Preparing for the CompTIA CyberSecurity Analyst CySA+ certification

  • Note: This article was originally published on Peerlyst in April 2020 and received about 3.5k views before Peerlyst announced they were shutting down.

In this article I’m going to review the study method I used to prepare for, and pass, the CompTIA “CyberSecurity Analyst”, aka “CySA+”, certification in April 2020. I will start by giving some background to the CySA+ course content, the preparation I did before beginning study and the materials used, and finally I’ll go through the day of the exam itself. I will mainly focus on my exam study style, which can be easily transferred to almost any other tech certification or exam process. Please note that the CySA+ CS0–001 is now being replaced by the CS0–002; however, the methodology is the same, and I’ve updated the content where relevant.

[Image: blue background with a keypad and streams of binary flowing in the foreground. Image by boroda003 at FreeImages]

Saying that, as with any CompTIA exam I’ve sat, this is a closed-book exam. If you’re looking for an open-book exam guide, for example for a SANS course you’ve recently taken, I must recommend the wonderful guide written by the brilliant Lesley Carhart, aka HacksForPancakes, located here.

If you like this, or found it beneficial, please hit the clap button and please leave a comment. I warmly welcome any questions, observations or critical feedback.

The CySA+ itself is meant to be a logical next step after attaining the Security+, and is aimed at people who have some experience in a ticket-based Security Operations Centre (SOC) or general “Blue team”, i.e. defensive IT security roles. It covers some slightly more advanced infosec concepts than the Security+, but as with most CompTIA exams it’s much more focused on the application of these concepts in real-world scenarios. Common job titles would include “SOC analyst”, “security engineer” and “vulnerability analyst”.

You must demonstrate that you have the knowledge to perform basic infrastructure and web application vulnerability scans using commonly available tools and to interpret the results to locate security vulnerabilities. You need to have built up experience in reading log files, understanding the tell-tale signs of a malicious threat on your network or host devices, a solid knowledge of common ports and their uses, and general information security best practices. I don’t really want to go into too much detail about the CySA+ course objectives and content; that’s all fully available here.

I always used a basic template on Google Sheets to break down my available hours in the week, Monday through to Saturday, and set specific times to study. Recently though, I’ve switched to using Asana, which gives me greater visualisation of how I need to break everything down and map out my timeline better. I do my absolute best to ring-fence these hours, updating my friends and family, turning off my phones, and cancelling or refusing any nonessential plans that might overlap. I also update my Asana board as necessary to compensate for over or under achieving during my study times, or to make up for ones I’ve missed.

Having done this a few times for other exams, I acknowledge and repeatedly remind myself two very important things:

1. I am not a machine. This is very important. There’s no point creating a study block in your calendar that lasts for four hours straight. It’s impossible to maintain concentration that long, you won’t retain the majority of the new information you’re trying to learn, and you’re going to feel mentally defeated when you inevitably fail to maintain such a demanding schedule. I use an online timer and set it to 25-minute intervals. Once the alarm goes, it’s hands off the keyboard. I make a light snack, do some squats or play with dumbbells (no, I’m not a gym person, but it helps battle my sedentary lifestyle a bit) for a few minutes to get the blood pumping oxygen to my brain, or do some housework. Anything to allow my brain to process what I’ve taken in, mix things up a little bit, and prepare my concentration levels for the next 25-minute study block.

2. Life gets in the way. This plan is to be followed in a “best effort” kind of way. Things will crop up that demand your attention, and it’s ok to play a little loosey-goosey with the scheduling as long as you try to maintain the overall ideals of what you’re setting out to accomplish. Saying that, work hard to ring-fence your precious study time, and make sure you’re going into each session well rested, hydrated, and calm. Try not to be hungry, or to have eaten too big a meal beforehand; being distracted or sluggish doesn’t help you retain information.

Most importantly, I made sure to include “off times” to unwind, do some housework, and try to exercise. I know it’s a bit overstated by some, but starting something like the Couch to 5k program alongside a new study period acts as a great way to destress, maintain focus and positivity during this time of study, and foster a holistic program of self-improvement and advancement.

