Exam (elaborations)

SANS SEC530 COMPREHENSIVE EXAM UPDATED QUESTIONS AND ANSWERS GUARANTEE A+

Rating
-
Sold
-
Pages
37
Grade
A+
Uploaded on
07-01-2026
Written in
2025/2026
Institution
SANS SEC530
Course
SANS SEC530
✔✔Which Zeek configuration file determines which network interface is monitored?

A) $PREFIX/etc/interface.cfg
B) $PREFIX/etc/broctl.cfg
C) $PREFIX/etc/networks.cfg
D) $PREFIX/etc/node.cfg - ✔✔D) $PREFIX/etc/node.cfg

✔✔Which of the following controls would be effective at detecting a malicious
executable that was specially crafted to evade signature-based detection controls?

A) Intrusion prevention
B) Antivirus
C) Malware detonation
D) URL filtering - ✔✔C) Malware detonation

✔✔With aggregate network utilization at monitored choke points projected at 4 Gbps,
how many CPU cores will be required for traffic analysis with Zeek?

A) 17
B) 4
C) 9
D) 21 - ✔✔A) 17

✔✔Given Zeek is not multithreaded, what is the best rule of thumb for deciding how
many CPU cores will be required for traffic analysis? - ✔✔There should be one core for
every 250 Mbps monitored.

For example: if you were monitoring 4 Gbps (4096 Mbps), 17 cores will be required:
4096 Mbps / 250 Mbps per core = 16.384, which rounds up to 17.

The quick math for this is 4 cores per Gbps of traffic, plus 1.

✔✔Which of the following describes the malware detonation workflow?

A) Analyze the AV and reputation databases and detonate only if the results are
positive.
B) Analyze the AV reputation databases and detonate only if the results are negative.
C) Detonate files only if a static analysis detects use of a packer and/or high entropy.
D) Detonate all identified executables, documents, and URLs. - ✔✔A) Analyze the AV
and reputation databases and detonate only if the results are positive.

✔✔Which open-source tool is available for blue teamers to assess organizations'
detection and prevention capability against password guessing from multiple IP
addresses that rely on Amazon EC2 instances?

A) IONCannon
B) BotNetCannon
C) ProxyCannon
D) ProxyBots - ✔✔C) ProxyCannon

✔✔What is a security consideration when implementing an Always On VPN solution?

A) It requires a stored password or certificate on each system.
B) It creates a blind spot for centralized security solutions.
C) It only works on a split-tunnel VPN.
D) It uses less bandwidth. - ✔✔A) It requires a stored password or certificate on each
system.

✔✔Which Linux distro is an open-source platform for full-fledged network security
monitoring?

A) Kali
B) Suricata
C) Zeek
D) Security Onion - ✔✔D) Security Onion

✔✔Which configuration option can be used to prevent passive TLS/SSL decryption?

A) Update all web servers to only support TLS 1.2 and above.
B) Update all web servers to only support elliptic curve-based ciphers.
C) Update all web browsers to only support TLS 1.2 and above.
D) Update all web servers to only support Perfect Forward Secrecy. - ✔✔D) Update all
web servers to only support Perfect Forward Secrecy.

✔✔The following command can be used by whom to do what?

dig +bufsize=4096 +dnssec any se @dnsserver

A) An attacker performing a protocol exhaustion DDoS attack.
B) An attacker performing an application-based amplification attack.
C) A system admin verifying DNSSEC functionality.
D) A system admin testing the largest DNS query that a DNS server can process. -
✔✔B) An attacker performing an application-based amplification attack.

✔✔What process does malware detonation use to determine whether a sample of code
is malicious?

A) Behavior monitoring
B) Next-generation analysis
C) Signature analysis
D) Heuristics - ✔✔A) Behavior monitoring

✔✔Which of the following tools can be used to extract files as they are transferred
across the network?

A) Foremost
B) Snort
C) Zeek
D) Sguil - ✔✔C) Zeek

✔✔When deploying network monitoring solutions, what benefit does inline deployment
offer compared to out-of-band deployment?

A) Prevention capability
B) No single point of failure
C) No effect on production
D) Higher bandwidth - ✔✔A) Prevention capability

✔✔What does the following command try to achieve?

find / -perm -4022 -exec ls -l {} \; 2>/dev/null

A) Finds all files with group and other executable permission and setgid flag set.
B) Lists all insecure executable files with setgid flag set.
C) Finds all insecure executable files with setgid flag set.
D) Lists all files with group and other writable permission and setuid flag set. - ✔✔D)
Lists all files with group and other writable permission and setuid flag set.

✔✔What is the basic difference between data-centric and network-centric security
architecture?

A) The network-centric focus is on securing what matters most to an organization.
B) Network-centric defense focuses heavily on securing traffic on the perimeter, rather
than inside the network.
C) Data-centric solutions are geared more toward centralized security control.
D) The data-centric approach focuses on how to secure key data specifically, rather
than all assets. - ✔✔D) The data-centric approach focuses on how to secure key data
specifically, rather than all assets.

✔✔Which open-source, deceptive tool is used to create a bogus web structure to
confuse and exhaust automated web scanners?

A) Honeynet
B) HoneyBadger
C) ModSecurity
D) WebLabyrinth - ✔✔D) WebLabyrinth

✔✔What is the term for Microsoft's data protection architecture that integrates with both
SCCM and third-party MDM solutions?

A) MAC
B) Conditional access
C) BYOD
D) WIP - ✔✔D) WIP (Windows Information Protection)

✔✔In the context of securing data, which practice needs to be done on a regular basis
to locate sensitive data stored where it should not be?

A) Operating System Patching
B) Content discovery
C) Behavior monitoring
D) Database indexing - ✔✔B) Content discovery

✔✔What is another name for the Windows protocol translation?

A) U&DC
B) S4U2Self
C) Kerberoasting
D) Kerberos armoring - ✔✔B) S4U2Self

✔✔What are the different deployment modes of database activity monitoring?

A) Reverse proxy, forward proxy, passive monitor
B) Local software, network appliance
C) Active inline, passive monitor
D) Local software, reverse proxy, passive monitor - ✔✔D) Local software, reverse
proxy, passive monitor

✔✔What is the term for a security solution that integrates with cloud services through
their APIs to enforce security policies?

A) WAF
B) SIEM
C) MitM
D) CASB - ✔✔D) CASB
