GIAC GIAC Information Security GCED Questions & Answers

• Question 41:

  Which type of attack could be used to obtain IOS router configuration files without a valid user password?

  A. ARP cache poisoning

  B. CDP sniffing

  C. SNMP man in the middle

  D. TFTP brute force

  Correct Answer: D

  Explanation: TFTP is a protocol to transfer files and commonly used with routers for configuration files, IOS images, and more. It requires no authentication. To download a file you need only know (or guess) its name. CDP, SNMP and ARP are not used for accessing or transferring IOS configuration files.

• Question 42:

  How would an attacker use the following configuration settings?

  

  A. A client based HIDS evasion attack

  B. A firewall based DDoS attack

  C. A router based MITM attack

  D. A switch based VLAN hopping attack

  Correct Answer: C

• Question 43:

  What is the most common read-only SNMP community string usually called?

  A. private

  B. mib

  C. open

  D. public

  Correct Answer: D

• Question 44:

  What would a penetration tester expect to access after the following metasploit payload is delivered successfully?

  Set PAYLOAD windows / shell / reverse _ tcp

  A. VNC server session on the target

  B. A netcat listener on the target

  C. A meterpreter prompt on the target

  D. A command prompt on the target

  Correct Answer: D

  Explanation: set PAYLOAD windows/shell/reverse_tcp should get you to a command prompt on the host system. A different payload is used to get a meterpreter session. This payload does not start a VNC server or netcat listener on the target system.

• Question 45:

  Requiring background checks for employees who access protected data is an example of which type of data loss control?

  A. Mitigation

  B. Prevention

  C. Monitoring

  D. Identification

  Correct Answer: B

  Explanation: Once sensitive data is identified and classified, preventive measures can be taken. Among these are software-based controls, such as auditing and access control, as well as human controls such as background checks, psychological examinations, and such.

• Question 46:

  Which of the following is an operational security control that is used as a prevention mechanism?

  A. Labeling of assets

  B. Heat detectors

  C. Vibration alarms

  D. Voltage regulators

  Correct Answer: A

  Explanation: The following are considered operational security prevention controls: Security gates, guards, and dogs; Heating, ventilation, and air conditioning (HVAC); Fire suppressant; Labeling of assets (classification and responsible agents); Off-site storage (recovery); Safes and locks. The other distractors are considered operational security detection controls.

• Question 47:

  Why would a Cisco network device with the latest updates and patches have the service config setting enabled, making the device vulnerable to the TFTP Server Attack?

  A. Disabling telnet enables the setting on the network device.

  B. This setting is enabled by default in the current Cisco IOS.

  C. Allowing remote administration using SSH under the Cisco IOS also enables the setting.

  D. An attack by Cisco Global Exploiter will automatically enable the setting.

  E. This older default IOS setting was inherited from an older configuration despite the upgrade.

  Correct Answer: B

  Explanation: Enabling the service config setting causes a Cisco router to be vulnerable to the TFTP Server Attack since it will actively try to retrieve a new configuration file from the nearest TFTP server. An attacker can insert a malicious update file in this process to compromise the Cisco router.

  The service config setting was disabled by default in the Cisco IOS in version 12.0, but had been enabled by default in the 11.x series of the IOS trains. This feature is often enabled in later versions since organizations don't always realize the risk of this setting and will leave it enabled as the migrate through multiple IOS upgrades.

  The other items listed don't enable the service config setting.

• Question 48:

  In order to determine if network traffic adheres to expected usage and complies with technical standards, an organization would use a device that provides which functionality?

  A. Stateful packet filtering

  B. Signature matching

  C. Protocol anomaly detection

  D. CRC checking

  E. Forward error correction

  Correct Answer: C

  Explanation: In addition to standards compliance, Protocol Anomaly Detection determines whether data within the protocol adheres to expected usage. Even if a communication stream complies with a protocol standard, the way in which the protocol is being used may be inconsistent with what is expected. Perimeter devices that perform protocol anomaly detection contain in-depth knowledge of protocol standards and expected usage and are able to detect traffic that does not comply with those guidelines.

• Question 49:

  Which of the following tools is the most capable for removing the unwanted add-on in the screenshot below?

  

  A. ProcessExplorer

  B. Taskkill

  C. Paros

  D. Hijack This

  Correct Answer: B

• Question 50:

  An analyst will capture traffic from an air-gapped network that does not use DNS. The analyst is looking for unencrypted Syslog data being transmitted. Which of the following is most efficient for this purpose?

  A. tcpdump –s0 –i eth0 port 514

  B. tcpdump –nnvvX –i eth0 port 6514

  C. tcpdump –nX –i eth0 port 514

  D. tcpdump –vv –i eth0 port 6514

  Correct Answer: B

  When using tcpdump, a –n switch will tell the tool to not resolve hostnames; as this network makes no use of DNS this is efficient. The –vv switch increases the tools output verbosity. The –s0 increases the snaplength to “all” rather than the default of 96 bytes. The –nnvvX would make sense here except that the port in the filter is 6514 which is the default port for encrypted Syslog transmissions.