GIAC GIAC Information Security GSNA Questions & Answers

• Question 1:

  Which of the following commands is most useful for viewing large files?

  A. cat

  B. less

  C. touch

  D. cp

  Correct Answer: B

  The less command is most useful for viewing large files. The less command displays the output of a file one page at a time. Viewing large files through cat may take more time to scroll pages, so it is better to use the less command to see the

  content of large files.

  Answer: A is incorrect. The cat command is also used to view the content of a file, but it is most useful for viewing short files.

  Answer: D is incorrect. The cp command is used to copy files and directories from one location to another. Answer: C is incorrect. The touch command is not used to view the content of a file. It is used to create empty files or to update file

  timestamps.

• Question 2:

  Which of the following is an attempt to give false information or to deny that a real event or transaction should have occurred?

  A. A DDoS attack

  B. A repudiation attack

  C. A reply attack

  D. A dictionary attack

  Correct Answer: B

  A repudiation attack is an attempt to give false information or to deny that a real event or transaction should have occurred. Answer: A is incorrect. In a distributed denial of service (DDOS) attack, an attacker uses multiple computers throughout the network that has been previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for a DDoS attack. Answer: C is incorrect. A replay attack is a type of attack in which attackers capture packets containing passwords or digital signatures whenever packets pass between two hosts on a network. In an attempt to obtain an authenticated connection, the attackers then resend the captured packet to the system. In this type of attack, the attacker does not know the actual password, but can simply replay the captured packet. Answer: D is incorrect. Dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks.

• Question 3:

  Mark is an attacker. He wants to discover wireless LANs by listening to beacons or sending probe requests and thereby provide a launch point for further attacks.

  Which of the following tools can he use to accomplish the task?

  A. DStumbler

  B. Wellenreiter

  C. KisMAC

  D. Airmon-ng

  Correct Answer: ACD

  War driving is an attack in which the attacker discovers wireless LANs by listening to beacons or sending probe requests, thereby providing a launch point for further attacks. Airmon-ng, DStumbler, KisMAC, MacStumbler, NetStumbler,

  Wellenreiter, and WiFiFoFum are the tools that can be used to perform a war driving attack.

  Answer: B is incorrect. Wellenreiter is a tool that is used to perform MAC spoofing attacks.

• Question 4:

  Which of the following standards is used in wireless local area networks (WLANs)?

  A. IEEE 802.4

  B. IEEE 802.3

  C. IEEE 802.5

  D. IEEE 802.11b

  Correct Answer: D

  IEEE 802.11b is an extension of the 802.11 standard. It is used in wireless local area networks (WLANs) and provides 11 Mbps transmission speeds in the bandwidth of 2.4 GHz. Answer: B is incorrect. IEEE 802.3 is a standard for wired

  networks, which defines the media access control(MAC) layer for bus networks that use CSMA/CD.

  Answer: A is incorrect. IEEE 802.4 is a standard for wired networks, which defines the MAC layer for bus networks that use a token- passing mechanism.

  Answer: C is incorrect. IEEE 802.5 is a standard for wired networks, which defines the MAC layer for token-ring networks.

• Question 5:

  You are responsible for a number of Windows Server 2003 DNS servers on a large corporate network. You have decided to audit the DNS server logs.

  Which of the following are likely errors you could encounter in the log? (Choose two)

  A. The DNS server could not create FTP socket for address [IP address of server].

  B. The DNS server could not open socket for domain name [domain name of server].

  C. The DNS server could not create a Transmission Control Protocol (TCP) socket.

  D. The DNS server could not open socket for address [IP address of server].

  Correct Answer: CD

  There are a number of errors one could find in a Windows Server 2003 DNS log. They are as follows:

  The DNS server could not create a Transmission Control Protocol.

  The DNS server could not open socket for address.

  The DNS server could not initialize the Remote Procedure Call (RPC) service.

  The DNS server could not bind the main datagram socket.

  The DNS Server service relies on Active Directory to store and retrieve information for Active Directory- integrated zones.

  And several active directory errors are possible.

  Answer: A is incorrect. DNS Servers do not create FTP connections. Answer: B is incorrect. A DNS server looks up a name to return an IP, it would not and cannot connect to a domain name, it must connect to an IP address.

• Question 6:

  John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He finds that the We-are-secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server.

  He is suggesting this as a countermeasure against __________.

  A. NetBIOS NULL session

  B. DNS zone transfer

  C. IIS buffer overflow

  D. SNMP enumeration

  Correct Answer: C

  Removing the IPP printing capability from a server is a good countermeasure against an IIS buffer overflow attack. A Network Administrator should take the following steps to prevent a Web server from IIS buffer overflow attacks:

  Conduct frequent scans for server vulnerabilities.

  Install the upgrades of Microsoft service packs.

  Implement effective firewalls.

  Apply URLScan and IISLockdown utilities.

  Remove the IPP printing capability.

  Answer: B is incorrect. The following are the DNS zone transfer countermeasures:

  Do not allow

  DNS zone transfer using the DNS property sheet:

  a.

  Open DNS.

  b.

  Right-click a DNS zone and click Properties.

  c.

  On the Zone Transfer tab, clear the Allow zone transfers check box.

  Configure the master DNS server to allow zone transfers only from secondary DNS servers:

  a.

  Open DNS.

  b.

  Right-click a DNS zone and click Properties.

  c.

  On the zone transfer tab, select the Allow zone transfers check box, and then do one of the following:

  To allow zone transfers only to the DNS servers listed on the name servers tab, click on the Only to the servers listed on the Name Server tab.

  To allow zone transfers only to specific DNS servers, click Only to the following servers, and add the IP address of one or more servers.

  Deny all unauthorized inbound connections to TCP port 53.

