While there is no required prerequisite, the CompTIA CySA+ certification is intended to follow CompTIA Security+ or equivalent experience. It is recommended for CompTIA CySA+ certification candidates to have the following:
3-4 years of hands-on information security or related experience
Network+, Security+, or equivalent knowledge
Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes
Procedures/common tasks:
Topology discovery
OS fingerprinting
Service discovery
Packet capture
Log review
Router/firewall ACLs review
Email harvesting
Social media profiling
Social engineering
DNS harvesting
Phishing
Variables:
Wireless vs. wired
Virtual vs. physical
Internal vs. external
On-premises vs. cloud
Tools:
NMAP
Host scanning
Network mapping
NETSTAT
Packet analyzer
IDS/IPS
HIDS/NIDS
Firewall rule-based and logs
Syslog
Vulnerability scanner
Given a scenario, analyze the results of a network reconnaissance
Point-in-time data analysis:
Packet analysis
Protocol analysis
Traffic analysis
Netflow analysis
Wireless analysis
Data correlation and analytics:
Anomaly analysis
Trend analysis
Availability analysis
Heuristic analysis
Behavioral analysis
Data output:
Firewall logs
Packet captures
NMAP scan results
Event logs
Syslogs
IDS report
Tools:
SIEM
Packet analyzer
IDS
Resource monitoring tool
Netflow analyzer
Given a network-based threat, implement or recommend the appropriate response and countermeasure
Network segmentation:
System isolation
Jump box
Honeypot
Endpoint security
Group policies
ACLs:
Sinkhole
Hardening:
Mandatory Access Control (MAC)
Compensating controls
Blocking unused ports/services
Patching
Network Access Control (NAC):
Time-based
Rule-based
Role-based
Location-based
Explain the purpose of practices used to secure a corporate environment
Penetration testing:
Rules of engagement
Reverse engineering:
Isolation/sandboxing
Hardware
Software/malware
Training and exercises:
Red team
Blue team
White team
Risk evaluation:
Technical control review
Operational control review
Technical impact and likelihood
Given a scenario, implement an information security vulnerability management process
Identification of requirements:
Regulatory environments
Corporate policy
Data classification
Asset inventory
Establish scanning frequency:
Risk appetite
Regulatory requirements
Technical constraints
Workflow
Configure tools to perform scans according to specification:
Determine scanning criteria
Tool updates/plug-ins
Permissions and access
Execute scanning
Generate reports:
Automated vs. manual distribution
Remediation:
Prioritizing
Communication/change control
Sandboxing/testing
Inhibitors to remediation
Ongoing scanning and continuous monitoring
Given a scenario, analyze the output resulting from a vulnerability scan
Analyze reports from a vulnerability scan:
Review and interpret scan results
Validate results and correlate other data points
Compare to best practices or compliance
Reconcile results
Review related logs and/or other data sources
Determine trends
Compare and contrast common vulnerabilities found in the following targets within an organization
Servers
Endpoints
Network infrastructure
Network appliances
Virtual infrastructure:
Virtual hosts
Virtual networks
Management interface
Mobile devices
Interconnected networks
Virtual private networks (VPNs)
Industrial Control Systems (ICSs)
SCADA devices
Given a scenario, distinguish threat data or behavior to determine the impact of an incident
Threat classification:
Known threats vs. unknown threats
Zero day
Advanced persistent threat
Factors contributing to incident severity and prioritization:
Scope of impact
Types of data
Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation
Forensics kit:
Digital forensics workstation
Write blockers
Cables
Drive adapters
Wiped removable media
Cameras
Crime tape
Tamper-proof seals
Documentation/forms
Forensic investigation suite:
Imaging utilities
Analysis utilities
Chain of custody
Hashing utilities
OS and process analysis
Mobile device forensics
Password crackers
Cryptography tools
Log viewers
Explain the importance of communication during the incident response process
Stakeholders:
HR
Legal
Marketing
Management
Purpose of communication processes:
Limit communication to trusted parties
Disclosure based on regulatory/legislative requirements
Prevent inadvertent release of information
Secure method of communication
Role-based responsibilities:
Technical
Management
Law enforcement
Retain incident response provider
Given a scenario, analyze common symptoms to select the best course of action to support incident response
Common network-related symptoms:
Bandwidth consumption
Beaconing
Irregular peer-to-peer communication
Rogue devices on the network
Scan sweeps
Unusual traffic spikes
Common host-related symptoms:
Processor consumption
Memory consumption
Drive capacity consumption
Unauthorized software
Malicious processes
Unauthorized changes
Unauthorized privileges
Data exfiltration
Common application-related symptoms:
Anomalous activity
Introduction of new accounts
Unexpected output
Unexpected outbound communication
Service interruption
Memory overflows
Summarize the incident recovery and post-incident response process
Containment techniques:
Segmentation
Isolation
Removal
Reverse engineering
Eradication techniques:
Sanitization
Reconstruction/reimage
Secure disposal
Validation:
Patching
Permissions
Scanning
Verify logging/communication to security monitoring
Corrective actions:
Lessons learned report
Change control process
Update incident response plan
Incident summary report
Explain the relationship between frameworks, common policies, controls, and procedures
Regulatory compliance
Frameworks:
NIST
ISO
COBIT
SABSA
TOGAF
ITIL
Policies:
Password policy
Acceptable use policy
Data ownership policy
Data retention policy
Account management policy
Data classification policy
Controls:
Control selection based on criteria
Organizationally defined parameters
Physical controls
Logical controls
Administrative controls
Procedures:
Continuous monitoring
Evidence production
Patching
Compensating control development
Control testing procedures
Manage exceptions
Remediation plans
Verifications and quality control:
Audits
Evaluations
Assessments
Maturity model
Certification
Given a scenario, use data to recommend remediation of security issues related to identity and access management
Security issues associated with context-based authentication:
Time
Location
Frequency
Behavioral
Security issues associated with identities:
Personnel
Endpoints
Servers
Services
Roles
Applications
Security issues associated with identity repositories:
Directory services
TACACS+
RADIUS
Security issues associated with federation and single sign-on:
Manual vs. automatic provisioning/deprovisioning
Self-service password reset
Exploits:
Impersonation
Man-in-the-middle
Session hijack
Cross-site scripting
Privilege escalation
Rootkit
Given ascenario, review security architecture and make recommendations to implement compensating controls
Security data analytics:
Data aggregation and correlation
Trend analysis
Historical analysis
Manual review:
Firewall log
Syslogs
Authentication logs
Event logs
Defense in depth:
Personnel
Processes
Technologies
Other security concepts
Given a scenario, use application security best practices while participating in the Software Development Life Cycle (SDLC)
Best practices during software development:
Security requirements definition
Security testing phases
Manual peer reviews
User acceptance testing
Stress test application
Security regression testing
Input validation
Secure coding best practices:
OWASP
SANS
Center for Internet Security
Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies
Preventative:
IPS
HIPS
Firewall
Antivirus
Anti-malware
EMET
Web proxy
Web Application Firewall (WAF)
Collective:
SIEM
Network scanning
Vulnerability scanning
Packet capture
Command line/IP utilities
IDS/HIDS
Analytical:
Vulnerability scanning
-Monitoring tools
Interception proxy
Exploit:
Interception proxy
Exploit framework
Fuzzers
Forensics:
Forensic suites
Hashing
Password cracking
Imaging