SANS - SEC530 Flashcards for Defensible Security
Architecture and Engineering: Implementing Zero Trust for
the Hybrid Enterprise (SANS SEC530) Questions With
Complete Solutions
According to best practices, when should a root CA perform
certificate renewals and issuances? Correct Answers The root
CA should only perform certificate renewals and issuances when
they are needed for *other* certificate authorities.
After upgrading to a NGFW, Snort has been moved from an
inline tap to a mirror port on the firewall that is performing SSL
decrypt mirroring. What will need to be changed in order for
Snort to support this configuration?
A) Update GW_ADDR with the IP of the NGFW
B) Add 443 to $HTTP_PORTS
C) Set HTTP_PORTS = $HTTPS_PORTS
D) No change is required. Correct Answers B) Add 443 to
$HTTP_PORTS
An organization is implementing zero trust. Which of the
following will provide both encryption and authentication to
secure their transmissions?
A) Single packet authorization
B) TLS
C) 802.1X
D) WPA2 Correct Answers B) TLS
,An organization requires SNMP monitoring of Cisco network
devices; however, it does not have SNMPv3 capability. Which
of the following will prevent an attacker from gaining SNMP
access that enables them to download the Cisco IOS
configuration.
A) Disabling SNMP read access
B) Changing community strings frequently
C) Disabling SNMP write access
D) Using complex community strings Correct Answers C)
Disabling SNMP write access
BitLocker achieves disk encryption via issuing a public key to
which type of server? Correct Answers BitLocker issues a
public key to the *Windows Deployment Services* (WDS)
server, which can unlock encrypted client systems with the
public key.
Data governance is greatly impacted by which controls?
A) Data classification, data protection, data extortion detection
B) File classification, data loss prevention, information policy
enforcement
C) Data loss prevention, data extortion detection, data
classification
D) File classification, data in transit, data at rest Correct
Answers B) File classification, data loss prevention,
information policy enforcement
Deploying fake content or objects within an organization is a
form of what type of tripwire or red herring defense?
,A) Active deception
B) Easter egg
C) Honeytoken
D) Intrusion detection appliance Correct Answers C)
Honeytoken
Detecting insider threat activity in a Windows environment can
be accomplished by monitoring audit logs for which type of
activity?
A) Scanning in AV firewall logs
B) ICMP echo requests
C) Vulnerability scanning internally
D) Attempts to enumerate group membership Correct Answers
D) Attempts to enumerate group membership
Given Zeek is not multithreaded, what is the best rule of thumb
for deciding how many CPU cores will be required for traffic
analysis? Correct Answers There should be one core for every
250 Mbps monitored.
For example: If you were monitoring 4 Gbps (4096 Mbps), 17
cores will be required... 4 x = 16.384
The quick math for this is... x4 cores per gig of traffic, plus 1.
How can a router advertisement (RA) attack be prevented?
Correct Answers Configure all routers to send RA messages
with *priority* set to *high*.
, How can a web proxy help protect clients from malware?
Correct Answers A web proxy can hide or modify client data,
such as the client user-agent, to prevent targeted malware from
identifying client system specifications.
How can extension headers be used for malicious purposes?
Correct Answers Extension headers can be used to chain
fragmented packets together and avoid payload detection.
How could USB device product identifiers (PIDs) and vendor
identifiers (VIDs) used to secure architecture? Correct Answers
Systems could utilize an allow list to only allow authorized PIDs
and VIDs.
How do disk encryption solutions use both a symmetric key and
asymmetric key to secure a disk? Correct Answers A symmetric
key is used to encrypt the disk.
An asymmetric key is used to protect the symmetric key and
unlock it via authentication.
How does DHCP fingerprinting work? Correct Answers DHCP
fingerprinting is the process of analyzing DHCP Discover traffic
and parsing the option 55 fields to identify the sending system.
How does DHCP starvation work? Correct Answers A
malicious system attempts to request all available DHCP
addresses in the pool.
