CompTIA® Cybersecurity Analyst (CSA+) Cert Guide
Troy McMillan
800 East 96th Street, Indianapolis, Indiana 46240 USA

9780789756954_BOOK.indb i 5/19/17 1:39 PM

CompTIA Cybersecurity Analyst (CSA+) Cert Guide
Copyright © 2017 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5695-4
ISBN-10: 0-7897-5695-1
Library of Congress Control Number: 2017938509
Printed in the United States of America
First Printing: June 2017

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419. For government sales inquiries, please contact [email protected]. For questions about sales outside the U.S., please contact [email protected].

Editor-in-Chief: Mark Taub
Product Line Manager: Brett Bartow
Acquisitions Editor: Michelle Newcomb
Development Editor: Ellie Bru
Managing Editor: Sandra Schroeder
Senior Project Editor: Tonya Simpson
Copy Editor: Kitty Wilson
Indexer: Publishing Works, Inc.
Proofreader: Chuck Hutchinson
Technical Editors: Chris Crayton, Robin Abernathy
Publishing Coordinator: Vanessa Evans
Cover Designer: Chuti Prasertsith
Compositor: Bronkella Publishing

Contents at a Glance

Introduction xxvii
CHAPTER 1 Applying Environmental Reconnaissance Techniques 3
CHAPTER 2 Analyzing the Results of Network Reconnaissance 37
CHAPTER 3 Recommending and Implementing the Appropriate Response and Countermeasure 69
CHAPTER 4 Practices Used to Secure a Corporate Environment 95
CHAPTER 5 Implementing an Information Security Vulnerability Management Process 113
CHAPTER 6 Analyzing Scan Output and Identifying Common Vulnerabilities 141
CHAPTER 7 Identifying Incident Impact and Assembling a Forensic Toolkit 187
CHAPTER 8 The Incident Response Process 213
CHAPTER 9 Incident Recovery and Post-Incident Response 237
CHAPTER 10 Frameworks, Policies, Controls, and Procedures 251
CHAPTER 11 Remediating Security Issues Related to Identity and Access Management 301
CHAPTER 12 Security Architecture and Implementing Compensating Controls 343
CHAPTER 13 Application Security Best Practices 385
CHAPTER 14 Using Cybersecurity Tools and Technologies 403
CHAPTER 15 Final Preparation 453
APPENDIX A Answers to the "Do I Know This Already?" Quizzes and Review Questions 459
Glossary 491
Index 526
Table of Contents

Introduction xxvii

Chapter 1 Applying Environmental Reconnaissance Techniques 3
  "Do I Know This Already?" Quiz 3
  Foundation Topics 5
    Procedures/Common Tasks 5
      Topology Discovery 5
      OS Fingerprinting 5
      Service Discovery 6
      Packet Capture 6
      Log Review 6
      Router/Firewall ACLs Review 6
      E-mail Harvesting 7
      Social Media Profiling 7
      Social Engineering 8
      DNS Harvesting 8
      Phishing 11
    Variables 11
      Wireless vs. Wired 12
      Virtual vs. Physical 13
      Internal vs. External 14
      On-premises vs. Cloud 15
    Tools 16
      Nmap 16
        Host Scanning 19
        Network Mapping 20
      Netstat 21
      Packet Analyzer 23
      IDS/IPS 25
        HIDS/NIDS 27
      Firewall Rule-Based and Logs 27
        Firewall Types 27
        Firewall Architecture 29
      Syslog 30
      Vulnerability Scanner 30
  Exam Preparation Tasks 31
    Review All Key Topics 31
    Define Key Terms 32
    Review Questions 32

Chapter 2 Analyzing the Results of Network Reconnaissance 37
  "Do I Know This Already?" Quiz 37
  Foundation Topics 40
    Point-in-Time Data Analysis 40
      Packet Analysis 40
      Protocol Analysis 40
      Traffic Analysis 40
      NetFlow Analysis 41
      Wireless Analysis 43
        CSMA/CA 43
    Data Correlation and Analytics 45
      Anomaly Analysis 45
      Trend Analysis 46
      Availability Analysis 46
      Heuristic Analysis 46
      Behavioral Analysis 47
    Data Output 47
      Firewall Logs 47
      Packet Captures 49
      Nmap Scan Results 52
      Port Scans 52
      Event Logs 53
      Syslog 55
      IDS Report 56
    Tools 57
      SIEM 57
      Packet Analyzer 59
      IDS 60
      Resource Monitoring Tool 61
      NetFlow Analyzer 61
  Exam Preparation Tasks 62
    Review All Key Topics 62
    Define Key Terms 63
    Review Questions 63

