
SANS 401 EXAM ACTUAL EXAM | ALL QUESTIONS AND CORRECT ANSWERS WITH EXPLANATIONS (VERIFIED ANSWERS) | LATEST EXAM | JUST RELEASED | ALREADY GRADED A+
Exams of Cybercrime, Cybersecurity and Data Privacy

Typology: Exams
2024/2025
Available from 06/12/2025
Uploaded by rex-smith-1 (749 documents)

SANS 401 EXAM ACTUAL EXAM | ALL QUESTIONS AND CORRECT ANSWERS WITH EXPLANATIONS (VERIFIED ANSWERS) | LATEST EXAM | JUST RELEASED | ALREADY GRADED A+

What term describes software products deployed directly on a computer that analyze system event logs and use signature matching to flag suspicious activity?
  • Network based IDS
  • Antivirus scanner
  • Host based IDS
  • File integrity monitors
CORRECT ANSWER: Host based IDS
(Explanation) Instead of analyzing network traffic, host-based sensors (or host IDS) analyze the event logs from one or several hosts. By watching event logs, host-based sensors are able to catch some intrusion attempts that network-based intrusion detection would miss. Network-based sensors, antivirus software, and file integrity monitors do not check system event logs by definition.

Why is the job of analyzing Network Intrusion Detection System (NIDS) logs more difficult than analyzing firewall logs?
  • NIDS logs do not use standard syslog format
  • NIDS only creates Out-of-Baseline events
  • NIDS produces false positives
  • NIDS time signatures do not correlate with other device signatures
CORRECT ANSWER: NIDS produces false positives
(Explanation) Reviewing Network IDS logs is extremely useful and is often a frustrating task because NIDSs sometimes produce false positives. Still, NIDS log analysis often comes second after firewalls; the value of such info for security is undeniable, and logs can, in most cases, be easily centralized for analysis. NIDS may or may not use syslog format, but collectors (or their pre-processors) normalize the logging differences of the logs they

aggregate. In situations where correlation is important, the time difference between a NIDS and another system is trivial in nearly all circumstances. Once properly tuned, a NIDS produces routine, known-bad, and out-of-baseline events.

Which class of Windows Operating Systems are commonly referred to as "Windows IOT"?
  • Windows Embedded
  • Windows Ultimate
  • Windows Client
  • Windows Server
CORRECT ANSWER: Windows Embedded
(Explanation) The Windows Embedded class is commonly referred to as Windows IOT.

A Linux administrator ran the commands below. The content of each file is displayed after the command. What would cause the two files to have different hashes?

    root@system123:/tmp# cat example1.txt
    TEST FILE
    root@system123:/tmp# cat example99.txt
    TEST FILE
    root@system123:/tmp# md5sum example1.txt
    5deffb997041bbb5f11bdcafdbb47975 -
    root@system123:/tmp# md5sum example99.txt
    13927f6f0f7357427e8a32b5f4017edc -

  • md5sum changes the salt each time it is run
  • One of the files has a hidden character
  • The two file names are different
  • The length of the file names is

(Explanation) A honeytoken is a file placed on the production system that is designed to look legitimate, but does not have any true value. Embedding a honeytoken with a specific string inside of it that can be detected by an intrusion detection system is a great way to detect attempted data exfiltration. With the rule in place, when the file attempts to traverse the IDS, it would immediately be detected. If this is implemented in an IPS, the connection could be closed automatically and the IP blocked.

Which of the following statements best describes where a border router is normally placed?
  • Between your ISP and your external firewall
  • Between your firewall and your internal network
  • Between your ISP and DNS server
  • Between your firewall and DNS server
CORRECT ANSWER: Between your ISP and your external firewall
(Explanation) A border router is normally placed between our Internet Service Provider (ISP) and our firewall.

Which of the following Linux commands can change both the username and groupname a file belongs to?
  • chown
  • chgrp
  • newgrp
  • chmod
CORRECT ANSWER: chown
(Explanation) The chown command can also be run to change both the user ownership and group ownership at the same time. For example, to change the owner of the document 'file.txt' to the user 'jdoe' and the group to 'marketing', you can issue this command:

    chown jdoe:marketing file.txt

You are asked by your manager to run a vulnerability scan against the engineering department's network. What should you ensure you have before performing any scanning activity?
  • Previous Scan Results
  • Commercial Vulnerability Scanner
  • Written Permission
  • Wireless Internet Scans
  • Root Access to Systems
CORRECT ANSWER: Written Permission
(Explanation) Note that vulnerability scanning can be hazardous to your career. The difference between a penetration tester and an attacker is permission! Be sure you have it. If you are just now coming up with a scanning policy in your organization, get written permission from the highest level possible in your organization.