[Photo: an open page of a day planner with a pen lying on it. Photo by Charles Thompson from FreeImages]

I heavily leveraged Udemy video courses for the bulk of my study material. As I was going to be reviewing the content several times and was already pretty familiar with a few of the topics, I would watch at 1.5x the normal speed. This is great if you’re a native English speaker without any hearing or cognitive difficulties, but if that’s not the case, definitely avail of the ability to slow an individual speaker down to 0.75x or even 0.5x, especially if you’re completely new to the topic or subject matter in general. Everyone learns and processes information at different speeds, so don’t benchmark yourself off of others. This is you vs the exam; take your time at your own pace and you will master this.

I would watch an individual video once, just listening and making sure I understood what the instructor was saying. I would then rewatch the video taking notes. If need be, I would watch a third time, reviewing my notes to make sure I had captured the information accurately and in a way I’d be able to review without needing to watch the video again. This varied from topic to topic, depending on my familiarity with the subject matter.

I would study in this way Monday to Friday, and then spend Saturday or Sunday reviewing my notes, keeping them clear and reorganising as necessary. The other day was for rest and relaxation. You need to schedule daily and weekly downtime. Burning out and ruining the whole study process isn’t worth the risk. Take your time; you’ve your whole career ahead of you.

As I said, throughout this process I took a lot of notes. This not only ensures I’m paying attention throughout the videos, but I’m also reinforcing my learning and moving the information from short-term to long-term memory by reviewing, organising and referencing these notes many times during my study period.

There are MANY solutions out there to capture your notes with, such as Microsoft OneNote or free alternatives such as Evernote, with several listed here. I suggest you try several until you find the solution that best suits your needs and style of learning. Leveraging these solutions allows you to cross-reference your notes, as each book and trainer breaks down the domains differently. It also helps you build up your own reference library over time that you can refer back to at work, when studying for later exams, or to assist others when you’re writing your future book on information security!

So, for example, I started with a page dedicated to “Standard Frameworks”, listing each one with a few bullet points underneath covering its sections, domains, or peculiarities. I then realised that I was writing a lot about, say, the “NIST Cybersecurity Framework”. I would then move the bulk of that content into a new page dedicated to the “NIST Cybersecurity Framework” and add a link from the mention in the main Frameworks page to that specific “NIST Cybersecurity Framework” page.

Obviously, everyone is starting at a different level of familiarity with the subject matter, so this may be too much for many. It may also not be enough for others, so it’s important for you to find the study methodology that works best for you.

A lot of people also like to make flashcards, either physical ones like these for the office or home, or these absolutely awesome ones that I carry with me at all times. They’re ideal for spontaneous review while queuing for groceries etc. Others prefer digital flashcards on their phone to study while on the go.

I started with the Brent Chapman Udemy course by Total Solutions. It’s a good, if a little shallow, introduction to each of the domains. However, it doesn’t seem that they’ve updated it for the CS0–002 version, so it’s going to be missing some key chapters, and therefore shouldn’t be considered suitable right now. What I liked about it is that it provided a very solid foundation for the terminology and concepts, covering both the theory and practical aspects of the course and demonstrating real-world command-line usage of various tools. As above, I watched each episode once at 1.5x, and again while taking notes, pausing as necessary to take down the content of individual slides. Total Solutions provide PDFs of the slides themselves, but I found manually typing out what I wanted to note more beneficial than simply copying and pasting. Again, this is my style, and you’re perfectly entitled to do things another way.

Then I went through the Jason Dion Udemy course by Dion Training. Jason’s course is a lot longer and more in-depth on the theory of the subject matter, and I really like his style of speaking. There are also mid- and end-of-chapter short quizzes, usually involving ~5 multiple choice questions. They’re not exactly the ones that would come up in the exam, but they were good for basic revision. Honestly, if you can only get one video course on a subject, I would always recommend Dion Training if it’s available. I’m a big fan and think he does wonderful work. At the end of this Jason Dion course, there’s a multiple choice practice exam of 85 questions that is designed to mimic the real thing.

