAQs
What is CompTIA CySA+ certification?
Cybersecurity Analyst (CySA+) is an IT workforce certfication. It applies behavioral analytics to networks and devices to help prevent, detect and combat cyber threats.
How do I earn CompTIA CySA+ certification?
To earn this certification, you must take and pass CompTIA exam CS0-002.
How do I take the CySA+ exam (CS0-002)?
Course tuition includes an exam voucher. The exam is offered through Pearson Vue.