download.e-bookshelf.de · cybersecurity analyst (cysa + ... by any means, electronic, mechanical,...



CompTIA® Cybersecurity Analyst (CySA+™) Study Guide

Exam CS0-001

Mike Chapple

David Seidl


Senior Acquisitions Editor: Kenyon Brown
Development Editor: David Clark
Technical Editor: Robin Abernathy
Production Editor: Rebecca Anderson
Copy Editor: Elizabeth Welch
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Kim Wimpsett
Indexer: Ted Laux
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: ©Getty Images Inc./Jeremy Woodhouse

Copyright © 2017 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-34897-9
ISBN: 978-1-119-34991-4 (ebk.)
ISBN: 978-1-119-34988-4 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2017935704

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA and CySA+ are trademarks or registered trademarks of CompTIA Properties, LLC. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1


I dedicate this book to my father, who was a role model of the value of hard work, commitment to family, and the importance of doing the right thing. Rest in peace, Dad.

—Mike Chapple

This book is dedicated to Ric Williams, my friend, mentor, and partner in crime through my first forays into the commercial IT world. Thanks for making my job as a “network janitor” one of the best experiences of my life.

—David Seidl


Acknowledgments

Books like this involve work from many people, and as authors, we truly appreciate the hard work and dedication that the team at Wiley shows. We would especially like to thank senior acquisitions editor Kenyon Brown. We have worked with Ken on multiple projects and consistently enjoy our work with him.

We also greatly appreciated the editing and production team for the book, including David Clark, our developmental editor, who brought years of experience and great talent to the project, Robin Abernathy, our technical editor, who provided insightful advice and gave wonderful feedback throughout the book, and Becca Anderson, our production editor, who guided us through layouts, formatting, and final cleanup to produce a great book. We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.

Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.

Finally, we would like to thank our families and significant others who support us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.


About the Authors

Mike Chapple, Ph.D., CySA+, is author of the best-selling CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2015) and the CISSP (ISC)2 Official Practice Tests (Sybex 2016). He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as senior director for IT Service Delivery at the University of Notre Dame. In this role, he oversees the information security, data governance, IT architecture, project management, strategic planning, and product management functions for Notre Dame. Mike also serves as Associate Teaching Professor in the university’s IT, Analytics, and Operations department, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.

Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.

Mike is technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University. Mike holds the Cybersecurity Analyst+ (CySA+), Security+, and Certified Information Systems Security Professional (CISSP) certifications.

David Seidl is the senior director for Campus Technology Services at the University of Notre Dame. As the senior director for CTS, David is responsible for central platform and operating system support, database administration and services, identity and access management, application services, email and digital signage, and document management.

During his over 20 years in information technology, he has served in a variety of leadership, technical, and information security roles, including leading Notre Dame’s information security team as Notre Dame’s director of information security. He currently teaches a popular course on networking and security for Notre Dame’s Mendoza College of Business and has written books on security certification and cyberwarfare, including co-authoring CISSP (ISC)2 Official Practice Tests (Sybex 2016).

David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University, as well as CISSP, GPEN, and GCIH certifications.