I highlighted the areas I scored poorly on and used the Sybex CompTIA CySA+ Study Guide written by Mike Chapple and David Seidl to review those sections, ensuring that my notes on the topic were complete. I’ve always been a big fan of the Sybex books: they maintain a solid but gentle learning curve, always leverage very high quality diagrams, and I just feel they are brilliant for those not already well familiar with the course content. I also leveraged the Sybex books throughout my learning process while studying for the A+, Network+ and Security+ certifications.

One thing I wish I had had, but only found out about afterwards, was a “cliff notes” style study book by Jason Dion, “CompTIA CySA+ Practice Exams: A Time Compressed Resource to Passing the CompTIA CySA+ (CS0–002) Exam on the First Attempt”, which a friend of mine picked up after I had already sat the exam. It’s a comprehensive breakdown along the lines of Eric Conrad’s “11th Hour CISSP”, which has always been an integral part of people’s success with that particular exam.

Once this process was completed, CompTIA had launched their online proctored exam option, so I scheduled the exam for just under one week later rather than hope the pandemic played itself out so I could sit the exam in a proctored testing centre (it hasn’t).

That day, I downloaded the Pearson VUE OnVUE app onto the laptop I was going to take the exam on, in my case a MacBook Pro, but the hardware requirements aren’t that high so most laptops *should* be ok. They advise having the laptop plugged into the mains and, if possible, connected via cable to your home router rather than via Wi-Fi, for obvious connection reasons. Then I went through their system check and testing process. I’m really glad I did, because the application kept crashing at a certain point, giving me the dreaded pinwheel of death. After 3 reboots I eventually realised that OnVUE was opening a permissions window behind the locked OnVUE screen that it uses as a desktop lockdown, and needed to be allowed access to various things (mic, speakers, desktop etc.) to progress. To work around this I rebooted the laptop a fourth time, opened the System Security window, then launched the OnVUE app. This way I was able to see the popup and grant the necessary permissions to complete the install, setup and sample test to ensure it would all work on exam day.

For the final week, each morning I would do one of the five CySA+ practice exams on Udemy, designed by Jason Dion and sold as a bundle. There are 60 questions in each quiz, though a handful do occur in more than one quiz. Again, the results would point me to areas of revision for that day.

The day before the exam, I took the entire day off. I don’t know if that’s a good or bad idea, but I’d been studying hard for quite a while by then, and my brain needed to decompress a little so my focus would be sharp on the day in question. I’d scheduled a 5pm exam anyway, so I knew I’d have time to review, revise and panic (hopefully not, though) on the day of the exam itself.

That morning I had a short run, a good breakfast and studied for a few hours leading up to the exam time. My books were so covered in coloured page markers they looked like exotic birds, but it really helped me home in on my problem areas and maintain my confidence in them.

I cleared my desk of *everything* (there was a lot of junk and little figurines and stuff, as well as Post-its and notes, of which there were lots). I made sure my whole testing area was clear and clean, and that there were no study posters or anything like that on the walls. (I’m a huge fan of the SANS educational posters as study aids in forensics, incident response etc.)

At 4.15pm (with the exam set for 5pm) I redid the system check for the OnVUE application. I’m delighted I did, as it actually needed an updated version to be installed, so I was able to get that done and ensure everything was “green lights” with plenty of time to spare. This process includes using your cell phone to take a photo of your face, your passport/driver’s licence, and then 4 pictures (front, behind, left and right) of your desk to show the proctor that your testing area is completely clear of notes, other technology including monitors, and all the rest they cover in the terms of use. You then put your phone away out of arm’s length, on silent if not totally powered off.

I had confirmed with my spouse that I would be taking the exam and that total silence is necessary — the laptop webcam is used to record you at all times, and the onboard mic is also recording audio, so it’s vital they don’t hear anyone else’s voice, or see anyone else appear in the room you’re testing in. This really needs to be repeated: if you have housemates, or children etc. in the house where you’re sitting the exam, make sure that they’re aware and under instructions to keep the noise down, that your door is closed, and that you’re clearly the only person in the room. If you have an Amazon Echo or similar voice-activated home automation devices, mute them or unplug them!

