Network Architecture
A security practitioner needs a thorough comprehension of the architecture of their network. In this section, you will learn about three architecture designs: on-premises, cloud, and hybrid. Network segmentation and zero-trust concepts will also be covered. Finally, two cloud-based network solutions, secure access service edge (SASE) and software-defined networking (SDN), will be discussed. You may find one, several, or all of these concepts present in your network, and it is important to understand the security considerations and potential impact of each.
Base network access relies on media access control (MAC) addresses, Internet Protocol (IP) addresses, and Address Resolution Protocol (ARP) messages. A MAC address is an identifier assigned to every network interface, such as a network interface card (NIC), and is intended to be unique. It is a 48-bit address written in hexadecimal, for example, 00:1A:2B:3C:4D:5E. A security concern is that MAC addresses can be changed or spoofed in software, allowing one device to impersonate another. Every device linked to a computer network is given a numerical identity called an IP address; by specifying a source and a destination on the internet or a local network, it lets devices communicate with one another. ARP enables communication on a local network by resolving IP addresses to MAC addresses. A device that needs to reach an IP address on its segment broadcasts a request asking, in effect, “Who has this IP address?” and records the MAC address from the reply in its ARP table for future communications. ARP requests are link-layer broadcasts that routers do not forward, so they stay on the local network or subnetwork. ARP has no authentication, so a device on the same segment can answer for an address it does not own and redirect traffic to itself (ARP spoofing or poisoning), which is why unexpected changes to an IP-to-MAC mapping are worth detecting.
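The following Python example is added here to make the ARP exchange concrete; it is not code from the original text. It builds Ethernet/IPv4 ARP frames in the RFC 826 layout, parses them back, and keeps a small ARP table that flags an IP address whose MAC address changes, which is the symptom a spoofed reply produces. The MAC and IP addresses and the three-frame sequence are constructed sample data, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an Ethernet/IPv4 ARP packet.

    A request goes to the broadcast MAC so every host on the segment sees it;
    a reply is unicast back to the asking host.
    """
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    ethernet = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP packet inside an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    return ArpPacket(op, mac_str(body[0:6]), ip_str(body[6:10]),
                     mac_str(body[10:16]), ip_str(body[16:20]))


class ArpTable:
    """IP -> MAC cache learned from replies; records an alert when an IP's MAC changes."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}
        self.alerts: List[str] = []

    def learn(self, pkt: ArpPacket) -> None:
        if pkt.op != ARP_REPLY:
            return  # requests only say who is asking; we cache the answers
        previous = self.entries.get(pkt.sender_ip)
        if previous is not None and previous != pkt.sender_mac:
            self.alerts.append(f"{pkt.sender_ip} moved from {previous} to {pkt.sender_mac}")
        self.entries[pkt.sender_ip] = pkt.sender_mac


def demo() -> ArpTable:
    """Constructed traffic: a host asks for its gateway, the gateway answers, then an attacker answers too."""
    host, gateway, attacker = "00:1a:2b:3c:4d:5e", "00:aa:bb:cc:dd:01", "de:ad:be:ef:00:01"
    frames = [
        build_arp_frame(ARP_REQUEST, host, "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp_frame(ARP_REPLY, gateway, "192.168.1.1", host, "192.168.1.20"),
        build_arp_frame(ARP_REPLY, attacker, "192.168.1.1", host, "192.168.1.20"),  # unsolicited, spoofed
    ]
    table = ArpTable()
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            table.learn(pkt)
    return table
```

Running `demo()` leaves the table pointing 192.168.1.1 at the attacker's MAC, exactly as a real host's cache would, with one alert recorded for the change. Real ARP inspection tools such as a switch's dynamic ARP inspection do the same comparison against a trusted binding table rather than against whatever answer arrived first.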
There are several different types of networks, and here, you will read about three: local area network (LAN), virtual local area network (VLAN), and wide area network (WAN). A LAN is a limited-size network connecting devices within a home, office building, or campus. A VLAN is a logical segmentation of a LAN that exists on the same hardware rather than requiring another physical LAN with additional equipment; this allows additional security and control over traffic flow. A WAN is a collection of multiple LANs spanning a larger area, such as connecting multiple offices, often over long distances such as in different states.
Two additional protocols facilitate communication within and between these networks: Transmission Control Protocol (TCP) and Border Gateway Protocol (BGP). BGP is the routing protocol used between autonomous systems on the internet and is commonly used to connect an organization's sites, or LANs, into a WAN. It assists routing by maintaining a table of reachable IP networks (prefixes) and the paths to them, so that packets can be routed toward the proper destination over the best available path. TCP is one of the main protocols used for communication between network devices. It is connection-oriented: a three-way handshake (SYN, SYN-ACK, ACK) lets both sides confirm they are connected and ready to communicate before data is exchanged. This provides reliability, as segments are sequenced, acknowledged, and retransmitted as necessary.
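As an added example (not part of the original text), the following Python model walks through the TCP three-way handshake with both endpoints' messages and shows why the handshake is a validation step: the client must echo the server's initial sequence number (ISN) plus one, so a party that forges its source address and never sees the SYN-ACK cannot complete the connection unless it can guess the ISN. The `Listener`, `Connector`, `Segment` names, the addresses, and the `isn_fn` hook for injecting a predictable ISN are assumptions made for this illustration; real stacks also track windows, options, timers, and retransmissions, which are omitted.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

MOD32 = 2 ** 32


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


def random_isn() -> int:
    """Unpredictable initial sequence number; predictable ISNs make blind spoofing practical."""
    return secrets.randbelow(MOD32)


class Listener:
    """Server side: answers SYN with SYN-ACK and only accepts the ACK that echoes its ISN + 1."""

    def __init__(self, addr: str, isn_fn: Callable[[], int] = random_isn) -> None:
        self.addr = addr
        self.isn_fn = isn_fn
        self.half_open: Dict[str, int] = {}   # peer -> ISN we sent (SYN seen, ACK pending)
        self.established: Set[str] = set()

    def receive(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == frozenset({"SYN"}):
            isn = self.isn_fn()
            self.half_open[seg.src] = isn
            return Segment(self.addr, seg.src, isn, (seg.seq + 1) % MOD32, frozenset({"SYN", "ACK"}))
        if seg.flags == frozenset({"ACK"}) and seg.src in self.half_open:
            expected = (self.half_open.pop(seg.src) + 1) % MOD32
            if seg.ack == expected:
                self.established.add(seg.src)
                return None
            return Segment(self.addr, seg.src, seg.ack, 0, frozenset({"RST"}))  # wrong ack: reset
        return None


class Connector:
    """Client side: sends SYN, checks that the SYN-ACK acknowledges its own ISN, then sends the final ACK."""

    def __init__(self, addr: str, isn_fn: Callable[[], int] = random_isn) -> None:
        self.addr = addr
        self.isn = isn_fn()
        self.established = False

    def syn(self, dst: str) -> Segment:
        return Segment(self.addr, dst, self.isn, 0, frozenset({"SYN"}))

    def handle_synack(self, seg: Optional[Segment]) -> Optional[Segment]:
        if seg is None or seg.flags != frozenset({"SYN", "ACK"}) or seg.ack != (self.isn + 1) % MOD32:
            return None  # stale or forged SYN-ACK: do not complete the handshake
        self.established = True
        return Segment(self.addr, seg.src, (self.isn + 1) % MOD32, (seg.seq + 1) % MOD32, frozenset({"ACK"}))


def handshake(client: Connector, server: Listener) -> bool:
    """SYN -> SYN-ACK -> ACK between two endpoints that can both see each other's segments."""
    synack = server.receive(client.syn(server.addr))
    ack = client.handle_synack(synack)
    if ack is not None:
        server.receive(ack)
    return bool(client.established and client.addr in server.established)


def blind_spoof(server: Listener, spoofed_src: str, guessed_isn: int) -> bool:
    """An attacker forging spoofed_src never receives the SYN-ACK, so it must guess the server's ISN."""
    server.receive(Segment(spoofed_src, server.addr, 0, 0, frozenset({"SYN"})))  # SYN-ACK goes to the victim
    reply = server.receive(Segment(spoofed_src, server.addr, 1, (guessed_isn + 1) % MOD32, frozenset({"ACK"})))
    return spoofed_src in server.established and reply is None
```

With the default `secrets`-based ISN, a blind guess succeeds with probability about 1 in 2^32; the test below injects a fixed ISN only to show deterministically that a wrong guess is met with a reset and a correct guess is accepted, which is the reason modern stacks randomize ISNs.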
On-premises
On-premises (on-prem) network architecture is a traditional network design. This includes components such as cabling, routers, switches, and other security devices. On-prem networks are physical and possibly virtual assets contained on site within the organization. Today, many organizations may create their own on-prem virtualization setup through technologies such as ESXi from VMware, allowing the creation of organizationally controlled and maintained virtual assets. This includes some of the benefits of cloud provider virtualization, such as better resource utilization, but does not gain some of the cost benefits since the hardware is still maintained on-prem. Generally, on-prem networks carry higher costs and resource needs than other architectures, such as cloud computing and hybrid models. This is because an organization is responsible for all the maintenance of hardware including electricity, backup, and system support.
There are various security solutions available for on-prem networks. Some common solutions include the following:
- Firewalls, such as next-generation firewalls (NGFWs), use an access control list (ACL) to help control traffic flow.
- Network access control (NAC) enforces policies to control access to a network.
- Intrusion detection systems (IDSs) are used to detect anomalies, and intrusion prevention systems (IPSs) are used to prevent attacks. These are also known as NIDS and NIPS, where the N stands for network, and their host-based counterparts are HIDS and HIPS, where the H stands for host.
- Content filtering and caching devices, such as proxies, help regulate what data can reach protected devices.
Some devices combine several security functions onto one device, such as IDS/IPS, firewall, and content filtering, known as unified threat management (UTM) devices.
Cloud Computing
Cloud computing is a collection of networks and computing resources that are accessible over the internet. It follows a shared responsibility model: the provider secures the underlying infrastructure, while the customer remains responsible for what it deploys on top, and the exact split varies between providers and services. The components that typically remain the customer's responsibility are information and data, application logic and code, identity and access, platform and resource configuration, and various other security items. Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure are a few examples of cloud service providers.
There are various cloud service models, including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). These models have varying levels of services and maintenance provided by the cloud vendor. SaaS is a service model that provides software on the cloud and makes it accessible over the internet for the users. The cloud provider is responsible for the full management of everything related to the software, including the underlying hardware. An example of this is Google Workspace, which includes applications such as Gmail, Google Drive, Google Docs, and Google Sheets, all accessible over the internet. In the IaaS service model, the cloud provider maintains the hardware and enables users to install, configure, and maintain the OS and applications on it. An example of this is Amazon EC2, which allows the user or client to create virtual servers on which an OS and applications can then be installed. In PaaS, the cloud provider manages both the hardware and the software environment, allowing users to create and manage applications that run on it. An example is Azure App Service, a platform that allows developers to build, deploy, and manage applications without needing to maintain the backend infrastructure.
Some additional cloud concepts to be aware of are SDNs, content delivery networks (CDNs), and cloud access security brokers (CASBs). CDNs help to effectively deliver web content such as text, images, videos, and other resources to users. CDNs consist of a distributed network of servers that are positioned strategically throughout various geographic regions. By caching and delivering content from the closest server to the end user, they reduce latency and improve user experience while enhancing website performance, dependability, and speed. You will learn about SDN and CASB later in this chapter.
There are several factors to be considered and weighed when considering using on-prem or cloud solutions. These include cost, control and customization, scalability, security, and compliance. It can often come down to a balance between risk and cost when choosing between the two. Some main security features to review with the cloud are access, key management, storage, logging, monitoring, privacy, and compliance.
Hybrid Model
A hybrid model is a combination of on-prem and cloud options. This model allows an organization to maintain greater control over sensitive data and critical applications while still gaining some of the cost and scalability benefits of the cloud. Hybrid models are most often used when organizations are migrating their data and operations to the cloud, serving as an intermediate state between fully on-prem and fully cloud-based. For example, a company might keep its sensitive customer data on-prem to comply with regulatory requirements while using the cloud for scalable web hosting and storage. Some use cases benefit from this model, such as backup and recovery, where critical data is stored both on-site and in the cloud to ensure redundancy and fast recovery times, and seasonal workloads, where cloud resources can be leveraged to handle peak demand periods without the need for permanent infrastructure investment. Additionally, hybrid models are beneficial for application development and testing, allowing developers to test new applications in a cloud environment while keeping production workloads on-prem for stability and control.
Other Cloud Models
Apart from the hybrid model, there are several other cloud deployment models, including public, private, and community models. In the public cloud model, the cloud service provider hosts and manages a shared pool of computer resources, including applications and storage. This is one of the most well-known models, providing the greatest flexibility at the lowest cost. It is offered by the major providers: AWS, GCP, and Azure. It can be an ideal option for start-ups and small businesses, allowing them to scale quickly, develop and deploy rapidly, and keep costs lower and more manageable.
The community cloud model is like the public model in that it uses a shared pool of resources, but access is restricted to specific groups, such as organizations with similar security, compliance, or performance requirements. This can help them meet certain regulatory requirements by having a cloud environment specifically designed for the needs of their business sector, such as healthcare organizations. A specific example from a cloud provider is AWS GovCloud, which is restricted to US government agencies and their contractors.
The private cloud model provides isolation and dedicated resources for a single client, whether hosted in the client's own data center or by a provider. A related concept in public clouds is the virtual private cloud (VPC): a logically isolated virtual network within the provider's infrastructure, containing its own subnets, routing, and traffic controls that keep the client's workloads and network traffic separated from those of other tenants. This isolation provides dedicated resources, strengthens security and privacy, and helps meet regulatory requirements by limiting the ways in which cloud clients can impact each other. The private cloud model can be ideal for larger enterprises with bigger budgets and stricter regulatory controls that want to maintain control over their data. Government agencies also use isolated offerings such as AWS GovCloud to help ensure data sovereignty, security, and compliance with local laws and regulations. The choice of which model to use should be based on a thorough review of costs, risks, and threats from a risk-based approach.
Network Segmentation
Segmentation is a key concept for security. Segmenting an organization's infrastructure helps in several ways. It reduces the impact of any issue, whether security-related or operational. It also reduces the attack surface by isolating segments from one another, so that an attacker must compromise multiple segments to gain greater control over the overall organization. Some segments can have extra security capabilities deployed to further protect them, making cost investments more efficient. Segmentation can also reduce the scope of audits and compliance assessments.
Physical segmentation can be accomplished by air-gapping systems and networks, meaning no physical or virtual connections exist between the segments. Physical segmentation increases security but also the complexity of administration, and it does not fully prevent attacks: air-gapped systems have been compromised through supply chain attacks, infected USB drives, and similar routes. Segmentation can also be done at a virtual level, such as by running VMs or containers that are not networked to each other, or by running the VMs on separate, unconnected physical hosts.
Without segmentation, network devices can experience latency due to congestion. Segmenting the network reduces the traffic to only what is necessary for specific subsets of machines, increasing the overall efficiency and speed of network communication. This level of segmentation can be accomplished simply with the use of routers, switches, and subnetting.
Network segmentation is most often accomplished using firewalls. With the use of ACLs, traffic flow can be restricted. This only allows traffic to cross from one segment to the other when explicitly allowed but prevents the crossing otherwise. Security solutions for network segmentation also include NGFWs that offer additional security functions such as intrusion detection and prevention systems (IDPSs), application awareness and control, SSL/TLS decryption and inspection, user and identity-based controls, and advanced threat intelligence.
A combination of firewalls, routers, switches, and subnets can be used to help segment with operational and security benefits in mind. This is often done with VLAN tagging, allowing further control of data flow between different segments.
To ensure a secure design, these segments must have secure access methods. This access is often done via a jump box or virtual private network (VPN) connection. A jump box’s specific function is to exist between segments with connections to those segments. A user would first connect to the jump box and then access the resources as necessary on the connected segments. Due to their connection setup, these boxes need to be highly secure, maintained, and monitored.
VPNs facilitate the secure connection of remote users or branch offices to a corporate network by establishing a secure and encrypted tunnel over the public internet. Users can access network resources through this tunnel as if they were physically on the company’s LAN. More advanced capabilities, including micro-segmentation, further divide traffic into subgroups based on parameters such as user roles, device kinds, or apps.
Figure 1.33 shows an example of a segmented network. The user has a VPN client used to connect to the internal VPN server, flowing through the firewall. Segment 1 and Segment 2 are divided, not depicted by a specific device. It could be done with another firewall, NGFW, or router. To access Segment 2, a user in Segment 1 must connect to the jump box, which would then allow access to Segment 2 devices.

Figure 1.33: Simple segmented network
Cloud computing also provides capabilities for network segmentation. Providers use the concept of VPCs, as discussed in the Other Cloud Models section of this chapter, and isolation is extended by splitting a VPC into subnets or by using separate VPCs to isolate devices and traffic. Traffic into and out of VPCs, their subnets, and the instances within them can be controlled with firewall rules such as security groups (stateful, attached to individual instances) and network ACLs (NACLs, stateless, applied at the subnet boundary), to use AWS terminology. Jump boxes are also commonly used to facilitate communication with, and administration of, these segments.
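The following Python example is added here to show the firewall ACL evaluation described under network segmentation and the stateless cloud NACL behaviour described above; it is not code from the original text. It evaluates sample flows between two constructed segments (a user VLAN and a server VLAN, with a jump box in the user segment) against an ordered, first-match rule list with an implicit deny, first as a stateless ACL and then as a stateful firewall that remembers allowed sessions. The segment addresses, rule set, and flows are constructed for the illustration; the syntax of real ACLs and NACLs differs by vendor, but the evaluation order and the return-traffic problem are the same.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

ANY_PORT = range(0, 65536)
EPHEMERAL = range(1024, 65536)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The reply direction of this flow."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp", or "any"
    src: str           # CIDR
    dst: str           # CIDR
    dst_ports: range

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("any", f.proto)
                and ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(self.dst)
                and f.dst_port in self.dst_ports)


class StatelessAcl:
    """Ordered first-match ACL with an implicit deny, like a router ACL or a cloud NACL.

    Every packet in every direction is judged on its own, so return traffic needs its own rule.
    """

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules: List[Rule] = list(rules)

    def evaluate(self, flow: Flow) -> str:
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return "deny"


class StatefulFirewall(StatelessAcl):
    """Same rule set, but allowed flows are remembered so the reply direction passes without a rule."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        super().__init__(rules)
        self.sessions: Set[Flow] = set()

    def evaluate(self, flow: Flow) -> str:
        if flow.reverse() in self.sessions:
            return "allow"
        verdict = super().evaluate(flow)
        if verdict == "allow":
            self.sessions.add(flow)
        return verdict


# Constructed segments: VLAN 10 for users, VLAN 20 for servers, and a jump box in the user segment.
SEGMENT1 = "10.10.1.0/24"
SEGMENT2 = "10.10.2.0/24"
JUMP_BOX = "10.10.1.10/32"

RULES = [
    Rule("allow", "tcp", JUMP_BOX, SEGMENT2, range(22, 23)),    # only the jump box may SSH into servers
    Rule("allow", "tcp", SEGMENT1, SEGMENT2, range(443, 444)),  # users may reach the web tier
    Rule("deny", "any", SEGMENT2, SEGMENT1, ANY_PORT),          # servers never initiate toward users
]
# What a stateless NACL needs in order to let SSH replies back: an allow for ephemeral ports,
# which also lets servers initiate to those ports. That is the trade-off of stateless filtering.
NACL_RULES = [Rule("allow", "tcp", SEGMENT2, SEGMENT1, EPHEMERAL)] + RULES


def demo() -> Dict[str, str]:
    workstation_ssh = Flow("tcp", "10.10.1.25", 50123, "10.10.2.5", 22)
    jump_ssh = Flow("tcp", "10.10.1.10", 50124, "10.10.2.5", 22)
    ssh_reply = jump_ssh.reverse()
    server_initiated = Flow("tcp", "10.10.2.5", 40000, "10.10.1.25", 4444)
    acl, nacl, fw = StatelessAcl(RULES), StatelessAcl(NACL_RULES), StatefulFirewall(RULES)
    return {
        "workstation_ssh": acl.evaluate(workstation_ssh),   # deny: not the jump box
        "jump_ssh": acl.evaluate(jump_ssh),                 # allow
        "stateless_reply": acl.evaluate(ssh_reply),         # deny: no rule for the reply direction
        "nacl_reply": nacl.evaluate(ssh_reply),             # allow via the ephemeral-port rule
        "nacl_server_initiated": nacl.evaluate(server_initiated),  # also allowed: the cost of that rule
        "stateful_jump_ssh": fw.evaluate(jump_ssh),         # allow, and the session is remembered
        "stateful_reply": fw.evaluate(ssh_reply),           # allow: matches the remembered session
        "stateful_server_initiated": fw.evaluate(server_initiated),  # deny: no session, explicit deny
    }
```

The contrast in `demo()` is the practical point: with a stateless control (router ACL, AWS NACL) the only way to get replies through is a broad ephemeral-port allow, whereas a stateful firewall or security group permits replies precisely because it saw the allowed outbound request.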
Zero Trust
Zero trust is a modern security principle that emphasizes a “never trust, always verify” mindset. Every user and every device accessing a network must be verified, regardless of previous permissions or network location. Its main premise is that threats can come from both inside and outside the network. This verification provides better security and reduced risk. For example, an employee working remotely must authenticate through multiple layers, such as MFA and device health checks, before gaining access to internal systems. This limits the damage if a device is compromised or credentials are leaked, because every access attempt is subject to the same verification rather than being trusted on the strength of an earlier login or a position inside the network.
Zero trust network access (ZTNA) is a streamlined application of the zero trust principle. It requires authentication at every access point for both external and internal connections. To have greater value, it relies on micro-segmentation, segmenting the network at the application and workload level. With ZTNA, lateral movement threats are significantly reduced and attacks can be more contained. It makes authentication and authorization identity-centric, using unique identities, roles, and permissions before granting access to resources. It allows trust to be dynamic and continuously verified, based on specific parameters and context-aware policies.
Some of the main advantages of ZTNA are the following:
- Enhanced security – Greater enforcement of the least privilege principle
- Reduced insider threats – Limited impact potential and reduced lateral movement capabilities
- Remote work enablement – Enhanced identities for authentication and authorization
- Compliance with regulations – Some compliance frameworks are starting to require zero trust
Consider a scenario where a company has implemented ZTNA to manage remote access, requiring users to authenticate at each access point. To limit lateral movement, the company uses micro-segmentation to isolate applications and workloads. A developer accessing the development environment must pass role-specific authentication checks and is restricted from accessing other parts of the network. This approach reduces the risk of a compromised account spreading to other systems, enhances security, and supports remote work by continuously verifying user identities and permissions.
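As an added example (not from the original text), the following Python policy decision function models the scenario above: each request carries the user's identity and roles, the freshness of their MFA, the health of their device, and the resource they want, and every request is evaluated from scratch with no trust carried over from earlier decisions. The thresholds, the `developer`/`sre` roles, the resource names, and the fixed timestamps are constructed for the illustration; a real ZTNA product would source these signals from an identity provider and an endpoint agent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

MFA_MAX_AGE = timedelta(hours=8)     # re-prompt for MFA beyond this age
PATCH_MAX_AGE = timedelta(days=30)   # required for high-sensitivity resources


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[datetime]


@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    edr_running: bool
    last_patched: datetime


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: FrozenSet[str]
    sensitivity: str  # "low" or "high"


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: Resource
    at: datetime


def decide(req: Request) -> Tuple[bool, List[str]]:
    """Policy decision point: returns (allowed, reasons). Nothing is cached between requests."""
    reasons: List[str] = []
    ident, dev, res = req.identity, req.device, req.resource
    if ident.mfa_verified_at is None or req.at - ident.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("mfa_required")
    if not ident.roles & res.allowed_roles:
        reasons.append("role_not_permitted")        # least privilege: role must match the resource
    if not dev.managed:
        reasons.append("unmanaged_device")
    if not (dev.disk_encrypted and dev.edr_running):
        reasons.append("device_not_compliant")
    if res.sensitivity == "high" and req.at - dev.last_patched > PATCH_MAX_AGE:
        reasons.append("device_unpatched")
    return (not reasons, reasons)


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed requests from a developer against the dev environment and the production database."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    laptop = Device(managed=True, disk_encrypted=True, edr_running=True, last_patched=now - timedelta(days=10))
    dev_env = Resource("dev-env", frozenset({"developer"}), "low")
    prod_db = Resource("prod-db", frozenset({"sre"}), "high")
    fresh = Identity("alice", frozenset({"developer"}), now - timedelta(hours=1))
    stale = Identity("alice", frozenset({"developer"}), now - timedelta(hours=9))
    byod = Device(managed=False, disk_encrypted=True, edr_running=False, last_patched=now - timedelta(days=60))
    return {
        "dev_env": decide(Request(fresh, laptop, dev_env, now)),
        "prod_db": decide(Request(fresh, laptop, prod_db, now)),          # role does not cover prod
        "dev_env_stale_mfa": decide(Request(stale, laptop, dev_env, now)),
        "prod_db_byod": decide(Request(Identity("bob", frozenset({"sre"}), now), byod, prod_db, now)),
    }
```

Note that the same identity is allowed into `dev-env` and refused for `prod-db` in consecutive calls: the second decision does not inherit anything from the first, which is what prevents a compromised developer session from being used to reach other segments. The reasons list is what you would log so that a denial can be investigated without re-running the policy.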
ZTNA can be complex and costly to implement and is also resource intensive. It has a strong dependency on connectivity, and instability can impact access to critical resources.
SASE
SASE, secure access service edge, is a framework that combines security and network functions into a unified, cloud-native solution. It provides secure access to an organization's WAN and protects the network edge.
Some key components include the following:
- Software-defined wide-area networking (SD-WAN)
- CASBs
- Secure web gateways (SWGs)
- Firewall as a service (FWaaS)
- ZTNA
You will review CASB and SD-WAN later in this chapter. SWGs can be cloud services or network security appliances that enforce security policies for web usage and protect a network from internet-based threats. They do this by intercepting and inspecting web traffic for known-malicious destinations and content, and they can integrate with other security solutions, such as firewalls, to enhance the capabilities of both. Zscaler, Cisco Umbrella, and McAfee Web Gateway are some examples of SWG products. Some use case examples include the following:
- A financial institution uses SWG to filter web traffic and block access to malicious websites that could compromise sensitive data
- A technology company utilizes a cloud-based SWG to secure the browsing activities of remote employees
SASE shares some of the same benefits as ZTNA, such as enhanced security and remote work enablement, as well as cost efficiency, simplified security architecture, and scalability. Using cloud solutions can reduce hardware and operating costs. It combines multiple security solutions into a single platform. Being cloud-native allows simpler scalability.
SASE is not without potential cons. It can be complex to initially transition and integrate on-prem solutions with cloud solutions. There are potential privacy and compliance issues when storing and processing sensitive data in the cloud and it can introduce latency in processes depending on the overall network design. There is also an availability risk with a heavy dependency on cloud vendor solutions.
SDN
SDN is a method that divides the control plane (which determines where traffic is routed) from the data plane (which forwards traffic) in networking devices. Using software programs, SDN enables network managers to control and manage network resources, enhancing networks’ flexibility, programmability, and responsiveness to changing requirements. It uses application programming interfaces (APIs) and standard protocols, such as OpenFlow, to facilitate this control via software programs. Some examples of this software are OpenDaylight, Cisco ACI, and VMware NSX.
Since this control is done over APIs, it is important to ensure that these APIs are designed, implemented, and managed securely. If they are breached, they can allow an attacker access to alter the network, causing outages, moving laterally, or gaining additional privileges.
SDN is also applied to WANs as SD-WAN, as referenced in the previous section. In these cases, outside vendors use the SDN model to facilitate connectivity between sites. While these configurations typically encrypt traffic between sites, other security factors must be considered, such as flaws in the SDN software, the organization's lack of direct control over vendor-operated components, and availability and integrity issues when data transits different network channels.
This section presented various network architecture models, including on-prem, cloud computing, and hybrid configurations. You learned about the benefits and challenges of each model, with an emphasis on how hybrid setups can offer a balance between control and flexibility. Network segmentation was highlighted as a key practice for enhancing security, and the zero-trust model, with ZTNA, was discussed for its rigorous approach to verifying every access request. Additionally, you explored SASE for integrated security and networking, and SDN for improved network management and agility. Next, you will examine IAM, focusing on the strategies and technologies used to manage user identities and control access to resources.