1. Which of the following is a recommended USB keyboard mitigation for sites
requiring high security?
A) Disable USB ports in the system.
B) Restrict USB devices with approved PIDs and VIDs.
C) Block the USB devices physically.
D) Restrict USB devices with approved user accounts.
- ANSWER ✔ C) Block the USB devices physically.
2. Which of the following Cisco IOS commands is used to shut the port down
automatically when the maximum number of MAC addresses is exceeded?
A) switchport port-security violation shutdown
B) switchport port-security limit rate source-mac-shutdown
C) switchport port-security violation auto-shutdown
D) switchport port-security mac-exceed-port-shutdown
- ANSWER ✔ A) switchport port-security violation shutdown
3. What does DAI stand for, and what does it do? - ANSWER ✔ Dynamic ARP
Inspection (DAI) prevents ARP spoofing at the switch level, by checking a
database of bindings before forwarding an ARP response.
4. How does DHCP starvation work? - ANSWER ✔ A malicious system
attempts to request all available DHCP addresses in the pool.
5. What is the best way to mitigate DHCP starvation attacks? - ANSWER ✔
Most DHCP servers do not have a built-in defense for this type of attack. A
*switch* must be configured to stop this type of attack.
6. What type of attack tends to follow a DHCP starvation attack? - ANSWER
✔ A rogue DHCP server attack.
7. What is the name of the Windows 10 P2P software update setting? -
ANSWER ✔ Delivery Optimization
8. What is the more secure alternative to Windows 10 delivery optimization? -
ANSWER ✔ *WSUS* (Windows Server Update Services)
9. What are the *three* types of VLAN ports? - ANSWER ✔ 1) Promiscuous
2) Isolated
3) Community
10. T/F: A system on the primary VLAN can also be part of a secondary VLAN, such
as isolated or community VLANs. - ANSWER ✔ True.
11. What type of information is available via NetFlow version 9 logs? -
ANSWER ✔ 1) Byte and packet count
2) Protocol
3) Source and destination IP address
4) IP and TCP flags
5) TCP and UDP ports
6) ICMP types and codes
7) Interface
8) BGP information
and more...
12. SOC Zones - ANSWER ✔ Easy containment of the various needs
throughout the business such as OT/ICS, Manufacturing, R&D, PCI Zones,
business critical applications, cloud critical hosting, and DMZ
13. Time Based Security - ANSWER ✔ How long protection works, and how
long it takes to detect and react. P > D + R
14. Cyber Kill Chain Countermeasures - ANSWER ✔ Detect, Deny, Disrupt,
Degrade, Deceive
15. Breakout Point - ANSWER ✔ The point at which lateral movement first
occurs, signaling the time at which the attack moves to more computers and
becomes exponentially more dangerous.
16. OODA Loop - ANSWER ✔ Observe. Orient. Decide. Act. A teaching tool
originating from military training that promotes the use of a constant cycle
of learning; in digital marketing, used to instill the use of hypothesizing,
experimentation, data capture and measurement, and then re-stating a new
revised hypothesis based on information gathered in previous experiments.
17. Exposure Time - ANSWER ✔ Exposure = Detection + Reaction
18. Visibility vs Detection - ANSWER ✔ Visibility is raw telemetry, and
detection is the capability to alert on that raw telemetry.
19. Zero Trust 3 Concepts - ANSWER ✔ 1) Ensure all resources are accessed
securely regardless of location
2) Adopt a least privileged strategy and strictly enforce access control
3) Inspect and log all traffic
20. SABSA Framework Lifecycle - ANSWER ✔ Strategy and Planning >
Design > Implement > Manage & Measure
21. QUIC - ANSWER ✔ Quick UDP Internet Connections, which can be used to
bypass scanning of items by operating over UDP port 443
22. Tool: Warberry - ANSWER ✔ Collection of scanning tools that run on a
Raspberry Pi
23. Tool: USBDeview - ANSWER ✔ View the information on a USB stick such
as serial number and more