Contents at a Glance

Introduction xxvii

Assessment Test xlv

Chapter 1 Defending Against Cybersecurity Threats  1

Chapter 2 Reconnaissance and Intelligence Gathering  33

Chapter 3 Designing a Vulnerability Management Program 75

Chapter 4 Analyzing Vulnerability Scans  103

Chapter 5 Building an Incident Response Program  143

Chapter 6 Analyzing Symptoms for Incident Response 169

Chapter 7 Performing Forensic Analysis 207

Chapter 8 Recovery and Post-Incident Response 245

Chapter 9 Policy and Compliance 269

Chapter 10 Defense-in-Depth Security Architectures 293

Chapter 11 Identity and Access Management Security  329

Chapter 12 Software Development Security 371

Chapter 13 Cybersecurity Toolkit  401

Appendix A Answers to the Review Questions 437

Appendix B Answers to the Lab Exercises 461

Index 475


Contents

Introduction xxvii

Assessment Test xlv

Chapter 1 Defending Against Cybersecurity Threats 1
    Cybersecurity Objectives 2
    Evaluating Security Risks 3
        Identify Threats 5
        Identify Vulnerabilities 7
        Determine Likelihood, Impact, and Risk 7
        Reviewing Controls 8
    Building a Secure Network 8
        Network Access Control 9
        Firewalls and Network Perimeter Security 10
        Network Segmentation 13
        Defense through Deception 14
    Secure Endpoint Management 15
        Hardening System Configurations 15
        Patch Management 15
        Group Policies 16
        Endpoint Security Software 17
    Penetration Testing 17
        Planning a Penetration Test 18
        Conducting Discovery 18
        Executing a Penetration Test 19
        Communicating Penetration Test Results 20
        Training and Exercises 20
    Reverse Engineering 20
        Isolation and Sandboxing 21
        Reverse Engineering Software 21
        Reverse Engineering Hardware 22
    Summary 23
    Exam Essentials 24
    Lab Exercises 25
        Activity 1.1: Create an Inbound Firewall Rule 25
        Activity 1.2: Create a Group Policy Object 25
        Activity 1.3: Write a Penetration Testing Plan 26
        Activity 1.4: Security Tools 27
    Review Questions 28

Chapter 2 Reconnaissance and Intelligence Gathering 33
    Footprinting 34
        Active Reconnaissance 35
        Mapping Networks and Discovering Topology 35
        Port Scanning and Service Discovery Techniques and Tools 37
    Passive Footprinting 43
        Log and Configuration Analysis 43
        Harvesting Data from DNS and Whois 51
        Information Aggregation and Analysis Tools 58
        Information Gathering Using Packet Capture 58
    Gathering Organizational Intelligence 59
        Organizational Data 59
        Electronic Document Harvesting 60
    Detecting, Preventing, and Responding to Reconnaissance 63
        Capturing and Analyzing Data to Detect Reconnaissance 63
        Preventing Reconnaissance 65
    Summary 66
    Exam Essentials 67
    Lab Exercises 68
        Activity 2.1: Port Scanning 68
        Activity 2.2: Write an Intelligence Gathering Plan 68
        Activity 2.3: Intelligence Gathering Techniques 69
    Review Questions 70

Chapter 3 Designing a Vulnerability Management Program 75
    Identifying Vulnerability Management Requirements 76
        Regulatory Environment 76
        Corporate Policy 79
        Identifying Scan Targets 80
        Determining Scan Frequency 81
    Configuring and Executing Vulnerability Scans 83
        Scoping Vulnerability Scans 83
        Configuring Vulnerability Scans 84
        Scanner Maintenance 88
    Developing a Remediation Workflow 90
        Reporting and Communication 91
        Prioritizing Remediation 94
        Testing and Implementing Fixes 94
    Overcoming Barriers to Vulnerability Scanning 95
    Summary 96
    Exam Essentials 97
    Lab Exercises 98
        Activity 3.1: Installing a Vulnerability Scanner 98
        Activity 3.2: Running a Vulnerability Scan 98
    Review Questions 99

Chapter 4 Analyzing Vulnerability Scans 103
    Reviewing and Interpreting Scan Reports 104
        Understanding CVSS 106
    Validating Scan Results 111
        False Positives 112
        Documented Exceptions 112
        Understanding Informational Results 112
        Reconciling Scan Results with Other Data Sources 114
        Trend Analysis 114
    Common Vulnerabilities 115
        Server and Endpoint Vulnerabilities 116
        Network Vulnerabilities 123
        Virtualization Vulnerabilities 129
        Internet of Things (IoT) 130
        Web Application Vulnerabilities 131
    Summary 134
    Exam Essentials 135
    Lab Exercises 136
        Activity 4.1: Interpreting a Vulnerability Scan 136
        Activity 4.2: Analyzing a CVSS Vector 136
        Activity 4.3: Remediating a Vulnerability 137
    Review Questions 138

Chapter 5 Building an Incident Response Program 143
    Security Incidents 144
    Phases of Incident Response 145
        Preparation 146
        Detection and Analysis 146
        Containment, Eradication, and Recovery 148
        Post-Incident Activity 148
    Building the Foundation for Incident Response 150
        Policy 150
        Procedures and Playbooks 151
        Documenting the Incident Response Plan 151
    Creating an Incident Response Team 152
        Incident Response Providers 153
        CSIRT Scope of Control 154
    Coordination and Information Sharing 154
        Internal Communications 155
        External Communications 155
    Classifying Incidents 155
        Threat Classification 156
        Severity Classification 157
    Summary 160
    Exam Essentials 161
    Lab Exercises 162
        Activity 5.1: Incident Severity Classification 162
        Activity 5.2: Incident Response Phases 162
        Activity 5.3: Developing an Incident Communications Plan 163
    Review Questions 164

