Exam Details

  • Exam Code: GCED
  • Exam Name: GIAC Certified Enterprise Defender Practice Test
  • Certification: GIAC Information Security
  • Vendor: GIAC
  • Total Questions: 88 Q&As
  • Last Updated: May 14, 2024

GIAC Information Security GCED Questions & Answers

  • Question 11:

    Which statement below is the MOST accurate about insider threat controls?

    A. Classification of information assets helps identify data to protect.

    B. Security awareness programs have a minimal impact on reducing the insider threat.

    C. Both detective and preventative controls prevent insider attacks.

    D. Rotation of duties makes an insider threat more likely.

    E. Separation of duties encourages one employee to control a great deal of information.

  • Question 12:

    The creation of a filesystem timeline is associated with which objective?

    A. Forensic analysis

    B. First response

    C. Access control

    D. Incident eradication

  • Question 13:

    How does data classification help protect against data loss?

    A. DLP systems require classification in order to protect data

    B. Data at rest is easier to protect than data in transit

    C. Digital watermarks can be applied to sensitive data

    D. Resources and controls can be appropriately allocated

  • Question 14:

    Enabling port security prevents which of the following?

    A. Using vendors other than Cisco for switching equipment as they don't offer port security

    B. Spoofed MAC addresses from being used to cause a Denial of Service condition

    C. Legitimate MAC addresses from being used to cause a Denial of Service condition

    D. Network Access Control systems from functioning properly

  • Question 15:

    How does an Nmap connect scan work?

    A. It sends a SYN, waits for a SYN/ACK, then sends a RST.

    B. It sends a SYN, waits for an ACK, then sends a RST.

    C. It sends a SYN, waits for an ACK, then sends a SYN/ACK.

    D. It sends a SYN, waits for a SYN/ACK, then sends an ACK.

  • Question 16:

    When running an Nmap UDP scan, what would the following output indicate?

    A. The port may be open on the system or blocked by a firewall

    B. The router in front of the host accepted the request and sent a reply

    C. An ICMP unreachable message was received indicating an open port

    D. An ACK was received in response to the initial probe packet

  • Question 17:

    Which of the following would be used in order to restrict software from performing unauthorized operations, such as invalid access to memory or invalid calls to system access?

    A. Perimeter Control

    B. User Control

    C. Application Control

    D. Protocol Control

    E. Network Control

  • Question 18:

    What attack was indicated when the IDS system picked up the following text coming from the Internet to the web server?

    select user, password from user where user= "jdoe" and password= `myp@55!' union select "text",2 into outfile "/tmp/file1.txt" - - '

    A. Remote File Inclusion

    B. URL Directory Traversal

    C. SQL Injection

    D. Binary Code in HTTP Headers

  • Question 19:

    Which of the following applies to newer versions of IOS that decrease their attack surface?

    A. Telnet cannot be enabled or used

    B. The Cisco Discovery Protocol has been removed

    C. More services are disabled by default

    D. Two-factor authentication is default required

  • Question 20:

    The security team wants to detect connections that can compromise credentials by sending them in plaintext across the wire. Which of the following rules should they enable on their IDS sensor?

    A. alert tcp any 22 <> any 22 (msg:SSH connection; classtype:misc-attack; sid:122; rev:1;)

    B. alert tcp any any <> any 6000: (msg:X-Windows session; flow:from_server,established; nocase; classtype:misc-attack; sid:101; rev:1;)

    C. alert tcp any 23 <> any 23 (msg:Telnet shell; classtype:misc-attack; sid:100; rev:1;)

    D. alert udp any any <> any 5060 (msg:VOIP message; classtype:misc-attack; sid:113; rev:2;)

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only GIAC exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your GCED exam preparation and GIAC certification application, do not hesitate to visit Vcedump.com to find your solutions.