SANS - SEC 301 AND CCNA LEARNING
SET EXAM QUESTIONS AND ANSWERS
100% PASS
Everyone can do everything they need to do and nothing more. Bradley Manning - WikiLeaks
Target - HVAC hack - ANS Principle of Least Privilege
The cornerstone of all security: Everyting done in security addresses one or more of these three
things
Confidentiality, Integrity, availability
Confidentiality - Only those who need to access something can; ties into principle of least
privilege
Integrity - data is edited correctly and by the right people. Failure ex.: Delta $5 tickets round trip
tickets to anywhere Delta flies/attach on pricing database
Availability - If you cannot use it, why do you have it? - ANS CIA Triad
Pharmaceuticals and government, research - ANS Confidentiality
Financials maintained in part by confidentiality - ANS Integrity
eCommerce Ex. Amazon make $133,000/per minute thus denial of service is critical business
impact; power company need to keep lights on = availability issue - ANS Availability
Authentication, Authorization, Accountability - ANS AAA
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
,Detailed steps to make policy happen - ANS Procedure
Policy, Procedure and Training - ANS PPT
Users must know what policies and procedures say to follow them. - ANS Training
Broad general statement of management's intent to protect information - ANS Policy
A security professional needs to be:
1/3 technologist
1/3 manager
1/3 lawyer
-Tkhis is the perfect summation of the career field.
-Technology supports security efforts
-Management decisions (and budgets) drive security
-Legal issues mandate security requirements - ANS Security by Thirds
Senior Mgmt:
-Has legal responsibility to protect the assets of the org:
That give him the ultimate responsibility for security
-Authority can be delegated - responsibility cannot be
Data owner - person or office with primary responsibility for data; owners determine
classification, protective measures and more
Data custodian - the person/group that implement the controls; make the decisions of the
owner happens
Users - use data; are also automatically data custodians - ANS Security Roles and
Responsiblities
2 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
,safety of people - ANS Number 1 Goal of Security
years ago: teenagers
today: we face organized crime and nation states
-well funded
-highly motivated
disgruntled insider: difficult to counter; tends to be subtle; often damaging or even devastating
Accidental insider: common; also tend to be subtle; in aggregate - even ore damaging
Outsider threat source - inside threat actor: a growing proble, the current most-common attack
vector
2014 - 47% of U. S. adults had private data compromised in a breach (NBC News)
FBI can prove it was North Korea that attacked Sony - ANS Nature of the Threat
- ANS Security Policy
- ANS Separation of Duties
- ANS Acceptable Use Policy
verify identity; is Keith really Keith?
(1) Verifying the integrity of a transmitted message. See message integrity, e-mail
authentication and MAC.
3 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
, (2) Verifying the identity of a user logging into a network. Passwords, digital certificates, smart
cards and biometrics can be used to prove the identity of the client to the network. Passwords
and digital certificates can also be used to identify the network to the client. The latter is
important in wireless networks to ensure that the desired network is being accessed. See
identity management, identity metasystem, OpenID, human authentication,
challenge/response, two-factor authentication, password, digital signature, IP spoofing,
biometrics and CAPTCHA.
Four Levels of Proof
There are four levels of proof that people are indeed who they say they are. None of them are
entirely foolproof, but in order of least to most secure, they are:
1 - What You Know
Passwords are - ANS Authentication
- ANS Biometric
Control what they are allowed to do. Although we know Keith is Keith, what can Keith do? -
ANS Authorization
- ANS Accountability
Harden, patch & monitor - ANS HPM
Monitor what has been done. Although we know Keith is Keith, what did Keith do? -
ANS Accountability
- ANS Awareness Training Programs
Prevent /defense as much as you can; detect for everything else; or if the preventive measures
fail, respond to what is detected
-Prevention is ideal
4 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
SET EXAM QUESTIONS AND ANSWERS
100% PASS
Everyone can do everything they need to do and nothing more. Bradley Manning - WikiLeaks
Target - HVAC hack - ANS Principle of Least Privilege
The cornerstone of all security: Everyting done in security addresses one or more of these three
things
Confidentiality, Integrity, availability
Confidentiality - Only those who need to access something can; ties into principle of least
privilege
Integrity - data is edited correctly and by the right people. Failure ex.: Delta $5 tickets round trip
tickets to anywhere Delta flies/attach on pricing database
Availability - If you cannot use it, why do you have it? - ANS CIA Triad
Pharmaceuticals and government, research - ANS Confidentiality
Financials maintained in part by confidentiality - ANS Integrity
eCommerce Ex. Amazon make $133,000/per minute thus denial of service is critical business
impact; power company need to keep lights on = availability issue - ANS Availability
Authentication, Authorization, Accountability - ANS AAA
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
,Detailed steps to make policy happen - ANS Procedure
Policy, Procedure and Training - ANS PPT
Users must know what policies and procedures say to follow them. - ANS Training
Broad general statement of management's intent to protect information - ANS Policy
A security professional needs to be:
1/3 technologist
1/3 manager
1/3 lawyer
-Tkhis is the perfect summation of the career field.
-Technology supports security efforts
-Management decisions (and budgets) drive security
-Legal issues mandate security requirements - ANS Security by Thirds
Senior Mgmt:
-Has legal responsibility to protect the assets of the org:
That give him the ultimate responsibility for security
-Authority can be delegated - responsibility cannot be
Data owner - person or office with primary responsibility for data; owners determine
classification, protective measures and more
Data custodian - the person/group that implement the controls; make the decisions of the
owner happens
Users - use data; are also automatically data custodians - ANS Security Roles and
Responsiblities
2 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
,safety of people - ANS Number 1 Goal of Security
years ago: teenagers
today: we face organized crime and nation states
-well funded
-highly motivated
disgruntled insider: difficult to counter; tends to be subtle; often damaging or even devastating
Accidental insider: common; also tend to be subtle; in aggregate - even ore damaging
Outsider threat source - inside threat actor: a growing proble, the current most-common attack
vector
2014 - 47% of U. S. adults had private data compromised in a breach (NBC News)
FBI can prove it was North Korea that attacked Sony - ANS Nature of the Threat
- ANS Security Policy
- ANS Separation of Duties
- ANS Acceptable Use Policy
verify identity; is Keith really Keith?
(1) Verifying the integrity of a transmitted message. See message integrity, e-mail
authentication and MAC.
3 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
, (2) Verifying the identity of a user logging into a network. Passwords, digital certificates, smart
cards and biometrics can be used to prove the identity of the client to the network. Passwords
and digital certificates can also be used to identify the network to the client. The latter is
important in wireless networks to ensure that the desired network is being accessed. See
identity management, identity metasystem, OpenID, human authentication,
challenge/response, two-factor authentication, password, digital signature, IP spoofing,
biometrics and CAPTCHA.
Four Levels of Proof
There are four levels of proof that people are indeed who they say they are. None of them are
entirely foolproof, but in order of least to most secure, they are:
1 - What You Know
Passwords are - ANS Authentication
- ANS Biometric
Control what they are allowed to do. Although we know Keith is Keith, what can Keith do? -
ANS Authorization
- ANS Accountability
Harden, patch & monitor - ANS HPM
Monitor what has been done. Although we know Keith is Keith, what did Keith do? -
ANS Accountability
- ANS Awareness Training Programs
Prevent /defense as much as you can; detect for everything else; or if the preventive measures
fail, respond to what is detected
-Prevention is ideal
4 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