Chapter 6 Analyzing Symptoms for Incident Response 169
    Analyzing Network Events 170
        Capturing Network Events 170
        Network Monitoring Tools 174
        Detecting Common Network Issues 179
    Handling Network Probes and Attacks 183
        Detecting Scans and Probes 183
        Detecting Denial-of-Service and Distributed Denial-of-Service Attacks 184
        Detecting Other Network Attacks 186
        Detecting and Finding Rogue Devices 187
    Investigating Host Issues 188
        System Resources 189
        Malware and Unauthorized Software 192
        Unauthorized Access, Changes, and Privileges 193
    Investigating Service and Application Issues 194
        Application and Service Monitoring 194
        Application and Service Issue Response and Restoration 196
        Detecting Attacks on Applications 197
    Summary 198
    Exam Essentials 198
    Lab Exercises 199
        Activity 6.1: Identify a Network Scan 199
        Activity 6.2: Write a Service Issue Response Plan 200
        Activity 6.3: Security Tools 201
    Review Questions 202

Chapter 7 Performing Forensic Analysis 207
    Building a Forensics Capability 208
        Building a Forensic Toolkit 208
        Training and Certification 212
    Understanding Forensic Software 212
        Capabilities and Application 212
    Conducting a Forensic Investigation 216
        The Forensic Process 216
        Target Locations 218
        Acquiring and Validating Drive Images 219
        Imaging Live Systems 224
        Acquiring Other Data 225
    Forensic Investigation: An Example 229
        Importing a Forensic Image 229
        Analyzing the Image 231
        Reporting 234
    Summary 236
    Exam Essentials 236
    Lab Exercises 237
        Activity 7.1: Create a Disk Image 237
        Activity 7.2: Conduct the NIST Rhino Hunt 238
        Activity 7.3: Security Tools 239
    Review Questions 240

Chapter 8 Recovery and Post-Incident Response 245
    Containing the Damage 246
        Segmentation 248
        Isolation 249
        Removal 251
        Evidence Gathering and Handling 252
        Identifying Attackers 253
    Incident Eradication and Recovery 253
        Reconstruction and Reimaging 255
        Patching Systems and Applications 255
        Sanitization and Secure Disposal 256
        Validating the Recovery Effort 258
    Wrapping Up the Response 258
        Managing Change Control Processes 258
        Conducting a Lessons-Learned Session 259
        Developing a Final Report 259
    Summary 260
    Exam Essentials 260
    Lab Exercises 261
        Activity 8.1: Incident Containment Options 261
        Activity 8.2: Incident Response Activities 263
        Activity 8.3: Sanitization and Disposal Techniques 263
    Review Questions 265

Chapter 9 Policy and Compliance 269
    Understanding Policy Documents 270
        Policies 270
        Standards 273
        Procedures 274
        Guidelines 275
        Exceptions and Compensating Controls 276
    Complying with Laws and Regulations 277
    Adopting a Standard Framework 278
        NIST Cybersecurity Framework 279
        ISO 27001 282
        Control Objectives for Information and Related Technologies (COBIT) 282
        Sherwood Applied Business Security Architecture (SABSA) 283
        The Open Group Architecture Framework (TOGAF) 283
        Information Technology Infrastructure Library (ITIL) 285
    Implementing Policy-Based Controls 285
        Security Control Verification and Quality Control 286
    Summary 287
    Exam Essentials 287
    Lab Exercises 288
        Activity 9.1: Policy Documents 288
        Activity 9.2: Using a Cybersecurity Framework 288
        Activity 9.3: Compliance Auditing Tools 288
    Review Questions 289

Chapter 10 Defense-in-Depth Security Architectures 293
    Understanding Defense in Depth 294
        Layered Security 294
        Control Types and Classification 298
    Implementing Defense in Depth 299
        Layered Security and Network Design 299
        Layered Host Security 305
        Logging, Monitoring, and Validation 306
        Cryptography 307
        Policy, Process, and Standards 308
        Outsourcing and Personnel Security 310
    Analyzing Security Architecture 311
        Analyzing Security Requirements 312
        Reviewing Architecture 312
        Common Issues 313
        Reviewing a Security Architecture 317
        Maintaining a Security Design 319
    Summary 320
    Exam Essentials 320
    Lab Exercises 321
        Activity 10.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 321
        Activity 10.2: Review a NIST Security Architecture 322
        Activity 10.3: Security Architecture Terminology 323
    Review Questions 324

