CompTIA CySA+ Certification Overview
64 Questions
Questions and Answers

CompTIA CySA+ is an intermediate level certification for ______ professionals.

IT

This certification focuses on capturing, monitoring, and responding to network ______ findings.

traffic

To take the exam, candidates typically need 3-4 years of ______ experience.

hands-on

CompTIA CySA+ consists of 4 domains, with the largest being Security ______.

Operations

The certification exam consists of 75 to 85 ______.

questions

To pass the exam, you must score at least ______ points out of 900.

750

You can purchase the exam voucher at ______.com.

storecomptia

The price of the exam voucher is around ______ dollars.

400

Exam tips include paying close attention to words in ______, italics, or all uppercase.

bold

Candidates are expected to know the proper syntax and how to use the ______ tool.

Nmap

The document has 18 families of ______ to make it easier to find controls.

controls

ISO 27001 is an international standard and a proprietary ______.

framework

Earlier versions of the NIST SP 800-53 used classes of ______.

controls

Technical Controls are implemented as a ______ (hardware, software, or firmware).

system

Operational Controls are implemented primarily by ______ rather than systems.

people

Preventative Control acts to eliminate or reduce the likelihood that an ______ can succeed.

attack

A ______ Control may not prevent access but will record any attempted or successful intrusion.

Detective

Corrective Controls act to eliminate or reduce the ______ of an intrusion event.

impact

A ______ Control discourages intrusion attempts.

Deterrent

A firewall is a system that monitors all incoming and outgoing ______.

network traffic

An Access Control List (ACL) specifies which network connections are ______ or denied.

permitted

Firewall logs can provide data on connections, port usage, bandwidth utilization, and ______ logs.

audit

Iptables is a Linux-based firewall that uses the ______ file format for its logs.

syslog

A Blinding Attack occurs when a firewall is ______ and cannot log data quickly enough.

under-resourced

A screened subnet exposes a company's external-facing services to an ______ network like the Internet.

untrusted

ACL rules are typically processed from ______-to-bottom, with more specific rules at the top.

top

Dropping traffic makes it harder for an adversary to identify ______ states accurately.

port

Egress Filtering applies ACL rules to traffic ______ a network.

leaving

Black Holes are used to mitigate ______ attacks by silently dropping traffic.

DoS

A Sinkhole directs flooding traffic to a different network for ______.

analysis

A forward proxy acts as an intermediary server, which can also filter or ______ communications.

modify

Web Application Firewalls are designed to protect web servers from attacks like ______ injection.

SQL

An Intrusion Detection System (IDS) is used to scan and monitor for signs of ______.

attacks

Proxies set up to intercept traffic can record the rule that a request matched to determine an employee's ______.

intent

The logs from a reverse proxy can be analyzed for indicators of ______ or compromise.

attack

Threat modeling is the process of identifying and assessing possible threat ______ and attack vectors.

actors

The ______ web contains sensitive information that is not meant to be searchable by the general public.

deep

An ______ is used in cybersecurity to detect threats that have not been identified by normal security monitoring.

attack vector

Threat hunting is potentially less disruptive than ______ testing.

penetration

Acquired, developed, advanced, and integrated types of capabilities are part of adversary ______.

capability

Google hacking uses special search ______ to locate vulnerable web servers and applications.

operators

A ______ transfer is a method used to replicate DNS databases across a set of DNS servers.

DNS zone

The dark web refers to a part of the deep web used for ______ activities.

illegal

Email harvesting is an OSINT technique used to gather email ______ for a domain.

addresses

Threat modeling can be applied to assess risks against corporate ______ in general on a large scale.

networks

AbuseIPDB is a community-driven database that tracks IP addresses reported for abusive ______.

behavior

Profiling threat ______ and activities involves scenarios showing how attackers might attempt an intrusion.

actors

The likelihood of a threat being realized is usually expressed as a ______.

percentage

Bug bounty programs allow companies to crowdsource security testing of their ______ services.

software

Antivirus (AV) is software capable of detecting and removing ______ infections.

virus

A type of IDS or IPS that monitors a computer system for unexpected behavior is called ______.

HIDS

Endpoint Protection Platform (EPP) performs multiple security tasks such as anti-virus, HIDS, and ______.

firewall

Sandboxing is a computing environment isolated from a ______ system.

host

Common sandbox tools include FLARE VM, Cuckoo, and ______.