  Implement DNS keys and encrypted DNS payloads.

  Answer: D is incorrect. The following are the countermeasures against SNMP enumeration:

  1.

  Removing the SNMP agent or disabling the SNMP service

  2.

  Changing the default PUBLIC community name when 'shutting off SNMP' is not an option

  3.

  Implementing the Group Policy security option called Additional restrictions for anonymous connections

  4.

  Restricting access to NULL session pipes and NULL session shares

  5.

  Upgrading SNMP Version 1 with the latest version

  6.

  Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets

  Answer: A is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities: 1.Removing the SNMP agent or disabling the SNMP service 2.Changing the default PUBLIC community name when 'shutting off SNMP' is not an option 3.Implementing the Group Policy security option called Additional restrictions for anonymous connections 4.Restricting access to NULL session pipes and NULL session shares 5.UpgradingSNMP Version 1 with the latest version 6.Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets answer option A is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities:

  1.

  Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a Network Administrator.

  2.

  A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.

  3.

  A Network Administrator can also restrict the anonymous user by editing the registry values:

  a.Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA. b. Choose edit > add value. Value name: RestrictAnonymous Data Type: REG_WORD Value: 2

• Question 7:

  You are tasked with configuring your routers with a minimum security standard that includes the following:

  A local Username and Password configured on the router A strong privilege mode password Encryption of user passwords Configuring telnet and ssh to authenticate against the router user database Choose the configuration that best meets

  these requirements.

  A. RouterA(config)#service password-encryption RouterA(config)#username cisco password PaS$w0Rd RouterA(config)#enable secret n56eand$te RouterA(config)#line vty 0 4 RouterA(config-line)#login

  B. RouterA(config)#service password-encryption RouterA(config)#username cisco password PaS$w0Rd RouterA(config)#enable password n56eand$te RouterA(config)#line vty 0 4 RouterA(config-line)#login local

  C. RouterA(config)#service password-encryption RouterA(config)#username cisco password PaS$w0Rd RouterA(config)#enable secret n56eand$te RouterA(config)#line vty 0 4 RouterA(config-line)#login local

  D. RouterA(config)#service enable-password-encryption RouterA(config)#username cisco password PaS$w0Rd RouterA(config)#enable secret n56eand$te RouterA(config)#line vty 0 4 RouterA(config-line)#login user

  Correct Answer: C

  In order to fulfill the requirements, you should use the following set of commands: RouterA(config)#service password-encryption RouterA(config)#username cisco password PaS$w0Rd RouterA(config)#enable secret n56eand$te RouterA (config)#line vty 0 4 RouterA(config-line)#login local Answer: D is incorrect. This configuration does not apply password encryption correctly. The command service enable-password- encryption is incorrect. The correct command is service password-encryption. Answer: A is incorrect. This configuration applies the login command to the VTY lines. This would require the password to be set at the VTY Line 0 4 level. This effectively will not configure user-level access for the VTY lines. Answer: B is incorrect. The enable password command is obsolete and considered insecure. The proper command is enable secret followed by the password value.

• Question 8:

  This is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. The main features of these tools are as follows: It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc. It is commonly used for the following purposes:

  A. War driving

  B. Detecting unauthorized access points

  C. Detecting causes of interference on a WLAN d.WEP ICV error tracking

  D. Making Graphs and Alarms on 802.11 Data, including Signal Strength This tool is known as __________.

  E. THC-Scan

  F. NetStumbler

  G. Absinthe

  H. Kismet

  Correct Answer: B

  NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. The main features of NetStumbler are as follows: It displays the signal strength of a wireless

  network, MAC address, SSID, channel details, etc. It is commonly used for the following purposes:

  a.War driving

  b.Detecting unauthorized access points

  c.Detecting causes of interference on a WLAN

  d.WEP ICV error tracking e.Making Graphs and Alarms on 802.11 Data, including Signal Strength Answer D is incorrect. Kismet is an IEEE 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.

  Answer: A is incorrect. THC-Scan is a war-dialing tool.

  Answer: C is incorrect. Absinthe is an automated SQL injection tool.

• Question 9:

  Data access auditing is a surveillance mechanism that watches over access to all sensitive information contained within the database.

  What are the questions addressed in a perfect data access auditing solution?

  A. Who accessed the data?

  B. When was the data accessed?

  C. For whom was the data accessed?

  D. What was the SQL query that accessed the data?

  Correct Answer: ABD

  The perfect data access auditing solution would address the following six questions:

  1. Who accessed the data? 2.

  When was the data accessed?

  3.Which computer program or client software was used to access the data? 4.From what location on the network was the data accessed? 5.What was the SQL query that accessed the data?

  6.Was access to the data successfully done; and if so, how many rows of data were retrieved? Answer: C is incorrect. In the perfect data access auditing solution, it cannot be determined for whom the data is being accessed. Only the person

  accessing the data can be identified.

• Question 10:

  In 1947, the American Institute of Certified Public Accountants (AICPA) adopted GAAS to establish standards for audits.

  Which of the following categories of audit standards established by GAAS are related to professional and technical competence, independence, and professional due care?

  A. Reporting standards

  B. Risk Analysis standards

  C. General standards

  D. Fieldwork standards

  Correct Answer: C

  In 1947, the American Institute of Certified Public Accountants (AICPA) adopted Generally Accepted Auditing Standards (GAAS) to establish standards for audits. The standards cover the following three categories:

  General Standards: They relate to professional and technical competence, independence, and professional due care.

  Field Work Standards: They relate to the planning of an audit, evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based. Reporting Standards: They relate to the compliance of all auditing

  standards and adequacy of disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to explicitly state their assertions.

  Answer: B is incorrect. There was no such category of standard established by GAAS.