Which of the following methods is part of the process of permitting remote access to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion even when restrictive permissions for remote access on all other keys have been set?
  • Stop and disable the Remote Registry Service at the specific server.
  • Pause the Remote Registry Service at the specific server.
  • Add the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subkey.
  • Add proper ACLs to access the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\ key.
INCORRECT ON PT
CORRECT ANSWER: Add the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subkey.
(Explanation) You can add keys that will not be affected by the \winreg key ACL (which determines remote access permissions for the entire

  • Consistent permissions and rights
  • Simplicity of single sign-on
  • Lower initial cost
  • Centralized control
INCORRECT ON PT
CORRECT ANSWER: Lower initial cost
(Explanation) Workgroups do have lower initial costs. Disadvantages include no centralized control, difficulties with implementing single sign-on, and no consistent permissions and rights.

When the last command is run without any arguments, as shown in the image, what log file is it displaying?
  • utmp
  • wtmp
  • btmp
  • syslog
CORRECT ANSWER: wtmp
(Explanation) When you are running last with no arguments, you will see the output of the wtmp log file. The last command, however, can read from utmp, wtmp, and btmp. Running the command last by itself will give you who logged in, when they logged in, and when they logged out, among other useful info on the screen, and it is historical data. If you pass the last command the -f switch, you also can tell last to read from the utmp or the btmp file.

What is hashed to compute the IPSec Authentication Header's Integrity Check Value?
  • Sender's public key
  • Source and destination addresses
  • Every field in the packet
  • Every field in the packet that will not change during transit
CORRECT ANSWER: Every field in the packet that will not change during transit
(Explanation) The IPSec Authentication Header adds a keyed hash of the message to the packet. This hash is referred to as the Integrity Check Value (ICV). In the ICV computation, AH includes every field that does not change during its

trip from source to destination. This includes the source address, destination address, length, and the data. This information is inserted into the packet after the regular IP header, but before the data.

Which of the following is supported for multi-factor authentication on Microsoft Azure AD?
  • RSA Token
  • Smart Card
  • Retinal Scan
  • SMS PIN
INCORRECT ON PT
CORRECT ANSWER: SMS PIN
(Explanation) Of the choices, only SMS PIN is supported by Azure AD.

Which of the problems below is tractable?
  • Computing Data Encryption Standard ciphertext
  • Computing elliptic curves in a finite field
  • Solving the discrete logarithm problem
  • Factoring a large integer into its two prime factors
CORRECT ANSWER: Computing Data Encryption Standard ciphertext
(Explanation) Calculation of any standard encryption algorithm's ciphertext is a tractable problem. DES is an old algorithm with a small keyspace. The other problems are intractable. They can theoretically be solved; however, the enormous amount of time it would take to solve them makes them impractical to solve.

When analyzing an entire TCP session with TCPdump, which TCP flags are used in the three-way handshake?
  • SYN, SYN+ACK, ACK
  • SYN, ACK, FIN
  • SYN, SYN, ACK
  • SYN, SYN+ACK, SYN
CORRECT ANSWER: SYN, SYN+ACK, ACK

  • /
  • /var
  • /lib
  • /dev
  • /usr/bin
  • /home
INCORRECT ON PT
CORRECT ANSWER: /usr/bin

The Windows Firewall (WF) provides a popup when a new service attempts to listen on your machine. Which of the following should you train users to select from a security perspective if they are unsure of which option to select?
  • Keep Blocking
  • Increase Security Level
  • Safe Mode
  • Send Request to Administrator
CORRECT ANSWER: Keep Blocking
(Explanation) The three available options for Windows Firewall are Keep Blocking, Unblock, and Ask Me Later. Keep Blocking does not allow the program to acquire a listening port. You should train your users to choose this option when there is any doubt as to what they should do. There are no Safe Mode or Send Request to Admin options.

Which threat will be reduced by avoiding system calls from within a web app?
CORRECT ANSWER: OS command injection
(Explanation) The primary way to avoid OS command injection attacks is to avoid system calls from your web application, especially when the system call is built based on user input. In most cases, you should be able to find a function or library within your programming language that can perform the same action.

How often by default does Windows Group Policy check for updated policies?
  • Once a day
  • Within 30 minutes of an applied policy change
  • Every quarter hour
  • Every 90-120 minutes

INCORRECT ON PT
CORRECT ANSWER: Every 90-120 minutes
(Explanation) When a computer boots up, it downloads the GPOs assigned to it and executes them automatically. Every 90-120 minutes thereafter, the computer checks that none of the GPOs assigned to it have changed; if any have, those are downloaded and run automatically even if the computer has not rebooted. 0-30 minutes, 30-60 minutes, and 120-180 minutes are durations a group policy could possibly be modified to use; the standard duration used by Group Policy is 90-120 minutes.