Chapter 11 Identity and Access Management Security 329
    Understanding Identity 330
        Identity Systems and Security Design 332
    Threats to Identity and Access 335
        Understanding Security Issues with Identities 336
        Attacking AAA Systems and Protocols 336
        Targeting Account Creation, Provisioning, and Deprovisioning 341
        Preventing Common Exploits of Identity and Authorization 343
        Acquiring Credentials 343
    Identity as a Security Layer 345
        Identity and Defense-in-Depth 346
        Securing Authentication and Authorization 346
        Detecting Attacks and Security Operations 352
    Understanding Federated Identity and Single Sign-On 353
        Federated Identity Security Considerations 354
        Federated Identity Design Choices 355
        Federated Identity Technologies 357
        Federation Incident Response 361
    Summary 362
    Exam Essentials 362
    Lab Exercises 363
        Activity 11.1: Federated Security Scenario 363
        Activity 11.2: Onsite Identity Issues Scenario 364
        Activity 11.3: Identity and Access Management Terminology 365
    Review Questions 366

Chapter 12 Software Development Security 371
    Understanding the Software Development Life Cycle 372
        Software Development Phases 373
        Software Development Models 375
    Designing and Coding for Security 380
        Common Software Development Security Issues 381
        Secure Coding Best Practices 381
        Application Testing 384
        Information Security and the SDLC 384
        Code Review Models 385
        Formal Code Review 387
    Software Security Testing 388
        Analyzing and Testing Code 389
        Web Application Vulnerability Scanning 391
    Summary 394
    Exam Essentials 394
    Lab Exercises 395
        Activity 12.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 395
        Activity 12.2: Learn about Web Application Exploits from WebGoat 396
        Activity 12.3: SDLC Terminology 396
    Review Questions 397

Chapter 13 Cybersecurity Toolkit 401
    Host Security Tools 402
        Antimalware and Antivirus 402
        EMET 403
        Sysinternals 404
    Monitoring and Analysis Tools 405
        Syslog 406
        Security Information and Event Management (SIEM) 407
        Network Monitoring 409
    Scanning and Testing Tools 411
        Network Scanning 412
        Vulnerability Scanning 412
        Exploit Frameworks 415
        Password Cracking and Recovery 416
    Network Security Tools 418
        Firewalls 418
        Network Intrusion Detection and Prevention 418
        Host Intrusion Prevention 420
        Packet Capture 421
        Command-Line Network Tools 423
        Web Proxies 426
        OpenSSL 428
    Web Application Security Tools 429
        Web Application Firewalls 429
        Interception Proxies 430
        Fuzzers 431
    Forensics Tools 433
        Hashing 433
        Imaging 434
        Forensic Suites 435
        Mobile Forensics 436
    Summary 436

Appendix A Answers to the Review Questions 437
    Chapter 1: Defending Against Cybersecurity Threats 438
    Chapter 2: Reconnaissance and Intelligence Gathering 439
    Chapter 3: Designing a Vulnerability Management Program 441
    Chapter 4: Analyzing Vulnerability Scans 443
    Chapter 5: Building an Incident Response Program 444
    Chapter 6: Analyzing Symptoms for Incident Response 446
    Chapter 7: Performing Forensic Analysis 448
    Chapter 8: Recovery and Post-Incident Response 449
    Chapter 9: Policy and Compliance 451
    Chapter 10: Defense-in-Depth Security Architectures 453
    Chapter 11: Identity and Access Management Security 456
    Chapter 12: Software Development Security 458

Appendix B Answers to the Lab Exercises 461
    Chapter 1: Defending Against Cybersecurity Threats 462
    Chapter 2: Reconnaissance and Intelligence Gathering 462
    Chapter 4: Analyzing Vulnerability Scans 463
    Chapter 5: Building an Incident Response Program 464
    Chapter 6: Analyzing Symptoms for Incident Response 465
    Chapter 7: Performing Forensic Analysis 466
    Chapter 8: Recovery and Post-Incident Response 467
    Chapter 9: Policy and Compliance 470
    Chapter 10: Defense-in-Depth Security Architectures 471
    Chapter 11: Identity and Access Management Security 472
    Chapter 12: Software Development Security 473

Index 475


Learn Certify Work

* Source: CompTIA 9th Annual Information Security Trends study: 500 U.S. IT and Business Executives Responsible for Security
** Source: CompTIA Employer Perceptions of IT Training and Certification

© 2016 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. 03288-Nov2016

Why Get CompTIA Certified?

