SANS - SEC530 FINAL EXAM
QUESTIONS WITH CORRECT
SOLUTIONS||100% GUARANTEED
PASS|| UPDATED 2026/2027
SYLLABUS||ALREADY A+
GRADED||<<RECENT VERSION>>
What is the Cisco IOS command to set SSH retries to 3? - ANSWER ✓ ip ssh
authentication-retries 3
What is the Cisco IOS command to disable the HTTP service? - ANSWER ✓ no
ip http server
T/F:
Routers and switches should run bootp and fingerd services. - ANSWER ✓ False.
It's best practice to disable bootp and fingerd, which are considered unnecessary
and/or legacy services.
What are the *five* ways Cisco routers log messages? - ANSWER ✓ 1) Console
logging
2) Terminal logging
3) Buffered logging
4) Syslog Server logging
5) SNMP trap logging
What is the default password security type for Cisco devices? - ANSWER ✓
Type 0 (plaintext)
What are the recommend password types for Cisco devices? - ANSWER ✓ Type
9 (SCRYPT), Type 8 (PBKDF2), or Type 5 (salted MD5)
,T/F:
The Cisco Smart Install protocol requires authentication. - ANSWER ✓ False
What is the Cisco IOS command to disable Smart Install? - ANSWER ✓ no
vstack
What does AutoSecure do for Cisco devices? - ANSWER ✓ AutoSecure
performs automatic hardening of the management plane, such as disabling CDP,
bootp, fingerd, httpd, etc.
What are the differences between Center for Internet Security (CIS) levels 1 and 2
benchmarks? - ANSWER ✓ CIS level 1 benchmarks focus on usability, while still
applying best practice security measures.
Governance - ANSWER ✓ What is the overall stance on defending against
cybersecurity? Is the focus compliance or defending against APT's?
Operations - ANSWER ✓ How integrated is cybersecurity staff? Are proactive
controls in place or are they reactive?
Architecture and Engineering - ANSWER ✓ How well defined and integrated
with mission operations are the organizations security architecture? Are
capabilities focused on some or all of the CSF?
ATT&CK - ANSWER ✓ (Adversarial Tactics, Techniques, and Common
Knowledge) A knowledge base maintained by the MITRE Corporation for listing
and explaining specific adversary tactics, techniques, and procedures.
Tool: Navigator - ANSWER ✓ Open source tool to visualize attacker tactics,
techniques, and procedures (TTP) to identify how your defenses are doing against
the ATT&CK matrix.
Tool: DETT&CT - ANSWER ✓ Open source tool that visualizes the connections
to ATT&CK
Pivot - ANSWER ✓ An attack from one system to another
, SOC Zones - ANSWER ✓ Easy containment of the various needs throughout the
business such as OT/ICS, Manufacturing, R&D, PCI Zones, business critical
applications, cloud critical hosting, and DMZ
Time Based Security - ANSWER ✓ How long protection works, and how long it
takes to detect and react. P > D + R
Cyber Killchain Countermeasures - ANSWER ✓ Detect, Deny, Disrupt, Degrade,
Decieve
Breakout Point - ANSWER ✓ The point in which lateral movement first occurs,
signaling the time in which the attack moves to more computers and becomes
exponentially more dangerous.
OODA Loop - ANSWER ✓ Observe. Orient. Decide. Act. A teaching tool
originating from military training that promotes the use of a constant cycle of
learning; in digital marketing, used to instill the use of hypothesizing,
experimentation, data capture and measurement, and then re-stating a new revised
hypothesis based on information gathered in previous experiments.
Exposure Time - ANSWER ✓ Exposure = Detection + Reaction
Visibility vs Detection - ANSWER ✓ Visibility is raw telemetry, and detection is
capability to alert on that raw telemetry.
Zero Trust 3 Concept - ANSWER ✓ Ensure all resources are accessed securely
regardless of location
Adopt a least privileged strategy and strategy enforce access control
Inspect and log all traffic
SABSA Framework Lifecycle - ANSWER ✓ Strategy and Planning > Design >
Implement > Manage & Measure
QUIC - ANSWER ✓ Quick UDP Internet Connections which can be used to
bypass scanning of items by operating over UDP port 443
Tool: Warberry - ANSWER ✓ Collection of scanning tools that run on a
raspberry PI
, Tool: USBDeview - ANSWER ✓ View the information on a USB stick such as
serial number and more
802.11w (Protected Management Frames PMF) - ANSWER ✓ An IEEE 802.11
amendment to increase security for the management frames. Upgrades SHA1 to
SHA256
Station Isolation - ANSWER ✓ Wireless clients can only speak to AP
WPA2 Personal vs Enterprise - ANSWER ✓ Personal uses a preshared key,
enterprise allows for the digital certificates and active directory (802.11x), and
higher transport security
WPA3-Enterprise - ANSWER ✓ Supports WPA2 + better authentication and
cryptographic strength.
Tool: macof - ANSWER ✓ Flood network with random MAC addresses
CAM Overflow - ANSWER ✓ Sending illegitimate MAC addresses into a
switch, which will fill the table and cause a hub operation that can expose traffic
destined to specific computers
ARP Spoofing - ANSWER ✓ Targets the endpoint such as computers and
routers, mapping new IP addresses to MAC addresses.
Tool: Ettercap - ANSWER ✓ Allows for the spoofing of ARP caches
Tool: Cain & Abel - ANSWER ✓ Allows for the spoofing of ARP caches
Dynamic ARP Inspection (DAI) - ANSWER ✓ A security feature on a switch
that monitors DHCP messages in order to detect faked ARP messages.
DHCP Starvation and Rogue DHCP - ANSWER ✓ Requests all of the DHCP
addresses, then becomes a DHCP server to give out IP addresses to act as a MITM.
