SANS SEC401 COMPREHENSIVE EXAMS QUESTIONS AND SOLUTIONS MARKED A+
Written for

Institution
SANS SEC401
Module
SANS SEC401

Document information

Uploaded on
October 25, 2025
Number of pages
34
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers
Content preview

Protected Enclaves - An approach to defense-in-depth that segments your network using multiple VPNs, VLAN segmentation, switches, or firewalls to separate networks. Reducing the exposure of a system can greatly reduce risk; access to critical segments is restricted.

Information-centric - An approach to defense-in-depth in which you identify critical assets and provide layered protection: Network -> Host -> Application -> Information. Data leaving your network is thoroughly checked.

Vector-Oriented - An approach to defense-in-depth in which the focus is on preventing a threat from using a vector, such as malicious USB drives (disable USB), email attachments (block or scan attachments), or spoofed email (verify addresses).

Zero-Trust - A different approach to defense-in-depth in which every request, whether internal or external, must be authenticated and authorized. This approach is based on two key factors, authentication and encryption. Log inspection is essential.

Variable trust - An implementation of the zero trust model in which the system scores a trust level based on a number of factors; if the score is high enough, the user is granted access. Factors include type of user access, correct username/password, geolocation, device compliance, and type of application.

Web Application Firewall - A special type of application-aware firewall that inspects applications using HTTP.

IAM - Identity and access management

Azure IAM - If/then rules allow administrators to manage the system

AWS IAM - Manages authorizations by policies with granular permissions. Can link accounts with other platforms (Google or Microsoft).

GCP IAM - Managed by group permission roles and members

Configuration Management - The discipline of establishing a known baseline condition and then managing that condition

Strategy for fixing an infected system - Rebuild from scratch; never trust a compromised system. Start with a clean slate.

Digital Identity - A set of data that uniquely describes a person or a thing.

Authorization - The process of determining what a subject is allowed to do or access after authentication

Authentication - A process in which a subject proves they possess one or more valid authenticators associated with an identity. Includes three steps:
1. Claimant presents authenticator to verifier
2. Verifier checks validity of authenticators
3. Verifier asserts the identity of the claimant

Accountability - The process of identifying who did what on the system and when

Identity management - The organizational process for identifying, authenticating, and authorizing individuals or groups of people to have access to applications, systems, or networks by associating user rights and restrictions with established identities

Process of enrollment - Identity proofing
Identity assurance level
Issuance of credentials

Identity proofing - The process of proving that an applicant is who they claim to be. Includes the following three steps:
1. Resolution (a traveler gives a passport to a border agent and answers questions about identity and purpose of travel)
2. Validation (the border agent inspects the passport to ensure it is not counterfeit)
3. Verification (the border agent compares the passport picture and data with the traveler)

IAL - Identity assurance level: the level of confidence regarding an identity. Outlined in NIST 800-63.

IAL 1 - Self-asserted identity, not verified or validated

IAL 2 - Evidence-based, verified by a credential service provider

IAL 3 - Physical presence required for identity proofing

Authenticator Assurance Levels (3) - AA1: at least a single factor
AA2: any 2 factors plus strong crypto
AA3: selected 2 factors plus strong crypto

Controlling access (4 steps) - 1. Least privilege
2. Need to know
3. Separation of duties
4. Rotation of duties

Access control techniques (4) - 1. Discretionary Access Control, DAC
2. Mandatory Access Control, MAC
3. Role-based Access Control, RBAC
4. Lattice-based Access Control, LBAC

Discretionary Access Control (DAC) - Control that the user can manage, such as username, password, and some file permissions

Mandatory Access Control (MAC) - A type of control that applies to all resources via system-enforced credentials that are non-transferable. MAC requires that all users have clearance and all data have classification levels.

Role-based access control (RBAC) - A type of discretionary or mandatory access control that assigns users to roles or groups based on organizational functions; each group has authorization to access certain resources

Lattice-based access control (LBAC) - Mandatory access control that defines restrictions on the interactions between subjects and objects. A subject can access an object if the subject's security level is equal to or higher than the object's.

Privileged Access - Access to a computer system with elevated access rights, such as root or administrator, or access to service accounts

PAM - Privileged Access management

PAM tools can do these 7 things - 1. Provide transparency to the user
2. Act as a policy enforcement point
3. Generate strong shared secrets
4. Securely store credentials
5. Rotate credentials
6. Monitor and log privileged access
7. Generate reports

3-tiered Privileged Access Management - Tier 0: Active Directory, critical and secret servers (crown jewels)
Tier 1: Exchange servers, intranet servers
Tier 2: user workstations, printers, mobile devices

Authentication types (3) - Something you know (memorized password)
Something you have (token)
Something you are (fingerprint)

Strong password policy (4 do's) - Length greater than 8
Check for recognizable words or number sequences
Block after x failed attempts
Force change in case of suspected breach

Strong password policy (4 don'ts) - Truncate passwords
Password hints
Force specific composition rules
Force periodic password changes

Storing passwords - Clear text password -> Key derivation function -> hashed password. Compare the hashed password with the stored hashed password to authenticate.

KDF - Key derivation function

Characteristics of KDF (4) - 1. Irreversible hashing function
2. Input transformation, key stretching, so that keys can be in a specific format
3. Salt and pepper values, so that no two passwords are the same before hashing
4. Difficulty factor: a value that intentionally makes the hash more difficult to break; a value of 10,000 means the hash is repeated 10,000 times before reaching the final hashed value

Salt and pepper values - Salt is a string of random characters added to a password before hashing it. Pepper is a salt that is kept secret and stored securely.

What determines the strength of a password hash (4) - 1. Key derivation function (KDF) quality
2. Password and derived key length
3. Character set support
4. Difficulty factor (CPU & GPU cycles needed to compute the password hash)

PBKDF2 - Password-Based Key Derivation Function 2. A key stretching technique that adds additional bits to a password as a salt. This method helps prevent brute force and rainbow table attacks. Bcrypt is a similar key stretching technique.

Password dumps - A list of hashed passwords that attackers reference

Password Cracking - general approach (5 steps) - 1. Obtain list of hashed passwords
2. Determine the used KDF
3. Create list of possible password guesses
4. Calculate hashes for each guess
5. Try to match the hashes.

Password Cracking - 4 general methods - 1. Brute force attack
