CompTIA CySA+ Study Guide
CERTIFICATIONS
12/4/2023, 4 min read
If you're considering the CySA+, my advice is to knock out the Sec+ first. It's not mandatory, but it definitely lays a good foundation for what's to come in CySA+. However, from my experience, CySA+ might even seem a bit easier, primarily because it's more focused.
I've already covered Sec+ basics in another guide on this blog, so consider this study guide as an extension of that.
Remember, this isn't an exhaustive list of what's on the exam. I found Professor Dion's practice exams on Udemy really helpful – take all six, understand the answers thoroughly. The Sybex study guide is also a solid resource, especially because it lets you focus on specific areas you might be weak in.
Just a heads-up: I took the CS0-002 version of the exam, and CompTIA is rolling out a new one, so there might be some new stuff to watch out for. And yeah, CompTIA suggests 4 years of SOC experience for this exam, but take that with a grain of salt. If only job recruiters saw it as equivalent to 4 years of experience, right?
1. Understanding Attack Surfaces and Vectors
- Attack Surface: The collection of all points from which an adversary could interact with a system.
- Attack Vector: Specific points an adversary chooses for an attack.
- Threat Model: The behavior of an adversary.
- Capability Set: List of items an adversary can use to attack.
2. Data Loss Prevention (DLP)
- Exact Data Match: A DLP technique that raises an alert on content matching the format of sensitive data, such as social security numbers.
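An added example (not from the original guide) of the format-matching DLP rule described above: a regex for the SSN layout run over constructed sample messages, with an issuance check that rejects number ranges the SSA never assigns so that fewer benign numbers trip the rule. The sample messages and the validation rules are assumptions for the illustration.

```python
import re
from typing import List

# SSN layout: three digits, two digits, four digits, with optional '-' or ' ' separators.
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject combinations that are never issued, to cut down false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:      # area numbers 000, 666 and 900-999 are unassigned
        return False
    if int(group) == 0 or int(serial) == 0:  # group 00 and serial 0000 are never issued
        return False
    return True

def find_ssn_candidates(text: str) -> List[str]:
    """Return each substring that matches the SSN format and passes the issuance check."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        if looks_like_ssn(*m.groups()):
            hits.append(m.group(0))
    return hits

# Constructed sample messages (not real data). The second is a format-only false positive
# that would still need an analyst's review; the third uses an unassigned area number.
SAMPLES = [
    "Ticket 4411: customer SSN is 123-45-6789, please update billing",
    "Order total 321-65-4321 units shipped",
    "Test record uses 000-12-3456 as a placeholder",
    "Phone: 555-0199, nothing sensitive here",
]

def scan_messages(messages) -> dict:
    """Map message index -> candidates, only for messages containing at least one."""
    found = {}
    for i, msg in enumerate(messages):
        hits = find_ssn_candidates(msg)
        if hits:
            found[i] = hits
    return found
```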
3. Access and Vulnerability Management
- With only limited administrative access, you can run vulnerability scans but cannot apply updates or patches.
4. File Systems and OS Compatibility
- macOS default storage system: HFS+.
- Compatibility with exFAT, FAT32, and limited support for NTFS.
5. Counterfeiting and Security
- Counterfeiting: Unauthorized replication of items, regardless of component authenticity.
6. Password Management
- Group policy: Effective for changing multiple passwords in Windows domain environments.
7. Tools for Network Security
- aircrack-ng: Wireless packet data collection.
- John the Ripper: Password cracking.
- Nessus: Vulnerability scanning.
- Netcat: Creating reverse shells.
8. VPN Security and Malware Prevention
- Network Access Control (NAC): Prevents malware download through VPN connections.
9. Incident Response Process Phases
- Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
- The preparation phase is where the policies for collecting hardware (evidence) are set.
10. Personal Health Information (PHI) Protection
- PHI breaches affecting 500+ people must be reported to the US Department of Health.
11. Multifactor Authentication (MFA)
- MFA involves using two or more different forms of authentication.
- Example: PIN (Knowledge) + Smart Card (Possession).
12. Backup and Recovery Point Objective (RPO)
- RPO: Maximum acceptable amount of data loss measured in time.
- Daily incremental backups to cold storage for 24-hour RPO compliance.
13. Risk Response Types
- Mitigation, Acceptance, Transference, Avoidance.
14. Port and Vulnerability Scanners
- Techniques: Banner grabbing and response fingerprinting.
15. Identifying Attack Types
- Multiple login attempts with different passwords indicate brute force attacks.
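An added example (not part of the original guide) of turning the brute-force indicator above into detection logic: constructed sshd-style log lines are parsed, failed logins are counted per source and user inside a sliding window, and a later success from the same pair is recorded as a likely compromise. Log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from a real system).
LOG_LINES = [
    "2024-01-10T09:00:01 sshd[812]: Failed password for admin from 203.0.113.7 port 50112 ssh2",
    "2024-01-10T09:00:03 sshd[812]: Failed password for admin from 203.0.113.7 port 50113 ssh2",
    "2024-01-10T09:00:04 sshd[812]: Failed password for admin from 203.0.113.7 port 50114 ssh2",
    "2024-01-10T09:00:06 sshd[812]: Failed password for admin from 203.0.113.7 port 50115 ssh2",
    "2024-01-10T09:00:09 sshd[812]: Failed password for admin from 203.0.113.7 port 50116 ssh2",
    "2024-01-10T09:00:11 sshd[812]: Accepted password for admin from 203.0.113.7 port 50117 ssh2",
    "2024-01-10T09:30:00 sshd[901]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "2024-01-10T11:30:00 sshd[955]: Failed password for alice from 198.51.100.4 port 40002 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(line: str):
    """Return the fields we need from one log line, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}

def detect_brute_force(lines, threshold: int = 5, window=timedelta(minutes=5)) -> dict:
    """Flag (src, user) pairs with >= threshold failures inside `window`, and note
    whether a successful login from the same pair followed the burst."""
    failures = defaultdict(list)
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            # keep only failures still inside the window relative to this event
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[key]) >= threshold and key not in alerts:
                alerts[key] = {"failures": len(failures[key]), "success_after": False}
        elif key in alerts:
            alerts[key]["success_after"] = True   # burst followed by success: investigate
    return alerts
```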
16. Security Team Roles
- Red Team: Attack simulation.
- Blue Team: Defense.
- Purple Team: Hybrid of Red and Blue.
- White Team: Oversight and management.
17. CAN Bus and UEBA
- CAN Bus: Controls critical vehicle functions.
- UEBA: User and Entity Behavior Analytics.
18. Redirecting Traffic in Linux
- `echo 127.0.0.1 bruh.com >> /etc/hosts`: Redirects traffic for `bruh.com` to the local machine.
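From the defender's side, the override above is exactly what a hosts-file integrity check looks for. This added example (not from the original guide) parses constructed `/etc/hosts` content and flags watchlisted names that resolve to a loopback address or to an address other than the expected one. The watchlist, expected addresses and file content are assumptions.

```python
import ipaddress

# Constructed /etc/hosts content (not from a real host); the fourth line mirrors the command above.
HOSTS_FILE = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.5    intranet.example.internal
127.0.0.1   bruh.com
198.51.100.9 update.example.com   # comment kept out of parsing
"""

# Assumed watchlist: names whose local override would be suspicious in this environment.
WATCHLIST = {"bruh.com", "update.example.com", "login.example.com"}

def parse_hosts(text: str):
    """Yield (ip_address, [names]) for each non-comment line of a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        addr, *names = line.split()
        entries.append((ipaddress.ip_address(addr), names))
    return entries

def suspicious_entries(text: str, watchlist=WATCHLIST, expected=None):
    """Return (name, address, reason) for watchlisted names that are redirected.
    `expected` maps a name to the address it should resolve to, if known."""
    expected = expected or {}
    findings = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name not in watchlist:
                continue
            if addr.is_loopback or addr.is_unspecified:
                findings.append((name, str(addr), "redirected to loopback address"))
            elif name in expected and str(addr) != expected[name]:
                findings.append((name, str(addr), f"expected {expected[name]}"))
    return findings
```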
19. Risk Components
- Combination of vulnerability and threat forms a risk.
20. Memory Forensics Tools
- Windows: Memdump, Volatility framework, DumpIt, EnCase.
- Linux: `dd` command.
21. tcpdump Syntax
- Command for filtering data to/from a specific IP: `tcpdump -i eth0 host 10.10.1.1`.
22. Behavioral Analysis Tools
- Detect unexpected output from monitored applications.
23. Privilege Escalation
- Importance of securing against unauthorized privilege elevation.
24. Base64 Encoding
- Commonly used for data transformation to bypass network detection mechanisms.
25. Output Encoding
- Prevents execution of injection scripts by converting special characters into HTML-encoded equivalents.
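An added example (not from the original guide) showing the output-encoding rule above as a 'before' and 'after': the same page template once with untrusted input concatenated straight into markup, and once with the five HTML-significant characters converted to their entity equivalents at the sink. The encoder mirrors Python's `html.escape(quote=True)` mapping; the template and sample input are constructed for the illustration.

```python
# Entity mapping for the characters that can change meaning in an HTML text node
# or a quoted attribute value.
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}

def encode_html(value: str) -> str:
    """Replace special characters so the browser renders them as text, never as markup.
    One pass handles '&' together with the rest; encoding twice would double-encode."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)

def render_greeting_vulnerable(name: str) -> str:
    """'Before': untrusted input goes straight into the markup."""
    return f"<p>Hello, {name}!</p>"

def render_greeting_safe(name: str) -> str:
    """'After': the same template with output encoding applied at the sink."""
    return f"<p>Hello, {encode_html(name)}!</p>"

def contains_raw_script_tag(html: str) -> bool:
    """Crude demonstration check: does the output still carry a raw <script> tag?"""
    return "<script" in html.lower()

# Constructed sample input: the classic test string, not a real payload.
SAMPLE_NAME = '<script>alert("x")</script>'
```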
26. Data Management Roles
- Data Steward, Privacy Officer, Data Custodian, Data Owner.
27. Stress Testing
- Determines system limits under extreme conditions.
28. Reverse Proxy
- Directs traffic to internal services, acting as an intermediary.
29. Shodan.io
- Tool for assessing publicly facing attack surfaces.
30. Software Development Lifecycle (SDLC)
- Phases: Planning, Requirements, Design, Implementation, Testing, Deployment, Maintenance.
31. Zero-Day Vulnerabilities
- Importance of understanding that zero-days cannot be patched immediately.
32. Patch Management
- Validate patch installations in staging environments and communicate outages.
33. Netflow Analysis
- Sampling data to manage analysis load.
34. Linux Permissions
- Notation: Read (4), Write (2), Execute (1).
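An added example (not from the original guide) that applies the 4/2/1 weights above in both directions, converting the `rwx` triplets from `ls -l` to an octal mode and back, and then audits a constructed directory listing for world-writable files and files looser than a baseline. The listing and baseline are assumptions; setuid/setgid/sticky characters are deliberately not parsed.

```python
import re

BITS = {"r": 4, "w": 2, "x": 1}

def symbolic_to_octal(mode: str) -> int:
    """'rwxr-x---' -> 0o750, using the Read=4, Write=2, Execute=1 weights."""
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxr-xr--")
    digits = []
    for start in (0, 3, 6):                     # owner, group, other
        value = 0
        for ch, expected in zip(mode[start:start + 3], "rwx"):
            if ch == expected:
                value += BITS[ch]
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {mode!r}")
        digits.append(value)
    return digits[0] * 64 + digits[1] * 8 + digits[2]

def octal_to_symbolic(octal: int) -> str:
    """0o640 -> 'rw-r-----' (inverse of symbolic_to_octal)."""
    triplets = []
    for shift in (6, 3, 0):
        digit = (octal >> shift) & 0o7
        triplets.append("".join(ch if digit & BITS[ch] else "-" for ch in "rwx"))
    return "".join(triplets)

# Constructed `ls -l` output for illustration (not from a real host).
LS_OUTPUT = """\
-rw-r--r-- 1 root root   2847 Jan 10 09:00 /etc/passwd
-rw-r----- 1 root shadow 1203 Jan 10 09:00 /etc/shadow
-rwxrwxrwx 1 app  app     512 Jan 10 09:00 /opt/app/run.sh
-rw-rw-r-- 1 app  app     100 Jan 10 09:00 /opt/app/config.yml
"""

LS_RE = re.compile(r"^[-dl]([rwx-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$")

def audit_listing(listing: str, max_mode: int = 0o755) -> list:
    """Report files that are world-writable or carry bits not allowed by max_mode."""
    findings = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m:                               # skips lines with s/t bits or odd layout
            continue
        octal, path = symbolic_to_octal(m.group(1)), m.group(2)
        if octal & 0o002:
            findings.append(f"{path}: world-writable ({octal:03o})")
        elif octal & ~max_mode:
            findings.append(f"{path}: looser than {max_mode:03o} ({octal:03o})")
    return findings
```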
35. Data Loss Prevention (DLP)
- Importance in detecting potential data breaches or exfiltration.
36. Endpoint Security in SaaS
- Falls outside the SaaS provider's responsibilities.
37. Securing PLCs
- Isolation from internet access if vulnerable.
38. Data Volatility Levels
- Order (most to least volatile): CPU, RAM, Swap, Hard Drive.
39. Web Encryption
- TLS as the preferred secure protocol over SSLv3.
40. Email Investigation
- Importance of analyzing email headers.
41. Regular Expressions (Regex)
- Essential for pattern matching in various security contexts.
42. File Recovery Techniques
- File Carving: Extracting data from unallocated disk space.
43. eFUSE Technology
- Prevents firmware downgrades by permanently altering chip behavior.
44. Insecure Direct Object References
- Security risks in web applications.
45. Lost PII
- Considered a privacy breach.
46. Security through Obscurity
- Not a recommended security practice.
47. Locating Bash Shell in Linux
- `which bash`: Identifies execution path of bash shell.
48. Data Remanence Mitigation
- Full disk encryption as an effective strategy.
49. False Positive in Security Systems
- Incorrect identification of benign activities as threats.
50. Data Transfer Anomalies
- Sudden changes as indicators of potential security issues.
51. Enumeration in Reconnaissance
- First step in information gathering.
52. DevSecOps
- Integrates security into software development and system operations.
53. IP Syntax and ACLs
- Understanding correct syntax and the use of CIDR in access control lists.
54. Trusted Platform Modules (TPM)
- Provides hardware-based security, not user authentication.
55. Hybrid Attack Strategies
- Combining different attack methods for effectiveness.
56. Virustotal
- Tool for assessing file safety.
57. Email Authentication Technologies
- DKIM and DMARC for validating sender identity and domain protection.
58. URL Encoding
- `%40` represents the `@` symbol in hex code.
59. Compromised Email Servers
- Alternative communication methods if email security is breached.
60. Data Criticality Assessment
- Consider the type of data being processed.
61. Impossible Travel in Authentication
- Context-based authentication mechanism.
62. Cyber Kill Chain Phases
- Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.
63. Encryption Key Security
- Prioritizing the protection of encryption keys.
64. Configuration Scans
- Require proper credentials for thorough analysis.
65. Behavioral Anomalies
- Detection through indicators like impossible travel.
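For the impossible-travel mechanism named in items 61 and 65, this added example (not from the original guide) computes the great-circle distance between a user's consecutive logins over constructed, geolocated events and flags any pair whose implied speed exceeds a threshold. The events and the 1000 km/h threshold are assumptions.

```python
import math
from datetime import datetime

# Constructed login events: (user, ISO timestamp, latitude, longitude). Not real data.
LOGINS = [
    ("alice", "2024-01-10T08:00:00", 40.71, -74.01),   # New York
    ("alice", "2024-01-10T08:45:00", 51.51, -0.13),    # London, 45 minutes later
    ("bob",   "2024-01-10T09:00:00", 47.61, -122.33),  # Seattle
    ("bob",   "2024-01-10T21:00:00", 35.68, 139.69),   # Tokyo, 12 hours later
]

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(events, max_speed_kmh: float = 1000.0) -> list:
    """Flag a login whose distance from the user's previous login could not have been
    covered in the elapsed time (assumed threshold: 1000 km/h, above airliner speed).
    Returns (user, timestamp, distance_km, implied_speed_kmh) per flagged login."""
    last = {}
    alerts = []
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_lat, prev_lon = last[user]
            hours = (t - prev_t).total_seconds() / 3600
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            speed = dist / hours if hours > 0 else float("inf")   # same-second logins
            if speed > max_speed_kmh:
                alerts.append((user, ts, round(dist), round(speed) if hours > 0 else speed))
        last[user] = (t, lat, lon)
    return alerts
```

A production version would also discount VPN egress points and mobile carrier geolocation, which are the usual sources of false positives for this rule.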
66. Vulnerability Reports
- Should include both physical and virtual hosts.
67. Network Connection States
- "ESTABLISHED" indicates an active connection.
68. svchost.exe and Unauthorized Privileges
- Identification of abnormal processes and privilege escalations.
69. Impact Levels
- Limited Adverse Effect (Low), Serious (Medium), Severe (High).
70. Systemd and Log Analysis
- `journalctl` for viewing logs collected by systemd.
71. Organizational Policy Hierarchy
- Policy, Guideline, Standard, Procedure.
72. SDLC Model's Impact
- Not directly affecting attack surface; focuses on internal processes.
73. Tombstone Remediation
- In email DLP, replacing a policy-violating file with a tombstone placeholder.
74. Server Criticality Assessment
- Importance of analysis beyond server names.
75. Race Conditions
- Output depends on the relative timing of concurrent processes.