A set of practice questions and answers for the SANS 401 (SEC401/GSEC) exam, covering fundamental cybersecurity concepts. It includes questions on risk analysis, biometric mechanisms, network security, intrusion detection, cryptography and operating systems. The document aims to help students prepare for the SANS 401 exam by providing insight into key topics and common exam questions.
Typology: Exams
Q: What should be done before conducting a risk analysis?
Options: Understand business operations and the types of possible risk exposure - List the return on investment for each asset to calculate the quantitative risk
Options: To place systems on an isolated network segment until they are properly scanned and patched - To authenticate users and determine what resources they are allowed to use - To allow remote users to access resources on an internal LAN - To allow several computers to work closely together so they seem to form a single computer
Answer: To place systems on an isolated network segment until they are properly scanned and patched.
Explanation: Together, NAC and a VLAN can place systems on an isolated VLAN until they have been scanned and properly patched, limiting their exposure to, and their ability to infect, other systems. Remote user access to internal LAN resources is provided by a VPN; authentication and authorization (and accounting, AAA) are handled by an LDAP server, RADIUS, or a similar protocol; several computers working together as one is clustering.

Q: What feature is not available in 802.11i but is addressed by 802.1X?
Options: Network Authentication - Replay Protection - Integrity - Encryption
Answer: Network Authentication
Explanation: The 802.11i specification provided two replacement encryption mechanisms for WEP: one that could be retrofitted into existing hardware, and a second design intended as a complete solution that required new hardware. Known as the Temporal Key Integrity Protocol (TKIP) and the Counter-Mode/CBC-MAC Protocol (CCMP) respectively, these protocols give organizations a significantly more secure option for deploying wireless LANs. Both protect information on the wireless network through strong encryption, replay protection and integrity protection. Authenticating the user or device before it is admitted to the network is the job of 802.1X (port-based network access control using EAP); enterprise-mode WPA2 deployments combine 802.1X authentication with the TKIP or CCMP frame protection defined by 802.11i, which is the distinction the question draws.
Options: ... not correlate with other device signatures
Answer: NIDS produces false positives
Explanation: Reviewing network IDS logs is extremely useful but often frustrating, because a NIDS sometimes produces false positives. Still, NIDS log analysis is usually second only to firewall logs in priority; the value of such information for security is undeniable, and the logs can in most cases be easily centralized for analysis. A NIDS may or may not use syslog format, but collectors (or their pre-processors) normalize the logging differences of the logs they aggregate. Where correlation matters, the time difference between a NIDS and another system is trivial in nearly all circumstances. Once properly tuned, a NIDS produces routine, known-bad, and out-of-baseline events.

Q: Which class of Windows operating systems is commonly referred to as "Windows IoT"?
Options: Windows Embedded - Windows Ultimate - Windows Client - Windows Server
Answer: Windows Embedded
Explanation: The Windows Embedded class is commonly referred to as Windows IoT.

Q: A Linux administrator ran the commands below. The content of each file is displayed after the command. What would cause the two files to have different hashes?
root@system123:/tmp# cat example1.txt
TEST FILE
root@system123:/tmp# cat example99.txt
TEST FILE
root@system123:/tmp# md5sum example1.txt
5deffb997041bbb5f11bdcafdbb47975 -
root@system123:/tmp# md5sum example99.txt
13927f6f0f7357427e8a32b5f4017edc -
Options: md5sum changes the salt each time it is run - One of the files has a hidden character - The two file names are different - The length of the file names is different
Answer: One of the files has a hidden character
Explanation: A hash is computed over the bytes of the file, not over the characters you can see. Even if two files display identically, any non-printing or otherwise hidden byte (a trailing space, a carriage return, a zero-width or non-breaking space) produces a different hash. Neither the file name nor its length is part of the hashed data, so they cannot affect the result, and md5sum does not use a salt. Tools such as cat -A, xxd or cmp will show exactly where the two files differ.

Q: Which description below is an example of an external threat to Acme Corporation?
Options: An Acme employee contracted to another company logging into Acme from a PC at the other company - A visitor to Acme who attempts to connect to Acme's enterprise network - A buggy software update that an Acme sys admin applied to an Acme server - An Acme employee returning from lunch and plugging in a USB drive she found
Answer: A visitor to Acme who attempts to connect to Acme's enterprise network
Explanation: The visitor attempting to access the enterprise network is the external threat. The other examples are insiders taking an action that poses a threat to Acme's information.
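The md5sum question above can be reproduced offline. The following is an added example (not part of the practice set): it hashes several constructed byte strings that all display as "TEST FILE", shows that only the bytes matter, and renders the content the way cat -A does so the hidden byte becomes visible. The sample contents are assumptions; the real example1.txt and example99.txt are not available here.

```python
"""Hidden-byte hash mismatch: added example, not from the practice set.

Several constructed byte strings that all print as "TEST FILE" hash
differently; a cat -A style dump shows where they differ. MD5 is used only
because the question uses md5sum; it is not collision resistant and should
not be chosen for new integrity checks.
"""
import hashlib

# Constructed sample contents (assumption): each renders as "TEST FILE" in a
# terminal, but only the first is exactly those nine ASCII bytes plus newline.
SAMPLES = {
    "plain": b"TEST FILE\n",
    "trailing_space": b"TEST FILE \n",
    "crlf": b"TEST FILE\r\n",
    "nbsp": "TEST\u00a0FILE\n".encode("utf-8"),  # U+00A0 non-breaking space
}


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of the raw bytes, the same thing md5sum/sha256sum compute."""
    return hashlib.new(algo, data).hexdigest()


def reveal(data: bytes) -> str:
    """Render bytes like `cat -A`: printable ASCII as-is, newline as '$',
    everything else as \\xNN so hidden characters become visible."""
    out = []
    for b in data:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b == 0x0A:
            out.append("$\n")
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte (like `cmp`), or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_all(samples=SAMPLES, algo="md5"):
    """Map each sample name to (digest, offset of first byte differing from 'plain')."""
    base = samples["plain"]
    return {
        name: (digest(data, algo), first_difference(base, data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (h, off) in compare_all().items():
        print(f"{h}  {name:15s} differs from plain at byte {off}")
        print("    ", reveal(SAMPLES[name]).rstrip("\n"))
```

The file name never enters `digest()`, which is why renaming a file leaves its hash unchanged; only `first_difference()` and `reveal()` are needed to locate the offending byte once two hashes disagree.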
Options: chown - chgrp - newgrp - chmod
Answer: chown
Explanation: The chown command can change both the user ownership and the group ownership at the same time. For example, to make user jdoe the owner of file.txt and set its group to marketing:
chown jdoe:marketing file.txt

Q: You are asked by your manager to run a vulnerability scan against the engineering department's network. What should you ensure you have before performing any scanning activity?
Options: Previous Scan Results - Commercial Vulnerability Scanner - Written Permission - Wireless Internet Scans - Root Access to Systems
Answer: Written Permission
Explanation: Vulnerability scanning can be hazardous to your career. The difference between a penetration tester and an attacker is permission, so be sure you have it. If you are only now establishing a scanning policy in your organization, get written permission from the highest level possible.

Q: Which of the following methods is part of the process of permitting remote access to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion even when restrictive permissions for remote access have been set on all other keys?
Options: Stop and disable the Remote Registry Service on the specific server - Pause the Remote Registry Service on the specific server - Add the key path to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subkey - Add proper ACLs for the key to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg key
Answer: Add the key path to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subkey.
Explanation: The ACL on the \winreg key determines who may access the registry remotely at all. Paths listed in the AllowedPaths subkey (its Machine value) are exempt from that \winreg ACL check, so adding the key path there permits remote access to that key while the rest of the registry stays restricted. Stopping the Remote Registry Service prevents all remote registry access to that host.

Q: Which Linux command below is similar to the Windows "dir" command?
Options: cd - ls - ln - file - du
Answer: ls
Explanation: The ls command lists files and directory contents. file reports what type of data a file contains; cd changes the working directory; du reports how much space a file or directory uses; ln creates a link, the closest Linux equivalent of a Windows shortcut.

Q: An organization is worried about malicious or unauthorized software being run on its network. What solution should it implement for the best security?
Options: VLANs - Blacklisting - Firewalls - Whitelisting
Answer: Whitelisting
Explanation: Whitelisting (application allow-listing) is the best solution because it ensures that only acceptable, authorized applications can run. While
Q: What is hashed to compute the IPsec Authentication Header's Integrity Check Value?
Options: Sender's public key - Source and destination addresses - Every field in the packet - Every field in the packet that will not change during transit
Answer: Every field in the packet that will not change during transit
Explanation: The IPsec Authentication Header adds a keyed hash (an HMAC) of the packet, called the Integrity Check Value (ICV). The ICV is computed over every field that does not change in transit: the source address, destination address, length, protocol, the AH header itself (with its ICV field zeroed) and the data. Fields that routers legitimately modify, such as TTL, the DSCP/ECN byte, flags, fragment offset and the header checksum, are treated as zero for the computation. In transport mode the AH is inserted after the regular IP header and before the payload.

Q: Which of the following is supported for multi-factor authentication on Microsoft Azure AD?
Options: RSA Token - Smart Card - Retinal Scan - SMS PIN
Answer: SMS PIN
Explanation: Of the choices, only SMS PIN is supported by Azure AD MFA. Azure AD (now Microsoft Entra ID) also offers the Microsoft Authenticator app, voice call, OATH hardware tokens and FIDO2 security keys; SMS is the weakest of these because it is exposed to SIM swapping and interception.

Q: Which of the problems below is tractable?
Options: Computing Data Encryption Standard ciphertext - Computing elliptic curves in a finite field - Solving the discrete logarithm problem - Factoring a large integer into its two prime factors
Answer: Computing Data Encryption Standard ciphertext
Explanation: Computing ciphertext with any standard encryption algorithm is tractable: it takes a small, fixed amount of work per block. DES is an old algorithm with a small keyspace, which makes brute-forcing its key practical, but that is a separate point from encryption itself being cheap.
The other problems are intractable: they can be solved in principle, but the time the best known algorithms need at the key sizes used in practice makes solving them impractical. The security of RSA rests on factoring, and that of Diffie-Hellman and elliptic-curve cryptography on the discrete logarithm problem.

Q: When analyzing an entire TCP session with tcpdump, which TCP flags are used in the three-way handshake?
Options: SYN, SYN+ACK, ACK - SYN, ACK, FIN - SYN, SYN, ACK - SYN, SYN+ACK, SYN
Answer: SYN, SYN+ACK, ACK
Explanation: The client sends SYN, the server replies SYN+ACK, and the client completes the handshake with ACK (tcpdump displays these as [S], [S.] and [.]). The other choices are not valid sequences for initiating a TCP connection.

Q: Which encryption algorithm was selected as the official AES cipher?
Options: Twofish - 3DES - RC6 - Rijndael
Answer: Rijndael
Explanation: NIST announced the five AES finalists on August 9, 1999. In October 2000, Rijndael was announced as the winner and was approved as the official AES cipher (published as FIPS 197 in November 2001).

Q: Which of the following event classification types occurs when an activity is malicious but the Intrusion Detection System does not generate an alert?
Options: False negative - False positive - True positive - True negative
Answer: False negative
Explanation: A false negative is malicious activity the IDS failed to flag; no alert is generated, so the analyst never sees it.
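The Authentication Header question above describes the ICV calculation in words; the following added example (not from the practice set or from any IPsec implementation) carries it out. It builds a minimal IPv4 header, zeroes the mutable fields as RFC 4302 requires, appends the AH header with a zeroed ICV field and the payload, and computes HMAC-SHA-256-128 (RFC 4868). It then shows that a TTL decrement in transit leaves the ICV valid while a changed destination or payload byte does not. Addresses, key, SPI and payload are constructed values, and transport mode with an option-less header is assumed.

```python
"""IPsec AH Integrity Check Value over the immutable fields: added example,
not from the practice set or any IPsec implementation.

Mutable IPv4 fields zeroed before hashing (RFC 4302): DSCP/ECN byte,
flags + fragment offset, TTL, header checksum. Transport mode is assumed,
so the AH sits between the IP header and the payload.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51          # IP protocol number for AH
ICV_LEN = 16           # HMAC-SHA-256-128 truncates the MAC to 128 bits
AH_FIXED_LEN = 12      # next header, payload len, reserved, SPI, sequence


def ipv4_header(src, dst, proto, total_len, *, ttl=64, tos=0, ident=0x1234,
                flags_frag=0x4000, checksum=0):
    """20-byte IPv4 header; the checksum is left 0 because AH zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                       ttl, proto, checksum,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    """Copy of the header with the in-transit mutable fields set to zero."""
    if ip_hdr[0] != 0x45:
        raise ValueError("only option-less IPv4 headers are handled here")
    h = bytearray(ip_hdr)
    h[1] = 0                     # DSCP/ECN
    h[6:8] = b"\x00\x00"         # flags + fragment offset
    h[8] = 0                     # TTL
    h[10:12] = b"\x00\x00"       # header checksum
    return bytes(h)


def ah_header(next_header, spi, seq, icv):
    """AH layout; payload length is the AH length in 32-bit words minus 2."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, next_header, spi, seq, payload):
    """ICV = truncated HMAC over immutable IP fields + AH (ICV zeroed) + payload."""
    data = (zero_mutable(ip_hdr)
            + ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
            + payload)
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, *, next_header=6, spi=0x100, seq=1, ttl=64):
    """Sender: IP header + AH (with real ICV) + payload, transport mode."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len, ttl=ttl)
    icv = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


def verify_ah_packet(key, packet):
    """Receiver: recompute the ICV from the packet as it arrived."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv = rest[AH_FIXED_LEN:ah_len]
    payload = rest[ah_len:]
    expected = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected)


def decrement_ttl(packet):
    """What every router hop does: TTL - 1 (the header checksum changes too)."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


KEY = b"constructed-32-byte-key-for-demo"   # assumption, demo key only

if __name__ == "__main__":
    pkt = build_ah_packet(KEY, "10.0.0.1", "10.0.0.2", b"hello")
    print("fresh packet verifies:      ", verify_ah_packet(KEY, pkt))
    print("after TTL decrement:        ", verify_ah_packet(KEY, decrement_ttl(pkt)))
    print("after payload tampering:    ", verify_ah_packet(KEY, pkt[:-1] + b"X"))
```

Because the destination address is inside the ICV, AH breaks under NAT; that is the practical reason ESP (which does not cover the outer IP header) is what most deployments use.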
The primary way to avoid OS command injection attacks is to avoid system calls from your web application altogether, especially when the command string is built from user input. In most cases there is a function or library within your programming language that performs the same action without a shell; where a subprocess is unavoidable, pass the arguments as a list (no shell) and validate the input against a strict allow-list.

Q: How often, by default, does Windows Group Policy check for updated policies?
Options: Once a day - Within 30 minutes of an applied policy change - Every quarter hour - Every 90-120 minutes
Answer: Every 90-120 minutes
Explanation: When a computer boots, it downloads the GPOs assigned to it and applies them automatically. Every 90 minutes thereafter, plus a random offset of up to 30 minutes (hence 90-120 minutes), the computer checks whether any of its GPOs have changed; changed GPOs are downloaded and applied without a reboot. The interval and offset can be configured to other values, but the default background refresh is 90 minutes with a 0-30 minute offset (domain controllers refresh every 5 minutes by default).

Q: Which of the following best describes Defense-in-Depth?
Options: Layered controls - Separation of duties - Hardened perimeter security - Risk management
Answer: Layered controls
Explanation: Defense-in-depth is characterized by layered defenses: any single layer may eventually fail, but several independent layers together offer better protection. Risk management, separation of duties, and a hardened perimeter can each be part of a layered defense but do not describe the full concept.
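The command-injection guidance above, as an added example (not from the practice set): a hypothetical web handler that looks up a user-supplied host name, written first the vulnerable way (string concatenation handed to the shell) and then the hardened way (allow-list validation plus an argv list with no shell). `echo` stands in for the real command (ping, nslookup and the like) so the example runs offline; the injection mechanics are the same.

```python
"""OS command injection, vulnerable and hardened: added example, not from
the practice set. `echo` replaces the real command so this runs offline.
"""
import re
import subprocess

# Strict allow-list for a host name (assumption about what the application
# should accept): labels of letters, digits and hyphens, no leading hyphen
# (so the value can never be parsed as an option), dotted, max 253 chars.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$")


def lookup_vulnerable(user_input: str) -> str:
    """VULNERABLE: the string is handed to /bin/sh, so ';', '|', '&&' and
    $(...) in the input are parsed as shell syntax and executed."""
    cmd = "echo host=" + user_input          # user data spliced into a command line
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_hostname(user_input: str) -> str:
    """Allow-list check; reject anything that is not a plain host name."""
    if len(user_input) > 253 or not HOSTNAME_RE.fullmatch(user_input):
        raise ValueError(f"invalid host name: {user_input!r}")
    return user_input


def lookup_safe(user_input: str) -> str:
    """HARDENED: validated input, argv list, no shell. The value travels as a
    single argument, so shell metacharacters carry no meaning even if the
    validation were loosened later."""
    host = validate_hostname(user_input)
    return subprocess.run(["echo", "host=" + host], capture_output=True,
                          text=True).stdout


def attempt(user_input: str) -> dict:
    """Run both variants on the same input and report what each did."""
    try:
        safe = lookup_safe(user_input)
    except ValueError as exc:
        safe = f"rejected ({exc})"
    return {"vulnerable": lookup_vulnerable(user_input), "safe": safe}


if __name__ == "__main__":
    for inp in ["example.com", "example.com; echo INJECTED", "$(echo INJECTED).example.com"]:
        print(repr(inp), "->", attempt(inp))
```

Validation alone is not the fix: the list-form call is what removes the shell from the path, and the allow-list is what stops the value from being reinterpreted by the target program itself (for example as an option).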
Q: Which of the following is considered a recommended practice but not a business requirement?
Options: Guideline - Standard - Baseline - Procedure
Answer: Guideline
Explanation: Guidelines, unlike standards and policies, are not mandatory; they recommend how something should be done.

Q: Which of the following is a characteristic of Quality Updates for Windows?
Options: Are released less frequently than Feature Updates - Support deferring installation on Home edition devices - Include bug fixes and security patches - Increment the version of Windows
Answer: Include bug fixes and security patches
Explanation: Quality Updates are smaller improvements to software already on Windows systems and include bug fixes and security fixes. They are released about every 30 days, whereas Feature Updates are released a couple of times a year and increment the Windows version. Installation of Quality Updates may be deferred for up to 30 days, except on Home edition devices.

Q: When does applying an encryption algorithm multiple times provide additional security?
Options: When the algorithm is a group - When the algorithm is not a group - The algorithm uses XOR - The algorithm is weak
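The multiple-encryption question above turns on whether the cipher's keyed transformations form a group under composition: if they do, encrypting with k1 and then k2 is identical to a single encryption under some k3, so the attacker's brute-force search is no larger than before. The following added example (not from the practice set) demonstrates this exhaustively on two toy 4-bit ciphers, which are assumptions chosen so the search is cheap: a XOR cipher (a group) and a substitute-after-XOR cipher using the public PRESENT S-box (not a group).

```python
"""Why multiple encryption helps only when the cipher is not a group: added
example, not from the practice set. Toy 4-bit ciphers (assumptions).
"""
from itertools import product

BITS = 4
SPACE = range(1 << BITS)

# PRESENT block cipher S-box (a fixed public constant), used as the non-linear layer.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def xor_cipher(key: int, m: int) -> int:
    """E_k(m) = m XOR k. Composition: E_k2(E_k1(m)) = E_(k1 XOR k2)(m)."""
    return m ^ key


def sbox_cipher(key: int, m: int) -> int:
    """E_k(m) = S[m XOR k]: key mixing followed by a non-linear S-box."""
    return PRESENT_SBOX[m ^ key]


def double_encrypt(cipher, k1: int, k2: int, m: int) -> int:
    """Encrypt with k1, then encrypt the result with k2."""
    return cipher(k2, cipher(k1, m))


def single_key_equivalent(cipher, k1: int, k2: int):
    """Exhaustively look for k3 with E_k3 == E_k2 o E_k1 on every message.
    Returns k3, or None if the double encryption is not a single-key encryption."""
    for k3 in SPACE:
        if all(cipher(k3, m) == double_encrypt(cipher, k1, k2, m) for m in SPACE):
            return k3
    return None


def is_group(cipher) -> bool:
    """True if every composition of two keyed encryptions is itself a keyed
    encryption. For a finite set of permutations, closure under composition
    is enough: identity and inverses then follow."""
    return all(single_key_equivalent(cipher, k1, k2) is not None
               for k1, k2 in product(SPACE, repeat=2))


if __name__ == "__main__":
    print("xor cipher is a group:", is_group(xor_cipher))
    print("double XOR with keys 1,2 == single key", single_key_equivalent(xor_cipher, 1, 2))
    print("sbox cipher is a group:", is_group(sbox_cipher))
    print("double sbox with keys 1,2 == single key", single_key_equivalent(sbox_cipher, 1, 2))
```

Not being a group is necessary but not sufficient for extra strength: DES is not a group, yet double DES gains almost nothing because a meet-in-the-middle attack trades memory for time, which is why Triple DES is used instead.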
cases, the IDS worked as intended and correctly flagged the activity as anomalous behavior that might be malicious. True positives generate alerts for the analyst to process.
False positive: the IDS generates an alert flagging activity as hostile when it was benign. False positives also generate alerts for the analyst, who must then decide how to handle the activity.

Q: Which access control mechanism requires a high amount of maintenance, since all data must be classified and all users granted appropriate clearance?
Options: Mandatory - Role-Based - Ruleset-based - Discretionary
Answer: Mandatory
Explanation: Mandatory Access Control (MAC) is enforced by the system on the basis of labels (classifications) and clearances and cannot be overridden by the owner of an object or by an ordinary administrator. MAC requires more effort to maintain because every object must be classified and every user cleared.

Q: What is the preferred method of setting up decoy ports on a server?
Options: Set up the host to use a very small window size to manage flow control to the ports - Use software which makes ports appear to be open but is not related to the real services - Configure a host-based firewall to respond with RST packets when the decoy port is the destination port - Enable the actual services for the decoy ports and then keep them patched and up to date
Answer: Use software which makes ports appear to be open but is not related to the real services
Explanation: To set up decoy ports, the administrator should not enable the real services: even fully patched, each additional service increases the attack surface. Software that makes the ports appear open without running the actual services is the better option. Another option is a gateway device that leads an outsider to believe more ports are open. A host-based firewall that answers with RST would not give the illusion that the ports were open. A small TCP window size (a tarpit) could be used to tie up an attacker's resources but has nothing to do with decoy ports.

Q: A system administrator thinks an attacker is sending malicious data to a router. Which tool will help show this?
Options: Router configuration guide - Packet sniffer - Remote access tool - NTP device
Answer: Packet sniffer
Explanation: Sniffers can be hardware devices that physically attach to the network, but more commonly they are software programs running on networked computers. The sniffers bundled with an operating system (tcpdump, for example) are designed as tools for the system administrator.

Q: Which item, when created with default options, is ciphertext?
Options: An automobile license plate - An Apple Lossless audio file - A ZIP file - A Windows executable file - A digital signature
Answer: A digital signature
Explanation: To digitally sign a message (to give "digital proof" of the signer's identity), an asymmetric algorithm such as RSA or ECC is applied to a hash of the message, so the signature value is the output of a cryptographic operation. The .exe, .m4a and .zip files can be encrypted, some through options at creation time and others by a separate program, but by default they are all unencrypted plaintext. The license plate is also plaintext: a visible sequence, loosely coupled to the car, that conveys no hidden information.
The CIS Critical Security Controls are a prioritized set of technical security controls designed to prevent currently known, high-priority attacks as well as future attacks.

Q: Which objective can be met by using CFEngine or Puppet?
Options: Network Activity Baselining - Mandatory Access Control - Configuration Management - Log Analysis
Answer: Configuration Management
Explanation: Puppet and CFEngine are configuration management tools. They make it easier to apply a consistent, secure configuration across Linux (and other) hosts.

Q: What is a benefit of running virtual instances in a public cloud environment?
Options: Physical hardware flaws such as those involving processors do not affect virtual instances - Cloud APIs have stronger authentication than those written for traditional environments - Incident Responders can more effectively and efficiently handle containment and recovery - Network traffic between virtual machines is more secure because it cannot be captured on a virtual switch
Answer: Incident Responders can more effectively and efficiently handle containment and recovery
Explanation: Virtualization and the elasticity inherent in cloud platforms allow more efficient and effective containment and recovery (snapshotting a compromised instance for forensics, isolating it with a security-group change, and replacing it from a known-good image) with less service interruption than traditional technologies. The other options are false: VM traffic sniffing occurs when an adversary gains access to a victim's network, especially the vSwitch, and monitors VM traffic; successful exploitation of physical processor flaws can yield kernel-level permissions and root-level file access, so such flaws do affect virtual instances; and many cloud APIs have been written with weak authentication in the interest of simplicity.
Q: Windows IoT is a version of which Windows OS?
Options: Windows 8 - Windows 10 - Windows Server 2019 - Windows Hyper-V Server
Answer: Windows 10
Explanation: Starting with Windows 10, Microsoft renamed Windows Embedded to Windows IoT to capitalize on the Internet of Things trend. Windows IoT is intended for dedicated-use, industry-specific appliances in sectors such as utilities, manufacturing, retail and healthcare (ICS/SCADA equipment, retail point-of-sale, MRI scanners, digital signs) as well as for the small, inexpensive "Internet of Things" devices such as robots, quadcopters, drones, sensors, toys and 3D printers. It supports ARM as well as x86 and x64 CPUs and runs on boards such as the Raspberry Pi and MinnowBoard. It is a rebranding of the Windows Embedded editions that accompanied earlier versions of Windows.

Q: Which fact is associated with the RSA cryptosystem?
Options: It is useful in resource-constrained environments - The algorithm is primarily based on symmetric permutation - Vulnerabilities have been found in some implementations - It can be used for encryption, digital signatures, and hashing
Answer: Vulnerabilities have been found in some implementations
Explanation: Although there have been many claims of having cracked the RSA algorithm, they have all turned out to be false. Vulnerabilities have been found in particular RSA implementations, however: weak key generation, missing or faulty padding, and side channels. A poor implementation can be compromised, but that does not mean the algorithm itself has been broken. The other options are wrong: RSA is an asymmetric algorithm based on modular exponentiation, its large keys and slow private-key operations make it a poor fit for resource-constrained devices (ECC is preferred there), and it is not a hash function.
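The RSA question above separates the algorithm from its implementations. The following added example (not from the practice set) shows the most basic implementation-level gap: textbook RSA with no padding is malleable, so an attacker who knows only the public key can turn a ciphertext for m into one for m*r, and a decryption (or signing) oracle that refuses the original ciphertext still gives m away. The key uses the small textbook constants p=61, q=53, e=17, an assumption that keeps the arithmetic visible and is far too small for real use.

```python
"""Algorithm versus implementation: textbook RSA is malleable. Added example,
not from the practice set. Tiny key (p=61, q=53, e=17) is an assumption for
readability; real keys are 2048 bits or more.
"""
P, Q = 61, 53
N = P * Q                 # 3233
E = 17
PHI = (P - 1) * (Q - 1)   # 3120
D = pow(E, -1, PHI)       # 2753, the private exponent (Python 3.8+)


def encrypt(m: int) -> int:
    """Textbook RSA: c = m^e mod n with no padding (the flaw demonstrated)."""
    if not 0 <= m < N:
        raise ValueError("message must be in [0, n)")
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """m = c^d mod n. Signing is the same operation, so a signing oracle is
    just as useful to the attacker as a decryption oracle."""
    return pow(c, D, N)


def malleate(c: int, r: int) -> int:
    """Attacker, knowing only (n, e): c' = c * r^e mod n decrypts to m*r."""
    return (c * pow(r, E, N)) % N


def recover(m_times_r: int, r: int) -> int:
    """Strip the blinding factor once the oracle has decrypted c'."""
    return (m_times_r * pow(r, -1, N)) % N


def chosen_ciphertext_attack(c: int, oracle, r: int = 2) -> int:
    """Recover m from c using an oracle that refuses to decrypt c itself."""
    return recover(oracle(malleate(c, r)), r)


def naive_oracle(c_blocked: int):
    """Hypothetical service that decrypts anything except the target
    ciphertext, which is the only protection an unpadded scheme offers."""
    def oracle(c: int) -> int:
        if c == c_blocked:
            raise PermissionError("will not decrypt the target ciphertext")
        return decrypt(c)
    return oracle


if __name__ == "__main__":
    m = 65
    c = encrypt(m)
    print("c =", c, "decrypts to", decrypt(c))
    print("c' =", malleate(c, 2), "decrypts to", decrypt(malleate(c, 2)), "= 2m")
    print("attacker recovers", chosen_ciphertext_attack(c, naive_oracle(c)))
```

Padding schemes (RSA-OAEP for encryption, RSA-PSS for signatures) randomize and structure the input so that a malleated ciphertext no longer decrypts to anything well-formed; that is the implementation detail the question is pointing at, not a weakness in the modular arithmetic.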