The CompTIA Cybersecurity Analyst (CySA+) certification verifies that successful candidates have the knowledge and skills required to leverage intelligence and threat detection techniques, analyze and interpret data, identify and address vulnerabilities, suggest preventative measures, and effectively respond to and recover from incidents.
The CompTIA Cybersecurity Analyst (CySA+) examination is designed for IT security analysts, vulnerability analysts, and threat intelligence analysts. It certifies that the successful candidate has the knowledge and skills required to configure and use threat detection tools, perform data analysis, and interpret the results to identify vulnerabilities, threats, and risks to an organization, with the end goal of protecting the organization's applications and systems.
The CompTIA CySA+ certification is a vendor-neutral credential. The CompTIA CySA+ exam (Exam CS0-001) is an internationally targeted validation of intermediate-level security skills and knowledge. The course has a technical, “hands-on” focus on IT security analytics.
The CompTIA CySA+ exam (CS0-001) is based on these four domains:
Threat Management
Vulnerability Management
Cyber Incident Response
Security Architecture and Tool Sets
There is no required prerequisite, but the CompTIA CySA+ certification is intended to follow CompTIA Security+ or equivalent experience. CompTIA recommends that candidates have the following:
3-4 years of hands-on information security or related experience
Network+, Security+, or equivalent knowledge
Threat Management
Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes.
Router/firewall ACL review
Social media profiling
Wireless vs. wired
Virtual vs. physical
Internal vs. external
On-premises vs. cloud
Firewall rule base and logs
Given a scenario, analyze the results of a network reconnaissance.
Point-in-time data analysis:
Data correlation and analytics:
NMAP scan results
Resource monitoring tool
Given a network-based threat, implement or recommend the appropriate response and countermeasure.
Mandatory Access Control (MAC)
Blocking unused ports/services
Network Access Control (NAC):
Explain the purpose of practices used to secure a corporate environment.
Rules of engagement
Training and exercises:
Technical control review
Operational control review
Technical impact and likelihood
Vulnerability Management
Given a scenario, implement an information security vulnerability management process.
Identification of requirements:
Establish scanning frequency:
Configure tools to perform scans according to specification:
Determine scanning criteria
Permissions and access
Automated vs. manual distribution
Inhibitors to remediation
Ongoing scanning and continuous monitoring
Given a scenario, analyze the output resulting from a vulnerability scan.
Analyze reports from a vulnerability scan:
Review and interpret scan results
Validate results and correlate other data points
Compare to best practices or compliance
Review related logs and/or other data sources
Compare and contrast common vulnerabilities found in the following targets within an organization.
Virtual private networks (VPNs)
Industrial Control Systems (ICSs)
Cyber Incident Response
Given a scenario, distinguish threat data or behaviour to determine the impact of an incident.
Known threats vs. unknown threats
Advanced persistent threat
Factors contributing to incident severity and prioritization:
Scope of impact
Types of data
Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation.
Digital forensics workstation
Wiped removable media
Forensic investigation suite:
Chain of custody
OS and process analysis
Mobile device forensics
Explain the importance of communication during the incident response process.
Purpose of communication processes:
Limit communication to trusted parties
Disclosure based on regulatory/legislative requirements
Prevent inadvertent release of information
Secure method of communication
Retain incident response provider
Given a scenario, analyze common symptoms to select the best course of action to support incident response.
Common network-related symptoms:
Irregular peer-to-peer communication
Rogue devices on the network
Unusual traffic spikes
Common host-related symptoms:
Drive capacity consumption
Common application-related symptoms:
Introduction of new accounts
Unexpected outbound communication
Summarize the incident recovery and post-incident response process.
Verify logging/communication to security monitoring
Lessons learned report
Change control process
Update incident response plan
Incident summary report
Security Architecture and Tool Sets
Explain the relationship between frameworks, common policies, controls, and procedures.
Acceptable use policy
Data ownership policy
Data retention policy
Account management policy
Data classification policy
Control selection based on criteria
Organizationally defined parameters
Compensating control development
Control testing procedures
Verifications and quality control:
Given a scenario, use data to recommend remediation of security issues related to identity and access management.
Security issues associated with context-based authentication:
Security issues associated with identities:
Security issues associated with identity repositories:
Security issues associated with federation and single sign-on:
Manual vs. automatic provisioning/deprovisioning
Self-service password reset
Given a scenario, review security architecture and make recommendations to implement compensating controls.
Security data analytics:
Data aggregation and correlation
Defense in depth:
Other security concepts
Given a scenario, use application security best practices while participating in the Software Development Life Cycle (SDLC).
Best practices during software development:
Security requirements definition
Security testing phases
Manual peer reviews
User acceptance testing
Stress test application
Security regression testing
Secure coding best practices:
Center for Internet Security
Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies.
Web Application Firewall (WAF)
Command line/IP utilities
This course leads to exam CS0-001, CompTIA CySA+.
This training course provided by Skilltec is accredited through Global Knowledge Training Ltd. Global Knowledge Training Ltd are the authorised learning partner; all trademarks and partner statuses are provided through them.