✔✔The Metasploit Browser Autopwn plugin delivers the appropriate exploit based on
what?
A) X-Powered-By
B) User-Agent
C) GET request
D) HTTP header structure - ✔✔B) User-Agent
✔✔In addition to the /etc/passwd file, where else do Unix/Linux systems store password
hashes?
A) /etc/hashes
B) /var/shadow
C) /var/passwd
D) /etc/shadow - ✔✔D) /etc/shadow
✔✔With regard to *dynamic authorization*, which of the following would be an example
of a behavioral anomaly?
A) A user logging in from home and then logging in from another country.
B) A user accessing a system legitimately that they have never used before.
C) A user login at 10:00PM when she works from 8:00AM-5:00PM.
D) A high number of data sources being accessed at a given time. - ✔✔B) A user
accessing a system legitimately that they have never used before.
✔✔Which type of anomaly would include a user logging in at 2:00AM when they
normally work from 8:00AM-5:00PM?
A) Temporal
B) Geographical
C) Behavioral
D) Frequency - ✔✔A) Temporal
✔✔Which type of anomaly would include a user logging in from home and then
suddenly having a login from another country?
A) Temporal
B) Geographical
C) Behavioral
D) Frequency - ✔✔B) Geographical
✔✔Which type of anomaly would include monitoring data assets and flagging access
denied errors or accessing a system legitimately that the user has never used before?
A) Temporal
B) Geographical
C) Behavioral
D) Frequency - ✔✔C) Behavioral
✔✔Which type of anomaly would include number of user logins or how many data
sources are being accessed at a given time?
A) Temporal
B) Geographical
C) Behavioral
D) Frequency - ✔✔D) Frequency
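The four anomaly types in the cards above (temporal, geographical, behavioral, frequency) are easiest to see as detection logic run against a per-user baseline. The block below is an added example, not part of the original card set: the baseline profile, the login events, and the thresholds (working hours, a 2-hour window for a country change, 3 logins per hour) are all constructed assumptions for illustration.

```python
"""Classify login events into temporal, geographical, behavioral and
frequency anomalies against a per-user baseline.

Added example, not from the original page. Baseline, events and
thresholds are constructed sample data."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed baseline: normal hours, known countries, systems used, rate limit
BASELINE = {
    "alice": {
        "work_hours": (8, 17),        # 08:00-17:00, end exclusive (assumed)
        "countries": {"US"},
        "systems": {"crm", "mail"},
        "max_logins_per_hour": 3,     # assumed frequency threshold
    },
}

# Constructed events: (user, ISO timestamp, country, system, outcome)
EVENTS = [
    ("alice", "2024-03-04T09:12:00", "US", "crm", "success"),
    ("alice", "2024-03-04T22:05:00", "US", "mail", "success"),    # after hours
    ("alice", "2024-03-04T22:07:00", "RU", "mail", "success"),    # after hours, new country
    ("alice", "2024-03-04T10:30:00", "US", "hr-db", "success"),   # never-used system
    ("alice", "2024-03-04T10:31:00", "US", "finance", "denied"),  # access denied
    ("alice", "2024-03-04T11:01:00", "US", "crm", "success"),
    ("alice", "2024-03-04T11:02:00", "US", "crm", "success"),
    ("alice", "2024-03-04T11:03:00", "US", "crm", "success"),
    ("alice", "2024-03-04T11:04:00", "US", "crm", "success"),     # 4th login in the hour
]

GEO_WINDOW = timedelta(hours=2)  # assumed: country change inside this gap is suspicious


def classify(events, baseline):
    """Return a list of (anomaly_type, event) tuples, one per rule that fires."""
    findings = []
    per_hour = Counter()          # (user, YYYY-MM-DDTHH) -> login count
    last_seen = {}                # user -> (country, datetime) of previous login
    for ev in sorted(events, key=lambda e: e[1]):
        user, ts, country, system, outcome = ev
        prof = baseline.get(user)
        if prof is None:
            continue              # no baseline yet: nothing to compare against
        t = datetime.fromisoformat(ts)

        # Temporal: login outside the user's normal working hours
        start, end = prof["work_hours"]
        if not (start <= t.hour < end):
            findings.append(("temporal", ev))

        # Geographical: unknown country, or a country change too soon after the last login
        prev = last_seen.get(user)
        moved_fast = prev is not None and prev[0] != country and (t - prev[1]) < GEO_WINDOW
        if country not in prof["countries"] or moved_fast:
            findings.append(("geographical", ev))
        last_seen[user] = (country, t)

        # Behavioral: a system the user has never used, or an access-denied error
        if system not in prof["systems"] or outcome == "denied":
            findings.append(("behavioral", ev))

        # Frequency: more logins in one hour than the baseline allows
        key = (user, t.strftime("%Y-%m-%dT%H"))
        per_hour[key] += 1
        if per_hour[key] > prof["max_logins_per_hour"]:
            findings.append(("frequency", ev))
    return findings


def summarize(findings):
    """Count findings by anomaly type."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, ev in classify(EVENTS, BASELINE):
        print(f"{kind:12} {ev[1]} {ev[0]} {ev[2]} {ev[3]} {ev[4]}")
    print(summarize(classify(EVENTS, BASELINE)))
```

Events are sorted by timestamp before evaluation so that the "previous login" used by the geographical rule is the chronologically previous one; a single event can trigger more than one rule (the 22:07 login from RU is both temporal and geographical), which is normally what you want for scoring rather than collapsing to one label.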
✔✔What is the problem most companies deal with when managing security alerts?
A) False positives
B) Poorly trained users
C) False negatives
D) Volume - ✔✔D) Volume
✔✔What is the maximum log size of syslog in bytes, when using UDP?
A) 512
B) 1024
C) 4096
D) 1500 - ✔✔B) 1024
✔✔T/F:
When using UDP, many systems will either drop or truncate a syslog log packet over
1024 bytes. - ✔✔True.
RFC 3164 caps a syslog packet at 1024 bytes, and UDP provides no retransmission, so
most receivers drop or truncate messages beyond that limit rather than rely on IP
fragmentation.
✔✔Which syslog field stores the facility and severity codes?
A) TTY
B) Sev ID
C) Message ID
D) PRI - ✔✔D) PRI
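The PRI field and the 1024-byte UDP limit from the cards above come together in any syslog receiver: PRI is the number in angle brackets at the start of the message, computed as facility * 8 + severity, so facility is PRI shifted right by 3 and severity is the low 3 bits. The block below is an added example, not part of the original card set; the sample messages are constructed (the `<34>` line is the classic RFC 3164 auth.crit example shape), and the facility names for codes 12-15 follow the RFC 3164 table rather than any particular vendor.

```python
"""Decode the RFC 3164 PRI field into facility and severity, and flag
messages over the 1024-byte limit that UDP receivers drop or truncate.

Added example, not from the original page. Sample packets are constructed."""
import re

# RFC 3164 section 4.1.1: facility codes 0-23, severity codes 0-7
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_UDP_SYSLOG = 1024  # RFC 3164 section 4.1: total packet length MUST be <= 1024

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a PRI value back into (facility, severity); valid range is 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse(packet):
    """Parse one raw UDP syslog packet (bytes) into a dict.

    A packet with no valid PRI is treated as user.notice, as RFC 3164
    section 4.3.3 requires a relay to do."""
    m = PRI_RE.match(packet)
    if m and int(m.group(1)) <= 191:
        facility, severity = decode_pri(int(m.group(1)))
        body = packet[m.end():]
    else:
        facility, severity = "user", "notice"
        body = packet
    return {
        "facility": facility,
        "severity": severity,
        "length": len(packet),
        "oversize": len(packet) > MAX_UDP_SYSLOG,  # would be dropped/truncated
        "message": body.decode("utf-8", "replace"),
    }


# Constructed sample packets
SAMPLES = [
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    b"<13>Oct 11 22:15:01 mymachine app: user notice with no special facility",
    b"Oct 11 22:16:00 mymachine legacy: message without a PRI header",
    b"<191>" + b"X" * 1100,   # local7.debug, but longer than 1024 bytes
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        rec = parse(pkt)
        flag = " OVERSIZE" if rec["oversize"] else ""
        print(f"{rec['facility']}.{rec['severity']} len={rec['length']}{flag}: "
              f"{rec['message'][:40]}")
```

On the receiving side the `oversize` flag is the check worth keeping: if a source regularly produces messages over the limit, switch that source to TCP or TLS transport (RFC 6587 / RFC 5425) instead of letting the tail of the log be silently cut off.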
✔✔What is Fingerbank?
A) An online DNS fingerprint database.
B) An online MAC fingerprint database.
C) An online MD5 fingerprint database.
D) An online DHCP fingerprint database. - ✔✔D) An online DHCP fingerprint database.
✔✔With regard to the zero trust model, which of the following is a combination of user
and device?
A) Network agent
B) Device agent
C) User agent
D) Security agent - ✔✔A) Network agent
✔✔Why is MAC authentication a weak authentication method?
A) OUIs can have duplicates
B) MAC addresses can be spoofed
C) MAC addresses change when plugged into a different switch
D) MAC addresses can have duplicates - ✔✔B) MAC addresses can be spoofed
✔✔What is Hypponen's law? - ✔✔Whenever an appliance is described as being
"smart," it's vulnerable.
✔✔What are the *five* NIST cybersecurity framework (CSF) core functions? -
✔✔Identify, Protect, Detect, Respond, and Recover.
✔✔Which other cybersecurity frameworks does NIST cybersecurity framework align
with? - ✔✔CSC, COBIT, ISO 27001, and NIST SP 800-53
✔✔What does MITRE "ATT&CK" stand for? - ✔✔Adversarial Tactics, Techniques, and
Common Knowledge.
✔✔What is the formula for exposure? - ✔✔Exposure = Detection + Reaction (time-based
security: exposure time is the time to detect an attack plus the time to react to it).
✔✔When a solution is tuned for low false positives, inevitably it will suffer from
___________. - ✔✔*false negatives*
The solution is to also architect for visibility.
✔✔What is at the base of the incident response hierarchy of needs? - ✔✔"Can you
name the assets you are defending?"