SANS SEC410 EXAM COMPLETE QUESTIONS AND DETAILED SOLUTIONS LATEST UPDATE THIS YEAR - JUST RELEASED
SUMMARIZED SANS 410 / GSEC STUDY COVERAGE
SANS SEC410 focuses on practical cybersecurity foundations: understanding how networks operate, how
attackers exploit weaknesses, and how defenders detect, prevent, and respond. It emphasizes
cryptography basics (hashing, encryption, PKI), traffic analysis, authentication security, endpoint
hardening, and incident response fundamentals. You must also understand Linux and Windows security
basics, access controls, malware behaviors, and common network attack patterns such as spoofing,
brute forcing, phishing, and lateral movement. The exam expects you to interpret logs, identify
suspicious behavior, apply least privilege, and choose appropriate security controls in real-world
scenarios.
1. A security analyst notices outbound traffic to an unknown IP every 60 seconds from one workstation. What is the most likely explanation?
A. Normal DNS resolution behavior
B. Command-and-control beaconing from malware
C. A TCP handshake retransmission issue
D. Legitimate NTP synchronization traffic
Answer: B
Rationale: Periodic, fixed-interval outbound communication is a classic sign of malware beaconing to a C2 server.
2. Your company wants to ensure confidentiality for stored database backups even if the disks are stolen. Which control is best?
A. File integrity monitoring
B. Full-disk encryption
C. Host-based intrusion detection
D. Network segmentation
Answer: B
Rationale: Full-disk encryption protects data at rest, preventing attackers from reading backups if storage is stolen.
3. An administrator uses SSH keys instead of passwords for Linux server access. What security benefit is most significant?
A. It guarantees encryption is disabled
B. It reduces risk of brute-force password attacks
C. It removes the need for access control policies
D. It prevents malware execution automatically
Answer: B
Rationale: SSH key authentication is resistant to brute-force password guessing and credential stuffing attacks.
4. A Windows administrator finds repeated failed logins across many accounts from one external IP. Which attack is most likely occurring?
A. Credential stuffing against one user
B. Password spraying against multiple accounts
C. SQL injection against a web application
D. ARP spoofing against internal hosts
Answer: B
Rationale: Password spraying uses a few common passwords across many accounts, producing many failures across users.
5. A user receives an email that appears to come from the CEO asking for gift card purchases urgently. What attack technique is being used?
A. DNS cache poisoning
B. Business Email Compromise (BEC) phishing
C. TCP session hijacking
D. Buffer overflow exploitation
Answer: B
Rationale: CEO impersonation for financial fraud is a typical BEC-style social engineering attack.
6. A SOC team wants to verify that downloaded software has not been modified in transit. Which cryptographic method is most appropriate?
A. Symmetric encryption with AES
B. Digital signatures using a trusted certificate
C. Password-based authentication
D. Key exchange using Diffie-Hellman only
Answer: B
Rationale: Digital signatures ensure integrity and authenticity, proving the file was not altered and came from the signer.
7. A network engineer wants to limit lateral movement by isolating finance systems from user workstations. Which approach is best?
A. Disabling DNS
B. Implementing VLAN segmentation and firewall rules