Questions and CORRECT Answers
Continuous Security Monitoring (CSM) - CORRECT ANSWER - Data at rest: log files,
registry keys, system configuration and so on. CSM is primarily vulnerability focused and
concentrates on data at rest (log files and registry keys).
Network Security Monitoring (NSM) - CORRECT ANSWER - Data (in motion): Packets,
and data derived from packets, such as flow.
DoD Risk Management Framework - CORRECT ANSWER - 1. Categorize Information
Systems, 2. Select Security Controls, 3. Implement Security Controls, 4. Assess Security
Controls, 5. Authorize Information System, 6. Monitor Security Controls
Winning CSM Techniques - CORRECT ANSWER - Build a defensible network, focus on
critical data and systems, detect important changes, solve problems when they are discovered,
focus on high-value events, when faced with large amounts of data, focus on the outliers.
How to protect confidential data? - CORRECT ANSWER - Application whitelisting,
HIPS, dual-factor authentication
Windows Server 2008 R2 File Classification System (FCI) - CORRECT ANSWER - FCI
does not encrypt files; it simply labels them. Labels are stored in Alternate Data Streams (ADS),
which can be trivially removed.
Azure Information Protection (AIP) - CORRECT ANSWER - Superior to FCI. A random
symmetric AES key can be generated for each file, and then encrypted with the organization's
public key. The document is also signed with the user's private key so labels cannot be removed
or altered without detection.
Change requests - CORRECT ANSWER - Multiple small change requests tend to work
better than one large request.
Long-tail analysis - CORRECT ANSWER - Long-tail analysis focuses on the least frequent
occurrences. It allows analysis of large amounts of data without being overwhelmed. This approach
works well with Windows Event logs, installed software, startup registry keys and DNS logs.
Long-Tail WEF - CORRECT ANSWER - Key migration operation, a member was added
to a security-enabled global group, a user account was enabled, a user account was created, a
member was removed from a security-enabled global group, a user account was deleted
Software inventory is - CORRECT ANSWER - Critical for whitelisting. Know thy
software
Inventory for network assets - CORRECT ANSWER - DHCP logs, Switch CAM tables,
Active scanning, passive scanning, existing inventory database, purchasing data
Active Scanning - CORRECT ANSWER - Active scanning involves scanning a network to
discover connected systems (includes Nmap). Many SNMP-based system monitoring tools
include network discovery modes. Always get written permission before performing any type of
scanning or sniffing.
Before running active scans, always - CORRECT ANSWER - Always test scans before
running them on production systems. It is much safer to initially scan development systems. Ensure
all active scanning occurs during an approved maintenance window. Begin by scanning a limited
number of systems and gradually increase the scope.
Nmap - CORRECT ANSWER - Active scanning tool. It began as a port scanner, but has
evolved into more. Nmap now provides OS and host detection. The Nmap Scripting Engine (NSE)
extends Nmap's functionality to vulnerability scanning and even some lightweight exploitation.
Ndiff - CORRECT ANSWER - Nmap includes a great asset inventory tool called ndiff. It
compares two scans and reports the differences.