Exam (elaborations)

SANS SEC401 EXAM STUDY GUIDE 2026/2027 COMPLETE QUESTIONS WITH VERIFIED CORRECT ANSWERS || 100% GUARANTEED PASS <NEWEST VERSION>

Pages
156
Grade
A+
Uploaded on
13-01-2026
Written in
2025/2026


Institution
SANS SEC401
Course
SANS SEC401













Document information

Contains
Questions & answers

Content preview



1. Industrial Control System (ICS) - ANSWER ✔ A device, or set of devices,
that manages, commands, directs, or regulates the behavior of other devices
or systems.


2. ICS technology drivers - ANSWER ✔ Reliability, efficiency, safety, and
ease of use.


3. Discrete Process - ANSWER ✔ A process where a specified quantity of
material moves as a unit between workstations and each unit maintains its
unique identity.


4. Batch Process - ANSWER ✔ A process that requires the mixing of raw
materials, usually in a heated vessel.


5. Continuous Process - ANSWER ✔ A physical system that is represented
through variables that are smooth and uninterrupted in time.


6. Hybrid Process - ANSWER ✔ reactive systems that intermix discrete and
continuous processes

7. Process Engineer - ANSWER ✔ Designs the systems and processes used in
the control environment.


8. Field Technician - ANSWER ✔ Maintains and repairs field devices


9. IPv6 Addressing - ANSWER ✔ Divided into 3 portions Network Prefix
(48bits) - defines organization, Subnet ID (16bits) - Internal to organization,
Interface ID (64bits) - Defined by MAC Address


10. Security Advice for IPv6 - ANSWER ✔ Disable IPv6 on workstations and
servers; disable protocols not in use on all servers and workstations; analyze
network traffic to discover misconfigured devices; from network
enforcement zones, deny unnecessary traffic and protocols.


11. ICMP - ANSWER ✔ Internet Control Message Protocol. Used for
diagnostics such as ping. Many DoS attacks use ICMP. It is common to
block ICMP at firewalls and routers. If ping fails, but other connectivity to a
server succeeds, it indicates that ICMP is blocked.


12. UDP (User Datagram Protocol) - ANSWER ✔ connection-less protocol that
does not require a connection to send a packet and does not guarantee that
the packet arrives at its destination


13. TCP (Transmission Control Protocol) - ANSWER ✔ A connection-oriented,
guaranteed-delivery protocol used to send data packets between computers
over a network like the Internet.


14. DNP3 - ANSWER ✔
- DNP = Distributed Network Protocol
- Mainly used by Electric, Gas and Water utilities
- Originally developed by Westronic
- Open standard
- IEEE 1815-2010 Standard
- Up to 65,000 devices per network
- Event time stamping
- RS232, RS485 -- Can be encapsulated in TCP/IP or backhauled via
radio and modem.
- Master-slave protocol - but Slave can report without request
- Master (HMI, FEP) to Slave (RTU, PLC, IED) communication
- Functions include send request, accept response, confirmation,
time-outs, error recovery


15. Modbus TCP - ANSWER ✔ TCP/502 - Designed in the late 70s to provide
simple and robust communications from master to slave devices.


16. Network Diagram - Conceptual Design - ANSWER ✔ High-level
Core components
Helps to understand a picture of the overall purpose of the network and why
the solution was designed.
Required for integration or general functionality, data flow, and high-level
system behavior.
Utilizes "black box" diagramming.


17. Network Diagram - Logical Design - ANSWER ✔ Represents each logical
function in the system
more detailed
include all the major components in the network pu


18. What is Threat Enumeration? - ANSWER ✔ The process of tracking and
understanding critical threats to your system or network.

19. Router attacks - ANSWER ✔ Denial of Service (DOS)
Distributed Denial of Service (DDOS)
Packet Sniffing
Packet Misrouting
Routing Table Poisoning
Malicious Insider/Disgruntled Employee


20. What's a solution to prevent a DOS? - ANSWER ✔ Patch the router.


21. Switch attacks - ANSWER ✔ DCP Manipulation
MAC Flooding
DHCP Spoofing
STP Attacks
VLAN Hopping Attack
Telnet Attack


22. Which of the following is true regarding a TCP/IP packet being generated as
it travels down the stack? (Book 1 Page 62)


The packet directly connects to the peer layer on the target device.
Each layer removes a header.
Each layer adds a header.
Each layer removes the previous header and adds its own. - ANSWER ✔
Each layer adds a header


23. What is a rough entry-level cost estimate of the hardware and software
required for performing sniffing of wireless traffic? (Book 1 Page 185)


US $5,000
US $2,000,000
US $50
US $20,000 - ANSWER ✔ $50

Get to know the seller

ProfBenjamin Havard School