SANS 401 EXAM ACTUAL EXAM | ALL QUESTIONS AND CORRECT ANSWERS WITH EXPLANATIONS (VERIFIED ANSWERS) | LATEST EXAM | JUST RELEASED | ALREADY GRADED A+
Typology: Exams
What term describes software products deployed directly on a computer that analyze system event logs and use signature matching to flag suspicious activity?
Network based IDS - Antivirus scanner - Host based IDS - File integrity monitors
CORRECT ANSWER: Host based IDS
(Explanation) Instead of analyzing network traffic, host-based sensors (host IDS) analyze the event logs from one or several hosts. By watching event logs, host-based sensors can catch some intrusion attempts that network-based intrusion detection would miss. Network-based sensors, antivirus software, and file integrity monitors do not check system event logs by definition.

Why is the job of analyzing Network Intrusion Detection System (NIDS) logs more difficult than analyzing firewall logs?
NIDS logs do not use standard syslog format - NIDS only creates Out-of-Baseline events - NIDS produces false positives - NIDS time signatures do not correlate with other device signatures
CORRECT ANSWER: NIDS produces false positives
(Explanation) Reviewing Network IDS logs is extremely useful but is often a frustrating task because NIDSs sometimes produce false positives. Still, NIDS log analysis usually comes second only to firewall log analysis; the security value of this information is undeniable, and the logs can in most cases be centralized easily for analysis. A NIDS may or may not use syslog format, but collectors (or their pre-processors) normalize the logging differences of the logs they aggregate. Where correlation matters, the time difference between a NIDS and another system is trivial in nearly all circumstances. Once properly tuned, a NIDS produces routine, known-bad, and out-of-baseline events.

Which class of Windows operating systems is commonly referred to as "Windows IoT"?
Windows Embedded - Windows Ultimate - Windows Client - Windows Server
CORRECT ANSWER: Windows Embedded
(Explanation) The Windows Embedded class is commonly referred to as Windows IoT.

A Linux administrator ran the commands below. The content of each file is displayed after the command. What would cause the two files to have different hashes?
root@system123:/tmp# cat example1.txt
TEST FILE
root@system123:/tmp# cat example99.txt
TEST FILE
root@system123:/tmp# md5sum example1.txt
5deffb997041bbb5f11bdcafdbb47975 -
root@system123:/tmp# md5sum example99.txt
13927f6f0f7357427e8a32b5f4017edc -
md5sum changes the salt each time it is run - One of the files has a hidden character - The two file names are different - The length of the file names is
(Explanation) A honeytoken is a file placed on a production system that is designed to look legitimate but has no real value. Embedding a honeytoken with a specific string that an intrusion detection system can match on is a good way to detect attempted data exfiltration: with the rule in place, the file is flagged the moment it traverses the IDS. If the rule is deployed on an IPS, the connection can be closed automatically and the source IP address blocked.

Which of the following statements best describes where a border router is normally placed?
Between your ISP and your external firewall - Between your firewall and your internal network - Between your ISP and DNS server - Between your firewall and DNS server
CORRECT ANSWER: Between your ISP and your external firewall
(Explanation) A border router is normally placed between the Internet Service Provider (ISP) and the external firewall.

Which of the following Linux commands can change both the username and groupname a file belongs to?
chown - chgrp - newgrp - chmod
CORRECT ANSWER: chown
(Explanation) The chown command can change the user ownership and the group ownership at the same time. For example, to make user jdoe the owner of file.txt and marketing its group, run: chown jdoe:marketing file.txt (chgrp changes only the group, newgrp changes the caller's current group, and chmod changes permission bits, not ownership.)
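The honeytoken detection described above, as an added worked example (this is not code from the page or from SANS courseware): plant a decoy file carrying a unique marker, express the marker as an IDS content rule, and run the match over outbound traffic. The decoy file name, the marker format, the rule syntax and the "captured" flows in demo() are constructed for illustration.

```python
"""Added example: detecting a honeytoken in outbound traffic by content match.

Not code from the original page. The decoy file name, marker format, rule
syntax and the sample outbound payloads in demo() are all constructed.
"""
import os
import secrets
import tempfile


def make_honeytoken(directory: str, name: str = "Q3_salary_review.csv"):
    """Write a plausible-looking decoy file that carries a unique marker.

    Returns (path, marker). The marker is long and random so it cannot occur
    in legitimate traffic by accident, which keeps the rule's false-positive
    rate at zero: any hit means the decoy itself is leaving the network.
    """
    marker = "HT-" + secrets.token_hex(8)
    body = (
        "employee_id,name,department,proposed_salary\n"
        "10423,A. Example,Finance,91000\n"
        f"# internal reference {marker}\n"
    )
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    return path, marker


def build_rule(marker: str, sid: int = 1000001) -> str:
    """Render a Snort/Suricata-style content rule for the marker (illustrative)."""
    return (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
        f'(msg:"Honeytoken exfiltration"; content:"{marker}"; sid:{sid}; rev:1;)'
    )


def inspect_flows(flows, marker: str):
    """Apply the content match to outbound (src, dst, payload) tuples.

    Returns the (src, dst) pairs that should alert. An IPS would, in addition,
    reset the connection and block src. The match is on the reassembled stream;
    a marker split across two packets would be missed by a per-packet check.
    """
    needle = marker.encode()
    return [(src, dst) for src, dst, payload in flows if needle in payload]


def demo() -> dict:
    """Plant the token, then inspect a benign flow and an exfiltration attempt."""
    workdir = tempfile.mkdtemp()
    path, marker = make_honeytoken(workdir)
    with open(path, "rb") as fh:
        stolen = fh.read()
    flows = [  # constructed sample traffic
        ("10.0.0.5", "203.0.113.9",
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        ("10.0.0.5", "198.51.100.7", b"POST /upload HTTP/1.1\r\n\r\n" + stolen),
    ]
    return {"marker": marker, "rule": build_rule(marker),
            "alerts": inspect_flows(flows, marker)}
```

The marker should never be written anywhere except the decoy file and the IDS rule; if it leaks into backups, tickets or a wiki, every copy becomes a false alarm. Compression or encryption of the exfiltrated file defeats a plain content match, which is why the honeytoken is a detection layer, not a substitute for egress controls.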
You are asked by your manager to run a vulnerability scan against the engineering department's network. What should you ensure you have before performing any scanning activity?
Previous Scan Results - Commercial Vulnerability Scanner - Written Permission - Wireless Internet Scans - Root Access to Systems
CORRECT ANSWER: Written Permission
(Explanation) Vulnerability scanning can be hazardous to your career. The difference between a penetration tester and an attacker is permission, so be sure you have it. If you are only now drawing up a scanning policy for your organization, get written permission from the highest level possible.

Which of the following methods is part of the process of permitting remote access to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion even when restrictive permissions for remote access on all other keys have been set?
Stop and disable the Remote Registry Service at the specific server. - Pause the Remote Registry Service at the specific server. - Add the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subkey. - Add proper ACLs to access the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\ key.
INCORRECT ON PT
CORRECT ANSWER: Add the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subkey.
(Explanation) You can add keys that will not be affected by the \winreg key ACL (which determines remote access permissions for the entire
Consistent permissions and rights - Simplicity of single sign-on - Lower initial cost - Centralized control
INCORRECT ON PT
CORRECT ANSWER: Lower initial cost
(Explanation) Workgroups do have lower initial costs. Their disadvantages include no centralized control, difficulty implementing single sign-on, and no consistent permissions and rights.

When the last command is run without any arguments, as shown in the image, what log file is it displaying?
utmp - wtmp - btmp - syslog
CORRECT ANSWER: wtmp
(Explanation) When you run last with no arguments, you see the contents of the wtmp log file. The last command can, however, read utmp, wtmp, and btmp. Running last by itself shows who logged in, when they logged in, and when they logged out, among other useful information, and this is historical data. With the -f switch you can tell last to read from the utmp or btmp file instead (lastb is the conventional way to read btmp, the failed-login log).

What is hashed to compute the IPSec Authentication Header's Integrity Check Value?
Sender's public key - Source and destination addresses - Every field in the packet - Every field in the packet that will not change during transit
CORRECT ANSWER: Every field in the packet that will not change during transit
(Explanation) The IPSec Authentication Header adds a keyed hash of the message to the packet. This hash is referred to as the Integrity Check Value (ICV). In the ICV computation, AH includes every field that does not change during the packet's trip from source to destination: the source address, destination address, length, and the data. Mutable fields such as TTL and the header checksum are treated as zero for the computation. The AH header is inserted after the regular IP header but before the data.

Which of the following is supported for multi-factor authentication on Microsoft Azure AD?
RSA Token - Smart Card - Retinal Scan - SMS PIN
INCORRECT ON PT
CORRECT ANSWER: SMS PIN
(Explanation) Of the choices, only SMS PIN is supported by Azure AD.

Which of the problems below is tractable?
Computing Data Encryption Standard ciphertext - Computing elliptic curves in a finite field - Solving the discrete logarithm problem - Factoring a large integer into its two prime factors
CORRECT ANSWER: Computing Data Encryption Standard ciphertext
(Explanation) Computing the ciphertext of any standard encryption algorithm is, by design, a tractable problem (DES is old and its small keyspace makes brute-force key recovery feasible too, but that is a separate point). The other problems are intractable: they can be solved in theory, but the time required makes solving them impractical at the key sizes in use. For elliptic curves, the hard problem is the elliptic-curve discrete logarithm, not computing points on the curve.

When analyzing an entire TCP session with TCPdump, which TCP flags are used in the three-way handshake?
SYN,SYN+ACK,ACK - SYN,ACK,FIN - SYN,SYN,ACK - SYN,SYN+ACK,SYN
CORRECT ANSWER: SYN,SYN+ACK,ACK
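For the last/wtmp question above, an added example (not from the page) that reads the binary record format last consumes. It constructs records in memory using the glibc x86-64 struct utmp layout (384 bytes per record; other architectures and libcs differ, which is an assumption here), then pairs logins with logouts per terminal the way last does. A real /var/log/wtmp or /var/log/btmp can be fed to sessions() unchanged.

```python
"""Added example: parsing the wtmp/utmp/btmp record format that `last` reads.

Not code from the original page. Assumes the glibc x86-64 `struct utmp`
layout (384-byte records); the sample records in sample_wtmp() are constructed.
"""
import struct

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status{termination, exit}, ut_session, ut_tv{sec, usec}, ut_addr_v6[16], unused[20]
UTMP = struct.Struct("<hhi32s4s32s256shhiii16s20s")
assert UTMP.size == 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def pack_record(ut_type, pid, line, user, host, ts) -> bytes:
    """Build one record; used here only to construct sample data."""
    return UTMP.pack(ut_type, 0, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, int(ts), 0, b"", b"")


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def parse_records(blob: bytes):
    """Yield one dict per fixed-size record (a truncated tail is ignored)."""
    for off in range(0, len(blob) - len(blob) % UTMP.size, UTMP.size):
        (ut_type, _pad, pid, line, _id, user, host, _e1, _e2, _sess,
         tv_sec, _usec, _addr, _unused) = UTMP.unpack_from(blob, off)
        yield {"type": ut_type, "pid": pid, "line": _cstr(line),
               "user": _cstr(user), "host": _cstr(host), "time": tv_sec}


def sessions(blob: bytes):
    """Pair logins with logouts per tty/pts as `last` does (simplified).

    Returns (user, line, host, login_ts, logout_ts_or_None) tuples, newest
    first; None means the session was still open when the log was read.
    """
    open_by_line, out = {}, []
    for rec in parse_records(blob):
        if rec["type"] == BOOT_TIME:
            out.append(("reboot", "system boot", rec["host"], rec["time"], None))
        elif rec["type"] == USER_PROCESS:
            open_by_line[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS and rec["line"] in open_by_line:
            login = open_by_line.pop(rec["line"])
            out.append((login["user"], login["line"], login["host"],
                        login["time"], rec["time"]))
    for login in open_by_line.values():
        out.append((login["user"], login["line"], login["host"], login["time"], None))
    out.sort(key=lambda s: s[3], reverse=True)
    return out


def sample_wtmp() -> bytes:
    """Constructed wtmp content: a boot, two logins, one logout."""
    t0 = 1_700_000_000
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "reboot", "5.15.0-generic", t0),
        pack_record(USER_PROCESS, 1201, "pts/0", "jdoe", "10.0.0.12", t0 + 600),
        pack_record(USER_PROCESS, 1302, "pts/1", "root", "10.0.0.40", t0 + 900),
        pack_record(DEAD_PROCESS, 1201, "pts/0", "", "", t0 + 1800),
    ])
```

Because the file is a flat array of fixed-size records with no integrity protection, an attacker with write access can remove or rewrite individual entries without disturbing the rest, which is why wtmp and btmp should be shipped off-host as they are written rather than trusted after the fact.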
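For the AH ICV question above, an added example (not from the page) showing which IPv4 fields the keyed hash covers. It builds a minimal IPv4 header, AH header and payload, zeroes the mutable fields (TOS, flags/fragment offset, TTL, header checksum and the ICV field itself) as RFC 4302 prescribes, and computes HMAC-SHA256-128 over the result. A simulated router hop that decrements TTL leaves the ICV valid, while flipping one bit of the source address does not. The key, addresses and payload are sample values.

```python
"""Added example: which IPv4 header fields the AH Integrity Check Value covers.

Not code from the original page. Key, addresses and payload are constructed
sample values; the MAC is HMAC-SHA256-128 (RFC 4868) over the packet with
mutable fields zeroed (RFC 4302).
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # sample key, not a secret
AH_PROTO = 51
ICV_LEN = 16                                               # 128-bit truncated HMAC


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, total_len, ttl=64, tos=0, flags_frag=0,
                proto=AH_PROTO, ident=0x1234) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_header(next_header, spi, seq, icv=b"\0" * ICV_LEN) -> bytes:
    # Next Header, Payload Len (AH length in 32-bit words minus 2), Reserved, SPI, Seq, ICV
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def icv_input(ip_hdr: bytes, ah: bytes, payload: bytes) -> bytes:
    """The bytes the MAC covers: the packet with every mutable field zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                               # TOS / DSCP+ECN may be rewritten in transit
    h[6:8] = b"\0\0"                       # flags + fragment offset
    h[8] = 0                               # TTL is decremented at every hop
    h[10:12] = b"\0\0"                     # header checksum changes whenever TTL does
    a = bytearray(ah)
    a[12:12 + ICV_LEN] = b"\0" * ICV_LEN   # the ICV field itself is zero while computing
    return bytes(h) + bytes(a) + payload   # src, dst, length, proto, SPI, seq, data all covered


def compute_icv(ip_hdr, ah, payload, key=KEY) -> bytes:
    return hmac.new(key, icv_input(ip_hdr, ah, payload), hashlib.sha256).digest()[:ICV_LEN]


def build_packet(src, dst, payload, spi=0x1001, seq=1, ttl=64) -> bytes:
    total = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, total, ttl=ttl)
    icv = compute_icv(ip_hdr, ah_header(17, spi, seq), payload)   # 17: payload is UDP
    return ip_hdr + ah_header(17, spi, seq, icv) + payload


def verify(packet: bytes, key=KEY) -> bool:
    ip_hdr, ah, payload = packet[:20], packet[20:48], packet[48:]
    expected = compute_icv(ip_hdr, ah, payload, key)
    return hmac.compare_digest(expected, ah[12:12 + ICV_LEN])


def forward_one_hop(packet: bytes) -> bytes:
    """Simulate a router: decrement TTL and recompute the IP header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]
```

This is also why AH breaks behind NAT: the translator rewrites the source or destination address, which is covered by the ICV, so the receiver rejects every packet. ESP, which does not cover the outer IP header, is what NAT traversal uses.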
(/) (/var) (/lib) (/dev) (/usr/bin) (/home)
INCORRECT ON PT
CORRECT ANSWER: /usr/bin

The Windows Firewall (WF) provides a popup when a new service attempts to listen on your machine. Which of the following should you train users to select from a security perspective if they are unsure of which option to select?
(Keep Blocking) (Increase Security Level) (Safe Mode) (Send Request to Administrator)
CORRECT ANSWER: Keep Blocking
(Explanation) The three options the Windows Firewall offers are Keep Blocking, Unblock, and Ask Me Later. Keep Blocking does not allow the program to acquire a listening port. Train your users to choose this option whenever there is any doubt about what they should do. There are no Safe Mode or Send Request to Administrator options.

Which threat will be reduced by avoiding system calls from within a web app?
CORRECT ANSWER: OS command injection
(Explanation) The primary way to avoid OS command injection attacks is to avoid system calls from your web application, especially when the command line is built from user input. In most cases you can find a function or library within your programming language that performs the same action without invoking a shell.

How often by default does Windows Group Policy check for updated policies?
(Once a day) (Within 30 minutes of an applied policy change) (Every quarter hour) (Every 90-120 minutes)
INCORRECT ON PT
CORRECT ANSWER: Every 90-120 minutes
(Explanation) When a computer boots, it downloads the GPOs assigned to it and applies them automatically. Every 90-120 minutes thereafter (a 90-minute base interval plus a random offset of up to 30 minutes), the computer checks whether any GPO assigned to it has changed; any that have are downloaded and applied even if the computer has not rebooted. The interval and offset can be changed by policy, but 90-120 minutes is the default for workstations and member servers (domain controllers refresh every 5 minutes by default).

Which of the following best describes Defense-in-Depth?
Layered controls - Separation of duties - Hardened perimeter security - Risk management
CORRECT ANSWER: Layered controls
(Explanation) Defense-in-depth is best characterized by layered defenses. The idea is that any single layer may eventually fail, but layered defenses together offer better protection. Risk management, separation of duties, and hardened perimeters are parts of a layered defense but do not describe the full concept.

Which of the following is considered a recommended practice but not a business requirement?
Guideline - Standard - Baseline - Procedure
INCORRECT ON PT
CORRECT ANSWER: Guideline
(Explanation) Guidelines, unlike standards and policies, are not mandatory. A guideline is a recommendation of how something should be done.
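For the OS command injection question above, an added example (not from the page) putting the shell-out that creates the flaw next to two fixes: an argument list with no shell, and the preferred form, the language's own file I/O with the user-controlled name confined to a base directory. The file contents and the attacker-supplied names in demo() are constructed; the vulnerable function is left vulnerable on purpose.

```python
"""Added example: OS command injection via a shell-out, and how to remove it.

Not code from the original page. File contents and the hostile names in
demo() are constructed. count_lines_unsafe() is deliberately vulnerable.
"""
import subprocess
import tempfile
from pathlib import Path


def count_lines_unsafe(filename: str) -> str:
    """VULNERABLE (kept that way on purpose): the command line is built from
    user input and handed to /bin/sh, so ';', '|', '$(...)' are interpreted."""
    cmd = "wc -l " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def count_lines_argv(filename: str) -> subprocess.CompletedProcess:
    """If a shell-out is unavoidable: pass an argument list with shell=False so
    metacharacters in the name are inert (to wc it is just an odd filename)."""
    return subprocess.run(["wc", "-l", filename], capture_output=True, text=True)


def count_lines(base_dir: str, filename: str) -> int:
    """Preferred: no system call at all. The language's own file I/O does the
    job, and the user-controlled name is confined to base_dir."""
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    if base not in target.parents:
        raise ValueError(f"refusing path outside {base}: {filename!r}")
    with open(target, "rb") as fh:
        return sum(1 for _ in fh)


def demo() -> dict:
    """Run all three variants against a benign name and an injection attempt."""
    workdir = tempfile.mkdtemp()
    data = Path(workdir, "data.txt")
    data.write_text("a\nb\nc\n")
    hostile = "data.txt; echo INJECTED"          # constructed attacker input
    hostile_path = str(Path(workdir, hostile))
    results = {
        "unsafe_benign": count_lines_unsafe(str(data)).split()[0],
        "unsafe_hostile": count_lines_unsafe(hostile_path),      # runs echo too
        "argv_hostile_injected": "INJECTED" in count_lines_argv(hostile_path).stdout,
        "safe_benign": count_lines(workdir, "data.txt"),
    }
    for label, name in (("safe_hostile", hostile),
                        ("safe_traversal", "../../etc/passwd")):
        try:
            count_lines(workdir, name)
            results[label] = "ran"
        except (FileNotFoundError, ValueError) as exc:
            results[label] = type(exc).__name__
    return results
```

Note that the argv form only removes the shell; it still lets the caller pick any path wc can read, which is why the library version also enforces the base-directory check.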
(Network Layer -> Transport Layer -> Internet Layer -> Application Layer) (Network Layer -> Internet Layer -> Transport Layer -> Application Layer) (Application Layer -> Transport Layer -> Internet Layer -> Network Layer) (Application Layer -> Internet Layer -> Transport Layer -> Network Layer)
CORRECT ANSWER: Application Layer -> Transport Layer -> Internet Layer -> Network Layer
(Explanation) As a packet is generated, it passes from the Application Layer to the Transport Layer, then to the Internet Layer, and finally to the Network (link) Layer, each layer adding its own header.

Which type of event classification is missed by a NIDS and has the most potential to be a serious event?
True positive - False positive - True negative - False negative
CORRECT ANSWER: False negative
(Explanation)
INCORRECT ON PT
CORRECT ANSWER: Mandatory
(Explanation) Mandatory Access Control (MAC) is enforced by the system on the basis of labels and cannot be overridden by the administrator or the resource owner. MAC requires more effort to maintain because of data classification and user clearance requirements.

What is the preferred method of setting up decoy ports on a server?
Set up the host to use a very small window size to manage flow control to the ports - Use software which makes ports appear to be open but is not related to the real services - Configure a host-based firewall to respond with RST packets when the decoy port is the destination port - Enable the actual services for the decoy ports and then keep them patched and up to date
CORRECT ANSWER: Use software which makes ports appear to be open but is not related to the real services
(Explanation) To set up decoy ports, the system administrator should not enable the actual services: even fully patched, each additional service makes the system more vulnerable. Installing software that makes the ports appear open without running the real services is the better option. Another option is a gateway device that leads an outsider to believe more ports are open. Configuring a host-based firewall to send reset packets would not give the illusion that the ports are open. Changing the window size to manage flow control could be used to tie up an attacker's resources, but has nothing to do with decoy ports.

A system administrator thinks an attacker is sending malicious data to a router. Which tool will help show this?
Router configuration guide - Packet sniffer - Remote access tool - NTP device
CORRECT ANSWER: Packet sniffer
(Explanation)
The concept of integrity means determining whether data has been altered or modified. Setting up a process that detects unauthorized changes to files is one step an administrator can take to determine this. Identifying private traffic passed in the clear is a step toward confidentiality. Determining whether malicious packets are coming into the site, or whether known-bad sites are trying to connect to servers on the site's network, are good security practices, but they do not indicate that the site's data has been altered.

Kevin wants to accomplish the following tasks:
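For the integrity explanation above (the process that detects unauthorized changes to files), an added example that is not from the page: a minimal file-integrity monitor that records a SHA-256 digest, size and permission bits for every regular file under a directory, stores the baseline as JSON, and on the next run reports what was added, removed or modified. The directory tree and the simulated tampering in demo() are constructed.

```python
"""Added example: a minimal file-integrity baseline and comparison.

Not code from the original page. The monitored tree and the tampering
simulated in demo() are constructed; paths and file names are illustrative.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Digest plus size and mode, so a permission change with identical bytes is caught."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> dict:
    """Map relative path -> fingerprint for every regular file (symlinks skipped)."""
    root_p = Path(root)
    return {str(p.relative_to(root_p)): _fingerprint(p)
            for p in sorted(root_p.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Take a baseline, then simulate an intruder editing, adding and removing files."""
    root = tempfile.mkdtemp()
    etc = Path(root, "etc")
    etc.mkdir()
    for name, text in (("passwd", "root:x:0:0:root:/root:/bin/bash\n"),
                       ("sudoers", "root ALL=(ALL) ALL\n"),
                       ("motd", "welcome\n")):
        (etc / name).write_text(text)
        os.chmod(etc / name, 0o644)
    store = os.path.join(root, "baseline.json")   # in practice keep this off-host or read-only
    save_baseline(build_baseline(str(etc)), store)

    # Constructed tampering after the baseline was taken:
    (etc / "sudoers").write_text("root ALL=(ALL) ALL\nwww-data ALL=(ALL) NOPASSWD: ALL\n")
    (etc / "ld.so.preload").write_text("/tmp/.x/evil.so\n")
    (etc / "motd").unlink()
    os.chmod(etc / "passwd", 0o666)                # same bytes, weaker permissions

    return compare(load_baseline(store), build_baseline(str(etc)))
```

The baseline is only as trustworthy as its storage: an intruder who can rewrite baseline.json alongside the files simply re-baselines their changes, so the digest store belongs on a separate host or write-once media, and the comparison should be run from a trusted copy of the tool.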
What is a benefit of running virtual instances in a public cloud environment?
Physical hardware flaws such as those involving processors do not affect virtual instances - Cloud APIs have stronger authentication than those written for traditional environments - Incident Responders can more effectively and efficiently handle containment and recovery - Network traffic between virtual machines is more secure because it can not be captured on a virtual switch
CORRECT ANSWER: Incident Responders can more effectively and efficiently handle containment and recovery
(Explanation) Virtualization technologies and the elasticity inherent in cloud platforms allow more efficient and effective containment and recovery, with less service interruption, than traditional technologies: a compromised instance can be isolated, snapshotted for forensics, and replaced from a known-good image. Virtual machine traffic sniffing occurs when an adversary who has gained access to a victim network starts sniffing and monitoring VM traffic; this is especially effective if the attacker can gain access to the vSwitch. Successful exploitation of physical flaws in a processor can yield kernel-level permissions and root-level file access, and a virtual instance shares that processor with its neighbours. Many cloud APIs are written with weak authentication because of the desire for simplicity.

Windows IoT is a version of which Windows OS?
Windows 8 - Windows 10 - Windows Server 2019 - Windows Hyper-V Server
CORRECT ANSWER: Windows 10
(Explanation) Starting with Windows 10, Microsoft renamed Windows Embedded to Windows IoT to capitalize on the Internet of Things trend. Windows IoT operating systems are intended for dedicated-use appliances in industries such as utilities, manufacturing, retail, and healthcare, and for the small, inexpensive devices of the "Internet of Things", such as robots, quadcopters, sensors, toys, and 3D printers.
way handshake. It will be responded to with a SYN/ACK packet. No other combination of SYN with another flag is allowed (the one legitimate exception is SYN with ECE and CWR set, which is ECN negotiation).

What should be done before conducting a risk analysis?
Understand business operations and the types of possible risk exposure - List the return on investment for each asset to calculate the quantitative risk
resources they are allowed to use. - To allow remote users to access resources on an internal LAN. - To allow several computers to work closely together so they seem to form a single computer.
INCORRECT ON PT
CORRECT ANSWER: To place systems on an isolated network segment until they are properly scanned and patched.
(Explanation) Together, NAC and VLANs allow systems to be placed on isolated VLANs until they have been scanned and properly patched, limiting their exposure and their ability to infect other systems. Allowing remote users access to internal LAN resources is done with a VPN; authentication and authorization (and accounting: AAA) can be done with an LDAP server, RADIUS, or another protocol; several computers working together as one is clustering.

What feature is not available in 802.11i but is addressed by 802.1X?
Network Authentication - Replay Protection - Integrity - Encryption
INCORRECT ON PT
CORRECT ANSWER: Network Authentication
(Explanation) The 802.11i specification accommodated two replacement encryption mechanisms for WEP: one that could be retrofitted into existing hardware, and a second design intended as a "completely secure" solution requiring new hardware. Known as the Temporal Key Integrity Protocol (TKIP) and the Counter-Mode/CBC-MAC Protocol (CCMP), respectively, these algorithms represent a significantly more secure option for deploying wireless LANs. Both protect information on the wireless network with strong encryption, replay protection, and integrity protection. While 802.11i provides privacy and encryption for network traffic, it does not itself define the authentication mechanism; that is the role of 802.1X (port-based network access control with EAP), which 802.11i relies on for authenticating stations and deriving keys in enterprise deployments.