QUESTIONS WITH CORRECT
SOLUTIONS||100% GUARANTEED
PASS|| UPDATED 2026/2027
SYLLABUS||ALREADY A+
GRADED||<<RECENT VERSION>>
What is the Cisco IOS command to set SSH retries to 3? - ANSWER ✓ ip ssh
authentication-retries 3
What is the Cisco IOS command to disable the HTTP service? - ANSWER ✓ no
ip http server
T/F:
Routers and switches should run bootp and fingerd services. - ANSWER ✓ False.
It's best practice to disable bootp and fingerd, which are considered unnecessary
and/or legacy services.
What are the *five* ways Cisco routers log messages? - ANSWER ✓ 1) Console
logging
2) Terminal logging
3) Buffered logging
4) Syslog Server logging
5) SNMP trap logging
What is the default password security type for Cisco devices? - ANSWER ✓
Type 0 (plaintext)
What are the recommend password types for Cisco devices? - ANSWER ✓ Type
9 (SCRYPT), Type 8 (PBKDF2), or Type 5 (salted MD5)
,T/F:
The Cisco Smart Install protocol requires authentication. - ANSWER ✓ False
What is the Cisco IOS command to disable Smart Install? - ANSWER ✓ no
vstack
What does AutoSecure do for Cisco devices? - ANSWER ✓ AutoSecure
performs automatic hardening of the management plane, such as disabling CDP,
bootp, fingerd, httpd, etc.
What are the differences between Center for Internet Security (CIS) levels 1 and 2
benchmarks? - ANSWER ✓ CIS level 1 benchmarks focus on usability, while still
applying best practice security measures.
Governance - ANSWER ✓ What is the overall stance on defending against
cybersecurity? Is the focus compliance or defending against APT's?
Operations - ANSWER ✓ How integrated is cybersecurity staff? Are proactive
controls in place or are they reactive?
Architecture and Engineering - ANSWER ✓ How well defined and integrated
with mission operations are the organizations security architecture? Are
capabilities focused on some or all of the CSF?
ATT&CK - ANSWER ✓ (Adversarial Tactics, Techniques, and Common
Knowledge) A knowledge base maintained by the MITRE Corporation for listing
and explaining specific adversary tactics, techniques, and procedures.
Tool: Navigator - ANSWER ✓ Open source tool to visualize attacker tactics,
techniques, and procedures (TTP) to identify how your defenses are doing against
the ATT&CK matrix.
Tool: DETT&CT - ANSWER ✓ Open source tool that visualizes the connections
to ATT&CK
Pivot - ANSWER ✓ An attack from one system to another
, SOC Zones - ANSWER ✓ Easy containment of the various needs throughout the
business such as OT/ICS, Manufacturing, R&D, PCI Zones, business critical
applications, cloud critical hosting, and DMZ
Time Based Security - ANSWER ✓ How long protection works, and how long it
takes to detect and react. P > D + R
Cyber Killchain Countermeasures - ANSWER ✓ Detect, Deny, Disrupt, Degrade,
Decieve
Breakout Point - ANSWER ✓ The point in which lateral movement first occurs,
signaling the time in which the attack moves to more computers and becomes
exponentially more dangerous.
OODA Loop - ANSWER ✓ Observe. Orient. Decide. Act. A teaching tool
originating from military training that promotes the use of a constant cycle of
learning; in digital marketing, used to instill the use of hypothesizing,
experimentation, data capture and measurement, and then re-stating a new revised
hypothesis based on information gathered in previous experiments.
Exposure Time - ANSWER ✓ Exposure = Detection + Reaction
Visibility vs Detection - ANSWER ✓ Visibility is raw telemetry, and detection is
capability to alert on that raw telemetry.
Zero Trust 3 Concept - ANSWER ✓ Ensure all resources are accessed securely
regardless of location
Adopt a least privileged strategy and strategy enforce access control
Inspect and log all traffic
SABSA Framework Lifecycle - ANSWER ✓ Strategy and Planning > Design >
Implement > Manage & Measure
QUIC - ANSWER ✓ Quick UDP Internet Connections which can be used to
bypass scanning of items by operating over UDP port 443
Tool: Warberry - ANSWER ✓ Collection of scanning tools that run on a
raspberry PI
, Tool: USBDeview - ANSWER ✓ View the information on a USB stick such as
serial number and more
802.11w (Protected Management Frames PMF) - ANSWER ✓ An IEEE 802.11
amendment to increase security for the management frames. Upgrades SHA1 to
SHA256
Station Isolation - ANSWER ✓ Wireless clients can only speak to AP
WPA2 Personal vs Enterprise - ANSWER ✓ Personal uses a preshared key,
enterprise allows for the digital certificates and active directory (802.11x), and
higher transport security
WPA3-Enterprise - ANSWER ✓ Supports WPA2 + better authentication and
cryptographic strength.
Tool: macof - ANSWER ✓ Flood network with random MAC addresses
CAM Overflow - ANSWER ✓ Sending illegitimate MAC addresses into a
switch, which will fill the table and cause a hub operation that can expose traffic
destined to specific computers
ARP Spoofing - ANSWER ✓ Targets the endpoint such as computers and
routers, mapping new IP addresses to MAC addresses.
Tool: Ettercap - ANSWER ✓ Allows for the spoofing of ARP caches
Tool: Cain & Abel - ANSWER ✓ Allows for the spoofing of ARP caches
Dynamic ARP Inspection (DAI) - ANSWER ✓ A security feature on a switch
that monitors DHCP messages in order to detect faked ARP messages.
DHCP Starvation and Rogue DHCP - ANSWER ✓ Requests all of the DHCP
addresses, then becomes a DHCP server to give out IP addresses to act as a MITM.