Growing Demand
Labor estimates predict some technology fields will experience growth of over 20% by the year 2020.* CompTIA certification qualifies the skills required to join this workforce.

Higher Salaries
IT professionals with certifications on their resume command better jobs, earn higher salaries and have more doors open to new multi-industry opportunities.

Verified Strengths
91% of hiring managers indicate CompTIA certifications are valuable in validating IT expertise, making certification the best way to demonstrate your competency and knowledge to employers.**

Universal Skills
CompTIA certifications are vendor neutral, which means that certified professionals can proficiently work with an extensive variety of hardware and software found in most organizations.

Certification.CompTIA.org/certifications/cybersecurity-analyst

Becoming a CompTIA Certified IT Professional is Easy
It’s also the best way to reach greater professional opportunities and rewards.

Learn more about what the exam covers by reviewing the following:

• Exam objectives for key study points.

• Sample questions for a general overview of what to expect on the exam and examples of question format.

• Visit online forums, like LinkedIn, to see what other IT professionals say about CompTIA exams.

Purchase a voucher at a Pearson VUE testing center or at CompTIAstore.com.

• Register for your exam at a Pearson VUE testing center:

• Visit pearsonvue.com/CompTIA to find the closest testing center to you.

• Schedule the exam online. You will be required to enter your voucher number or provide payment information at registration.

• Take your certification exam.

Congratulations on your CompTIA certification!

• Make sure to add your certification to your resume.

• Check out the CompTIA Certification Roadmap to plan your next career move.


Introduction

CompTIA Cybersecurity Analyst (CySA+) Study Guide provides accessible explanations and real-world knowledge about the exam objectives that make up the Cybersecurity Analyst+ certification. This book will help you to assess your knowledge before taking the exam, as well as provide a stepping-stone to further learning in areas where you may want to expand your skillset or expertise.

Before you tackle the CySA+, you should already be a security practitioner. CompTIA suggests that test takers have between 3 and 4 years of existing hands-on information security experience. You should also be familiar with at least some of the tools and techniques described in this book. You don’t need to know every tool, but understanding how to approach a new scenario, tool, or technology that you may not know using existing experience is critical to passing the CySA+ exam.

For up-to-the-minute updates covering additions or modifications to the CompTIA certification exams, as well as additional study tools, videos, practice questions, and bonus material, be sure to visit the Sybex website and forum at www.sybex.com.

CompTIA

CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like the CompTIA Advanced Security Practitioner, or CASP certification. CompTIA divides its exams into four different categories based on the skill level required for the exam and what topics it covers, as shown in the following table:

Foundational       Professional                  Specialty            Mastery
IT Fundamentals    A+                            CDIA+                CASP
                   Cloud+ with Virtualization    CTT+
                   CySA+                         Cloud Essentials
                   Linux+                        Healthcare IT Tech
                   Mobility+
                   Network+
                   Security+
                   Project+
                   Server+

Page 30: download.e-bookshelf.de · Cybersecurity Analyst (CySA + ... by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit- ... This work


CompTIA recommends that practitioners follow a cybersecurity career path as shown here:

CompTIA IT Fundamentals → CompTIA A+ → CompTIA Network+ → CompTIA Security+ → CompTIA CySA+ → CompTIA CASP

As you can see, despite the A+, Network+, and Security+ falling into the Professional certification category, the Cybersecurity Analyst+ exam is a more advanced exam, intended for professionals with hands-on experience and who possess the knowledge covered by the prior exams.

CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the Security+ and the CASP, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department’s Skills Incentive Program.

The Cybersecurity Analyst+ Exam

The Cybersecurity Analyst+ exam, which CompTIA refers to as the CySA+, is designed to be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The CySA+ certification is designed for security analysts and engineers as well as Security Operations Center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses on security analytics and practical use of security tools in real-world scenarios. It covers four major domains: Threat Management, Vulnerability Management, Cyber
