
The Official

CompTIA
CySA+
Study Guide
(Exam CS0-003)

CS0-003_TTL_ACK_ppi-ii.indd 1 26/03/23 11:12 AM


Course Edition: 2.0

Acknowledgments

Gareth Marchant, Author


Becky Mann, Senior Director, Product Development
James Chesterfield, Senior Manager, User Experience and Design
Danielle Andries, Senior Manager, Product Development

Notices
Disclaimer
While CompTIA, Inc. takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy,
and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose. The use of screenshots, photographs of another entity’s products, or
another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply
sponsorship or endorsement of the book by nor any affiliation of such entity with CompTIA. This courseware may contain
links to sites on the Internet that are owned and operated by third parties (the “External Sites”). CompTIA is not responsible for
the availability of, or the content located on or through, any External Site. Please contact CompTIA if you have any concerns
regarding such links or External Sites.

Trademark Notice
CompTIA®, CySA+®, and the CompTIA logo are registered trademarks of CompTIA, Inc., in the United States and other
countries. All other product and service names used may be common law or registered trademarks of their respective
proprietors.

Copyright Notice
Copyright © 2023 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software
proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA,
3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software
or other products is the responsibility of the user according to terms and conditions of the owner. If you believe that this
book, related materials, or any other CompTIA materials are being reproduced or transmitted without permission, please call
1-866-835-8020 or visit https://help.comptia.org.




Table of Contents

Lesson 1: Understanding Vulnerability Response, Handling, and Management...... 1

Topic 1A: Understanding Cybersecurity Leadership Concepts.......................... 2

Topic 1B: Exploring Control Types and Methods................................................. 8

Topic 1C: Explaining Patch Management Concepts.......................................... 15

Lesson 2: Exploring Threat Intelligence and Threat Hunting Concepts................... 21

Topic 2A: Exploring Threat Actor Concepts........................................................ 22

Topic 2B: Identifying Active Threats................................................................... 28

Topic 2C: Exploring Threat-Hunting Concepts................................................... 37

Lesson 3: Explaining Important System and Network Architecture Concepts....... 45

Topic 3A: Reviewing System and Network Architecture Concepts................. 46

Topic 3B: Exploring Identity and Access Management (IAM)........................... 59

Topic 3C: Maintaining Operational Visibility..................................................... 65

Lesson 4: Understanding Process Improvement in Security Operations................ 73

Topic 4A: Exploring Leadership in Security Operations................................... 74

Topic 4B: Understanding Technology for Security Operations....................... 80

Lesson 5: Implementing Vulnerability Scanning Methods........................................ 85

Topic 5A: Explaining Compliance Requirements............................................... 86

Topic 5B: Understanding Vulnerability Scanning Methods............................. 97

Topic 5C: Exploring Special Considerations in Vulnerability Scanning......... 108

Lesson 6: Performing Vulnerability Analysis............................................................. 115

Topic 6A: Understanding Vulnerability Scoring Concepts.............................. 116

Topic 6B: Exploring Vulnerability Context Considerations............................ 124


Lesson 7: Communicating Vulnerability Information.............................................. 131

Topic 7A: Explaining Effective Communication Concepts.............................. 132

Topic 7B: Understanding Vulnerability Reporting Outcomes and Action Plans.......... 140

Lesson 8: Explaining Incident Response Activities................................................... 149

Topic 8A: Exploring Incident Response Planning............................................ 150

Topic 8B: Performing Incident Response Activities........................................ 163

Lesson 9: Demonstrating Incident Response Communication............................... 175

Topic 9A: Understanding Incident Response Communication...................... 176

Topic 9B: Analyzing Incident Response Activities........................................... 180

Lesson 10: Applying Tools to Identify Malicious Activity......................................... 187

Topic 10A: Identifying Malicious Activity......................................................... 188

Topic 10B: Explaining Attack Methodology Frameworks............................... 202

Topic 10C: Explaining Techniques for Identifying Malicious Activity........... 209

Lesson 11: Analyzing Potentially Malicious Activity................................................. 221

Topic 11A: Exploring Network Attack Indicators............................................ 222

Topic 11B: Exploring Host Attack Indicators.................................................... 232

Topic 11C: Exploring Vulnerability Assessment Tools.................................... 241

Lesson 12: Understanding Application Vulnerability Assessment......................... 261

Topic 12A: Analyzing Web Vulnerabilities........................................................ 262

Topic 12B: Analyzing Cloud Vulnerabilities...................................................... 271

Lesson 13: Exploring Scripting Tools and Analysis Concepts................................... 279

Topic 13A: Understanding Scripting Languages.............................................. 280

Topic 13B: Identifying Malicious Activity Through Analysis.......................... 296


Lesson 14: Understanding Application Security and Attack Mitigation Best Practices............ 305

Topic 14A: Exploring Secure Software Development Practices..................... 306

Topic 14B: Recommending Controls to Mitigate Successful Application Attacks.......... 312

Topic 14C: Implementing Controls to Prevent Attacks.................................. 325

Appendix A: Mapping Course Content to CompTIA CySA+........................................A-1

Solutions......................................................................................................................... S-1

Glossary...........................................................................................................................G-1

Index................................................................................................................................. I-1

About This Course
CompTIA is a not-for-profit trade association with the purpose of advancing the
interests of IT professionals and IT channel organizations; its industry-leading IT
certifications are an important part of that mission. CompTIA's CySA+ certification
is an intermediate-level certification designed for professionals with four years of
hands-on experience as an incident response analyst or security operations center
(SOC) analyst.
This exam will certify the successful candidate has the knowledge and skills
required to detect and analyze indicators of malicious activity; understand
threat hunting and threat intelligence concepts; use appropriate tools and
methods to manage, prioritize, and respond to attacks and vulnerabilities;
perform an incident response process; and understand reporting and
communication concepts related to vulnerability management and incident
response activities.
CompTIA CySA+ Exam Objectives
CompTIA CySA+ meets the ISO 17024 standard and is approved by the U.S.
Department of Defense (DoD) to fulfill Directive 8570.01-M requirements.
It is compliant with government regulations under the Federal Information
Security Management Act (FISMA). Regulators and government rely on ANSI
accreditation because it provides confidence and trust in the outputs of an
accredited program. Over 3 million CompTIA ISO/ANSI-accredited exams have
been delivered since January 1, 2011.
comptia.org/certifications/cybersecurity-analyst

Course Description
Course Objectives
This course can benefit you in two ways. If you intend to pass the CompTIA CySA+
(Exam CS0-003) certification examination, this course can be a significant part of
your preparation. But certification is not the only key to professional success in the
security analyst field. Today's job market demands individuals with demonstrable
skills, and the information and activities in this course can help you build your
security analyst skill set so that you can confidently perform your duties in any
security analyst role.
On course completion, you will be able to do the following:
• Understand vulnerability response, handling, and management

• Explore threat intelligence and threat hunting concepts

• Explain important system and network architecture concepts

• Understand process improvement in security operations

• Implement vulnerability scanning methods

• Perform vulnerability analysis

• Classify vulnerability information

• Explain incident response activities

• Demonstrate incident response communication

• Apply tools to identify malicious activity

• Analyze potentially malicious activity


• Understand application vulnerability assessment

• Explore scripting tools and analysis concepts

• Understand application security and attack mitigation best practices

Target Student
The Official CompTIA CySA+ (Exam CS0-003) is the primary course you will need to
take if your job responsibilities include capturing, monitoring, and responding
to network traffic findings, software and application security, automation, threat
hunting, and IT regulatory compliance. You can take this course to prepare for the
CompTIA CySA+ (Exam CS0-003) certification examination.

Prerequisites
To ensure your success in this course, you should have four years of hands-on
experience as an incident response analyst or security operations center (SOC)
analyst. CompTIA Network+, Security+, or the equivalent knowledge is strongly
recommended.

The prerequisites for this course might differ significantly from the prerequisites for
the CompTIA certification exams. For the most up-to-date information about the exam
prerequisites, complete the form on this page:
www.comptia.org/training/resources/exam-objectives.

How to Use the Study Notes


The following notes will help you understand how the course structure and
components are designed to support mastery of the competencies and tasks
associated with the target job roles and will help you to prepare to take the
certification exam.

As You Learn
At the top level, this course is divided into lessons, each representing an area of
competency within the target job roles. Each lesson is composed of a number of
topics. A topic contains subjects that are related to a discrete job task, mapped
to objectives and content examples in the CompTIA exam objectives document.
Rather than follow the exam domains and objectives sequence, lessons and topics
are arranged in order of increasing proficiency. Each topic is intended to be studied
within a short period (typically 30 minutes at most). Each topic is concluded by one
or more activities, designed to help you to apply your understanding of the study
notes to practical scenarios and tasks.
In addition to the study content in the lessons, there is a glossary of the terms and
concepts used throughout the course. There is also an index to assist in locating
particular terminology, concepts, technologies, and tasks within the lesson and
topic content.

In many electronic versions of the book, you can click links on key words in the topic
content to move to the associated glossary definition, and on page references in the
index to move to that term in the content. To return to the previous location in the
document after clicking a link, use the appropriate functionality in your e-book
viewing software.


Watch throughout the material for the following visual cues.

Note: A Note provides additional information, guidance, or hints about a
topic or task.

Caution: A Caution note makes you aware of places where you need to be
particularly careful with your actions, settings, or decisions so that
you can be sure to get the desired results of an activity or task.

As You Review
Any method of instruction is only as effective as the time and effort you, the
student, are willing to invest in it. In addition, some of the information that you
learn in class may not be important to you immediately, but it may become
important later. For this reason, we encourage you to spend some time reviewing
the content of the course after your time in the classroom.
Following the lesson content, you will find a table mapping the lessons and topics to the
exam domains, objectives, and content examples. You can use this as a checklist as you
prepare to take the exam and to review any content that you are uncertain about.

As a Reference
The organization and layout of this book make it an easy-to-use resource for future
reference. Guidelines can be used during class and as after-class references when
you're back on the job and need to refresh your understanding. Taking advantage
of the glossary, index, and table of contents, you can use this book as a first source
of definitions, background information, and summaries.

Lesson 1: Understanding Vulnerability Response, Handling, and Management

LESSON INTRODUCTION
The role of leadership in cybersecurity operations cannot be overstated. This
lesson will review typical leadership responsibilities such as developing policies and
procedures, managing risk, developing controls, managing attack surfaces, routine
patching, and effective configuration management practices.

Lesson Objectives
In this lesson, you will do the following:
• Review policies and governance.

• Explore risk management principles.

• Understand different types of controls.

• Review attack surface management.

• Explore patch and configuration management.

• Review the importance of maintenance windows.



2 | The Official CompTIA CySA+ Study Guide (Exam CS0-003)

Topic 1A: Understanding Cybersecurity Leadership Concepts

EXAM OBJECTIVES COVERED


2.5 Explain concepts related to vulnerability response, handling, and management.

It is essential to understand the basic concept of leadership in the cybersecurity
field. A cybersecurity leader is responsible for creating a vision and setting goals
for a team to secure an organization’s assets. Additionally, they must understand
the technical and legal aspects of the industry and be able to advise on the best
approaches for providing appropriate levels of protection. Leaders must have
a deep understanding of the industry and its nuances and the ability to make
decisions quickly and confidently. A leader in cybersecurity must also possess
strong interpersonal skills to communicate effectively with a wide range of technical
and non-technical stakeholders.

Explore Policy and Governance Topics


The Role of Governance
It is easy for technologists to overlook the impact and importance of effective
leadership. While technology is at the heart of a security program, selecting
appropriate technologies designed to address carefully analyzed problems is
critically important. Looking for quick fixes is understandable, considering the
potential impact of cybersecurity incidents. The reality is that when technology
projects are driven by emotion, poorly planned, poorly designed, and implemented
in a rush, they do little to improve the organization’s security posture in a
meaningful way. It does not take much research to identify that data breaches
continue to increase rapidly but that spending on cybersecurity products is
also growing in parallel. One very reasonable conclusion from this mismatch is that
technology alone is ineffective. Spending money on technology alone does
very little. Only when technology is properly managed are its actual impacts
realized. Regardless of the technology brand or its features, proper planning and
management are necessary to succeed!
The desire for successful technology implementation outcomes drives the need
for a program designed to provide critical risk information to leadership teams. In
turn, leadership teams are responsible for crafting effective responses by changing
policies and processes to reflect their objectives. Establishing governance, risk,
and compliance (GRC) teams is a common strategy used to accomplish this goal.
Governance teams drive the company’s direction and respond to risks. Decisions
made by governance teams are grounded in the information provided by risk
managers. Risk managers look to compliance teams to help identify if observed
business practices align with established rules.

Lesson 1: Understanding Vulnerability Response, Handling, and Management | Topic 1A


Ultimately, governance teams are responsible for creating and maintaining
organizational policies used to direct the work of technical teams. Governance
defines the organization’s expectations of its employees and its approach to
cybersecurity.

The Importance of Policy


With this in mind, policy and procedure documents become “roadmaps.” When
properly constructed, policy and procedure documents provide guidance and clear
direction. Clear guidance and rules are critically important in cyber operations
where one decision or omission can differentiate between effective incident
response or disaster. Security operations centers (SOC) depend upon well-
established incident-handling practices and clearly defined responses. It is easy to
make mistakes when working under pressure. Well-crafted policies and procedures
define response actions and often remove much of the judgment needed when
making decisions under pressure. Additionally, policies and procedures steer
employees’ work to ensure consistent and reliable performance.
Cybersecurity service-level objectives (SLOs) are the standards that organizations
and their leadership must meet to ensure the security of their network. These
objectives help measure and assess how well security operations protect the
organization’s assets and assure its customers and stakeholders that systems and
data are safe and secure. These objectives must be realistic and achievable, and
they often reflect the latest security trends and best practices. Some
common security-related SLOs include mean time to detect (MTTD), mean time to
recover (MTTR), and time to patch.
Compliance teams depend upon policy documents and SLOs to measure work
performance and conformance. Actionable statements can be extracted from
policies and used to determine if work is being performed in a compliant manner.
Furthermore, when risk managers identify new risks, the expectation is that
governance teams will codify responses designed to address them by updating
policy. This entire process is dependent upon the written rules established in policy
documents!
For example, compliance teams may review patch management activities and
report back to risk managers regarding the time between the issuance of a security
patch and the time taken to apply it. Risk managers use this data to create a trend
report that identifies that “time to patch” has increased steadily over the last several
months. In response to this new risk item, risk managers work to determine that
several change requests related to security patching had their implementation
dates pushed back by department leaders. This information is provided to the
governance team, who are responsible for crafting a response. The governance
team’s response might be to establish that any requests to delay security patching
require two levels of management approval. The governance team would
then codify this decision in the existing change management policy, enabling
enforcement.


Explain Risk Management Principles


A risk management program works to identify risks and determine how to minimize
their likelihood or impact. After identifying risks, the next step is to handle them
using different responses. Responses to risk fall into four distinct categories.

Figure: Risk Responses. The four types of risk responses.

Avoid
Risk avoidance often means that you stop doing an activity that is risk-bearing.
For instance, risk managers may discover that a software application has
numerous high-severity security vulnerabilities. After reporting this new finding
and providing context to the risks, the governance team may decide that the cost
of maintaining the application, or the probability of catastrophic failure due to the
newly discovered vulnerabilities, is not worth its benefit and so choose to have it
decommissioned.

Accept
Risk acceptance means continuing to operate without change after evaluating
an identified risk item. The risk item could be related to software, hardware, or
existing processes. It is important to consider that there is risk in all we do; even
simple tasks in day-to-day life involve risks. But despite this, we are still productive
and largely safe so long as we are aware of risks and act within safe limits. Helping
organizations operate in this way is precisely the goal of risk management—to help
contain risks within carefully constructed and mutually agreed-upon boundaries
because it is impossible to eliminate risk.

Mitigate
Risk mitigation describes reducing exposure to risk items by implementing
mitigating controls to ensure that technical business operations are safe. For
example, there are many potential security issues associated with web applications.


Since web applications are a critical component of many business processes,
we must determine how to operate them safely while meeting the organization’s
needs. To do this, we use various means to improve the web application’s safety
and security through mitigating controls.
By implementing effective mitigating controls, we can reduce the overall risk.
We implement mitigating controls until risk levels are reduced to a level deemed
“acceptable” by risk managers and governance teams.

Transfer
Risk transference (or sharing) means assigning risk to a third party, which is most
typically accomplished through insurance policies. Insurance transfers financial
risks to a third party. This is an important strategy as the cost of data breaches, and
other cybersecurity events, can be extremely high and result in bankruptcy.

Risk Management Exceptions


Despite the presence of mitigating controls, some risks may still be troublesome.
It could also be that mitigating controls are not available to help reduce the risk
level. In such cases, a different risk response, such as avoidance, might be warranted.
Circumstances may warrant a risk exception if a different risk response is not
reasonable or feasible. Issuing a risk exception is a serious decision and must
include careful documentation identifying why the risks are concerning and specific
justifications describing why an exception is warranted. The explanation should
document the dates when the decision to issue an exception was made and include
the signatures of all involved.

Explore Threat Modeling


Threat Modeling
When considering appropriate risk responses, it is essential to understand
precisely which threat actors are in scope for the organization. The most advanced
adversaries typically focus on military, federal-level government agencies, high-tech
companies, and large financial institutions. Accurately identifying threat actors that
may turn their attention to the organization helps shape appropriate response and
detection capabilities. Many organizations need only foundational levels of cyber
capability because the resources required to resist an advanced adversary typically
outstrip the resources available to most organizations.
Threat modeling is designed to identify the principal risks and tactics, techniques
and procedures (TTPs) that a system may be subject to by evaluating the system
both from an attacker’s point of view and from the defender’s point of view. For
each scenario-based threat situation, the model asks whether defensive systems
are sufficient to repel an attack perpetrated by an adversary with a given level of
capability. Threat modeling can be used to assess risks against corporate networks
and business systems, and it can also be performed against more specific targets,
such as a website or software deployment. The outputs from threat modeling
can be used to build use cases for security monitoring and detection systems.
Threat modeling is typically a collaborative process, with inputs from a variety of
stakeholders. In addition to cybersecurity experts with knowledge of the relevant
threat intelligence and research, stakeholders can include nonexperts, such as
users and customers, and persons with different priorities to the technical side,
such as those who represent financial, marketing, and legal concerns.


Figure: Threat model diagram using Microsoft Threat Modeling Tool. (Used with permission from Microsoft.)

This diagram shows how a system can be deconstructed to its functional parts
so that each area can be analyzed for potential weaknesses. Descriptions can be
added to the diagram to aid the project management team and help measure
progress.

Review Activity: Cybersecurity Leadership Concepts


Answer the following questions:

1. True or false. Cybersecurity operations are driven by technical
implementers.

2. What is the name of the team that risk managers depend upon to assess
whether work is being performed in accordance with policy?

3. Risk ____________________ requires that activities with high levels of risk are
stopped.

4. What activity is focused on deconstructing a system to better
understand the threats and exploits that might impact it?

Topic 1B: Exploring Control Types and Methods

EXAM OBJECTIVES COVERED


2.5 Explain concepts related to vulnerability response, handling, and management.

Security controls are an integral part of any organization’s security strategy. They
help reduce risk by minimizing the attack surface and addressing vulnerabilities.
Security controls can include technical measures, such as firewalls and encryption,
and nontechnical measures, such as employee training and awareness. Security
controls can help protect an organization’s valuable assets and data from
unauthorized access, theft, and destruction when implemented correctly.

Security Control Categories


It is common to find that many security controls are deployed quickly, often as
a reactive response to newly identified threats. In the early years of cyber defense,
this approach was practical. For example, firewalls provided quick and effective
protection and were straightforward to deploy; the level of protection a simple
firewall provided at the time was comprehensive compared to what is needed
today. As viruses and worms began to infect computer systems through the 1990s,
organizations deployed antivirus software on workstations and servers. This
approach was simple, effective, and solely focused on preventative measures.
At the time, this approach worked.
As modern cyber threats have become increasingly sophisticated, the ability to
implement relatively simple controls with high levels of protection is becoming
much rarer. Current infrastructures are complicated and require layered security
controls deployed in a structured and systematic way. Additionally, in the early
years of computing, organizations were far less dependent on technology
resources, and technology risks were less severe.
A modern approach to security requires integrating several different types of
controls, not only preventative but also detective, corrective, compensating, and
responsive. Several standards and frameworks exist to help practitioners better
understand practical control types. Some examples include NIST Special Publication
800-53 Security and Privacy Controls for Federal Information Systems and
Organizations (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf),
NIST Special Publication 800-171 Protecting Controlled Unclassified
Information in Nonfederal Systems and Organizations
(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf),
the ISO 27001 standards (https://www.iso.org/isoiec-27001-information-security.html),
and the CIS Controls (https://www.cisecurity.org/controls).

The National Institute of Standards and Technology (NIST) Special Publications
discussed in this course are available at csrc.nist.gov/publications/sp. ISO 27001 is a
proprietary standard (iso.org/standard/54534.html).

Lesson 1: Understanding Vulnerability Response, Handling, and Management | Topic 1B

CS0-003_Lesson01_pp001-020.indd 8 4/5/23 9:35 AM


The Official CompTIA CySA+ Study Guide (Exam CS0-003) | 9

Each control is also organized into different classes, based on the dominant
characteristics of the control. The three classes are as follows:
• Technical—The control is implemented as a system (hardware, software, or
firmware). For example, firewalls, antivirus software, and OS access control
models are technical controls. Technical controls may also be described as
logical controls.

• Operational—The control is implemented primarily by people rather than
systems. For example, security guards and training programs are operational
controls rather than technical controls.

• Managerial—The control gives oversight of the information system. Examples
could include risk identification or a tool allowing the evaluation and selection of
other security controls.

The significance of these classes is that they are referenced when measuring
how effectively assets are protected. The objective is to implement controls in
each of the three classes; for example, to identify that a system is protected by
preventative, detective, corrective, compensating, and responsive controls in each
of the three classes.

Security Control Functional Types


However they are classified, as a category or family, controls can also be described
according to the goal or function they perform:
• Preventative—The control acts to eliminate or reduce the likelihood that an
attack can succeed. A preventative control operates before an attack can take
place. Access control lists (ACL) configured on firewalls and file system objects
are preventative-type controls. Anti-malware software also acts as a preventative
control, by blocking processes identified as malicious from executing. Directives
and standard operating procedures (SOPs) can be thought of as administrative
versions of preventative controls.

• Detective—The control may not prevent or deter access, but it will identify and
record any attempted or successful intrusion. A detective control operates during
the progress of an attack. Logs provide one of the best examples of detective-
type controls.

• Corrective—The control acts to eliminate or reduce the impact of an intrusion
event. A corrective control is used after an attack. A good example is a backup
system that can restore data that was damaged during an intrusion. Another
example is a patch management system that acts to eliminate the vulnerability
exploited during the attack.

• Compensating—The control serves as a substitute for a principal control, as
recommended by a security standard, and affords the same (or better) level of
protection but uses a different methodology or technology.

As no single security control provides complete protection, each is like a link in a
chain, with each control contributing to the overall strength of the chain. A link’s
weakness impacts the overall effectiveness of the chain, but unlike an actual chain,
a failure in one control should not result in a complete loss. It might be practical to
think of each control type as an individual chain composed of a series of individual
controls of that same type.
Often overlooked and underestimated, responsive controls are designed to assist
in the event of an incident. Protection and detection go a long way to defend a
network, but at some point bad things are going to happen. Without responsive
controls, a security event can spiral out of control very quickly.


• Responsive—These controls serve to direct corrective actions enacted after an
incident has been confirmed. In a Security Operations Center (SOC), responsive
controls might include several very well-defined actions to be taken by an
analyst after identifying a specific issue. These actions are often documented in a
playbook.

Adopting a functional approach to security control selection allows you to devise
a Course of Action (CoA) matrix that maps security controls to known adversary
tools and tactics, matching your cybersecurity defensive capabilities to the offensive
capabilities of potential cyber adversaries.

Prioritization & Escalation


Vulnerability response prioritization and escalation are integral to managing
security risks. After identifying vulnerabilities, they must be classified according
to their severity and potential impact on the organization. Vulnerabilities with
the highest severity and potential impact must be prioritized and addressed first,
while those with lower severity and potential impact can be addressed later. It is
also important to ensure that any high-severity vulnerabilities are escalated to
all relevant stakeholders to ensure they are informed and can contribute to the
response as necessary. Additionally, it is vital to have an established process for
escalating vulnerabilities in case the severity of the vulnerability changes or the
vulnerability is exploited before remediations are implemented.
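One way to encode the prioritization and escalation rules just described, as an added example that is not the study guide's own material: the severity and impact scales, the escalation floor of "high", and the finding identifiers and asset names are all constructed assumptions for the illustration.

```python
# Added example: prioritization and escalation of vulnerability findings.
# Scales and the escalation floor are assumptions for this illustration;
# identifiers are placeholders, not real CVEs.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
IMPACT_RANK = {"high": 3, "medium": 2, "low": 1}
ESCALATION_FLOOR = "high"  # findings at or above this go to stakeholders on discovery


def priority_key(v):
    """Actively exploited findings first, then severity, then business impact."""
    return (bool(v.get("exploited")), SEVERITY_RANK[v["severity"]], IMPACT_RANK[v["impact"]])


def prioritize(findings):
    """Work queue: highest severity and impact first; remediated items drop out."""
    open_items = (v for v in findings if not v.get("remediated"))
    return [v["id"] for v in sorted(open_items, key=priority_key, reverse=True)]


def escalation_reasons(current, previous=None):
    """Reasons this finding must be escalated now. `previous` is the earlier
    snapshot of the same finding (None on first triage), so escalation fires on
    discovery of a high-severity issue, when the severity later increases, and
    when exploitation is observed before remediation."""
    reasons = []
    sev = SEVERITY_RANK[current["severity"]]
    if previous is None and sev >= SEVERITY_RANK[ESCALATION_FLOOR]:
        reasons.append("new finding at or above escalation floor")
    if previous is not None and sev > SEVERITY_RANK[previous["severity"]]:
        reasons.append("severity increased since last review")
    newly_exploited = current.get("exploited") and not (previous or {}).get("exploited")
    if newly_exploited and not current.get("remediated"):
        reasons.append("exploited before remediation")
    return reasons


def reassess(previous_findings, current_findings):
    """Compare two snapshots of the register; return id -> escalation reasons."""
    prev_by_id = {v["id"]: v for v in previous_findings}
    result = {}
    for v in current_findings:
        reasons = escalation_reasons(v, prev_by_id.get(v["id"]))
        if reasons:
            result[v["id"]] = reasons
    return result


# Constructed register snapshots (placeholder ids, not real vulnerabilities).
INITIAL = [
    {"id": "VULN-A", "asset": "hr-portal", "severity": "medium", "impact": "high"},
    {"id": "VULN-B", "asset": "lobby-kiosk", "severity": "critical", "impact": "low"},
    {"id": "VULN-C", "asset": "payments-api", "severity": "high", "impact": "high"},
    {"id": "VULN-D", "asset": "test-vm", "severity": "low", "impact": "low", "remediated": True},
]
# Later snapshot: A was re-rated upward, and C is now being exploited.
UPDATED = [
    {"id": "VULN-A", "asset": "hr-portal", "severity": "high", "impact": "high"},
    {"id": "VULN-B", "asset": "lobby-kiosk", "severity": "critical", "impact": "low"},
    {"id": "VULN-C", "asset": "payments-api", "severity": "high", "impact": "high", "exploited": True},
    {"id": "VULN-D", "asset": "test-vm", "severity": "low", "impact": "low", "remediated": True},
]

if __name__ == "__main__":
    print("initial queue:", prioritize(INITIAL))
    print("initial escalations:", reassess([], INITIAL))
    print("updated queue:", prioritize(UPDATED))
    print("new escalations:", reassess(INITIAL, UPDATED))
```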

Managing Attack Surfaces


As previously described, threat models are valuable tools that allow a system to be
deconstructed into its functional parts to understand better how a threat actor
might exploit it. Furthermore, threat models seek to identify which threat actors
are likely to attempt to exploit the system. The goal of the threat model is to help
determine how to improve a system’s security posture, and part of this exercise
often includes attack surface management and hardening.
An attack surface describes all potential pathways a threat actor could use
to gain unauthorized access or control. Each piece of software, service, and
every enabled protocol on an endpoint offers a unique opportunity for attack.
Removing or disabling as many of these as possible can significantly reduce the
number of (potentially) exploitable pathways into a system. Additionally, default
configurations typically favor functionality and compatibility over security, so it is
essential to understand how to customize a system to allow for the most secure
type of operation, not necessarily the most convenient. Several hardening guides
are available that outline secure configurations in precise detail. Two popular
sources of best-practice configuration are the Center for Internet Security (CIS)
Benchmarks and the Department of Defense’s Security Technical Implementation
Guides (STIGs). As of this writing, the CIS Benchmark for Windows 10 had over 1,000
pages of recommended configuration changes!

More information about DoD STIGs is available at https://public.cyber.mil/stigs/, and CIS
Benchmarks are available at https://www.cisecurity.org/cis-benchmarks/.


An organization’s attack surface is broad, and every asset is interconnected. The
overall attack surface is composed of every asset’s attack surface. To keep this
in perspective, every on-premises device, cloud resource, external service (e.g.,
software as a service (SaaS), online storage, or software repository), or external
network configured to access the organization is part of the attack surface. Attack
surface management describes the methods used to continuously monitor
an environment to quickly identify changes to its attack surface. This type of
monitoring seeks to continuously locate shadow IT and other unknown devices,
weak or default passwords, misconfigurations, missing patches, and many other
items of concern.

Managing the Attack Surface


Managing the attack surface means maintaining awareness of exposed services and
ensuring they operate securely per organizational policy. Maintaining awareness
necessitates continuous discovery and routine evaluation of configurations to
ensure they are secure and working as intended. The most attack-prone area of an
organization’s infrastructure is the edge, which includes any services exposed to the
Internet. In 2007, a University of Maryland study identified that Internet-connected
services experience an attack every 39 seconds, and these numbers are likely worse
today (https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds).
With these numbers in mind, it is critically important to quantify services exposed to
the Internet and to identify any changes to this footprint quickly.
Passive discovery can be a practical approach to managing the attack surface.
Passive discovery describes the methods used to identify systems, services, and
protocols indirectly. Passive discovery, such as network packet capture, can reveal
information about network-connected hosts, communications channels, protocols
in use, and activity patterns. Passive discovery is beneficial as it leverages careful
observation to show characteristics of network-connected software and devices.
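As an added illustration of passive discovery from a packet capture (example code written for this edit, not the study guide's own), the following script assembles a small, constructed libpcap file in memory and infers hosts, protocols, and listening services from it without transmitting anything; every address, port, and timestamp is made up.

```python
import struct

# Constructed sample traffic (not a real capture): a tiny libpcap file is
# assembled in memory below so the discovery logic runs fully offline.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {6: "tcp", 17: "udp"}

def _ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header, no options; checksum left at zero (never transmitted)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def build_frame(src, dst, proto, sport, dport, tcp_flags=0):
    """Ethernet/IPv4/(TCP|UDP) frame with an empty payload."""
    if proto == 6:  # TCP: 20-byte header, data offset 5, flags as given
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:           # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    return eth + _ipv4_header(src, dst, proto, len(l4)) + l4

def build_pcap(frames):
    """Little-endian libpcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(data):
    """Yield raw link-layer frames from a little-endian libpcap byte string."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def discover(pcap_bytes):
    """Passive discovery from observed traffic only.
    A TCP service is confirmed when a host answers with SYN/ACK; a lone SYN
    (or any UDP datagram) only records an 'attempted' contact, because the
    capture cannot prove anything is listening there."""
    hosts, protocols, services, attempted = set(), set(), set(), set()
    for frame in iter_frames(pcap_bytes):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        hosts.update((src, dst))
        name = PROTO_NAMES.get(proto)
        l4 = frame[14 + ihl:]
        if name is None or len(l4) < 8:
            continue
        protocols.add(name)
        sport, dport = struct.unpack("!HH", l4[:4])
        if name == "tcp":
            flags = l4[13]
            if flags & 0x02 and flags & 0x10:      # SYN+ACK: server replied
                services.add((src, sport, "tcp"))
            elif flags & 0x02:                     # SYN only: client attempt
                attempted.add((dst, dport, "tcp"))
        else:
            attempted.add((dst, dport, "udp"))
    attempted -= services  # anything later answered is a confirmed service
    return {"hosts": hosts, "protocols": protocols,
            "services": services, "attempted": attempted}

# Constructed capture: a SYN/SYN-ACK exchange on 443, one unanswered SYN to a
# database port, and one DNS query.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.10", 6, 51000, 443, tcp_flags=0x02),   # SYN
    build_frame("10.0.0.10", "10.0.0.5", 6, 443, 51000, tcp_flags=0x12),   # SYN/ACK
    build_frame("10.0.0.5", "10.0.0.10", 6, 51001, 3306, tcp_flags=0x02),  # SYN, no reply
    build_frame("10.0.0.5", "10.0.0.53", 17, 40000, 53),                   # DNS query
])

if __name__ == "__main__":
    for key, values in discover(SAMPLE_PCAP).items():
        print(f"{key}: {sorted(values)}")
```

Replace `SAMPLE_PCAP` with the bytes of a real little-endian Ethernet capture to inventory an actual segment; the distinction between confirmed and merely attempted services is what keeps a passive inventory honest.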
Edge discovery seeks to define the “edge” of the network fully. It is easy to assume
that the edge is composed only of Internet-facing servers. The edge is instead
composed of every device with Internet connectivity. Assuming that attacks will
occur from the Internet, anything accessible to it must be considered as part of the
edge. The US Cybersecurity & Infrastructure Security Agency (CISA) identified that
90% of successful cyberattacks start with a phishing email
(https://www.cisa.gov/shields-up). This fact underscores that an organization’s edge
is much broader than is often assumed.

Evaluating the Attack Surface


Sometimes, security controls do not operate as expected; therefore, it is crucial to
perform testing to ensure that they are working correctly. Also, security controls
are often modified or disabled by support staff while working to resolve trouble
tickets. For these reasons, a testing plan must be in place and designed to validate
controls are functioning as intended. Examples include validating that firewalls only
allow the right traffic to pass, that endpoint protection is operating properly on
employee workstations, and that web application firewalls correctly identify and
block injection attacks, to name just a few.


Not all control weaknesses or misconfigurations are easy to identify. In the same
regard, having confidence that sufficient controls are in place is challenging.
Leveraging the analytical skills of an expert practitioner is irreplaceable. Adversary
emulation, penetration testing, and bug bounty programs are all designed to
assess an organization’s security posture as thoroughly as possible. A penetration
test involves hiring a trusted offensive security expert to fill the role of an attacker,
tasking them to exploit the environment and evaluate the effectiveness of existing
protections. The penetration test includes a findings report crafted with details
regarding identified weaknesses and recommended remediations. Another type
of penetration test, referred to as adversary emulation, seeks to mimic the actions
of known threat actor groups. The MITRE ATT&CK® framework typically forms the
basis of this type of assessment. After a threat assessment identifies threat actor
groups, the ATT&CK framework provides details regarding their tactics, techniques,
and procedures (TTPs). Emulating these TTPs helps assess whether existing
protections are sufficient to stop attacks characteristic of the threat actor.
One last assessment method involves offering rewards for responsible disclosure
of vulnerabilities. Bug bounties allow organizations to define areas of their
environment they would like help protecting. The bug bounty identifies elements
of the environment that are in scope for testing and the rewards available for
reporting issues. This approach incentivizes offensive security professionals to
assess controls on an ongoing basis and can also help identify unknown and
undocumented vulnerabilities. Bugcrowd (https://www.bugcrowd.com/) and
HackerOne (https://www.hackerone.com/) are popular bug bounty platforms.

Penetration Testing and Adversary Emulation


Penetration testing and adversary emulation are techniques used to assess
an organization’s attack surface and identify vulnerabilities. Both techniques
supplement attack surface management and help improve an organization’s
security posture.
Penetration testing involves simulating an attack on an organization’s network to
identify vulnerabilities and weaknesses. The goal is to identify the most vulnerable
components within an organization’s environment and determine how an attacker
could exploit them. The penetration test results are then used to prioritize risk
mitigation efforts and reduce the attack surface.
Adversary emulation, on the other hand, involves simulating a real-world cyber
attack by an actual adversary to assess an organization’s defenses. This technique
involves a more comprehensive and realistic simulation of a targeted attack. The
goal is to identify gaps and weaknesses in an organization’s security infrastructure
that a known threat actor typically targets. Doing so helps the organization improve
its ability to detect and respond to specific attacks associated with the threat actor
instead of generalized attacks used in penetration testing.
Organizations can reduce their risk of a successful cyber attack by identifying and
mitigating vulnerabilities before attackers exploit them. Attack surface management
provides a framework for organizations to assess and manage their attack surface,
and penetration testing and adversary emulation are techniques used to evaluate
the effectiveness of the organization’s security measures.


Reducing the Attack Surface


Some methods commonly incorporated to reduce the attack surface include the
following:
• Asset inventory—Conducting an inventory of all hardware and software
assets and user accounts in the environment. Once identified, the team must
determine which assets are essential for business operations and which can be
removed.

• Access control—Implementing strict access control measures, such as
multifactor authentication, can reduce the attack surface significantly. Limiting
access to sensitive data and systems reduces the risk of unauthorized access.

• Patching and updating—Regularly patching and updating software and
firmware can prevent attackers from exploiting known vulnerabilities. Patching
should be performed via automated patch management systems.

• Network segmentation—Segmenting a large network into smaller subnets
can limit the damage an attacker can cause. By segmenting the network, the
breaches and infections can be more effectively contained, thereby reducing the
attack surface.

• Removing unnecessary components—Removing hardware or software
components reduces the attack surface. By removing software, the organization
eliminates a pathway that attackers can exploit.

• Employee training—Employee training can help reduce the attack surface
by raising awareness of the potential risks and the importance of security
measures. Regular training can help employees recognize and report potential
security threats, reducing the likelihood of successful attacks.


Review Activity:
Control Types and Methods

Answer the following questions:

1. The leadership teams would like to develop controls designed to provide
oversight of various information systems. What type of control does this
describe?

2. A web application firewall identifies and records any attempted or
successful intrusion to a log file. What category of control does this
describe?

3. After identifying that a port scan was performed on an internal database
system, a security analyst performs a series of well-defined steps to
further investigate the issue. What type of control objective does this
describe?

4. What is being analyzed when all potential pathways a threat actor could
use to gain unauthorized access or control of a system are identified and
documented?

5. Systems, services, and protocols are discovered and characterized by
analyzing network packet captures. What type of discovery technique
does this describe?


Topic 1C
Explaining Patch Management
Concepts

EXAM OBJECTIVES COVERED
2.5 Explain concepts related to vulnerability response, handling, and management.

Patch management is an essential part of IT security. It involves regularly
monitoring, assessing, and updating an organization’s software, such as operating
systems, applications, and device drivers. Patch management aims to ensure
organizations have the latest security updates and patches to protect their systems
from potential vulnerabilities. It should also include a plan for applying these
patches promptly and a backup plan in case of disruptions. Patch management
requires an ongoing effort, but it is an integral part of an organization’s security
posture.

Explain Software Patching and Host Protections


Operating System, Application, and Firmware Patching
The volume of software vulnerabilities and related patches and updates continues
to expand at an ever-increasing pace. Managing and applying patches is time-
consuming and necessitates a centralized patch management system.
Patches are inevitable and apply to a wide variety of operating systems, application
software, cloud instances, and device firmware. Patch management can be
a manual process, an automated process, or a combination of both. Patch
automation is essential but often requires occasional manual work to address
problems related to deployment or installation errors. For example, administrators
might develop custom scripts designed to help patch management systems more
accurately identify missing patches, search for specific hardware information, or
gracefully stop and start system services prior to patching.
An effective patch management strategy requires patch management software to
be configured based on the risks associated with each system and its applications.
Mission-critical systems need to be treated differently than less critical ones to
support availability requirements. Desktops are often patched as quickly as possible
after a brief testing phase.
Important patch management considerations include the following:
• An individual or task-specific team responsible for reviewing vendor-supplied
newsletters and security patch bulletins

• Mechanisms to patch operating systems and all applications running on them,
regardless of application vendor

• Patch management principles that incorporate cloud resources

• Assigning updates into urgent, important, and noncritical categories

Lesson 1: Understanding Vulnerability Response, Handling, and Management | Topic 1C


• A patch test environment where urgent and important patches can be installed,
tested, and analyzed prior to deployment into production

• Detailed logging designed to support monitoring and troubleshooting of patch
deployment activities

• A method to evaluate firmware updates prior to deployment

• Immediate push delivery of critical security patches

• A routine schedule for the rollout of noncritical patches

Patch testing aims to determine whether a software patch creates problems with
the organization’s unique mix of hardware, software, and configuration settings.
Patch testing should primarily involve testing a patch on a single isolated system
to determine whether a patch causes problems, such as software crashes or
system instability. Additionally, testing should validate that issues addressed by
the software patch work as expected—for example, a patch successfully removes
a vulnerability. A common way to test a patch is by setting up a non-production
environment hosting like-for-like mission-critical applications, including enterprise
applications and networking systems (where available). Doing this allows patches
to be deployed by infrastructure teams, validated by software support staff, and
assessed by security teams before deployment into the production environment.
Additionally, vulnerability scans should verify that patches only resolve
vulnerabilities and do not introduce any new ones!

Image of AWS Patch Manager compliance report. (Screenshot courtesy of Amazon.com.)


Explore Configuration Management


Centralized Operating System, Application, and
Device Management
Control over endpoint configuration is the role of centralized configuration
management systems. Centralized configuration management plays a critical role in
infrastructure as code, CI/CD, and DevOps environments but also plays a vital role
in traditional environments. A centralized configuration management system allows
an administrator to define device configuration settings on a management server
and then push the settings to endpoints in an automated way.
Centralizing configurations enables consistency as the configuration is defined once
and applied to many systems. Additionally, the configuration is enforced, meaning
the central management server will overwrite changes made to an individual
endpoint’s configuration. As a result, the central management server can provide
near-real-time visibility into configuration changes. Near-real-time visibility into
device configurations enables continuous compliance monitoring. When a secure
configuration is centrally configured and controlled in this way, any changes to it
(on an endpoint) will generate an immediate alert.
Examples of configuration management tools include the following:
• Chef - https://www.chef.io/

• Puppet - https://puppet.com/

• Ansible - https://www.ansible.com/

• Terraform - https://www.terraform.io/

Image of Chef iptables cookbook. (Screenshot used with permission from Progress
Software Corporation).

This diagram shows a Chef cookbook for the iptables firewall software. Chef
cookbooks include everything needed to install and configure the software.
Cookbooks are often shared to benefit the community of Chef users.


Understand Maintenance Windows


Many organizations adopt routine maintenance windows so administrators can
perform maintenance tasks during these pre-established times. Maintenance
windows enable preventative maintenance and consistent deployment of
noncritical patches. All work planned during maintenance windows should comply
with change management policies. Computers and devices are often restarted
during maintenance windows, and various services are also modified, restarted,
and added. Monitoring infrastructure must be able to correlate events like these to
a scheduled maintenance window to adjust alert severity ratings.

Maintenance tasks typically fall into one of two categories, reactive and proactive.
Administrators perform reactive maintenance in response to a problem or an outage.
Proactive maintenance is designed to prevent future issues or safely perform work that
may impact system performance. Maintenance windows are generally associated with
preventative maintenance tasks, as reactive maintenance typically cannot be delayed!

Analysis of events occurring during maintenance is essential, as a savvy attacker
might try to avoid detection by performing actions during these times. Knowing
what will happen in a maintenance window is critical to help discern between
authorized and unauthorized events. A poorly planned and managed maintenance
window can be a nightmare for the SOC as it tries to manage a sudden surge in
alerts and warnings generated by numerous services as they are added, modified,
and restarted!
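The correlation described above, as an added example that is not from the study guide: the maintenance window, the change plan, and the key=value event lines are all constructed, and the triage rule (planned changes inside the window are downgraded, unplanned changes inside the window are raised) is an assumed policy rather than one the guide defines.

```python
from datetime import datetime, timezone

# Constructed maintenance window and change plan for this example (not real
# data). The change ticket lists, per host, the services expected to change.
WINDOW = {
    "start": datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc),
    "end": datetime(2024, 3, 10, 4, 0, tzinfo=timezone.utc),
    "change_id": "CHG-PLACEHOLDER",
    "planned": {
        "web01": {"nginx", "reboot"},
        "db01": {"postgresql"},
    },
}

# Constructed sample events in a simple key=value line format.
SAMPLE_EVENTS = """\
ts=2024-03-10T02:05:00Z host=web01 action=service_restart service=nginx severity=medium
ts=2024-03-10T02:07:00Z host=web01 action=reboot service=reboot severity=medium
ts=2024-03-10T02:30:00Z host=db01 action=service_restart service=postgresql severity=medium
ts=2024-03-10T02:41:00Z host=db01 action=new_service service=telnetd severity=medium
ts=2024-03-10T03:10:00Z host=hr01 action=service_restart service=smbd severity=medium
ts=2024-03-10T05:15:00Z host=web01 action=service_restart service=nginx severity=medium
"""


def parse_event(line):
    """Split 'k=v k=v ...' into a dict and parse the UTC timestamp."""
    ev = dict(token.split("=", 1) for token in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def triage(line, window=WINDOW):
    """Return (disposition, severity) for one event.
    Planned changes inside the window are downgraded to informational so the
    SOC is not flooded; anything inside the window that is NOT on the change
    ticket is raised, since an attacker may try to hide in maintenance noise;
    events outside the window keep their original severity."""
    ev = parse_event(line)
    if not (window["start"] <= ev["ts"] <= window["end"]):
        return ("outside_window", ev["severity"])
    expected = window["planned"].get(ev["host"], set())
    if ev["service"] in expected:
        return ("planned_change", "informational")
    raised = "critical" if ev["severity"] == "critical" else "high"
    return ("unplanned_in_window", raised)


def triage_all(text, window=WINDOW):
    """Triage every non-empty line; returns (host, service, disposition, severity) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        disposition, severity = triage(line, window)
        rows.append((ev["host"], ev["service"], disposition, severity))
    return rows


if __name__ == "__main__":
    for row in triage_all(SAMPLE_EVENTS):
        print(*row)
```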
Patch management teams rely on maintenance windows to complete patch
rollouts. The duration of the maintenance window can be a significant constraint.
Change management policy dictates that patching must finish quickly enough
to accommodate rollback plans if trouble occurs—without overrunning the
maintenance window. Change management rollback is the process of undoing a
system’s changes to restore the system to an earlier, pre-change state. Rollbacks
can be performed manually or automatically, depending on the system, and are
done to return a system to its previous state. The need for a rollback is not always
obvious. Even after passing initial tests, some changes introduce issues that may
not become apparent until after a system is subjected to heavy workloads or
scenarios that are not easy to test. After changes have been made to a system,
analysts must monitor it to verify it is operating as expected. Monitoring often
involves log monitoring (looking for errors or warnings) and performance
monitoring (comparing characteristics against an established baseline).


Review Activity:
Patch Management Concepts

Answer the following questions:

1. True or False. Advanced endpoint protection tools eliminate the need for
operating system patching.

2. True or False. Critical security patches are best implemented during the
next most convenient maintenance window.

3. What tool allows administrators to centrally create and enforce software
settings?

4. True or False. Systems should not be monitored during maintenance
windows to avoid confusion.

5. Which policy dictates how work is completed during a maintenance
window?


Lesson 1
Summary

This lesson explored the role of leadership in cybersecurity operations and many
methods used to organize, plan, and prioritize work. The lesson reviewed many
leadership responsibilities, including developing policies and procedures, managing
risk, developing controls, managing attack surfaces, routine patching, and effective
configuration management practices.

Guidelines
• Policies are produced by governance teams and dictate how work tasks are
performed.

• Risk management is a specialized discipline that advises governance teams.

• Attack surfaces are complicated and require continuous management and
monitoring.

• Patch and configuration management play a significant role in protecting
endpoints.

Lesson 1: Understanding Vulnerability Response, Handling, and Management
