INTRODUCTION

This second edition of the CompTIA CySA+ Certification All-in-One Exam Guide represents a major overhaul of the material covered in the previous edition. Fully updated to reflect the new objectives for exam number CS0-002, this new book will not only prepare you for your certification but also serve as a desktop reference in your daily job as a cybersecurity analyst. Our ultimate goal, as before, is to ensure that you will know, and be able to take, the right steps to improve the security posture of your organization immediately upon arrival. But how do you convey these skills to a prospective employer within the confines of a one- or two-page resume? Using the title CySA+, like a picture, can be worth a thousand words.

Why Become a CySA+?

To answer that question simply, having CySA+ at the end of your signature will elevate employers’ expectations. Hiring officials oftentimes screen resumes by looking for certain key terms, such as CySA+, before referring them to technical experts for further review. Attaining this certification improves your odds of making it past the first filters and also sets a baseline for what the experts can expect from you during an interview. It lets them know they can get right to important parts of the conversation without first having to figure out how much you know about the role of a cybersecurity analyst. The certification sets you up for success.

It also sets you up for lifelong self-learning and development. Preparing for and passing this exam will not only elevate your knowledge, but it will also reveal to you how much you still have to learn. Cybersecurity analysts never reach a point where they know enough. Instead, this is a role that requires continuous learning, because both the defenders and attackers are constantly evolving their tools and techniques. The CySA+ domains and objectives provide you a framework of knowledge and skills on which you can plan your own professional development.

The CySA+ Exam

CompTIA indicates the relative importance of each domain with these weightings on the exam:

[Table of exam domain weightings not reproduced in this extract.]

The CySA+ exam is administered at authorized testing centers or via remote online proctoring and presently will cost you $359. It consists of a minimum of 85 questions, which must be answered in no more than 165 minutes. To pass, you must score 750 points out of a maximum possible 900 points. The test is computer-based and adaptive, which means different questions will earn you different numbers of points. The bulk of the exam consists of short, multiple-choice questions with four or five possible responses. In some cases, you will have to select multiple answers to receive full credit. Most questions are fairly straightforward, so you should not expect a lot of “trick” questions or ambiguity. Still, you should not be surprised to find yourself debating between two responses that both seem correct at some point.

A unique aspect of the exam is its use of scenario questions. You may see only a few of these, but they will require a lot of time to complete. In these questions, you will be given a short scenario and a network map. There will be hotspots in the map that you can click to obtain detailed information about a specific node. For example, you might click a host and see log entries or the output of a command-line tool. You will have to come up with multiple actions that explain an observation, mitigate threats, or handle incidents. Deciding which actions are appropriate will require that you look at the whole picture, so be sure to click every hotspot before attempting to answer any of these questions.

Your exam will be scored on the spot, so you will know whether you passed before you leave the test center. You will be given your total score, but not a breakdown by domain. If you fail the exam, you will have to pay the exam fee again, but you may retake the test as soon as you’d like. Unlike other exams, there is no waiting period for your second attempt, though you will have to wait 14 calendar days between your second and third attempts if you fail twice.

What Does This Book Cover?

This book covers everything you need to know to become a CompTIA-certified Cybersecurity Analyst (CySA+). It teaches you how successful organizations manage cyber threats to their systems. These threats will attempt to exploit weaknesses in the systems, so the book also covers the myriad issues that go into effective vulnerability management. As we all know, no matter how well we manage both threats and vulnerabilities, we will eventually have to deal with a security incident. The book next delves into cyber incident response, including forensic analysis. Finally, it covers security architectures and tools with which every cybersecurity analyst should be familiar.

Though the book gives you all the information you need to pass the test and be a successful CySA+, you will have to supplement this knowledge with hands-on experience on at least some of the more popular tools. It is one thing to read about Wireshark and Snort, but you will need practical experience with these tools to know how best to apply them in the real world. The book guides you in this direction, but you will have to get the tools as well as practice the material covered in these pages.

Tips for Taking the CySA+ Exam

Though the CySA+ exam has some unique aspects, it is not entirely unlike any other computer-based test you may have taken. The following is a list of tips in increasing order of specificity. Some may seem like common sense to you, but we still think they’re important enough to highlight.

•   Get lots of rest the night before.

•   Arrive early at the exam site.

•   Read all possible responses before making your selection, even if you are “certain” that you’ve already read the correct option.

•   If the question seems like a trick one, you may be overthinking it.

•   Don’t second-guess yourself after choosing your responses.

•   Take notes on the dry-erase sheet (which will be provided by the proctor) whenever you have to track multiple data points.

•   If you are unsure about an answer, give it your best shot, mark it for review, and then go on to the next question; you may find a hint in a later question.

•   When dealing with a scenario question, read all available information at least once before you attempt to provide any responses.

•   Don’t stress if you seem to be taking too long on the scenario questions; you will get only a handful of those.

•   Don’t expect the exhibits (for example, log files) to look like real ones; they will be missing elements you’d normally expect but contain all the information you need to respond.

How to Use This Book

Much effort has gone into putting all the necessary information into this book. Now it’s up to you to study and understand the material and its various concepts. To benefit the most from this book, you may want to use the following study method:

•   Study each chapter carefully and make sure you understand each concept presented. Many concepts must be fully understood, and glossing over a couple here and there could be detrimental to you.

•   Make sure to study and answer all the questions. If any questions confuse you, go back and study those sections again.

•   If you are not familiar with specific topics, such as firewalls, reverse engineering, and protocol functionality, use other sources of information (books, articles, and so on) to attain a more in-depth understanding of those subjects. Don’t just rely on what you think you need to know to pass the CySA+ exam.

•   If you are not familiar with a specific tool, download the tool (if open source) or a trial version (if commercial) and play with it a bit. Since we cover dozens of tools, you should prioritize them based on how unfamiliar you are with them.

Using the Objective Map

The table in Appendix A has been constructed to help you cross-reference the official exam objectives from CompTIA with the relevant coverage in the book. Each objective is listed along with the corresponding chapter number and heading that provides coverage of that objective.

Online Practice Exams

This book includes access to practice exams that feature the TotalTester Online exam test engine, which enables you to generate a complete practice exam or to generate quizzes by chapter module or by exam domain. See Appendix B for more information and instructions on how to access the exam tool.
