SANS - SEC530 EXAM QUESTION BANK | FREQUENTLY TESTED QUESTIONS WITH CORRECT ANSWERS | BRAND NEW!
Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise (SANS SEC530)
Which Zeek configuration file determines which network interface is monitored?
A) $PREFIX/etc/interface.cfg
B) $PREFIX/etc/broctl.cfg
C) $PREFIX/etc/networks.cfg
D) $PREFIX/etc/node.cfg
✔✔✔ Correct Answer > D) $PREFIX/etc/node.cfg
In which of the following circumstances would network DLP likely detect a possible data exfiltration?
A) Encrypted file over an encrypted network protocol
B) Encrypted file over a cleartext network protocol
C) Network encryption with SSL inspection
D) Application-level compression
✔✔✔ Correct Answer > C) Network encryption with SSL inspection
Which of the following controls would be effective at detecting a malicious executable that was specially crafted to evade signature-based detection controls?
A) Intrusion prevention
B) Antivirus
C) Malware detonation
D) URL filtering - ✔✔✔ Correct Answer > C) Malware detonation
With aggregate network utilization at monitored choke points projected at 4 Gbps, how many CPU cores will be required for traffic analysis with Zeek?
A) 17
B) 4
C) 9
D) 21 - ✔✔✔ Correct Answer > A) 17
Which of the following describes the malware detonation workflow?
A) Analyze the AV and reputation databases and detonate only if the results are positive.
B) Analyze the AV reputation databases and detonate only if the results are negative.
C) Detonate files only if a static analysis detects use of a packer and/or high entropy.
D) Detonate all identified executables, documents, and URLs.
✔✔✔ Correct Answer > A) Analyze the AV and reputation databases and detonate only if the results are positive.
Which open-source tool is available for blue teamers to assess organizations' detection and prevention capability against password guessing from multiple IP addresses that rely on Amazon EC2 instances?
A) IONCannon
B) BotNetCannon
C) ProxyCannon
D) ProxyBots - ✔✔✔ Correct Answer > C) ProxyCannon
What is a security consideration when implementing an Always On VPN solution?
A) It requires a stored password or certificate on each system.
B) It creates a blind spot for centralized security solutions.
C) It only works on a split-tunnel VPN.
D) It uses less bandwidth.
✔✔✔ Correct Answer > A) It requires a stored password or certificate on each system.
Which Linux distro is an open-source platform for full-fledged network security monitoring?
A) Kali
B) Suricata
C) Zeek
D) Security Onion - ✔✔✔ Correct Answer > D) Security Onion
Which configuration option can be used to prevent passive TLS/SSL decryption?
A) Update all web servers to only support TLS 1.2 and above.
B) Update all web servers to only support elliptic curve-based ciphers.