I had a 32" Samsung curved monitor (which I adore) behind my laptop that wasn’t going to be used in this testing, so I knew I’d have to demonstrate to the proctor that this was disconnected/off. Sure enough, the proctor first communicated with me via a chat window, and then, with permission, via my laptop speaker, asking me to demonstrate to her that the monitor was powered off. I turned the laptop to show via webcam that the monitor was unplugged from the power cable, as was any other computer equipment near my desk.

Once all this admin was done and dusted, I read the terms of service again, and clicked through into the exam.

As with all such exams, I recommend skipping the initial PBQs (performance-based questions) at the start for a number of reasons. Firstly, they’re difficult. They’re essentially, to quote Tess in their breakdown of sitting the CySA+ beta exam, multi-layered puzzles. This means they are demanding, both in terms of brainpower and time, and if you hit a snag or find one difficult so early in the testing experience, it may have a negative psychological effect on you. Secondly, they’re complex, so you might accidentally spend too long verifying one, and suddenly you’re racing against time for the rest of the entire exam, making you prone to many mistakes. A third reason, genuinely, is that later questions may provide memory prompts on the subject matter these PBQs are testing you on. In short, flag them for later, and immediately move on to the main MCQs (multiple choice questions).

The wording of many of the MCQs is tricky, awkward, or even a little misleading. This is to test your comprehension abilities, your logical problem solving, and your attention to detail just as much as your knowledge of the specific subject matter. So here’s how to do it: read the question slowly, highlighting key words such as “most”, “least”, “best” etc. Under pressure, when reading quickly, we have a tendency to skim the sentence and let our brains fill in the rest. Make sure that’s not happening. Quite often the question will not be asking the specific thing you initially presume it is asking.

Then go through each of the various answers. Make sure you know for certain if it’s only one answer you’re supposed to tick, or two. Make certain you know if you’re supposed to pick, say, the BEST TWO OPTIONS, or if it’s “PICK THE BEST OPTION, AND ITS RESULTING EFFECT”. If you think it’s asking for the best two solutions when it’s actually asking you to point out the initial control and that control’s resulting effect on the system, say, you’re going to end up with a wrong answer.

If you’re not sure, flag and move on.

Once all the MCQs are done, go back to the PBQs. Take your time and read through the problem statement. You have the option of bringing up a whiteboard into which you can copy and paste log files etc. I used this heavily for all PBQs. For ones involving logs, I highlighted each of the individual data flows, or colour-coded each stream. I put coloured boxes around the different data flows from each device. I did everything I could to tease out each individual unique server/network flow until I was certain which object was talking to which other object.

Once these were done and I was happy, I moved back to review the MCQs I’d flagged along the way. Amazingly, some later questions had actually refreshed my memory and understanding of earlier questions, so I was able to answer with more confidence. If there were one or two I truly couldn’t understand, as with every MCQ in my life, I selected “B” and moved on (still leaving it flagged, though, just in case inspiration hit me).

Finally, as I had time, I went through every single question again, making sure I was comfortable with each answer. Then, with maybe 5 minutes to go, I clicked “finish review” and ended my exam.

At the end there’s a short survey on how your experience was; I’m not sure if that came before or after the result. I remember I was so drained at this stage I had to reread the splash page two or three times to confirm it said I had successfully passed the exam.

It was probably 12 hours afterwards that my results began to populate into my CompTIA profile, showing on the certifications page that I did indeed now have the qualification, could download the logo, etc.

I really enjoyed writing this article, and would love to hear your feedback! Please hit the “upvote” button if you enjoyed this or found it helpful. I’d love to hear your thoughts, so please comment below. If you really liked this, consider buying me a cup of coffee by clicking here.

If you liked this please hit that “clap” button, and don’t forget you can give me up to 50 claps! If you would like me to write more about other exams and subjects, please make sure to leave a comment on what you’d like to see me write about next.

As always, stay safe out there. In case you haven’t noticed, the pandemic hasn’t gone away. Wash your hands, wear a mask, and make sure to phone or video chat your family and elderly neighbours. Isolation takes different tolls on people, so be kind to each other.

#Isolate-Educate-Excel

I’m passionate about cybersecurity, cloud technology and houseplants | Twitter @2wiredSecurity | Awesome August: https://bit.ly/33hVzJ7