Which of the following best describes Defense-in-Depth?
  • Layered controls
  • Separation of duties
  • Hardened perimeter security
  • Risk management
CORRECT ANSWER: Layered controls
(Explanation) Defense-in-depth is best characterized by layered defenses. The idea is that any layer of defense may eventually fail, but a layered defense offers better protection. Risk management, separation of duties, and hardened perimeters are part of a layered defense but do not describe the full concept of DiD.

Which of the following is considered a recommended practice but not a business requirement?
  • Guideline
  • Standard
  • Baseline
  • Procedure
INCORRECT ON PT
CORRECT ANSWER: Guideline
(Explanation) Guidelines, unlike standards and policies, are not mandatory. Guidelines are more of a recommendation of how something should be done.

  • Network Layer -> Transport Layer -> Internet Layer -> Application Layer
  • Network Layer -> Internet Layer -> Transport Layer -> Application Layer
  • Application Layer -> Transport Layer -> Internet Layer -> Network Layer
  • Application Layer -> Internet Layer -> Transport Layer -> Network Layer
CORRECT ANSWER: Application Layer -> Transport Layer -> Internet Layer -> Network Layer
(Explanation) As a packet is generated, it goes from the Application Layer to the Transport Layer, to the Internet Layer, and finally to the Network Layer.

Which type of event classification is missed by a NIDS and has the most potential to be a serious event?
  • True positive
  • False positive
  • True negative
  • False negative
CORRECT ANSWER: False negative
(Explanation)

  • False negative: A false negative event is when the IDS identifies data as benign when, in fact, it is malicious. A false negative does not generate an alert for the analyst, and therefore these can be dangerous because the analyst cannot take action.
  • True negative: A true negative event is what we want the IDS to see: the cases where data does not indicate any malicious activity, and the data is correct. In the case of a true negative, the IDS does not generate an alert for the analyst.
  • True positive: In these cases, the IDS worked as intended and correctly flagged the activity as anomalous behavior that might be malicious. True positives generate alerts for the analyst to process.
  • False positive: A false positive case is where the IDS generates an alert flagging hostile activity which was benign. False positives generate alerts for the analyst to process, who then must decide how to handle the activity.

Which access control mechanism requires a high amount of maintenance since all data must be classified, and all users granted appropriate clearance?
  • Mandatory
  • Role-Based
  • Ruleset-based
  • Discretionary

INCORRECT ON PT
CORRECT ANSWER: Mandatory
(Explanation) Mandatory Access Control (MAC) is a control that is set by the system and cannot be overridden by the administrator. MAC will require more effort to maintain, due to data classification requirements and user clearance.

What is the preferred method of setting up decoy ports on a server?
  • Set up the host to use a very small window size to manage flow control to the ports
  • Use software which makes ports appear to be open but is not related to the real services
  • Configure a host-based firewall to respond with RST packets when the decoy port is the destination port
  • Enable the actual services for the decoy ports and then keep them patched and up to date
CORRECT ANSWER: Use software which makes ports appear to be open but is not related to the real services
(Explanation) To set up decoy ports, the systems administrator should not enable the actual services. Even if fully patched, each additional service would make the system more vulnerable. Installing software which makes the ports appear to be open but is not running the actual services is a better option. Another recommended option is to set up a gateway device which would lead an outsider to believe more ports were open. Configuring a host-based firewall to send reset packets for ports would not give the illusion the ports were open. Changing the window size to manage flow control could be used to tie up an attacker's resources, but would have nothing to do with decoy ports.

A system administrator thinks an attacker is sending malicious data to a router. Which tool will help show this?
  • Router configuration guide
  • Packet sniffer
  • Remote access tool
  • NTP device
CORRECT ANSWER: Packet sniffer
(Explanation)

The concept of integrity means determining if data has been altered or modified. Setting up a process that detects unauthorized changes to files is one step an administrator could take to determine this. Identifying private traffic that is passed in the clear is a step an administrator should take to ensure confidentiality. Determining if malicious packets are coming into the site, or if known bad sites are trying to connect to servers on the site's network, are good security practices, but they do not indicate the site's data has been altered.

Kevin wants to accomplish the following tasks:
  1. Inventory all devices
  2. Inventory all software
  3. Secure Configurations on all devices
  4. Constant Vulnerability Assessment and Remediation
How should Kevin prioritize this list of tasks?
  • Using the CIS Critical Security Controls
  • Using the US-CERT Incident Handling Guideline
  • Using the Verizon Data Breach Report
  • Using the Penetration Testing Framework
CORRECT ANSWER: Using the CIS Critical Security Controls
(Explanation) The CIS Critical Security Controls are prioritized technical security controls that were designed to prevent currently known high-priority attacks as well as future attacks.

