SANS 401 PRACTICE EXAM 2025 ACTUAL EXAM QUESTIONS WITH DETAILED VERIFIED ANSWERS AND RATIONALES / ALREADY GRADED A+
Question: In which directory can executable programs that are part of the operating system be found?
Options: (/) (/var) (/lib) (/dev) (/usr/bin) (/home)
Answer: /usr/bin
INCORRECT ON PT
Question: The Windows Firewall (WF) provides a popup when a new service attempts to listen on your machine. Which of the following should you train users to select from a security perspective if they are unsure of which option to select?
Options: (Keep Blocking) (Increase Security Level) (Safe Mode) (Send Request to Administrator)
Answer: Keep Blocking
( Explanation )
The three available options for Windows Firewall are Keep Blocking, Unblock and Ask Me Later. Keep Blocking does not allow the program to acquire a listening port. You should train your users to choose this option when there is any doubt as to what they should do. There are no Safe Mode or Send Request to Admin options.
Question: Which threat will be reduced when avoiding system calls from within a web app?
Answer: OS command injection
( Explanation )
The primary way to avoid OS command injection attacks is to avoid system calls from your web application, especially when the system call is built based on user input. In most cases, you should be able to find a function or library within your programming language that can perform the same action.
Question: How often by default does Windows Group Policy check for updated policies?
Options: (Once a day) (Within 30 minutes of an applied policy change) (Every quarter hour) (Every 90-120 minutes)
Answer: Every 90-120 minutes
( Explanation )
When a computer boots up, it downloads the GPOs assigned to it and executes them automatically. Every 90-120 minutes thereafter, the computer checks that none of the GPOs assigned to it have changed; if any have, those are downloaded and run automatically even if the computer has not rebooted. 0-30 minutes, 30-60 minutes and 120-180 minutes are durations a group policy could possibly be modified to use; the standard duration used by Group Policy is 90-120 minutes.
INCORRECT ON PT
Question: Which of the following best describes Defense-in-Depth?
Options: (Layered controls) (Separation of duties) (Hardened perimeter security) (Risk management)
Answer: Layered controls
( Explanation )
Defense-in-depth is best characterized by layered defenses. The idea is that any layer of defense may eventually fail, but a Layered Defense offers better protection. Risk management, separation of duties, and hardened perimeters are part of a layered defense but do not describe the full concept of DiD.
Question: Which of the following is considered a recommended practice but not a business requirement?
Options: (Guideline) (Standard) (Baseline) (Procedure)
Answer: Guideline
( Explanation )
Guidelines, unlike standards and policies, are not mandatory. Guidelines are more of a recommendation of how something should be done.
INCORRECT ON PT
Question: Which of the following is a characteristic of Quality Updates for Windows?
Options: (Are released less frequently than Feature Updates) (Support deferring installation on Home edition devices) (Include bug fixes and security patches) (Increment the version of Windows)
Answer: Include bug fixes and security patches
( Explanation )
Quality Updates are smaller improvements to already existing software on Windows systems, and include bug fixes and security fixes. They are released about every 30 days, whereas Feature Updates are released a couple of times a year and increment the Windows version. Installation of Quality Updates may be deferred for up to 30 days, except on Home edition devices.
Question: When does applying an encryption algorithm multiple times provide additional security?
Options: (When the algorithm is a group) (When the algorithm is not a group) (The algorithm uses xor) (The algorithm is weak)
Answer: When the algorithm is not a group
( Explanation )
Whether an algorithm is a group is an important statistical consideration. If it is a group, then applying the algorithm multiple times is a waste of time. In 1992, it was proven that DES is not a group, in fact, so encrypting multiple times with DES is not equivalent to encrypting once.
INCORRECT ON PT
Question: How is a TCP/IP packet generated as it moves down through the TCP/IP stack?
Options: (Network Layer -> Transport Layer -> Internet Layer -> Application Layer) (Network Layer -> Internet Layer -> Transport Layer -> Application Layer) (Application Layer -> Transport Layer -> Internet Layer -> Network Layer) (Application Layer -> Internet Layer -> Transport Layer -> Network Layer)
Answer: Application Layer -> Transport Layer -> Internet Layer -> Network Layer
( Explanation )
As a packet is generated, the packet goes from the Application Layer to the Transport Layer to the Internet Layer and finally to the Network Layer.
Question: Which type of event classification is missed by a NIDS and has the most potential to be a serious event?
Options: (True positive) (False positive) (True negative) (False negative)
Answer: False negative
( Explanation )
• False negative: A false negative event is when the IDS identifies data as benign when, in fact, it is malicious. A false negative does not generate an alert for the analyst and therefore these can be dangerous because the analyst cannot take action.
• True negative: A true negative event is what we want the IDS to see, the cases where data does not indicate any malicious activity, and the data is correct. In the case of a true negative, the IDS does not generate an alert for the analyst.
• True positive: In these cases, the IDS worked as intended and correctly flagged the activity as anomalous behavior that might be malicious. True positives generate alerts for the analyst to process.
• False positive: A false positive case is where the IDS generates an alert flagging hostile activity, which was benign. False positives generate alerts for the analyst to process, who then must decide how to handle the activity.
Question: Which access control mechanism requires a high amount of maintenance since all data must be classified, and all users granted appropriate clearance?
Options: (Mandatory) (Role-Based) (Ruleset-based) (Discretionary)
Answer: Mandatory
( Explanation )
Mandatory Access Control (MAC) is a control that is set by the system and cannot be overwritten by the administrator. MAC will require more effort to maintain, due to data classification requirements and user clearance.
INCORRECT ON PT