CompTIA Cybersecurity Analyst CySA+ Certification Exam Preparation Tips and Tricks

So what is a Cybersecurity Analyst? 

A Cybersecurity Analyst is a professional who helps design and implement security systems to protect an organization's computer networks from cyber attacks.

The CompTIA Cybersecurity Analyst (CySA+) certification is an international, vendor-neutral cybersecurity certification that applies behavioral analytics to improve the overall state of IT security. CySA+ validates critical knowledge and skills that are required to prevent, detect and combat cybersecurity threats. 

Take the CySA Crash Course on TechCommanders 

What does the exam help you validate for skillsets? 

The CySA+ is for IT professionals looking to gain the following security analyst skills:

• Configure and use threat detection tools.
• Perform data analysis.
• Interpret the results to identify vulnerabilities, threats and risks to an organization.

• Identify tools and techniques to use to perform an environmental reconnaissance of a target network or security system.
• Collect, analyze, and interpret security data from multiple log and monitoring sources.
• Use network host and web application vulnerability assessment tools and interpret the results to provide effective mitigation.
• Understand and remediate identity management, authentication, and access control issues.
• Participate in a senior role within an incident response team and use forensic tools to identify the source of an attack.
• Understand the use of frameworks, policies, and procedures and report on security architecture with recommendations for effective compensating controls

Tips and Trick to know before taking the exam!

Tip # 1 GET TO KNOW NIST FRAMEWORK

• http://csrc.nist.gov/groups/SMA/fisma/assessment.html

• Guide for Assessing the Security Controls in Federal Information Systems and Organizations

• The purpose of NIST Special Publication 800-53A (as amended) is to establish common assessment procedures to assess the effectiveness of security controls in federal information systems, specifically those controls listed in NIST Special Publication 800-53 (as amended), 

Tip # 2 GET TO KNOW FIPS 200 FRAMEWORK

• ESSENCE OF FIPS 200 - MINIMUM SECURITY REQUIREMENTS FOR FEDERAL INFORMATION AND INFORMATION SYSTEMS
• FIPS 200 defines following 17 security areas covered under confidentiality, integrity, and availability (CIA) of federal information systems and the information processed, stored, and transmitted by those systems.
• For the actual requirements, it refers to NIST Special Publication 800-53 and says that federal agencies must meet its requirements. https://doi.org/10.6028/NIST.FIPS.200

Tip # 3 GET TO KNOW The Federal Information Security Management Act of 2002

This act was updated in Public Law 113 to Federal Information Security Modernization Act of 2014.  For more information, see http://csrc.nist.gov/groups/SMA/fisma/overview.html.

• Protecting the Nation's Critical Information Infrastructure

Take the CySA Crash Course on TechCommanders 

Tip # 4 GET TO KNOW SNORT

Snort is a packet sniffer that monitors network traffic, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.

Snort is one of the leading tools among enterprise intrusion prevention and detection tools, users can compile Snort on most Linux operating systems (OSes) or Unix.

Tip # 5 GET TO KNOW Wireshark 

https://wireshark.org 

 Wireshark is an open-source and free network analyzer. It’s a piece of software that allows you to capture data packets from a private or public network connection. Wireshark also gives you the freedom to browse the data traffic going through the network and interact with it in real-time.

Tip # 6 GET TO KNOW Solarwinds 

https://www.solarwinds.com/ 

SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months.

Foreign hackers, who some top US officials believe are from Russia, were able to use the hack to spy on private companies like the elite cybersecurity firm FireEye and the upper echelons of the US Government, including the Department of Homeland Security and Treasury Department. 

Tip # 7 GET TO KNOW SPLUNK

 https://www.splunk.com/ 

Splunk is an analytics-driven SIEM tool that collects, analyzes, and correlates high volumes of network and other machine data in real-time.

Tip # 8 GET TO NAGIOS 

https://www.nagios.org/ 

Nagios is a widely used open source monitoring system for computer systems. It was designed to run on the Linux operating system and can monitor devices running Linux, Windows and Unix operating systems (OSes). Nagios software runs periodic checks on critical parameters of application, network and server resources.

 Take the CySA Crash Course on TechCommanders 

Tip # 9 GET TO BRO

Tip # 10 GET TO LEARN NMAP Commands

https://nmap.org/ 

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

TCP SYN (-sS) - half-open scanning

TCP connect (-sT) - if privileged driver access is not available, Nmap has to use the OS to attempt a full TCP connection

TCP flags - set TCP headers in unusual ways

Null (-sN)

FIN (-sF)

Xmas scan (-sX)

UDP scans (-sU)

Port range (-p)