Which objective can be met by using CFEngine or Puppet?
  • Network Activity Baselining
  • Mandatory Access Control
  • Configuration Management
  • Log Analysis
CORRECT ANSWER: Configuration Management
(Explanation) Puppet and CFEngine are configuration management tools. They make it easier to apply a consistent secure configuration among Linux hosts.

What is a benefit of running virtual instances in a public cloud environment?
  • Physical hardware flaws such as those involving processors do not affect virtual instances
  • Cloud APIs have stronger authentication than those written for traditional environments
  • Incident Responders can more effectively and efficiently handle containment and recovery
  • Network traffic between virtual machines is more secure because it cannot be captured on a virtual switch
CORRECT ANSWER: Incident Responders can more effectively and efficiently handle containment and recovery
(Explanation) Virtualization technologies and the elasticity inherent in cloud platforms allow for more efficient and effective containment and recovery with less service interruption than with more traditional technologies. Virtual machine traffic sniffing occurs when an adversary has gained access to a victim network and starts sniffing and monitoring VM traffic. This is especially effective if the attacker can gain access to the vSwitch. Successful exploitation of physical flaws that reside on a computer's processor can result in kernel-level permissions and root-level file access. Most Cloud APIs are written with weak authentication due to the desire for simplicity.

Windows IoT is a version of which Windows OS?
  • Windows 8
  • Windows 10
  • Windows Server 2019
  • Windows Hyper-V Server
CORRECT ANSWER: Windows 10
(Explanation) Starting with Windows 10, Microsoft changed the name of Windows Embedded to Windows IoT to capitalize on the Internet of Things trend. Windows IoT operating systems are intended for dedicated-use appliances in industries such as utilities, manufacturing, retail, and healthcare. Windows IoT is also intended for all the small and inexpensive devices used for the "Internet of Things" (IoT), such as robots, quadcopters, sensors, toys, and 3D printers.

way handshake. It will be responded to with a SYN/ACK packet. No other combinations of SYN with any other flag are allowed.

What should be done before conducting a risk analysis?
  • Understand business operations and the types of possible risk exposure
  • List the return on investment for each asset to calculate the quantitative risk
  • Deploy security devices to discover security gaps in the network
  • Conduct a Business Impact Analysis to gauge revenue impact
CORRECT ANSWER: Understand business operations and the types of possible risk exposure
(Explanation) Typically, before a risk assessment can be conducted, one must understand the business operations and what type of risk the business may be exposed to.

There are three key factors in selecting a biometric mechanism. What are they?
  • User acceptance, encryption strength, and cost
  • Reliability, user acceptance, and cost
  • Encryption strength, authorization method, and cost
  • Reliability, encryption strength, and cost
CORRECT ANSWER: Reliability, user acceptance, and cost
(Explanation) The key factors in selecting a biometric mechanism are usually reliability, user acceptance, and cost.

Together, Network Access Control (NAC) and a Virtual LAN (VLAN) can be used to achieve which objective?
  • To place systems on an isolated network segment until they are properly scanned and patched.
  • To authenticate users and determine what

resources they are allowed to use.
  • To allow remote users to access resources on an internal LAN.
  • To allow several computers to work closely together so they seem to form a single computer.
INCORRECT ON PT
CORRECT ANSWER: To place systems on an isolated network segment until they are properly scanned and patched.
(Explanation) Together, NAC and a VLAN can allow systems to be placed on isolated VLANs until they have been scanned and properly patched, thus limiting their exposure to infecting other systems. Allowing remote users access to internal LAN resources is done through use of a VPN; authentication and authorization (and accounting - AAA) can be done with an LDAP server, RADIUS, or another protocol; several computers working together as one is an example of clustering technology.

What feature is not available in 802.11i but is addressed by 802.1x?
  • Network Authentication
  • Replay Protection
  • Integrity
  • Encryption
INCORRECT ON PT
CORRECT ANSWER: Network Authentication
(Explanation) The 802.11i specification accommodated two replacement encryption mechanisms for WEP: one that could be retrofitted into existing hardware, and a second design that would be a "completely secure" solution, requiring new hardware for implementation. Known as the Temporal Key Integrity Protocol (TKIP) and the Counter-Mode/CBC-MAC Protocol (CCMP), respectively, these algorithms represent a significantly more secure option for organizations deploying wireless LANs. Both protocols protect information on the wireless network through strong encryption, replay protection, and integrity protection. While 802.11i accommodates privacy and encryption for network traffic, it does not address the issue of authentication.