answers
1. In which directory can executable programs that are part of the
operating system be found?
(/) (/var) (/lib) (/dev) (/usr/bin) (/home)
INCORRECT ON PT: /usr/bin
2. The Windows Firewall (WF) provides a popup when a new service
attempts to listen on your machine. Which of the following should you
train users to select from a security perspective if they are unsure of
which option to select?
(Keep Blocking) (Increase Security Level) (Safe Mode) (Send Request to
Administrator): Keep Blocking
( Explanation )
The three available options for Windows Firewall are Keep Blocking,
Unblock and Ask Me Later. Keep Blocking does not allow the program to
acquire a listening port. You should train your users to choose this option
when there is any doubt as to what they should do. There are no Safe
Mode or Send Request to Admin options.
3. Which threat will be reduced when avoiding system calls from
within a web app?: OS command injection
( Explanation )
The primary way to avoid OS command injection attacks is to avoid
system calls from your web application, especially when the system call is
built from user input. In most cases, you should be able to find a
function or library within your programming language that can perform
the same action.
4. How often by default does Windows Group Policy check for
updated policies?
(Once a day) (Within 30 minutes of an applied policy change) (Every
quarter hour) (Every 90-120 minutes)
INCORRECT ON PT: Every 90-120 minutes
( Explanation )
When a computer boots up, it downloads the GPOs assigned to it and
applies them automatically. Every 90-120 minutes thereafter, the
computer checks whether any of the GPOs assigned to it have changed; if
any have, those are downloaded and applied automatically even if the
computer has not rebooted. 0-30 minutes, 30-60 minutes and 120-180
minutes are intervals a group policy could be modified to use, but
the standard interval used by Group Policy is 90-120 minutes.
5. Which of the following best describes Defense-in-Depth?
Layered controls - Separation of duties - Hardened perimeter security -
Risk management: Layered controls
( Explanation )
Defense-in-depth is best characterized by layered defenses. The idea is
that any single layer of defense may eventually fail, but layered defenses
together offer better protection. Risk management, separation of duties, and
hardened perimeters are part of a layered defense but do not describe the
full concept of DiD.
6. Which of the following is considered a recommended practice but not
a business requirement?
Guideline - Standard - Baseline - Procedure
INCORRECT ON PT: Guideline
( Explanation )
Guidelines, unlike standards and policies, are not mandatory. Guidelines
are more of a recommendation of how something should be done.
7. Which of the following is a characteristic of Quality Updates for
Windows?
Are released less frequently than Feature Updates - Support deferring
installation on Home edition devices - Include bug fixes and security
patches - Increment the version of Windows: Include bug fixes and
security patches
( Explanation )
Quality Updates are smaller improvements to already existing software
on Windows systems, and include bug fixes and security fixes. They are
released about every 30 days, whereas Feature Updates are released a
couple of times a year and increment the Windows version. Installation of
Quality Updates may be deferred for up to 30 days, except on Home
edition devices.
8. When does applying an encryption algorithm multiple times provide
additional security?
When the algorithm is a group - When the algorithm is not a group - The
algorithm uses xor - The algorithm is weak
INCORRECT ON PT: When the algorithm is not a group
( Explanation )
Whether an algorithm is a group is an important mathematical consideration.
If it is a group, then applying the algorithm multiple times is a waste of
time, because the result equals a single encryption under some other key.
In fact, in 1992 it was proven that DES is not a group, so encrypting
multiple times with DES is not equivalent to encrypting once.
9. How is a TCP/IP Packet generated as it moves down through the
TCP/IP stack?
(Network Layer -> Transport Layer -> Internet Layer -> Application
Layer ) (Network Layer -> Internet Layer -> Transport Layer ->
Application Layer) (Application Layer -> Transport Layer -> Internet
Layer -> Network Layer) (Application Layer -> Internet Layer ->
Transport Layer -> Network Layer): Application Layer -> Transport
Layer -> Internet Layer -> Network Layer
( Explanation )
As a packet is generated the packet goes from the Application Layer to the
Transport Layer to the Internet Layer and finally to the Network Layer.
10. Which type of event classification is missed by a NIDS and has the
most potential to be a serious event?
True positive - False positive - True negative - False negative: False
negative
( Explanation )
• False negative: A false negative event is when the IDS identifies data as
benign when, in fact, it is malicious. A false negative does not generate
an alert for the analyst and therefore these can be dangerous because the
analyst cannot take action.
• True negative: A true negative event is what
we want the IDS to see, the cases where data does not indicate any
malicious activity, and the data is correct. In the case of a true negative,