Chapter 3 Recommending and Implementing the Appropriate Response and Countermeasure 69
  "Do I Know This Already?" Quiz 69
  Foundation Topics 72
    Network Segmentation 72
      LAN 72
      Intranet 72
      Extranet 72
      DMZ 73
      VLANs 73
    System Isolation 75
      Jump Box 76
    Honeypot 77
    Endpoint Security 77
    Group Policies 78
    ACLs 80
    Sinkhole 81
    Hardening 82
      Mandatory Access Control (MAC) 82
      Compensating Controls 83
        Control Categories 83
        Access Control Types 84
          Administrative (Management) Controls 85
          Logical (Technical) Controls 85
          Physical Controls 85
      Blocking Unused Ports/Services 86
      Patching 86
    Network Access Control 86
      Quarantine/Remediation 88
      Agent-Based vs. Agentless NAC 88
      802.1x 88
  Exam Preparation Tasks 90
    Review All Key Topics 90
    Define Key Terms 91
    Review Questions 91

Chapter 4 Practices Used to Secure a Corporate Environment 95
  "Do I Know This Already?" Quiz 95
  Foundation Topics 98
    Penetration Testing 98
      Rules of Engagement 100
    Reverse Engineering 101
      Isolation/Sandboxing 101
      Hardware 103
      Software/Malware 104
    Training and Exercises 105
    Risk Evaluation 106
      Technical Impact and Likelihood 106
      Technical Control Review 107
      Operational Control Review 107
  Exam Preparation Tasks 107
    Review All Key Topics 108
    Define Key Terms 108
    Review Questions 108

Chapter 5 Implementing an Information Security Vulnerability Management Process 113
  "Do I Know This Already?" Quiz 113
  Foundation Topics 117
    Identification of Requirements 117
      Regulatory Environments 117
      Corporate Policy 119
      Data Classification 119
      Asset Inventory 120
    Establish Scanning Frequency 120
      Risk Appetite 120
      Regulatory Requirements 121
      Technical Constraints 121
      Workflow 121
    Configure Tools to Perform Scans According to Specification 122
      Determine Scanning Criteria 122
        Sensitivity Levels 122
        Vulnerability Feed 123
        Scope 123
        Credentialed vs. Non-credentialed 125
        Types of Data 126
        Server-Based vs. Agent-Based 126
      Tool Updates/Plug-ins 128
        SCAP 128
      Permissions and Access 131
    Execute Scanning 131
    Generate Reports 132
      Automated vs. Manual Distribution 132
    Remediation 133
      Prioritizing 133
        Criticality 134
        Difficulty of Implementation 134
      Communication/Change Control 134
      Sandboxing/Testing 134
      Inhibitors to Remediation 134
        MOUs 134
        SLAs 135
        Organizational Governance 135
        Business Process Interruption 135
        Degrading Functionality 135
    Ongoing Scanning and Continuous Monitoring 135
  Exam Preparation Tasks 136
    Review All Key Topics 136
    Define Key Terms 136
    Review Questions 137

Chapter 6 Analyzing Scan Output and Identifying Common Vulnerabilities 141
  "Do I Know This Already?" Quiz 141
  Foundation Topics 143
    Analyzing Output Resulting from a Vulnerability Scan 143
      Analyze Reports from a Vulnerability Scan 143
      Review and Interpret Scan Results 145
      Validate Results and Correlate Other Data Points 147
    Common Vulnerabilities Found in Targets Within an Organization 148
      Servers 148
        Web Servers 149
        Database Servers 160
      Endpoints 161
      Network Infrastructure 162
        Switches 163
          MAC Overflow 164
          ARP Poisoning 164
          VLANs 165
        Routers 168
        Network Appliances 169
      Virtual Infrastructure 169
        Virtual Hosts 169
        Virtual Networks 170
        Management Interface 171
      Mobile Devices 173
      Interconnected Networks 174
        Virtual Private Networks 175
      Industrial Control Systems/SCADA Devices 179
  Exam Preparation Tasks 180
    Review All Key Topics 181
    Define Key Terms 182
    Review Questions 182

Chapter 7 Identifying Incident Impact and Assembling a Forensic Toolkit 187
  "Do I Know This Already?" Quiz 187
  Foundation Topics 189
    Threat Classification 189
      Known Threats vs. Unknown Threats 190
      Zero Day 190
      Advanced Persistent Threat 191
    Factors Contributing to Incident Severity and Prioritization 191
      Scope of Impact 191
        Downtime and Recovery Time 191
        Data Integrity 193
        Economic 193
        System Process Criticality 193
      Types of Data 194
        Personally Identifiable Information (PII) 194
        Personal Health Information (PHI) 195
        Payment Card Information 195
        Intellectual Property 197
        Corporate Confidential 199
    Forensics Kit 201
      Digital Forensics Workstation 202
      Forensic Investigation Suite 206
  Exam Preparation Tasks 208
    Review All Key Topics 208
    Define Key Terms 208
    Review Questions 209

Chapter 8 The Incident Response Process 213
  "Do I Know This Already?" Quiz 213
  Foundation Topics 216
    Stakeholders 216
      HR 216
      Legal 217
      Marketing 217
      Management 217
    Purpose of Communication Processes 217
      Limit Communication to Trusted Parties 218
      Disclosure Based on Regulatory/Legislative Requirements 218
      Prevent Inadvertent Release of Information 218
      Secure Method of Communication 218
    Role-Based Responsibilities 218
      Technical 219
      Management 219
Description: