CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0
Explain the purpose of practices used to secure a corporate environment.
Penetration testing is performed by security analysts to actively probe a network for weaknesses and show where security improvements are needed. Testing can be external or internal and may vary in scope.
The scope is defined by the rules of engagement (ROE), which set the parameters the pen tester must follow.
- Timing: On what days and during what hours the testing will occur.
- Scope: Which devices or networks are part of the test, and which are out of scope.
- Authorization: Formal written permission to perform the test on the network.
- Exploitation: Whether exploits should be attempted when vulnerabilities are found, or whether findings should only be reported.
- Communication: How the testers and the company's stakeholders will communicate. This should include periodic status reports along with a method for urgent communication if issues arise, such as a critical vulnerability or an outage caused by the testing.
- Reporting: What reports will be delivered and on what timelines.
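A tester can turn the ROE items above into a check that runs before any tool is pointed at a host. The script below is an added example and is not part of the CySA+ objectives text; the networks, the excluded segment, the overnight testing window and the helper names are all constructed for illustration. It enforces scope (authorized networks minus exclusions), timing (agreed days and hours, including a window that crosses midnight) and the exploitation clause.

```python
"""Gate test actions on the rules of engagement (ROE): scope, timing, exploitation.

Added example, not part of the CySA+ objectives text. The networks, exclusions,
testing window and helper names below are constructed for illustration.
"""
from datetime import datetime, time
import ipaddress
from typing import Tuple, Union

# Constructed ROE for a hypothetical engagement.
ROE = {
    "in_scope": ["10.10.0.0/16", "192.0.2.0/24"],   # networks the client authorized in writing
    "excluded": ["10.10.99.0/24"],                   # carve-out, e.g. a production database segment
    "days": {0, 1, 2, 3, 4},                         # Monday..Friday, as datetime.weekday() values
    "window": (time(22, 0), time(6, 0)),             # 22:00 to 06:00, crossing midnight
    "exploitation_allowed": False,                   # report findings only, do not exploit them
}


def in_scope(target: str, roe: dict = ROE) -> bool:
    """True when target is an IP inside an authorized network and not inside an excluded one."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False                                 # hostnames must be resolved and re-checked
    excluded = any(ip in ipaddress.ip_network(n) for n in roe["excluded"])
    allowed = any(ip in ipaddress.ip_network(n) for n in roe["in_scope"])
    return allowed and not excluded


def _as_datetime(when: Union[str, datetime]) -> datetime:
    """Accept either a datetime or an ISO 8601 string such as '2024-03-05T23:30'."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def in_window(when: Union[str, datetime], roe: dict = ROE) -> bool:
    """True when the timestamp falls on an agreed day inside the agreed hours."""
    when = _as_datetime(when)
    start, end = roe["window"]
    t = when.time()
    if start <= end:                                 # window within a single day
        return start <= t < end and when.weekday() in roe["days"]
    if t >= start:                                   # evening half of an overnight window
        return when.weekday() in roe["days"]
    if t < end:                                      # morning half belongs to the previous day's session
        return (when.weekday() - 1) % 7 in roe["days"]
    return False


def authorize_action(target: str, action: str, when: Union[str, datetime],
                     roe: dict = ROE) -> Tuple[bool, str]:
    """Return (allowed, reason) for a test action against target at the given time."""
    when = _as_datetime(when)
    if not in_scope(target, roe):
        return False, f"{target} is out of scope"
    if not in_window(when, roe):
        return False, f"{when:%a %H:%M} is outside the agreed testing window"
    if action == "exploit" and not roe["exploitation_allowed"]:
        return False, "ROE does not authorize exploitation; report the finding instead"
    return True, "authorized"


if __name__ == "__main__":
    for target, action, when in [
        ("10.10.5.20", "scan", "2024-03-05T23:30"),     # Tuesday night, in scope
        ("10.10.99.7", "scan", "2024-03-05T23:30"),     # excluded segment
        ("10.10.5.20", "exploit", "2024-03-05T23:30"),  # exploitation not authorized
        ("192.0.2.10", "scan", "2024-03-09T12:00"),     # Saturday noon, outside the window
    ]:
        ok, reason = authorize_action(target, action, when)
        print(f"{target:12} {action:8} {when} -> {'ALLOW' if ok else 'DENY'}: {reason}")
```

The morning half of an overnight window is attributed to the previous day's session, so Saturday 02:00 is allowed (Friday's session) while Monday 02:00 is not. Hostnames are deliberately rejected: resolve them first and check the resulting address, since a name can point at an out-of-scope host.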
Sometimes it is necessary to reverse engineer software to determine how it functions. This can be to understand malware, or to locate bugs in software. Reverse engineering can also be applied to hardware to locate security vulnerabilities. There are several techniques and corresponding software for reverse engineering.
One tool essential to malware analysis is a way to isolate, or sandbox, the malware so that it can be executed without harming any real systems. An example of a sandboxing tool is Cuckoo.
Another option for isolation is a "sheep dip" computer. This computer is isolated from all other systems and set up with monitoring software, which lets the analyst observe what the malware does when it is allowed to infect the machine.
Unfortunately, even hardware is not immune to malicious actors, so the integrity of hardware must also be evaluated.
- Source authenticity: Is the hardware genuine and unaltered?
- Trusted Foundry: DoD program to ensure a trusted supply chain for hardware acquisition.
- OEM Verification: Many vendors have documented ways to validate hardware is genuine and unaltered.
Software can be checked for integrity and for potential security bugs. Fingerprints or hashing tools such as SHA-256 checksums can be used to validate that a copy of software is identical to the known-good copy from the original source. Tools are also available to decompose software to determine potential threat indicators (PTI).
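The checksum comparison described above, as an added example that is not part of the CySA+ objectives text: it parses a vendor-style SHA256SUMS list, streams each downloaded file through SHA-256, and reports OK, FAILED or MISSING per file. The file names, file contents and the published checksum list are constructed inline so the script runs offline; in practice the checksum list is obtained from the vendor over a separate trusted channel, not from the same download location as the artifact.

```python
"""Verify downloaded artifacts against a vendor-published SHA256SUMS list.

Added example, not part of the CySA+ objectives text. File names, contents and
the checksum list are constructed so the example runs offline.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed "genuine" release files; the vendor would publish digests of these.
GENUINE = {
    "agent-1.4.2.tar.gz": b"pretend this is the genuine release tarball\n",
    "agent-1.4.2.msi": b"pretend this is the genuine msi installer\n",
    "agent-1.4.2.deb": b"pretend this is the genuine deb package\n",
}
# What actually landed on disk: the MSI was altered in transit, the deb never downloaded.
DOWNLOADED = {
    "agent-1.4.2.tar.gz": GENUINE["agent-1.4.2.tar.gz"],
    "agent-1.4.2.msi": b"pretend this is a tampered msi installer\n",
}
# Constructed SHA256SUMS in the sha256sum format: "<hex digest>  <filename>" per line.
PUBLISHED_SUMS = "".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in GENUINE.items()
)


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse 'digest  filename' lines as written by sha256sum (also the ' *filename' binary marker)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest) or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify(path: str, expected_hex: str) -> bool:
    """Compare the computed digest with the published one using compare_digest."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def verify_directory(directory: str, sums_text: str) -> dict:
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every entry in the sums list."""
    results = {}
    for name, digest in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if verify(path, digest) else "FAILED"
    return results


def demo() -> dict:
    """Write the constructed downloads to a temp dir and verify them against PUBLISHED_SUMS."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in DOWNLOADED.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify_directory(tmp, PUBLISHED_SUMS)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

Any FAILED result means the copy is not the one the vendor published and should not be installed; a MISSING result is reported rather than ignored so a partial download is not mistaken for a clean one. A matching hash proves only that the file equals what the checksum list describes, so the list itself must come from a source you trust.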
Security teams can conduct exercises, or war games to help improve their ability to defend the network. These exercises are divided into three teams.
- Red Team: This team is the attacking force. Its goal is to exploit the weaknesses of the network using penetration tests and exploitation according to the established rules of engagement.
- Blue Team: This team is the defending force. Its goal is to detect, mitigate and stop the Red Team.
- White Team: This team serves as the referees for the exercise. They enforce the rules of engagement and document the progress of both teams.
Part of protecting an enterprise network is knowing which risks are acceptable and which are not. Risk evaluation allows a company to rate each risk by its probability and potential impact. The probability of an event ranges from Rare to Very Likely and the impact from Trivial to Extreme. A matrix of these two axes allows a company to establish the overall risk of each threat, from Low to High.
Technical controls are implemented using tools such as firewalls, permissions and security appliances. They must be evaluated in the risk process to confirm that they address the threat without costing more than the potential impact of the threat.
Operational controls reduce the likelihood of a threat through policy and procedures.