SANS SEC530 COMPREHENSIVE
EVALUATION 2026 QUESTIONS WITH
ANSWERS GRADED A+
●● 802.11 x Standards.
Answer: 802.11 n, w, ac [p95 / b1]
●● 802.11W Protected Management Frames.
Answer: (PMF) Protected Management Frames; add encryption to
management frames. Key SHA256, broad/multi cast cryptography /
integrity, blocked spoofing attacks. [p96 / b1]
●● DMARC.
Answer: Domain-Based Message Authentication Reporting and
Compliance - Differs from SPF and DKIM both verify if email came
from sending owner domain, don't verify the display 'from' header
address if from the verified domain. functionality can be used to force
alignment of visible 'from' in emails DMARC requires another DNS
TXT record to establish the policy and alignment. [p167 / b2]
●● DHCP Rogue Server.
Answer: Follows a DHCP starvation attack in which the rogue DHCP
server serves up addresses, launch man-in-the-middle attacks, forged
DNS responses. [p121 / b1]
,●● File classification & File protection.
Answer: File classification is not directly securing the data it is
classifying. If anything, file classification is more closely akin to an
access control list. File classification exists to label data to guide
systems and software on how to handle the data. It can be used to
enforce data policies, but classification properties may be removed by a
malicious insider or hacker. Yet the misconception is that file
classification is intended to keep a hacker from stealing data. File
classification is primarily to help organizations properly manage their
data rather than keep a hacker from stealing it [p88 / b4]
●● Granular Auditing.
Answer: Can apply conditional access settings with the auditing tab of a
file or folder and monitor the logs to see if access be accidentally denied.
Allows for testing and rule staging. [p116 / b4]
●● Hyper-converged Storage.
Answer: A virtualization platform integrates CPU, memory, and disks,
controlled by a hypervisor. These solutions use a virtual machine to
control local disks or PCI storage cards for high-speed storage.
Continuous network operations between controller VMs are necessary.
Compromise of a single controller can provide access to all disks. To
secure this, limit SSH and other network communications to only the
controllers. Console-level access should be restricted to prevent
unauthorized access. [p154 / b4]
,●● IPv6 (Duplicate Address Detection).
Answer: IPv6 hosts using privacy extension addresses also perform
duplicate address detection (DAD), per RFC 4941: The node MUST
perform duplicate address detection on the generated temporary address.
If DAD indicates the address is already in use, the node MUST generate
a new randomized interface identifier. Privacy-enhanced IPv6 addresses
are used when systems use SLAAC to generate an IP address. This is
because SLAAC uses the system's globally unique MAC address to
define the IPv6 address. This is a privacy concern. The privacy
extensions generate a random host portion of the IPv6 address. This
raises a (very small) risk of duplicate addresses. [p90 / b2]
●● Physical Access (Switch Router Pots, SSHd).
Answer: Secure locations such as locked mgmt. closets, AUX secured
w/ password or disabled if console is used for terminal access, force
SSHv2 only, default key 512, use , ssh authentication retries
to 3 drop connection after 3 failed logins. [p16 / b2]
●● Segmentation.
Answer: Segmentation must include authentication and access control
per user/device. Segmentation refers to the ability to enforce separation
either logically or physically. In security, segmentation is interpreted as
network segmentation. Organizations spend enormous amounts of time
planning out networks, subnets, and methods to control access between
each layer within their design. The problem, however, is that
segmentation at the network alone is insufficient. Organizations need to
plan and design how segmentation is implemented at each endpoint and
, between systems authorized via network segmentation to communicate.
Access controls should not stop at the network. Access controls should
include user and device authentication and validation. [p119 / b2]
●● Virtualization (Segmentation productivity applications and privileged
applications).
Answer: Virtualization software such as VirtualBox or VMware
Workstation/Fusion can be used to implement a local version of jump
boxes. The solution involves using the host operating system for
administrative or business tasks and using a local virtual machine for
productivity access. With this design, compromise will likely be limited
to the local VM. While it is possible for an attacker to escape the virtual
machine to attack the host, it is much less likely to happen compared to
having a user run both administrative tasks and productivity applications
directly on one system [p132 / b3]
●● A_Content Discovery (SQL Query IF EXISTS).
Answer: Creating a stored SQL procedure to use. [p0 / b0]
●● A_Privileged Access (View Console Permissions).
Answer: View Console: gaining local admin access, Copy & Paste
possible use of data exfiltration, Clone allows creating offline copies of
systems, DVD/USB: autorun attacks or mounting malware, Snapshots:
denial of service to storage space. [p0 / b0]
●● Access Controls Mapping.