Joe Sandbox

Reverse engineering involves analyzing the structure of ______ or software to understand how it functions.

hardware

Machine code is the binary code executed by the ______.

processor

A disassembler translates machine language into ______ language.

assembly

Strings in malware can be used as ______ for rule-based detection.

signature

A program packer compresses an executable and contains code to ______ the executable.

decompress

Malware exploitation describes the specific ______ by which malware code infects a target host.

method

Advanced threat protection (ATP) is a hybrid of EPP, EDR, and ______.

UEBA

Reverse engineers often learn patterns used by ______ in malware to trace code origins.

writers

File signatures, or magic numbers, indicate the type of ______ being processed.

file

Many proprietary software applications also use packing to deter theft and ______.

piracy

Study Notes

CompTIA CySA+ Overview

  • CompTIA CySA+ is an intermediate-level certification for IT professionals, focusing on network traffic analysis, software and application security, threat hunting, and IT regulatory compliance.
  • Designed for IT or Cybersecurity professionals with experience in Network+, Security+, or equivalent.
  • Certification requires at least 3-4 years of hands-on experience in Cybersecurity.
  • Includes 4 domains: Security Operations (33%), Vulnerability Management (30%), Incident Response Management (20%), Reporting and Communication (17%).

Certification Exam

  • Exam includes multiple-choice and performance-based questions (PBQs)
  • 75 to 85 questions in total
  • To pass, a score of at least 750 points out of 900 possible points is required.
  • Exam vouchers can be purchased from CompTIA store for around $400.
  • Discounts may be available through third-party providers.
  • Exam vouchers are valid for 11-12 months after purchase.

Exam Tips

  • Pay close attention to bolded, italicized, or capitalized words.
  • Select answers that are correct for the most cases.
  • Avoid fighting with the questions.
  • Focus on understanding concepts and tools, not just memorizing terms.
  • Familiarize yourself with the purpose, syntax, and output of the Nmap tool.

NIST SP 800-53

  • A cybersecurity framework that uses 18 families of controls to help classify controls
  • Example families include: Access Control (AC), Accountability (AA), Incident Response (IR), Risk Management (RA)
  • ISO 27001 is an international standard and proprietary framework
  • Older versions of NIST SP 800-53 used classifications (technical, operational, and managerial); newer versions do not

Technical Controls

  • A category of security control that is implemented as a system (hardware, software, or firmware)

Operational Controls

  • A category of security control that is implemented primarily by people rather than systems

Managerial Controls

  • A category of security control that provides oversight of the information system

Security Controls Functional Types

  • A control that reduces the likelihood that an attack can succeed is a preventative control
  • A control that identifies and records any attempted or successful intrusion is a detective control
  • A control that eliminates or reduces the impact of an intrusion event is a corrective control

Additional Control Types

  • A type of security control that acts against in-person intrusion attempts is a physical control
  • A type of security control that discourages intrusion attempts is a deterrent control
  • A type of security control that acts as a substitute for a principal control is a compensating control
  • A system that actively monitors for potential vulnerabilities or attacks, and then takes action to mitigate them before they can cause damage, is a responsive control

Firewall

  • A system that monitors all incoming and outgoing network traffic and blocks suspicious traffic

Intrusion Prevention System (IPS)

  • A device that monitors network traffic for patterns that indicate an intrusion is occurring, such as repeated failed log-on attempts

Threat Modeling

  • The process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system
  • It considers both the defender’s point of view and the attacker’s point of view

Main Areas to Consider During Threat Modeling

  • Adversary Capability is a formal classification of the resources and expertise available to a threat actor
    • Types of capabilities include acquired and augmented, developed, advanced, and integrated
  • Attack Surface is the point at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor
    • Areas to consider when modeling your attack surfaces include the holistic network, websites or cloud-services, and custom software applications
  • Attack Vector is a specific path by which a threat actor gains unauthorized access to a system
    • Types of attack vectors include cyber, human, and physical

Additional Considerations During Threat Modeling

  • Likelihood is the chance of a threat being realized, usually expressed as a percentage
  • Impact is the cost of a security incident or disaster scenario, usually expressed as a monetary cost (dollars)

