
SANS 410 PRACTICE EXAMINATION 2026 QUESTIONS WITH ANSWERS GRADED A+

Pages: 74
Grade: A+
Uploaded on: 25-06-2026
Written in: 2025/2026

Institution: SANS 410
Course: SANS 410

Content preview

SANS 410 PRACTICE EXAMINATION
2026 QUESTIONS WITH ANSWERS
GRADED A+

◍ In which directory can executable programs that are part of the operating
system be found? (/) (/var) (/lib) (/dev) (/usr/bin) (/home) INCORRECT ON
PT.
Answer: /usr/bin
◍ Network Topology.
Answer: The Physical/Logical shape of a network
◍ The Windows Firewall (WF) provides a popup when a new service attempts
to listen on your machine. Which of the following should you train users to
select from a security perspective if they are unsure of which option to
select? (Keep Blocking) (Increase Security Level) (Safe Mode) (Send
Request to Administrator)
Answer: Keep Blocking (Explanation) The three available options for
Windows Firewall are Keep Blocking, Unblock and Ask Me Later. Keep
Blocking does not allow the program to acquire a listening port. You should
train your users to choose this option when there is any doubt as to what
they should do. There are no Safe Mode or Send Request to Admin options.
◍ Logical Topology.
Answer: Gives the description for the physical layout, shows VLANs and
where they are placed on the physical topology
◍ Which threat will be reduced when avoiding system calls from within a
web app?
Answer: OS command injection (Explanation) The primary way to avoid OS
command injection attacks is to avoid system calls from your web
application, especially when the system call is built based on user input. In
most cases, you should be able to find a function or library within your
programming language that can perform the same action.
◍ Trunk Port.
Answer: Connects packets that travel to all VLANs on a switch
◍ How often by default does Windows Group Policy check for updated
policies? (Once a day) (Within 30 minutes of an applied policy change)
(Every quarter hour) (Every 90-120 minutes) INCORRECT ON PT.
Answer: Every 90-120 minutes (Explanation) When a computer boots up, it
downloads the GPOs assigned to it and executes them automatically. Every
90-120 minutes thereafter, the computer checks that none of the GPOs
assigned to it have changed; if any have, those are downloaded and run
automatically even if the computer has not rebooted. 0-30 minutes, 30-60
minutes and 120-180 minutes are durations a group policy could possibly be
modified to use; the standard duration used by Group Policy is 90-120
minutes.
◍ Baseband Systems.
Answer: Transmits one signal on the medium (fiber, copper, etc)
◍ Broadband.
Answer: Form of multiplexing to join multiple signals on a medium
◍ Ethernet.
Answer: Designed as baseband system that can be used in multiplexing
◍ Which of the following best describes Defense-in-Depth? Layered controls -
Separation of duties - Hardened perimeter security - Risk management
Answer: Layered controls (Explanation) Defense-in-depth is best
characterized by layered defenses. The idea is that any layer of defense may
eventually fail, but a Layered Defense offers better protection. Risk
management, separation of duties, and hardened perimeters are part of a
layered defense but do not describe the full concept of DiD.
◍ Which of the following is considered a recommended practice but not a
business requirement? Guideline - Standard - Baseline -
Procedure INCORRECT ON PT.
Answer: Guideline (Explanation) Guidelines, unlike standards and policies,
are not mandatory. Guidelines are more of a recommendation of how
something should be done.
◍ Which of the following is a characteristic of Quality Updates for
Windows? Are released less frequently than Feature Updates - Support
deferring installation on Home edition devices - Include bug fixes and
security patches - Increment the version of Windows
Answer: Include bug fixes and security patches (Explanation) Quality
Updates are smaller improvements to already existing software on Windows
systems, and include bug fixes and security fixes. They are released about
every 30 days, whereas Feature Updates are released a couple of times a
year and increment the Windows version. Installation of Quality Updates
may be deferred for up to 30 days, except on Home edition devices.
◍ CSMA/CD.
Answer: Carrier Sense Multiple Access/Collision Detection
◍ When does applying an encryption algorithm multiple times provide
additional security? When the algorithm is a group - When the algorithm is
not a group - The algorithm uses xor - The algorithm is weak INCORRECT
ON PT.
Answer: When the algorithm is not a group (Explanation) Whether an
algorithm is a group is an important statistical consideration. If it is a group,
then applying the algorithm multiple times is a waste of time. In 1992, it
was proven that DES is not a group, in fact, so encrypting multiple times
with DES is not equivalent to encrypting once.
◍ How is a TCP/IP Packet generated as it moves down through the TCP/IP
stack?
(Network Layer -> Transport Layer -> Internet Layer -> Application Layer)
(Network Layer -> Internet Layer -> Transport Layer -> Application Layer)
(Application Layer -> Transport Layer -> Internet Layer -> Network Layer)
(Application Layer -> Internet Layer -> Transport Layer -> Network Layer)
Answer: Application Layer -> Transport Layer -> Internet Layer -> Network
Layer (Explanation) As a packet is generated the packet goes from the
Application Layer to the Transport Layer to the Internet Layer and finally to
the Network Layer.
◍ Unicast.
Answer: Broadcast for a single device
◍ Multicast.
Answer: Broadcast for a specific group or multiple devices
◍ Broadcast.
Answer: Message for everyone to receive and process
◍ Hub.
Answer: Broadcasts packets to every single port
◍ Which type of event classification is missed by a NIDS and has the most
potential to be a serious event? True positive - False positive - True negative
- False negative
Answer: False negative (Explanation)
• False negative: A false negative event is when the IDS identifies data as
benign when, in fact, it is malicious. A false negative does not generate an
alert for the analyst and therefore these can be dangerous because the
analyst cannot take action.
• True negative: A true negative event is what we want the IDS to see, the
cases where data does not indicate any malicious activity, and the data is
correct. In the case of a true negative, the IDS does not generate an alert for
the analyst.
• True positive: In these cases, the IDS worked as intended and correctly
flagged the activity as anomalous behavior that might be malicious. True
positives generate alerts for the analyst to process.
• False positive: A false positive case is where the IDS generates an alert
flagging hostile activity, which was benign. False positives generate alerts
for the analyst to process, who then must decide how to handle the activity.
◍ Which access control mechanism requires a high amount of maintenance

Seller: TopGradeInsider, Harvard University