IDS Intrusion Detection Systems

• Snort

      Open-source with binaries for most OS

     Subscription-based or community-authored ruleset updates

     IPS capabilities

• Sourcefire
• Bro Network Security Monitor
• Using regular expressions (regex

Types of IDS

• Signature-based
• Behavior-based (baseline and heuristics)
• Anomaly-based

Comparing Analysis Methods

• Signature-based detection

Only as good as last update

Malware can use code obfuscation / encryption to evade detection

Signatures do not identify every tool available to adversaries

• Behavior-based detection

More comprehensive response

Difficult to tune (eliminate false positives)

 Firewall Tasks

• Know what are the basics of Firewall Configurations
• Types of firewall to deploy (perimeter, LAN segment, host, application)
• Ruleset (tuples) and implicit deny (drop / reject)
• Firewalking

Know the Firewall Protocols

• IP (Internet Protocol) - the main delivery system for information over the Internet
• TCP (Transmission Control Protocol) - used to break apart and rebuild information that travels over the Internet
• HTTP (Hyper Text Transfer Protocol) - used for Web pages
• FTP (File Transfer Protocol) - used to download and upload files
• UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video
• ICMP (Internet Control Message Protocol) - exchange the information with other routers
• SMTP (Simple Mail Transport Protocol) - used to send text-based information (e-mail)
• SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer
• Telnet - used to perform commands on a remote computer

 Firewall Logging

• Incoming and outgoing logging review
• What do you log.. Do you Log everything?
• Events per second
• Storage capacity
• Denied incoming – identify attempted scans and intrusions
• Accepted incoming – identify suspicious traffic patterns
• Accepted outgoing – identify malware operating on the local network / data breach, …
• Denied outgoing – identify malware attempting to connect to the Internet
• Check Resources, filter verbose events (debug, informational, notifications)

 https://www.techcommanders.com/IT-security-courses

Firewall Vendors

• Cisco

     - PIX (Private Internet eXchange)

     -  Adaptive Security Appliance (ASA)

• Juniper Networks (SRX)
• Vendors (IBM, HP, Dell)
• Check Point
• Palo Alto

Firewall Proxy 

• Outbound proxy
• Force clients to connect to web / mail services via the proxy
• Proxy can filter traffic and strip out malformed packets
• Transparent or non-transparent (client must be configured with proxy IP and port)
• Inbound (reverse) proxy
• Publishes content from a protected private server to a public (internet-facing) server
• Again, can filter requests for malicious content

DOD and ISO

• CySA+ is ISO/ANSI 17024 accredited and is approved by the U.S. Department of Defense (DoD) for directive 8140/8570.01-M requirements. 
• https://certification.comptia.org/it-career-news/post/view/2015/09/11/what-are-u-s-dod-8140-8570-and-8570-01-m-and-what-do-they-mean-for-your-career-
• The DoD 8570 Information Assurance Training, Certification and Workforce Management program addresses this threat by proactively educating and certifying commercial contractors, and military and civilian personnel to perform their critical duties as Information Assurance professionals.
• Under the 8570 Mandate, all personnel with "privileged access" to DoD systems must obtain an ANSI-approved commercial certification.

Take the CySA Crash Course on TechCommanders 

 Review Questions

1. What are the six rules of engagement for pen testing?

  ---   Timing, scope, authorization, exploitation, communication, and reporting

2. What classes of security control are identified by the CSA+ syllabus? ------

   --- Physical, logical, and administrative

3. What is firewalking in the security industry?

--- Its a technique for probing the rules configured on a firewall.

4. What are the TWO principal factors involved in calculating risk?

--- Likelihood

----Impact

5. What type of policy might include or supplement a BYOD policy?

----  AUP Acceptable Use Policy

6. What part of the NIST Cybersecurity Framework is used to provide a statement of current cybersecurity outcomes?

----  Framework Profile

Test Tips

Know the correct flow of the Kill Chain.

• Planning, reconnaissance, weaponization / exploit, lateral discovery, data exfiltration, retreat

Know the function –A in NMAP.

• Performs service detection (verify that the packets delivered over a port correspond to the "well known" protocol associated with that port) and version detection (using the scripts marked "default").

Know the tools for passive social recon

• Web search ("Google Hacking"), email harvesting, social media harvesting, DNS harvesting, and website ripping

Know the Security Controls

• Physical, Logical and administrative

Know the Security Controls defined as:

• Terms of their function (preventive, detective, deterring, and so on). A Course of Action matrix maps the controls available for each type of function to adversary tools and tactics.

What are the three main types of fuzzer?

• Application UI, protocol, and file format.

What type of reverse engineering tool recovers the programming language source code from a binary file?

• Decompiler

What is Firewalking

•  A technique for probing the rules configured on a firewall 

Know about why to use Sysinternals.

•  Sysinternals Suite contains a number of tools for investigating the properties of Windows hosts. You can use the tools to investigate processes, autoruns, access permissions, and so on.

END  comptia cybersecurity analyst (cysa+) exam cost  comptia cysa+ exam objectives