SANS 410 ACTUAL EXAM PAPER 2026
QUESTIONS WITH ANSWERS GRADED
A+
◍ Ack Piggybacking.
Answer: The Practice of sending an ACK inside another packet going to the
same destination
◍ Address resolution protocol.
Answer: Protocol for mapping an IP address to a physical machine address
that is recognized on the local network. A table, usually called the ARP
cache, is used to maintain a correlation between each MAC and its
corresponding IP address
◍ What are the five threat vectors?.
Answer: Outside attack from networkOutsider attack from telephoneInsider
attack from local networkinsider attack from local systemattack from
malicious code
◍ OT.
Answer: Operations Technology
◍ ICS.
Answer: Industrial Control Systems
◍ Control System.
Answer: * A device, or set of devices, that manages, commands, directs, or
regulates the behavior of other devices or systems * A device that can
influence the "real world" * A system that bridges cyber-to-physical
Example: Thermostat in our homes
◍ What are some external threat concerns?.
, Answer: -Malicious code might execute destructive overwrite to hard
disks-Malicious mas mailing code might expose sensitive information to the
internet- web server compromise might expose organization to ridicule-
Web server compromise might expose customer private data
◍ Controller.
Answer: Heart of a control system. The controller has the logic and makes
the decision. Interacts with a Process through Actuators and Sensors.
◍ Control Loop.
Answer: Control loops manage a Process * Controller takes input from
Sensors * Controller sends output to Actuators * Actuators change the
Process * Sensors measure the Process
◍ Process.
Answer: Examples of processes: * Manufacturing something * Maintaining
the water through Hoover Dam
◍ Actuator.
Answer: When the Controller determines that it needs to make some kind of
change to a Process, it does so through an Actuator. Actuators change the
real world.
◍ What are some ways to bypass firewall protections?.
Answer: - Worms and Wireless- modems- tunnel anything through HTTP-
social engineering
◍ What is social engineering?.
Answer: - attempt to manipulate or trick a person into providing information
or access- bypass network security by exploiting humans- vector is often
outside attack by telephone or visitor inside
◍ Sensor.
Answer: The eyes and the ears of the Controller. Will measure different
measurements from the Process. Sensors will feed those measurements into
the Controller.
,◍ Supervisor.
Answer: Different types of equipment for humans to be able to monitor
what's happening in the Controller
◍ Four Main ICS Process Models.
Answer: * Discrete - Several different components that create a product.
Usually relies on boolean digital measurements (Product #) * Batch -
Several different components that we mix together as a single batch. Usually
relies on analog measurements (Batch #) * Continuous - Something that
needs to keep going at all times (e.g. electric grid) * Hybrid - Most of the
time we aren't working at any of those first three processes. What we are
doing is much bigger and much more complex and can include many from
each model coming together.
◍ Purdue Level 4.
Answer: Business Network (Not a control network)
◍ Purdue Level 3.
Answer: Plant-Wide Control Network
◍ What is Hping?.
Answer: - a TCP version of ping- sends custom TCP packets to a host and
listens for replies- enables port scanning and spoofing simultaneously
◍ What is a group?.
Answer: A group means multiple iterations won't matter. If you encrypt with
a key, then re-encrypt, it's the same as using one key.
◍ Purdue Level 2.
Answer: Individual Process / Cell / Line Supervisory
◍ Purdue Level 1.
Answer: Individual Process / Cell / Line Controllers
◍ What is a port scan?.
Answer: - common backdoor to open a port- port scan scans for open ports
on remote host- scans 0 - 65,535 twice. TCP and UDP
, ◍ What is nmap?.
Answer: Network scanner.
◍ Purdue Level 0.
Answer: Individual Process / Cell / Line Sensors and Actuators
◍ What are nmap scanning techniques?.
Answer: - Full open- half open (stealth scan)- UDP- Ping
◍ Process Engineer.
Answer: Designs and optimizes process
◍ Field Technician.
Answer: Maintains and repairs process
◍ Programmer.
Answer: Writes control logic
◍ Operator.
Answer: Manages and controls process
◍ What is network stumbler?.
Answer: - free windows based wireless scanner for 802.1b- detects access
point settings- supports GSP integration- identifies networks as encrypted or
unencrypted
◍ ICS Professional Roles.
Answer: Process Engineer, Field Technician, Programmer and Operator
◍ What is Kismet?.
Answer: - Free linux WLAN analysis tool- completely passive, cannot be
detected- supports advanced GPS integration and mapping features- used for
wardriving, WLAN vulerability assessment
◍ ICS Organization Roles.
Answer: Owner/Operators, Vendors, Integrators and Government
◍ Owner/Operators.
