SANS - SEC530 EXAM QUESTIONS & ANSWERS
Which of the following is a recommended USB keyboard mitigation for sites requiring high security?
A) Disable USB ports in the system.
B) Restrict USB devices with approved PIDs and VIDs.
C) Block the USB devices physically.
D) Restrict USB devices with approved user accounts.
Answer: C) Block the USB devices physically.
Which of the following is the best practice to mitigate against the Cisco Discovery Protocol (CDP) information leakage attack?
A) Disable the CDP unless expressly required.
B) No mitigations are needed since CDP is secure by default.
C) Schedule the CDP patch regularly.
D) Enable the SECDP feature in the CDP to secure the CDP.
Answer: A) Disable the CDP unless expressly required.
Which of the following prevents physical access to the network when plugging in an unauthorized device?
A) MAC address filtering
B) Packet filtering firewall
C) Background checks
D) Two-factor authentication
Answer: A) MAC address filtering
What would be one of the first steps for a security architect when building or redesigning a security architecture to secure an organization?
A) Remove unnecessary egress traffic
B) Perform a perimeter pen test
C) Deploy patches to external systems
D) Identify critical assets
Answer: D) Identify critical assets
Which of the following is a method of detecting a BYOAP problem on a network?
A) Multiple VPN connections from the internal network.
B) Multiple URL requests from the same source IP.
C) Multiple SSIDs in the area.
D) Multiple user agent strings from the same IP address.
Answer: D) Multiple user agent strings from the same IP address.
What could be implemented to mitigate the risk of one client pivoting to another on the same network?
A) Host-based antipivot
B) Next-gen antivirus
C) NAC controls
D) Private VLANs
Answer: D) Private VLANs
What is the term used for when the red team is working together with the blue team through simulation of specific threat scenarios?
A) Purple teaming
B) Black-hat teaming
C) Defensive teaming
D) Multi-front teaming
Answer: A) Purple teaming
When discussing Prevention (P), Detection (D), and Response (R) in a time-based security model, which of the following must be true for security to be effective?
A) P<D+R
B) P=D+R
C) P>D+R
D) P=D=R
Answer: C) P>D+R
Which of the following is known as a Rubber Ducky?
A) USB keyboard
B) Raspberry Pi device
C) Trojan horse executable
D) Rogue AP
Answer: A) USB keyboard
Which OSI layer would include ARP cache poisoning and MAC address spoofing attacks?
A) Layer 4
B) Layer 3
C) Layer 2
D) Layer 5
Answer: C) Layer 2
Which of these methods for delivering software patches in a Windows enterprise should an organization utilize?
A) Windows Server Update Services
B) Windows Update Delivery Optimization
C) Windows 10 P2P Patching
D) System Patch Management Services
Answer: B) Windows Update Delivery Optimization
Which project documents common tactics, techniques, and procedures that advanced persistent threat groups have used against enterprise networks?
A) DEF3NSE
B) DET3CT
C) ATP&CK
D) ATT&CK
Answer: D) ATT&CK
Which type of analysis is less common and is based on the presumption of compromise, i.e., that the network is already owned?
A) Perimeter analysis
B) Infection analysis
C) Risk analysis
D) Egress analysis
Answer: D) Egress analysis
Which of the following Cisco IOS commands is used to shut the port down automatically when the maximum number of MAC addresses is exceeded?
A) switchport port-security violation shutdown
B) switchport port-security limit rate source-mac-shutdown
C) switchport port-security violation auto-shutdown
D) switchport port-security mac-exceed-port-shutdown
Answer: A) switchport port-security violation shutdown
What is a common failing associated with focusing only on compliance-driven security?
A) Compliance-driven security tends to focus only on hardening internal systems.
B) Compliance-driven security tends to focus only on hardening the perimeter.
C) Compliance-driven security tends to be costly in terms of solutions and resources.
D) Compliance-driven security tends to fail in the face of a persistent adversary.
Answer: D) Compliance-driven security tends to fail in the face of a persistent adversary.
Which of the following is described by Lockheed Martin as a countermeasure action to the Kill Chain?
A) Disrupt
B) Prevent
C) React
D) Remove
Answer: A) Disrupt
What is an easy-to-implement and effective control an organization can leverage to make pivoting more difficult for an attacker?
A) WPA2
B) P2P patching
C) Private VLAN
D) VPN
Answer: C) Private VLAN
Which type of private VLAN ports may only communicate with promiscuous ports?
A) Isolated
B) Promiscuous
C) Network
D) Community
Answer: A) Isolated
Which of the following wireless standards supports up to 1300 Mbps?
A) 802.11b
B) 802.11ac
C) 802.11n
D) 802.11w
Answer: B) 802.11ac
In which phase of the security architecture design lifecycle are threat modeling and attack surface analysis conducted?
A) Scan
B) Discover and Assess
C) Plan
D) Design
Answer: C) Plan
Which of the following tools is used by attackers to perform ARP spoofing?
A) Burp Suite
B) Aircrack
C) Ettercap
D) Snort
Answer: C) Ettercap
What does ARP spoofing require that makes many organizations consider it low probability / low risk?
A) ARP spoofing is an antiquated attack and is no longer a risk for organizations.
B) ARP spoofing only works on network switches.
C) ARP spoofing requires local Layer 2 access.
D) ARP spoofing only works on wireless networks.
Answer: C) ARP spoofing requires local Layer 2 access.
Which of the following strategies can eliminate duplicate flow logs?
A) Switching to NetFlow V9.