How does Kerberos armoring work? Correct Answers When a
domain-joined system boots, a domain controller send a session
Architecture and Engineering: Implementing Zero Trust for
the Hybrid Enterprise (SANS SEC530) Questions With
Complete Solutions
According to best practices, when should a root CA perform
certificate renewals and issuances? Correct Answers The root
CA should only perform certificate renewals and issuances when
they are needed for *other* certificate authorities.
After upgrading to a NGFW, Snort has been moved from an
inline tap to a mirror port on the firewall that is performing SSL
decrypt mirroring. What will need to be changed in order for
Snort to support this configuration?
A) Update GW_ADDR with the IP of the NGFW
B) Add 443 to $HTTP_PORTS
C) Set HTTP_PORTS = $HTTPS_PORTS
D) No change is required. Correct Answers B) Add 443 to
$HTTP_PORTS
An organization is implementing zero trust. Which of the
following will provide both encryption and authentication to
secure their transmissions?
A) Single packet authorization
B) TLS
C) 802.1X
D) WPA2 Correct Answers B) TLS
,An organization requires SNMP monitoring of Cisco network
devices; however, it does not have SNMPv3 capability. Which
of the following will prevent an attacker from gaining SNMP
access that enables them to download the Cisco IOS
configuration.
A) Disabling SNMP read access
B) Changing community strings frequently
C) Disabling SNMP write access
D) Using complex community strings Correct Answers C)
Disabling SNMP write access
BitLocker achieves disk encryption via issuing a public key to
which type of server? Correct Answers BitLocker issues a
public key to the *Windows Deployment Services* (WDS)
server, which can unlock encrypted client systems with the
public key.
Data governance is greatly impacted by which controls?
A) Data classification, data protection, data extortion detection
B) File classification, data loss prevention, information policy
enforcement
C) Data loss prevention, data extortion detection, data
classification
D) File classification, data in transit, data at rest Correct
Answers B) File classification, data loss prevention,
information policy enforcement
Deploying fake content or objects within an organization is a
form of what type of tripwire or red herring defense?
,A) Active deception
B) Easter egg
C) Honeytoken
D) Intrusion detection appliance Correct Answers C)
Honeytoken
Detecting insider threat activity in a Windows environment can
be accomplished by monitoring audit logs for which type of
activity?
A) Scanning in AV firewall logs
B) ICMP echo requests
C) Vulnerability scanning internally
D) Attempts to enumerate group membership Correct Answers
D) Attempts to enumerate group membership
Given Zeek is not multithreaded, what is the best rule of thumb
for deciding how many CPU cores will be required for traffic
analysis? Correct Answers There should be one core for every
250 Mbps monitored.
For example: If you were monitoring 4 Gbps (4096 Mbps), 17
cores will be required... 4 x = 16.384
The quick math for this is... x4 cores per gig of traffic, plus 1.
How can a router advertisement (RA) attack be prevented?
Correct Answers Configure all routers to send RA messages
with *priority* set to *high*.
, How can a web proxy help protect clients from malware?
Correct Answers A web proxy can hide or modify client data,
such as the client user-agent, to prevent targeted malware from
identifying client system specifications.
How can extension headers be used for malicious purposes?
Correct Answers Extension headers can be used to chain
fragmented packets together and avoid payload detection.
How could USB device product identifiers (PIDs) and vendor
identifiers (VIDs) used to secure architecture? Correct Answers
Systems could utilize an allow list to only allow authorized PIDs
and VIDs.
How do disk encryption solutions use both a symmetric key and
asymmetric key to secure a disk? Correct Answers A symmetric
key is used to encrypt the disk.
An asymmetric key is used to protect the symmetric key and
unlock it via authentication.
How does DHCP fingerprinting work? Correct Answers DHCP
fingerprinting is the process of analyzing DHCP Discover traffic
and parsing the option 55 fields to identify the sending system.
How does DHCP starvation work? Correct Answers A
malicious system attempts to request all available DHCP
addresses in the pool.
How does Kerberos armoring work? Correct Answers When a
domain-joined system boots, a domain controller send a session