Answer: Purchase and use the system
QUESTIONS WITH ANSWERS GRADED
A+
◍ Ack Piggybacking.
Answer: The Practice of sending an ACK inside another packet going to the
same destination
◍ Address resolution protocol.
Answer: Protocol for mapping an IP address to a physical machine address
that is recognized on the local network. A table, usually called the ARP
cache, is used to maintain a correlation between each MAC and its
corresponding IP address
◍ What are the five threat vectors?.
Answer: Outside attack from networkOutsider attack from telephoneInsider
attack from local networkinsider attack from local systemattack from
malicious code
◍ OT.
Answer: Operations Technology
◍ ICS.
Answer: Industrial Control Systems
◍ Control System.
Answer: * A device, or set of devices, that manages, commands, directs, or
regulates the behavior of other devices or systems * A device that can
influence the "real world" * A system that bridges cyber-to-physical
Example: Thermostat in our homes
◍ What are some external threat concerns?.
, Answer: -Malicious code might execute destructive overwrite to hard
disks-Malicious mas mailing code might expose sensitive information to the
internet- web server compromise might expose organization to ridicule-
Web server compromise might expose customer private data
◍ Controller.
Answer: Heart of a control system. The controller has the logic and makes
the decision. Interacts with a Process through Actuators and Sensors.
◍ Control Loop.
Answer: Control loops manage a Process * Controller takes input from
Sensors * Controller sends output to Actuators * Actuators change the
Process * Sensors measure the Process
◍ Process.
Answer: Examples of processes: * Manufacturing something * Maintaining
the water through Hoover Dam
◍ Actuator.
Answer: When the Controller determines that it needs to make some kind of
change to a Process, it does so through an Actuator. Actuators change the
real world.
◍ What are some ways to bypass firewall protections?.
Answer: - Worms and Wireless- modems- tunnel anything through HTTP-
social engineering
◍ What is social engineering?.
Answer: - attempt to manipulate or trick a person into providing information
or access- bypass network security by exploiting humans- vector is often
outside attack by telephone or visitor inside
◍ Sensor.
Answer: The eyes and the ears of the Controller. Will measure different
measurements from the Process. Sensors will feed those measurements into
the Controller.
,◍ Supervisor.
Answer: Different types of equipment for humans to be able to monitor
what's happening in the Controller
◍ Four Main ICS Process Models.
Answer: * Discrete - Several different components that create a product.
Usually relies on boolean digital measurements (Product #) * Batch -
Several different components that we mix together as a single batch. Usually
relies on analog measurements (Batch #) * Continuous - Something that
needs to keep going at all times (e.g. electric grid) * Hybrid - Most of the
time we aren't working at any of those first three processes. What we are
doing is much bigger and much more complex and can include many from
each model coming together.
◍ Purdue Level 4.
Answer: Business Network (Not a control network)
◍ Purdue Level 3.
Answer: Plant-Wide Control Network
◍ What is Hping?.
Answer: - a TCP version of ping- sends custom TCP packets to a host and
listens for replies- enables port scanning and spoofing simultaneously
◍ What is a group?.
Answer: A group means multiple iterations won't matter. If you encrypt with
a key, then re-encrypt, it's the same as using one key.
◍ Purdue Level 2.
Answer: Individual Process / Cell / Line Supervisory
◍ Purdue Level 1.
Answer: Individual Process / Cell / Line Controllers
◍ What is a port scan?.
Answer: - common backdoor to open a port- port scan scans for open ports
on remote host- scans 0 - 65,535 twice. TCP and UDP
, ◍ What is nmap?.
Answer: Network scanner.
◍ Purdue Level 0.
Answer: Individual Process / Cell / Line Sensors and Actuators
◍ What are nmap scanning techniques?.
Answer: - Full open- half open (stealth scan)- UDP- Ping
◍ Process Engineer.
Answer: Designs and optimizes process
◍ Field Technician.
Answer: Maintains and repairs process
◍ Programmer.
Answer: Writes control logic
◍ Operator.
Answer: Manages and controls process
◍ What is network stumbler?.
Answer: - free windows based wireless scanner for 802.1b- detects access
point settings- supports GSP integration- identifies networks as encrypted or
unencrypted
◍ ICS Professional Roles.
Answer: Process Engineer, Field Technician, Programmer and Operator
◍ What is Kismet?.
Answer: - Free linux WLAN analysis tool- completely passive, cannot be
detected- supports advanced GPS integration and mapping features- used for
wardriving, WLAN vulerability assessment
◍ ICS Organization Roles.
Answer: Owner/Operators, Vendors, Integrators and Government
◍ Owner/Operators.
Answer: Purchase and use the system
