CompTIA CySA+ Certification

Questions and Answers

A security analyst notices unusual network traffic originating from a server that typically only communicates internally. Which of the following actions would be the MOST appropriate first step?

  • Immediately isolate the server from the network.
  • Analyze the network traffic to identify the destination and type of data being transmitted. (correct)
  • Consult threat intelligence feeds for known malware signatures.
  • Run a full antivirus scan on all systems on the network.

During a penetration test, a tester successfully exploits a vulnerability in a web application due to a publicly known exploit. What security practice would BEST prevent this type of incident in the future?

  • Enforcing multi-factor authentication for all user accounts.
  • Implementing a web application firewall (WAF).
  • Regularly conducting vulnerability scans and patching systems. (correct)
  • Implementing network segmentation to isolate the web server.

Following a successful phishing attack, an attacker gained access to an employee's email account and sent malicious emails to other employees. Which incident response phase should be prioritized FIRST?

  • Identification
  • Eradication
  • Recovery
  • Containment (correct)

An organization wants to improve its security posture by implementing the principle of least privilege. Which of the following actions BEST reflects this principle?

  • Providing users with only the minimum necessary access rights to perform their job duties. (D) (correct)

A security analyst is reviewing logs from a web server and notices a large number of failed login attempts from various IP addresses. What type of attack is MOST likely occurring?

  • Brute-force attack (C) (correct)

An organization is implementing a SIEM system. Which of the following data sources would provide the MOST valuable information for detecting security incidents?

  • Network firewall logs, intrusion detection system (IDS) alerts, and server audit logs (A) (correct)

During incident response, what is the PRIMARY purpose of maintaining a strict chain of custody for evidence?

  • To prevent unauthorized access, modification, or destruction of evidence, ensuring its admissibility in court. (A) (correct)

Which of the following security architecture principles involves implementing multiple layers of security controls to protect against a variety of threats?

  • Defense in depth (D) (correct)

A security analyst is tasked with improving the organization's vulnerability management program. Which of the following actions should be performed FIRST?

  • Perform a comprehensive vulnerability scan of all systems. (D) (correct)

An organization experienced a data breach. During the post-incident activity phase, what is the MOST important objective?

  • Implement improvements to prevent similar incidents from occurring in the future. (D) (correct)

Flashcards

CompTIA CySA+

A security analyst certification validating data analysis and threat intelligence skills.

Threat intelligence

Collecting, analyzing, and disseminating information about potential or current threats.

Threat hunting

Proactively searching for cyber threats that are lurking undetected in a network.

Indicators of Compromise (IOCs)

Artifacts on a network indicating a potential intrusion or malicious activity.

Vulnerability Management

Identifying, classifying, remediating, and mitigating vulnerabilities within an IT environment.

Penetration testing

Simulates a real-world attack to identify exploitable weaknesses in a system.

Remediation

Applying patches, configuration changes, or other measures to address identified vulnerabilities.

Cyber Incident Response

Identifying, containing, eradicating, and recovering from security incidents.

Security architecture

Principles include defense in depth, least privilege, and separation of duties.

Network segmentation

Dividing a network into smaller, isolated segments to limit the impact of a security breach.

Study Notes

  • CompTIA CySA+ is a security analyst certification that validates the knowledge and skills required to perform data analysis and threat intelligence.
  • Designed for IT professionals with 3-4 years of hands-on information security or related experience.
  • Focuses on applying behavioral analytics to networks and devices to prevent, detect, and combat cybersecurity threats.

Exam Details

  • The CySA+ exam code is CS0-003.
  • It covers five domains: Threat Management, Vulnerability Management, Cyber Incident Response, Security Architecture and Tools, and Security Operations.
  • The exam consists of a maximum of 85 multiple-choice and performance-based questions.
  • Candidates have 165 minutes to complete the exam.
  • A passing score is 750 (on a scale of 100-900).