EVALUATION 2026 QUESTIONS WITH
ANSWERS GRADED A+
●● 802.11 x Standards.
Answer: 802.11 n, w, ac [p95 / b1]
●● 802.11W Protected Management Frames.
Answer: (PMF) Protected Management Frames; add encryption to
management frames. Key SHA256, broad/multi cast cryptography /
integrity, blocked spoofing attacks. [p96 / b1]
●● DMARC.
Answer: Domain-Based Message Authentication Reporting and
Compliance - Differs from SPF and DKIM both verify if email came
from sending owner domain, don't verify the display 'from' header
address if from the verified domain. functionality can be used to force
alignment of visible 'from' in emails DMARC requires another DNS
TXT record to establish the policy and alignment. [p167 / b2]
●● DHCP Rogue Server.
Answer: Follows a DHCP starvation attack in which the rogue DHCP
server serves up addresses, launch man-in-the-middle attacks, forged
DNS responses. [p121 / b1]
,●● File classification & File protection.
Answer: File classification is not directly securing the data it is
classifying. If anything, file classification is more closely akin to an
access control list. File classification exists to label data to guide
systems and software on how to handle the data. It can be used to
enforce data policies, but classification properties may be removed by a
malicious insider or hacker. Yet the misconception is that file
classification is intended to keep a hacker from stealing data. File
classification is primarily to help organizations properly manage their
data rather than keep a hacker from stealing it [p88 / b4]
●● Granular Auditing.
Answer: Can apply conditional access settings with the auditing tab of a
file or folder and monitor the logs to see if access be accidentally denied.
Allows for testing and rule staging. [p116 / b4]
●● Hyper-converged Storage.
Answer: A virtualization platform integrates CPU, memory, and disks,
controlled by a hypervisor. These solutions use a virtual machine to
control local disks or PCI storage cards for high-speed storage.
Continuous network operations between controller VMs are necessary.
Compromise of a single controller can provide access to all disks. To
secure this, limit SSH and other network communications to only the
controllers. Console-level access should be restricted to prevent
unauthorized access. [p154 / b4]
,●● IPv6 (Duplicate Address Detection).
Answer: IPv6 hosts using privacy extension addresses also perform
duplicate address detection (DAD), per RFC 4941: The node MUST
perform duplicate address detection on the generated temporary address.
If DAD indicates the address is already in use, the node MUST generate
a new randomized interface identifier. Privacy-enhanced IPv6 addresses
are used when systems use SLAAC to generate an IP address. This is
because SLAAC uses the system's globally unique MAC address to
define the IPv6 address. This is a privacy concern. The privacy
extensions generate a random host portion of the IPv6 address. This
raises a (very small) risk of duplicate addresses. [p90 / b2]
●● Physical Access (Switch Router Pots, SSHd).
Answer: Secure locations such as locked mgmt. closets, AUX secured
w/ password or disabled if console is used for terminal access, force
SSHv2 only, default key 512, use , ssh authentication retries
to 3 drop connection after 3 failed logins. [p16 / b2]
●● Segmentation.
Answer: Segmentation must include authentication and access control
per user/device. Segmentation refers to the ability to enforce separation
either logically or physically. In security, segmentation is interpreted as
network segmentation. Organizations spend enormous amounts of time
planning out networks, subnets, and methods to control access between
each layer within their design. The problem, however, is that
segmentation at the network alone is insufficient. Organizations need to
plan and design how segmentation is implemented at each endpoint and
, between systems authorized via network segmentation to communicate.
Access controls should not stop at the network. Access controls should
include user and device authentication and validation. [p119 / b2]
●● Virtualization (Segmentation productivity applications and privileged
applications).
Answer: Virtualization software such as VirtualBox or VMware
Workstation/Fusion can be used to implement a local version of jump
boxes. The solution involves using the host operating system for
administrative or business tasks and using a local virtual machine for
productivity access. With this design, compromise will likely be limited
to the local VM. While it is possible for an attacker to escape the virtual
machine to attack the host, it is much less likely to happen compared to
having a user run both administrative tasks and productivity applications
directly on one system [p132 / b3]
●● A_Content Discovery (SQL Query IF EXISTS).
Answer: Creating a stored SQL procedure to use. [p0 / b0]
●● A_Privileged Access (View Console Permissions).
Answer: View Console: gaining local admin access, Copy & Paste
possible use of data exfiltration, Clone allows creating offline copies of
systems, DVD/USB: autorun attacks or mounting malware, Snapshots:
denial of service to storage space. [p0 / b0]
●● Access Controls Mapping.