Threat Hunting

  • A cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring
  • It is potentially less disruptive than penetration testing

Steps Involved in Threat Hunting

  • Hypothesis is derived from the threat modeling and is based on potential events with higher likelihood and higher impact
  • Profiling Threat Actors and Activities involves the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be

Threat Hunting Process

  • Analyze network traffic
  • Analyze the executable process list
  • Analyze other infected hosts
  • Identify how the malicious process was executed

Benefits of Threat Hunting

  • Improve detection capabilities
  • Integrate intelligence
  • Reduce attack surface
  • Block attack vectors
  • Identify critical assets

Open-Source Intelligence (OSINT)

  • Publicly available information plus the tools used to aggregate and search it

OSINT Uses

  • Publicly Available Information
  • Social Media
  • Dating Sites
  • HTML Code
  • Metadata

Google Hacking

  • An open-source intelligence technique that uses Google search operators to locate vulnerable web servers and applications

Google Hacking Methods

  • Quotes “ ”
  • NOT
  • AND/OR
  • Scope
  • URL Modifier

Google Hacking Database (GHDB)

  • Provides a database of search strings optimized for locating vulnerable websites and services

Shodan

  • Search engine optimized for identifying vulnerable Internet-attached devices

Profiling Techniques

  • Email Harvesting is an Open-Source Intelligence (OSINT) technique used to gather email addresses for a domain
  • Once a list has been created, it can be used in social engineering attempts

Email Harvesting Tools

  • Pipl.com
  • Peekyou.com
  • Echosec.net

The Harvester

  • A command line tool used by penetration testers

Harvesting Techniques

  • Whois is a public listing of all registered domains and their registered administrators
  • DNS Zone Transfer is a method of replicating DNS databases across a set of DNS servers that is often used during the reconnaissance phase of an attack
  • DNS Harvesting uses Open-Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on

Website Harvesting

  • A technique used to copy the source code of website files to analyze for information and vulnerabilities

AbuseIPDB

  • A community-driven database that keeps track of IP addresses reported for abusive behavior

Benefits of AbuseIPDB

  • Enables organizations to take a proactive approach to their cybersecurity
  • Database is constantly being updated with new information from a global community of users
  • Monitors for suspicious activity
  • Individuals can use the database to research IP addresses

AbuseIPDB Considerations

  • Information in the AbuseIPDB is not considered to be 100% reliable
  • Use cautiously in conjunction with other security measures

Deep Web

  • Portion of the Internet not indexed by search engines, which includes private databases, subscription-based websites, and other content that is not publicly accessible
  • Includes medical and scientific research, university libraries, and government databases
  • Can contain sensitive information that is not meant to be searchable by the general public
  • Can be used as a source of information to gather intelligence on potential threats

Dark Web

  • Refers to a specific part of the deep web that's used for illegal activities, such as the buying and selling of drugs, weapons, and stolen personal information, such as credit card data
  • Considered a criminal haven and a high-risk area where hacking and illicit activities occur
  • Accessing the dark web without proper knowledge and precautions can put the user at risk of encountering illegal activities, malware, or being targeted by cyber criminals
  • Can be used to monitor stolen data or information related to the organization
  • Can also be used to track the activities of known or suspected cybercriminal groups, to identify any patterns or trends in their methods and techniques
  • Can track the prices and availability of tools and services commonly used in cyber attacks
  • Monitors for stolen data and tracks the activities of cybercriminals

Bug Bounty

  • A way for companies to crowdsource security testing of their software services and applications to identify and address potential security issues

Ways to Participate in Bug Bounty

  • Find and report problems in your own systems
  • Show your skills and gain recognition in the cyber security community

Bug Bounty Considerations

  • Approach testing in a responsible and ethical manner
  • Avoid causing harm or disruption to systems, applications, or services
  • Obtain necessary permissions (legal agreements like NDAs), and use a robust system for tracking, triaging, and remediating vulnerabilities
  • Register with the company ahead of time, otherwise you could be considered a malicious hacker

Quiz Team

Description

Explore the CompTIA CySA+ certification, designed for IT and Cybersecurity professionals with a focus on threat detection and compliance. This quiz covers exam details, domains included, and essential tips for preparation. Ideal for those with prior experience in Network+ or Security+.