Threat Management

  • Involves understanding threat intelligence, threat hunting, and security information and event management (SIEM).
  • Threat intelligence is the process of collecting, analyzing, and disseminating information about potential or current threats.
  • Threat hunting proactively searches for cyber threats that are lurking undetected in a network.
  • SIEM systems aggregate and analyze log data from various sources to identify security incidents.
  • Security analysts use threat models such as MITRE ATT&CK to better understand adversary tactics and techniques.
  • Indicators of Compromise (IOCs) are artifacts observed on a network or in a system that indicate a potential intrusion or malicious activity.
  • Examples of IOCs include unusual network traffic, unexpected registry changes, and the presence of malware signatures.
  • Behavioral analysis is used to identify anomalous activity that may indicate a security threat.

Vulnerability Management

  • The process of identifying, classifying, remediating, and mitigating vulnerabilities within an IT environment.
  • Vulnerability scanning tools are used to identify known vulnerabilities in systems and applications.
  • Penetration testing simulates a real-world attack to identify exploitable weaknesses in a system.
  • Risk assessments are conducted to evaluate the potential impact and likelihood of a security breach.
  • Remediation involves applying patches, configuration changes, or other measures to address identified vulnerabilities.
  • Mitigation involves implementing controls to reduce the likelihood or impact of a successful attack.
  • Configuration management ensures that systems are configured securely and in accordance with security policies.
  • Common vulnerabilities include software flaws, misconfigurations, and weak passwords.
  • Security analysts must understand the different types of vulnerabilities and how to prioritize remediation efforts.

Cyber Incident Response

  • Involves identifying, containing, eradicating, and recovering from security incidents.
  • Incident response plans define the roles, responsibilities, and procedures for responding to security incidents.
  • The incident response process typically involves the following stages: preparation, identification, containment, eradication, recovery, and lessons learned.
  • Forensics is the process of collecting and analyzing evidence to determine the cause and scope of a security incident.
  • Chain of custody ensures that evidence is properly handled and preserved to maintain its admissibility in court.
  • Communication is a critical aspect of incident response, involving internal stakeholders, external parties, and law enforcement.
  • Post-incident activity involves documenting lessons learned and implementing improvements to prevent future incidents.

Security Architecture and Tools

  • Designing and implementing secure network architectures, selecting and deploying security tools, and integrating security controls.
  • Security architecture principles include defense in depth, least privilege, and separation of duties.
  • Security tools include firewalls, intrusion detection/prevention systems (IDS/IPS), antivirus software, and endpoint detection and response (EDR) solutions.
  • Network segmentation involves dividing a network into smaller, isolated segments to limit the impact of a security breach.
  • Access control mechanisms enforce policies that restrict access to sensitive resources.
  • Encryption is used to protect data at rest and in transit.
  • Security analysts must understand how to select, configure, and manage security tools to protect the organization's assets.
  • Cloud security involves implementing security controls to protect data and applications in cloud environments.

Security Operations

  • Daily activities involved in monitoring, analyzing, and responding to security events.
  • Log management involves collecting, storing, and analyzing log data from various sources.
  • Security monitoring tools provide real-time visibility into network and system activity.
  • SIEM systems correlate and analyze security events to identify potential threats.
  • Security analysts use threat intelligence feeds to stay informed about the latest threats and vulnerabilities.
  • Automation can be used to streamline security operations and improve efficiency.
  • Key performance indicators (KPIs) are used to measure the effectiveness of security operations.
  • Security analysts must be able to identify and respond to security incidents in a timely and effective manner.
  • Compliance is an important consideration in security operations, ensuring that the organization meets regulatory requirements.

Key Skills for CySA+ Professionals

  • Data analysis: Analyzing security data to identify trends, patterns, and anomalies.
  • Threat intelligence: Gathering and analyzing information about potential or current threats.
  • Vulnerability management: Identifying and remediating vulnerabilities in systems and applications.
  • Incident response: Responding to security incidents in a timely and effective manner.
  • Security architecture: Designing and implementing secure network architectures.
  • Security tools: Selecting, configuring, and managing security tools.
  • Communication: Communicating effectively with stakeholders about security issues.
  • Problem-solving: Identifying and solving complex security problems.
  • Critical thinking: Evaluating information and making informed decisions.
  • Collaboration: Working effectively with other IT professionals and business stakeholders.