QUESTION NO: 1
Sarah works as a Web Developer for XYZ CORP. She is creating a Web site for her company.
Sarah wants greater control over the appearance and presentation of Web pages. She wants the
ability to precisely specify the display attributes and the appearance of elements on the Web
pages.
A.
Use the Database Design wizard.
B.
Make two templates, one for the index page and the other for all other pages.
C.
Use Cascading Style Sheet (CSS).
D.
Make a template and use it to create each Web page.
Answer: C
Explanation:
Sarah should use the Cascading Style Sheet (CSS) while creating Web pages. This will give her
greater control over the appearance and presentation of the Web pages and will also enable her to
precisely specify the display attributes and the appearance of elements on the Web pages.
QUESTION NO: 2
You work as a Network Administrator for XYZ CORP. The company has a Windows Server 2008
network environment. The network is configured as a Windows Active Directory-based single
forest single domain network. You have installed a Windows Server 2008 computer. You have
configured auditing on this server. The client computers of the company use the Windows XP
Professional operating system. You want to audit each event that is related to a user managing an
account in the user database on the computer where the auditing is configured. To accomplish the
task, you have enabled the Audit account management option on the server.
Which of the following events can be audited by enabling this audit option?
B.
Change of password for a user account
C.
Addition of a user account to a group
D.
Creation of a user account
Answer: B,C,D
Explanation:
Audit account management is one of the nine audit policy categories that can be configured on a
Windows computer. It is enabled to audit each event that is related to a user managing an account
in the user database on the computer where auditing is configured. These events include creating,
changing, or deleting a user account or group; renaming, disabling, or enabling a user account;
adding a user account to a group; and setting or changing a password. On Windows Server 2008
they appear in the Security log as, for example, event 4720 (user account created), 4723
(password change attempted), 4724 (password reset attempted), and 4728/4732/4756 (member
added to a global, local, or universal security group).
On a domain controller, this option also audits changes to domain accounts.
QUESTION NO: 3
John works as a contract Ethical Hacker. He has recently got a project to do security checking for
www.we-are-secure.com. He wants to find out the operating system of the we-are-secure server in
the information gathering step.
Which of the following commands will he use to accomplish the task? (Choose two.)
A.
nc 208.100.2.25 23
B.
nmap -v -O www.we-are-secure.com
C.
nc -v -n 208.100.2.25 80
D.
nmap -v -O 208.100.2.25
Answer: B,D
Explanation:
According to the scenario, John will use "nmap -v -O 208.100.2.25" to detect the operating system
of the we-are-secure server. Here, -v enables verbose output and -O enables TCP/IP stack
fingerprinting, in which Nmap sends crafted probes and matches the responses against its
fingerprint database to guess the remote operating system. John may also use the DNS name of
we-are-secure instead of the IP address, so "nmap -v -O www.we-are-secure.com" works as well.
Answer: A, C are incorrect. Both are Netcat commands. They open a plain TCP connection (to port
23 and port 80 respectively) and can be used to grab a service banner, which may hint at the
platform but does not fingerprint the TCP/IP stack. In C, -v is verbose and -n skips DNS resolution.
QUESTION NO: 4
You check performance logs and note that there has been a recent dramatic increase in the
amount of broadcast traffic. What is this most likely to be an indicator of?
A.
Misconfigured router
B.
DoS attack
C.
Syn flood
D.
Virus
Answer: B
Explanation:
There are several denial of service (DoS) attacks that specifically use broadcast traffic to flood a
targeted computer. Seeing an unexplained spike in broadcast traffic could be an indicator of an
attempted denial of service attack.
Answer: D is incorrect. Viruses can cause an increase in network traffic, and some of it may be
broadcast traffic. However, a DoS attack is the more likely cause of this particular symptom.
Answer: C is incorrect. A SYN flood sends unicast SYN packets to exhaust a host's TCP connection
queue; it does not cause increased broadcast traffic.
Answer: A is incorrect. A misconfigured router can produce broadcast storms, but because this is a
recent change rather than a standing condition, the router is unlikely to be the issue.
QUESTION NO: 5
You run the wc -c file1.txt command. If this command displays any error message, you want to
store the error message in the error.txt file. Which of the following commands will you use to
accomplish the task?
A.
wc -c file1.txt >>error.txt
B.
wc -c file1.txt 1>error.txt
C.
wc -c file1.txt 2>error.txt
D.
wc -c file1.txt >error.txt
Answer: C
Explanation:
According to the scenario, you will use the wc -c file1.txt 2>error.txt command to accomplish the
task. The 2> operator redirects file descriptor 2, standard error, so any error message the
command prints (for example, if file1.txt does not exist) is written to error.txt, while the normal
output still goes to the terminal.
The > or 1> operator redirects file descriptor 1, standard output. It would send the byte count of
file1.txt to error.txt and leave any error message on the terminal, the opposite of what is wanted.
Answer: A is incorrect.
The >> operator also redirects standard output, in the same manner as > or 1>, except that it
appends to error.txt instead of overwriting it.
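The following is an added example, not part of the original question set. It runs wc -c against a constructed temporary directory holding one real file and one deliberately missing file, so that wc produces both normal output and an error, and shows which of the two streams each operator (2>, 1>, 2>&1, >>) captures in error.txt.

```shell
#!/bin/sh
# Added example, not from the original page: shows which stream each
# redirection operator captures. Uses a constructed temporary directory
# with one real file (file1.txt, 6 bytes) and one deliberately missing
# file (missing.txt) so that wc produces both normal output and an error.

DEMO=$(mktemp -d)
printf 'hello\n' > "$DEMO/file1.txt"

# Run "wc -c" on both files, applying the operator given as $1 to
# error.txt and discarding the other stream. Prints how many lines
# ended up in error.txt. "|| true" keeps wc's non-zero exit (caused by
# the missing file) from stopping a caller that runs under "set -e".
lines_captured() {
  f1="$DEMO/file1.txt"; f2="$DEMO/missing.txt"; err="$DEMO/error.txt"
  : > "$err"
  case "$1" in
    '2>')   wc -c "$f1" "$f2" 2>"$err" >/dev/null  || true ;;  # stderr only
    '1>')   wc -c "$f1" "$f2" 1>"$err" 2>/dev/null || true ;;  # stdout only
    '2>&1') wc -c "$f1" "$f2" >"$err" 2>&1         || true ;;  # both, into one file
    '>>')   wc -c "$f1" "$f2" >>"$err" 2>/dev/null || true     # stdout, appended:
            wc -c "$f1" "$f2" >>"$err" 2>/dev/null || true ;;  # second run grows the file
  esac
  wc -l < "$err" | tr -d ' '
}

# Prints 1 if error.txt currently holds wc's "No such file" message, else 0.
captured_error() {
  grep -c 'No such file' "$DEMO/error.txt" || true
}

# Walk through the operators and report what each one captured.
for op in '2>' '1>' '2>&1' '>>'; do
  printf '%-5s -> %s line(s) in error.txt, error message present: %s\n' \
    "$op" "$(lines_captured "$op")" "$(captured_error)"
done
```

With 2> only the single error line lands in error.txt; with 1> the two output lines (the count and the total) land there and the error still goes to the terminal; 2>&1 captures all three; and the second >> run doubles the file to four lines because it appends rather than overwrites.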
QUESTION NO: 6
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He wants to forward all the
kernel messages to the remote host having IP address 192.168.0.1. Which of the following
changes will he perform in the syslog.conf file to accomplish the task?
A.
kern.* @192.168.0.1
B.
!*.* @192.168.0.1
C.
!kern.* @192.168.0.1
D.
*.* @192.168.0.1
Answer: A
Explanation:
According to the scenario, John will add the following entry to the syslog.conf file to forward all
kernel messages to the remote host with IP address 192.168.0.1: kern.* @192.168.0.1
The selector kern.* matches the kern facility at every priority, and the action @host sends the
matching messages to the remote syslog daemon over UDP port 514. Plain UDP syslog is neither
encrypted nor authenticated, so the receiving host should sit on a trusted management network;
rsyslog accepts @@host for TCP transport and also supports TLS.
Answer: B is incorrect.
A leading ! is not a facility.priority selector, so this entry will not forward any message to the
remote host with IP address 192.168.0.1.
Answer: C is incorrect.
For the same reason, this entry will not forward any kernel message to the remote host with IP
address 192.168.0.1.
Answer: D is incorrect.
*.* @192.168.0.1 forwards every message from every facility, not only the kernel messages.
QUESTION NO: 7
John works as a Security Professional. He is assigned a project to test the security of www.we-
are-secure.com. John wants to get the information of all network connections and listening ports in
the numerical form. Which of the following commands will he use?
A.
netstat -e
B.
netstat –r
C.
netstat -s
D.
netstat -an
Answer: D
Explanation:
According to the scenario, John will use the netstat -an command to accomplish the task. The -a
option lists all sockets, including ports in the listening state, and -n prints addresses and port
numbers in numeric form instead of resolving them to host and service names (which is also faster
and avoids DNS lookups that could alert a target). The netstat command displays protocol-related
statistics and the state of current TCP/IP connections: the open connections on a computer,
incoming and outgoing data, and the ports of the remote computers to which the computer is
connected. It reads this information from the kernel's networking tables (on Linux, through the
/proc/net files).
Answer: A is incorrect. The netstat -e command displays Ethernet interface statistics on Windows
(on Linux it adds extended detail to the socket listing).
Answer: B is incorrect. The netstat -r command displays the routing table information.
Answer: C is incorrect. The netstat -s command displays per-protocol statistics.
QUESTION NO: 8
John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He wants to use Kismet as a wireless sniffer to sniff the We-
are-secure network. Which of the following IEEE-based traffic can be sniffed with Kismet?
A.
802.11g
B.
802.11n
C.
802.11b
D.
802.11a
Answer: A,B,C,D
Explanation:
Kismet can sniff IEEE 802.11a, 802.11b, 802.11g, and 802.11n-based wireless network traffic.
QUESTION NO: 9
Which of the following statements about the traceroute utility are true?
A.
It uses ICMP echo packets to display the Fully Qualified Domain Name (FQDN) and the IP
address of each gateway along the route to the remote host.
B.
It records the time taken for a round trip for each packet at each router.
C.
It is an online tool that performs polymorphic shell code attacks.
D.
It generates a buffer overflow exploit by transforming an attack shell code so that the new attack
shell code cannot be recognized by any Intrusion Detection Systems.
Answer: A,B
Explanation:
Traceroute is a route-tracing utility that displays the path an IP packet takes to reach its
destination. It sends probes with increasing time-to-live (TTL) values; each gateway that
decrements the TTL to zero returns an ICMP Time Exceeded message, which reveals that gateway's
IP address and, with a reverse DNS lookup, its Fully Qualified Domain Name (FQDN). The Windows
tracert utility uses ICMP echo request packets as probes, as the answer states; the classic Unix
traceroute sends UDP datagrams to high-numbered ports by default and can use ICMP echo (-I) or
TCP SYN (-T) probes instead. The tool also records the round-trip time of each probe at each router,
which can be used to find a faulty or slow router along the path.
Answer: C, D are incorrect. Traceroute does not perform polymorphic shellcode attacks. Tools such
as ADMutate are used to produce polymorphic shellcode that evades signature-based Intrusion
Detection Systems.
QUESTION NO: 10
George works as an office assistant in Soft Well Inc. The company uses the Windows Vista
operating system. He wants to disable a program running on a computer. Which of the following
Windows Defender tools will he use to accomplish the task?
A.
Allowed items
B.
Quarantined items
C.
Options
D.
Software Explorer
Answer: D
Explanation:
Software Explorer in Windows Defender (Windows Vista) lists the programs that start with Windows,
are currently running, or use the network, and lets a user disable, enable, or remove them. George
will use it to disable the program.
Answer: A is incorrect. Allowed items contains a list of all the programs that a user has chosen not
to monitor with Windows Defender.
Answer: C is incorrect. Options is used to choose how Windows Defender should monitor all the
programs running on a computer.
Answer: B is incorrect. Quarantined items are used to remove or restore a program blocked by
Windows Defender.
QUESTION NO: 11
You work as a Network Administrator for XYZ CORP. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company's management has decided to provide laptops to its sales team
members. These laptops are equipped with smart card readers. The laptops will be configured as
wireless network clients. You are required to accomplish the following tasks:
The laptop users should be able to use smart cards for getting authenticated.
The wireless network communication should be secured.
To accomplish the tasks, you configure 802.1x with WEP on the wireless network and PEAP-MS-
CHAP v2 for authentication. Which of the following will happen?
A.
Both tasks will be accomplished.
B.
The laptop users will be able to use smart cards for getting authenticated.
C.
The wireless network communication will be secured.
D.
None of the tasks will be accomplished.
Answer: C
Explanation:
As 802.1x and WEP are configured, this step meets the requirement to secure the wireless network
communication (in practice WEP is cryptographically broken and should be replaced by WPA2 or
WPA3). For authentication, you have configured PEAP-MS-CHAP v2. This protocol can be used for
authentication on wireless networks, but it authenticates the user with a name and password inside
a TLS tunnel: only the server needs a certificate, and the client presents none. Smart card logon
requires a certificate-based EAP method such as EAP-TLS (or PEAP with EAP-TLS inside), backed
by a public key infrastructure (PKI) that issues user certificates to the cards. Hence, the laptop users
will not be able to use smart cards for getting authenticated.
QUESTION NO: 12
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to print the superblock and block group information for the filesystem present on a
system. Which of the following Unix commands can you use to accomplish the task?
A.
e2fsck
B.
dump
C.
dumpe2fs
D.
e2label
Answer: C
Explanation:
In Unix, the dumpe2fs command prints the superblock and block group information of an ext2/ext3/
ext4 filesystem.
Answer: A is incorrect. In Unix, the e2fsck command checks and repairs an ext2 filesystem.
Answer: B is incorrect. In Unix, the dump command is used to back up an ext2 filesystem.
Answer: D is incorrect. In Unix, the e2label command displays or changes the label of an ext2
filesystem.
QUESTION NO: 13
Which of the following is a wireless auditing tool that is used to pinpoint the actual physical
location of wireless devices in the network?
A.
KisMAC
B.
Ekahau
C.
Kismet
D.
AirSnort
Answer: B
Explanation:
Ekahau is an easy-to-use, powerful, and comprehensive tool for network site surveys and
optimization. It is an auditing tool that can be used to pinpoint the actual physical location of
wireless devices in the network. This tool can be used to make a map of the office and then
perform the survey of the office. In the process, if one finds an unknown node, Ekahau can be
used to locate that node.
Answer: D is incorrect. AirSnort is a Linux-based WLAN WEP cracking tool that recovers
encryption keys. AirSnort operates by passively monitoring transmissions. It uses a ciphertext-only
attack and captures approximately 5 to 10 million packets to recover the WEP keys.
Answer: C is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.
Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the
following tasks:
Answer: A is incorrect. KisMAC is a wireless network discovery tool for Mac OS X. It has a wide
range of features, similar to those of Kismet, its Linux/BSD namesake and far exceeding those of
NetStumbler, its closest equivalent on Windows. The program is geared toward network security
professionals, and is not as novice-friendly as similar applications. KisMAC will scan for networks
passively on supported cards - including Apple's AirPort, and AirPort Extreme, and many third-
party cards, and actively on any card supported by Mac OS X itself. Cracking of WEP and WPA
keys, both by brute force, and exploiting flaws such as weak scheduling and badly generated keys
is supported when a card capable of monitor mode is used, and packet reinjection can be done
with a supported card. GPS mapping can be performed when an NMEA compatible GPS receiver
is attached. Data can also be saved in pcap format and loaded into programs such as Wireshark.
QUESTION NO: 14
Which of the following tools works both as an encryption-cracking tool and as a keylogger?
A.
Magic Lantern
B.
KeyGhost Keylogger
C.
Alchemy Remote Executor
D.
SocketShield
Answer: A
Explanation:
Magic Lantern is keystroke-logging software reported to have been developed by the FBI. It records
keystrokes to capture the passphrases that protect encrypted files and communications, so it works
both as a keylogger and as a means of defeating encryption.
Answer: C is incorrect. Alchemy Remote Executor is a system management tool that allows
Network Administrators to execute programs on remote network computers without leaving their
workplace. From the hacker's point of view, it can be useful for installing keyloggers, spyware,
Trojans, Windows rootkits and such. One necessary condition for using the Alchemy Remote
Executor is that the user/attacker must have the administrative passwords of the remote
computers on which the malware is to be installed.
Answer: B is incorrect. The KeyGhost keylogger is a hardware keylogger that is used to log all
keystrokes on a computer. It is a tiny device that clips onto the keyboard cable. Once the
KeyGhost keylogger is attached to the computer, it quietly logs every key pressed on the keyboard
into its own internal flash memory. When the log becomes full, it overwrites the oldest keystrokes
with the newest ones.
Answer: D is incorrect. SocketShield is a browser-exploit protection tool that works at two levels:
1. Blocking: At this level, SocketShield uses a list of IP addresses that are known as purveyors of
exploits. All HTTP requests for any page in these domains are simply blocked.
2. Shielding: At this level, SocketShield blocks all the current and past IP addresses that are the
cause of unauthorized access.
QUESTION NO: 15
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to set some terminal characteristics and environment variables. Which of the following
Unix configuration files can you use to accomplish the task?
A.
/etc/sysconfig/routed
B.
/proc/net
C.
/etc/sysconfig/network-scripts/ifcfg-interface
D.
/etc/sysconfig/init
Answer: D
Explanation:
In Unix, the /etc/sysconfig/init file is used to set terminal characteristics and environment variables.
Answer: B is incorrect. In Unix, the /proc/net directory contains status information about the network
protocols.
Answer: A is incorrect. In Unix, the /etc/sysconfig/routed file is used to set up the dynamic routing
policies.
Answer: C is incorrect. The /etc/sysconfig/network-scripts/ifcfg-interface files hold the per-interface
network configuration (address, netmask, boot protocol).
QUESTION NO: 16
You work as a Network Auditor for XYZ CORP. The company has a Windows-based network.
While auditing the company's network, you are facing problems in searching the faults and other
entities that belong to it. Which of the following risks may occur due to the existence of these
problems?
A.
Residual risk
B.
Inherent risk
C.
Secondary risk
D.
Detection risk
Answer: D
Explanation:
Detection risk is the risk that an auditor's procedures will not detect a material condition (fault)
that actually exists, so that the audit reports a clean result when it should not. Detection risk has
two components:
Sampling risk: This risk occurs when an auditor falsely accepts or erroneously rejects an audit
sample because the sample was not representative of the population.
Nonsampling risk: This risk occurs when an auditor fails to detect a condition because an
inappropriate procedure was applied, or because the procedures used were inconsistent with the
audit objectives (detection faults).
Answer: A is incorrect. Residual risk is the risk that remains after all feasible controls have been
applied; in the economic sense, residual means "the quantity left over at the end of a process; a
remainder". A common formulation is residual risk = (inherent risk) x (control risk), where inherent
risk is a function of threats and vulnerabilities.
Answer: B is incorrect. Inherent risk, in auditing, is the risk that the account or section being
audited is materially misstated because of error or fraud, assessed without considering internal
controls. The assessment of inherent risk depends on the professional judgment of the auditor, and
it is done after assessing the business environment of the entity being audited.
Answer: C is incorrect. Secondary risk is a risk that arises as a direct result of implementing a
response to another risk.
QUESTION NO: 17
Which of the following statements are true about locating rogue access points using WLAN
discovery software such as NetStumbler, Kismet, or MacStumbler if you are using a Laptop
integrated with Wi-Fi compliant MiniPCI card? (Choose two.)
A.
These tools can determine the rogue access point even when it is attached to a wired network.
B.
These tools can determine the authorization status of an access point.
C.
These tools cannot detect rogue access points if the victim is using data encryption.
D.
These tools detect rogue access points if the victim is using IEEE 802.11 frequency bands.
Answer: B,D
Explanation:
WLAN discovery software such as NetStumbler, Kismet, or MacStumbler detects access points that
transmit in the IEEE 802.11 frequency bands, using the laptop's own Wi-Fi card. An access point
using non-802.11 frequency bands or unusual modulations may not be detected. The authorization
status of a detected access point is established by comparing its BSSID (MAC address) and SSID
against the inventory of sanctioned access points; any device not in the inventory is treated as
rogue. A rogue access point (AP) may also be set up deliberately by an attacker in an enterprise's
network. The attacker captures packets in the existing wireless LAN (WLAN), finds the SSID and
recovers the security keys (by cracking), then sets up his own AP using the same SSID and security
keys. The network clients unknowingly use this AP and the attacker captures their user names and
passwords, which can give him access to the enterprise data.
Answer: A, C are incorrect. These tools still detect rogue access points when the victim's network
uses data encryption, because discovery relies on beacon and probe frames, which are not
encrypted. However, they observe radio signals only and cannot determine whether a rogue access
point is attached to the wired network; that takes a wired-side check, such as a MAC address
inventory on the switches.
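The check behind the "authorization status" point above, as an added example that is not part of the original page: a discovery-tool survey is compared against an inventory of authorized access points. Both the inventory and the survey export are constructed data for the demo, and the CSV layout (BSSID, SSID, channel, encryption) is an assumption about the export format rather than any specific tool's output.

```shell
#!/bin/sh
# Added example, not from the original page: compares a discovery-tool
# survey against an inventory of authorized access points, which is how
# the "authorization status" of a detected AP is actually decided.
# Both data sets below are constructed for the demo.

TAB=$(printf '\t')

# Inventory of authorized APs: BSSID<TAB>SSID (constructed).
authorized_aps() {
  printf '%s\n' \
    "00:11:22:33:44:01${TAB}CorpWiFi" \
    "00:11:22:33:44:02${TAB}CorpWiFi"
}

# Survey export as a discovery tool might produce it, in an assumed
# BSSID,SSID,channel,encryption layout (constructed).
observed_aps() {
  printf '%s\n' \
    '00:11:22:33:44:01,CorpWiFi,6,WPA2' \
    '00:11:22:33:44:02,CorpWiFi,11,WPA2' \
    'AA:BB:CC:DD:EE:01,CorpWiFi,1,WPA2' \
    'DE:AD:BE:EF:00:01,linksys,6,None'
}

# Prints one line per unauthorized BSSID: BSSID<TAB>SSID<TAB>encryption<TAB>verdict.
# An unknown BSSID that advertises a corporate SSID is flagged separately,
# because that is the evil-twin pattern described above.
find_rogues() {
  inv=$(mktemp); obs=$(mktemp)
  authorized_aps > "$inv"; observed_aps > "$obs"
  awk -F '\t' '
    NR == FNR { ok[tolower($1)] = 1; corp[$2] = 1; next }   # first file: inventory
    {
      split($0, f, ",")
      if (tolower(f[1]) in ok) next                          # authorized, skip
      verdict = (f[2] in corp) ? "unauthorized BSSID using corporate SSID" : "unknown AP"
      print f[1] "\t" f[2] "\t" f[4] "\t" verdict
    }' "$inv" "$obs"
  rm -f "$inv" "$obs"
}

find_rogues
```

Matching is on BSSID rather than SSID because an attacker can copy the SSID freely, while the BSSID is what the inventory actually records; an unauthorized BSSID that still advertises the corporate SSID is the case worth investigating first.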
QUESTION NO: 18
A Web developer with your company wants to have wireless access for contractors that come in to
work on various projects. The process of getting this approved takes time. So rather than wait, he
has put his own wireless router attached to one of the network ports in his department. What
security risk does this present?
A.
None, adding a wireless access point is a common task and not a security risk.
B.
It is likely to increase network traffic and slow down network performance.
C.
This circumvents network intrusion detection.
D.
An unauthorized WAP is one way for hackers to get into a network.
Answer: D
Explanation:
Any unauthorized Wireless Access Point (WAP) is a serious security breach. Because it was never
reviewed, its configuration may be very insecure: for example, it might run without encryption (or
with broken WEP) and without even MAC filtering, allowing anyone in radio range to join the internal
network and bypass the perimeter firewall.
QUESTION NO: 19
Which of the following allows the use of multiple virtual servers using different DNS names
resolved by the same IP address?
A.
HTTP 1.1
B.
JAVA
C.
HTML
D.
VPN
Answer: A
Explanation:
HTTP 1.1 allows the use of multiple virtual servers, all using different DNS names resolved by the
same IP address. HTTP/1.1 made the Host request header mandatory, so the server can tell from
each request which of the names it hosts the client intended, even though all of them resolve to the
same address. The WWW service supports a concept called virtual server. A virtual server can be
used to host multiple domain names on the same physical Web server. Using virtual servers,
multiple FTP sites and Web sites can be hosted on a single computer, so there is no need to
allocate different computers and software packages for each site.
Answer: D is incorrect. VPN stands for virtual private network. It allows users to use the Internet as
a secure pipeline to their corporate local area networks (LANs). Remote users can dial in to any
local Internet Service Provider (ISP) and initiate a VPN session to connect to their corporate LAN
over the Internet. Companies using VPNs significantly reduce long-distance dial-up charges. VPNs
also provide remote employees with an inexpensive way of remaining connected to their
company's LAN for extended periods.
Answer: C is incorrect. HTML stands for Hypertext Markup Language. It is a set of markup
symbols or codes used to create Web pages and define formatting specifications. The markup
tells the Web browser how to display the content of the Web page.
QUESTION NO: 20
Which of the following is Microsoft's implementation of the file and application server for the
Internet and private intranets?
A.
Internet Server Service (ISS)
B.
Internet Server (IS)
C.
WWW Server (WWWS)
D.
Internet Information Server (IIS)
Answer: D
Explanation:
Microsoft Internet Information Server (IIS) is a Web application server for the Internet and private
intranets. IIS receives requests from users on the network using the World Wide Web (WWW)
service and transmits information using the Hypertext Transfer Protocol (HTTP). IIS uses
Microsoft Transaction Server (MTS) to provide security, performance, and scalability with server-
side packages.
QUESTION NO: 21
Which of the following encryption modes does Wired Equivalent Privacy (WEP) support? (Choose
three.)
A.
128 bit encryption
B.
No encryption
C.
256 bit encryption
D.
40 bit encryption
Answer: A,B,D
Explanation:
WEP supports three encryption modes, i.e., no encryption, 40 bit encryption, and 128 bit
encryption (vendors label the keys inconsistently: the "40 bit" key is 64 bits including the 24-bit
initialization vector, and the "128 bit" key has 104 secret bits plus the same 24-bit IV). Wired
Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs) defined in
the original IEEE 802.11 standard. It has two components, authentication and encryption, and was
intended to give wireless networks privacy equivalent to that of a wired network. WEP encrypts each
frame with the RC4 stream cipher keyed from a fixed shared secret plus a per-frame initialization
vector, and appends a CRC-32 integrity check value. Because the key stream repeats when IVs
repeat and CRC-32 is linear, WEP is cryptographically broken (tools such as AirSnort recover the
key from captured traffic) and must not be relied on; WPA2 or WPA3 should be used instead.
QUESTION NO: 22
Which of the following responsibilities does not come under the audit process?
A.
Reporting all facts and circumstances of the irregular and illegal acts.
B.
Planning the IT audit engagement based on the assessed level of risk.
C.
Reviewing the results of the audit procedures.
D.
Applying security policies.
Answer: A,B,C
Explanation:
According to the standards of ISACA, an auditor holds the following responsibilities:
Planning the IT audit engagement based on the assessed level of risk.
Reviewing the results of the audit procedures.
Determining why the internal control system failed for an irregular or illegal act.
Reporting all facts and circumstances of the irregular and illegal acts.
Answer: D is incorrect. The auditor is not responsible for applying security policies. That is the
responsibility of management, and doing it would compromise the auditor's independence.
QUESTION NO: 23
You are responsible for a large network that has its own DNS servers. You periodically check the
log to see if there are any problems. Which of the following are likely errors you might encounter in
the log? (Choose three)
A.
The DNS server could not create FTP socket for address [IP address of server]
C.
Active Directory Errors
D.
The DNS server could not create a Transmission Control Protocol (TCP) socket
E.
The DNS server could not initialize the Remote Procedure Call (RPC) service
Answer: C,D,E
Explanation:
The following are typical errors recorded in a Windows Server 2003 DNS log:
The DNS server could not create a Transmission Control Protocol (TCP) socket.
The DNS server could not initialize the Remote Procedure Call (RPC) service.
The DNS server could not bind the main datagram socket.
Active Directory errors: the DNS Server service relies on Active Directory to store and retrieve
information for Active Directory-integrated zones, so directory problems appear in the DNS log.
Answer: A is incorrect. The DNS service does not use FTP and opens no FTP socket; it listens on
UDP and TCP port 53.
QUESTION NO: 24
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote
device during standard layer 4 network communications. The combination of parameters may then
be used to infer the remote operating system (OS fingerprinting), or incorporated into a device
fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack
fingerprinting?
A.
nmap -sS
B.
nmap -sU -p
C.
nmap -O -p
D.
nmap -sT
Answer: C
Explanation:
The -O switch turns on Nmap's OS detection, which fingerprints the remote TCP/IP stack by sending
crafted TCP, UDP, and ICMP probes and comparing the responses against its fingerprint database;
-p selects the ports to scan, and OS detection is most reliable when the scan finds at least one
open and one closed TCP port. Note that this is active fingerprinting, unlike the passive collection
described in the question, which tools such as p0f perform by observing traffic only. Nmap is a
free open-source utility for network exploration and security auditing. It is used to discover hosts
and services on a computer network, thus creating a "map" of the network. Beyond port scanning,
Nmap may be able to determine various details about the remote computers: operating system,
device type, uptime, the software product used to run a service and its exact version number, the
presence of some firewall techniques and, on a local area network, even the vendor of the remote
network card. Nmap runs on Linux, Microsoft Windows, and other platforms.
Answer: B is incorrect. The nmap -sU -p switch performs a UDP port scan.
Answer: A is incorrect. The nmap -sS switch performs a TCP SYN scan, also known as a half-open
scan because a full TCP connection is never completed.
Answer: D is incorrect. The nmap -sT switch performs a TCP connect scan, which completes the
three-way handshake.
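An added example, not part of the original page, that serves both Question 3 and Question 24: instead of reading the OS guess off the screen, the output of an OS-detection scan written in Nmap's grepable format (nmap -v -O -oG -) is parsed so that the guess can be fed into a script. The sample below is constructed to imitate that format; it is not a real scan of the host in the questions.

```shell
#!/bin/sh
# Added example, not from the original page: pulls the OS guess out of
# Nmap's grepable output (-oG), so that the result of "nmap -v -O -oG -"
# can be consumed by a script. The sample below is constructed to imitate
# that format; it is not a real scan.

TAB=$(printf '\t')
sample_gnmap() {
  printf '%s\n' \
    '# constructed sample of nmap -v -O -oG - output' \
    "Host: 208.100.2.25 ()${TAB}Status: Up" \
    "Host: 208.100.2.25 ()${TAB}Ports: 22/open/tcp//ssh///, 80/open/tcp//http///${TAB}Ignored State: closed (998)${TAB}OS: Linux 2.6.32 - 3.10${TAB}Seq Index: 256${TAB}IP ID Seq: All zeros" \
    "Host: 208.100.2.26 ()${TAB}Ports: 443/open/tcp//https///${TAB}Ignored State: filtered (999)" \
    '# Nmap done: 2 IP addresses (2 hosts up)'
}

# Reads -oG output on stdin and prints "address<TAB>OS guess" for every
# host line that carries an OS field. Fields in -oG are tab-separated
# "Key: value" pairs, so a host with ports but no fingerprint (as for
# 208.100.2.26, where only one filtered port was seen) prints nothing.
os_guesses() {
  awk -F '\t' '
    /^Host: / {
      addr = $1; sub(/^Host: /, "", addr); sub(/ .*/, "", addr)
      for (i = 2; i <= NF; i++)
        if ($i ~ /^OS: /) print addr "\t" substr($i, 5)
    }'
}

sample_gnmap | os_guesses
```

The second host deliberately yields no guess: Nmap needs at least one open and one closed TCP port to fingerprint reliably, and a host behind a firewall that filters everything except one port often produces no OS line at all, so a consumer of this output must cope with hosts that are simply absent.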
QUESTION NO: 25
You work as a Network Administrator for XYZ CORP. The company has a Linux-based network.
The company needs to provide secure network access. You have configured a firewall to prevent
certain ports and applications from forwarding the packets to the company's intranet. What does a
firewall check to prevent these ports and applications from forwarding the packets to the intranet?
A.
The network layer headers and the session layer port numbers
B.
The application layer port numbers and the transport layer headers
C.
The transport layer port numbers and the application layer headers
Answer: C
Explanation:
A firewall stops delivery of packets that are not permitted by the rule set configured by the Network
Administrator. To block particular ports and applications, it inspects the transport layer (TCP/UDP)
port numbers of each packet and, for application-aware filtering, the application layer headers, and
prevents the matching traffic from being forwarded to the intranet.
QUESTION NO: 26
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. You want to run two
programs, foo and bar. You also want to ensure that bar is executed if and only if foo has
executed successfully. Which of the following command sequences will John use to accomplish
the task?
A.
foo; bar;
B.
foo || bar;
C.
foo | bar;
D.
foo && bar;
Answer: D
Explanation:
According to the scenario, John will execute the foo && bar; command. Because of the &&
operator, bar will execute if and only if foo completes successfully.
Answer: A is incorrect. The foo; bar; command sequence will run foo and bar in a sequential
manner, but the successful completion of the first command does not matter.
Answer: B is incorrect. The foo || bar; command sequence will run bar if and only if foo fails to
complete successfully.
Answer: C is incorrect. The foo | bar; command sequence pipes the standard output of foo into the
standard input of bar; both run concurrently, and bar runs regardless of whether foo succeeds.
QUESTION NO: 27
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He is configuring the
Apache Web server settings. He does not want the commands being used in the settings to be
stored in the history. Which of the following commands can he use to disable history?
A.
history !!
B.
set +o history
C.
history !N
D.
set -o history
Answer: B
Explanation:
According to the scenario, John can use the set +o history command to turn off history recording in
the current Bash session; commands entered afterwards are not added to the history list or written
to the history file. Note for auditors: this affects only the shell in which it is run, and it hides activity
rather than securing anything, so accountability for root work should rest on session logging or an
audit trail, not on shell history.
Answer: D is incorrect. John cannot use the set -o history command to accomplish his task. This
command re-enables history after it has been disabled.
Answer: A is incorrect. John cannot use the history !! command to accomplish his task. !! is history
expansion for the previous command, so this expands to the previous command's text rather than
disabling anything.
Answer: C is incorrect. John cannot use the history !N command to accomplish his task. !N is
history expansion for command number N; it recalls that command rather than disabling history.
QUESTION NO: 28
You are the Network Administrator for a software development company. Your company creates
various utilities and tools. You have noticed that some of the files your company creates are
getting deleted from systems. When one is deleted, it seems to be deleted from all the computers
A.
Antivirus log
B.
IDS log
C.
System log
D.
Firewall log
Answer: A
Explanation:
Check the antivirus log and see if it is detecting your file as a virus and deleting it. All antivirus
programs have a certain rate of false positives. Since the file is being deleted from all computers, it
seems likely that your antivirus has mistakenly identified that file as a virus.
Answer: D is incorrect. The firewall log can help you identify traffic entering or leaving your
network, but won't help with files being deleted.
Answer: B is incorrect. An IDS log would help you identify possible attacks, but this scenario is
unlikely to be from an external attack.
Answer: C is incorrect. Your system log can only tell you what is happening on that individual
computer.
QUESTION NO: 29
Which of the following statements about a screened host is true?
A.
It facilitates a more efficient use of the Internet connection bandwidth and hides the real IP
addresses of computers located behind the proxy.
B.
It is a small network that lies in between the Internet and a private network.
C.
It provides added security by using Internet access to deny or permit certain traffic from the
Bastion Host.
Answer: C
Explanation:
A screened host architecture places a bastion host on the internal network behind a packet-filtering
(screening) router. The router permits or denies traffic from the Internet so that only traffic destined
for the bastion host is allowed through, which adds security beyond what the bastion host provides
on its own.
Answer: B is incorrect. Demilitarized zone (DMZ) or perimeter network is a small network that lies
in between the Internet and a private network. It is the boundary between the Internet and an
internal network, usually a combination of firewalls and bastion hosts that are gateways between
inside networks and outside networks. DMZ provides a large enterprise network or corporate
network the ability to use the Internet while still maintaining its security.
Answer: A is incorrect. A proxy server facilitates a more efficient use of the Internet connection
bandwidth and hides the real IP addresses of computers located behind the proxy.
QUESTION NO: 30
John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He notices that UDP port 137 of the We-are-secure server is
open. Assuming that the Network Administrator of We-are-secure Inc. has not changed the default
port values of the services, which of the following services is running on UDP port 137?
A.
HTTP
B.
TELNET
C.
NetBIOS
D.
HTTPS
Answer: C
Explanation:
The NetBIOS Name Service listens on UDP port 137 (the NetBIOS datagram service uses UDP port
138 and the NetBIOS session service TCP port 139). An exposed port 137 allows name queries
that reveal the host name, workgroup or domain, and logged-on user names.
Answer: A is incorrect. Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used
on the World Wide Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP
defines how messages are formatted and transmitted, and what actions Web servers and
browsers should take in response to various commands. For example, when a client application or
browser sends a request to the server using HTTP commands, the server responds with a
message containing the protocol version, success or failure code, server information, and body
content, depending on the request. HTTP uses TCP port 80 as the default port.
Answer: D is incorrect. The default port of HTTPS is TCP/443. Hypertext Transfer Protocol Secure
(HTTPS) is the protocol used in the Uniform Resource Locator (URL) address line to connect to a
secure site. If a site has been secured by using Secure Sockets Layer (SSL) or its successor
Transport Layer Security (TLS), then HTTPS, instead of HTTP, should be used as the protocol type in
the URL.
Answer: B is incorrect. TELNET is a command-line connectivity tool that starts terminal emulation
with a remote host running the telnet server service. TELNET allows users to communicate with a
remote computer, offers the ability to run programs remotely, and facilitates remote administration.
The TELNET utility uses the Telnet protocol for connecting to a remote computer running the
Telnet server software, to access files. It uses TCP port 23 by default.
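As an added example (not part of the original question bank), the following Python builds the node status (NBSTAT) request that tools such as nbtstat and nmblookup send to UDP/137 and parses the reply, which is how a tester confirms what is behind an open port 137 and learns the host's NetBIOS names and MAC address. The name encoding is the first-level encoding from RFC 1001; the hostname FILESRV, the workgroup name and the MAC address used in the constructed response are invented for the test, and nbstat() is the only function that touches the network.

```python
from __future__ import annotations

import socket
import struct

NBNS_PORT = 137      # NetBIOS Name Service: UDP/137
NBSTAT = 0x0021      # QTYPE of a node status request
CLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """RFC 1001 first-level encoding: a 15-byte name plus a 1-byte suffix, where
    every byte is split into two nibbles and each nibble is written as 'A' + nibble."""
    if name == "*":                                  # NBSTAT wildcard is NUL-padded, not space-padded
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> tuple[str, int]:
    """Reverse of encode_netbios_name(); returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("an encoded NetBIOS name is exactly 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Unicast node status request: a DNS-style header with one question for '*'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0 = standard query
    qname = bytes([32]) + encode_netbios_name("*").encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_nbstat_response(data: bytes) -> dict:
    """Pull the name table and the unit ID (MAC address) out of a node status reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBNS response carrying an answer")
    off = 12 + 34                                    # skip the 34-byte answer name (len, 32 chars, NUL)
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[off:off + 10])
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type %#x" % rtype)
    off += 10
    count, off = data[off], off + 1
    names = []
    for _ in range(count):                           # 18-byte entries: name(15) suffix(1) flags(2)
        entry = data[off:off + 18]
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({"name": entry[:15].rstrip(b" ").decode("ascii", "replace"),
                      "suffix": entry[15], "group": bool(nflags & 0x8000)})
        off += 18
    mac = ":".join("%02x" % b for b in data[off:off + 6])   # statistics block starts with the unit ID
    return {"txid": txid, "names": names, "mac": mac}


def build_nbstat_response(txid: int, names: list[tuple[str, int, bool]], mac: bytes) -> bytes:
    """Constructed reply, in the layout parse_nbstat_response() reads, for offline testing."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response + authoritative answer
    rname = bytes([32]) + encode_netbios_name("*").encode("ascii") + b"\x00"
    table = b"".join(n.upper().encode("ascii").ljust(15, b" ") + bytes([sfx])
                     + struct.pack(">H", 0x8000 if grp else 0x0000) for n, sfx, grp in names)
    rdata = bytes([len(names)]) + table + mac + b"\x00" * 40   # remaining statistics zeroed
    return header + rname + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata)) + rdata


def nbstat(host: str, timeout: float = 2.0) -> dict:
    """Query a live host (requires network access and UDP/137 reachability)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data)
```

In the name table, suffix 0x00 marks the workstation service and 0x20 the file server service, and the group flag separates the workgroup or domain name from the host's own unique names. A host that answers this unauthenticated query is handing its name table and MAC address to anyone on the network, which is why NetBIOS over TCP/IP is normally disabled on hosts that do not need legacy SMB browsing.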
QUESTION NO: 31
Which of the following statements about a session are true? (Choose two.)
A.
The creation time can be obtained using the getSessionCreationTime() method of the
HttpSession.
B.
The getAttribute() method of the HttpSession interface returns a String.
C.
The time for the setMaxInactiveInterval() method of the HttpSession interface is specified in
seconds.
D.
The isNew() method is used to identify if the session is new.
Answer: C,D
Explanation:
The setMaxInactiveInterval() method sets the maximum time in seconds before a session
becomes invalid. The syntax of this method is as follows: public void setMaxInactiveInterval(int
interval)
"Pass Any Exam. Any Time." - www.actualtests.com 26
GIAC GSNA Exam
Here, interval is specified in seconds. The isNew() method of the HttpSession interface returns
true if the client does not yet know about the session, or if the client chooses not to join the
session. This method throws an IllegalStateException if called on an invalidated session.
Answer: B is incorrect. The getAttribute(String name) method of the HttpSession interface returns
the value of the named attribute as an Object, not a String. It returns null if no attribute with the given
name is bound to the session. This method throws an IllegalStateException if it is called on an
invalidated session.
Answer: A is incorrect. The creation time of a session can be obtained using the
getCreationTime() method of the HttpSession.
QUESTION NO: 32
A.
It is difficult to extend a relational database.
B.
The standard user and application program interface to a relational database is Programming
Language (PL).
C.
It is a collection of data items organized as a set of formally-described tables.
D.
It is a set of tables containing data fitted into runtime defined categories.
Answer: C
Explanation:
Answer: B is incorrect. The standard user and application program interface to a relational
database is the structured query language (SQL).
Answer: A is incorrect. In addition to being relatively easy to create and access, a relational
database has the important advantage of being easy to extend.
Answer: D is incorrect. A relational database is a set of tables containing data fitted into predefined
categories, not runtime-defined ones.
QUESTION NO: 33
You work as a Network Administrator for BetaTech Inc. You have been assigned the task of
designing the firewall policy for the company. Which of the following statements is unacceptable in
the 'acceptable use statement' portion of the firewall policy?
A.
The computers and their applications should be used for organizational related activities only.
B.
Computers may not be left unattended with a user account still logged on.
C.
Applications other than those supplied or approved by the company can be installed on any
computer.
D.
The installed e-mail application can only be used as the authorized e-mail service.
Answer: C
Explanation:
Applications other than those supplied or approved by the company shall not be installed on any
computer.
Answer: A, B, D are incorrect. All of these statements stand true in the 'acceptable use statement'
portion of the firewall policy.
QUESTION NO: 34
You have recently joined as a Network Auditor in XYZ CORP. The company has a Windows-
based network. You have been assigned the task to determine whether or not the company's goal
is being achieved. As an auditor, which of the following tasks should you perform before
conducting the data center review? Each correct answer represents a complete solution. (Choose
three.)
B.
Meet with IT management to determine possible areas of concern.
C.
Review the company's IT policies and procedures.
D.
Research all operating systems, software applications, and data center equipment operating within
the data center.
Answer: B,C,D
Explanation:
The auditor should be adequately educated about the company and its critical business activities
before conducting a data center review. The objective of the data center is to align data center
activities with the goals of the business while maintaining the security and integrity of critical
information and processes. To adequately determine if whether or not the client's goal is being
achieved, the auditor should perform the following before conducting the review:
Meet with IT management to determine possible areas of concern.
Review the company's IT policies and procedures.
Research all operating systems, software applications, and data center equipment operating within
the data center.
Answer: A is incorrect. An auditor should review the current organization chart. Reviewing the
future organization chart would not help in finding the current threats to the organization.
QUESTION NO: 35
Patricia joins XYZ CORP., as a Web Developer. While reviewing the company's Web site, she
finds that many words including keywords are misspelled. How will this affect the Web site traffic?
B.
Search engine relevancy may be altered.
C.
Link exchange with other sites becomes difficult.
D.
The domain name cannot be registered.
Answer: B
Explanation:
Web site traffic depends upon the number of users who are able to locate a Web site. Search
engines are one of the most frequently used tools to locate Web sites. They perform searches on
the basis of keywords contained in the Web pages of a Web site. Keywords are simple text strings
that are associated with one or more topics of a Web page. Misspelled keywords prevent Web
pages from being displayed in the search results.
QUESTION NO: 36
You work as a Network Administrator for ABC Inc. The company uses a secure wireless network.
John complains to you that his computer is not working properly. What type of security audit do
you need to conduct to resolve the problem?
A.
Non-operational audit
B.
Dependent audit
C.
Independent audit
D.
Operational audit
Answer: C
Explanation:
Answer: D is incorrect. An operational audit is done to examine the operational and ongoing
activities within a network.
Answer: A is incorrect. Non-operational audit is not a valid type of security audit.
QUESTION NO: 37
You have an online video library. You want to upload a directory of movies. Since this process will
take several hours, you want to ensure that the process continues even after the terminal is shut
down or session is closed. What will you do to accomplish the task?
A.
Use the bg command to run the process at the background.
B.
Add the nohup command in front of the process.
C.
Add the nohup command at the end of the process.
D.
Run the process inside a GNU Screen-style screen multiplexer.
Answer: B,D
Explanation:
When nohup is placed in front of a command, the command ignores the hangup signal (SIGHUP) that
the shell sends to its jobs when the terminal is closed or the session ends, so it keeps running after
logout; if its output is a terminal, nohup redirects it to the file nohup.out. Without this, every
process started from the session, except at and batch requests, receives SIGHUP and is killed when
the user logs out. A process that is already running cannot be wrapped in nohup after the fact;
instead, press Ctrl+Z to suspend it, enter bg to resume it in the background, and enter disown so
that the shell removes it from its job table and does not send it SIGHUP on logout. The other way to
accomplish the task is to run the command inside a GNU Screen-style terminal multiplexer and then
detach the screen. GNU Screen maintains the illusion that the user is always logged in and allows the
user to reattach at any time, with the advantage that the user can continue to interact with the
program once reattached (which is impossible with nohup alone).
Answer: C is incorrect. The nohup command works only when it is placed in front of a command.
Answer: A is incorrect. The bg command only resumes a suspended job in the background; the job
still belongs to the shell's session and is killed when the terminal is shut down.
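The following Python, added here as an example rather than taken from the question bank, shows the mechanism the answer relies on: a child that ignores SIGHUP, as nohup does before it executes the command, keeps running after the hangup signal, while one with the default disposition is terminated. survives_sighup() spawns a small constructed child program and signals it directly instead of closing a real terminal; run_detached() is a minimal nohup clone that additionally places the child in a new session, which real nohup does not do. It requires a POSIX system.

```python
from __future__ import annotations

import os
import signal
import subprocess
import sys

# Constructed child program: optionally ignore SIGHUP (what nohup(1) does before it
# execs the command), announce readiness on stdout, then idle until it is killed.
CHILD_SOURCE = """
import signal, sys, time
if sys.argv[1] == "ignore":
    signal.signal(signal.SIGHUP, signal.SIG_IGN)
print("ready", flush=True)
time.sleep(60)
"""


def survives_sighup(ignore_hup: bool, grace: float = 2.0) -> bool:
    """Spawn the child, deliver SIGHUP to it, and report whether it is still running."""
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD_SOURCE, "ignore" if ignore_hup else "default"],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    try:
        child.stdout.readline()              # wait until the handler, if any, is installed
        os.kill(child.pid, signal.SIGHUP)
        try:
            child.wait(timeout=grace)        # default disposition: the signal terminates it
            return False
        except subprocess.TimeoutExpired:
            return True                      # still alive after SIGHUP
    finally:
        if child.poll() is None:
            child.kill()
            child.wait()


def run_detached(argv: list[str], logfile: str = "nohup.out") -> int:
    """Minimal nohup clone: ignore SIGHUP in the child, give it its own session so the
    terminal's job control never reaches it (an addition; real nohup does not setsid),
    and send its output to a file. Returns the child's PID without waiting for it."""
    with open(logfile, "ab") as log:
        child = subprocess.Popen(
            argv, stdin=subprocess.DEVNULL, stdout=log, stderr=subprocess.STDOUT,
            start_new_session=True,
            preexec_fn=lambda: signal.signal(signal.SIGHUP, signal.SIG_IGN))
    return child.pid


if __name__ == "__main__":
    print("ignores SIGHUP -> survives:", survives_sighup(True))
    print("default SIGHUP -> survives:", survives_sighup(False))
```

The first call returns True and the second False: ignoring the signal is the whole trick, and a multiplexer such as GNU Screen achieves the same survival differently, by keeping the program attached to a pseudo-terminal that the multiplexer owns rather than the one the user logs out of.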
QUESTION NO: 38
You work as a Web Deployer for UcTech Inc. You write the <security constraint> element for an
application in which you write the <auth-constraint> sub-element as follows: <auth-constraint>
<role-name>*</role-name> </auth-constraint>
A.
Only the administrator
B.
No user
C.
All users
D.
It depends on the application.
Answer: C
Explanation:
The special role name * in <role-name> grants access to every authenticated user who belongs to
any of the roles declared for the application (its <security-role> elements), so all such users
can reach the resource defined within the <web-resource-collection> element. Writing a specific
role, such as Administrator, within the <role-name> element would instead allow only members of
that role, and an empty <auth-constraint/> element denies access to everyone.
QUESTION NO: 39
You work as a Network Administrator for XYZ CORP. The company has a TCP/IP-based network
environment. The network contains Cisco switches and a Cisco router.
A.
There is a physical problem either with the interface or the cable attached to it.
B.
The router has no power.
C.
There is a problem related to encapsulation.
D.
The interface is shut down.
Answer: D
Explanation:
According to the question, the output displays that the interface is administratively down, which
means the interface has been shut down with the shutdown command. To bring it up, enter interface
configuration mode and issue the no shutdown command.
Answer: A is incorrect. Had there been a physical problem with the interface, the output would not
have displayed "administratively down". Instead, the output would be as follows: serial0 is down,
line protocol is down
Answer: B is incorrect. You cannot run this command on a router that is powered off.
Answer: C is incorrect. Encapsulation has nothing to do with the output displayed in the question.
QUESTION NO: 40
Sam works as a Web Developer for McRobert Inc. He creates a Web site. He wants to include the
following table in the Web site:
2. <TR>
3.
4.
5. </TR>
6. <TR>
7. <TD>
8. </TD>
9. <TD>
10. </TD>
11. <TD>
12. </TD>
13. </TR>
14. <TR>
15. <TD>
16. </TD>
17. <TD>
18. </TD>
19. <TD>
20. </TD>
21. </TR>
22. </TABLE>
Which of the following tags will Sam place at lines 3 and 4 to create the table?
A.
at line 3 at line 4
B.
at line 3 at line 4
D.
at line 3 at line 4
Answer: D
Explanation:
The <TD> tag is used to specify each cell of the table. It can be used only within a row (<TR>)
of a table. The ROWSPAN attribute of the <TD> tag specifies the number of rows that a cell spans
over in a table. Since the first cell of the table spans over three rows, Sam will use the
ROWSPAN attribute on the cell at line 3. The COLSPAN attribute specifies the number of columns
that a cell spans over, here the number of columns that the head row contains.
Answer: C is incorrect.
Answer: A, B are incorrect. There are no attributes such as SPAN and SPANWIDTH for the <TD> tag.
QUESTION NO: 41
John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He is using the Linux operating system. He wants to use a
wireless sniffer to sniff the We-are-secure network. Which of the following tools will he use to
accomplish his task?
A.
WEPCrack
B.
Kismet
C.
Snadboy's Revelation
D.
NetStumbler
Answer: B
Explanation:
According to the scenario, John will use Kismet. Kismet is a Linux-based 802.11 wireless network
sniffer and intrusion detection system. It can work with any wireless card that supports raw
monitoring (rfmon) mode, and it can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.
Answer: A is incorrect. WEPCrack is an open source tool that breaks IEEE 802.11 WEP secret
keys; it recovers keys from captured traffic rather than sniffing the network itself.
Answer: C is incorrect. Snadboy's Revelation is not a sniffer. It is used to see the actual password
behind the asterisks in a password field.
Answer: D is incorrect. NetStumbler is a Windows tool for detecting wireless networks; it does not
run on Linux.
QUESTION NO: 42
You work as a Network Administrator of a TCP/IP network. You are having DNS resolution
problem. Which of the following utilities will you use to diagnose the problem?
A.
PING
B.
IPCONFIG
C.
TRACERT
D.
NSLOOKUP
Answer: D
Explanation:
NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems.
It performs its function by sending queries to the DNS server and obtaining detailed responses at
the command prompt. This information can be useful for diagnosing and resolving name resolution
issues, verifying whether or not the resource records are added or updated correctly in a zone,
and debugging other server-related problems. This tool is installed along with the TCP/IP protocol
through the Control Panel.
Answer: A is incorrect. The ping command-line utility is used to test connectivity with a host on a
TCP/IP-based network. This is achieved by sending out a series of packets to a specified
destination host. On receiving the packets, the destination host responds with a series of replies.
These replies can be used to determine whether or not the network is working properly.
Answer: C is incorrect. TRACERT is a route-tracing Windows utility that displays the path an IP
packet takes to reach the destination. It shows the Fully Qualified Domain Name (FQDN) and the
IP address of each gateway along the route to the remote host.
QUESTION NO: 43
John works as a professional Ethical Hacker. He is assigned a project to test the security of
www.we-are-secure.com. He is working on the Linux operating system. He wants to sniff the we-
are-secure network and intercept a conversation between two employees of the company through
session hijacking. Which of the following tools will John use to accomplish the task?
A.
IPChains
B.
Tripwire
C.
Hunt
D.
Ettercap
Answer: C
Explanation:
In such a scenario, John will use Hunt which is capable of performing both the hacking techniques,
sniffing and session hijacking.
Answer: D is incorrect. Ettercap is a network sniffer and man-in-the-middle suite. It may be an
option for the sniffing, but the question asks for the tool built to combine sniffing with TCP
session hijacking, which is Hunt.
Answer: A, B are incorrect. IPChains is a Linux packet-filtering (firewall) tool and Tripwire is a
file-integrity checker; neither sniffs traffic or hijacks sessions.
QUESTION NO: 44
A.
Parallel Simulation
B.
Generalized Audit Software (GAS)
C.
Test Data
D.
Custom Audit Software (CAS)
Answer: B
Explanation:
CAATs (Computer Assisted Auditing Techniques) are used to test application controls as well as
perform substantive tests on sample items. Following are the types of CAATs:
Generalized Audit Software (GAS): It allows the auditor to perform tests on computer files and
databases.
Custom Audit Software (CAS): It is generally written by auditors for specific audit tasks. CAS is
necessary when the organization's computer system is not compatible with the auditor's GAS or
when the auditor wants to conduct some testing that may not be possible with the GAS.
Test Data: The auditor uses test data for testing the application controls in the client's computer
programs. The auditor includes simulated valid and invalid test data, used to test the accuracy of
the computer system's operations. This technique can be used to check data validation controls
and error detection routines, processing logic controls, and arithmetic calculations, to name a few.
Parallel Simulation: The auditor must construct a computer simulation that mimics the client's
production programs.
Integrated Test Facility: The auditor enters test data along with actual data in a normal application
run.
QUESTION NO: 45
You are concerned about an attacker being able to get into your network. You want to make sure
that you are informed of any network activity that is outside normal parameters. What is the best
way to do this?
B.
Use performance monitors.
C.
Implement signature based antivirus.
D.
Implement an anomaly based IDS.
Answer: D
Explanation:
An anomaly based Intrusion Detection System will monitor the network for any activity that is
outside normal parameters (i.e. an anomaly) and inform you of it.
Answer: C is incorrect. Antivirus software, while important, won't help detect the activities of
intruders.
Answer: B is incorrect. Performance monitors are used to measure normal network activity and
look for problems such as bottlenecks.
Answer: A is incorrect. A protocol analyzer can show whether a given protocol is moving over a
particular network segment, but it does not by itself alert you to activity that is outside normal
parameters.
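As an added illustration (not from the original question bank), the following Python builds a per-host baseline from constructed flow records and flags hosts whose activity in a new window deviates from it, which is the essence of anomaly-based detection as opposed to matching known signatures. The hosts, ports and the port sweep from 10.0.0.7 are synthetic data generated with a fixed seed; the modified z-score (median and MAD) with a 3.5 threshold is the usual robust-statistics rule, and the MAD floor of 1 is a choice made here to keep constant features from dividing by zero.

```python
import random
import statistics
from collections import defaultdict

HOSTS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
NORMAL_PORTS = [80, 443, 53, 445, 3389]


def synth_window(rng: random.Random, window: str, extra=()) -> list:
    """Constructed flow records for one window: '<window> <src> -> <dst>:<dport>'."""
    lines = []
    for src in HOSTS:
        for _ in range(rng.randint(20, 40)):
            lines.append(f"{window} {src} -> 10.0.1.{rng.randint(10, 30)}:{rng.choice(NORMAL_PORTS)}")
    lines.extend(extra)
    return lines


def features(lines) -> dict:
    """Per (window, src): number of connections and number of distinct destination ports."""
    conns, ports = defaultdict(int), defaultdict(set)
    for line in lines:
        window, src, _arrow, target = line.split()
        _dst, dport = target.rsplit(":", 1)
        conns[(window, src)] += 1
        ports[(window, src)].add(int(dport))
    return {k: {"conns": conns[k], "dports": len(ports[k])} for k in conns}


def robust_z(x: float, history: list) -> float:
    """Modified z-score around the median; MAD is floored at 1 so a constant
    feature does not divide by zero."""
    med = statistics.median(history)
    mad = statistics.median([abs(v - med) for v in history])
    return 0.6745 * (x - med) / max(mad, 1.0)


def detect(baseline_lines, window_lines, threshold: float = 3.5) -> dict:
    """Learn each host's normal range from the baseline, then report hosts whose
    window features sit above the threshold (only upward deviations are alerts)."""
    history = defaultdict(lambda: defaultdict(list))
    for (_w, src), feats in features(baseline_lines).items():
        for name, value in feats.items():
            history[src][name].append(value)
    alerts = {}
    for (_w, src), feats in features(window_lines).items():
        if src not in history:
            alerts[src] = ["no baseline for this host"]
            continue
        reasons = []
        for name, value in feats.items():
            z = robust_z(value, history[src][name])
            if z > threshold:
                reasons.append(f"{name}={value} (z={z:.1f})")
        if reasons:
            alerts[src] = reasons
    return alerts


def demo() -> dict:
    """48 windows of normal traffic, then one window in which 10.0.0.7 sweeps 60 ports."""
    rng = random.Random(7)
    baseline = [ln for h in range(48) for ln in synth_window(rng, f"h{h}")]
    sweep = [f"w0 10.0.0.7 -> 10.0.1.20:{p}" for p in range(1, 61)]
    return detect(baseline, synth_window(rng, "w0", extra=sweep))


if __name__ == "__main__":
    for host, reasons in demo().items():
        print(host, "->", "; ".join(reasons))
```

Only 10.0.0.7 is reported, on both its connection count and its distinct-port count, while the two hosts that behave as they did during the baseline stay silent. The weakness of the approach is visible in the code too: a host with no baseline, or a baseline that was recorded while an attacker was already active, produces either a noisy alert or a blind spot, which is why the baseline period has to be curated.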
QUESTION NO: 46
Which of the following is a technique for creating Internet maps? (Choose two.)
A.
AS PATH Inference
B.
Object Relational Mapping
C.
Active Probing
D.
Network Quota
Answer: A,C
Explanation:
There are two prominent techniques used today for creating Internet maps:
Active probing: This technique works on the data plane of the Internet. It infers Internet
topology from router adjacencies discovered by sending probe packets, for example with
traceroute.
AS PATH inference: This technique works on the control plane. It infers autonomous system
connectivity from BGP routing data.
QUESTION NO: 47
A.
A common aggregation purpose is to get more information about particular groups based on
specific variables.
B.
Data aggregation cannot be user-based.
C.
Data aggregation is any process in which information is gathered and expressed in a summary
form.
D.
Online analytic processing (OLAP) is a simple type of data aggregation.
Answer: A,C,D
Explanation:
Data aggregation is any process in which information is gathered and expressed in a summary
form, for purposes such as statistical analysis. A common aggregation purpose is to get more
information about particular groups based on specific variables such as age, profession, or
income. The information about such groups can then be used for Web site personalization to
choose content and advertising likely to appeal to an individual belonging to one or more groups
for which data has been collected. For example, a site that sells music CDs might advertise certain
CDs based on the age of the user and the data aggregate for their age group. Online analytic
processing (OLAP) is a simple type of data aggregation in which the marketer uses an online
reporting mechanism to process the information.
Answer: B is incorrect. Data aggregation can be user-based. Personal data aggregation services
offer the user a single point for collection of their personal information from other Web sites. The
customer uses a single master personal identification number (PIN) to give them access to their
various accounts (such as those for financial institutions, airlines, book and music clubs, and so
on). Performing this type of data aggregation is sometimes referred to as "screen scraping."
QUESTION NO: 48
You have just installed a Windows 2003 server. What action should you take regarding the default
shares?
A.
Disable them only if this is a domain server.
B.
Disable them.
C.
Make them hidden shares.
D.
Leave them, as they are needed for Windows Server operations.
Answer: B
Explanation:
Default shares should be disabled, unless they are absolutely needed. They pose a significant
security risk by providing a way for an intruder to enter your machine.
Answer: A is incorrect. Whether this is a domain server, a DHCP server, a file server, or database
server does not change the issue with shared drives/folders.
Answer: C is incorrect. The default administrative shares (C$, ADMIN$, IPC$, and so on) are
already hidden shares: the trailing $ only keeps them out of browse lists and does nothing to stop
an attacker who knows the name from connecting to them.
Answer: D is incorrect. These shares are not required for basic Windows Server operation, although
some remote administration tools depend on them, which is why they should be disabled unless they
are actually needed.
QUESTION NO: 49
Which of the following controls define the direction and behavior required for technology to
function properly?
A.
Detailed IS controls
C.
Application controls
D.
Pervasive IS controls
Answer: D
Explanation:
Pervasive IS controls are a subset of general controls that contains some extra definitions
focusing on the management of monitoring a specific technology. A pervasive order or control
determines the direction and behavior required for technology to function properly. The pervasive
control permeates the area by using a greater depth of control integration over a wide area of
influence.
Answer: B is incorrect. General controls are the parent class of controls that governs all areas of a
business. An example of general controls includes the separation duties that prevent employees
from writing their own paychecks and creating accurate job descriptions. General controls define
the structure of an organization, establish HR policies, monitor workers and the work environment,
as well as support budgeting, auditing, and reporting.
Answer: A is incorrect. Detailed IS controls are controls used for manipulating the on-going tasks
in an organization. Some of the specific tasks require additional detailed controls to ensure that
the workers perform their job correctly. These controls refer to some specific tasks or steps to be
performed such as:
How the department handles acquisitions, security, delivery, implementation, and support of IS
services.
Answer: C is incorrect. Application controls are embedded in programs and constitute the lowest
subset in the control family. An activity should be filtered through the general controls, then the
pervasive controls and detailed controls, before reaching the application controls level. Controls in
the higher level category help in protecting the integrity of the applications and their data. The
management is responsible to get applications tested prior to production through a recognized test
method. The goal of this test is to provide a technical certificate that each system meets the
requirement.
QUESTION NO: 50
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to see the list of the filesystems mounted automatically at startup by the mount -a
command in the /etc/rc startup file. Which of the following Unix configuration files can you use to
accomplish the task?
A.
/etc/named.conf
B.
/etc/groups
C.
/etc/mtab
D.
/etc/fstab
Answer: D
Explanation:
In Unix, the /etc/fstab file is used by system administrators to list the filesystems that are mounted
automatically at startup by the mount –a command (in /etc/rc or its equivalent startup file).
Answer: C is incorrect. In Unix, the /etc/mtab file contains a list of the currently mounted file
systems. This is set up by the boot scripts and updated by the mount command.
Answer: A is incorrect. In Unix, the /etc/named.conf file is used for domain name servers.
Answer: B is incorrect. The file is actually named /etc/group; it defines each group's name,
group ID, and member list. Its password field is rarely used, and on systems with shadow
passwords the group password lives in /etc/gshadow.
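Because /etc/fstab is where the mount options for every boot-time filesystem are declared, an auditor reads it for the hardening options (nosuid, nodev, noexec) on world-writable and network filesystems. The following Python, added here as an example and not taken from the question bank, parses a constructed fstab and reports which mount points lack them. The required-option table is this example's own policy, not a standard, and the handling of the user option follows mount(8), where user implies noexec, nosuid and nodev unless a later option overrides them.

```python
import re

# Example policy (this example's own, not a standard): options each mount point must carry.
HARDENING = {
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/var/tmp": {"nosuid", "nodev", "noexec"},
    "/dev/shm": {"nosuid", "nodev", "noexec"},
    "/home": {"nosuid", "nodev"},
}
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3"}     # remote filesystems: never trust setuid bits or device nodes
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")      # fstab writes a space in a path as \040


def _unescape(field: str) -> str:
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_fstab(text: str) -> list:
    """Parse fstab lines into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        options = set()
        for opt in parts[3].split(","):
            if opt == "user":                       # mount(8): user implies noexec,nosuid,nodev ...
                options |= {"noexec", "nosuid", "nodev"}
            elif opt in ("exec", "suid", "dev"):    # ... unless a later option overrides it
                options.discard("no" + opt)
            else:
                options.add(opt)
        entries.append({"spec": _unescape(parts[0]), "mount": _unescape(parts[1]),
                        "type": parts[2], "options": options})
    return entries


def audit_fstab(text: str) -> dict:
    """Map each non-compliant mount point to the sorted list of options it is missing."""
    findings = {}
    for entry in parse_fstab(text):
        required = set(HARDENING.get(entry["mount"], ()))
        if entry["type"] in NETWORK_FS:
            required |= {"nosuid", "nodev"}
        missing = required - entry["options"]
        if missing:
            findings[entry["mount"]] = sorted(missing)
    return findings


# Constructed /etc/fstab for the demonstration.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options>                    <dump> <pass>
UUID=1234-ABCD  /            ext4   errors=remount-ro            0 1
UUID=5678-EF01  /home        ext4   defaults                     0 2
UUID=9ABC-2345  /tmp         ext4   defaults                     0 2
tmpfs           /dev/shm     tmpfs  defaults,nosuid,nodev,noexec 0 0
nfs1:/export    /mnt/data    nfs    rw,hard                      0 0
/dev/sdb1       /media/usb   vfat   user,noauto                  0 0
"""

if __name__ == "__main__":
    for mount, missing in audit_fstab(SAMPLE_FSTAB).items():
        print(f"{mount}: missing {','.join(missing)}")
```

On the sample, /tmp, /home and the NFS mount are reported while /dev/shm and the removable-media entry (covered by user) pass. Note that fstab only shows what is mounted at boot; what is actually in effect comes from /etc/mtab or /proc/mounts, so a complete audit compares the two.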
QUESTION NO: 51
Which of the following terms related to risk management represents the estimated frequency at
which a threat is expected to occur?
A.
Single Loss Expectancy (SLE)
B.
Annualized Rate of Occurrence (ARO)
C.
Exposure Factor (EF)
D.
Safeguard
Answer: B
Explanation:
The Annualized Rate of Occurrence (ARO) is the estimated number of times a given threat is
expected to occur within a year, derived from incident history, industry statistics, or expert
judgment. Multiplying it by the Single Loss Expectancy gives the Annualized Loss Expectancy:
ALE = SLE x ARO.
Answer: C is incorrect. The Exposure Factor (EF) represents the % of assets loss caused by a
threat. The EF is required to calculate the Single Loss Expectancy (SLE).
Answer: A is incorrect. The Single Loss Expectancy (SLE) is the value in dollars that is assigned
to a single event. SLE = Asset Value ($) X Exposure Factor (EF)
Answer: D is incorrect. Safeguard acts as a countermeasure for reducing the risk associated with
a specific threat or a group of threats.
QUESTION NO: 52
An executive in your company reports odd behavior on her PDA. After investigation you discover
that a trusted device is actually copying data off the PDA. The executive tells you that the behavior
started shortly after accepting an e-business card from an unknown person. What type of attack is
this?
A.
Session Hijacking
B.
Bluesnarfing
C.
Privilege Escalation
D.
PDA Hijacking
Answer: B
Explanation:
Bluesnarfing is an attack in which an attacker gains unauthorized access to the data (contacts,
calendar, messages, files) on a Bluetooth-enabled device over a Bluetooth connection. One way to
do this is to get the PDA to accept the attacker's device as a trusted (paired) device, for
example by sending a business card that the user accepts.
QUESTION NO: 53
You work as the Project Engineer for XYZ CORP. The company has a Unix-based network. Your
office consists of one server, seventy client computers, and one print device. You raise a request
for printing a confidential page. After 30 minutes, you find that your print request job is not
processed and is at the seventh position in the printer queue. You analyze that it shall take
another one hour to print. You decide to remove your job from the printer queue and get your page
printed outside the office.
Which of the following Unix commands can you use to remove your job from the printer queue?
A.
tunelp
B.
pr
C.
lprm
D.
gs
Answer: C
Explanation:
The lprm command removes one or more jobs from the printer queue; given a job number it
removes that job, and lprm - removes all of the user's jobs. (lpc, not offered here, checks the
status of the printer and sets its state.)
Answer: A is incorrect. tunelp sets parameters of the parallel line-printer device driver.
Answer: B is incorrect. pr paginates and formats text files for printing.
Answer: D is incorrect. gs is the Ghostscript interpreter for PostScript and PDF files.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to run a command that forces all the unwritten blocks in the buffer cache to be written to
the disk. Which of the following Unix commands can you use to accomplish the task?
A.
swapon
B.
tune2fs
C.
swapoff
D.
sync
Answer: D
Explanation:
The sync command is used to flush filesystem buffers. It ensures that all disk writes have been
completed before the processor is halted or rebooted. Generally, it is preferable to use reboot or
halt to shut down a system, as they may perform additional actions such as resynchronizing the
hardware clock and flushing internal caches before performing a final sync.
Answer: B is incorrect. In Unix, the tune2fs command is used to adjust tunable filesystem
parameters on the second extended filesystems.
Answer: A is incorrect. In Unix, the swapon command is used to activate a swap partition.
Answer: C is incorrect. In Unix, the swapoff command is used to de-activate a swap partition.
QUESTION NO: 55
You work as a Network Administrator for Infonet Inc. The company's network has an FTP server.
You want to secure the server so that only authorized users can access it. What will you do to
accomplish this?
A.
Disable anonymous authentication.
B.
Stop the FTP service on the server.
D.
Enable anonymous authentication.
Answer: A
Explanation:
You will have to disable anonymous authentication. This will prevent unauthorized users from
accessing the FTP server. Anonymous authentication (anonymous access) is a method of
authentication for Websites. Using this method, a user can establish a Web connection to the IIS
server without providing a username and password. Hence, this is an insecure method of
authentication. This method is generally used to permit unknown users to access the Web or FTP
server directories.
Answer: D is incorrect. Enabling anonymous authentication will allow all the users to access the
server.
Answer: B is incorrect. Stopping the FTP service on the server will prevent all the users from
accessing the FTP server.
Answer: C is incorrect. Disabling the network adapter on the FTP server will disconnect the server
from the network.
QUESTION NO: 56
Which of the following statements about a perimeter network are true? (Choose three)
A.
It has a connection to the Internet through an external firewall and a connection to an internal
network through an interior firewall.
B.
It has a connection to a private network through an external firewall and a connection to an
internal network through an interior firewall.
C.
It is also known as a demilitarized zone or DMZ.
D.
It prevents access to the internal corporate network for outside users.
Answer: A,C,D
Explanation:
A perimeter network, also known as a demilitarized zone or DMZ, is a small network that lies in
between the Internet and a private network. It has a connection to the Internet through an external
firewall and a connection to the internal network through an interior firewall. It allows outside users
access to the specific servers located in the perimeter network while preventing access to the
internal corporate network. Servers, routers, and switches that maintain security by preventing the
internal network from being exposed on the Internet are placed in a perimeter network. A
perimeter network is commonly used for deploying e-mail and Web servers for a company.
QUESTION NO: 57
John works as a Network Administrator for We-are-secure Inc. The We-are-secure server is based
on Windows Server 2003. One day, while analyzing the network security, he receives an error
message that Kernel32.exe is encountering a problem. Which of the following steps should John
take as a countermeasure to this situation?
A.
He should download the latest patches for Windows Server 2003 from the Microsoft site, so that
he can repair the kernel.
B.
He should restore his Windows settings.
C.
He should observe the process viewer (Task Manager) to see whether any new process is running
on the computer or not. If any new malicious process is running, he should kill that process.
D.
He should upgrade his antivirus program.
Answer: C,D
Explanation:
In such a situation, when John receives an error message revealing that Kernel32.exe is
encountering a problem, he should conclude that his antivirus program needs to be updated,
because Kernel32.exe is not a Microsoft file (the legitimate Windows component is the library
Kernel32.dll, and malware borrows the name to look legitimate). Although such malware normally
runs in stealth mode, he should examine the process viewer (Task Manager) to see whether any
new process is running on the computer. If any new (malicious) process is running on the server,
he should terminate that process.
Answer: A, B are incorrect. Since Kernel32.exe is not a real kernel file of Windows, there is no
need to repair or download any patch for Windows Server 2003 from the Microsoft site to repair the
kernel.
Note: Such error messages can be received if the computer is infected with malware, such as
Worm_Badtrans.b, Backdoor.G_Door, Glacier Backdoor, Win32.Badtrans.29020, etc.
QUESTION NO: 58
In addition to denying and granting access, what other services does a firewall support?
A.
Network Address Translation (NAT)
B.
Secondary connections
C.
Control Internet access based on keyword restriction
D.
Data caching
Answer: A,C,D
Explanation:
Answer: B is incorrect. Secondary connections are not a service a firewall provides; they are an
area where a firewall has difficulty securing the network, because employees who make alternate
connections to the Internet for their personal use bypass the firewall and render it useless for
that traffic.
QUESTION NO: 59
Which of the following are the goals of risk management? (Choose three)
A.
Identifying the risk
B.
Assessing the impact of potential threats
C.
Finding an economic balance between the impact of the risk and the cost of the countermeasure
D.
Identifying the accused
Answer: A,B,C
Explanation:
Answer: D is incorrect. Identifying the accused does not come under the scope of risk
management.
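Questions 51 (SLE, EF and ARO) and 59 (balancing the impact of a risk against the cost of a countermeasure) fit together in one calculation: the Annualized Loss Expectancy is ALE = SLE x ARO, and the value of a safeguard is the ALE it removes minus what it costs each year. The following Python, added here as a worked example rather than taken from the question bank, carries that through for a constructed asset and three hypothetical safeguards; every figure is invented for the illustration.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF, where EF is the fraction of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(incidents: int, years: float) -> float:
    """ARO estimated from history: incidents observed per year."""
    return incidents / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from this threat."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard; negative means it costs more than it saves."""
    return ale_before - ale_after - annual_cost


def evaluate(asset_value, exposure_factor, aro, safeguards):
    """Rank candidate safeguards. Each safeguard is (name, annual cost, EF after, ARO after):
    a control may reduce the impact (EF), the frequency (ARO), or both."""
    ale = annualized_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    ranked = []
    for name, cost, ef_after, aro_after in safeguards:
        ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
        ranked.append((name, round(safeguard_value(ale, ale_after, cost), 2)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ale, ranked


# Constructed scenario: a $500,000 customer database, 40% of its value lost per
# breach, three breaches seen in the last ten years.
SCENARIO = dict(asset_value=500_000, exposure_factor=0.40,
                aro=annualized_rate_of_occurrence(incidents=3, years=10))
CANDIDATES = [
    ("offsite encrypted backups", 15_000, 0.10, 0.30),   # cuts impact, not frequency
    ("endpoint detection rollout", 25_000, 0.40, 0.10),  # cuts frequency, not impact
    ("full DLP suite", 70_000, 0.05, 0.30),              # cuts impact, but costs more than it saves
]


def demo():
    return evaluate(SCENARIO["asset_value"], SCENARIO["exposure_factor"], SCENARIO["aro"], CANDIDATES)


if __name__ == "__main__":
    ale, ranked = demo()
    print(f"ALE before controls: ${ale:,.0f}")
    for name, value in ranked:
        print(f"{name:28s} net annual value ${value:,.0f}")
```

With an ALE of $60,000 the backups are worth $30,000 a year and the detection rollout $15,000, while the DLP suite loses $17,500 a year even though it removes the most loss; the economic balance that question 59 refers to is exactly this comparison, and a control with negative value is not justified by the risk alone.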
QUESTION NO: 60
Ryan wants to create an ad hoc wireless network so that he can share some important files with
another employee of his company. Which of the following wireless security protocols should he
choose for setting up an ad hoc wireless network? (Choose two.)
A.
WPA2 -EAP
B.
WPA-PSK
C.
WEP
D.
WPA-EAP
Answer: B,C
Explanation:
Answer: D is incorrect. WPA-EAP cannot be chosen for an ad hoc wireless network, as 802.1X/EAP
authentication requires a RADIUS (Remote Authentication Dial-In User Service) server, and an ad
hoc network has no infrastructure to provide one; the same applies to WPA2-EAP. Note that WEP is
cryptographically broken and its keys can be recovered from captured traffic in minutes, so of
the two acceptable answers only WPA-PSK still offers meaningful protection.
QUESTION NO: 61
A.
Sending secret data such as credit card information.
B.
Allowing access to a particular resource.
C.
Verifying username and password.
D.
Sending data so that no one can alter it on the way.
Answer: B
Explanation:
Authorization is a process that verifies whether a user has permission to access a Web resource.
A Web server can restrict access to some of its resources to only those clients that log in using a
recognized username and password. To be authorized, a user must first be authenticated.
Answer: D is incorrect. Sending data so that no one can alter it on the way describes the
mechanism of data integrity. Data integrity is a mechanism that ensures that the data is not
modified during transmission from source to destination. This means that the data received at the
destination should be exactly the same as that sent from the source.
Answer: A is incorrect. Sending secret data such as credit card information describes the
mechanism of confidentiality. Confidentiality is a mechanism that ensures that only the intended,
authorized recipients are able to read data. The data is encrypted so that even if an unauthorized
user gets access to it, he will not get any meaning out of it.
QUESTION NO: 62
An auditor assesses the database environment before beginning the audit. This includes various
key tasks that should be performed by an auditor to identify and prioritize the users, data,
activities, and applications to be monitored. Which of the following tasks need to be performed by
the auditor manually?
A.
Classifying data risk within the database systems
B.
Monitoring data changes and modifications to the database structure, permission and user
changes, and data viewing activities
C.
Analyzing access authority
D.
Archiving, analyzing, reviewing, and reporting of audit information
Answer: A,C
Explanation:
The Internal Audit Association lists the following as key components of a database audit:
Create an inventory of all database systems and use classifications. This should include
production and test data. Keep it up-to-date.
Classify data risk within the database systems. Monitoring should be prioritized for high, medium,
and low risk data.
Implement an access request process that requires database owners to authorize the "roles"
granted to database accounts (roles as in Role Based Access and not the native database roles).
Analyze access authority. Users with higher degrees of access permission should be under higher
scrutiny, and any account for which access has been suspended should be monitored to ensure
that access is denied and attempts are identified.
Assess application coverage. Determine what applications have built-in controls, and prioritize
database auditing accordingly. All privileged user access must have audit priority. Legacy and
custom applications are the next highest priority to consider, followed by the packaged
applications.
Ensure technical safeguards. Make sure access controls are set properly.
Audit the activities. Monitor data changes and modifications to the database structure, permission
and user changes, and data viewing activities. Consider using network-based database activity
monitoring appliances instead of native database audit trails.
Archive, analyze, review, and report audit information. Reports to auditors and IT managers must
communicate relevant audit information, which can be analyzed and reviewed to determine if
corrective action is required. Organizations that must retain audit data for long-term use should
archive this information with the ability to retrieve relevant data when needed.
The first five steps listed are to be performed by the auditor manually.
Answers B, D are incorrect. These tasks are best achieved by using an automated solution.
QUESTION NO: 63
A.
When using cookies for session tracking, there is no restriction on the name of the session
tracking cookie.
B.
When using cookies for session tracking, the name of the session tracking cookie must be
jsessionid.
C.
A server cannot use cookie as the basis for session tracking.
D.
A server cannot use URL rewriting as the basis for session tracking.
Answer: B
Explanation:
If you are using cookies for session tracking, the name of the session tracking cookie must be
jsessionid. A jsessionid can be placed only inside a cookie header. You can use HTTP cookies to
store information about a session. The servlet container takes responsibility for generating the
session ID, making a new cookie object, associating the session ID with the cookie, and setting the
cookie as part of the response.
QUESTION NO: 64
The SALES folder has a file named XFILE.DOC that contains critical information about your
company. This folder resides on an NTFS volume. The company's Senior Sales Manager asks
you to provide security for that file. You make a backup of that file and keep it in a locked
cupboard, and then you deny access on the file for the Sales group. John, a member of the Sales
group, accidentally deletes that file. You have verified that John is not a member of any other
group. Although you restore the file from backup, you are confused how John was able to delete
the file despite having no access to that file. What is the most likely cause?
A.
The Sales group has the Full Control permission on the SALES folder.
B.
The Deny Access permission does not restrict the deletion of files.
C.
John is a member of another group having the Full Control permission on that file.
D.
The Deny Access permission does not work on files.
Answer: A
Explanation:
Although NTFS provides access controls to individual files and folders, users can perform certain
actions even if permissions are set on a file or folder to prevent access. If a user has been denied
access to any file and he has Full Control rights in the folder on which it resides, he will be able to
delete the file, as Full Control rights in the folder allow the user to delete the contents of the folder.
Answer: C is incorrect. In the event of any permission conflict, the most restrictive one prevails.
Moreover, the question clearly states that John is not a member of any other group.
QUESTION NO: 65
Adam works on a Linux system. He is using Sendmail as the primary application to transmit e-
mails. Linux uses Syslog to maintain logs of what has occurred on the system. Which of the
following log files contains e-mail information such as source and destination IP addresses, date
and time stamps etc?
A.
/var/log/mailog
B.
C.
/log/var/mailog
D.
/log/var/logd
Answer: A
Explanation:
/var/log/mailog generally contains the source and destination IP addresses, date and time stamps,
and other information that may be used to check the information contained within an e-mail
header. Linux uses Syslog to maintain logs of what has occurred on the system. The configuration
file /etc/syslog.conf is used to determine where the Syslog service (Syslogd) sends its logs.
Sendmail can create event messages and is usually configured to record the basic information
such as the source and destination addresses, the sender and recipient addresses, and the
message ID of e-mail. The syslog.conf will display the location of the log file for e-mail.
Answer: B, C, D are incorrect. None of these files are valid log files.
QUESTION NO: 66
You work as a Java Programmer for JavaSkills Inc. You are working with the Linux operating
system. Nowadays, when you start your computer, you notice that your OS is taking more time to
boot than usual. You discuss this with your Network Administrator. He suggests that you mail him
your Linux bootup report. Which of the following commands will you use to create the Linux bootup
report?
A.
touch bootup_report.txt
B.
dmesg > bootup_report.txt
C.
dmesg | wc
D.
man touch
Answer: B
Explanation:
QUESTION NO: 67
You work as a Network Administrator for Tech Perfect Inc. For security issues, the company
requires you to harden its routers. You therefore write the following code:
Router#config terminal
A.
BootP service
B.
Finger
C.
CDP
D.
DNS function
Answer: A,D
Explanation:
The above configuration fragment will disable the following services from the router:
QUESTION NO: 68
Which of the following attacks allows the bypassing of access control lists on servers or routers,
and helps an attacker to hide? (Choose two.)
A.
DNS cache poisoning
B.
DDoS attack
C.
IP spoofing attack
D.
MAC spoofing
Answer: C,D
Explanation:
Either IP spoofing or MAC spoofing attacks can be performed to hide one's identity on the network.
MAC spoofing is a hacking technique of changing an assigned Media Access Control (MAC)
address of a networked device to a different one. The changing of the assigned MAC address may
allow the bypassing of access control lists on servers or routers, either hiding a computer on a
network or allowing it to impersonate another computer. MAC spoofing is the activity of altering the
MAC address of a network card.
Answer: A is incorrect. DNS cache poisoning is a maliciously created or unintended situation that
provides data to a caching name server that did not originate from authoritative Domain Name
System (DNS) sources. Once a DNS server has received such non-authentic data and cached it for
future performance gains, it is considered poisoned, supplying the non-authentic data to the
clients of the server. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS
software. If the server does not correctly validate DNS responses to ensure that they are from an
authoritative source, the server will end up caching the incorrect entries locally and serve them to
other users that make the same request.
Answer: B is incorrect. In a distributed denial of service (DDoS) attack, an attacker uses multiple
computers throughout the network that have been previously infected. Such computers act as
zombies and work together to send out bogus messages, thereby increasing the amount of phony
traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that
multiple machines can generate more attack traffic than one machine, multiple attack machines
are harder to turn off than one attack machine, and that the behavior of each attack machine can
QUESTION NO: 69
You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. You have been assigned the task to design the authentication system for the remote
users of the company. For security purposes, you want to issue security tokens to the remote
users. The token should work on the one-time password principle and so once used, the next
password gets generated. Which of the following security tokens should you issue to accomplish
the task?
A.
Virtual tokens
B.
Event-based tokens
C.
Bluetooth tokens
D.
Single sign-on software tokens
Answer: B
Explanation:
An event-based token, by its nature, has a long life span. It works on the one-time password
principle, so once a password is used, the next one is generated. Often the user has a button to press
to receive this new code via either a token or via an SMS message. All CRYPTOCard's tokens are
event-based rather than time-based.
Answer: C is incorrect. Bluetooth tokens are often combined with a USB token, and hence work in
both a connected and disconnected state. Bluetooth authentication works when closer than 32 feet
(10 meters). If the Bluetooth is not available, the token must be inserted into a USB input device to
function.
Answer: A is incorrect. Virtual tokens are a new concept in multi-factor authentication first
introduced in 2005 by security company Sestus. Virtual tokens work by sharing the token
generation process between the Internet website and the user's computer and have the advantage
of not requiring the distribution of additional hardware or software. In addition, since the user's
device is communicating directly with the authenticating website, the solution is resistant to man-
in-the-middle attacks and similar forms of online fraud.
Answer: D is incorrect. Single sign-on software tokens are used by multiple related but
independent software systems. Some types of single sign-on (SSO) solutions, like enterprise
single sign-on, use this token to store software that allows for seamless authentication and
password filling. As the passwords are stored on the token, users need not remember their
passwords and therefore can select more secure passwords, or have more secure passwords
assigned.
QUESTION NO: 70
Which of the following is the default port for Hypertext Transfer Protocol (HTTP)?
A.
20
B.
443
C.
80
D.
21
Answer: C
Explanation:
Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on the World Wide
Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP defines how messages
are formatted and transmitted, and what actions Web servers and browsers should take in
response to various commands. For example, when a client application or browser sends a
request to the server using HTTP commands, the server responds with a message containing the
protocol version, success or failure code, server information, and body content, depending on the
request. HTTP uses TCP port 80 as the default port.
Answer: B is incorrect. Port 443 is the default port for Hypertext Transfer Protocol Secure (HTTPS)
and Secure Socket Layer (SSL).
Answer: A, D are incorrect. By default, FTP server uses TCP port 20 for data transfer and TCP
port 21 for session control.
QUESTION NO: 71
A.
Use of well-known code
B.
Use of uncommon code
C.
Use of uncommon software
D.
Use of more physical connections
Answer: A,D
Explanation:
In computer security, the term vulnerability refers to a weakness which allows an attacker to reduce a
system's Information Assurance. A computer or a network can be vulnerable due to the following
reasons:
Complexity: Large, complex systems increase the probability of flaws and unintended access
points.
Familiarity: Using common, well-known code, software, operating systems, and/or hardware
increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.
Connectivity: More physical connections, privileges, ports, protocols, and services, and the time
each of those is accessible, all increase vulnerability.
Password management flaws: The computer user uses weak passwords that could be discovered
by brute force. The computer user stores the password on the computer where a program can
access it. Users re-use passwords between many programs and websites.
Fundamental operating system design flaws: The operating system designer chooses to enforce
suboptimal policies on user/program management. For example, operating systems with policies
such as default permit grant every program and every user full access to the entire computer. This
operating system flaw allows viruses and malware to execute commands on behalf of the
administrator.
Internet Website Browsing: Some Internet websites may contain harmful Spyware or Adware that
can be installed automatically on the computer systems. After visiting those websites, the
computer systems become infected and personal information will be collected and passed on to
third party individuals.
Software bugs: The programmer leaves an exploitable bug in a software program. The software
bug may allow an attacker to misuse an application.
Answers B, C are incorrect. Use of common software and common code can make a network
vulnerable.
QUESTION NO: 72
You are the security manager of Microliss Inc. Your enterprise uses a wireless network
infrastructure with access points ranging 150-350 feet. The employees using the network complain
that their passwords and important official information have been traced.
The other company is located about 340 feet away from your office.
A.
A piggybacking attack has been performed.
B.
A DOS attack has been performed.
C.
The information is traced using Bluebugging.
D.
A worm has exported the information.
Answer: A
Explanation:
Piggybacking refers to access of a wireless Internet connection by bringing one's own computer
within the range of another's wireless connection, and using that service without the subscriber's
explicit permission or knowledge. It is a legally and ethically controversial practice, with laws that
vary in jurisdictions around the world. While completely outlawed in some jurisdictions, it is
permitted in others. The process of sending data along with the acknowledgment is called
piggybacking.
Answer: D is incorrect. A worm is a software program that uses computer networks and security
holes to replicate itself from one computer to another. It usually performs malicious actions, such
as using the resources of computers as well as shutting down computers.
Answer: B is incorrect. A Denial-of-Service (DoS) attack is mounted with the objective of causing a
negative impact on the performance of a computer or network. It is also known as a network
saturation attack or bandwidth consumption attack. Attackers perform DoS attacks by sending a
large number of protocol packets to the network. The effects of a DoS attack are as follows:
QUESTION NO: 73
Anonymizers are the services that help make a user's own Web surfing anonymous. An
anonymizer removes all the identifying information from a user's computer while the user surfs the
Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web
access with an anonymizer prefix, every subsequent link selected is also automatically accessed
anonymously. Which of the following are limitations of anonymizers?
A.
ActiveX controls
B.
Plugins
C.
Secure protocols
D.
Java applications
E.
JavaScript
Answer: A,B,C,D,E
Explanation:
3.Java: Any Java application accessed through an anonymizer will not be able to bypass the Java
security wall.
4.ActiveX: ActiveX applications have almost unlimited access to the user's computer system.
QUESTION NO: 74
You work as a Network Administrator for XYZ CORP. The company has a Linux-based network.
You need to configure a firewall for the company. The firewall should be able to keep track of the
state of network connections traveling across the network. Which of the following types of firewalls
will you configure to accomplish the task?
A.
A network-based application layer firewall
B.
Host-based application firewall
C.
An application firewall
D.
Stateful firewall
Answer: D
Explanation:
A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP
streams, UDP communication) traveling across it. The firewall is programmed to distinguish
legitimate packets for different types of connections. Only packets matching a known connection
state will be allowed by the firewall; others will be rejected.
Answer: B is incorrect. A host-based application firewall can monitor any application input, output,
and/or system service calls made from, to, or by an application. This is done by examining
information passed through system calls instead of, or in addition to, a network stack. A host-
based application firewall can only provide protection to the applications running on the same host.
Answer: C is incorrect. An application firewall is a form of firewall that controls input, output, and/or
access from, to, or by an application or service. It operates by monitoring and potentially blocking
the input, output, or system service calls that do not meet the configured policy of the firewall. The
application firewall is typically built to monitor one or more specific applications or services (such
as a web or database service), unlike a stateful network firewall, which can provide some access
controls for nearly any kind of network traffic.
QUESTION NO: 75
Which of the following Windows processes supports creating and deleting processes and threads,
running 16-bit virtual DOS machine processes, and running console windows?
A.
smss.exe
B.
services.exe
C.
csrss.exe
D.
System
Answer: C
Explanation:
csrss.exe is a process that supports creating and deleting processes and threads, running 16-bit
virtual DOS machine processes, and running console windows.
Answer: A is incorrect. This process supports the programs needed to implement the user
interface, including the graphics subsystem and the log on processes.
Answer: D is incorrect. This process includes most kernel-level threads, which manage the
underlying aspects of the operating system.
QUESTION NO: 76
A.
<TR>
B.
<TD>
C.
<TABLE SET>
D.
<SET TABLE>
E.
<TT>
F.
<TABLE>
Answer: A,B,F
Explanation:
In Hypertext Markup Language (HTML), a table is created using the <TABLE>, <TR>, and <TD>
tags. The <TABLE> tag designs the table layout, the <TR> tag is used to create a row, and the
<TD> tag is used to create a column. For example, the following code generates a table with two
rows and two columns:
<TABLE BORDER=1>
<TR><TD></TD><TD></TD></TR>
<TR><TD></TD><TD></TD></TR>
</TABLE>
Answer: C, E, and D are incorrect. There are no HTML tags such as <TABLE SET>, <TT>, and
<SET TABLE>.
QUESTION NO: 77
You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company has recently provided fifty laptops to its sales team members. You are
required to configure an 802.11 wireless network for the laptops. The sales team members must
be able to use their data placed at a server in a cabled network. The planned network should be
able to handle the threat of unauthorized access and data interception by an unauthorized user.
You are also required to prevent the sales team members from communicating directly to one
another.
Which of the following actions will you take to accomplish the task?
A.
Implement the open system authentication for the wireless network.
B.
Configure the wireless network to use WEP encryption for the data transmitted over a wireless
network.
C.
Using group policies, configure the network to allow the wireless computers to connect to the
infrastructure networks only.
D.
Implement the IEEE 802.1X authentication for the wireless network.
E.
Using group policies, configure the network to allow the wireless computers to connect to the ad
hoc networks only.
Answer: B,C,D
Explanation:
In order to enable wireless networking, you have to install access points in various areas of your
office building. These access points generate omnidirectional signals to broadcast network traffic.
Unauthorized users can intercept these packets. Hence, security is the major concern for a
wireless network. The two primary threats are unauthorized access and data interception.
In order to accomplish the task, you will have to take the following steps:
Using group policies, configure the network to allow the wireless computers to connect to the
infrastructure networks only. This will prevent the sales team members from communicating
directly to one another.
Implement the IEEE 802.1X authentication for the wireless network. This will allow only
authenticated users to access the network data and resources.
Configure the wireless network to use WEP encryption for data transmitted over a wireless
network. This will encrypt the network data packets transmitted over wireless connections.
Although WEP encryption does not prevent intruders from capturing the packets, it prevents them
from reading the data inside.
QUESTION NO: 78
You have to move the whole directory /foo to /bar. Which of the following commands will you use
to accomplish the task?
A.
mv /bar /foo
B.
mv -R /foo /bar
C.
mv /foo /bar
D.
mv -r /bar /foo
Answer: C
Explanation:
You will use the mv /foo /bar command to move the whole directory /foo to /bar. The mv command
moves files and directories from one directory to another or renames a file or directory. mv must
always be given at least two arguments.
Syntax: mv [options] source destination
Some important options used with the mv command are as follows:
Answer: A is incorrect. The mv /bar /foo command will move the whole /bar directory to the /foo
directory.
QUESTION NO: 79
A.
Default
B.
Unnamed
C.
Primary
D.
Named
Answer: B,D
Explanation:
A named block is a PL/SQL block that Oracle stores in the database and can be called by name
from any application. A named block is also known as a stored procedure. Named blocks can be
called from any PL/SQL block. It has a declaration section, which is known as a header. The
An anonymous block is a PL/SQL block that appears in a user's application and is neither named
nor stored in the database. This block does not allow any mode of parameter. Anonymous block
programs are effective in some situations. They are basically used when building scripts to seed
data or perform one-time processing activities. They are also used when a user wants to nest
activity in another PL/SQL block's execution section. Anonymous blocks are compiled each time
they are executed.
QUESTION NO: 80
A.
Bits
B.
Percentage
C.
Inches
D.
Pixels
Answer: D
Explanation:
Absolute size of frames is expressed in pixels. Size is expressed in terms of the number of pixels
in a frame. Therefore, a change in the screen area of a display device does not affect the absolute
frame size of a Web page.
QUESTION NO: 81
You work as the Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. You are a root user on the Red Hat operating system. You want to keep an eye on the
Which of the following commands should you use to read the file in real time?
A.
tail -n 3 /var/adm/messages
B.
tail -f /var/adm/messages
C.
cat /var/adm/messages
D.
tail /var/adm/messages
Answer: B
Explanation:
Using the -f option causes tail to continue to display the file in real time, showing added lines to the
end of the file as they occur.
QUESTION NO: 82
Which of the following techniques are used after a security breach and are intended to limit the
extent of any damage caused by the incident?
A.
Safeguards
B.
Detective controls
C.
Corrective controls
D.
Preventive controls
Answer: C
Explanation:
Answer: D is incorrect. Before the event, preventive controls are intended to prevent an incident
from occurring, e.g. by locking out unauthorized intruders.
Answer: B is incorrect. During the event, detective controls are intended to identify and
characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security
guards or the police.
Answer: A is incorrect. Safeguards are those controls that provide some amount of protection to
an asset.
QUESTION NO: 83
Which of the following wireless security features provides the best wireless security mechanism?
A.
WEP
B.
WPA with 802.1X authentication
C.
WPA
D.
WPA with Pre Shared Key
Answer: B
Explanation:
WPA with 802.1X authentication provides the best wireless security mechanism. 802.1X
authentication, also known as WPA-Enterprise, is a security mechanism for wireless networks.
802.1X provides port-based authentication, which involves communications between a supplicant,
authenticator, and authentication server. The supplicant is often software on a client device, the
authenticator is a wired Ethernet switch or wireless access point, and an authentication server is
generally a RADIUS database. The authenticator acts like a security guard to a protected network.
The supplicant (client device) is not allowed access through the authenticator to the protected side
of the network until the supplicant's identity is authorized. With 802.1X port-based authentication,
the supplicant provides credentials, such as user name/password or digital certificate, to the
authenticator, and the authenticator forwards the credentials to the authentication server for
verification. If the credentials are valid, the supplicant (client device) is allowed to access
resources located on the protected side of the network.
Answer: A is incorrect. Wired Equivalent Privacy (WEP) uses the stream cipher RC4 (Rivest
Cipher). WEP uses Shared Key Authentication, since both the access point and the wireless
device possess the same key. An attacker with enough Initialization Vectors can crack the key used
and gain full access to the network.
Answer: D is incorrect. WPA-PSK is a strong encryption mode in which encryption keys are
automatically changed (called rekeying) and authenticated between devices after a fixed period of
time, or after a fixed number of packets has been transmitted.
Answer: C is incorrect. WPA uses TKIP (Temporal Key Integrity Protocol) to enhance data
encryption, but is still vulnerable to different password cracking attacks.
QUESTION NO: 84
You work as a Network Administrator for TechPerfect Inc. The company has a secure wireless
network. Since the company's wireless network is so dynamic, it requires regular auditing to
maintain proper security. For this reason, you are configuring NetStumbler as a wireless auditing
tool.
A.
It can be integrated with the GPS.
B.
It cannot identify the channel being used.
C.
It can identify the SSIDs.
D.
It works with a wide variety of cards.
Answer: A,C,D
Explanation:
NetStumbler is one of the most famous wireless auditing tools. It works with a wide variety of
cards. If it is loaded on a computer, it can be used to detect 802.11 networks. It can easily identify
the SSIDs and security tools. It can even identify the channel being used. This tool can also be
integrated with the GPS to identify the exact location of AP for plotting onto a map.
Answer: B is incorrect. It can identify the channel being used. NetStumbler can be used for a
variety of services:
QUESTION NO: 85
You work as a Network Administrator for Blue Well Inc. The company has a TCP/IP-based routed
network. Two segments have been configured on the network as shown below:
A.
Communication between the two subnets will be affected.
B.
The whole network will collapse.
C.
Workstations on Subnet A will become offline
Answer: A,D
Explanation:
According to the question, the network is a routed network where two segments have been divided
and each segment has a switch. These switches are connected to a common router. All
workstations in a segment are connected to their respective subnet's switches.
Failure of the switch in Subnet B will make all workstations connected to it offline. Moreover,
communication between the two subnets will be affected, as there will be no link to connect to
Subnet B.
QUESTION NO: 86
John visits an online shop that stores the IDs and prices of the items to buy in a cookie. After
selecting the items that he wants to buy, the attacker changes the price of the item to 1.
Now, he clicks the Buy button, and the prices are sent to the server that calculates the total price.
A.
Cross site scripting
B.
Man-in-the-middle attack
C.
Cookie poisoning
D.
Computer-based social engineering
Answer: C
Explanation:
John is performing cookie poisoning. In cookie poisoning, an attacker modifies the value of
cookies before sending them back to the server. On modifying the cookie values, an attacker can
log in to any other user account and can perform identity theft. The following figure explains how
cookie poisoning occurs:
For example: The attacker visits an online shop that stores the IDs and prices of the items to buy
in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the
item to 1.
Now, the attacker clicks the Buy button and the prices are sent to the server that calculates the
total price.
Another use of a Cookie Poisoning attack is to pretend to be another user after changing the
username in the cookie values:
Now, after modifying the cookie values, the attacker can do the admin login.
Answer: A is incorrect. A cross site scripting attack is one in which an attacker enters malicious
data into a Website. For example, the attacker posts a message that contains malicious code to
any newsgroup site. When another user views this message, the browser interprets this code and
executes it and, as a result, the attacker is able to take control of the user's system. Cross site
scripting attacks require the execution of client-side languages such as JavaScript, Java,
VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross site
scripting attack, the attacker can perform cookie stealing, session hijacking, etc.
QUESTION NO: 87
You work as a Network Administrator for XYZ CORP. The company has a Windows Server 2008
network environment. The network is configured as a Windows Active Directory-based single
forest network.
You configure a new Windows Server 2008 server in the network. The new server is not yet linked
to Active Directory. You are required to accomplish the following tasks:
Copy the "Returns" group from the older server to the new one.
A.
Copy the "Returns" group to the new server.
B.
Rename the "Returns" group to "Revenue".
C.
Add the new group named "Sales".
D.
View and manage all group members, including for multiple groups/entire domain.
Answer: A,B,C
Explanation:
Rename groups
View both direct and indirect (nested) group members for one or more groups [only for Active
Directory]
Answer: D is incorrect. All group members can neither be viewed nor managed until the new
server is linked to Active Directory.
QUESTION NO: 88
Which of the following tools can be used to read NetStumbler's collected data files and present
street maps showing the logged WAPs as icons, whose color and shape indicates WEP mode and
signal strength?
A.
Kismet
B.
StumbVerter
C.
WEPcrack
D.
NetStumbler
Answer: B
Explanation:
The StumbVerter tool is used to read NetStumbler's collected data files and present street maps
showing the logged WAPs as icons, whose color and shape indicate WEP mode and signal
strength.
Answer: C is incorrect. WEPcrack is a wireless network cracking tool that exploits the
vulnerabilities in the RC4 Algorithm, which comprises the WEP security parameters.
Answer: A is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.
Answer: D is incorrect. NetStumbler is a Windows-based tool that is used for the detection of
wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. It detects wireless
networks and marks their relative position with a GPS.
QUESTION NO: 89
A.
Unified Communications Server
B.
Network Infrastructure Manager
C.
Gateway
D.
Sandbox
Answer: A,B,C
Explanation:
eBox Platform is an open source unified network server (or a Unified Network Platform) for SMEs.
eBox Platform can act as a Gateway, Network Infrastructure Manager, Unified Threat Manager,
Office Server, Unified Communications Server, or a combination of them. Besides, eBox Platform
includes a development framework to ease the development of new Unix-based services.
QUESTION NO: 90
Which of the following encryption encoding techniques is used in the basic authentication method?
A.
HMAC_MD5
B.
Md5
C.
DES (ECB mode)
D.
Base64
Base64 encryption encoding, which can easily be decoded, is used in the basic authentication
method.
Answer: B is incorrect. The Md5 hashing technique is used in the digest authentication method.
Answer: A is incorrect. The HMAC_MD5 hashing technique is used in the NTLMv2 authentication
method.
Answer: C is incorrect. DES (ECB mode) is used in the NTLMv1 authentication method.
QUESTION NO: 91
A.
Obiwan
B.
Netcat
C.
WinSSLMiM
D.
Brutus
Answer: C
Explanation:
WinSSLMiM is an HTTPS Man-in-the-Middle attacking tool. It includes FakeCert, a tool used to
make fake certificates. It can be used to exploit the Certificate Chain vulnerability in Internet
Explorer. The tool works under Windows 9x/2000. For example, to generate a fake certificate:
fc -s www.we-are-secure.com -f fakeCert.crt
To launch WinSSLMiM:
wsm -f fakeCert.crt
Answer: D is incorrect. Brutus is a password cracking tool that performs both dictionary and brute
force attacks in which passwords are randomly generated from given characters. Brute forcing can
be performed on the following authentications:
Answer: A is incorrect. Obiwan is a Web password cracking tool that is used to perform brute force
and hybrid attacks. It is effective against HTTP connections for Web servers that allow unlimited
failed login attempts by the user. Obiwan uses wordlists as well as alphanumeric characters as
possible passwords.
Answer: B is incorrect. Netcat is a freely available networking utility that reads and writes data
across network connections by using the TCP/IP protocol.
QUESTION NO: 92
A.
Cascading Style Sheet
B.
Coded System Sheet
C.
Cyclic Style Sheet
D.
Cascading Style System
Answer: A
Explanation:
A Cascading Style Sheet (CSS) is a separate text file that keeps track of design and formatting
information, such as colors, fonts, font sizes, and margins, used in Web pages. CSS is used to
provide Web site authors greater control on the appearance and presentation of their Web pages.
It has codes that are interpreted and applied by the browser on to the Web pages and their
elements. CSS files have a .css extension.
QUESTION NO: 93
You work as a Network Administrator for NetTech Inc. Your computer has the Windows 2000
Server operating system. You want to harden the security of the server.
Which of the following changes are required to accomplish this? (Choose two.)
B.
Disable the Guest account.
C.
Rename the Administrator account.
D.
Enable the Guest account.
Answer: B,C
Explanation:
For security, you will have to rename the Administrator account and disable the Guest account.
Renaming the Administrator account will ensure that hackers do not break into the network or
computer by guessing the password of the Administrator account. You can also create a fake
Administrator account that has no privileges and audit its use to detect attacks. Disabling the
Guest account will prevent users who do not have a domain or local user account from illegally
accessing the network or computer. By default, the Guest account is disabled on systems running
Windows 2000 Server. If the Guest account is enabled, you will have to disable it.
QUESTION NO: 94
Mark works as a project engineer in Tech Perfect Inc. His office is configured with Windows XP-
based computers. The computer that he uses is not configured with a default gateway. He is able
to access the Internet, but is not able to use e-mail services via the Internet. However, he is able
to access e-mail services via the intranet of the company.
Which of the following could be the reason of not being able to access e-mail services via the
Internet?
A.
Proxy server
B.
IP packet filter
C.
Router
D.
Answer: A
Explanation:
A proxy server exists between a client's Web-browsing program and a real Internet server. The
purpose of the proxy server is to enhance the performance of user requests and filter requests. A
proxy server has a database called cache where the most frequently accessed Web pages are
stored. The next time such pages are requested, the proxy server is able to satisfy the request
locally, thereby greatly reducing the access time. Only when a proxy server is unable to fulfill a
request locally does it forward the request to a real Internet server.
The proxy server can also be used for filtering user requests. This may be done in order to prevent
the users from visiting non-genuine sites.
Answer: B is incorrect. IP packet filters allow or block packets from passing through specified
ports. They can filter packets based on service type, port number, source computer name, or
destination computer name. When packet filtering is enabled, all packets on the external interface
are dropped unless they are explicitly allowed, either statically by IP packet filters or dynamically
by access policy or publishing rules.
Answer: C is incorrect. A router is a device that routes data packets between computers in
different networks. It is used to connect multiple networks, and it determines the path to be taken
by each data packet to its destination computer. A router maintains a routing table of the available
routes and their conditions. By using this information, along with distance and cost algorithms, the
router determines the best path to be taken by the data packets to the destination computer. A
router can connect dissimilar networks, such as Ethernet, FDDI, and Token Ring, and route data
packets among them. Routers operate at the network layer (layer 3) of the Open Systems
Interconnection (OSI) model.
QUESTION NO: 95
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to find out when a particular user was last logged in. To accomplish this, you need to
analyze the log configuration files.
Which of the following Unix log configuration files can you use to accomplish the task?
B.
/var/log/messages
C.
/var/log/lastlog
D.
/var/log/wtmp
Answer: C
Explanation:
In Unix, the /var/log/lastlog file is used by the finger command to find when a user was last logged in.
Answer: D is incorrect. In Unix, the /var/log/wtmp file stores the binary info of users that have been
logged on.
Answer: A is incorrect. In Unix, the /var/log/btmp file is used to store information about failed
logins.
Answer: B is incorrect. In Unix, the /var/log/messages is the main system message log file.
QUESTION NO: 96
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to fix partitions on a hard drive.
Which of the following Unix commands can you use to accomplish the task?
A.
fdformat
B.
exportfs
C.
fsck
D.
fdisk
The fdisk command is a menu-based command available with Unix for hard disk configuration.
This command can perform the following tasks:
Answer: B is incorrect. In Unix, the exportfs command is used to set up filesystems to export for
nfs (network file sharing).
Answer: C is incorrect. In Unix, the fsck command is used to add new blocks to a filesystem. This
command must not be run on a mounted file system.
QUESTION NO: 97
Mark works as a Web Developer for XYZ CORP. He is developing a Web site for the company. He
wants to use frames in the Web site.
A.
<REGION>
B.
<TABLESET>
C.
<FRAMEWINDOW>
D.
<FRAMESET>
Answer: D
Explanation:
The <FRAMESET> tag specifies a frameset used to organize multiple frames and nested framesets in
an HTML document. It defines the location, size, and orientation of frames. An HTML document
can contain either a <FRAMESET> tag or a <BODY> tag.
QUESTION NO: 98
You work as a professional Ethical Hacker. You are assigned a project to perform blackbox testing
of the security of www.we-are-secure.com. Now you want to perform banner grabbing to retrieve
information about the Webserver being used by we-are-secure.
Which of the following tools can you use to accomplish the task?
A.
Wget
B.
WinSSLMiM
C.
Whisker
D.
httprint
Answer: D
Explanation:
According to the scenario, you want to perform banner grabbing to retrieve information about the
Webserver being used by we-are-secure. For this, you will use the httprint tool to accomplish the
task. httprint is a fingerprinting tool that is based on Web server characteristics to accurately
identify Web servers. It works even when Web server may have been obfuscated by changing the
server banner strings, or by plug-ins such as mod_security or servermask. It can also be used to
detect Web enabled devices that do not contain a server banner string, such as wireless access
points, routers, switches, cable modems, etc. httprint uses text signature strings for identification,
and an attacker can also add signatures to the signature database.
Answer: A is incorrect. Wget is a Website copier that is used to analyze the vulnerabilities of a
Website offline.
Answer: C is incorrect. Whisker is an HTTP/Web vulnerability scanner that is written in the PERL
language. Whisker runs on both the Windows and UNIX environments. It provides functions for
testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs.
Answer: B is incorrect. WinSSLMiM is an HTTPS Man in the Middle attacking tool. It includes
FakeCert, a tool used to make fake certificates. It can be used to exploit the Certificate Chain
vulnerability in Internet Explorer.
Which of the following types of firewall functions at the Session layer of OSI model?
A.
Packet filtering firewall
B.
Circuit-level firewall
C.
Switch-level firewall
D.
Application-level firewall
Answer: B
Explanation:
A circuit-level firewall operates at the Session layer of the OSI model. This type of firewall regulates
traffic based on whether or not a trusted connection has been established.
Mark implements a Cisco unified wireless network for Tech Perfect Inc. Which functional area of
the Cisco unified wireless network architecture includes intrusion detection and prevention?
A.
Network services
B.
Wireless clients
C.
Network unification
D.
Wireless access points
Answer: A
Explanation:
Network services is the last functional area of the Cisco unified wireless network architecture. This
functional area includes the self-defending network, enhanced network support, such as location
services, intrusion detection and prevention, firewalls, network admission control, and all other
services.
Answer: C is incorrect. Network unification is a functional area of the Cisco unified wireless
network architecture. This functional area includes the following wireless LAN controllers:
Answer: B is incorrect. Wireless clients are a functional area of the Cisco unified wireless network.
The client devices are connected to a user.
Answer: D is incorrect. A wireless access point (WAP) is a device that allows wireless
communication devices to connect to a wireless network using Wi-Fi, Bluetooth, or related
standards. The WAP usually connects to a wired network, and it can transmit data between
wireless devices and wired devices on the network. Each access point can serve multiple users
within a defined network area. As people move beyond the range of one access point, they are
automatically handed over to the next one. A small WLAN requires a single access point. The
number of access points in a network depends on the number of network users and the physical
size of the network.
The tool works under Windows 9x/2000. Which of the following tools can be used to automate the
MITM attack?
A.
Airjack
B.
Kismet
C.
Hotspotter
D.
IKECrack
Answer: A
Explanation:
Airjack is a collection of wireless card drivers and related programs. It uses a program called
monkey_jack that is used to automate the MITM attack. Wlan_jack is a DoS tool in the set of
airjack tools, which accepts a target source and BSSID to send continuous deauthenticate frames
to a single client or an entire network. Another tool, essid_jack, is used to send a disassociate
frame to a target client in order to force the client to reassociate with the network, giving up the
network SSID.
Answer: C is incorrect. Hotspotter is a wireless hacking tool that is used to detect rogue access
points. It fools users into connecting to and authenticating with the hacker's tool. It sends a
deauthenticate frame to the victim's computer, which causes the victim's wireless connection to be
switched to a non-preferred connection.
Answer: D is incorrect. IKECrack is an IKE/IPSec authentication cracking tool, which uses brute
force to search for password and key combinations of Pre-Shared-Key authentication networks. The
IKECrack tool undermines the latest Wi-Fi security protocol with repetitive attempts at
authentication with random passphrases or keys.
Answer: B is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.
Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the
following tasks:
Topic 2, Volume B
You work as a Software Developer for Cinera Softwares Inc. You create a DHTML page that
contains ten TextBox controls to get information from the users who use your application. You
want all the components placed on the DHTML page to be repositioned dynamically, when a user
resizes the browser window.
A.
Use the position attribute of the Cascading Style Sheet.
B.
Use the OnResize event for the DHTML page object.
C.
Use the Resize event of the Document object.
D.
Use the OnResize event of the Cascading Style Sheet.
Answer: A
Explanation:
Use the position attribute of the Cascading Style Sheet. The DHTML page object model gives access to
styles and style sheets. Therefore, you can easily set and change the position of an element.
You are concerned about rogue wireless access points being connected to your network.
A.
Network anti-spyware software
B.
Network anti-virus software
C.
Protocol analyzers
D.
Site surveys
Answer: D
Explanation:
Routinely doing site surveys (or better still, having them automatically conducted frequently) is the
only way to know what is connected to your network. And it will reveal any rogue access points.
Answer: B is incorrect. While antivirus software is always a good idea, it will do nothing to prevent
rogue access points.
Answer: A is incorrect. While anti-spyware software is always a good idea, it will do nothing to
prevent rogue access points.
Answer: C is incorrect. A protocol analyzer will help you analyze the specific traffic on a given
node, but won't be much help in directly detecting rogue access points.
You want to repeat the last command you entered in the bash shell.
A.
history ##
B.
history !#
C.
history !!
D.
history !1
Answer: C
Explanation:
The history !! command shows the previously entered command in the bash shell. In the bash
shell, the history command is used to view the recently executed commands. History is on by
default. A user can turn off history using the command set +o history and turn it on using set -o
history. An environment variable HISTSIZE is used to inform bash about how many history lines
should be kept.
The following commands are frequently used to view and manipulate history:
Answer: B is incorrect. The history !# command shows the entire command line typed.
Answer: D is incorrect. The history !n command shows the nth command typed. Since n is equal to
1 in this command, the first command will be shown.
You have been assigned a project to develop a Web site for a construction company. You have to
develop a Web site and want to get more control over the appearance and presentation of your
Web pages. You also want to increase the ability to precisely specify the location and appearance
of the elements on a page and create special effects. You plan to use Cascading style sheets
(CSS). You want to apply the same style consistently throughout your Web site.
A.
Internal Style Sheet
B.
External Style Sheet
C.
Inline Style Sheet
D.
Embedded Style Sheet
Answer: B
Explanation:
To apply the same style consistently throughout your Web site, you should use an external style
sheet. Cascading style sheets (CSS) are used so that Web site authors can exercise greater
control over the appearance and presentation of their Web pages, and also because they increase
the ability to precisely specify the location and look of elements on a Web page and help in
creating special effects.
Cascading Style Sheets have codes, which are interpreted and applied by the browser on to the
Web pages and their elements.
External Style Sheets are used whenever consistency in style is required throughout a Web site. A
typical external style sheet uses a .css file extension, which can be edited using a text editor such
as Notepad.
Embedded Style Sheets are used for defining styles for an active page.
Inline Style Sheets are used for defining individual elements of a page.
Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number:
Q179628
Which of the following can be the countermeasures to prevent NetBIOS NULL session
enumeration in Windows 2000 operating systems?
A.
Denying all unauthorized inbound connections to TCP port 53
B.
Disabling SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the
interface
C.
Editing the registry key HKLM\SYSTEM\CurrentControlSet\LSA and adding the value
RestrictAnonymous
D.
Disabling TCP port 139/445
Answer: B,C,D
Explanation:
NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part
of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL
session vulnerabilities:
1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a
Network Administrator.
2. A Network Administrator can also disable SMB services entirely on individual hosts by
unbinding WINS Client TCP/IP from the interface.
3. A Network Administrator can also restrict the anonymous user by editing the registry values:
Answer: A is incorrect. TCP port 53 is the default port for DNS zone transfer. Although disabling it
can help restrict DNS zone transfer enumeration, it is not useful as a countermeasure against the
NetBIOS NULL session enumeration.
From an auditing perspective, database security can be broken down into four key categories:
Server Security
Database Connections
Which of the following categories leads to the process of limiting access to the database server?
A.
Table access control
B.
Database connections
C.
Restricting database access
D.
Server security
Answer: D
Explanation:
Server security is the process of limiting access to the database server. This is one of the most
basic and most important components of database security. It is imperative that an organization
not let their database server be visible to the world. If an organization's database server is
supplying information to a web server, then it should be configured to allow connections only from
that web server. Also, every server should be configured to allow only trusted IP addresses.
Answer: B is incorrect. With regard to database connections, system administrators should not
allow immediate unauthenticated updates to a database. If users are allowed to make updates to a
database via a web page, the system administrator should validate all updates to make sure that
they are warranted and safe. Also, the system administrator should not allow users to use their
designation of "sa" when accessing the database. This gives employees complete access to all of
the data stored on the database regardless of whether or not they are authenticated to have such
access.
Answer: A is incorrect. Table access control is related to an access control list, which is a table
that tells a computer operating system which access rights each user has to a particular system
object. Table access control has been referred to as one of the most overlooked forms of
Answer: C is incorrect. Restricting database access is important especially for the companies that
have their databases uploaded on the Internet. Internet-based databases have been the most
recent targets of attacks, due to their open access or open ports. It is very easy for criminals to
conduct a "port scan" to look for ports that are open that popular database systems are using by
default. The ports that are used by default can be changed, thus throwing off a criminal looking for
open ports set by default.
Following are the security measures that can be implemented to prevent open access from the
Internet:
Trusted IP addresses: Servers can be configured to answer pings from a list of trusted hosts only.
Server account disabling: The server ID can be suspended after three password attempts.
Special tools: Products can be used to send an alert when an external server is attempting to
breach the system's security. One such example is Real Secure by ISS.
John works as a Network Auditor for XYZ CORP. The company has a Windows-based network.
John wants to conduct risk analysis for the company.
Which of the following can be the purpose of this analysis? (Choose three.)
A.
To ensure absolute safety during the audit
B.
To analyze exposure to risk in order to support better decision-making and proper management of
those risks
C.
To try to quantify the possible impact or loss of a threat
D.
To assist the auditor in identifying the risks and threats
Answer: B,C,D
Explanation:
There are many purposes of conducting risk analysis, which are as follows:
Answer: A is incorrect. The analysis of risk does not ensure absolute safety. The main purpose of
using a risk-based audit strategy is to ensure that the audit adds value with meaningful
information.
Note: Here, request is a reference of type HttpServletRequest, and response is a reference of type
HttpServletResponse.
A.
Cookie [] cookies = request.getCookies();
B.
Cookie [] cookies = request.getCookie(String str)
C.
Cookie [] cookies = response.getCookie(String str)
D.
Cookie[] cookies = response.getCookies()
Answer: A
Explanation:
The getCookies() method of the HttpServletRequest interface is used to get the cookies from a
client. This method returns an array of cookies.
You work as a Software Developer for UcTech Inc. You build an online book shop, so that users
can purchase books using their credit cards. You want to ensure that only the administrator can
access the credit card information sent by users.
A.
Confidentiality
B.
Data integrity
C.
Authentication
D.
Authorization
Answer: A
Explanation:
Confidentiality is a mechanism that ensures that only the intended authorized recipients are able
to read data. The data is so encrypted that even if an unauthorized user gets access to it, he will
not get any meaning out of it.
Answer: D is incorrect. Authorization is a process that verifies whether a user has permission to
access a Web resource. A Web server can restrict access to some of its resources to only those
clients that log in using a recognized username and password. To be authorized, a user must first
be authenticated.
Answer: C is incorrect. Authentication is the process of verifying the identity of a user. This is
usually done using a user name and password. This process compares the provided user name
and password with those stored in the database of an authentication server.
Answer: B is incorrect. Data integrity is a mechanism that ensures that the data is not modified
during transmission from source to destination. This means that the data received at the
destination should be exactly the same as that sent from the source.
A.
Airwave Management Platform
B.
C.
akk@da
D.
Aggregate Network Manager
Answer: D
Explanation:
Answer: C is incorrect. akk@da is a simple network monitoring system. It is designed for small
and middle size computer networks. Its function is to quickly detect the system or network faults
and display the information about detected faults to the administrators. The information is collected
by it in every single minute (a user can decrease this period to 1 second). Approximately all the
services of the monitored hosts are discovered automatically.
Answer: B is incorrect. Andrisoft WANGuard Platform offers solutions for various network issues
such as WAN links monitoring, DDoS detection and mitigation, traffic accounting, and graphing.
Sam works as a Network Administrator for Blue Well Inc. All client computers in the company run
the Windows Vista operating system. Sam creates a new user account. He wants to create a temporary
password for the new user such that the user is forced to change his password when he logs on
for the first time. Which of the following options will he choose to accomplish the task?
A.
User cannot change password
B.
Delete temporary password at next logon
C.
User must change password at next logon
Answer: C
Explanation:
Enabling the "User must change password at next logon" option makes the given password a
temporary password. Enabling this option forces a user to change his existing password at next
logon.
Answer: A is incorrect. This option sets the existing password as a permanent password for the
user. Only administrators can change the password of the user.
You work as a Web Developer for XYZ CORP. The company has a Windows-based network. You
have been assigned the task to secure the website of the company. To accomplish the task, you
want to use a website monitoring service.
A.
It checks the health of various links in a network using end-to-end probes sent by agents located
at vantage points in the network.
B.
It checks SSL Certificate Expiry.
C.
It checks HTTP pages.
D.
It checks Domain Name Expiry.
Answer: B,C,D
Explanation:
Website monitoring service can check HTTP pages, HTTPS, FTP, SMTP, POP3, IMAP, DNS,
SSH, Telnet, SSL, TCP, PING, Domain Name Expiry, SSL Certificate Expiry, and a range of other
ports with great variety of check intervals from every four hours to every one minute. Typically,
most website monitoring services test a server anywhere between once per hour and once per
minute. Advanced services offer in-browser web transaction monitoring based on browser add-ons
such as Selenium or iMacros. These services test a website by remotely controlling a large
number of web browsers. Hence, they can also detect website issues such as JavaScript bugs that are
browser specific.
Answer: A is incorrect. This task is performed under network monitoring. Network tomography
deals with monitoring the health of various links in a network using end-to-end probes sent by
agents located at vantage points in the network/Internet.
A.
It is the probabilistic risk after implementing all security measures.
B.
It can be considered as an indicator of threats coupled with vulnerability.
C.
It is a weakness or lack of safeguard that can be exploited by a threat.
D.
It is the probabilistic risk before implementing all security measures.
Answer: A
Explanation:
The residual risk is the risk or danger of an action, an event, a method, or a (technical) process
that still remains even if all theoretically possible safety measures were applied. The formula to
calculate residual risk is (inherent risk) x (control risk), where inherent risk is
(threats x vulnerability).
3. The existence of a weakness, design, or implementation error that can lead to an unexpected,
undesirable event compromising the security of the system, network, application, or protocol
involved.
Which of the following tools is a Windows-based commercial wireless LAN analyzer for IEEE
802.11b and supports all high level protocols such as TCP/IP, NetBEUI, and IPX?
A.
SamSpade
B.
John the Ripper
C.
Cheops-ng
D.
AiroPeek
Answer: D
Explanation:
AiroPeek is a Windows-based commercial wireless LAN analyzer for IEEE 802.11b. It supports all
high level protocols such as TCP/IP, NetBEUI, IPX, etc. It can be used to perform the following
tasks:
Answer: A is incorrect. Sam Spade is a penetration-testing tool that is used in the discovery
phase. It provides a GUI and many functions. It can perform whois queries,
ping requests, DNS requests, tracerouting, OS fingerprinting, zone transfers, SMTP mail relay
checking, and Web site crawling and mirroring. Sam Spade runs on Windows operating systems.
Answer: B is incorrect. John the Ripper is a fast password cracking tool that is available for most
versions of UNIX, Windows, DOS, BeOS, and Open VMS. It also supports Kerberos, AFS, and
Windows NT/2000/XP/2003 LM hashes. John the Ripper requires a user to have a copy of the
password file.
Answer: C is incorrect. Cheops-ng is a network management tool that is used for mapping and
A.
Router
B.
Web server
C.
Client
D.
Client and Web server
Answer: B
Explanation:
The Common Gateway Interface (CGI) specification is used for creating executable programs that
run on a Web server. CGI defines the communication link between a Web server and Web
applications. It gives a network or Internet resource access to specific programs. For example,
when users submit an HTML form on a Web site, CGI is used to pass this information to a remote
application for processing, and retrieve the results from the application. It then returns these
results to the user by means of an HTML page.
A.
DSN
C.
CGI
D.
FQDN
Answer: A
Explanation:
A Web-based application uses Data Source Name (DSN) to connect to a database. DSN is a
logical name used by Open Database Connectivity (ODBC) to refer to connection information
required to access data.
Answer: C is incorrect. The Common Gateway Interface (CGI) specification is used for creating
executable programs that run on a Web server. CGI defines the communication link between a
Web server and Web applications. It gives a network or Internet resource access to specific
programs. For example, when users submit an HTML form on a Web site, CGI is used to pass this
information to a remote application for processing, and retrieve the results from the application. It
then returns these results to the user by means of an HTML page.
Answer: D is incorrect. Fully Qualified Domain Name (FQDN) is a unique name of a host or
computer, which represents its position in the hierarchy. An FQDN begins with a host name and
ends with the top-level domain name. FQDN includes the second-level domain and other lower
level domains.
For example, the FQDN of the address HTTP://WWW.UNI.ORG will be WWW.UNI.ORG where
WWW is the host name, UNI is the second-level domain, and ORG is the top-level domain name.
Answer: B is incorrect. Domain Name System (DNS) is a hierarchical naming system used for
locating domain names on private TCP/IP networks and the Internet. It provides a service for
mapping DNS domain names to IP addresses and vice versa. DNS enables users to use friendly
names to locate computers and other resources on an IP network. TCP/IP uses IP addresses to
locate and connect to hosts, but for users, it is easier to use names instead of IP address to locate
or connect to a site.
For example, users will be more comfortable in using the host name www.mycompany.com rather
than using its IP address XX.XXX.XX.XXX.
B.
Cellpadding is used to set the width of a table.
C.
Cellpadding is used to set the space between the cell border and its content.
D.
Cellpadding is used to set the space between two cells in a table.
Answer: C
Explanation:
The cellpadding attribute is used to set the space, in pixels, between the cell border and its content.
If you have not set the value of the cellpadding attribute for a table, the browser takes the default
value as 1.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to see the local device files or 'links to device files' for a non-standard device driver.
Which of the following Unix configuration files should you use to accomplish the task?
A.
profile
B.
/etc/bootptab
C.
/dev/MAKEDEV
D.
/etc/aliases
Answer: C
Explanation:
In Unix, the /dev/MAKEDEV file is used by system administrators for local device files or links to
device files for a non-standard device driver.
"Pass Any Exam. Any Time." - www.actualtests.com 103
GIAC GSNA Exam
Answer: A is incorrect. In Unix, the profile file stores the system wide environment and startup
script program.
Answer: D is incorrect. In Unix, the /etc/aliases file is where the user's name is matched to a
nickname for e-mail.
Answer: B is incorrect. In Unix, the /etc/bootptab file contains the configuration for the BOOTP
server daemon.
A.
Circuit-level firewall
B.
Stateful inspection firewall
C.
Packet filtering firewall
D.
Application-level firewall
Answer: D
Explanation:
The application-level firewall inspects the contents of packets, rather than the source/destination
or the connection between the two. An application-level firewall operates at the application layer
of the OSI model.
Answer: A is incorrect. The circuit-level firewall regulates traffic based on whether or not a trusted
connection has been established. It operates at the session layer of the OSI model.
Answer: C is incorrect. The packet filtering firewall filters traffic based on the headers. It operates
at the network layer of the OSI model.
Answer: B is incorrect. The stateful inspection firewall assures the connection between the two
parties is valid and inspects packets from this connection to assure the packets are not malicious.
Which of the following methods will free up bandwidth in a Wireless LAN (WLAN)?
A.
Change hub with switch.
B.
Deploying a powerful antenna.
C.
Disabling SSID broadcast.
D.
Implement WEP.
Answer: C
Explanation:
Disabling SSID broadcast will free up bandwidth in a WLAN environment. It is also used to
enhance the security of a Wireless LAN (WLAN): it makes it more difficult for attackers to find the
access point (AP), and enterprises use it to prevent curious people from trying to access the WLAN.
You work as the Network Technician for XYZ CORP. The company has a Linux-based network.
You are working on the Red Hat operating system. You want to view only the last 4 lines of a file
named /var/log/cron. Which of the following commands should you use to accomplish the task?
A.
tail -n 4 /var/log/cron
B.
tail /var/log/cron
C.
cat /var/log/cron
D.
head /var/log/cron
Answer: A
The tail -n 4 /var/log/cron command will show the last four lines of the file /var/log/cron.
A.
Using the longest key supported by hardware.
B.
Changing keys often.
C.
Using a non-obvious key.
D.
Using a 16 bit SSID.
Answer: A,B,C
Explanation:
A user can use some countermeasures to prevent WEP cracking. Although WEP is the least secure
option and should not be used, a user can use the following methods to mitigate WEP cracking:
Use WEP in combination with other security features, such as rapid WEP key rotation and
dynamic keying using 802.1x.
Answer: D is incorrect. SSID stands for Service Set Identifier. It is used to identify a wireless
network. SSIDs are case sensitive text strings and have a maximum length of 32 characters. All
wireless devices on a wireless network must have the same SSID in order to communicate with
each other. The SSID on computers and the devices in WLAN can be set manually and
automatically. Configuring the same SSID as that of the other Wireless Access Points (WAPs) of
other networks will create a conflict. A network administrator often uses a public SSID that is set
on the access point. The access point broadcasts SSID to all wireless devices within its range.
Some newer wireless access points have the ability to disable the automatic SSID broadcast
feature in order to improve network security.
A.
Configuring the same SSID as that of the other Wireless Access Points (WAPs) of other networks
will create a conflict.
B.
SSIDs are case insensitive text strings and have a maximum length of 64 characters.
C.
All wireless devices on a wireless network must have the same SSID in order to communicate with
each other.
D.
SSID is used to identify a wireless network.
Answer: A,C,D
Explanation:
SSID stands for Service Set Identifier. It is used to identify a wireless network. SSIDs are case
sensitive text strings and have a maximum length of 32 characters. All wireless devices on a
wireless network must have the same SSID in order to communicate with each other. The SSID
on computers and the devices in WLAN can be set manually and automatically. Configuring the
same SSID as that of the other Wireless Access Points (WAPs) of other networks will create a
conflict. A network administrator often uses a public SSID that is set on the access point. The
access point broadcasts SSID to all wireless devices within its range. Some newer wireless
access points have the ability to disable the automatic SSID broadcast feature in order to improve
network security.
Which of the following statements is NOT true about FAT16 file system?
A.
B.
FAT16 file system supports file-level compression.
C.
FAT16 does not support file-level security.
D.
FAT16 file system supports Linux operating system.
Answer: A,B
Explanation:
FAT16 file system was developed for disks larger than 16MB. It uses 16-bit allocation table
entries. FAT16 file system supports all Microsoft operating systems. It also supports OS/2 and
Linux.
Answer: C, D are incorrect. All these statements are true about FAT16 file system.
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He has a data.txt file in
which each column is separated by the TAB character. Now, he wants to use this file as input for a
data mining software he has created. The problem preventing him from accomplishing his task is
that with his data mining software, he has used TAB as a delimiter to distinguish between
columns. Hence, he is unable to use this file as input for the software. However, if he somehow
replaces the TAB characters of the file with SPACE characters, he can use this file as an input file
for his data mining software. Which of the following commands will John use to replace the TAB
characters of the file with SPACE characters?
A.
expand -t 1 data.txt > data.txt
B.
cat data.txt
C.
chmod 755 data.txt
D.
touch data.txt
According to the scenario, John can replace the TAB characters with single space characters with
the expand command. With the expand -t 1 data.txt > data.txt command, the TABs of data.txt are
changed into single spaces and the output is redirected, using the > operator, into the data.txt
file. Now, John can use the data.txt file as the input file for his data mining software.
You are concerned about possible hackers doing penetration testing on your network as a prelude
to an attack. What would be most helpful to you in finding out if this is occurring?
A.
Examining your antivirus logs
B.
Examining your domain controller server logs
C.
Examining your firewall logs
D.
Examining your DNS Server logs
Answer: C
Explanation:
Firewall logs will show all incoming and outgoing traffic. By examining those logs, you can detect
port scans and other penetration testing tools that have been used against your firewall.
Mark works as a Network Administrator for NetTech Inc. The company has a Windows 2003
Active Directory domain-based network. The domain consists of a domain controller, two Windows
2003 member servers, and one hundred client computers. The company employees use laptops
with Windows XP Professional. These laptops are equipped with wireless network cards that are
used to connect to access points located in the Marketing department of the company. The
company employees log on to the domain by using a user name and password combination. The
wireless network has been configured with WEP in addition to 802.1x. Mark wants to provide the
best level of security for the kind of authentication used by the company. What will Mark do to
accomplish the task?
A.
Use IPSec
B.
Use MD5
C.
Use PEAP
D.
Use EAP-TLS
Answer: C
Explanation:
In order to provide the best level of security for the kind of authentication used by the company,
Mark will have to use the PEAP protocol. This protocol will provide the strongest password-based
authentication for a WEP solution with 802.1x. Implementing 802.1x authentication for wireless
security requires using an Extensible Authentication Protocol (EAP)-based method for
authentication. There are two EAP-based methods:
You have to ensure that your Cisco Router is only accessible via telnet and ssh from the following
hosts and subnets: 10.10.2.103 10.10.0.0/24 Which of the following sets of commands will you
use to accomplish the task?
A.
access-list 10 permit host 10.10.2.103
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 10 deny any
line vty 0 4
access-class 10 out
B.
access-list 10 permit 10.10.2.103
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 10 deny any
line vty 0 4
access-group 10 in
D.
access-list 10 permit host 10.10.2.103
access-list 11 permit host 10.10.0.0 255.255.255.0
access-list 12 deny any
line vty 0 4
access-group 10, 11, 12 in
Answer: C
Explanation:
In order to accomplish the task, you will have to run the following sets of commands:
This configuration set meets all the requirements. The ACL is correctly configured and is applied
to the VTY lines using the access-class command for inbound connections.
Answer: D is incorrect. This configuration actually creates three separate ACLs (10, 11, and 12)
and also incorrectly attempts to apply the ACLs to the VTY lines.
Answer: A is incorrect. This configuration is correct except for the access-class command being
applied in the outbound direction. When using "access-class out", the router will not match
connections coming into the router for Telnet and/or SSH. Instead, it will match connections being
generated from the router.
Answer: B is incorrect. This configuration is correct except for the access-group command.
Access-group is used to apply ACLs to an interface. Access-class is used to apply ACLs to VTY
lines.
Which of the following is a prevention-driven activity to reduce errors in the project and to help the
project meet its requirements?
A.
Audit sampling
B.
Asset management
C.
Access control
D.
Quality assurance
Answer: D
Explanation:
Quality assurance is the application of planned, systematic quality activities to ensure that the
project will employ all processes needed to meet requirements. It is a prevention-driven activity to
reduce errors in the project and to help the project meet its requirements.
Answer: A is incorrect. Audit sampling is an application of the audit procedure that enables the IT
auditor to evaluate audit evidence within a class of transactions for the purpose of forming a
conclusion concerning the population. When designing the size and structure of an audit sample,
the IT auditor should consider the audit objectives determined when planning the audit, the nature
of the population, and the sampling and selection methods.
Answer: C is incorrect. The process of limiting access to the resources of a Web site is called
access control.
Answer: B is incorrect. Asset management is the practice of managing the whole life cycle (design,
construction, commissioning, operating, maintaining, repairing, modifying, replacing and
decommissioning/disposal) of physical and infrastructure assets such as structures, production,
distribution networks, transport systems, buildings, and other physical assets.
You are concerned about attackers simply passing by your office, discovering your wireless
network, and getting into your network via the wireless connection. Which of the following are NOT
steps in securing your wireless connection? (Choose two.)
A.
Hardening the server OS
B.
Using either WEP or WPA encryption
C.
MAC filtering on the router
D.
Strong password policies on workstations.
Answer: A,D
Explanation:
Both hardening the server OS and using strong password policies on workstations are good ideas,
but neither has anything to do with securing your wireless connection.
Answer: B is incorrect. Using WEP or WPA is one of the most basic security steps in securing your
wireless.
Which of the following key combinations in the vi editor is used to copy the current line?
A.
dk
B.
yy
C.
d$
D.
dl
Answer: B
Explanation:
The yy key combination in the vi editor is used to copy the current line. The vi editor is an
interactive, cryptic, and screen-based text editor used to create and edit a file. It operates in either
Input mode or Command mode. In Input mode, the vi editor accepts a keystroke as text and
displays it on the screen, whereas in Command mode, it interprets keystrokes as commands. As
the vi editor is case sensitive, it interprets the same character or characters as different
commands, depending upon whether the user enters a lowercase or uppercase character. When a
user starts a new session with vi, he must put the editor in Input mode by pressing the "I" key. If he
is not able to see the entered text on the vi editor's screen, it means that he has not put the editor
in Insert mode. The user must change the editor to Input mode before entering any text so that he
can see the text he has entered.
Answer: C is incorrect. It deletes from the cursor till the end of the line.
Data mining is a process of sorting through data to identify patterns and establish relationships.
Which of the following data mining parameters looks for patterns where one event is connected to
another event?
A.
Sequence or path analysis
B.
Forecasting
C.
Clustering
D.
Association
Answer: D
Explanation:
Data mining is a process of sorting through data to identify patterns and establish relationships.
Following are the data mining parameters:
In which of the following social engineering attacks does an attacker first damage any part of the
target's equipment and then advertise himself as an authorized person who can help fix the
problem?
A.
Reverse social engineering attack
B.
Impersonation attack
C.
Important user posing attack
D.
In person attack
Answer: A
Explanation:
He next advertises himself as a person of authority, ably skilled in solving that problem.
In this step, he gains the trust of the target and obtains access to sensitive information.
If this reverse social engineering is performed well enough to convince the target, he often calls
the attacker and asks for help.
Answer: B, C, D are incorrect. Person-to-Person social engineering works on the personal level. It
can be classified as follows:
In Person Attack: In this attack, the attacker just visits the organization and collects information. To
accomplish such an attack, the attacker can call a victim on the phone, or might simply walk into
an office and pretend to be a client or a new worker.
Important User Posing: In this attack, the attacker pretends to be an important member of the
organization. This attack works because there is a common belief that it is not good to question
authority.
Third-Party Authorization: In this attack, the attacker tries to make the victim believe that he has
the approval of a third party. This works because people believe that most people are good and
they are being truthful about what they are saying.
Which of the following commands can be used to find out where commands are located?
A.
type
B.
which
C.
env
D.
ls
Answer: A,B
Explanation:
The which and type commands can be used to find out where commands are located.
A.
Chernobyl virus
B.
I LOVE YOU virus
C.
Nimda virus
D.
Melissa virus
Answer: B,C
Explanation:
Which of the following text editing tools can be used to edit text files without having to open them?
B.
sed
C.
vi
D.
more
Answer: B
Explanation:
The Unix utility sed (stream editor) is a text editing tool that can be used to edit text files without
having to open them. This utility parses text files and implements a programming language which
can apply textual transformations to such files. It reads input files line by line (sequentially),
applying the operation which has been specified via the command line (or a sed script), and then
outputs the line.
Answer: D is incorrect. The more command is used to view (but not modify) the contents of a text
file on the terminal, one screen at a time. The syntax of the more command is as follows: more
[options] file_name Where,
Answer: A is incorrect. The less command is used to view (but not change) the contents of a text
file, one screen at a time. It is similar to the more command. However, it has the extended
capability of allowing both forward and backward navigation through the file. Unlike most Unix text
editors/viewers, less does not need to read the entire file before starting; therefore, it has faster
load times with large files. The command syntax of the less command is as follows: less [options]
file_name Where,
Answer C is incorrect. The vi editor is an interactive, cryptic, and screen-based text editor used to
create and edit a file. It operates in either Input mode or Command mode. In Input mode, the vi
editor accepts a keystroke as text and displays it on the screen, whereas in Command mode, it
You work as a Software Developer for UcTech Inc. You want to ensure that a class is informed
whenever an attribute is added, removed, or replaced in a session. Which of the following is the
event that you will use to accomplish the task?
A.
HttpSessionBindingEvent
B.
HttpAttributeEvent
C.
HttpSessionEvent
D.
HttpSessionAttributeEvent
Answer: A
Explanation:
The session binds the object by a call to the HttpSession.setAttribute() method and unbinds the
object by a call to the HttpSession.removeAttribute() method.
Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It
has two components, authentication and encryption. It provides security equivalent to wired
networks for wireless networks. WEP encrypts data on a wireless network by using a fixed secret
key. Which of the following statements are true about WEP?
A.
WEP uses the RC4 encryption algorithm.
B.
The Initialization Vector (IV) field of WEP is only 24 bits long.
C.
It provides better security than the Wi-Fi Protected Access protocol.
D.
Automated tools such as AirSnort are available for discovering WEP keys.
Answer: A,B,D
Explanation:
Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It
has two components, authentication and encryption. It provides security equivalent to wired
networks for wireless networks. WEP encrypts data on a wireless network by using a fixed secret
key. WEP uses the RC4 encryption algorithm. The main drawback of WEP is that its Initialization
Vector (IV) field is only 24 bits long. Many automated tools such as AirSnort are available for
discovering WEP keys.
Answer: C is incorrect. WPA stands for Wi-Fi Protected Access. It is a wireless security standard.
It provides better security than WEP (Wired Equivalent Privacy). Windows Vista supports both
WPA-PSK and WPA-EAP.
Victor works as a professional Ethical Hacker for SecureEnet Inc. He wants to scan the wireless
network of the company. He uses a tool that is a free open-source utility for network exploration.
The tool uses raw IP packets to determine the following:
What services (application name and version) those hosts are offering.
A.
Nessus
B.
Sniffer
C.
Nmap
D.
Kismet
Answer: C
Explanation:
Nmap is a free open-source utility for network exploration and security auditing. It is used to
discover computers and services on a computer network, thus creating a "map" of the network.
Just like many simple port scanners, Nmap is capable of discovering passive services. In addition,
Nmap may be able to determine various details about the remote computers. These include
operating system, device type, uptime, software product used to run a service, exact version
number of that product, presence of some firewall techniques and, on a local area network, even
vendor of the remote network card. Nmap runs on Linux, Microsoft Windows, etc.
Answer: D is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.
Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the
following tasks:
Answer: B is incorrect. A sniffer is a software tool that is used to capture any network traffic. Since
a sniffer puts the NIC of the LAN card into promiscuous mode, the NIC begins to record
incoming and outgoing data traffic across the network. A sniffer attack is a passive attack because
the attacker does not directly connect with the target host. This attack is most often used to grab
logins and passwords from network traffic. Tools such as Ethereal, Snort, Windump, EtherPeek,
Dsniff are some good examples of sniffers. These tools provide many facilities to users such as
graphical user interface, traffic statistics graph, multiple sessions tracking, etc.
You work as a Network Auditor for XYZ CORP. The company has a Windows-based network. You
use DumpSec as an auditing and reporting program for security issues. Which of the following
statements is true about DumpSec? (Choose three.)
A.
It obtains the DACLs for the registry.
B.
It dumps user and group information.
C.
It collates the DACLs for the file system.
D.
It kills the running services in the Windows environment.
Answer: A,B,C
Explanation:
DumpSec, a program launched by Somarsoft, is a security auditing and reporting program for
Microsoft Windows. It collates and obtains the permissions (DACLs) and audit settings (SACLs)
for the file system, registry, printers, and shares in a concise, readable format, so that holes in
system security are readily apparent. DumpSec also dumps user, group, and replication
information, policies, as well as services (Win32) and kernel drivers loaded on the system. It can
also report the current status of services (running or stopped) in the Windows environment.
Answer: D is incorrect. It cannot kill running services. It can only report the current status of
services (running or stopped) in the Windows environment.
You work as a Network Administrator for Tech Perfect Inc. You need to configure the company
firewall so that only Simple Network Management Protocol (SNMP) and Secure HTTP (HTTPS)
traffic is allowed into the intranet of the company. No other traffic should be allowed into the
intranet. Which of the following rule sets should you use on your firewall to accomplish the task?
(Assume left to right equals top to bottom.)
A.
Output chain: allow port 443, allow 25, deny all
B.
Input chain: deny all, allow port 25, allow 443
C.
Input chain: allow port 25, allow 443, deny all
D.
Output chain: allow port 25, allow 443, deny all
Answer: C
Explanation:
In the given rule set, 'Input chain' defines that the rule is for the incoming traffic, i.e., traffic coming
from the Internet into the intranet. Port 25 is being allowed for SNMP traffic and port 443 for the
HTTPS traffic. Deny all is being used after allowing ports 25 and 443; hence, all the other traffic
will be denied.
Answer: B is incorrect. Deny all is executed first; hence, all the traffic will be denied including port
25 and 443.
Answer: A, D are incorrect. These rule sets are used for outgoing traffic, i.e., traffic going from the
intranet to the Internet as the 'Output chain' rule is being used.
You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. You want to configure the ACL with a Cisco router. Which of the following router prompts
can you use to accomplish the task?
A.
router(config-if)#
B.
router(config)#
C.
router(config-ext-nacl)#
D.
router#
Answer: C
Explanation:
The auditor of a Cisco router should be familiar with the variety of privilege modes. The current
privilege mode can be quickly identified by looking at the current router prompt. The prime modes
of a Cisco router are as follows:
Audit trail or audit log is a chronological sequence of audit records, each of which contains
evidence directly pertaining to and resulting from the execution of a business process or system
function. Under which of the following controls does audit control come?
A.
Protective controls
B.
Reactive controls
C.
Detective controls
D.
Preventive controls
Answer: C
Explanation:
Audit trail or audit log comes under detective controls. Detective controls are the audit controls that
are not needed to be restricted. Any control that performs a monitoring activity can likely be
defined as a Detective Control. For example, it is possible that mistakes, either intentional or
unintentional, can be made. Therefore, an additional Protective control is that these companies
must have their financial results audited by an independent Certified Public Accountant. The role
of this accountant is to act as an auditor. In fact, any auditor acts as a Detective control. If the
organization in question has not properly followed the rules, a diligent auditor should be able to
detect the deficiency which indicates that some control somewhere has failed.
Answer: A, D are incorrect. Protective or preventative controls serve to proactively define and
Which of the following does an anti-virus program update regularly from its manufacturer's Web
site?
A.
Hotfixes
B.
Permissions
C.
Service packs
D.
Definition
Answer: D
Explanation:
An anti-virus program updates the virus definition file regularly from the anti-virus manufacturer's
Web site. Antivirus (or anti-virus) software is used to prevent, detect, and remove malware,
including computer viruses, worms, and trojan horses. Such programs may also prevent and
remove adware, spyware, and other forms of malware. Traditional antivirus software solutions run
virus scanners on schedule, on demand and some run scans in real time. If a virus or malware is
located, the suspect file is usually placed into a quarantine to terminate its chances of disrupting
the system. Traditional antivirus solutions scan and compare against a publicized and regularly
updated dictionary of malware otherwise known as a blacklist. Some antivirus solutions have
additional options that employ a heuristic engine which further examines the file to see if it is
behaving in a similar manner to previous examples of malware. A new technology utilized by a few
antivirus solutions is whitelisting; this technology first checks if the file is trusted and only questions
those that are not. With the addition of wisdom of crowds, antivirus solutions backup other
antivirus techniques by harnessing the intelligence and advice of a community of trusted users to
protect each other.
Answer: C is incorrect. A service pack is a collection of Fixes and Patches in a single product. A
service pack can be used to handle a large number of viruses and bugs or to update an operating
system with advanced better capabilities. A service pack usually contains a number of file
Answer: A is incorrect. Hotfix is a collection of files used by Microsoft for software updates that are
released between major service pack releases. A hotfix is about a problem, occurring under
specific circumstances, which cannot wait to be fixed till the next service pack release. Hotfixes
are generally related to security problems. Hence, it is essential to fix these problems as soon as
possible.
Answer: B is incorrect. An anti-virus program does not update Permissions regularly from its
manufacturer's Web site.
Which of the following are the drawbacks of the NTLM Web authentication scheme?
A.
The password is sent in hashed format to the Web server.
B.
It works only with Microsoft Internet Explorer.
C.
The password is sent in clear text format to the Web server.
D.
It can be brute forced easily.
Answer: B,D
Explanation:
The following are the drawbacks of the NTLM Web Authentication Scheme:
Answer: A, C are incorrect. NTLM authentication does not send the user's password (or hashed
representation of the password) across the network. Instead, NTLM authentication utilizes
challenge/response mechanisms to ensure that the actual password never traverses the network.
How does it work? When the authentication process begins, the client sends a login request to the
telnet server. The server replies with a randomly generated 'token' to the client. The client hashes
the currently logged-on user's cryptographically protected password with the challenge and sends
the resulting "response" to the server. The server receives the challenge-hashed response and
compares it in the following manner:
Now it hashes the token against the user's password hash from its own user account database.
Which of the following tools uses Internet Control Message Protocol (ICMP)?
A.
Port scanner
B.
Brutus
C.
Fragroute
D.
Ping scanner
Answer: D
Explanation:
A ping scanner is a tool that sends ICMP ECHO requests across a network and rapidly makes a
list of responding nodes. Internet Control Message Protocol (ICMP) is an integral part of IP. It is
used to report an error in datagram processing. The Internet Protocol (IP) is used for host-to-host
datagram service in a network. The network is configured with connecting devices called
gateways. When an error occurs in datagram processing, gateways or destination hosts report the
error to the source hosts through the ICMP protocol. The ICMP messages are sent in various
situations, such as when a datagram cannot reach its destination, when the gateway cannot direct
the host to send traffic on a shorter route, when the gateway does not have the buffering capacity,
etc.
Answer: A, B, C are incorrect. These tools do not use ICMP to perform their functions.
A.
The getCreationTime() method can be called on an invalidated session.
C.
A session can be invalidated programmatically as well as using the deployment descriptor.
D.
The getAttribute(String name) method throws an IllegalArgumentException if called on an
invalidated session.
Answer: C
Explanation:
This can be done by specifying the timeout between the <session-timeout> tags as follows:
<session-config>
<session-timeout>10</session-timeout>
</session-config>
This will set the session timeout to ten minutes.
Setting the timeout programmatically: This will set the timeout for a specific session.
session.setMaxInactiveInterval(10 * 60);
In this method, the timeout is specified in seconds. Hence, this will also set the session timeout to
ten minutes.
Answer: A is incorrect. The getCreationTime() method returns the time when the session was
created. The time is measured in milliseconds since midnight January 1, 1970. This method
throws an IllegalStateException if it is called on an invalidated session.
Answer: D is incorrect. The getAttribute(String name) method of the HttpSession interface returns
the value of the named attribute as an object. It returns a null value if no attribute with the given
name is bound to the session. This method throws an IllegalStateException if it is called on an
invalidated session.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to impose some special access restrictions on users. Which of the following Unix
configuration files can you use to accomplish the task?
"Pass Any Exam. Any Time." - www.actualtests.com 127
GIAC GSNA Exam
A.
/var/run/utmp
B.
/etc/terminfo
C.
/etc/usertty
D.
/etc/termcap
Answer: C
Explanation:
In Unix, the /etc/usertty file is used to impose some special access restrictions on users.
Answer: B is incorrect. In Unix, the /etc/terminfo file contains the details for the terminal I/O.
Answer: A is incorrect. In Unix, the /var/run/utmp file is the configuration file that contains
information about the currently logged-in users. Mostly, the who and w commands use this file.
Answer: D is incorrect. In Unix, the /etc/termcap file works as a terminal capability database.
You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. You want to use multiple security countermeasures to protect the integrity of the
information assets of the company. To accomplish the task, you need to create a complex and
multi-layered defense system. Which of the following components can be used as a layer that
constitutes 'Defense in depth'? (Choose three.)
A.
Backdoor
B.
Firewall
C.
Antivirus software
D.
Intrusion detection
Answer: B,C,D
Explanation:
The components of Defense in depth include antivirus software, firewalls, anti-spyware programs,
hierarchical passwords, intrusion detection, and biometric verification. In addition to electronic
countermeasures, physical protection of business sites along with comprehensive and ongoing
personnel training enhances the security of vital data against compromise, theft, or destruction.
Answer: A is incorrect. A backdoor is any program that allows a hacker to connect to a computer
without going through the normal authentication process. The main advantage of this type of
attack is that the network traffic moves from inside a network to the hacker's computer. The traffic
moving from inside a network to the outside world is typically the least restrictive, as companies
are more concerned about what comes into a network, rather than what leaves it. It, therefore,
becomes hard to detect backdoors.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to see the username, real name, home directory, encrypted password, and other
information about a user. Which of the following Unix configuration files can you use to accomplish
the task?
A.
/etc/passwd
B.
/etc/printcap
C.
/etc/hosts
D.
/etc/inittab
Answer: A
Explanation:
In Unix, the /etc/passwd file contains username, real name, home directory, encrypted password,
and other information about a user.
Answer: C is incorrect. In Unix, the /etc/hosts file lists the hosts for name lookup use that are
locally required.
Answer: D is incorrect. In Unix, the /etc/inittab file is the configuration file for init. It controls startup
run levels and determines scripts to start with.
A.
It scans for networks passively on supported cards.
B.
It cracks WEP and WPA keys by Rainbow attack or by dictionary attack.
C.
It is a wireless network discovery tool for Mac OS X.
D.
Data generated by KisMAC can also be saved in pcap format.
Answer: A,C,D
Explanation:
KisMAC is a wireless network discovery tool for Mac OS X. It has a wide range of features, similar
to those of Kismet, its Linux/BSD namesake, and far exceeding those of NetStumbler, its closest
equivalent on Windows. The program is geared toward network security professionals, and is not
as novice-friendly as similar applications. KisMAC will scan for networks passively on supported
cards - including Apple's AirPort, and AirPort Extreme, and many third-party cards, and actively on
any card supported by Mac OS X itself. Cracking of WEP and WPA keys, both by brute force, and
exploiting flaws such as weak scheduling and badly generated keys is supported when a card
capable of monitor mode is used, and packet reinjection can be done with a supported card. GPS
mapping can be performed when an NMEA compatible GPS receiver is attached. Data can also
be saved in pcap format and loaded into programs such as Wireshark.
You are the Network Administrator for a company. You have decided to conduct a user access
and rights review. Which of the following would be checked during such a review? (Choose three.)
A.
Access Control Lists
C.
User Roles
D.
Firewalls
E.
Group Membership
Answer: A,C,E
Explanation:
A user access and rights review must check all users, what groups they belong to, what roles they
have, and what access they have. Furthermore, such a review should also check logs to see if
users are appropriately utilizing their system rights and privileges.
You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-based
network. You have configured a firewall on the network. A filter has been applied to block all the
ports. You want to enable sending and receiving of emails on the network. Which of the following
ports will you open? (Choose two.)
A.
25
B.
20
C.
80
D.
110
Answer: A,D
Explanation:
In order to enable email communication, you will have to open ports 25 and 110. Port 25 is used
by SMTP to send emails. Port 110 is used by POP3 to receive emails.
In which of the following attack techniques does an attacker try to intercept the successful
handshake and then use a dictionary attack to retrieve the shared key?
A.
Shared key guessing
B.
Brute force attack
C.
Dictionary attack
D.
PSK cracking
Answer: D
Explanation:
PSK cracking is an attack technique in which an attacker tries to intercept the successful
handshake and then uses a dictionary attack to retrieve the shared key.
Answer: A is incorrect. Shared key guessing is an attack technique in which an intruder by use of
various cracking tools tries to guess the shared key of a wireless network and gain access to it.
Answer: B is incorrect. In a brute force attack, an attacker uses software that tries a large number
of key combinations in order to get a password. To prevent such attacks, users should create
passwords that are more difficult to guess, e.g., using a minimum of six characters, alphanumeric
combinations, mixed lower- and upper-case letters, etc.
A.
System.AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
PrincipalPermission MyPermission = new PrincipalPermission(null, @"BUILTIN\Users", true);
MyPermission.Demand();
B.
PrincipalPermission MyPermission = new PrincipalPermission(null, @"BUILTIN\Users", true);
MyPermission.Demand();
C.
System.AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
PrincipalPermission MyPermission = new PrincipalPermission(null, @"Users", true);
MyPermission.Demand();
D.
PrincipalPermission MyPermission = new PrincipalPermission(null, @"Users", true);
MyPermission.Demand();
Answer: A,C
Explanation:
The PrincipalPermission class allows security checks against the active principal. This is done by
using the language constructs that are defined for both imperative and declarative security actions.
To perform an imperative security demand for membership in a built-in Microsoft Windows group,
you must first set the default principal policy to the Windows principal by calling the
SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal) statement. Then construct a
PrincipalPermission object specifying the group name. To specify the group name, you can
provide just the group name, or you can preface the group name with either "BUILTIN\" or the
computer name and a backslash. Finally, call the PrincipalPermission.Demand method. There is
another method of identifying group membership, i.e. by using the PrincipalPermission class or the
PrincipalPermissionAttribute attribute from the System.Security.Permissions namespace. The
PrincipalPermission object requires that the identity of the active principal match the identity
information that is passed to its constructor. The identity information contains the user's identity
name and role.
You want to change the number of characters displaying on the screen while reading a txt file.
However, you do not want to change the format of the txt file. Which of the following commands
A.
cat
B.
tail
C.
less
D.
more
Answer: D
Explanation:
The more command is used to view (but not modify) the contents of a text file on the terminal, one
screen at a time. The syntax of the more command is as follows: more [options] file_name Where,
Answer: A is incorrect. The concatenate (cat) command is used to display or print the contents of
a file. Syntax: cat filename For example, the following command will display the contents of the
/var/log/dmesg file: cat /var/log/dmesg
Note: The more command is used in conjunction with the cat command to prevent scrolling of the
screen while displaying the contents of a file.
Answer: C is incorrect. The less command is used to view (but not change) the contents of a text
file, one screen at a time. It is similar to the more command. However, it has the extended
capability of allowing both forward and backward navigation through the file. Unlike most Unix text
editors/viewers, less does not need to read the entire file before starting; therefore, it has faster
load times with large files. The syntax of the less command is as follows: less [options] file_name
Where,
Answer: B is incorrect. The tail command is used to display the last few lines of a text file or piped
data.
Zorp is a proxy firewall suite developed by Balabit IT Security. Which of the following statements
are true about Zorp?
A.
It allows the administrators to fine-tune proxy decisions.
B.
Zorp aims for compliance with the Common Criteria/Application Level Firewall Protection Profile
for Medium Robustness.
C.
It allows full analysis of embedded protocols.
D.
The GPL version of Zorp lacks much of the usability and functions from the other versions.
Answer: A,B,C
Explanation:
Zorp is a proxy firewall suite developed by Balabit IT Security. Its core framework allows the
administrator to fine-tune proxy decisions (with its built-in script language), and fully analyze
embedded protocols (such as SSL with an embedded POP3 or HTTP protocol). The FTP, HTTP,
FINGER, WHOIS, TELNET, and SSL protocols are fully supported with an application-level
gateway. Zorp aims for compliance with the Common Criteria/Application Level Firewall Protection
Profile for Medium Robustness. Zorp is released under GNU/GPL and commercial license too.
The GPL version is completely usable and functional; however, it lacks some of the more
advanced functions available in the commercially available version only. Some of the Zorp
supported protocols are Finger, Ftp, Http, Pop3, NNTP, IMAP4, RDP, RPC, SIP, SSL, SSH,
Telnet, Whois, LDAP, RADIUS, TFtp, SQLNet NET8, Rsh, etc.
Answer: D is incorrect. The GPL version of Zorp is completely usable and functional; however, it
lacks some of the more advanced functions available in the commercially available version only.
Which of the following user authentications are supported by the SSH-1 protocol but not by the
SSH-2 protocol?
A.
TIS authentication
B.
Kerberos authentication
C.
Rhosts (rsh-style) authentication
D.
Password-based authentication
Answer: A,B,C
Explanation:
The Rhosts (rsh-style), TIS, and Kerberos user authentication methods are supported by the
SSH-1 protocol but not by the SSH-2 protocol.
Answer: D is incorrect. Password-based authentication is supported by both the SSH-1 and SSH-2
protocols.
Samantha works as a Web Developer for XYZ CORP. She is designing a Web site for the
company. In a Web page, she uses the HTTP-EQUIV attribute to control the page cache. Which of
the following HTTP-EQUIV values controls the page cache in the browser folder?
A.
Window-target
B.
Status-code
C.
Content-type
D.
Pragma
Answer: D
Explanation:
Which of the following are the reasons for implementing firewall in any network?
A.
Create a choke point
B.
Log Internet activity
C.
Log system activity
D.
Limit access control
E.
Implementing security policy
F.
Limit network host exposure
Answer: A,B,E,F
Explanation:
A firewall is a part of a computer system or network that is designed to block unauthorized access
while permitting authorized communications. It is a device or set of devices configured to permit,
deny, encrypt, decrypt, or proxy all computer traffic between different security domains based
upon a set of rules and other criteria. The four important roles of a firewall are as follows:
2. Creating a choke point: A firewall can create a choke point between a private network of an
organization and a public network. With the help of a choke point the firewall devices can monitor,
filter, and verify all inbound and outbound traffic.
3. Logging Internet activity: A firewall also enforces logging of errors and faults. It also provides an
alarm mechanism to the network.
Which of the following aaa accounting commands should be used to enable logging of both the
start and stop records for user terminal sessions on the router?
A.
aaa accounting auth proxy start-stop tacacs+
B.
aaa accounting system none tacacs+
C.
aaa accounting connection start-stop tacacs+
D.
aaa accounting exec start-stop tacacs+
Answer: D
Explanation:
In order to enable logging of both start and stop records for user terminal sessions on the router,
the aaa accounting exec start-stop tacacs+ command should be used. The exec option performs
accounting for EXEC shell sessions.
Answer: B is incorrect. The aaa accounting system none tacacs+ command disables accounting
services on a specific interface for all system-level events that are not related to users, such as
reload.
Answer: C is incorrect. The aaa accounting connection start-stop tacacs+ command is used to
enable logging of both start and stop records for all outbound connections that are established
from the NAS (Network Access Server), such as Telnet, local-area transport (LAT), TN3270,
packet assembler and disassembler (PAD), and rlogin.
Answer: A is incorrect. The aaa accounting auth proxy start-stop tacacs+ command is used to
enable logging of both start and stop records for all authenticated proxy user events.
A.
syslogd
B.
klogd
C.
sysklogd
D.
syslog-ng
Answer: B,C
Explanation:
The klogd and sysklogd commands can be used to intercept and log the Linux kernel messages.
You work as a Security Administrator in Tech Perfect Inc. The company has a TCP/IP based
network. The network has a vast majority of Cisco Systems routers and Cisco network switches.
You have implemented four VPN connections in the network. You use the Cisco IOS on the
network. Which feature will you enable to maintain a separate routing and forwarding table for
each VPN?
A.
Intrusion Prevention System
B.
VRF-aware firewall
C.
Virtual Private Network
D.
Stateful firewall
Answer: B
Explanation:
In this scenario, the company's network has a vast majority of Cisco Systems routers and Cisco
network switches. The security administrator of the company has implemented four VPN
connections in the network and uses the Cisco IOS on the network. He needs to maintain a
separate routing and forwarding table for each VPN in order to provide more secure
communication. To accomplish this task, he should enable the VRF-aware firewall feature on the
Cisco IOS routers.
In which of the following scanning techniques does a scanner connect to an FTP server and
request that server to start data transfer to the third system?
A.
Xmas Tree scanning
B.
TCP FIN scanning
C.
TCP SYN scanning
D.
Bounce attack scanning
Answer: D
Explanation:
In TCP FTP proxy (bounce attack) scanning, a scanner connects to an FTP server and requests
that server to start a data transfer to a third system. The scanner uses the PORT FTP command to
find out whether or not the data transfer process is listening on the target system at a certain port
number. Then the scanner uses the LIST FTP command to list the current directory. The result is
sent over the server. If the data transfer is successful, it is clear that the port is open. If the port is
closed, the attacker receives the connection refused ICMP error message.
Answer: A is incorrect. Xmas Tree scanning is just the opposite of null scanning. In Xmas Tree
scanning, all the flags in the packet are turned on. If the target port is open, the service running on
the target port discards the packets without any reply. According to RFC 793, if the port is closed,
the remote system replies with an RST packet. Active monitoring of all incoming packets can help
system and network administrators detect an Xmas Tree scan.
Answer: B is incorrect. TCP FIN scanning is a type of stealth scanning, in which the attacker
sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was
sent mistakenly by the attacker and sends an RST packet to the attacker. If the port is open, the
FIN packet will be ignored and the port will drop that packet. TCP FIN scanning is useful only for
identifying ports of non-Windows operating systems because Windows operating systems send
only RST packets irrespective of whether the port is open or closed.
4. If the RST packet is received, it indicates that the port is closed.
This type of scanning is hard to trace because the attacker never establishes a full 3-way
handshake connection and most sites do not create a log of incomplete TCP connections.
In the DNS Zone transfer enumeration, an attacker attempts to retrieve a copy of the entire zone
file for a domain from a DNS server. The information provided by the DNS zone can help an
attacker gather user names, passwords, and other valuable information. To attempt a zone
transfer, an attacker must be connected to a DNS server that is the authoritative server for that
zone. Besides this, an attacker can launch a Denial of Service attack against the zone's DNS
servers by flooding them with a lot of requests. Which of the following tools can an attacker use to
perform a DNS zone transfer?
A.
DSniff
B.
Dig
C.
Host
D.
NSLookup
Answer: B,C,D
Explanation:
An attacker can use Host, Dig, and NSLookup to perform a DNS zone transfer.
Answer: A is incorrect. DSniff is a sniffer that can be used to record network traffic. Dsniff is a set
of tools that are used for sniffing passwords, e-mail, and HTTP traffic. Some of the tools of Dsniff
include dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, and mailsnarf. Dsniff is highly effective
for sniffing both switched and shared networks. It uses the arpredirect and macof tools for
Which of the following statements are true about security risks? (Choose three.)
A.
They can be removed completely by taking proper actions.
B.
They are considered an indicator of threats coupled with vulnerability.
C.
They can be mitigated by reviewing and taking responsible actions based on possible risks.
D.
They can be analyzed and measured by the risk analysis process.
Answer: B,C,D
Explanation:
In information security, security risks are considered an indicator of threats coupled with
vulnerability. In other words, security risk is a probabilistic function of a given threat agent
exercising a particular vulnerability and the impact of that risk on the organization. Security risks
can be mitigated by reviewing and taking responsible actions based on possible risks. These risks
can be analyzed and measured by the risk analysis process.
Answer: A is incorrect. Security risks can never be removed completely but can be mitigated by
taking proper actions.
A.
It allows or restricts the flow of specific types of packets to provide security.
B.
It is used to send confidential data on the public network.
C.
It allows or restricts the flow of encrypted packets to provide security.
D.
It is used to store information about confidential data.
Answer: A
Explanation:
Packet filtering is a method that allows or restricts the flow of specific types of packets to provide
security. It analyzes the incoming and outgoing packets and lets them pass or stops them at a
network interface based on the source and destination addresses, ports, or protocols. Packet
filtering provides a way to define precisely which type of IP traffic is allowed to cross the firewall of
an intranet. IP packet filtering is important when users from private intranets connect to public
networks, such as the Internet.
Mark works as a Web Designer for XYZ CORP. The company has a Windows-based network.
Mark creates an HTML document that gives the following error on execution: "These hypertext
system features are not supported by HTML". Which of the following can be the hypertext system
features that are NOT supported by HTML? (Choose three.)
A.
Source tracking
B.
Typed link
C.
Hyperlink
D.
Fat link
Answer: A,B,D
Explanation:
HTML lacks some of the features found in earlier hypertext systems, such as typed links, source
tracking, fat links, etc. Even some hypertext features that were in early versions of HTML have
been ignored by most popular web browsers until recently, such as the link element and
in-browser Web page editing. Sometimes Web services or browser manufacturers remedy these
shortcomings.
Which of the following statements about data integrity of a container are true? (Choose two.)
A.
It ensures that a hacker cannot alter the contents of an HTTP message while it is in transit from a
container to a client.
B.
Data integrity ensures that information is made available to users who are authorized to access it.
C.
Data integrity ensures that information has not been modified by a third party while it is in transit.
D.
It ensures that an eavesdropper cannot read an HTTP message being sent from a client to a
container.
Answer: A,C
Explanation:
Data integrity ensures that information has not been modified, altered, or destroyed by a third
party while it is in transit. Data integrity ensures that the data received is same as the data that
was sent. Moreover, no one can tamper with the data during transmission from source to
destination.
It also ensures that a hacker cannot alter the contents of an HTTP message while it is in transit
from the container to the client. This will be accomplished through the use of HTTPS. The HTTPS
stands for Hypertext Transfer Protocol over Secure Socket Layer. The HTTPS encrypts and
decrypts the page requests and page information between the client browser and the Web server
using a Secure Socket Layer.
A.
The network layer headers and the session layer port numbers
B.
The transport layer port numbers and the application layer headers
C.
The application layer port numbers and the transport layer headers
D.
The presentation layer headers and the session layer port numbers
Answer: B
Explanation:
A firewall stops delivery of packets that are not marked safe by the Network Administrator. It
checks the transport layer port numbers and the application layer headers to prevent certain ports
and applications from getting the packets into an Enterprise.
You work as a Network Administrator for XYZ CORP. The company's Windows 2000 network is
configured with Internet Security and Acceleration (ISA) Server 2000. ISA Server is configured as
follows:
The server uses the default site and content rule and default IP packet filters.
Users in the network complain that they are unable to access secure Web sites. However, they
are able to connect to Web sites in which secure transmission is not required. What is the most
likely cause?
A.
A protocol rule that allows the use of HTTP has not been created.
B.
An IP packet filter that allows the use of network traffic on port 80 has not been created.
C.
An IP packet filter that allows the use of network traffic on port 443 has not been created.
D.
A protocol rule that allows the use of HTTPS has not been created.
Answer: C
Explanation:
The default IP packet filter allows HTTP protocol (for non-secure communication) at port 80 to
access the Internet. However, to allow users to access secure Web sites, you will have to create
an additional packet filter to allow communication on port 443.
You work as a Database Administrator for Dolliver Inc. The company uses Oracle 11g as its
database. You have used the LogMiner feature for auditing purposes. Which of the following files
store a copy of the data dictionary? (Choose two.)
A.
Online redo log files
B.
Operating system flat file
C.
Dump file
D.
Control file
Answer: A,B
Explanation:
LogMiner requires a dictionary to translate object IDs into object names when it returns redo data
to you. You have the following three options to retrieve the data dictionary:
The Online catalog: It is the easiest and most efficient option to use. It is used when a database
user has access to the source database from which the redo log files were created. The other
condition that should be satisfied is that there should be no changes to the column definitions in
the desired tables.
The Redo Log Files: This option is used when a database user does not have access to the
source database from which the redo log files were created and if there are any chances of
changes to the column definitions of the desired tables.
An operating system flat file: Oracle does not recommend using this option, but it is retained for
backward compatibility. The reason for not preferring this option is that it does not guarantee
transactional consistency. LogMiner is capable of accessing the Oracle redo logs. It keeps a
complete record of all the activities performed on the database, and the associated data
dictionary, which is used to translate internal object identifiers and types to external names and
data formats. For offline analysis, LogMiner can be run on a separate database, using archived
redo logs and the associated dictionary from the source database.
Which of the following policies helps reduce the potential damage from the actions of one person?
A.
CSA
B.
Separation of duties
C.
Internal audit
D.
Risk assessment
Answer: B
Explanation:
Separation of duties (SoD) is the concept of having more than one person required to complete a
task. It is alternatively called segregation of duties or, in the political realm, separation of powers.
Segregation of duties helps reduce the potential damage from the actions of one person. The IS
or end-user department should be organized in a way that achieves adequate separation of duties.
According to ISACA's Segregation of Duties Control matrix, some duties should not be combined
into one position. This matrix is not an industry standard, just a general guideline suggesting which
positions should be separated and which require compensating controls when combined.
Answer: A is incorrect. Cisco Security Agent (CSA) is an endpoint intrusion prevention system. It is
rule-based and examines system activity and network traffic, determining which behaviors are
normal and which may indicate an attack. CSA uses a two- or three-tier client-server architecture.
The Management Center 'MC' (or Management Console) contains the program logic; an MS SQL
database backend is used to store alerts and configuration information; the MC and SQL database
may be co-resident on the same system. The Agent is installed on the desktops and/or servers to
be protected. The Agent communicates with the Management Center, sending logged events to
the Management Center and receiving rule updates when they occur.
Web mining allows a user to look for patterns in data through content mining, structure mining, and
usage mining. What is the function of structure mining?
A.
To examine data collected by search engines
B.
To examine data collected by Web spiders
C.
To examine data related to the structure of a particular Web site
D.
To examine data related to a particular user's browser
Answer: C
Explanation:
Structure mining is used to examine data related to the structure of a particular Web site.
Answer: D is incorrect. Usage mining is used to examine data related to a particular user's
browser as well as data gathered by forms the user may have submitted during Web transactions.
John works as a professional Ethical Hacker. He has been assigned a project to test the security
of www.we-are-secure.com. He copies the whole structure of the We-are-secure Web site to the
local disk and obtains all the files on the Web site. Which of the following techniques is he using to
accomplish his task?
A.
Eavesdropping
B.
Fingerprinting
C.
Web ripping
D.
TCP FTP proxy scanning
Answer: C
Explanation:
Web ripping is a technique in which the attacker copies the whole structure of a Web site to the
local disk and obtains all files of the Web site. Web ripping helps an attacker to trace the loopholes
of the Web site.
Answer: D is incorrect. In TCP FTP proxy (bounce attack) scanning, a scanner connects to an
FTP server and requests it to start data transfer to a third system. The scanner uses the PORT
FTP command to find out whether or not the data transfer process is listening to the target system
at a certain port number. It then uses the LIST FTP command to list the current directory, and the
result is sent over the server. If the data transfer is successful, it clearly indicates that the port is
open. If the port is closed, the attacker receives the connection refused ICMP error message.
Answer: B is incorrect. Fingerprinting is the easiest way to detect the Operating System (OS) of a
remote system. OS detection is important because, after knowing the target system's OS, it
becomes easier to hack into the system. Fingerprinting compares the data packets that are sent by
the target system. The analysis of data packets gives the attacker a hint as to
which operating system is being used by the remote system. There are two types of fingerprinting
techniques, as follows:
In active fingerprinting, ICMP messages are sent to the target system and the response message
of the target system shows which OS is being used by the remote system. In passive fingerprinting,
the number of hops reveals the OS of the remote system.
"Pass Any Exam. Any Time." - www.actualtests.com 149
GIAC GSNA Exam
Peter works as a Web Developer for XYZ CORP. He is developing a Web site for the company. In
one of the Web pages, Peter wants to ensure that certain information is consistent and visible
while the other information changes. Which of the following will he use to accomplish this?
A.
Tables
B.
Navigation links
C.
Data elements
D.
Frames
Answer: D
Explanation:
Peter will use frames in the Web page. Frames are extensions of the HTML 3.2 standard
introduced by Netscape. Elements such as navigation links and a title graphic can be placed in
static individual frames. The <frame> tag defines the contents that will appear in each frame. It is
used within the <frameset> tag. Frames allow users to display multiple HTML files at a time.
Answer: B is incorrect. Navigation links are used with the navigation bar to display a page. These
hyperlinks are relative to the navigational structure of a Web site.
Answer: C is incorrect. Data elements are used to access data in XML format from a Web server.
In a network, a data packet is received by a router for transmitting it to another network. In order to
make decisions on where the data packet should be forwarded, the router checks with its routing
table. Which of the following lists does a router check in a routing table?
B.
Available packets
C.
Available protocols
D.
Available paths
Answer: A,D
Explanation:
A routing table stores the actual routes to all destinations; the routing table is populated from the
topology table with every destination network that has its successor and optionally feasible
successor identified (if unequal-cost load-balancing is enabled using the variance command). The
successors and feasible successors serve as the next hop routers for these destinations. Unlike
most other distance vector protocols, EIGRP does not rely on periodic route dumps in order to
maintain its topology table. Routing information is exchanged only upon the establishment of new
neighbor adjacencies, after which only changes are sent.
Answer: C is incorrect. A routing table does not contain any list of protocols.
Answer: B is incorrect. A routing table does not contain any list of packets.
You work as a Network Administrator for XYZ CORP. The company has a small TCP/IP-based
network environment. The network contains a Cisco Catalyst 6000 family switch. A few sales
people come to your outer office and use your local network to access the Internet, as well as to
demonstrate their products. What will you do to prevent your network from being accessed by any
outside computers?
A.
Configure port security.
B.
Configure a firewall for IP blocking on the network.
C.
Configure a firewall for MAC address blocking on the network.
D.
Answer: A
Explanation:
According to the question, you are required to prevent outside computers from accessing your
network. You should therefore configure the switch's port access based on the MAC address,
which can be done by configuring port security. Port security is a feature of Cisco Catalyst series
switches. Port security is used to block input based on the media access control (MAC) address to
an Ethernet, Fast Ethernet, or Gigabit Ethernet port. It denies the port access to a workstation
when the MAC address of the station attempting to access the port is different from any of the
MAC addresses specified for that port. Internet or other outside networks.
Answer: D is incorrect. A port scanner is a software tool that is designed to search a network host
for open ports. This tool is often used by administrators to check the security of their networks. It is
also used by hackers to compromise the network and systems.
Which of the following security policies will you implement to keep your data safe when you
connect your Laptop to the office network over IEEE 802.11 WLANs? (Choose two.)
A.
Using personal firewall software on your Laptop.
B.
Using a protocol analyzer on your Laptop to monitor for risks.
C.
Using a port scanner like nmap in your network.
D.
Using an IPSec enabled VPN for remote connectivity.
Answer: A,D
Explanation:
According to the scenario, you want to implement a security policy to keep your data safe when
you connect your Laptop to the office network over IEEE 802.11 WLANs. For this, you will use the
following two options:
1. Using IPSec enabled VPN for remote connectivity: Internet Protocol Security (IPSec) is a
standard-based protocol that provides the highest level of VPN security. IPSec can encrypt
2. Using personal firewall software on your Laptop: You can also create a firewall rule to block
malicious packets so that you can secure your network.
Answer: C is incorrect. A port scanner is used to scan ports and report which ports are open.
Although this tool is very useful in the information-gathering step of an attack, it
cannot be used to protect a WLAN.
Answer: B is incorrect. You cannot use a packet analyzer to protect your network. A packet
analyzer is used to analyze data packets flowing in the network.
You work as a Database Administrator for XYZ CORP. The company has a multi-platform
network. The company requires a database that can receive data from various types of operating
systems. You want to design a multidimensional database to accomplish the task. Which of the
following statements are true about a multidimensional database?
A.
It is used to optimize Online Analytical Processing (OLAP) applications.
B.
It is used to optimize data warehouse.
C.
It is rarely created using input from existing relational databases.
D.
It allows users to ask questions that are related to summarizing business operations and trends.
Answer: A,B,D
Explanation:
A multidimensional database (MDB) is a type of database that is optimized for data warehouse
and Online Analytical Processing (OLAP) applications. Multidimensional databases are frequently
created using input from existing relational databases. Whereas a relational database is typically
accessed using a Structured Query Language (SQL) query, a multidimensional database allows a
user to ask questions like "How many Aptivas have been sold in Nebraska so far this year?" and
similar questions related to summarizing business operations and trends. An OLAP application
that accesses data from a multidimensional database is known as a MOLAP (multidimensional
OLAP) application.
Answer: C is incorrect. A multidimensional database is frequently created using input from existing
relational databases.
You want to record auditing information in the SYS.AUD$ table, and also want to record SQL bind
variables as well as the SQL text in the audit trail. Which of the following statements will
accomplish this task?
A.
ALTER SYSTEM SET AUDIT_TRAIL = DB, XML SCOPE=SPFILE;
B.
ALTER SYSTEM SET AUDIT_TRAIL = 'DB, EXTENDED' SCOPE=SPFILE;
C.
ALTER SYSTEM SET AUDIT_TRAIL = 'DB','EXTENDED'SCOPE=SPFILE;
D.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE=SPFILE;
E.
ALTER SYSTEM SET AUDIT_FILE_DEST = 'DB, EXTENDED' SCOPE=SPFILE;
F.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE=BOTH;
Answer: C,D
Explanation:
The initialization parameter AUDIT_TRAIL is used to specify the kind of auditing that needs to be
performed, as well as the destination where it will be performed. There are three basic values for
auditing that are DB, OS, and XML. Specifying DB sends all audit rows to the table SYS.AUD$,
OS sends the audit rows to an operating system file, and XML sends the audit rows to an
operating system file in the XML format. The location for external audit rows is specified by the
AUDIT_FILE_DEST parameter. By adding the EXTENDED parameter for either DB or XML
auditing, all SQL bind variables and the text of all SQL commands are included in the audit row.
EXTENDED cannot be specified for OS auditing. In addition, NONE can be specified as the value
for AUDIT_TRAIL, which will disable all auditing.
Answer: B is incorrect. DB, EXTENDED in single quotes cannot be specified when setting the
AUDIT_TRAIL parameter.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to track the system for user logins. To accomplish the task, you need to analyze the log
configuration files. Which of the following Unix log configuration files can you use to accomplish
the task?
A.
/var/log/messages
B.
/var/log/secure
C.
/var/spool/mail
D.
/var/log/maillog
Answer: B
Explanation:
In Unix, the /var/log/secure file is used to track the systems for user logins.
Answer: D is incorrect. In Unix, the /var/log/maillog file is the normal system maillog file.
Answer: A is incorrect. In Unix, the /var/log/messages file is the main system message log file.
Answer: C is incorrect. In Unix, the /var/spool/mail file is the file where mailboxes are usually
stored.
You work as a Software Developer for UcTech Inc. You are building a Web site that will contain
study materials on the Java language. The company wants that members can access all the
pages, but non-members have only limited access to the Web site pages. Which of the following
security mechanisms will you use to accomplish the task?
B.
Authentication
C.
Confidentiality
D.
Authorization
Answer: D
Explanation:
Authorization is a process that verifies whether a user has permission to access a Web resource. A
Web server can restrict access to some of its resources to only those clients that log in using a
recognized username and password. To be authorized, a user must first be authenticated.
Answer: B is incorrect. Authentication is the process of verifying the identity of a user. This is
usually done using a user name and password. This process compares the provided user name
and password with those stored in the database of an authentication server.
Answer: C is incorrect. Confidentiality is a mechanism that ensures that only the intended and
authorized recipients are able to read data. The data is so encrypted that even if an unauthorized
user gets access to it, he will not get any meaning out of it.
Answer: A is incorrect. Data integrity is a mechanism that ensures that the data is not modified
during transmission from source to destination. This means that the data received at the
destination should be exactly the same as that sent from the source.
Which of the following commands can you use to search a string 'pwd' in all text files without
opening them? (Choose two.)
A.
vi
B.
grep
C.
sed
Answer: B,C
Explanation:
sed and grep are the two commands that can be used to search a specified string in all text files
without opening them. sed is a stream editor that is used to perform basic text transformations on
an input stream (a file or input from a pipeline).
Pingdom is a website monitoring service. Which of the following services are provided by
Pingdom?
A.
It creates complicated charts to spot trends and imprecisely pinpoint problems.
B.
It works as an iPhone application to make sure that a website is reachable and responding
properly at all times.
C.
It is used to monitor sites and servers on the Internet.
D.
It is used to track the uptime, downtime, and performance of websites.
Answer: B,C,D
Explanation:
Pingdom is a website monitoring service that is used by administrators to monitor sites and
servers on the Internet. It alerts the site owners if it detects a problem. The Pingdom service is used to
track the uptime, downtime, and overall performance of websites. Pingdom also works as an
iPhone application to make sure that a website is reachable and responding properly at all times. If
not, it provides the administrator with email and SMS alerts. It creates charts and tables that
are easy to understand. These charts and tables enable an administrator to spot trends and
accurately pinpoint problems.
Answer: A is incorrect. Pingdom creates charts that are easy to understand. These charts are used
to spot trends and accurately pinpoint problems.
Which of the following records is the first entry in a DNS database file?
A.
CNAME
B.
SOA
C.
SRV
D.
MX
Answer: B
Explanation:
The Start of Authority (SOA) record is the first record in any DNS database file. The SOA resource
record includes the following fields: owner, TTL, class, type, authoritative server, refresh, minimum
TTL, etc.
Answer: A is incorrect. Canonical Name (CNAME) is a resource record that creates an alias for
the specified Fully Qualified Domain Name (FQDN). It hides the implementation details of a
network from the clients that are connected to the network.
Answer: D is incorrect. MX is a mail exchange resource record in the database file of a DNS
server. It specifies a mail exchange server for a DNS domain name.
Answer: C is incorrect. SRV resource record is a DNS record that enables users to specify the
location of servers for a specific service, protocol, and DNS domain. For example, if there are two
servers in a domain, creating SRV records specifies which hosts serve as Web servers, and
resolvers can then retrieve all the SRV resource records for the Web servers.
A.
Configuring firewall to block unauthorized traffic
C.
Simulating an actual attack on a network
D.
Implementing NIDS on a network
Answer: C
Explanation:
You configure a wireless router at your home. To secure your home Wireless LAN (WLAN), you
implement WEP. Now you want to connect your client computer to the WLAN. Which of the
following is the required information that you will need to configure the client computer? (Choose
two.)
A.
SSID of the WLAN
B.
WEP key
C.
IP address of the router
D.
MAC address of the router
Answer: A,B
Explanation:
In order to connect a client computer to a secured Wireless LAN (WLAN), you are required to
provide the following information:
Which of the following statements about the /etc/profile file are true?
A.
It allows a system administrator to create a default home directory for all new users on a
computer.
B.
A user can change the settings of the /etc/profile file, but he cannot delete the file. It can only be
deleted by the root user.
C.
It can change the default umask value.
D.
It is used to configure and control system-wide default variables.
Answer: C,D
Explanation:
The /etc/profile file is used to configure and control system-wide default variables. It performs
many operations, some of which are as follows:
Only the root user can configure and change the /etc/profile file for all users on the system.
Answer: A is incorrect. The /etc/skel file allows a system administrator to create a default home
directory for all new users on a computer or network and thus to make certain that all users begin
with the same settings. When a new account is created with a home directory, the entire contents
of /etc/skel are copied into the new home directory location. The home directory and its entire
contents are then set to the new account's UID and GID, making the new user owner of the initial
files. The system administrator can create files in /etc/skel that will provide a nice default
environment for users. For example, he might create a /etc/skel/.profile that sets the PATH
environment variable for new users.
Answer: B is incorrect. Only the root user can change the settings of the /etc/profile file.
Which of the following are attributes of the <TABLE> tag? (Choose three.)
A.
BORDER
B.
ALIGN
C.
TD
D.
WIDTH
Answer: A,B,D
Explanation:
The WIDTH attribute of the <TABLE> tag is used to set the width of a table. Width can be
specified in pixels or as a percentage. For example, if a table of the same width as that of the parent
object has to be created, the WIDTH attribute must be set to 100%. The ALIGN attribute aligns the
table within the text flow. By default, alignment is set to left. The BORDER attribute of the
<TABLE> tag is used to set the width of the table border.
Answer: C is incorrect. <TD> is not an attribute of the <TABLE> tag. It is a tag used to specify cells
in a table.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to make changes on a per-directory basis. Which of the following Unix configuration files
can you use to accomplish the task?
B.
$HOME/Xrootenv.0
C.
$HOME/.htaccess
D.
/var/log/btmp
Answer: C
Explanation:
In Unix, the $HOME/.htaccess file provides a way to make configuration changes on a per
directory basis.
Answer: A is incorrect. In Unix, the $HOME/.profile file contains the user's environment settings and
startup programs.
Answer: B is incorrect. In Unix, the $HOME/Xrootenv.0 file contains networking and environment
info.
Answer: D is incorrect. In Unix, the /var/log/btmp file is used to store information about failed
logins.
Which of the following types of audit constructs a risk profile for existing and new projects?
A.
Technological position audit
B.
Technological innovation process audit
C.
Innovative comparison audit
D.
Client/Server, Telecommunications, Intranets, and Extranets audits
Answer: B
Explanation:
Various authorities have created differing taxonomies to distinguish the various types of IT audits.
Goodman & Lawless state that there are three specific systematic approaches to carry out an IT
audit:
Answer: D is incorrect. These are the audits to verify that controls are in place on the client
(computer receiving services), server, and on the network connecting the clients and servers.
Pervasive IS controls can be used across all the internal departments and external contractors to
define the direction and behavior required for the technology to function properly. When these
controls are implemented properly, which of the following areas show the reliability improvement?
(Choose three.)
A.
Hardware development
B.
Software development
C.
Security administration
D.
Disaster recovery
Answer: B,C,D
Explanation:
Pervasive IS controls can be used across all the internal departments and external contractors. If
the Pervasive IS controls are implemented properly, it improves the reliability of the following:
Answer: A is incorrect. Pervasive IS controls do not have any relation with the reliability of the
hardware development.
Which of the following are the limitations for the cross site request forgery (CSRF) attack?
B.
The attacker must target a site that doesn't check the referrer header.
C.
The target site should have limited lifetime authentication cookies.
D.
The target site should authenticate in GET and POST parameters, not only cookies.
Answer: A,B
Explanation:
A CSRF attack has the following limitations:
1. The attacker must target either a site that doesn't check the Referer header (which is common)
or a victim with a browser or plugin bug that allows Referer spoofing (which is rare).
2. The attacker must find a form submission at the target site that does something useful to the
attacker (e.g., transfers money, or changes the victim's e-mail address or password).
3. The attacker must determine the right values for all the form inputs: if any of them are required
to be secret authentication values or IDs that the attacker can't guess, the attack will fail.
4. The attacker must lure the victim to a Web page with malicious code while the victim is logged
in to the target site. The attacker can't see what the target Web site sends back to the victim
in response to the forged requests, unless he exploits a cross-site scripting or other bug at the
target Web site.
Similarly, the attacker can only "click" links or submit forms that come up after the initial
forged request if the subsequent links or forms are similarly predictable. (Multiple "clicks" can be
simulated by including multiple images on a page, or by using JavaScript to introduce a delay
between clicks.) A Web site can protect itself from cross-site request forgeries (CSRF) by applying the following
countermeasures:
Requiring a secret, user-specific token in all form submissions prevents CSRF; the attacker's site
can't put the right token in its submissions.
Individual Web users can do relatively little to prevent cross-site request forgery.
John works as a professional Ethical Hacker. He has been assigned a project to test the security
of www.we-are-secure.com. He successfully performs a brute force attack on the We-are-secure
server. Now, he suggests some countermeasures to avoid such brute force attacks on the We-
are-secure server. Which of the following are countermeasures against a brute force attack?
A.
The site should use CAPTCHA after a specific number of failed login attempts.
B.
The site should increase the encryption key length of the password.
C.
The site should restrict the number of login attempts to only three times.
D.
The site should force its users to change their passwords from time to time.
Answer: A,C
Explanation:
Using CAPTCHA or restricting the number of login attempts are good countermeasures against a
brute force attack.
Which of the following types of firewall ensures that the packets are part of the established
session?
A.
Stateful inspection firewall
B.
Switch-level firewall
C.
D.
Application-level firewall
Answer: A
Explanation:
The stateful inspection firewall combines the circuit level and the application level firewall
techniques. It assures the session or connection between the two parties is valid. It also inspects
packets from the session to assure that the packets are part of the established session and not
malicious.
Answer: C is incorrect. The circuit-level firewall regulates traffic based on whether or not a trusted
connection has been established.
Answer: D is incorrect. The application level firewall inspects the contents of packets, rather than
the source/destination or connection between the two devices.
One of the sales people in your company complains that sometimes he gets a lot of unsolicited
messages on his PDA. After asking a few questions, you determine that the issue only occurs in
crowded areas like airports. What is the most likely problem?
A.
Spam
B.
Blue snarfing
C.
A virus
D.
Blue jacking
Answer: D
Explanation:
Blue jacking is the process of using another Bluetooth device that is within range (about 30' or
less) to send unsolicited messages to the target.
Answer: C is incorrect. A virus would not cause unsolicited messages. Adware might, but not a
virus.
Answer: A is incorrect. Spam would not be limited to when the person was in a crowded area.
Which of the following is a technique of using a modem to automatically scan a list of telephone
numbers, usually dialing every number in a local area code to search for computers, Bulletin board
systems, and fax machines?
A.
Warkitting
B.
War driving
C.
Wardialing
D.
Demon dialing
Answer: C
Explanation:
War dialing or wardialing is a technique of using a modem to automatically scan a list of telephone
numbers, usually dialing every number in a local area code to search for computers, Bulletin board
systems, and fax machines. Hackers use the resulting lists for various purposes, hobbyists for
exploration, and crackers - hackers that specialize in computer security - for password guessing.
Answer: D is incorrect. In the computer hacking scene of the 1980s, demon dialing was a
technique by which a computer is used to repeatedly dial a number (usually to a crowded modem
pool) in an attempt to gain access immediately after another user had hung up. The expansion of
accessible Internet service provider connectivity since that time more or less rendered the practice
obsolete. The term "demon dialing" derives from the Demon Dialer product from Zoom
Telephonics, Inc., a telephone device produced in the 1980s which repeatedly dialed busy
telephone numbers under control of an extension phone.
Answer: B is incorrect. War driving, also called access point mapping, is the act of locating and
possibly exploiting connections to wireless local area networks while driving around a city or
elsewhere. To do war driving, one needs a vehicle, a computer (which can be a laptop), a wireless
Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be
mounted on top of or positioned inside the car. Because a wireless LAN may have a range that
extends beyond an office building, an outside user may be able to intrude into the network, obtain
a free Internet connection, and possibly gain access to company records and other resources.
You work as a Network Administrator for NTY Inc. The company has a secure wireless network.
While auditing the network for maintaining security, you find an unknown node. You want to locate
that node.
Which tool will you use to pinpoint the actual physical location of the node?
A.
Kismet
B.
Ekahau
C.
WEPCrack
D.
AirSnort
Answer: B
Explanation:
Ekahau is an easy-to-use, powerful, and comprehensive tool for network site surveys and
optimization. It is an auditing tool that can be used to pinpoint the actual physical location of
wireless devices in the network. This tool can be used to make a map of the office and then
perform the survey of the office. In the process, if one finds an unknown node, Ekahau can be
used to locate that node.
Answer: A is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.
Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the
following tasks:
Answer: C is incorrect. WEPCrack is a wireless network cracking tool that exploits the
vulnerabilities in the RC4 algorithm, which underlies the WEP security parameters. It mainly
consists of three tools, which are as follows:
WeakIVGen: It allows a user to emulate the encryption output of 802.11 networks to weaken the
secret key used to encrypt the network traffic.
Prism-getIV: It analyzes packets of information until it ultimately matches patterns to the one known
to decrypt the secret key.
WEPCrack: It pulls together all the useful data from WeakIVGen and Prism-getIV to decipher the network
encryption.
Topic 3, Volume C
You are the Network Admin for a company. You are concerned about users having access to
items they should not. Your concern is that they may inadvertently have been granted access to
those resources. When conducting a user access and rights review, which of the following is most
likely to show you such unintentional granting of user rights?
A.
IDS Logs
B.
Access Control Lists
C.
Server logs
D.
Group Membership
Answer: D
Explanation:
Most often, user rights are determined by the groups the user belongs to. In some cases a user
may mistakenly be added to a group they should not be in. It is also common that a user moves
within the organization but is still retained in their previous group, giving them those rights.
Answer: B is incorrect. Access Control Lists are usually set up manually. This means that a
person would not likely be inadvertently added. You might want to check the ACLs, and you might
find some issues, but this is not the most likely way to find users with inappropriate rights.
Answer: C is incorrect. At best server logs can show you if a user accessed a resource. But a user
could have access to a resource, and simply not have used that access yet.
Answer: A is incorrect. IDS logs will only help you identify potential attacks. Unless you suspect
the user of intentionally trying to break into resources, an IDS log will not help in this scenario.
Brutus is a password cracking tool that can be used to crack the following authentications:
HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3 (Post Office Protocol v3)
FTP (File Transfer Protocol)
SMB (Server Message Block)
Telnet
Which of the following attacks can be performed by Brutus for password cracking?
A.
Man-in-the-middle attack
B.
Hybrid attack
C.
Replay attack
D.
Brute force attack
E.
Dictionary attack
Answer: B,D,E
Explanation:
Brutus can be used to perform brute force attacks, dictionary attacks, or hybrid attacks.
John used to work as a Network Administrator for We-are-secure Inc. Now he has resigned from
the company for personal reasons. He wants to send out some secret information of the company.
To do so, he takes an image file and simply uses a tool named Image Hide to embed the secret file
within an image file of the famous actress, Jennifer Lopez, and sends it to his Yahoo mail ID. Since
he is using the image file to send the data, the mail server of his company is unable to filter this
mail. Which of the following techniques is he performing to accomplish his task?
A.
Web ripping
B.
Steganography
C.
Email spoofing
D.
Social engineering
Answer: B
Explanation:
According to the scenario, John is performing the Steganography technique for sending malicious
data. Steganography is an art and science of hiding information by embedding harmful messages
within other seemingly harmless messages. It works by replacing bits of unused data, such as
graphics, sound, text, and HTML, with bits of invisible information in regular computer files. This
hidden information can be in the form of plain text, cipher text, or even in the form of images.
Answer: A is incorrect. Web ripping is a technique in which the attacker copies the whole structure
of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker
to trace the loopholes of the Web site.
Answer: D is incorrect. Social engineering is the art of convincing people and making them
disclose useful information such as account names and passwords. This information is further
exploited by hackers to gain access to a user's computer or network. This method involves mental
ability of the people to trick someone rather than their technical skills. A user should always
distrust people who ask him for his account name or password, computer name, IP address,
employee ID, or other information that can be misused.
Answer: C is incorrect. John is not performing email spoofing. In email spoofing, an attacker sends
emails after writing another person's mailing address in the From field of the email.
Which of the following backup sites takes the longest recovery time?
A.
Mobile backup site
B.
Warm site
C.
Cold site
D.
Hot site
Answer: C
Explanation:
A cold backup site takes the longest recovery time. It is the most inexpensive type of backup site
for an organization to operate. It does not include backed up copies of data and information from
the original location of the organization, nor does it include hardware already set up. The lack of
hardware contributes to the minimal startup costs of the cold site, but requires additional time
following the disaster to have the operation running at a capacity close to that prior to the disaster.
Answer: D is incorrect. A hot site is a duplicate of the original site of the organization, with full
computer systems as well as near-complete backups of user data. Real time synchronization
between the two sites may be used to completely mirror the data environment of the original site
using wide area network links and specialized software. Ideally, a hot site will be up and running
within a matter of hours or even less.
Answer: A is incorrect. Although a mobile backup site provides rapid recovery, it does not provide
full recovery in time. Hence, a hot site takes the shortest recovery time.
Answer: B is incorrect. A warm site is, quite logically, a compromise between hot and cold. These
sites will have hardware and connectivity already established, though on a smaller scale than the
original production site or even a hot site. Warm sites will have backups on hand, but they may not
be complete and may be between several days and a week old. An example would be backup
tapes sent to the warm site by courier.
Many organizations create network maps of their network system to visualize the network and
understand the relationship between the end devices and the transport layer that provide services.
"Pass Any Exam. Any Time." - www.actualtests.com 172
GIAC GSNA Exam
Which of the following are the techniques used for network mapping by large organizations? Each
correct answer represents a complete solution. (Choose three.)
A.
Route analytics
B.
Active Probing
C.
SNMP-based approaches
D.
Packet crafting
Answer: A,B,C
Explanation:
Many organizations create network maps of their network system. These maps can be made
manually using simple tools such as Microsoft Visio, or the mapping process can be simplified by
using tools that integrate automatic network discovery with network mapping. Many of the vendors
from the Notable Network Mappers list enable a user to do the following:
Sophisticated mapping is used to help visualize the network and understand relationships between
end devices and the transport layers that provide service. Items such as bottlenecks and root
cause analysis can be easier to spot using these tools.
There are three main techniques used for network mapping: SNMP-based approaches, Active
Probing, and Route analytics. The SNMP-based approach retrieves data from router and switch
MIBs in order to build the network map. The Active Probing approach relies on a series of
traceroute-like probe packets in order to build the network map. The Route analytics approach
relies on information from the routing protocols to build the network map. Each of the three
approaches has advantages and disadvantages in the methods that they use.
Answer: D is incorrect. Packet crafting is a technique that allows probing firewall rule-sets and
finding entry points into the targeted system or network. This can be done with a packet generator.
A packet generator is a type of software that generates random packets or allows the user to
construct detailed custom packets. Packet generators utilize raw sockets. This is useful for testing
implementations of IP stacks for bugs and security vulnerabilities.
You have been assigned a project to develop a Web site for a construction company. You plan to
develop a Web site and want to get more control over the appearance and presentation of the
Web pages. You also want to increase your ability to precisely specify the position and
appearance of the elements on a page and create special effects. You plan to use cascading style
sheets (CSS). You want to define styles only for the active page. Which type of style sheet will you
use?
A.
Embedded Style Sheet
B.
Inline Style Sheet
C.
Internal Style Sheet
D.
External Style Sheet
Answer: A
Explanation:
To define styles only for the active page, you should use an embedded style sheet. Cascading
style sheets (CSS) are used so that Web site authors can exercise greater control over the
appearance and presentation of their Web pages. They also increase the ability to precisely
specify the location and look of elements on a Web page and help in creating special effects.
Cascading Style Sheets contain codes that are interpreted and applied by the browser to the Web
pages and their elements. There are three types of cascading style sheets: External Style Sheets,
Embedded Style Sheets, and Inline Style Sheets. External Style Sheets are used whenever
consistency in style is required throughout a Web site. A typical external style sheet uses a .css
file extension, which can be edited using a text editor such as Notepad. Embedded Style Sheets
are used for defining styles for an active page. Inline Style Sheets are used for defining individual
elements of a page.
Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number:
Q179628
You want to monitor the network infrastructure of a software-based company. The network
infrastructure of the company consists of the following:
A.
Axence nVision
B.
CommandCenter NOC
C.
Netmon
D.
Cymphonix Network Composer
Answer: A
Explanation:
Answer: B is incorrect. CommandCenter NOC is a simple and effective tool that performs network
monitoring with a powerful polling engine. It provides polling, Windows and UNIX/Linux server
management, intrusion detection, vulnerability scanning, and traffic analysis in an integrated
appliance.
Answer: C is incorrect. Network Monitor (Netmon) is a protocol analyzer. It is used to analyze the
network traffic. It is installed by default during the installation of the operating system. It can be
installed by using Windows Components Wizard in the Add or Remove Programs tool in Control
Panel. Network Monitor is used to perform the following tasks:
2. Display and filter captured frames immediately after capture or at a later time.
You work as a Network Administrator for Techpearl Inc. You are configuring the rules for the
firewall of the company. You need to allow internal users to access secure external websites.
Which of the following firewall rules will you use to accomplish the task?
A.
TCP 172.16.1.0/24 any any 80 HTTP permit
B.
TCP 172.16.1.0/24 any any 25 SMTP permit
C.
TCP 172.16.1.0/24 any any 80 HTTP deny
D.
TCP 172.16.1.0/24 any any 443 HTTPs permit
Answer: D
Explanation:
The TCP 172.16.1.0/24 any any 443 HTTPs permit rule is used to allow internal users to access
secure external websites.
Answer: A is incorrect. The TCP 172.16.1.0/24 any any 80 HTTP permit rule is used to allow
internal users to access external websites (both secure and unsecure).
Answer: C is incorrect. The TCP 172.16.1.0/24 any any 80 HTTP deny rule is used to deny
internal users access to external websites.
Answer: B is incorrect. The TCP 172.16.1.0/24 any any 25 SMTP permit rule is used to allow
internal mail servers to deliver mail to external mail servers.
Which of the following statements is true about the Digest Authentication scheme?
A.
A valid response from the client contains a checksum of the username, the password, the given
random value, the HTTP method, and the requested URL.
B.
C.
The password is sent over the network in clear text format.
D.
It uses the base64 encoding encryption scheme.
Answer: A
Explanation:
The Digest Authentication scheme is a replacement for the Basic Authentication scheme. This
authentication scheme is based on the challenge-response model. In Digest authentication, the
password is never sent across the network in clear text format but is always transmitted as an
MD5 digest of the user's password. In this way, the password cannot be determined with the help
of a sniffer.
How does it work? In this authentication scheme, an optional header allows the server to specify
the algorithm used to create the checksum or digest (by default, the MD5 algorithm). The Digest
Authentication scheme provides the challenge using a randomly chosen value. This randomly
chosen value is a server-specified data string which may be uniquely generated each time a 401
response is made. A valid response contains a checksum (by default, the MD5 checksum) of the
username, the password, the given random value, the HTTP method, and the requested URL. In
this way, the password is never sent in clear text format.
Drawback: Although the password is not sent in clear text format, an attacker can gain access with
the help of the digested password, since the digested password is really all the information needed
to access the web site.
Answer: B, C, D are incorrect. These statements are true about the Basic Authentication scheme.
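The computation the explanation above describes, as an added example that is not part of the original exam material: the client builds the Digest response from the username, realm, password, server nonce, HTTP method and URI, and the server verifies it from a stored HA1 (the "digested password") without ever seeing the clear-text password. The realm, user name, password and nonce values are constructed, and the header parser and DigestServer class are my own illustration, not a library API.

```python
"""Digest Authentication (RFC 2617, no qop) worked example: client-side
response computation, server-side verification from a stored HA1, and a
server nonce check. All names and values are constructed for illustration."""
import hashlib
import hmac
import re
import secrets


def md5_hex(text: str) -> str:
    """Hex MD5 of a string; MD5 is the scheme's default digest algorithm."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is the 'digested password'
    a server can store instead of the clear-text password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(user_ha1: str, method: str, uri: str, nonce: str) -> str:
    """response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri), so the
    checksum binds username, realm, password, server nonce, method and URI."""
    ha2 = md5_hex(f"{method.upper()}:{uri}")
    return md5_hex(f"{user_ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce):
    """Client side: the Authorization header value sent with the request."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


# key="quoted value" or key=bare-token, comma separated (constructed parser)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {k: q if q else b for k, q, b in _PARAM_RE.findall(params)}


class DigestServer:
    """Server side: stores HA1 per user (never the password) and the nonces
    it issued in 401 challenges; each nonce is accepted once, then dropped."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}      # username -> HA1
        self.issued = set()  # outstanding server nonces

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        """Issue the randomly chosen nonce carried in the 401 response."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, method: str, uri: str, header: str) -> bool:
        p = parse_authorization(header)
        if any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
            return False
        if p["realm"] != self.realm or p["uri"] != uri:
            return False
        if p["nonce"] not in self.issued:
            return False  # unknown, expired or already used nonce
        stored = self.users.get(p["username"])
        if stored is None:
            return False
        expected = digest_response(stored, method, uri, p["nonce"])
        ok = hmac.compare_digest(expected.encode(), p["response"].encode())
        if ok:
            self.issued.discard(p["nonce"])  # one nonce, one successful request
        return ok


def demo():
    """Round trip: challenge, client response, verification, then the checks
    that a reused nonce and a wrong password are both rejected."""
    server = DigestServer("example-realm")
    server.add_user("alice", "correct horse battery staple")  # constructed
    nonce = server.challenge()
    hdr = build_authorization("alice", "example-realm",
                              "correct horse battery staple",
                              "GET", "/dir/index.html", nonce)
    accepted = server.verify("GET", "/dir/index.html", hdr)
    reused = server.verify("GET", "/dir/index.html", hdr)  # same nonce again
    nonce2 = server.challenge()
    bad = build_authorization("alice", "example-realm", "wrong",
                              "GET", "/dir/index.html", nonce2)
    wrong_password = server.verify("GET", "/dir/index.html", bad)
    return accepted, reused, wrong_password


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because HA1 alone is enough to compute a valid response (the drawback noted above), the server's HA1 store needs the same protection as a password file.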
You have detected what appears to be an unauthorized wireless access point on your network.
However, this access point has the same MAC address as one of your real access points and is
broadcasting with a stronger signal. What is this called?
A.
Bluesnarfing
B.
The evil twin attack
C.
WAP cloning
D.
DOS
Answer: B
Explanation:
In the evil twin attack, a rogue wireless access point is set up that has the same MAC address as
one of your legitimate access points. That rogue WAP will often then initiate a denial of service
attack on your legitimate access point making it unable to respond to users, so they are redirected
to the 'evil twin'.
Answer: D is incorrect. A DOS may be used as part of establishing an evil twin, but this attack is
not specifically for denial of service.
Answer: C is incorrect. While you must clone a WAP MAC address, the attack is not called WAP
cloning.
You work as a Computer Hacking Forensic Investigator for SecureNet Inc. You want to investigate
a Cross-Site Scripting attack on your company's Website. Which of the following methods of
investigation can you use to accomplish the task?
A.
Review the source of any HTML-formatted e-mail messages for embedded scripts or links in the
URL to the company's site.
B.
Look at the Web server's logs and normal traffic logging.
C.
Use Wireshark to capture traffic going to the server and then search for the requests going to
the input page, which may give a log of the malicious traffic and the IP address of the source.
D.
Use a Web proxy to view the Web server transactions in real time and investigate any
communication with outside servers.
Answer: A,B,D
You can use the following methods to investigate Cross-Site Scripting attack:
2. Use a Web proxy to view the Web server transactions in real time and investigate any
communication with outside servers.
3. Review the source of any HTML-formatted e-mail messages for embedded scripts or links in the
URL to the company's site.
Answer: C is incorrect. This method is not used to investigate a Cross-Site Scripting attack.
Which of the following commands will you use to watch a log file /var/adm/messages while the log
file is updating continuously?
A.
less -g /var/adm/messages
B.
tail /var/adm/messages
C.
cat /var/adm/messages
D.
tail -f /var/adm/messages
Answer: D
Explanation:
The tail command is used to display the last few lines of a text file or piped data. It has a special
command line option -f (follow) that allows a file to be monitored. Instead of displaying the last few
lines and exiting, tail displays the lines and then monitors the file. As new lines are added to the
file by another process, tail updates the display. This is particularly useful for monitoring log files.
The following command will display the last 10 lines of messages and append new lines to the
display as new lines are added to messages:
tail -f /var/adm/messages
Answer: B is incorrect. The tail command will display the last 10 lines (default) of the log file.
For example, the following command will display the contents of the /var/log/dmesg file:
cat /var/log/dmesg
Note: The more command is used in conjunction with the cat command to prevent scrolling of the
screen while displaying the contents of a file.
Answer: A is incorrect. The less command is used to view (but not change) the contents of a text
file, one screen at a time. It is similar to the more command. However, it has the extended
capability of allowing both forward and backward navigation through the file. Unlike most Unix text
editors/viewers, less does not need to read the entire file before starting; therefore, it has faster
load times with large files.
Mark works as the Network Administrator for XYZ CORP. The company has a Unix-based
network. Mark wants to scan one of the Unix systems to detect security vulnerabilities. To
accomplish this, he uses TARA as a system scanner. What can be the reasons that made Mark
use TARA?
A.
It has a very specific function of seeking paths to root.
B.
It is composed mostly of bash scripts.
C.
It works on a wide variety of platforms.
D.
It is very modular.
Answer: B,C,D
Explanation:
Tiger Analytical Research Assistant (TARA) is a set of scripts that scans a Unix system for
security problems. Following are the pros and cons of using TARA.
Cons:
Mark works as a Web Developer for XYZ CORP. He is developing a Web site for the company.
The Manager of the company requires Mark to use tables instead of frames in the Web site. What
is the major advantage that a table-structured Web site has over a frame-structured Web site?
A.
Easy maintenance
B.
Speed
C.
Better navigation
D.
Capability of being bookmarked or added to the Favorites folder
Answer: D
Explanation:
The major advantage that a table-structured Web site has over a frame-structured Web site is that
users can bookmark the pages of a table-structured Web site, whereas pages of a
frame-structured Web site cannot be bookmarked or added to the Favorites folder. Non-frame
Web sites also give better results with search engines.
Better navigation: Web pages can be divided into multiple frames, and each frame can display a
separate Web page. This helps in providing better and consistent navigation.
Easy maintenance: Fixed elements, such as a navigation link and company logo page, can be
created once and used with all the other pages. Therefore, any change in these elements needs
to be made only once.
A.
DIV
B.
GROUP
C.
BODY
D.
SPAN
Answer: A
Explanation:
DIV is an HTML tag that groups a series of elements into a larger group. It can be used when an
action needs to be performed collectively on the grouped elements. The DIV tag acts as a
container for other elements.
Answer: D is incorrect. The SPAN tag is used within an element to group a part of it. For example,
this tag can be used to group a few sentences from within a paragraph, so that a particular action
can be performed only on them.
Answer: C is incorrect. The BODY tag is used to specify the beginning and end of the document
body.
Which of the following are the disadvantages of Dual-Homed Host Firewall Architecture?
A.
It can provide services by proxying them.
B.
It can provide a very low level of control.
C.
User accounts may unexpectedly enable services a user may not consider secure.
Answer: A,C,D
Explanation:
A dual-homed host is one of the firewall architectures for implementing preventive security. It
provides the first-line defense and protection technology for keeping untrusted bodies from
compromising information security by violating trusted network space as shown in the image
below:
A dual-homed host (or bastion host) is a system fortified with two network interfaces (NICs) that
sits between an untrusted network (like the Internet) and a trusted network (such as a corporate
network) to provide secure access. Dual-homed, or bastion, is a general term for proxies,
gateways, firewalls, or any server that provides secured applications or services directly to an
untrusted network.
2. User accounts may unexpectedly enable services a user may not consider secure.
Answer: B is incorrect. Dual-Homed Host Firewall Architecture can provide a very high level of
control.
What are the purposes of audit records on an information system? (Choose two.)
A.
Upgradation
B.
Backup
C.
Troubleshooting
D.
Investigation
Answer: C,D
Explanation:
Answers A, B are incorrect. The audit records cannot be used for backup and upgradation
purposes.
A.
WPA-PSK requires a user to enter an 8-character to 63-character passphrase into a wireless
client.
B.
Shared-key WPA is vulnerable to password cracking attacks if a weak passphrase is used.
D.
WPA provides better security than WEP.
Answer: A,B,C,D
Explanation:
WPA stands for Wi-Fi Protected Access. It is a wireless security standard. It provides better
security than WEP (Wired Equivalent Privacy). Windows Vista supports both WPA-PSK and
WPA-EAP. Each of these is described as follows:
WPA-PSK: PSK stands for Preshared Key. This standard is meant for home environments.
WPA-PSK requires a user to enter an 8-character to 63-character passphrase into a wireless
client. WPA converts the passphrase into a 256-bit key.
WPA-EAP: EAP stands for Extensible Authentication Protocol. This standard relies on a back-end
server that runs Remote Authentication Dial-In User Service (RADIUS) for user authentication.
Note: Windows Vista allows a user to use a smart card to connect to a WPA-EAP protected
network.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to do RARP mapping from hardware (MAC) addresses to IP addresses. Which of the
following Unix configuration files can you use to accomplish the task?
A.
/etc/dhcpd.conf
B.
/etc/motd
C.
/etc/exports
D.
/etc/ethers
Answer: D
Explanation:
In Unix, the /etc/ethers file is used by system administrators for RARP mapping from hardware
(MAC) addresses to IP addresses.
Answer: A is incorrect. In Unix, the /etc/dhcpd.conf file is the configuration file for the DHCP server
daemon.
Answer: C is incorrect. In Unix, the /etc/exports file describes exported file systems for NFS
services.
Answer: B is incorrect. In Unix, the /etc/motd file automatically displays the message of the day
after a successful login.
You work as a Security Administrator in Tech Perfect Inc. The company has a TCP/IP based
network. The network has a vast majority of Cisco Systems routers and Cisco network switches.
You want to take a snapshot of the router running configuration and archive running configuration
of the router to persistent storage. Which of the following steps will you take?
A.
Secure the boot configuration
B.
Restore an archived primary bootset
C.
Verify the security of the bootset
D.
Enable the image resilience
Answer: A
Explanation:
In order to take a snapshot of the router running configuration and archive running configuration of
the router to persistent storage, you should secure the boot configuration of the router using the
secure boot-config command.
Answer: D is incorrect. You can enable the image resilience, if you want to secure the Cisco IOS
image.
Answer: C is incorrect. By verifying the security of bootset, you can examine whether or not the
Answer: B is incorrect. By restoring an archived primary bootset, you can restore a primary
bootset from a secure archive after an NVRAM has been erased or a disk has been formatted.
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He executes the following
command in the terminal:
Which of the following will be displayed as the correct output of the above command?
A.
John, 0
B.
root, 0
C.
root, 500
D.
John, 502
Answer: B
Explanation:
According to the scenario, John is a root user. Hence, the values of the environment variables
$USER and $UID will be root and 0, respectively.
You work as a Network Administrator for Tech Perfect Inc. The company requires a secure
wireless network. To provide security, you are configuring ISA Server 2006 as a firewall. While
configuring ISA Server 2006, which of the following is NOT necessary?
A.
Setting up of monitoring on ISA Server
B.
Defining how ISA Server would cache Web contents
C.
Defining ISA Server network configuration
D.
Configuration of VPN access
Answer: D
Explanation:
Answer: A, B, C are incorrect. All these steps are mandatory for the configuration of the ISA
Server 2006 firewall.
You work as the Network Administrator for a company. You configure a Windows 2000-based
computer as the Routing and Remote Access server, so that users can access the company's
network, remotely. You want to log a record of all the users who access the network by using
Routing and Remote Access. What will you do to log all the logon activities?
A.
On the Routing and Remote Access server, enable log authentication requests in auditing, and
define the path for the log file in Remote Access Logging.
B.
On the Routing and Remote Access server, enable log authentication requests in Remote Access
Logging.
C.
On the Routing and Remote Access server, enable log authentication requests in auditing.
D.
Do nothing as the Windows 2000-based Routing and Remote Access server automatically creates
a log record for each connection attempt.
Answer: B
Explanation:
A.
.hts
B.
.cs
C.
.js
D.
.css
Answer: D
Explanation:
A Cascading Style Sheet (CSS) is a separate text file that keeps track of design and formatting
information, such as colors, fonts, font sizes, and margins, used in Web pages. CSS is used to
provide Web site authors greater control on the appearance and presentation of their Web pages.
It has codes that are interpreted and applied by the browser on to the Web pages and their
elements. CSS files have .css extension.
Which of the following is a basic feature of the Unix operating system? (Choose three.)
B.
All files can be individually protected using read, write, and execute permissions for the user,
group, and others.
C.
It allows all the modules to be loaded into memory.
D.
A user can execute multiple programs at the same time from a single terminal.
Answer: A,B,D
Explanation:
A.
It is a duplicate of the original site of the organization, with full computer systems as well as near-
complete backups of user data.
B.
It is the most inexpensive backup site.
C.
It can be used within an hour for data recovery.
D.
It is cheaper than a cold site but more expensive than a warm site.
Answer: A,C
Explanation:
A hot site is a duplicate of the original site of the organization, with full computer systems as well
as near-complete backups of user data. A hot site can be used within an hour for data recovery.
The capacity of the hot site may or may not match the capacity of the original site depending on
the organization's requirements. This type of backup site is the most expensive to operate. Hot
sites are popular with organizations that operate real time processes such as financial institutions,
government agencies, and ecommerce providers. the original site. A cold site is the most
You have purchased a laptop that runs Windows Vista Home Premium. You want to protect your
computer from malicious applications, such as spyware, while connecting to the Internet. You
configure Windows Defender on your laptop to schedule a daily scan at 2 AM as shown in the
image below:
You want Windows Defender to scan the laptop for all the known spyware and other potentially
unwanted software, including the latest one. You do not want to manually perform this task. Which
of the following actions will you perform to accomplish the task?
A.
Create a scheduled task to download definition files for Windows Defender every Sunday.
B.
Configure Windows Defender to use the definition file placed on the Microsoft Update site for
scanning the laptop.
C.
Select the Check for updated definitions before scanning check box in the Automatic Scanning
section.
D.
Click the arrow beside the Help button, and then click the Check for updates option.
Answer: C
According to the question, Windows Defender should scan the laptop for all the known spyware
and other potentially unwanted software, including the latest one. Windows Defender uses
definitions to scan the system. Definitions are files that include the information of known spyware
and potentially unwanted software. To scan a computer for the latest spyware, Windows Defender
requires the latest definition files available on the Internet. For this, you have to configure Windows
Defender to check for the latest definitions and download them, if available, before scanning the
computer. Furthermore, the question also states that the task must be performed automatically. In
order to accomplish the task, you will have to select the Check for updated definitions before
scanning check box in the Automatic Scanning section.
Which of the following tags will create two vertical frames, as given in the image below, where the
left frame is half as wide as the right one?
A.
<FRAMESET ROWS = "*, *"><FRAME SRC = "cell1.htm"><FRAME SRC =
"cell2.htm"></FRAMESET>
B.
<FRAMESET ROWS = "1,2"><FRAME SRC = "cell1.htm"><FRAME SRC =
"cell2.htm"></FRAMESET>
C.
<FRAMESET COLS = "*, *"><FRAME SRC = "cell1.htm"><FRAME SRC =
"cell2.htm"></FRAMESET>
E.
<FRAMESET COLS = "*, 2*"><FRAME SRC = "cell1.htm"><FRAME SRC =
"cell2.htm"></FRAMESET>
Answer: E
Explanation:
<FRAMESET> tag specifies a frameset used to organize multiple frames and nested framesets in
an HTML document. It defines the location, size, and orientation of frames. An HTML document
can either contain a <FRAMESET> tag or a <BODY> tag.
The COLS attribute of the <FRAMESET> tag defines the width of the vertical frames. The ROWS
attribute defines the height of the horizontal frames. The code in answer option E will create two
vertical frames. The left frame will be half as wide as the right frame because of the relative size
attributes given in the <FRAMESET> tag, i.e., <FRAMESET COLS = "*, 2*">.
You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. The company wants to fix potential vulnerabilities existing on the tested systems. You
use Nessus as a vulnerability scanning program to fix the vulnerabilities. Which of the following
vulnerabilities can be fixed using Nessus?
A.
Vulnerabilities that allow a remote cracker to control sensitive data on a system
B.
Misconfiguration (e.g. open mail relay, missing patches, etc.)
C.
Vulnerabilities that allow a remote cracker to access sensitive data on a system
D.
Vulnerabilities that help in Code injection attacks
Answer: A,B,C
Explanation:
Examples of what Nessus can detect include the following:
1. Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
2. Misconfiguration (e.g. open mail relay, missing patches, etc.).
3. Default passwords, a few common passwords, and blank/absent passwords on some system
accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
4. Denials of service against the TCP/IP stack by using mangled packets.
On UNIX (including Mac OS X), Nessus consists of nessusd, the Nessus daemon, which does the
scanning, and nessus, the client, which controls scans and presents the vulnerability results to the
user. For Windows, Nessus 3 installs as an executable and has a self-contained scanning,
reporting, and management system.
Operations: In typical operation, Nessus begins by doing a port scan with one of its four internal
portscanners (or it can optionally use Amap or Nmap) to determine which ports are open on the
target and then tries various exploits on the open ports. The vulnerability tests, available as
subscriptions, are written in NASL (Nessus Attack Scripting Language), a scripting language
optimized for custom network interaction. Tenable Network Security produces several dozen new
vulnerability checks (called plugins) each week, usually on a daily basis. These checks are
available for free to the general public; commercial customers are not allowed to use this Home
Feed any more. The Professional Feed (which is not free) also gives access to support and
additional scripts (audit and compliance tests). Optionally, the results of the scan can be reported
in various formats, such as plain text, XML, HTML, and LaTeX. The results can also be saved in a
knowledge base for debugging. On UNIX, scanning can be automated through the use of a
command-line client. There exist many different commercial, free and open source tools for both
UNIX and Windows to manage individual or distributed Nessus scanners. If the user chooses to
do so (by disabling the option 'safe checks'), some of Nessus's vulnerability tests may try to cause
vulnerable services or operating systems to crash. This lets a user test the resistance of a device
before putting it in production.
Nessus provides additional functionality beyond testing for known network vulnerabilities. For
instance, it can use Windows credentials to examine patch levels on computers running the
Windows operating system, and can perform password auditing using dictionary and brute force
methods. Nessus 3 and later can also audit systems to make sure they have been configured per
a specific policy, such as the NSA's guide for hardening Windows servers.
Answer: D is incorrect. Nessus cannot be used to scan vulnerabilities that help in Code injection
attacks.
You are tasked with configuring your routers with a minimum security standard that includes the
following:
Configuring telnet and ssh to authenticate against the router user database
Choose the configuration that best meets these requirements.
A.
RouterA(config)#service password-encryption
B.
RouterA(config)#service password-encryption
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
C.
RouterA(config)#service password-encryption
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
D.
RouterA(config)#service enable-password-encryption
RouterA(config)#line vty 0 4
RouterA(config-line)#login user
Answer: C
Explanation:
In order to fulfill the requirements, you should use the following set of commands:
RouterA(config)#service password-encryption
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
Answer: D is incorrect. This configuration does not apply password encryption correctly. The
command service enable-password-encryption is incorrect. The correct command is service
password-encryption.
Answer: A is incorrect. This configuration applies the login command to the VTY lines. This would
require the password to be set at the VTY line 0 4 level. This effectively will not configure
user-level access for the VTY lines.
Answer: B is incorrect. The enable password command is obsolete and considered insecure. The
proper command is enable secret followed by the password value.
This is a Windows-based tool that is used for the detection of wireless LANs using the IEEE
802.11a, 802.11b, and 802.11g standards. The main features of these tools are as follows:
It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.
a) War driving
A.
THC-Scan
B.
NetStumbler
C.
Absinthe
D.
Kismet
Answer: B
Explanation:
NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the
IEEE 802.11a, 802.11b, and 802.11g standards. The main features of NetStumbler are as follows:
It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.
a. War driving
d. WEP ICV error tracking
e. Making graphs and alarms on 802.11 data, including signal strength
Answer: D is incorrect. Kismet is an IEEE 802.11 layer 2 wireless network detector, sniffer, and
intrusion detection system.
Data access auditing is a surveillance mechanism that watches over access to all sensitive
information contained within the database. What are the questions addressed in a perfect data
access auditing solution?
A.
Who accessed the data?
B.
When was the data accessed?
C.
For whom was the data accessed?
D.
What was the SQL query that accessed the data?
Answer: A,B,D
The perfect data access auditing solution would address the following six questions:
3. Which computer program or client software was used to access the data?
6. Was access to the data successfully done; and if so, how many rows of data were retrieved?
Answer: C is incorrect. In the perfect data access auditing solution, it cannot be determined for
whom the data is being accessed. Only the person accessing the data can be identified.
In 1947, the American Institute of Certified Public Accountants (AICPA) adopted GAAS to
establish standards for audits. Which of the following categories of audit standards established by
GAAS are related to professional and technical competence, independence, and professional due
care?
A.
Reporting standards
B.
Risk Analysis standards
C.
General standards
D.
Fieldwork standards
Answer: C
Explanation:
In 1947, the American Institute of Certified Public Accountants (AICPA) adopted Generally
Accepted Auditing Standards (GAAS) to establish standards for audits. The standards cover the
following three categories:
General Standards: They relate to professional and technical competence, independence, and
professional due care.
Field Work Standards: They relate to the planning of an audit, evaluation of internal control, and
obtaining sufficient evidential matter upon which an opinion is based.
Reporting Standards: They relate to the compliance of all auditing standards and adequacy of
disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to
explicitly state their assertions.
Mark is an attacker. He wants to discover wireless LANs by listening to beacons or sending probe
requests and thereby provide a launch point for further attacks. Which of the following tools can he
use to accomplish the task?
A.
DStumbler
B.
Wellenreiter
C.
KisMAC
D.
Airmon-ng
Answer: A,C,D
Explanation:
War driving is an attack in which the attacker discovers wireless LANs by listening to beacons or
sending probe requests, thereby providing a launch point for further attacks. Airmon-ng,
DStumbler, KisMAC, MacStumbler, NetStumbler, Wellenreiter, and WiFiFoFum are the tools that
can be used to perform a war driving attack.
Answer: B is incorrect. Wellenreiter is a tool that is used to perform MAC spoofing attacks.
A.
IEEE 802.4
B.
IEEE 802.3
C.
IEEE 802.5
D.
IEEE 802.11b
Answer: D
Explanation:
IEEE 802.11b is an extension of the 802.11 standard. It is used in wireless local area networks
(WLANs) and provides 11 Mbps transmission speeds in the bandwidth of 2.4 GHz.
Answer: B is incorrect. IEEE 802.3 is a standard for wired networks, which defines the media
access control (MAC) layer for bus networks that use CSMA/CD.
Answer: A is incorrect. IEEE 802.4 is a standard for wired networks, which defines the MAC layer
for bus networks that use a token-passing mechanism.
Answer: C is incorrect. IEEE 802.5 is a standard for wired networks, which defines the MAC layer
for token-ring networks.
You are responsible for a number of Windows Server 2003 DNS servers on a large corporate
network. You have decided to audit the DNS server logs. Which of the following are likely errors
you could encounter in the log? (Choose two.)
A.
The DNS server could not create FTP socket for address [IP address of server].
B.
The DNS server could not open socket for domain name [domain name of server].
C.
The DNS server could not create a Transmission Control Protocol (TCP) socket.
D.
The DNS server could not open socket for address [IP address of server].
Answer: C,D
Explanation:
There are a number of errors one could find in a Windows Server 2003 DNS log. They are as
follows:
The DNS server could not initialize the Remote Procedure Call (RPC) service.
The DNS server could not bind the main datagram socket.
The DNS Server service relies on Active Directory to store and retrieve information for Active
Directory-integrated zones.
Answer: B is incorrect. A DNS server looks up a name to return an IP address; it would not and
cannot open a socket for a domain name, it must bind to an IP address.
John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He finds that the We-are-secure server is vulnerable to
attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP
printing capability from the server. He is suggesting this as a countermeasure against
__________.
A.
NetBIOS NULL session
B.
DNS zone transfer
C.
IIS buffer overflow
D.
SNMP enumeration
Removing the IPP printing capability from a server is a good countermeasure against an IIS buffer
overflow attack. A Network Administrator should take the following steps to prevent a Web server
from IIS buffer overflow attacks:
Answer: B is incorrect. The following are the DNS zone transfer countermeasures:
Do not allow
a. Open DNS.
c. On the Zone Transfer tab, clear the Allow zone transfers check box.
Configure the master DNS server to allow zone transfers only from secondary DNS servers:
a. Open DNS.
c. On the zone transfer tab, select the Allow zone transfers check box, and then do one of the
following:
To allow zone transfers only to the DNS servers listed on the name servers tab, click on the Only
to the servers listed on the Name Server tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and add
the IP address of one or more servers.
Answer: D is incorrect. The following are the countermeasures against SNMP enumeration:
2. Changing the default PUBLIC community name when 'shutting off SNMP' is not an option
3. Implementing the Group Policy security option called Additional restrictions for anonymous
connections
6. Implementing Access control list filtering to allow only access to the read-write community from
approved stations or subnets
Answer: A is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if
NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken
to limit NetBIOS NULL session vulnerabilities:
1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a
Network Administrator.
2. A Network Administrator can also disable SMB services entirely on individual hosts by
unbinding WINS Client TCP/IP from the interface.
3. A Network Administrator can also restrict the anonymous user by editing the registry values:
b. Choose Edit > Add Value. Value name: RestrictAnonymous Data Type: REG_DWORD Value: 2
A.
cat
B.
less
C.
touch
D.
cp
Answer: B
Explanation:
The less command is most useful for viewing large files. The less command displays the output of
a file one page at a time. Viewing large files through cat may take more time to scroll pages, so it
is better to use the less command to see the content of large files.
Answer: A is incorrect. The cat command is also used to view the content of a file, but it is most
useful for viewing short files.
Answer: D is incorrect. The cp command is used to copy files and directories from one location to
another.
Answer: C is incorrect. The touch command is not used to view the content of a file. It is used to
create empty files or to update file timestamps.
Which of the following is an attempt to give false information or to deny that a real event or
transaction should have occurred?
A.
A DDoS attack
B.
A repudiation attack
C.
A replay attack
D.
A dictionary attack
Answer: B
Explanation:
A repudiation attack is an attempt to give false information or to deny that a real event or
transaction should have occurred.
Answer: A is incorrect. In a distributed denial of service (DDoS) attack, an attacker uses multiple
computers throughout the network that have been previously infected. Such computers act as
zombies and work together to send out bogus messages, thereby increasing the amount of phony
traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that
multiple machines can generate more attack traffic than one machine, multiple attack machines
are harder to turn off than one attack machine, and the behavior of each attack machine can be
stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for a
DDoS attack.
Answer: C is incorrect. A replay attack is a type of attack in which attackers capture packets
containing passwords or digital signatures whenever packets pass between two hosts on a
network. In an attempt to obtain an authenticated connection, the attackers then resend the
captured packet to the system. In this type of attack, the attacker does not know the actual
password, but can simply replay the captured packet.
Answer: D is incorrect. Dictionary attack is a type of password guessing attack. This type of attack
uses a dictionary of common words to find out the password of a user. It can also use common
words in either upper or lower case to find a password. There are many programs available on the
Internet to automate and execute dictionary attacks.
"It is a technique employed to compromise the security of network switches. In this attack, a switch
is flooded with packets, each containing different source MAC addresses. The intention is to
consume the limited memory set aside in the switch to store the MAC address-to-physical port
translation table."
A.
Man-in-the-middle
B.
Blind spoofing
C.
Dictionary
D.
MAC flooding
Answer: D
Explanation:
Answer: B is incorrect. Blind spoofing is a type of IP spoofing attack. This attack occurs when the
attacker is on a different subnet from the destination host. Therefore, it is more difficult to obtain
the correct TCP sequence number and acknowledgement number of the data frames. In a blind
spoofing attack, an attacker sends several packets to the target computer so that he can easily
obtain the sequence number of each data frame. If the attacker succeeds in predicting the
sequence numbers of the data frames, the data is successfully sent to the target computer.
Answer: C is incorrect. Dictionary attack is a type of password guessing attack. This type of attack
uses a dictionary of common words to find out the password of a user. It can also use common
words in either upper or lower case to find a password. There are many programs available on the
Internet to automate and execute dictionary attacks.
Network mapping provides a security testing team with a blueprint of the organization. Which of
the following steps is NOT a part of manual network mapping?
A.
Gathering private and public IP addresses
C.
Performing Neotracerouting
D.
Banner grabbing
Answer: C
Explanation:
Using automated tools, such as NeoTraceroute, for mapping a network is a part of automated
network mapping, not of manual network mapping. Network mapping is the process of providing
a blueprint of the organization to a security testing team. There are two ways of performing
network mapping:
Manual Mapping: In manual mapping, a hacker gathers information to create a matrix that
contains the domain name information, IP addresses of the network, DNS servers, employee
information, company location, phone numbers, yearly earnings, recently acquired organizations,
email addresses, publicly available IP address ranges, open ports, wireless access points, modem
lines, and banner grabbing details.
Automated Mapping: In automated mapping, a hacker uses an automated tool to gather
information about the network. There are many tools for this purpose, such as NeoTrace, Visual
traceroute, Cheops, Cheops-ng, etc. The only advantage of automated mapping is its speed, and
that same speed means it may generate erroneous results.
Which of the following methods can be helpful to eliminate social engineering threat? (Choose
three.)
A.
Data encryption
B.
Data classification
C.
Password policies
D.
Vulnerability assessments
Password policies
Vulnerability assessments
Data classification
A password policy should specify how passwords may be shared. A company should
implement periodic penetration and vulnerability assessments. These assessments usually consist
of using known hacker tools and common hacker techniques to breach network security. Social
engineering should also be used for an accurate assessment. Since social engineers use the
knowledge of others to attain information, it is essential to have a data classification model in place
that all employees know and follow. Data classification assigns a level of sensitivity to company
information. Each classification level specifies who can view and edit data, and how it can be
shared.
You work as a Network Administrator for Net World International. The company has a Windows
Active Directory-based single domain single forest network. The functional level of the forest is
Windows Server 2003. There are ten Sales Managers in the company. The company has recently
provided laptops to all its Sales Managers. All the laptops run Windows XP Professional. These
laptops will be connected to the company's network through wireless connections. The company's
management wants to implement Shared Key authentication for these laptops. When you try to
configure the network interface card of one of the laptops for Shared Key authentication, you find
no such option. What will you do to enable Shared Key authentication?
A.
Install PEAP-MS-CHAP v2
B.
Enable WEP
C.
Install Service Pack 1
D.
Install EAP-TLS.
Answer: B
Shared Key authentication requires the use of the Wired Equivalent Privacy (WEP) algorithm. If
the WEP is not implemented, then the option for Shared Key authentication is not available. In
order to accomplish the task, you will have to enable the WEP on all the laptops.
Which of the following tools hides information about IIS Webservers so that they can be prevented
from various attacks performed by an attacker?
A.
httprint
B.
ServerMask
C.
Whisker
D.
WinSSLMiM
Answer: B
Explanation:
ServerMask is a tool that is used to hide information about IIS Web servers. Since IIS Web servers
are vulnerable to various attacks, such as the Code Red worm, the IIS Unicode exploit, etc., to
mitigate such attacks ServerMask removes all unnecessary HTTP headers and response data, and
file extensions like .asp or .aspx, which are clear indicators that a site is running on a Microsoft
server. Besides this, ServerMask modifies the ASP session ID cookie values, default messages,
pages and scripts of all kinds to misguide an attacker.
Answer: A is incorrect. httprint is a fingerprinting tool that is based on Web server characteristics to
accurately identify Web servers. It works even when Web server may have been obfuscated by
changing the server banner strings, or by plug-ins such as mod_security or servermask.
Answer: C is incorrect. Whisker is an HTTP/Web vulnerability scanner that is written in the PERL
language. Whisker runs on both the Windows and UNIX environments. It provides functions for
testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs.
Answer: D is incorrect. WinSSLMiM is an HTTPS Man in the Middle attacking tool. It includes
FakeCert, a tool used to make fake certificates. It can be used to exploit the Certificate Chain
vulnerability in Internet Explorer. The tool works under Windows 9x/2000.
Sarah works as a Web Developer for XYZ CORP. She develops a Web site for the company. She
uses tables in the Web site. Sarah embeds three tables within a table. What is the technique of
embedding tables within a table known as?
A.
Nesting tables
B.
Stacking tables
C.
CSS tables
D.
Horned tables
Answer: A
Explanation:
In general, nesting means embedding a construct inside another. Nesting tables is a technique in
which one or more tables are embedded within a table.
Answer: B, C, D are incorrect. There are no techniques such as stacking tables, horned tables, or
CSS tables.
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He has recently backed up
his entire Linux hard drive into the my_backup.tgz file. The size of the my_backup.tgz file is
800MB. Now, he wants to break this file into two files in which the size of the first file named
my_backup.tgz.aa should be 600MB and that of the second file named my_backup.tgz.ab should
be 200MB. Which of the following commands will John use to accomplish his task?
A.
split --verbose -b 200m my_backup.tgz my_backup.tgz
B.
split --verbose -b 200m my_backup.tgz my_backup.tgz
C.
split --verbose -b 600m my_backup.tgz my_backup.tgz
D.
split --verbose -b 600m my_backup.tgz my_backup.tgz
Answer: D
Explanation:
According to the scenario, John wants to break the my_backup.tgz file into two files in which
the size of the first file named my_backup.tgz.aa should be 600MB and that of the second file
named my_backup.tgz.ab should be 200MB. Hence, he will use the split --verbose -b 600
my_backup.tgz my_backup.tgz. command, which will automatically write the first 600MB into a
file named my_backup.tgz.aa, and the rest of the data (200MB) into the second file named
my_backup.tgz.ab. The reason behind the names is that the split command provides
suffixes such as 'aa', 'ab', 'ac', ..., 'az', 'ba', 'bb', etc. in the output file names by default. Hence,
both conditions, the file names as well as the file sizes, match with this command.
Note: If the size of the tar file my_backup.tgz is 1300MB, the command split --verbose -b 600
my_backup.tgz my_backup.tgz. breaks the my_backup.tgz file into three files, i.e.,
my_backup.tgz.aa of size 600MB, my_backup.tgz.ab of size 600MB, and my_backup.tgz.ac of
size 100MB.
Which of the following statements are true about the Enum tool?
A.
It uses NULL and User sessions to retrieve user lists, machine lists, LSA policy information, etc.
B.
It is capable of performing brute force and dictionary attacks on individual accounts of Windows
NT/2000.
C.
One of the countermeasures against the Enum tool is to disable TCP port 139/445.
D.
It is a console-based Win32 information enumeration utility.
Answer: A,B,C,D
Explanation:
Enum is a console-based Win32 information enumeration utility. It uses null sessions to retrieve
user lists, machine lists, share lists, namelists, group and member lists, passwords, and LSA
policy information. It is also capable of performing brute force and dictionary attacks on individual
accounts. Since the Enum tool works on the NetBIOS NULL sessions, disabling the NetBIOS port
can be a good countermeasure against the Enum tool.
"This is the process of numerically analyzing the effect of identified risks on overall project
objectives."
A.
Perform Quantitative Risk Analysis
B.
Monitor and Control Risks
C.
Perform Qualitative Risk Analysis
D.
Identify Risks
Answer: A
Explanation:
Perform Quantitative Risk Analysis is the process of numerically analyzing the effect of identified
risks on overall project objectives. This process generally follows the Perform Qualitative Risk
Analysis process. It is performed on risks that have been prioritized by the Perform Qualitative
Risk Analysis process as potentially and substantially impacting the project's competing demands.
The Perform Quantitative Risk Analysis should be repeated after Plan Risk Responses, as well as
part of Monitor and Control Risks, to determine if the overall project risk has been decreased.
Answer: C is incorrect. This is the process of prioritizing risks for further analysis or action by
assessing and combining their probability of occurrence and impact.
Answer: D is incorrect. This is the process of determining which risks may affect the project and
documenting their characteristics.
Answer: B is incorrect. This is the process of implementing risk response plans, tracking identified
risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness
through the project.
A.
It is a connectionless protocol.
B.
It provides an authenticator-controlled password change mechanism.
C.
It is subject to offline dictionary attacks.
D.
It can be replaced with EAP-TLS as the authentication mechanism for PPTP.
Answer: B,C,D
Explanation:
It is enabled by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3,
Authentication Protocol.
With weak passwords, MS-CHAPv2 is subject to offline dictionary attacks; hence, it can be
replaced with EAP-TLS as the authentication mechanism for PPTP.
You work as a Software Developer for XYZ CORP. You create a SQL server database named
DATA1 that will manage the payroll system of the company. DATA1 contains two tables named
EmployeeData, Department. While EmployeeData records detailed information of the employees,
Department stores information about the available departments in the company. EmployeeData
consists of columns that include EmpID, EmpName, DtOBrth, DtOJoin, DeptNo, Desig, BasicSal,
etc. You want to ensure that each employee ID is unique and is not shared between two or more
employees. You also want to ensure that the employees enter only valid department numbers in
the DeptNo column. Which of the following actions will you perform to accomplish the task?
A.
Define triggers in the EmployeeData table.
B.
Add stored procedures by using Transact-SQL queries.
C.
Add constraints to the EmployeeData table.
D.
Define indexes in the EmployeeData table.
E.
Define views in the database.
Answer: B,C,D,E
Explanation:
In the given scenario, you will add constraints to the EmpID and DeptNo columns of the
EmployeeData table, as you want EmpID to be unique, and the number entered in the DeptNo
column to be valid. A constraint enforces the integrity of a database. It defines rules regarding the
values allowed in the columns of a table. A constraint is the standard mechanism for enforcing
integrity. Using constraints is preferred to using triggers, rules, and defaults. Most of the RDBMS
databases support the following five types of constraints:
NOT NULL constraint: It specifies that the column does not accept NULL values.
CHECK constraint: It enforces domain integrity by limiting the values that can be placed in a
column.
PRIMARY KEY constraint: It identifies the column or set of columns whose values uniquely
identify a row in a table.
FOREIGN KEY constraint: It establishes a foreign key relationship between the columns of the
same table or different tables.
Constraints enforce rules on data in a table whenever a row is inserted, updated, or deleted from
the table.
Constraints prevent the deletion of a table if there are dependencies from other tables.
Constraints enforce rules at the column level as well as at the table level.
The syntax for creating an index is as follows: CREATE INDEX <Index name>
A unique index does not allow duplicate values in a column that has been indexed as unique.
You will also add a stored procedure named AddEmp by using Transact-SQL queries. AddEmp
will accept data values for new employees and will subsequently add a row in the EmployeeData
table. Stored procedures are precompiled SQL routines that are stored on a database server.
They are a combination of multiple SQL statements that form a logical unit and perform a
particular task. Stored procedures provide the capability of combining multiple SQL statements
and improve speed due to precompiled routines. Most of the DBMS provide support for stored
procedures. They usually differ in their syntax and capabilities from one DBMS to another.
A stored procedure can take three kinds of parameters: IN, OUT, and INOUT. Note: Stored
procedures are very similar to functions and procedures of common programming languages. You will also define
a view named DeptEmpView that will combine data from the Department and EmployeeData
tables and thus produce the required result. A view can be thought of as a virtual table. The data
accessible through a view is not stored in the database as a distinct object. Views are created by
defining a SELECT statement. The result set of the SELECT statement forms the virtual table. A
user can use this virtual table by referencing the view name in SQL statements in the same way a
table is referenced.
Answer: A is incorrect. You do not need to define any triggers in the EmployeeData table, as they
are not required while making the EmpID unique, or while entering valid data values in DeptNo. A
trigger is a special kind of stored procedure that automatically runs when data in a specified table
is updated, inserted, or deleted. Triggers can query other tables and can include complex SQL
statements.
A.
HttpSessionBindingListener
B.
HttpSessionAttributeListener
C.
HttpSessionListener
D.
HttpSessionActivationListener
Answer: A,D
Explanation:
HttpSessionBindingListener has methods that notify the object when it is added to or removed
from a session. HttpSessionActivationListener has methods that inform the attributes when the
session is about to be activated or passivated. These methods are related to the attributes and not
to the complete session. Hence, the container takes care of them and they need not be configured
in the deployment descriptor.
You work as a Database Administrator for BigApple Inc. The Company uses Oracle as its
database. You enabled standard database auditing. Later, you noticed that it has a huge impact
on performance of the database by generating a large amount of audit data. How will you keep
control on this audit data?
A.
By implementing principle of least privilege.
B.
By removing some potentially dangerous privileges.
C.
By setting the REMOTE_LOGIN_PASSWORDFILE instance parameter to NONE.
D.
Answer: D
Explanation:
Auditing is the process of monitoring and recording the actions of selected users in a database.
Auditing is of the following types:
By focusing the audits as narrow as possible, you will get audit records for events that are of
significance. If it is possible then try doing audit by session, not by access. When auditing a
database the SYS.AUD$ table may grow many gigabytes. You may delete or truncate it
periodically to control the load of audit data. minimum set of privileges that are just sufficient to
accomplish their requisite roles, so that even if the users try, they cannot perform those actions
that may critically endanger the safety of data in the event of any malicious attacks. It is important
to mention that some damage to data may still be unavoidable. Therefore, after identifying the
scope of their role, users are allocated only those minimal privileges just compatible with that role.
This helps in minimizing the damage to data due to malicious attacks. Grant of more privileges
than necessary may make data critically vulnerable to malicious exploitation. The principle of least
privilege is also known as the principle of minimal privilege and is sometimes also referred to as
POLA, an abbreviation for the principle of least authority. The principle of least privilege is
implemented to enhance fault tolerance, i.e. to protect data from malicious attacks. While applying
the principle of least privilege, one should ensure that the parameter
07_DICTIONARY_ACCESSIBILITY in the data dictionary is set to FALSE, and revoke those
packages and roles granted to a special pseudo-user known as Public that are not necessary to
perform the legitimate actions, after reviewing them. This is very important since every user of the
database, without exception, is automatically allocated the Public pseudo-user role.
Some of the packages that are granted to the special pseudo-user known as Public are as follows:
All of the above discussed options are security steps and are not involved in standard database
auditing.
A.
Notifying an attribute that a session has just migrated from one JVM to another.
B.
Notifying the object when it is unbound from a session.
C.
Notifying the object when it is bound to a session.
D.
Notifying an attribute that a session is about to migrate from one JVM to another.
Answer: A,D
Explanation:
public void sessionWillPassivate(HttpSessionEvent se): It notifies the attribute that the session is
about to move to a different JVM.
You work as a Software Developer for UcTech Inc. You want to encode a URL, so that it can be
used with the sendRedirect() method to send the response to the client. In order to accomplish
this, you have to use a method of the HttpServletResponse interface. Which of the following
methods will you use?
A.
encodeResponseURL()
B.
encodeRedirectURL()
C.
encodeURL()
D.
encodeURLResponse()
Answer: B
Explanation:
Which of the following protocols is the mandatory part of the WPA2 standard in the wireless
networking?
A.
CCMP
B.
ARP
C.
WEP
Answer: A
Explanation:
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is an
IEEE 802.11i encryption protocol created to replace both TKIP, the mandatory protocol in WPA,
and WEP, the earlier, insecure protocol. CCMP is a mandatory part of the WPA2 standard, an
optional part of the WPA standard, and a required option for Robust Security Network (RSN)
Compliant networks. CCMP is also used in the ITU-T home and business networking standard.
CCMP, part of the 802.11i standard, uses the Advanced Encryption Standard (AES) algorithm.
Unlike in TKIP, key management and message integrity is handled by a single component built
around AES using a 128-bit key, a 128-bit block, and 10 rounds of encoding per the FIPS 197
standard.
Answer: C is incorrect. Wired Equivalent Privacy (WEP) is a security protocol for wireless local
area networks (WLANs). It has two components, authentication and encryption. It provides
security, which is equivalent to wired networks, for wireless networks. WEP encrypts data on a
wireless network by using a fixed secret key. WEP incorporates a checksum in each frame to
provide protection against the attacks that attempt to reveal the key stream.
Answer: D is incorrect. TKIP (Temporal Key Integrity Protocol) is an encryption protocol defined in
the IEEE 802.11i standard for wireless LANs (WLANs). It is designed to provide more secure
encryption than the notoriously weak Wired Equivalent Privacy (WEP). TKIP is the encryption
method used in Wi-Fi Protected Access (WPA), which replaced WEP in WLAN products. TKIP is a
suite of algorithms to replace WEP without requiring the replacement of legacy WLAN equipment.
TKIP uses the original WEP programming but wraps additional code at the beginning and end to
encapsulate and modify it. Like WEP, TKIP uses the RC4 stream encryption algorithm as its basis.
Every network device contains a unique built in Media Access Control (MAC) address, which is
used to identify the authentic device to limit the network access. Which of the following addresses
is a valid MAC address?
A.
A3-07-B9-E3-BC-F9
B.
F936.28A1.5BCD.DEFA
C.
1011-0011-1010-1110-1100-0001
D.
132.298.1.23
Answer: A
Explanation:
The general format for writing MAC addresses is to use six groups of two hexadecimal digits, each
separated by a hyphen (-). Another standard method is also used for writing MAC addresses as
three groups of four hexadecimal digits separated by dots.
Answer: C is incorrect. Binary numbers are not used to denote MAC addresses.
Answer: B is incorrect. This is not a valid MAC address, as it has four groups of four hexadecimal
digits.
In which of the following does a Web site store information such as user preferences to provide
customized services to users?
A.
Protocol
B.
ActiveX control
C.
Cookie
D.
Keyword
Answer: C
Explanation:
Answer: A is incorrect. A protocol is a set of predefined rules that govern how two or more
processes communicate and interact to exchange data. Protocols are considered the building
blocks of network communication. Computer protocols are used by communicating devices and
software services to format data in a way that all participants understand. A protocol provides a
context in which to interpret communicated information.
Answer: B is incorrect. ActiveX controls are software components that can be integrated into Web
pages and applications, within a computer or among computers in a network, to reuse the
functionality. Reusability of controls reduces development time of applications and improves
program interfaces. They enhance the Web pages with formatting features and animation. ActiveX
controls can be used in applications written in different programming languages that recognize
Microsoft's Component Object Model (COM). These controls always run in a container. ActiveX
controls simplify and automate the authoring tasks, display data, and add functionality to Web
pages.
Answer: D is incorrect. Keywords are important terms used to search Web pages on a particular
topic. For example, if a user enters a keyword "Networking" in a search engine form, all Web
pages containing the term "Networking" will be displayed.
Which of the following tools can be used to perform tasks such as Windows password cracking,
Windows enumeration, and VoIP session sniffing?
A.
L0phtcrack
B.
Obiwan
C.
Cain
D.
John the Ripper
Answer: C
Explanation:
Cain is a multipurpose tool that can be used to perform many tasks such as Windows password
cracking, Windows enumeration, and VoIP session sniffing. This password cracking program can
perform the following types of password cracking attacks:
Answer: A is incorrect. L0phtcrack is a tool that identifies and remediates security vulnerabilities
that result from the use of weak or easily guessed passwords. It recovers Windows and Unix
account passwords to access user and administrator accounts.
Answer: D is incorrect. John the Ripper is a fast password cracking tool that is available for most
versions of UNIX, Windows, DOS, BeOS, and OpenVMS. It also supports Kerberos, AFS, and
Windows NT/2000/XP/2003 LM hashes. John the Ripper requires a user to have a copy of the
password file.
Answer: B is incorrect. Obiwan is a Web password cracking tool that is used to perform brute force
and hybrid attacks. It is effective against HTTP connections for Web servers that allow unlimited
failed login attempts by the user. Obiwan uses wordlists as well as alphanumeric characters as
possible passwords.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to set the hard disk geometry parameters, cylinders, heads, and sectors. Which of the
following Unix commands can you use to accomplish the task?
A.
mke2fs
B.
mkswap
C.
mkfs
D.
hdparm
Answer: D
Explanation:
In Unix, the hdparm command is used to get or set hard disk geometry parameters, cylinders,
heads, and sectors.
Answer: C is incorrect. In Unix, the mkfs command initializes a Unix filesystem. It is a front end
that runs a separate program depending on the filesystem's type.
Answer: A is incorrect. In Unix, the mke2fs command creates a Unix second extended filesystem.
Answer: B is incorrect. In Unix, the mkswap command sets up a Unix swap area on a device or
file.
A.
If cookies are supported by the browser, URL rewriting will return the URL unchanged.
B.
The request.encodeRedirectURL() method is used to add session id information to the URL and
send the request to another URL.
C.
The request.encodeURL() method is used to add session id information to the URL.
D.
URL rewriting is used in cases where cookies are not supported by the browser.
Answer: A,D
Explanation:
By default, session tracking uses cookies to associate a session identifier with a unique user. URL
rewriting is used in cases where cookies are not supported by the browser.
The employees of CCN Inc. require remote access to the company's proxy servers. In order to
provide solid wireless security, the company uses LEAP as the authentication protocol. Which of
the following is supported by the LEAP protocol?
A.
Dynamic key encryption
B.
Public key certificate for server authentication
C.
Strongest security level
D.
Password hash for client authentication
Answer: A,D
Explanation:
LEAP can use only a password hash as its authentication technique. Besides LEAP, EAP-TLS,
EAP-TTLS, and PEAP also support dynamic key encryption and mutual authentication.
A.
COLSPAN is used to create columns in a table.
B.
COLSPAN is used to divide one column into many columns.
C.
COLSPAN is used to span one column across many rows.
D.
COLSPAN is used to span one column across many columns.
Answer: D
Explanation:
The COLSPAN attribute is used to span one column across many columns. COLSPAN is an
attribute of the <TD> and <TH> tags that allows a single column in a table to take up the space
occupied by several columns. If the specified COLSPAN value is greater than the number of
columns in the table, a new column is created at the end of the row.
You are the project manager of a Web development project. You want to get information about
your competitors by hacking into their computers. You and the project team determine that if the
hacking attack is not performed anonymously, you will be traced. Hence, you hire a professional
hacker to work on the project. This is an example of what type of risk response?
A.
Transference
B.
Mitigation
C.
Acceptance
D.
Avoidance
Answer: A
Explanation:
Whenever the risk is transferred to someone else, it is an example of transference risk response.
Transference usually has a fee attached to the service provider that will own the risk event.
Which of the following is a type of web site monitoring that is done using web browser emulation or
scripted real web browsers?
A.
Route analytics
B.
Passive monitoring
C.
Network tomography
D.
Synthetic monitoring
Answer: D
Explanation:
Synthetic monitoring is an active Web site monitoring that is done using Web browser emulation or
scripted real Web browsers. Behavioral scripts (or paths) are created to simulate an action or path
that a customer or end-user would take on a site. Those paths are then continuously monitored at
specified intervals for availability and response time measures. Synthetic monitoring is valuable
because it enables a Webmaster to identify problems and determine if his Web site or Web
application is slow or experiencing downtime before that problem affects actual end-users or
customers.
Which of the following is the best way to authenticate users on the intranet?
A.
By using Forms authentication.
B.
By using Basic authentication.
C.
By using clear text.
D.
By using NT authentication.
Answer: D
Explanation:
Answer: B is incorrect. Basic authentication is used to authenticate users on the Internet. It is used
by most of the browsers for authentication and connection. When using Basic authentication, the
browser prompts the user for a username and password. This information is then transmitted
across the Hypertext Transfer Protocol (HTTP).
In a network, a router receives a data packet that is to be transmitted to another network. To
forward the packet to the other available networks, the router is configured with a static or a
dynamic route. What are the benefits of using a static route?
A.
It is a fault tolerant path.
B.
It reduces load on routers, as no complex routing calculations are required.
C.
It reduces bandwidth usage, as there is no excessive router traffic.
D.
It provides precise control over the routes that packets will take across the network.
Answer: B,C,D
Explanation:
Static routing is a data communication concept that describes a way to configure path selection of
routers in computer networks. This is achieved by manually adding routes to the routing table.
However, when there is a change in the network or a failure occurs between two statically defined
nodes, traffic will not be rerouted. Static routing gives precise control over the routes that a packet
will take across the network.
Answer: A is incorrect. This is a property of a dynamic route. A static route cannot choose the best
path. It can only choose the paths that are manually entered. When there is a change in the
network or a failure occurs between two statically defined nodes, traffic will not be rerouted.
John works as a Network Administrator for Perfect Solutions Inc. The company has a Debian
Linux-based network. He is working in the bash shell, in which he creates a variable VAR1. After
some calculations, he opens a new ksh shell. Now, he wants to set VAR1 as an environment
variable so that he can retrieve VAR1 in the ksh shell. Which of the following commands will
John run to accomplish the task?
A.
echo $VAR1
B.
touch VAR1
C.
export VAR1
D.
env -u VAR1
Answer: C
Explanation:
Since John wants to use the variable VAR1 as an environment variable, he will use the export
command to accomplish the task.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to query an image root device and RAM disk size. Which of the following Unix
A.
rdev
B.
rdump
C.
setfdprm
D.
mount
Answer: A
Explanation:
The rdev command is used to query/set an image root device, RAM disk size, or video mode. If a
user executes the rdev command with no arguments, it outputs a /etc/mtab line for the current
root file system. The syntax of the rdev command is as follows: rdev [ -Rrvh ] [ -ooffset ]
[ image [ value [ offset ] ] ]
Answer: B is incorrect. In Unix, the rdump command is used to back up an ext2 filesystem.
Answer: C is incorrect. In Unix, the setfdprm command sets floppy drive parameters.
Which of the following are the methods of the HttpSession interface? (Choose three.)
A.
setAttribute(String name, Object value)
B.
getAttribute(String name)
C.
getAttributeNames()
D.
getSession(true)
The HttpSession interface methods are setAttribute(String name, Object value), getAttribute(String
name), and getAttributeNames(). The getAttribute(String name) method of the HttpSession
interface returns the value of the named attribute as an object. It returns a null value if no attribute
with the given name exists.
The setAttribute(String name, Object value) method stores an attribute in the current session. The
setAttribute(String name, Object value) method binds an object value to a session using the String
name. If an object with the same name is already bound, it will be replaced. The
getAttributeNames() method returns an Enumeration containing the names of the attributes
available to the current request. It returns an empty Enumeration if the request has no attributes
available to it.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to allow direct access to the filesystem's data structure. Which of the following Unix
commands can you use to accomplish the task?
A.
debugfs
B.
dosfsck
C.
du
D.
df
Answer: A
Explanation:
In Unix, the debugfs command is used to allow direct access to the filesystem's data structure.
Answer: D is incorrect. In Unix, the df command shows the disk free space on one or more
filesystems.
Answer: B is incorrect. In Unix, the dosfsck command checks and repairs MS-DOS filesystems.
Answer: C is incorrect. In Unix, the du command shows how much disk space a directory and all
its files contain.
The employees of EWS Inc. require remote access to the company's Web servers. In order to
provide solid wireless security, the company uses EAP-TLS as the authentication protocol. Which
of the following statements are true about EAP-TLS?
A.
It uses password hash for client authentication.
B.
It uses a public key certificate for server authentication.
C.
It is supported by all manufacturers of wireless LAN hardware and software.
D.
It provides a moderate level of security.
Answer: B,C
Explanation:
EAP-TLS can use only a public key certificate as the authentication technique. It is supported by
all manufacturers of wireless LAN hardware and software. The requirement for a client-side
certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and
illustrates the classic convenience vs. security trade-off.
Answer: A is incorrect. EAP-TLS uses a public key certificate for server authentication.
Which of the following tools combines two programs, and also encrypts the resulting package in
an attempt to foil antivirus programs?
A.
Tiny
B.
NetBus
C.
Trojan Man
D.
EliteWrap
Answer: C
Explanation:
The Trojan Man is a Trojan wrapper that not only combines two programs, but also encrypts the
resulting package in an attempt to foil antivirus programs.
What will be the output of the following command? echo $(date %M) > date.txt
A.
The current time (Month) will be written in the date.txt file.
B.
It will create a variable $(date %M).
C.
It will print a string "date %M".
D.
The current time (Minutes) will be written in the date.txt file.
Answer: D
Explanation:
The date command with the %M specifier prints the current time (Minutes). Since the output is
redirected towards the date.txt file, the current time (Minutes) will be printed in the date.txt file.
A.
Use commercially available anti-keyloggers such as PrivacyKeyboard.
B.
Use on-screen keyboards and speech-to-text conversion software which can also be useful
against keyloggers, as there are no typing or mouse movements involved.
C.
Remove the SNMP agent or disable the SNMP service.
D.
Monitor the programs running on the server to see whether any new process is running on the
server or not.
Answer: A,B,D
Explanation:
It is very hard to detect a keylogger's activity. Hence, a Network Administrator should take the
following steps as countermeasures against software keyloggers:
Use on-screen keyboards and speech-to-text conversion software which can also be useful
against keyloggers, as there are no typing or mouse movements involved.
Answer: C is incorrect. An SNMP service is not used for keystroke logging. Hence, removing an
SNMP agent may be a valid option if, and only if, the server is vulnerable to SNMP enumeration.
Andrew works as a Network Administrator for Infonet Inc. The company has a Windows 2003
domain-based network. The network has five Windows 2003 member servers and 150 Windows
XP Professional client computers. One of the member servers works as an IIS server. The IIS
server is configured to use the IP address 142.100.10.6 for Internet users and the IP address
A.
Enable the IP packet filter.
B.
Permit all the ports on the network adapter that uses the IP address 142.100.10.6.
C.
Permit only port 25 on the network adapter that uses the IP address 142.100.10.6.
D.
Permit all the ports on the network adapter that uses the IP address 16.5.7.1.
E.
Permit only port 80 on the network adapter that uses the IP address 142.100.10.6.
Answer: A,D,E
Explanation:
In order to configure the IIS server to allow only Web communication over the Internet, Andrew will
have to use IP packet filtering to permit only port 80 on the network adapter that uses the IP
address 142.100.10.6 for connecting to the Internet. This is because Web communication uses the
Hypertext Transfer Protocol (HTTP), which uses TCP port 80. IP packet filtering restricts the IP
traffic received by the network interface by controlling the TCP or UDP port for incoming data.
Furthermore, Andrew wants to allow local users to access shared folders and all other resources.
Therefore, Andrew will have to enable all the ports on the network adapter that uses the IP
address 16.5.7.1 for the local network.
Which of the following internal control components provides the foundation for the other
components and encompasses such factors as management's philosophy and operating style?
A.
Information and communication
B.
Risk assessment
C.
Control activities
Answer: D
Explanation:
COSO defines internal control as, "a process, influenced by an entity's board of directors,
management, and other personnel, that is designed to provide reasonable assurance in the
effectiveness and efficiency of operations, reliability of financial reporting, and the compliance of
applicable laws and regulations". The auditor evaluates the organization's control structure by
understanding the organization's five interrelated control components, which are as follows:
1. Control Environment: It provides the foundation for the other components and encompasses
such factors as management's philosophy and operating style.
3. Control Activities: It consists of the policies and procedures that ensure employees carry out
management's directions.
The types of control activities an organization must implement are preventative controls (controls
intended to stop an error from occurring), detective controls (controls intended to detect if an error
has occurred), and mitigating controls (control activities that can mitigate the risks associated with
a key control not operating effectively).
4. Information and Communication: It ensures the organization obtains pertinent information, and
then communicates it throughout the organization.
5. Monitoring: It involves reviewing the output generated by control activities and conducting
special evaluations. In addition to understanding the organization's control components, the
auditor must also evaluate the organization's General and Application controls. There are three
audit risk components: control risk, detection risk, and inherent risk.
John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The
description of the tool is as follows:
It uses a ciphertext-only attack and captures approximately 5 to 10 million packets to decrypt the
WEP keys.
A.
Cain
B.
PsPasswd
C.
Kismet
D.
AirSnort
Answer: D
Explanation:
AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort
operates by passively monitoring transmissions. It uses a ciphertext-only attack and captures
approximately 5 to 10 million packets to decrypt the WEP keys.
Answer: C is incorrect. Kismet is an IEEE 802.11 wireless network sniffer and intrusion detection
system.
You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP based
switched network. A root bridge has been elected in the switched network. You have installed a
new switch with a lower bridge ID than the existing root bridge. What will happen?
A.
The new switch starts advertising itself as the root bridge.
B.
The new switch divides the network into two broadcast domains.
C.
The new switch works as DR or BDR.
D.
The new switch blocks all advertisements.
Answer: A
Explanation:
The new switch starts advertising itself as the root bridge. It acts as if it is the only bridge on the
network. It has a lower Bridge ID than the existing root, so it is elected as the root bridge after the
BPDUs converge and all switches learn that the new switch is the better choice.
Answer: B, C, D are incorrect. None of these is a valid option in the given scenario.
A.
Command injection attack
B.
Code injection attack
C.
Cross-Site Scripting attack
D.
Cross-Site Request Forgery
Answer: B
Explanation:
A code injection attack exists whenever a scripting or programming language is used in a Web
page. All the attacker needs is an error or opening. That opening usually comes in the form
of an input field that is not validated correctly. It is not necessary for the code injection attack to be
on the Web page. It can be located in the back end as part of a database query of the Web site. If
any part of the server uses Java, JavaScript, C, SQL, or any other code between the Internet and
the data, it is vulnerable to the code injection attack.
Answer: C is incorrect. A cross-site scripting attack is one in which an attacker enters malicious
data into a Web site. For example, the attacker posts a message that contains malicious code to
a newsgroup site. When another user views this message, the browser interprets this code and
executes it and, as a result, the attacker is able to take control of the user's system. Cross-site
scripting attacks require the execution of client-side languages such as JavaScript, Java,
VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross-site
scripting attack, the attacker can perform cookie stealing, session hijacking, etc.
Answer: A is incorrect. A command injection attack is used to inject and execute commands
specified by the attacker in the vulnerable application. The application, which executes unwanted
system commands, is like a virtual system shell. The attacker may use it as any authorized system
user. However, commands are executed with the same privileges and environment as the
application has. Command injection attacks are possible in most cases because of a lack of
correct input data validation, which can be manipulated by the attacker.
Answer: D is incorrect. Cross-site request forgery, also known as one-click attack or session
riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted
from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a
user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack
works by including a link or script in a page that accesses a site to which the user is known to
have authenticated.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to check the status of the printer and set its state. Which of the following Unix
commands can you use to accomplish the task?
A.
banner
B.
lpq
C.
lpc
D.
lpr
Answer: C
Explanation:
In Unix, the lpc command is used to check the status of the printer and set its state.
Answer: A is incorrect. In Unix, the banner command is used to print a large banner on the printer.
Answer: D is incorrect. In Unix, the lpr command is used to submit a job to the printer.
Answer: B is incorrect. In Unix, the lpq command is used to show the contents of a spool directory
for a given printer.
You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-based
network. Rick, your assistant, is configuring some laptops for wireless access. For security, WEP
needs to be configured for wireless communication. By mistake, Rick configures a different WEP
key on a laptop than the one configured on the Wireless Access Point (WAP). Which of the
following statements is true in such a situation?
A.
The laptop will be able to access the wireless network but the security will be compromised.
B.
The WAP will allow the connection with the guest account's privileges.
C.
The laptop will be able to access the wireless network but other wireless devices will be unable to
communicate with it.
D.
The laptop will not be able to access the wireless network.
Answer: D
Explanation:
In order to communicate with WAP, a wireless device needs to be configured with the same WEP
key. If there is any difference in the key, the device will not be able to access and communicate
with the wireless network.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to set the user login features on the systems with the shadow passwords. Which of the
following Unix configuration files can you use to accomplish the task?
A.
/etc/logrotate.conf
B.
/etc/login.defs
C.
/etc/magic
D.
/etc/filesystems
Answer: B
Explanation:
In Unix, the /etc/login.defs file is used by system administrators to set the user login features on
the systems with the shadow passwords.
Answer: A is incorrect. In Unix, the /etc/logrotate.conf file configures the logrotate program used
for managing log files.
Answer: C is incorrect. In Unix, the /etc/magic file contains the descriptions of various file formats
for the file command.
Answer: D is incorrect. In Unix, the /etc/filesystems file is used to set the filesystem probe order
when filesystems are mounted with the auto option.
You work as a Network Administrator for XYZ CORP. The company has a Windows Server 2008
network environment. The network is configured as a Windows Active Directory-based single
forest single domain network. You have installed a Windows Server 2008 computer as the domain
controller. The client computers of the company use the Windows XP Professional operating
system. When a user logs on to a client computer, it gets authenticated by the domain controller.
You want to audit the logon events that would be generated on the domain controller. Which of the
following audit settings do you need to configure to accomplish the task?
A.
Audit account management
B.
Audit logon events
C.
Audit directory service access
D.
Audit account logon events
Answer: D
Explanation:
'Audit account logon events' is one of the nine audit settings that can be configured on a Windows
computer. This performs auditing whenever a user logs on or off from a different computer in
Answer: A is incorrect. Audit account management is one of the nine audit settings that can be
configured on a Windows computer. This option is enabled to audit each event that is related to a
user managing an account in the user database on the computer where the auditing is configured.
This option is also used to audit the changes to the domain account of the domain controllers.
Answer: C is incorrect. The 'Audit directory service access' option is enabled to capture the events
that are related to the users accessing the Active Directory object which has been configured to
track user access through the System Access Control List (SACL) of the object.
Answer: B is incorrect. The 'Audit logon events' option is enabled to audit each event that is
related to a user logging on to, logging off from, or making a network connection to the computer
configured to audit logon events.
Which of the following types of servers are dedicated to providing resources to hosts on the
network? (Choose three.)
A.
Web servers
B.
Monitoring servers
C.
Mail servers
D.
Default gateway servers
E.
Print servers
Answer: A,C,E
Explanation:
The following types of servers are dedicated to providing resources to other hosts on the network:
Mark works as a Network Administrator for We-are-secure Inc. He finds that the We-are-secure
server has been infected with a virus. He presents to the company a report that describes the
symptoms of the virus.
This virus has a dual payload, as the first payload of the virus changes the first megabyte of the
hard drive to zero. Due to this, the contents of the partition tables are deleted and the computer
hangs. The second payload replaces the code of the flash BIOS with garbage values. This virus
spreads under the Portable Executable File Format under Windows 95, Windows 98, and
Windows ME.
Which of the following viruses has the symptoms as the one described above?
A.
I Love You
B.
Nimda
C.
Chernobyl
D.
Melissa
Answer: C
Explanation:
The Chernobyl (CIH) virus is a good example of a dual payload virus. Since the first payload of the
virus changes the first megabyte of a computer's hard drive to zero, the contents of the partition
tables are deleted, resulting in the computer hanging. The second payload of CIH replaces the
code of the flash BIOS with garbage values so that the flash BIOS is unable to give a warning, the
end result being that the user is incapable of changing the BIOS settings. CIH spreads under the
Portable Executable file format under Windows 95, Windows 98, and Windows ME.
Answer: A is incorrect. The I LOVE YOU virus is a VBScript virus in which a victim gets an email
attachment titled as "I Love You" with an attachment file named as "Love-Letter-For-You.txt.vbs".
When the victim clicks on this attachment, the virus script infects the victim's computer. The virus
Answer: D is incorrect. The Melissa virus infects Word 97 documents and the NORMAL.DOT file
of Word 97 and Word 2000. This macro virus resides in Word documents containing one macro
named "Melissa". The Melissa virus has the ability to spread itself very fast by using e-mail.
When a document infected by the Melissa virus is opened for the first time, the virus checks
whether or not the user has installed Outlook on the computer. If it finds Outlook, it sends e-mail
to 50 addresses from the Outlook address book. This virus can spread only by using Outlook.
This virus is also known as W97M/Melissa, Kwyjibo, and Word97.Melissa.
Answer: B is incorrect. Nimda is a mass mailing virus that spreads itself in attachments named
README.EXE. It affects Windows 95, 98, ME, NT4, and Windows 2000 users. Nimda uses the
Unicode exploit to infect IIS Web servers.
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to identify the list of users with special privileges along with the commands that they can
execute. Which of the following Unix configuration files can you use to accomplish the task?
A.
/proc/meminfo
B.
/etc/sysconfig/amd
C.
/proc/modules
D.
/etc/sudoers
Answer: D
Explanation:
In Unix, the /etc/sudoers file contains a list of users with special privileges along with the
commands that they can execute.
Answer: A is incorrect. In Unix, the /proc/meminfo file shows information about the memory usage,
both physical and swap.
Answer: B is incorrect. In Unix, the /etc/sysconfig/amd file is the configuration file that is used to
configure the auto mount daemon.
Answer: C is incorrect. In Unix, the /proc/modules file shows the kernel modules that are currently
loaded.
Which of the following statements about the <web-resource-collection> element are true?
A.
It has <web-resource-name> as one of its sub-elements.
B.
If there is no <http-method> sub-element, no HTTP method will be constrained.
C.
It can have at the most one <url-pattern> sub-element.
D.
It is a sub-element of the <security-constraint> element.
Answer: A,D
Explanation:
<web-resource-name>: This mandatory sub-element is the name of the Web resource collection.
<description>: This is an optional sub-element that specifies a text description of the current
security constraint.
<http-method>: This optional sub-element specifies HTTP methods that are constrained.
<url-pattern>: This sub-element specifies the URL to which the security constraint applies. There
should be at least one url-pattern element; otherwise, the <web-resource-collection> will be
ignored.
Answer: C is incorrect. The <web-resource-collection> element can have any number of
<url-pattern> sub-elements.
Answer: B is incorrect. If there is no <http-method> sub-element, no HTTP methods will be
allowed.
Which of the following processes are involved under the COBIT framework?
A.
Managing the IT workforce.
B.
Correcting all risk issues.
C.
Conducting IT risk assessments.
D.
Developing a strategic plan.
Answer: A,C,D
Explanation:
The Control Objectives for Information and related Technology (COBIT) is a set of best practices
(framework) for information technology (IT) management, which provides managers, auditors, and
IT users with a set of generally accepted measures, indicators, processes and best practices to
assist them in maximizing the benefits derived through the use of information technology and
developing appropriate IT governance and control in a company. It has the following 11
processes:
Answer: B is incorrect. Correcting all risk issues does not come under auditing processes.
Which of the following commands can be used to convert all lowercase letters of a text file to
uppercase?
A.
tac
B.
tr
C.
cat
D.
less
Answer: B
Explanation:
You can use the tr command to convert all lowercase letters of a text file to uppercase. The tr
command is used to translate, squeeze, and/or delete characters from standard input, writing to
standard output. If you want to change all lowercase letters to uppercase, you will use the
tr [a-z] [A-Z] command. The other listed commands cannot translate text from one form to another.
You work as the Network Administrator for XYZ CORP. The company has a Linux-based network.
You are a root user on the Red Hat operating system. You want to see first five lines of the file
/etc/passwd. Which of the following commands should you use to accomplish the task?
A.
head -n 5 /etc/passwd
B.
head 5 -n /etc/passwd
C.
tail -n 5 /etc/passwd
D.
head /etc/passwd
Answer: A
Explanation:
The head -n 5 /etc/passwd command will show the first 5 lines of the file /etc/passwd.
In an IT organization, some specific tasks require additional detailed controls to ensure that the
workers perform their job correctly. What do these detailed controls specify? (Choose three.)
A.
How the department handles acquisitions, security, delivery, implementation, and support of IS
services
B.
How to lock a user account after unsuccessful logon attempts
C.
How output data is verified before being accepted into an application
D.
The way system security parameters are set
Answer: A,B,D
Explanation:
Some of the specific tasks require additional detailed controls to ensure that the workers perform
their job correctly. These controls refer to some specific tasks or steps to be performed such as:
Answer: C is incorrect. Input data should be verified before being accepted into an application.
You are tasked with creating an ACL to apply to Fa0/0 based on the following requirements:
All traffic from host 10.10.45.2 and subnet 10.10.1.32/27 must be denied access through the
router.
Telnet and SSH must be denied for ALL hosts except the management host with the IP address of
10.10.0.100.
This management host must not only have Telnet and SSH access, but access to any port in the
TCP and UDP suite to any destination.
HTTP, HTTPS, and DNS requests must be allowed for all hosts on subnets 10.10.2.0/24 and
10.10.3.0/24 to any destination.
However, you must provide this configuration manually so that engineers can see hit counts on the
deny all traffic when running the show ip access-lists command. Which of the following sets of
commands will you choose to complete the configuration on Router A?
A.
RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 110 permit tcp host 10.10.0.100 any
RouterA(config)#access-list 110 permit udp host 10.10.0.100 any
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 110 deny ip any any
RouterA(config)#interface fa0/0
RouterA(config-if)#ip access-group 110 out
B.
RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 110 permit ip host 10.10.0.100 any
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 110 deny ip any any
RouterA(config)#interface fa0/0
RouterA(config-if)#ip access-group 110 in
C.
RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 110 permit tcp host 10.10.0.100 any
RouterA(config)#access-list 110 permit udp host 10.10.0.100 any
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 110 deny ip any any
RouterA(config)#interface fa0/0
RouterA(config-if)#ip access-group 110 in
D.
RouterA(config)#access-list 99 deny ip host 10.10.45.2 any
RouterA(config)#access-list 99 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 99 permit tcp host 10.10.0.100 any
RouterA(config)#access-list 99 permit udp host 10.10.0.100 any
RouterA(config)#access-list 99 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 99 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 99 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 99 deny ip any any
RouterA(config)#interface fa0/0
RouterA(config-if)#ip access-group 99 in
Answer: C
Explanation:
This ACL is an extended ACL. It meets the traffic requirements and is applied to Fa0/0 in the
appropriate direction of in, which matches traffic going into the interface. In addition, this ACL
meets the needs for subnets 10.10.2.0/24 and 10.10.3.0/24 by applying the subnet and wildcard
mask of 10.10.2.0 0.0.1.255 for the lines that apply to HTTP, HTTPS, and DNS. These subnets are
covered by the wildcard mask 0.0.1.255. This wildcard mask is applied to a range of hosts from
10.10.2.0 through 10.10.3.255, which covers both of the subnets required. This is handy since both
subnets are next to each other in their network numbers. Note: If the network numbers were not
next to each other, for example 10.10.2.0/24 and 10.10.20.0/24, then the wildcard mask of
0.0.1.255 would be incorrect. A wildcard mask of 0.0.0.255 would be required. The configuration of
the ACL would then be applied using the following commands (only the relevant commands are displayed):
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.0.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.0.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.0.255 any eq 53
RouterA(config)#access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.20.0 0.0.0.255 any eq 53
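As an added illustration of the wildcard-mask reasoning above (constructed for this explanation, not part of the original exam material), the following Python computes the address range a Cisco wildcard entry matches and checks whether a set of entries covers exactly the intended subnets, including the adjacent and non-adjacent /24 cases discussed in the note.

```python
"""Cisco wildcard-mask coverage check (constructed illustration, not exam text).

A wildcard mask is the bitwise inverse of a subnet mask: a 0 bit means "must
match", a 1 bit means "don't care".  So the entry ``10.10.2.0 0.0.1.255``
matches every address whose top 23 bits equal those of 10.10.2.0, i.e.
10.10.2.0 through 10.10.3.255.
"""
import ipaddress
from typing import Iterable, Tuple


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(address: str, network: str, wildcard: str) -> bool:
    """True if `address` is matched by the ACL entry `network wildcard`."""
    a, n, w = (ip_to_int(x) for x in (address, network, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the router actually compares
    return (a & care) == (n & care)


def wildcard_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address an entry `network wildcard` covers."""
    n, w = ip_to_int(network), ip_to_int(wildcard)
    care = ~w & 0xFFFFFFFF
    low = n & care                  # clear every "don't care" bit
    high = low | w                  # set every "don't care" bit
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def wildcard_for_prefix(cidr: str) -> str:
    """Wildcard mask equivalent to a CIDR prefix, e.g. /27 -> 0.0.0.31."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.hostmask)


def _addresses(low: int, high: int) -> set:
    return set(range(low, high + 1))


def covers_exactly(entries: Iterable[Tuple[str, str]],
                   subnets: Iterable[str]) -> bool:
    """Do the ACL entries cover exactly the union of `subnets`?

    Compared as sets of addresses, so an entry that silently over-matches
    (e.g. 0.0.1.255 used for two non-adjacent /24s) is reported as a
    mismatch just like one that under-matches.
    """
    covered: set = set()
    for network, wildcard in entries:
        low, high = wildcard_range(network, wildcard)
        covered |= _addresses(ip_to_int(low), ip_to_int(high))
    wanted: set = set()
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        wanted |= _addresses(int(net.network_address),
                             int(net.broadcast_address))
    return covered == wanted


if __name__ == "__main__":
    # Adjacent /24s from the question: one 0.0.1.255 entry is exact.
    print(wildcard_range("10.10.2.0", "0.0.1.255"))            # ('10.10.2.0', '10.10.3.255')
    print(covers_exactly([("10.10.2.0", "0.0.1.255")],
                         ["10.10.2.0/24", "10.10.3.0/24"]))    # True
    # Non-adjacent case from the note: 0.0.1.255 would be wrong ...
    print(covers_exactly([("10.10.2.0", "0.0.1.255")],
                         ["10.10.2.0/24", "10.10.20.0/24"]))   # False
    # ... and two 0.0.0.255 entries are needed instead.
    print(covers_exactly([("10.10.2.0", "0.0.0.255"),
                          ("10.10.20.0", "0.0.0.255")],
                         ["10.10.2.0/24", "10.10.20.0/24"]))   # True
    # The /27 denied in the question maps to wildcard 0.0.0.31.
    print(wildcard_for_prefix("10.10.1.32/27"))                # 0.0.0.31
```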
Which of the following statements about system hardening are true? (Choose two.)
A.
It is used for securing the computer hardware.
B.
It can be achieved by installing service packs and security updates on a regular basis.
C.
It can be achieved by locking the computer room.
D.
It is used for securing an operating system.
Answer: B,D
Explanation:
System hardening is a term used for securing an operating system. It can be achieved by installing
the latest service packs, removing unused protocols and services, and limiting the number of
users with administrative privileges.
B.
Software that manages safety critical data including display of safety critical information
C.
Software that intervenes when a safe condition is present or is about to happen
D.
Software that is used to create safety critical functions
Answer: A,B
Explanation:
Answer: D is incorrect. Software that is used to manage or monitor safety critical functions is
known as safety critical software.
Answer: C is incorrect. Software that intervenes when an unsafe condition is present or is about to
happen is known as safety critical software.
Which of the following wireless security standards supported by Windows Vista provides the
highest level of security?
A.
WPA-EAP
B.
WEP
C.
WPA-PSK
D.
WPA2
Answer: D
Explanation:
WPA2 is an updated version of WPA. This standard is also known as IEEE 802.11i. WPA2 offers
stronger protection for wireless networks than the WPA and WEP standards. It is also available as
WPA2-PSK and WPA2-EAP for home and enterprise environments respectively.
Answer: B is incorrect. than WEP (Wired Equivalent Protection). Windows Vista supports both WPA-PSK and
WPA-EAP. Each of these is described as follows:
The Security Auditor's Research Assistant (SARA) is a third generation network security analysis
tool. Which of the following statements are true about SARA? (Choose two.)
A.
It operates under Unix, Linux, MAC OS/X, or Windows (through coLinux) OS.
B.
It cannot be used to perform exhaustive XSS tests.
C.
It cannot be used to perform SQL injection tests.
D.
It supports plug-in facility for third party apps.
Answer: A,D
Explanation:
The Security Auditor's Research Assistant (SARA) is a third generation network security analysis
tool. It has the following functions:
A.
/safeboot:network /sos /bootlog /noguiboot
B.
/safeboot:minimal /sos /bootlog /noguiboot
C.
/safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
D.
/safeboot:dsrepair /sos
Answer: C
Explanation:
Safe-mode boot switches are used in the Windows operating systems to use the safe-mode boot
feature. To use this feature, the user should press F8 during boot. These modes are available in
the Boot.ini file. Users can also automate the boot process using this feature.
Which of the following Web authentication techniques uses a single sign-on scheme?
A.
NTLM authentication
B.
Digest authentication
C.
Microsoft Passport authentication
D.
Basic authentication
Answer: C
Microsoft Passport authentication is based on single sign-on authentication in which a user needs
to remember only one username and password to be authenticated for multiple services. The
Passport is a suite of services for authenticating users across a number of applications. The
Passport single sign-on service is an authentication service allowing users to create a single set of
credentials that will enable them to sign in to any participating site that supports the Passport
service. It enables the use of one set of credentials to access any Passport-enabled site such as
MSN, Hotmail, and MSN Messenger.
Which of the following features of a switch helps to protect a network from MAC flooding and MAC
spoofing?
A.
Multi-Authentication
B.
Port security
C.
MAC Authentication Bypass
D.
Quality of Service (QoS)
Answer: B
Explanation:
If a switch has the ability to enable port security, this will help to protect the network from both MAC
flooding and MAC spoofing attacks.
Answer: D is incorrect. Quality of Service (QoS) feature is useful for prioritizing VOIP traffic.
Switches are offering the ability to assign a device a Quality of Service (QoS) value or a rate
limiting value based on the RADIUS response.
Answer: C is incorrect. MAC Authentication Bypass feature is used to allow the RADIUS server to
specify the default VLAN/ACL for every device that doesn't authenticate by 802.1X.
You work as a Security manager for Qualoxizz Inc. Your company has number of network
switches in the site network infrastructure. Which of the following actions will you perform to
ensure the security of the switches in your company?
A.
Open up all the unused management ports.
B.
Set similar passwords for each management port.
C.
Set long session timeouts.
D.
Ignore usage of the default account settings.
Answer: D
Explanation:
A switch with a management port using a default user account permits an attacker to intrude
inside by making connections using one or more of the well-known default user accounts (e.g.,
administrator, root, security). Therefore, the default account settings should not be used.
Answer: A is incorrect. The unused management ports on a switch should always be blocked to
prevent port scanning attacks from the attackers.
Answer: B is incorrect. Setting similar passwords on all management ports increases the
vulnerability of password cracking. The matching passwords on all ports can be used by the
attacker to break into all ports once the password of one of the ports is known.
Answer: C is incorrect. Short timeout sessions should always be set to reduce the session period.
If the connections to a management port on a switch do not have a timeout period set or have a
large timeout period (greater than 9 minutes), then the connections will be more available for an
attacker to hijack them.
Topic 4, Volume D
Employees are required to use Microsoft Outlook Web Access to access their emails remotely.
You are required to accomplish the following goals:
Ensure the highest level of security and encryption for the Outlook Web Access clients.
A.
Install one front-end Exchange 2000 server and continue to run Microsoft Outlook Web Access on
the existing server. Place the new server on the perimeter network. Configure unique URLs for
each server. Configure Certificate Services. Create a rule on the firewall to direct port 443 to the
servers.
B.
Install two front-end Exchange 2000 servers. Place the new servers on the internal network and
configure load balancing between them. Configure Certificate Services. Create a rule on the
firewall to redirect port 443 to the servers.
C.
Install two front-end Exchange 2000 servers. Place the new servers on the perimeter network and
configure load balancing between them. Configure Certificate Services. Create a rule on the
firewall to redirect port 443 to the servers.
D.
Install two Exchange 2000 servers. Place the new servers on the perimeter network. Configure
unique URLs for each server. Configure Certificate Services. Create a rule on the firewall to direct
port 443 to the servers.
Answer: C
To ensure fault tolerance among the servers and to get the highest possible level of security and
encryption for OWA clients, you must install two front-end Exchange 2000 servers. Place the new
servers on the perimeter network and configure load balancing between them. To enhance
security, you should also configure Certificate Services and create a rule on the firewall to redirect
port 443 to the servers. The most secure firewall configuration is placing a firewall on either side of
the front-end servers. This isolates the front-end servers in a perimeter network, commonly
referred to as a demilitarized zone (DMZ). It is always better to configure more than one front-end
server to get fault tolerance.
Which of the following is an Internet mapping technique that relies on various BGP collectors that
collect information such as routing updates and tables and provide this information publicly?
A.
Path MTU discovery (PMTUD)
B.
AS Route Inference
C.
AS PATH Inference
D.
Firewalking
Answer: C
Explanation:
AS PATH Inference is one of the prominent techniques used for creating Internet maps. This
technique relies on various BGP collectors that collect information such as routing updates and
tables and provide this information publicly. Each BGP entry contains a Path Vector attribute
called the AS Path. This path represents an autonomous system forwarding path from a given
origin for a given set of prefixes. These paths can be used to infer AS-level connectivity and in turn
be used to build AS topology graphs. However, these paths do not necessarily reflect how data is
actually forwarded. Adjacencies between AS nodes only represent a policy relationship between
them. A single AS link can in reality be several router links. It is also much harder to infer peering
between two AS nodes, as these peering relationships are only propagated to an ISP's customer
networks. Nevertheless, support for this type of mapping is increasing as more and more ISPs
offer to peer with public route collectors such as Route-Views and RIPE. New toolsets are
emerging such as Cyclops and NetViews that take advantage of a new experimental BGP
collector BGPMon. NetViews can not only build topology maps in seconds but visualize topology
changes moments after occurring at the actual router. Hence, routing dynamics can be visualized
in real time.
Answer: A is incorrect. Path MTU discovery (PMTUD) is a technique in computer networking for
determining the maximum transmission unit (MTU) size on the network path between two Internet
Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. Path MTU discovery works
by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets. Then, any
device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP
"Fragmentation Needed" (Type 3, Code 4) message containing its MTU, allowing the source host
to reduce its path MTU appropriately. The process repeats until the MTU is small enough to
traverse the entire path without fragmentation. If the path MTU changes after the connection is set
up and is lower than the previously determined path MTU, the first large packet will cause an
ICMP error and the new, lower path MTU will be found. Conversely, if PMTUD finds that the path
allows a larger MTU than what is possible on the lower link, the OS will periodically reprobe to see
if the path has changed and now allows larger packets. On Linux this timer is set by default to ten
minutes.
John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He wants to perform a stealth scan to discover open ports
and applications running on the We-are-secure server. For this purpose, he wants to initiate
scanning with the IP address of any third party.
Which of the following scanning techniques will John use to accomplish his task?
A.
UDP
C.
IDLE
D.
TCP SYN/ACK
Answer: C
Explanation:
The IDLE scan is initiated with the IP address of a third party. Hence, it becomes a stealth scan.
Since the IDLE scan uses the IP address of a third party, it becomes quite impossible to detect the
hacker.
Answer: B is incorrect. The RPC (Remote Procedure Call) scan is used to find the RPC
applications. After getting the RPC application port with the help of another port scanner, RPC port
scanner sends a null RPC packet to all the RPC service ports, which are open into the target
system.
Answer: A is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target
system. If the remote port is closed, the server replies that the remote port is unreachable. If the
remote port is open, no such error is generated. Many firewalls block TCP port scanning, and in
that case UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port
scanning easily.
Answer: D is incorrect. TCP SYN scanning is also known as half-open scanning because in this a
full TCP connection is never opened. The steps of TCP SYN scanning are as follows:
4. If the RST packet is received, it indicates that the port is closed. This type of scanning is hard to
trace because the attacker never establishes a full 3-way handshake connection and most sites do
not create a log of incomplete TCP connections.
You work as a Database Administrator for XYZ CORP. The company has a multi-platform
network. The company requires fast processing of the data in the database of the company so that
answers to queries can be generated quickly. To provide fast processing, you have a conceptual
Which of the following systems can you use to implement your idea?
A.
SYSDBA
B.
MDDBMS
C.
Federated database system
D.
Hierarchical database system
Answer: B
Explanation:
Answer: A is incorrect. SYSDBA is a system privilege that allows a user to perform basic database
administrative tasks, such as creating a database, altering a database, starting up and shutting
down an Oracle instance, performing time-based recovery etc. The SYSDBA contains all system
privileges with the ADMIN OPTION. It also contains the SYSOPER system privilege. Granting the
SYSDBA system privilege to a user automatically adds him to the password file that is used to
authenticate administrative users. Therefore, a user possessing the SYSDBA system privilege can
connect to a database by using the password file authentication method.
The routing algorithm uses certain variables to create a metric of a path. It is the metric that
actually determines the routing path. In a metric, which of the following variables is used to define
the 'largest size' of a message that can be routed?
A.
Load
B.
MTU
C.
Hop count
D.
Bandwidth
Answer: B
Explanation:
The routing algorithm uses certain variables to create a metric of a path. It is the metric that is
actually used for path determination. Variables that are used to create a metric of a path are as
follows:
You are concerned about war driving bringing hackers' attention to your wireless network. What is
the most basic step you can take to mitigate this risk?
A.
Implement WPA
B.
Implement WEP
D.
Implement MAC filtering
Answer: C
Explanation:
By not broadcasting your SSID, some simple war driving tools won't detect your network. However,
you should be aware that there are tools that will still detect networks that are not broadcasting
their SSID.
Answer: D is incorrect. While MAC filtering may help prevent a hacker from accessing your
network, it won't keep him or her from finding your network.
John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He has successfully completed the following pre-attack
phases while testing the security of the server:
Footprinting
Scanning
A.
PsPasswd
B.
WinSSLMiM
C.
PsFile
D.
UserInfo
Answer: A,C,D
John can use the UserInfo, PsFile, and PsPasswd tools in the enumeration phase. UserInfo is a
utility that retrieves all available information about any known user from any Windows 2000/NT
operating system (accessible by TCP port 139). UserInfo returns mainly the following information:
SID and Primary group
Logon restrictions and smart card requirements
Note: UserInfo works as a NULL user even if the RestrictedAnonymous value in the LSA key is set
to 1 to specifically deny anonymous enumeration. PsFile is a command-line utility that shows a list
of files on a system that are opened remotely. It also allows a user to close opened files either by
name or by a file identifier. The command syntax for PsFile is as follows:
If this is omitted, the user is prompted to enter the password without it being echoed to the screen.
Id is the identifier of the file about which the user wants to display information.
PsPasswd is a tool that helps Network Administrators change an account password on the local or
remote system.
In which of the following techniques does an attacker take network traffic coming towards a host at
one port and forward it from that host to another host?
A.
Snooping
B.
UDP port scanning
C.
Firewalking
D.
Port redirection
Answer: D
Explanation:
Port redirection is a technique by which an attacker takes network traffic coming towards a host at
one port and redirects it from that host to another host. For example, tools such as Fpipe and
Datapipe are port redirection tools that accept connections at any specified port and resend them
to other specified ports on specified hosts. For example, the following command establishes a
listener on port 25 on the test system and then redirects the connection to port 80 on the target
system using the source port of 25:
C:\>fpipe -l 25 -s 25 -r 80 IP_address
Answer: B is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target
system. If the remote port is closed, the server replies that the remote port is unreachable. If the
remote port is open, no such error is generated. Many firewalls block TCP port scanning, and in
that case UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port
scanning easily.
You are the Security Consultant and have been hired to check security for a client's network. Your
client has stated that he has many concerns but the most critical is the security of Web
applications on their Web server.
A.
Setting up a honey pot
B.
Vulnerability scanning
C.
Setting up IDS
D.
Port scanning
Answer: B
Explanation:
According to the question, your highest priority is to scan the Web applications for vulnerabilities.
Which of the following is the most secure place to host a server that will be accessed publicly
through the Internet?
A.
A DNS Zone
B.
An Intranet
C.
A stub zone
D.
A demilitarized zone (DMZ)
Answer: D
A demilitarized zone (DMZ) is the most secure place to host a server that will be accessed publicly
through the Internet. Demilitarized zone (DMZ) or perimeter network is a small network that lies in
between the Internet and a private network. It is the boundary between the Internet and an internal
network, usually a combination of firewalls and bastion hosts that are gateways between inside
networks and outside networks. DMZ provides a large enterprise network or corporate network the
ability to use the Internet while still maintaining its security.
Answer: B is incorrect. Hosting a server on the intranet for public access will not be good from a
security point of view.
Mark works as a Database Administrator for MarLinc Inc. How will he execute a SQL command
from the SQL buffer?
A.
Enter an asterisk (*)
B.
Enter a semicolon (;)
C.
Press [ESC] twice
D.
Press [RETURN] twice
E.
Enter a slash(/)
Answer: B,E
Explanation:
SQL buffer stores the most recently used SQL commands and PL/SQL blocks. It does not store
the SQL* Plus commands. The SQL buffer can be edited or saved to a file. A SQL command or a
PL/SQL block can be executed by entering a semicolon (;) or a slash (/), or by using the RUN
command at the command prompt. When a semicolon (;) is entered at the end of a command, the
command is completed and executed. When a slash (/) is entered on a new line, the command in
the buffer is executed. It can also be used to execute a PL/SQL block. The RUN command is used
to execute a command in the buffer. A SQL command can be saved in the buffer by entering a
blank line.
Which of the following techniques can be used to determine the network ranges of any network?
A.
Whois query
B.
SQL injection
C.
Snooping
D.
Web ripping
Answer: A
Explanation:
Whois queries are used to determine the IP address ranges associated with clients. A whois query
can be run on most UNIX environments. In a Windows environment, the tools such as WsPingPro
and Sam Spade can be used to perform whois queries. Whois queries can also be executed over
the Web from www.arin.net and www.networksolutions.com.
Answer: B is incorrect. A SQL injection attack is a process in which an attacker tries to execute
unauthorized SQL statements. These statements can be used to delete data from a database,
delete database objects such as tables, views, stored procedures, etc. An attacker can either
directly enter the code into input variables or insert malicious code in strings that can be stored in
a database. For example, the following line of code illustrates one form of SQL injection attack:
This SQL code is designed to fetch the records of any specified username from its table of users.
However, if the "userName" variable is crafted in a specific way by a malicious hacker, the SQL
statement may do more than the code author intended. For example, if the attacker puts the
"userName" value as ' or ''=', the SQL statement will now be as follows:
Answer: D is incorrect. Web ripping is a technique in which the attacker copies the whole structure
of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker
to trace the loopholes of the Web site.
You work as a Network Architect for Tech Perfect Inc. The company has a TCP/IP based
Enterprise network. The company uses Cisco IOS technologies in the Enterprise network. You
have enabled system message logging (syslog) service on all the routers that are currently
working in the network. The syslog service provides all the reports, and important error and
notification messages. You want to store all the reports and messages.
A.
Auxiliary
B.
Buffer
C.
Syslog server
D.
tty lines
E.
Console
Answer: B,C,D,E
Explanation:
According to the scenario, you have enabled system message logging (syslog) service on all the
routers that are currently working in the network. If you want to store all the reports, important error
and notification messages sent by the routers, you can store all of these in the buffer, console,
syslog server, and tty lines. You can use buffer, if you want to store syslog messages for later
analysis of the network. Buffer is the memory of the router. The syslog messages that you have
stored in the buffer are later available for the network analysis until the router is rebooted. You can
use console port of the routers to send syslog messages to the attached terminal. You can also
use vty and tty lines to send syslog messages to the remote terminal. However, the messages
sent through the console, vty, and tty lines are not later available for network analysis. You can
use syslog server to store all the reports, and important error and notification messages. It is the
best option to store all these because it is easy to configure a syslog server and you can store a
large volume of logs. Note: If you have configured to run an SNMP agent, the routers send all the
reports, and important error and messages in the form of SNMP traps to an SNMP server. Using
this you can store the reports and messages for a long period of time.
Answer: A is incorrect. You cannot store syslog messages in the auxiliary line.
Peter works as a Web Developer for XYZ CORP. He is developing a Web site for the company.
Peter specifies MARGINHEIGHT="0" and MARGINWIDTH="0" in one of the Web pages.
A.
It will create a borderless page structure when viewed in any browser.
B.
It will create a borderless page structure when viewed in Netscape Navigator.
C.
It will delete all the text from the margins.
D.
It will create a borderless page structure when viewed in Internet Explorer.
Answer: B
Explanation:
The MARGINHEIGHT and MARGINWIDTH attributes are used in the <BODY> tag to adjust the
top and left margins of a Web page to be displayed in Netscape Navigator. Specifying
MARGINHEIGHT="0" and MARGINWIDTH="0" within the <BODY> tag will create a borderless
page structure when viewed in Netscape Navigator.
Answer: D is incorrect. The TOPMARGIN and LEFTMARGIN attributes are used in the <BODY>
tag to adjust the top and left margins of a Web page to be displayed in Internet Explorer.
Specifying TOPMARGIN="0" and LEFTMARGIN="0" within the <BODY> tag will create a
borderless page structure when viewed in Internet Explorer.
Answer: C is incorrect. These attributes are used to adjust margins and not to delete text from
margins.
What will happen if you write the following parameters in the web.xml file?
<session-config>
<session-timeout>0</session-timeout>
</session-config>
A.
There will be no effect on the session; it will last for its default time.
B.
The session will never expire.
C.
An error will occur during execution.
D.
The session will expire immediately.
Answer: B
Explanation:
The <session-timeout> element of the deployment descriptor sets the session timeout. If the time
specified for timeout is zero or negative, the session will never timeout.
Mike works as a Network Engineer for XYZ CORP. The company has a multi-platform network.
Recently, the company faced lots of blended threat issues that led to several drastic attacks.
Mike has been assigned a project to manage the resources and services of the company through
both Intranet and Internet to protect the company from these attacks. Mike needs a system that
provides auto-discovering and network topology building features to allow him to keep an intuitive
view of the IT infrastructure.
A.
eBox
C.
David system
D.
EM7
Answer: C
Explanation:
David system is a network management system that allows a user to manage the resources and
services through both Intranet and Internet. It provides auto-discovering and network topology
building features to facilitate in keeping an intuitive view of the IT infrastructure. The resources,
real-time monitoring, and accessibility of historical data facilitate reaction to failures. Configured
interfaces for monitored devices permit a user to focus on the most important aspects of their
work.
Answer: A is incorrect. eBox is an open source distribution and web development framework that
is used to manage server application configuration. It is based on Ubuntu Linux and is designed to
manage services in a computer network; its modular design allows a user to pick and choose the
services to run.
You work as a Network Administrator for Tech-E-book Inc. You are configuring the ISA Server
2006 firewall to provide your company with a secure wireless intranet. You want to accept inbound
mail delivery through an SMTP server. Which basic rules of ISA Server do you need to configure to
accomplish the task?
A.
Publishing rules
B.
Network rules
C.
Mailbox rules
D.
Access rules
Answer: A
Explanation:
Publishing rules are applied to SMTP servers to accept inbound mail delivery. There are three
basic kinds of rule in ISA Server: access rules, which control outbound traffic from protected
networks; publishing rules, which make internal servers (such as an SMTP or Web server)
reachable from outside; and network rules, which define the relationship (route or NAT) between
networks.
Answer: D is incorrect. Access rules control outbound traffic, not inbound server publishing.
You work as a Network Analyst for XYZ CORP. The company has a Unix-based network. You
want to view the directories in alphabetical order.
Which of the following Unix commands will you use to accomplish the task?
A.
cat
B.
chmod
C.
cp
D.
ls
Answer: D
Explanation:
The ls command lists the contents of a directory. By default it sorts the entries alphabetically by
name, so a plain ls (or ls -l for a long listing) shows the directories in alphabetical order.
Answer: A is incorrect. The cat command concatenates files and prints them to standard output.
Answer: B is incorrect. The chmod command changes the permission bits of files and directories.
Answer: C is incorrect. The cp command copies files and directories.
Adam works as a Security Analyst for Umbrella Inc. He is retrieving a large amount of log data from
syslog servers and network devices such as routers and switches, and he is facing difficulty in
analyzing the logs that he has retrieved. To solve this problem, Adam decides to use software
called Sawmill. Which of the following statements are true about Sawmill?
A.
It incorporates real-time reporting and real-time alerting.
B.
It is used to analyze any device or software package, which produces a log file such as Web
servers, network devices (switches & routers etc.), syslog servers etc.
C.
It is a software package for the statistical analysis and reporting of log files.
D.
It comes only as a software package for user deployment.
Answer: A,B,C
Explanation:
Sawmill is a software package for the statistical analysis and reporting of log files, with dynamic
contextual filtering, 'live' data zooming, user interface customization, and custom calculated
reports. Sawmill incorporates real-time reporting and real-time alerting. Sawmill also includes a
page tagging server and JavaScript page tag for the analysis of client side clicks (client requests)
providing a total view of visitor traffic and on-site behavioral activity. Sawmill Analytics is offered in
three forms, as a software package for user deployment, as a turnkey on-premise system
appliance, and as a SaaS service. Sawmill analyzes any device or software package producing a
log file and that includes Web servers, firewalls, proxy servers, mail servers, network devices
(switches & routers etc.), syslog servers, databases etc. Its range of potential uses by knowledge
workers is essentially limitless.
Which of the following recovery plans includes specific strategies and actions to deal with specific
variances to assumptions resulting in a particular security problem, emergency, or state of affairs?
A.
Disaster recovery plan
B.
Continuity of Operations Plan
C.
Business continuity plan
D.
Contingency plan
Answer: D
Explanation:
A contingency plan is a plan devised for a specific situation when things could go wrong.
Contingency plans include specific strategies and actions to deal with specific variances to
assumptions resulting in a particular problem, emergency, or state of affairs. They also include a
monitoring process and triggers for initiating planned actions.
Answer: A is incorrect. Disaster recovery is the process, policies, and procedures related to
preparing for recovery or continuation of technology infrastructure critical to an organization after a
natural or human-induced disaster.
Answer: C is incorrect. A business continuity plan deals with the plans and procedures that identify
and prioritize the critical business functions that must be preserved.
Answer: B is incorrect. A Continuity of Operations Plan includes the documented plans and
procedures that ensure the continuity of critical operations during any period in which normal
operations are impossible.
You have just taken over as the Network Administrator for a medium sized company. You want to
check to see what services are exposed to the outside world.
A.
Network mapper
B.
Protocol analyzer
C.
A port scanner
D.
Packet sniffer
Answer: C
Explanation:
A port scanner is often used on the periphery of a network by either administrators or hackers. It
will tell you what ports are open. By determining what ports are open, you know what services are
exposed to the outside world. For example, if port 80 is open, then HTTP traffic is allowed,
meaning there should be a Web server on the network.
Answer: A is incorrect. Network mappers give a topography of the network, letting you know what
is on your network and where it is connected.
Answer: B is incorrect. A protocol analyzer does detect if a given protocol is moving over a
particular network segment, thus would detect services working on that segment. However, a port
scanner is a better tool for detecting all the ports that are open.
Answer: D is incorrect. Packet sniffers are used to intercept traffic and to detect the contents of
that traffic.
Which of the following types of authentication tokens forms a logical connection to the client
computer but does not require a physical connection?
A.
Virtual token
B.
Connected token
C.
Disconnected token
D.
Contactless token
Answer: D
Explanation:
Contactless tokens are the third main type of physical tokens. Unlike connected tokens, they form
a logical connection to the client computer but do not require a physical connection. The absence
of the need for physical contact makes them more convenient than both connected and
disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry
systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit
authentication information from a keychain token. However, there have been various security
concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA
Laboratories discovered that RFID tags could be easily cracked and cloned. Another downside is
that contactless tokens have relatively short battery lives, usually only 3-5 years, which is low
compared to USB tokens which may last up to 10 years. However, some tokens do allow the
batteries to be changed, thus reducing costs.
Answer: A is incorrect. Virtual tokens are a new concept in multi-factor authentication first
introduced in 2005 by security company Sestus. Virtual tokens work by sharing the token
generation process between the Internet website and the user's computer and have the advantage
of not requiring the distribution of additional hardware or software. In addition, since the user's
device is communicating directly with the authenticating website, the solution is resistant to man-
in-the-middle attacks and similar forms of online fraud.
Answer: B is incorrect. Connected tokens are tokens that must be physically connected to the
client computer. Tokens in this category will automatically transmit the authentication information
to the client computer once a physical connection is made, eliminating the need for the user to
manually enter the authentication information. However, in order to use a connected token, the
appropriate input device must be installed. The most common types of physical tokens are smart
cards and USB tokens, which require a smart card reader and a USB port, respectively.
Answer: C is incorrect. Disconnected tokens have neither a physical nor logical connection to the
client computer. They typically do not require a special input device, and instead use a built-in
screen to display the generated authentication data, which the user enters manually via a
keyboard or keypad. Disconnected tokens are the most common type of security token used
(usually in combination with a password) in two-factor authentication for online identification.
Choose the benefits of deploying switches over hubs in your infrastructure. (Choose two.)
A.
Layer 2 switches allow for the creation of Virtual LANs providing options for further segmentation
and security.
B.
Switches lower the number of collisions in the environment.
C.
Switches create an environment best suited for half duplex communications. This improves
network performance and the amount of available bandwidth.
D.
Layer 2 switches increase the number of broadcast domains in the environment.
Answer: A,B
Explanation:
Switches differ from hubs in that they break up Collision Domains. Each port on a switch equals
one Collision Domain. Therefore, a switch will lower the number of collisions within the
infrastructure. Managed switches typically offer the ability to create Virtual LANs. Virtual LANs
allow the switch to create multiple LANs/network segments that are Virtual. This allows the switch
to create additional environments where needed.
A.
L0phtcrack
B.
NSLOOKUP
C.
NETSH
D.
Nmap
Answer: D
Explanation:
The nmap utility, commonly called a port scanner, is used to view the open ports on a Linux
computer (and on any other reachable host). Administrators use it to determine which services are
available to external users, and then decide whether to disable the services that are not being used
in order to minimize the attack surface.
Answer: B is incorrect. NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name
System (DNS) name-resolution problems.
Answer: C is incorrect. NETSH is a command line tool to configure TCP/IP settings such as the IP
address, subnet mask, default gateway, DNS and WINS addresses, etc.
Answer: A is incorrect. L0phtcrack is a tool that identifies and remediates security vulnerabilities
that result from the use of weak or easily guessed passwords. It recovers Windows and Unix
account passwords in order to audit user and administrator accounts.
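Both the port-scanner question above and this nmap question come down to the same mechanism: a
TCP connect() scan reports a port as open when the three-way handshake completes and as closed
when the target answers with a reset. The following is an added example written for this page, not
code from the exam or from the nmap project. It opens its own listening socket on 127.0.0.1 so that it
runs offline; the host, port choices and the "filtered" label for a silent timeout are assumptions made
for the example.

```python
"""Minimal TCP connect() port scanner (added example, not from the exam text or nmap).

A port is reported "open" when connect() succeeds, "closed" when the peer sends a RST
(ConnectionRefusedError) and "filtered" when nothing comes back before the timeout,
which on a real network usually means a firewall dropped the SYN.
"""
import socket
from typing import Dict, Iterable, Tuple


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Return {port: 'open' | 'closed' | 'filtered'} for the given host."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))          # full handshake, like nmap -sT
                results[port] = "open"
            except ConnectionRefusedError:       # RST: nothing is listening there
                results[port] = "closed"
            except (socket.timeout, OSError):    # no answer at all
                results[port] = "filtered"
    return results


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind and listen on an ephemeral port; the kernel completes handshakes for us,
    so no accept() loop is needed for connect() to succeed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def pick_closed_port(host: str = "127.0.0.1") -> int:
    """Reserve an ephemeral port and release it again, so it is almost certainly closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo(host: str = "127.0.0.1") -> Tuple[int, int, Dict[int, str]]:
    """Scan one known-open and one known-closed loopback port; returns both ports and the verdicts."""
    srv = start_listener(host)
    try:
        open_port = srv.getsockname()[1]
        closed_port = pick_closed_port(host)
        return open_port, closed_port, scan_ports(host, [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    open_port, closed_port, verdicts = demo()
    for port in (open_port, closed_port):
        print(f"127.0.0.1:{port} -> {verdicts[port]}")
```

A connect() scan is noisy (every probe shows up as a completed connection in the target's logs), which
is exactly why it is also the easiest scan to spot when you examine those logs.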
You have just set up a wireless network for customers at a coffee shop. Which of the following are
good security measures to implement? (Choose two.)
A.
Using WPA encryption
B.
MAC filtering the router
C.
Not broadcasting SSID
D.
Using WEP encryption
Answer: A,D
Explanation:
With either encryption method (WEP or WPA) you can give the passphrase to customers who need
it and change it as often as you like (daily, if required), so encryption is not an inconvenience for
customers. MAC filtering and a hidden SSID, by contrast, are impractical for a walk-in public
hotspot and provide little real security, because both MAC addresses and hidden SSIDs are
visible to anyone with a sniffer. Note that WEP is cryptographically broken (its RC4 key can be
recovered from captured traffic in minutes), so in practice WPA2 should be used; WEP appears
here only as the exam's second accepted answer.
You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company has recently provided laptops to its sales team members. You have
configured access points in the network to enable a wireless network. The company's security
policy states that all users using laptops must use smart cards for authentication.
Which of the following authentication techniques will you use to implement the security policy of
the company?
A.
IEEE 802.1X using EAP-TLS
B.
IEEE 802.1X using PEAP-MS-CHAP
C.
Pre-shared key
D.
Open system
Answer: A
Explanation:
In order to ensure that laptop users authenticate with smart cards, you will have to configure IEEE
802.1X authentication using the EAP-TLS protocol on the network. EAP-TLS performs
certificate-based mutual authentication, and the user certificate and its private key can live on the
smart card. PEAP-MS-CHAP v2 authenticates with a username and password, so it cannot enforce
smart-card use, and a pre-shared key or open system authentication involves no per-user
credentials at all.
You have been assigned a project to develop a Web site for a construction company. You plan to
develop a Web site and want to use cascading style sheets (CSS) as it helps you to get more
control over the appearance and presentation of your Web pages and also extends your ability to
precisely specify the position and appearance of the elements on a page and create special
effects. You want to define styles for individual elements of a page.
A.
Embedded Style Sheet
B.
Internal Style Sheet
C.
External Style Sheet
D.
Inline Style Sheet
Answer: D
Explanation:
Cascading style sheets (CSS) are used so that the Web site authors can exercise greater control
on the appearance and presentation of their Web pages. And also because they increase the
ability to precisely point to the location and look of elements on a Web page and help in creating
special effects. Cascading Style Sheets have codes, which are interpreted and applied by the
browser on to the Web pages and their elements. There are three types of cascading style sheets.
External Style Sheets are used whenever consistency in style is required throughout a Web site. A
typical external style sheet uses a .css file extension and can be edited using a text editor such as
Notepad.
Embedded Style Sheets are used for defining styles for an active page.
Inline Style Sheets are used for defining individual elements of a page.
Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number:
Q179628
You want to append a tar file if the on-disk version of the tar file has a modification date more
recent than its copy in the tar archive.
Which of the following commands will you use to accomplish the task?
A.
tar -u
B.
tar -t
C.
tar -c
D.
tar -x
Answer: A
Explanation:
The tar -u command is used to append a tar file if the on-disk version of the tar file has a
modification date more recent than its copy in the tar archive.
Answer: B is incorrect. The tar -t command is used to list the contents of an archive.
Answer: D is incorrect. The tar -x command is used to extract the files from an archive.
Answer: C is incorrect. The tar -c command is used to create a new archive of specified files.
You are the Security Administrator for an Internet Service Provider. From time to time your
company gets subpoenas from attorneys and law enforcement for records of customers' access to
the internet. What policies must you have in place to be prepared for such requests?
A.
Group access policies
B.
Backup policies
C.
User access policies
D.
Storage and retention policies
Answer: D
Explanation:
Storage and retention policies will determine how long you keep records (such as records of
customers Web activity), how you will store them, and how you will dispose of them. This will allow
you to know what records you should still have on hand should a legal request for such records
come in.
Answer: C is incorrect. User policies might determine what a customer has access to, but won't
help you identify what they actually did access.
Answer: A is incorrect. Group policies are usually pertinent to network administration, not the open
and uncontrolled environment of an ISP.
Answer: B is incorrect. Backup policies dictate how data is backed up and stored.
You work as a Network Administrator for Infosec Inc. You have been seeing unauthorized access
to your Wi-Fi network. Therefore, you analyze a log that has been recorded by your favorite sniffer,
Ethereal, and you discover the cause of the unauthorized access after noticing the payload string
'All your 802.11b are belong to us' in the log file. Which of the following tools is being used for the
unauthorized access?
A.
AiroPeek
B.
AirSnort
C.
Kismet
D.
NetStumbler
Answer: D
Explanation:
NetStumbler, a war-driving tool, sends LLC/SNAP frames carrying an organizationally unique
identifier (OUI) of 0x00601D and a protocol identifier (PID) of 0x0001. Each version adds a typical
payload string. For example, NetStumbler 3.2.3 uses the payload string 'All your 802.11b are
belong to us'. Therefore, when you see the OUI and PID values you can tell that the attacker is
using NetStumbler, and when you see the payload string you can further determine that the
version in use is 3.2.3. (Ethereal has since been renamed Wireshark.)
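The two-stage match described above (OUI and PID identify the tool, the payload string identifies the
version) is easy to turn into a detector. The following is an added example written for this page, not
code from the exam, NetStumbler or any sniffer. It parses the LLC/SNAP header of an 802.11 data
frame body directly; the frames it is run over are constructed test data, not a real capture, and the
version table lists only the string quoted in the explanation.

```python
"""Detect NetStumbler probes by LLC/SNAP OUI+PID and version payload string.

Added example, not from the exam text. SAMPLE_FRAMES are constructed, not captured.
"""
import struct
from typing import List, Optional, Tuple

NETSTUMBLER_OUI = 0x00601D   # OUI in the SNAP header of NetStumbler probe frames
NETSTUMBLER_PID = 0x0001     # protocol identifier that accompanies it
# Version-specific payload strings; only the one quoted in the explanation is listed.
NETSTUMBLER_PAYLOADS = {
    b"All your 802.11b are belong to us": "3.2.3",
}


def parse_llc_snap(body: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Split a frame body into (OUI, PID, payload).

    An LLC/SNAP header is DSAP=0xAA, SSAP=0xAA, control=0x03, 3-byte OUI, 2-byte PID.
    Returns None when the body does not start with a SNAP header.
    """
    if len(body) < 8 or body[:3] != b"\xaa\xaa\x03":
        return None
    oui = int.from_bytes(body[3:6], "big")
    (pid,) = struct.unpack("!H", body[6:8])
    return oui, pid, body[8:]


def classify(body: bytes) -> Optional[str]:
    """Return a tool/version label when the frame matches the NetStumbler signature."""
    parsed = parse_llc_snap(body)
    if parsed is None:
        return None
    oui, pid, payload = parsed
    if (oui, pid) != (NETSTUMBLER_OUI, NETSTUMBLER_PID):
        return None                      # ordinary traffic, e.g. OUI 0x000000 / IPv4
    version = NETSTUMBLER_PAYLOADS.get(payload.rstrip(b"\x00"))
    return f"NetStumbler {version}" if version else "NetStumbler (unknown version)"


def build_llc_snap(oui: int, pid: int, payload: bytes) -> bytes:
    """Assemble a frame body; used only to construct the samples below."""
    return b"\xaa\xaa\x03" + oui.to_bytes(3, "big") + struct.pack("!H", pid) + payload


# Constructed sample capture: a 3.2.3 probe, a plain IPv4 frame, a NetStumbler frame
# with a payload not in the table, and a runt that carries no SNAP header at all.
SAMPLE_FRAMES = [
    build_llc_snap(0x00601D, 0x0001, b"All your 802.11b are belong to us"),
    build_llc_snap(0x000000, 0x0800, b"\x45\x00\x00\x1c"),
    build_llc_snap(0x00601D, 0x0001, b"some other probe text"),
    b"\x00\x01\x02",
]


def scan_capture(frames: List[bytes]) -> List[Optional[str]]:
    """Classify every frame; None means 'not NetStumbler'."""
    return [classify(f) for f in frames]


if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, scan_capture(SAMPLE_FRAMES)):
        print(frame[8:], "->", verdict)
```

Matching on the OUI/PID pair first and on the payload second means a new NetStumbler release with an
unknown string is still flagged as NetStumbler rather than slipping through.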
Without using an IDS how can you detect this sort of activity?
A.
By setting up a DMZ.
B.
You cannot, you need an IDS.
C.
By examining your domain controller server logs.
D.
By examining your firewall logs.
Answer: D
Explanation:
Firewall logs will show all incoming and outgoing traffic. By examining those logs you can detect
anomalous traffic, which can indicate the presence of malicious code such as rootkits.
Answer: B is incorrect. While an IDS might be the most obvious solution in this scenario, it is not
the only one.
Answer: C is incorrect. It is very unlikely that anything in your domain controller logs will show the
presence of a rootkit, unless that rootkit is on the domain controller itself.
Answer: A is incorrect. A DMZ is an excellent firewall configuration but will not aid in detecting
rootkits.
Martha works as a Web Developer for XYZ CORP. She is developing a Web site for the company.
In the Web site, she uses multiple and overlapping style definitions to control the appearance of
HTML elements.
A.
Style sheet
B.
Cascading Style Sheet
C.
Overlapping Style Sheet
D.
Core sheet
Answer: B
Explanation:
A Cascading Style Sheet (CSS) is a separate text file that keeps track of design and formatting
information, such as colors, fonts, font sizes, and margins, used in Web pages. CSS is used to
give Web site authors greater control over the appearance and presentation of their Web pages.
It has codes that are interpreted and applied by the browser to the Web pages and their
elements. CSS files have a .css extension. There are three types of Cascading Style Sheets:
external, embedded, and inline.
Answer: A is incorrect. A style sheet is a set of additional tags used to describe the appearance of
individual HTML tags.
Which of the following is used to execute a SQL statement from the SQL buffer?
A.
Entering an asterisk (*)
B.
Pressing [RETURN] once
C.
Pressing [RETURN] twice
D.
Entering a slash (/)
E.
Pressing [ESC] twice.
Answer: D
Explanation:
A SQL statement or a PL/SQL block held in the SQL buffer is executed by entering a slash (/) on a
line by itself; a statement typed directly at the SQL*Plus prompt can also be terminated and
executed with a semicolon (;).
Reference: Oracle8i Online Documentation, Contents: "SQL*PLUS Users Guide and Reference",
"Learning SQL*PLUS Basics,3 of 4", "Understanding SQL COMMAND Syntax"
You work as a Network Administrator for Tech Perfect Inc. You have a laptop running Windows
Vista Ultimate. You want to configure Windows Defender on your laptop so that it does not take
any action automatically whenever it scans malicious software. Rather, it should recommend the
action and wait for your approval for taking any action.
Which of the following actions will you take to accomplish the task?
A.
Clear the Use real-time protection check box in Defender Options
B.
Clear the Automatically scan my computer check box in Defender Options
C.
Select the Create a restore point before applying action to detected items check box in Defender
Options
D.
Clear the Apply default actions to items detected during a scan check box in Defender Options.
Answer: D
Explanation:
According to the question, you want to prevent Windows Defender from taking any action
automatically during the scanning of your laptop. In order to accomplish this, you will have to clear
the Apply default actions to items detected during a scan check box in Defender Options.
If you clear the Apply default actions to items detected during a scan check box, Windows
Defender will only recommend an action to take for detected malicious software and wait for your
approval.
Mark works as a Network Administrator for Infonet Inc. The company has a Windows 2000 Active
Directory domain-based network. The domain contains one hundred Windows XP Professional
client computers. Mark is deploying an 802.11 wireless LAN on the network. The wireless LAN will
use Wired Equivalent Privacy (WEP) for all the connections. According to the company's security
policy, the client computers must be able to automatically connect to the wireless LAN. However,
the unauthorized computers must not be allowed to connect to the wireless LAN and view the
wireless network. Mark wants to configure all the wireless access points and client computers to
act in accordance with the company's security policy.
A.
Configure the authentication type for the wireless LAN to Shared Key
B.
On each client computer, add the SSID for the wireless LAN as the preferred network
C.
Install firewall software on each wireless access point
D.
Disable SSID Broadcast and enable MAC address filtering on all wireless access points
E.
Configure the authentication type for the wireless LAN to Open system
F.
Broadcast SSID to connect to the access point (AP)
Answer: A,B,D
Explanation:
To configure all the wireless access points and client computers in accordance with the company's
security policy, Mark will take the following actions:
Configure the authentication type for the wireless LAN to Shared Key.
On each client computer, add the SSID for the wireless LAN as the preferred network, so that the
clients connect automatically.
Disable SSID broadcast and enable MAC address filtering on all wireless access points, so that
unauthorized computers cannot see or join the network.
Answer: E is incorrect. In the exam's reasoning, setting the authentication type to Open System
provides no authentication and therefore no security. In practice, Open System authentication does
not disable WEP encryption of data frames, while Shared Key authentication leaks RC4 keystream
in its challenge/response exchange; WEP itself is broken and should be replaced by WPA2 with
802.1X, and a hidden SSID and MAC filtering only deter casual users, since both are visible to a
sniffer.
John works as a professional Ethical Hacker. He has been assigned a project to test the security
of www.we-are-secure.com. He performs Web vulnerability scanning on the We-are-secure
server. The output of the scanning test is as follows:
A.
With the help of 'printenv' vulnerability, an attacker can input specially crafted links and/or other
malicious scripts.
B.
'Printenv' vulnerability maintains a log file of user activities on the Website, which may be useful
for the attacker.
C.
The countermeasure to 'printenv' vulnerability is to remove the CGI script.
D.
This vulnerability helps in a cross-site scripting attack.
Answer: A,C,D
Explanation:
The 'printenv' vulnerability allows an attacker to input specially crafted links and/or other malicious
scripts. The printenv script echoes its CGI environment variables (including PATH_INFO, which
carries whatever follows the script name in the URL) back to the browser without HTML-escaping
them, so a link such as http://www/cgi-bin/printenv/<script>alert('An attacker can misuse it!')</script>
causes the script to be reflected into the page and run in the victim's browser. Since 'printenv' is
just an example CGI script (it ships with various versions of the Apache Web server), has no real
use, and has its own problems, there is no problem in removing it.
Answer: B is incorrect. 'Printenv' does not maintain any log file of user activities.
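The reflection described above, and the escaping that prevents it, side by side. This is an added
example written for this page, not Apache's printenv script or code from the exam. The request
environment is constructed; PATH_INFO holds the attack string from the explanation, and the
two renderers are assumed stand-ins for the vulnerable and the fixed script.

```python
"""Reflected input in a printenv-style CGI page: vulnerable output beside the escaped version.

Added example, not from the exam text or from Apache. ATTACK_ENV is constructed.
"""
import html
from typing import Dict


def render_env_vulnerable(env: Dict[str, str]) -> str:
    """Echo every CGI variable into the page unescaped, as a naive printenv does."""
    rows = "\n".join(f"{name}={value}" for name, value in sorted(env.items()))
    return f"<html><body><pre>\n{rows}\n</pre></body></html>"


def render_env_hardened(env: Dict[str, str]) -> str:
    """Same page, but every name and value is HTML-escaped before it is emitted."""
    rows = "\n".join(
        f"{html.escape(name)}={html.escape(value)}" for name, value in sorted(env.items())
    )
    return f"<html><body><pre>\n{rows}\n</pre></body></html>"


def carries_live_script(page: str) -> bool:
    """Does the page contain an unescaped <script tag that a browser would execute?"""
    return "<script" in page.lower()


# Constructed environment for:
#   GET /cgi-bin/printenv/<script>alert('An attacker can misuse it!')</script>
# PATH_INFO is the part of the URL after the script name, so it is fully attacker-controlled.
ATTACK_ENV = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/printenv",
    "PATH_INFO": "/<script>alert('An attacker can misuse it!')</script>",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
}

if __name__ == "__main__":
    print(render_env_vulnerable(ATTACK_ENV))
    print(render_env_hardened(ATTACK_ENV))
```

The hardened renderer still shows the attacker's string, but as text (&lt;script&gt;) rather than markup;
removing the script altogether, as the exam suggests, is simpler still when the page has no real use.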
Which of the following protocols are used to provide secure communication between a client and a
server over the Internet? (Choose two.)
A.
TLS
B.
SSL
C.
HTTP
D.
SNMP
Answer: A,B
Explanation:
SSL and TLS protocols are used to provide secure communication between a client and a server
over the Internet. TLS is the standardized successor to SSL; all SSL versions are now deprecated,
so new deployments should negotiate TLS only. HTTP carries Web traffic in the clear, and SNMP is
a network-management protocol, not a transport-security protocol.
You have made a program secure.c to display which ports are open and what types of services
are running on these ports. You want to write the program's output to standard output and
simultaneously copy it into a specified file.
A.
cat
B.
more
C.
less
D.
tee
Answer: D
Explanation:
You will use the tee command to write its content to standard output and simultaneously copy it
into the specified file. The tee command is used to split the output of a program so that it can be
seen on the display and also be saved in a file. It can also be used to capture intermediate output
before the data is altered by another command or program. The tee command reads standard
input, then writes its content to standard output, and simultaneously copies it into the specified
file(s) or variables. The syntax of the tee command is as follows: tee [-a] [-i] [File] where, the -a
option appends the output to the end of File instead of writing over it and the -i option is used to
ignore interrupts.
Answer: A is incorrect. The concatenate (cat) command is used to display or print the contents of
a file. Syntax: cat filename. For example, the following command will display the contents of the
/var/log/dmesg file: cat /var/log/dmesg. Note: The more command is used in conjunction with the
cat command to prevent the screen from scrolling while displaying the contents of a file.
Answer: C is incorrect. The less command is used to view (but not change) the contents of a text
file, one screen at a time. It is similar to the more command. However, it has the extended
capability of allowing both forward and backward navigation through the file. Unlike most Unix
text editors/viewers, less does not need to read the entire file before starting; therefore, it has
faster load times with large files. The command syntax of the less command is as follows: less
[options] file_name Where,
Answer: B is incorrect. The more command is used to view (but not modify) the contents of a text
file, one screen at a time. The syntax of the more command is as follows: more [options]
file_name Where,
Victor wants to use Wireless Zero Configuration (WZC) to establish a wireless network connection
using his computer running on Windows XP operating system.
Which of the following are the most likely threats to his computer? (Choose two.)
A.
Information from probing for networks can be viewed using a wireless analyzer and may be used to
gain access.
B.
Attacker can use the Ping Flood DoS attack if WZC is used.
C.
An attacker can create a fake wireless network with a high-power antenna and cause Victor's
computer to associate with it in order to gain access.
D.
It will not allow the configuration of encryption and MAC filtering, so sending information over the
wireless network is not secure.
Answer: A,C
Explanation:
Wireless Zero Configuration (WZC), also known as Wireless Auto Configuration or WLAN
AutoConfig, is a wireless connection management utility included with Microsoft Windows XP and
later operating systems. It runs as a service that dynamically selects a wireless network to connect
to based on the user's preferences and various default settings, and can be used instead of, or in
the absence of, a wireless network utility from the manufacturer of the computer's wireless
networking device. The drivers for the wireless adapter query the NDIS object identifiers and pass
the available network names to the service. WZC also introduces some security threats:
WZC sends probe requests for the networks in its preferred-network list. Anyone with a wireless
analyzer can view these network names and use them to set up a fake access point that the
client will connect to.
WZC attempts to connect to the wireless network with the strongest signal. An attacker can
therefore create a fake wireless network with a high-power antenna and cause computers to
associate with his access point.
Answer: D is incorrect. WZC does not interfere with the configuration of encryption or MAC filtering.
Answer: B is incorrect. In a ping flood attack, an attacker sends a large number of ICMP packets
to the target computer using the ping command, i.e., ping -f target_IP_address. When the target
computer receives these packets in large quantities, it stops responding and hangs. This attack
does not depend on WZC.
Which of the following statements about Secure Sockets Layer (SSL) are true? (Choose two.)
A.
It provides connectivity between Web browser and Web server.
B.
It provides mail transfer service.
C.
It provides communication privacy, authentication, and message integrity.
D.
It uses a combination of public key and symmetric encryption for security of data.
Answer: C,D
Explanation:
Secure Sockets Layer (SSL) is a protocol used to transmit private documents via the Internet. SSL
uses a combination of public key and symmetric encryption to provide communication privacy,
authentication, and message integrity: public-key cryptography authenticates the server (and
optionally the client) and establishes a shared secret, and symmetric ciphers then encrypt and
integrity-protect the bulk data. Using the SSL protocol, clients and servers can communicate in a
way that prevents eavesdropping and tampering of data on the Internet. Many Web sites use the
SSL protocol to obtain confidential user information, such as credit card numbers. By convention,
URLs that require an SSL connection start with https: instead of http:, which instructs the Web
browser to use TCP port 443 instead of port 80. SSL has been superseded by TLS, and the SSL
versions themselves are deprecated, but the name SSL is still commonly used for the whole family.
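The authentication SSL/TLS promises is only delivered if the client actually verifies the server's
certificate and host name; encryption alone does not stop an attacker who sits in the middle with
his own certificate. The following added example, written for this page and not taken from the exam
or from any library's documentation, builds a hardened client context beside the careless one that
is often used to silence certificate errors, and reports what each will enforce. It uses Python's
standard ssl module only and makes no network connection; the property names in the report are
the example's own.

```python
"""Two client-side TLS contexts: one that authenticates the server, one that only encrypts.

Added example, not from the exam text. Runs offline; no connection is made.
"""
import ssl
from typing import Dict


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate chain and host name; refuse SSLv3 and TLS 1.0/1.1."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 2/3 and early TLS are deprecated
    ctx.check_hostname = True                       # bind the certificate to the URL's host
    ctx.verify_mode = ssl.CERT_REQUIRED             # reject peers that cannot be verified
    return ctx


def careless_client_context() -> ssl.SSLContext:
    """The 'make the error go away' configuration: encryption without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, including an interceptor's, is accepted
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarize the security properties a context will actually enforce."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "authenticates_server": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    print("hardened:", describe(hardened_client_context()))
    print("careless:", describe(careless_client_context()))
```

The careless context still negotiates a cipher suite and encrypts traffic, which is why the mistake goes
unnoticed: privacy against a passive eavesdropper survives, authentication does not.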
You work as a Network Administrator for InfraTech Inc. You have been assigned the task of
designing the firewall policy for the company.
Which of the following statements can be considered acceptable in the 'contracted worker
statement' portion of the firewall policy?
A.
No contractors shall have access to the authorized resources.
B.
No contractors shall be permitted to scan the network.
C.
No contractors shall have access to the unauthorized resources.
D.
No contractors can access FTP unless specifically granted permissions to use it.
Answer: B,C,D
Explanation:
There are different portions that can be included in the firewall policy. These portions include the
acceptable use statement, the network connection statement, the contracted worker statement,
and the firewall administrator statement. The contracted worker statement portion of the policy
relates to contracted or temporary workers. It states the rights and permissions for these
workers. Some of the items that can be included in this portion are as follows: contractors shall not
be permitted to scan the network; contractors shall not have access to unauthorized resources;
and contractors cannot access FTP unless specifically granted permission to use it.
Answer: A is incorrect. Denying contractors access to the resources they are authorized to use is
self-contradictory and would prevent them from doing their work.
You work as a Network Administrator for XYZ CORP. The company has a TCP/IP-based network
environment. The network contains Cisco switches and a Cisco router. A user is unable to access
the Internet from Host B. You also verify that Host B is not able to connect to other resources on
the network. The IP configuration of Host B is shown below:
A.
An incorrect subnet mask is configured on Host B.
B.
The IP address of Host B is not from the correct IP address range of the network.
C.
There is an IP address conflict on the network.
D.
An incorrect default gateway is configured on Host B.
Answer: A
Explanation:
According to the network diagram, the IP address range used on the network is from the class C
private address range (192.168.0.0 to 192.168.255.255), for which the default subnet mask is
255.255.255.0. The question specifies that the subnet mask used on Host B is 255.255.0.0, which
is an incorrect subnet mask: Host B will treat addresses in other 192.168.x.0/24 subnets as local
and try to reach them directly instead of through the default gateway, which explains why it cannot
reach other resources on the network.
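Why an over-wide mask breaks connectivity is easiest to see by working out, per destination, whether
the host will ARP for it directly or hand it to the default gateway. The following is an added example
written for this page, not from the exam; because the question's diagram is missing, the addresses
(Host B at 192.168.1.50, a 192.168.1.0/24 segment, and the three destinations) are constructed
stand-ins, and the verdict strings are the example's own.

```python
"""Diagnose a wrong subnet mask and list the destinations it makes unreachable.

Added example, not from the exam text. All addresses below are constructed.
"""
import ipaddress
from typing import Dict, List


def diagnose_mask(host_ip: str, host_mask: str, network_cidr: str) -> str:
    """Compare the mask configured on the host with the mask of the segment it sits on."""
    configured = ipaddress.IPv4Interface(f"{host_ip}/{host_mask}").network
    actual = ipaddress.IPv4Network(network_cidr)
    if configured == actual:
        return "subnet mask correct"
    return f"incorrect subnet mask: host thinks it is in {configured}, segment is {actual}"


def misrouted_destinations(host_ip: str, host_mask: str, network_cidr: str,
                           destinations: List[str]) -> Dict[str, str]:
    """For each destination, say how the host will forward and whether that is wrong.

    A host ARPs directly for anything inside its own (configured) network and sends everything
    else to the default gateway. With an over-wide mask it ARPs for hosts that really live behind
    the router; those ARP requests go unanswered and the traffic is never sent.
    """
    configured = ipaddress.IPv4Interface(f"{host_ip}/{host_mask}").network
    actual = ipaddress.IPv4Network(network_cidr)
    verdicts: Dict[str, str] = {}
    for dst in destinations:
        addr = ipaddress.IPv4Address(dst)
        host_thinks_local = addr in configured
        really_local = addr in actual
        if host_thinks_local and not really_local:
            verdicts[dst] = "ARP directly (wrong: unreachable, should go via gateway)"
        elif host_thinks_local:
            verdicts[dst] = "ARP directly (ok)"
        else:
            verdicts[dst] = "via default gateway (ok)"
    return verdicts


# Constructed scenario standing in for the exam's missing diagram.
HOST_B_IP = "192.168.1.50"
HOST_B_MASK = "255.255.0.0"       # the misconfiguration named in the answer
SEGMENT = "192.168.1.0/24"        # class C private range, default mask 255.255.255.0
DESTINATIONS = ["192.168.1.10", "192.168.2.20", "8.8.8.8"]

if __name__ == "__main__":
    print(diagnose_mask(HOST_B_IP, HOST_B_MASK, SEGMENT))
    for dst, verdict in misrouted_destinations(HOST_B_IP, HOST_B_MASK, SEGMENT, DESTINATIONS).items():
        print(f"{dst:>14}: {verdict}")
```

With the /16 mask the host still reaches its own segment and the Internet (both verdicts are "ok"),
which is why this kind of fault often presents as "some internal servers are unreachable" rather than
as a total outage.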
ACID (atomicity, consistency, isolation, and durability) is an acronym and mnemonic device for
learning and remembering the four primary attributes ensured to any transaction by a transaction
manager.
Which of the following attributes of ACID confirms that the committed data will be saved by the
system such that, even in the event of a failure or system restart, the data will be available in its
correct state?
A.
Durability
B.
Atomicity
C.
Isolation
D.
Consistency
Answer: A
Explanation:
Durability is the attribute of ACID which confirms that the committed data will be saved by the
system such that, even in the event of a failure or system restart, the data will be available in its
correct state.
Answer: B is incorrect. Atomicity is the attribute of ACID which confirms that, in a transaction
involving two or more discrete pieces of information, either all of the pieces are committed or none
are.
Answer: D is incorrect. Consistency is the attribute of ACID which confirms that a transaction
either creates a new and valid state of data, or, if any failure occurs, returns all data to its state
before the transaction was started.
Answer: C is incorrect. Isolation is the attribute of ACID which confirms that a transaction in
process and not yet committed must remain isolated from any other transaction.
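Atomicity and consistency are easiest to appreciate when a multi-statement transaction fails halfway
through. The following is an added example written for this page, not from the exam; it uses Python's
built-in sqlite3 module with an in-memory database and constructed account data, and relies on a
CHECK constraint as the consistency rule. The credit is deliberately applied before the debit so that
the failing debit leaves a half-finished transaction that only atomicity can clean up.

```python
"""A two-step money transfer that must commit completely or not at all.

Added example, not from the exam text. Account data is constructed.
"""
import sqlite3
from typing import Dict


def make_bank() -> sqlite3.Connection:
    """In-memory ledger with a consistency rule: balances can never go negative."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts ("
        " name TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    con.commit()
    return con


def transfer(con: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move money in one transaction; True after commit, False after rollback."""
    try:
        with con:  # sqlite3 commits on normal exit and rolls back if an exception escapes
            con.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
            con.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:   # CHECK (balance >= 0) violated: the credit is undone too
        return False


def balances(con: sqlite3.Connection) -> Dict[str, int]:
    """Current committed state of every account."""
    return dict(con.execute("SELECT name, balance FROM accounts ORDER BY name"))


if __name__ == "__main__":
    bank = make_bank()
    print("overdraw committed:", transfer(bank, "alice", "bob", 150), balances(bank))
    print("valid transfer committed:", transfer(bank, "alice", "bob", 30), balances(bank))
```

Durability is the one property this in-memory example cannot show; with a file-backed database the
committed 70/80 state would survive a process crash, which is exactly what the question asks about.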
Which TCP and UDP ports can be used to start a NULL session attack in NT and 2000 operating
systems?
B.
203 and 333
C.
139 and 445
D.
198 and 173
Answer: C
Explanation:
A null session is an anonymous connection to the IPC$ share that Windows exposes for
inter-process communication. On Windows NT/2000 an anonymous caller could use it to enumerate
users, groups, shares and password policy; Windows XP and 2003 restrict what an anonymous
caller may read, and later versions restrict it further. The command entered at the command
prompt is as follows:
net use \\<IP address or host name>\ipc$ "" /user:""
Ports 139 (NetBIOS session service) and 445 (SMB over TCP) can be used to start a NULL session
attack. Both are TCP ports; the NetBIOS name and datagram services that accompany port 139 use
UDP 137 and 138. On the defensive side, anonymous enumeration is controlled by the
RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and the
corresponding "Network access" settings in the local security policy.
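The check a defender wants after the description above, as an added example that is not part of the exam page or of any vendor tool: a null session that succeeds leaves a Windows Security event 4624 (successful logon) with Logon Type 3 (network logon) for the built-in ANONYMOUS LOGON account, SID S-1-5-7. The script below counts such logons per source address. The key=value export format is an assumption for illustration, and the log lines are constructed, not real events.

```python
"""Added example (not part of the exam page): flag null-session logons in a
Windows Security log export. A null session appears as event 4624 (successful
logon) with Logon Type 3 (network) for the built-in ANONYMOUS LOGON account,
SID S-1-5-7. The key=value export format is an assumption for illustration;
the lines are constructed, not real events.
"""
import re
from collections import Counter

# Constructed sample export: one event per line.
SAMPLE_LOG = """\
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 IpAddress=10.0.5.23
EventID=4624 LogonType=3 TargetUserName=jsmith TargetUserSid=S-1-5-21-1-2-3-1105 IpAddress=10.0.5.40
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 IpAddress=10.0.5.23
EventID=4624 LogonType=2 TargetUserName=admin TargetUserSid=S-1-5-21-1-2-3-500 IpAddress=-
EventID=4625 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 IpAddress=203.0.113.9
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 IpAddress=203.0.113.9
"""

# A value runs until the next " key=" or the end of the line, so values that
# contain spaces (ANONYMOUS LOGON) survive the split.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one exported event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_null_session(event):
    """Successful network logon by the anonymous account: the null-session signature."""
    return (event.get("EventID") == "4624"
            and event.get("LogonType") == "3"
            and (event.get("TargetUserSid") == "S-1-5-7"
                 or event.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"))


def null_session_sources(log_text):
    """Return {source_ip: count} of successful anonymous network logons."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_null_session(event):
            hits[event.get("IpAddress", "?")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in sorted(null_session_sources(SAMPLE_LOG).items()):
        print(f"{ip:<15} {count} null-session logon(s)")
```

Failed attempts (event 4625) are deliberately left out of the count so the list shows hosts that actually got a session. Some Windows hosts record anonymous network logons during normal operation, so treat the output as a triage list and confirm the RestrictAnonymous setting on the hosts it names rather than alerting on it alone.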
Which of the following is a method of the HttpSession interface and is used to retrieve the time
when the session was created?
A.
getCreationTime()
B.
getSessionCreationTime()
C.
getSessionTime()
D.
getTime()
Answer: A
Explanation:
The getCreationTime() method returns the time when the session was created. The time is
measured in milliseconds since midnight January 1, 1970. This method throws an
IllegalStateException if it is called on an invalidated session.
You work as an IT Technician for XYZ CORP. You have to take security measures for the wireless
network of the company. You want to prevent other computers from accessing the company's
wireless network.
On the basis of the hardware address, which of the following will you use as the best possible
method to accomplish the task?
A.
RAS
B.
MAC Filtering
C.
SSID
D.
WEP
Answer: B
Explanation:
MAC filtering is an access control technique that permits or denies network access to specific
devices on the basis of their hardware (MAC) addresses. On a wireless network it is used to keep
unlisted devices off the WLAN. MAC addresses are allocated to hardware devices, not to persons.
Note that the MAC address is sent in the clear in every frame and can be changed in software, so
an attacker who sniffs an authorised client's address can clone it; MAC filtering is therefore a weak
control on its own and should be combined with strong wireless authentication (for example the
802.1X method covered later on this page) rather than relied upon alone.
Which of the following tools monitors the radio spectrum for the presence of unauthorized, rogue
access points and the use of wireless attack tools?
A.
Snort
B.
IDS
C.
D.
WIPS
Answer: D
Explanation:
Wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of
unauthorized, rogue access points and the use of wireless attack tools. The system monitors the
radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever
a rogue access point is detected. Conventionally it is achieved by comparing the MAC address of
the participating wireless devices. Rogue devices can spoof MAC address of an authorized
network device as their own. WIPS uses fingerprinting approach to weed out devices with spoofed
MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by
each wireless device against the known signatures of pre-authorized, known wireless devices.
Answer: B is incorrect. An Intrusion detection system (IDS) is used to detect unauthorized attempts
to access and manipulate computer systems locally or through the Internet or an intranet. It can
detect several types of attacks and malicious behaviors that can compromise the security of a
network and computers. This includes network attacks against vulnerable services, unauthorized
logins and access to sensitive data, and malware (e.g. viruses, worms, etc.). An IDS also detects
attacks that originate from within a system. In most cases, an IDS has three main components:
Sensors generate security events. A console is used to alert and control sensors and to monitor
events. An engine is used to record events and to generate security alerts based on received
security events. In many IDS implementations, these three components are combined into a single
device.
Answer: A is incorrect. Snort is an open source network intrusion prevention and detection system
that operates as a network sniffer. It logs activities of the network that is matched with the
predefined signatures. Signatures can be designed for a wide range of traffic, including Internet
Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet
Control Message Protocol (ICMP). The three main modes in which Snort can be configured are as
follows:
Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the
console.
Packet logger mode: It writes the packets to disk for later analysis instead of displaying them.
Network intrusion detection mode: It is the most complex and configurable configuration, allowing
Snort to analyze network traffic for matches against a user-defined rule set.
You work as a Network Administrator for ABC Inc. The company needs a secured wireless
network. To provide network security to the company, you are required to configure a device that
provides the best network perimeter security.
Which of the following devices would you use to accomplish the task?
A.
Proxy server
B.
IDS
C.
Packet filtering firewall
D.
honeypot
Answer: C
Explanation:
Packet filtering firewalls work at the network and transport layers of the OSI reference model: they
inspect the IP and TCP/UDP headers of each packet, not its application payload. When a packet
arrives at the firewall, the device compares it with the configured packet filtering rules in order
and drops, rejects or accepts it according to the first matching rule. In a software firewall, packet
filtering is done by a program called a packet filter. The packet filter examines the header of each
packet based on a specific set of rules, and on that basis, decides to prevent it from passing
(called DROP) or allow it to pass (called ACCEPT). A packet filter passes or blocks packets at a
network interface based on source and destination addresses, ports, or protocols. The process is
often used in conjunction with packet mangling and Network Address Translation (NAT). Packet
filtering is often part of a firewall program for protecting a local network from unwanted intrusion,
and a packet filtering firewall placed between the Internet and the internal network is, of the
options given, the device best suited to network perimeter security.
Answer: B is incorrect. An Intrusion detection system (IDS) is software and/or hardware designed
to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems,
mainly through a network, such as the Internet. These attempts may take the form of attacks, as
examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect
attacks within properly encrypted traffic. An intrusion detection system is used to detect several
types of malicious behaviors that can compromise the security and trust of a computer system.
"Pass Any Exam. Any Time." - www.actualtests.com 298
GIAC GSNA Exam
This includes network attacks against vulnerable services, data driven attacks on applications,
host based attacks such as privilege escalation, unauthorized logins and access to sensitive files,
and malware (viruses, Trojan horses, and worms).
Answer: A is incorrect. A proxy server exists between a client's Web-browsing program and a real
Internet server. The purpose of the proxy server is to enhance the performance of user requests
and filter requests. A proxy server has a database called cache where the most frequently
accessed Web pages are stored. The next time such pages are requested, the proxy server is
able to suffice the request locally, thereby greatly reducing the access time. Only when a proxy
server is unable to fulfill a request locally does it forward the request to a real Internet server. The
proxy server can also be used for filtering user requests. This may be done in order to prevent the
users from visiting non-genuine sites.
Answer: D is incorrect. A honeypot is a term in computer terminology used for a trap that is set to
detect, deflect, or in some manner counteract attempts at unauthorized use of information
systems. Generally it consists of a computer, data, or a network site that appears to be part of a
network, but is actually isolated, and monitored, and which seems to contain information or a
resource of value to attackers.
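The rule evaluation described in the packet filtering explanation above, as an added example that is not part of the exam page or of any firewall product: a stateless packet filter in Python that walks an ordered rule list, applies the first matching rule, and falls back to a default-deny policy. The rule and packet layouts, the addresses (documentation ranges) and the perimeter policy are all assumptions made for illustration.

```python
"""Added example (not from the exam page): a minimal stateless packet filter.

Rules are evaluated top-down, the first match decides, and a packet that
matches nothing gets the default policy. The Packet/Rule layouts and the
sample policy are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"        # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field the rule constrains agrees with the packet header."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


# Constructed perimeter policy for an Internet-facing interface: refuse packets
# that claim a private source (they cannot legitimately arrive from outside),
# then permit only web and mail to the published servers.
RULES = [
    Rule("DROP", src="10.0.0.0/8"),                                   # anti-spoofing
    Rule("DROP", src="172.16.0.0/12"),
    Rule("DROP", src="192.168.0.0/16"),
    Rule("ACCEPT", dst="203.0.113.10/32", proto="tcp", dport=80),     # web server
    Rule("ACCEPT", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("ACCEPT", dst="203.0.113.25/32", proto="tcp", dport=25),     # mail relay
]
DEFAULT_POLICY = "DROP"


def filter_packet(pkt: Packet, rules=RULES, default=DEFAULT_POLICY) -> str:
    """Return the verdict for one packet: first matching rule wins, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def audit(packets, rules=RULES):
    """Pair each packet with its verdict, e.g. to replay a capture against a policy."""
    return [(pkt, filter_packet(pkt, rules)) for pkt in packets]


if __name__ == "__main__":
    samples = [                                                  # constructed traffic
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),      # legitimate HTTPS
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),       # SSH from the Internet
        Packet("10.1.2.3", "203.0.113.10", "tcp", 80),           # spoofed private source
        Packet("198.51.100.7", "203.0.113.25", "icmp"),          # ping, no rule matches
    ]
    for pkt, verdict in audit(samples):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto:<4} {verdict}")
```

Order matters in a first-match filter: the anti-spoofing drops sit above the accepts so that a spoofed private source cannot satisfy the web rule, and the default policy is deny so that any service not explicitly published stays closed.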
Which of the following tools can be used to perform ICMP tunneling? (Choose two.)
A.
Itunnel
B.
Ptunnel
C.
WinTunnel
D.
Ethereal
Answer: A,B
Explanation:
Ptunnel and Itunnel are the tools that are used to perform ICMP tunneling. In ICMP tunneling, an
attacker establishes a covert connection between two remote computers (a client and proxy),
using ICMP echo requests and reply packets. ICMP tunneling works by injecting arbitrary data into
an echo packet sent to a remote computer. The remote computer replies in the same manner,
injecting an answer into another ICMP packet and sending it back. The client performs all
communication using ICMP echo request packets, while the proxy uses echo reply packets.
You work as the Network Administrator of a Windows 2000 Active Directory network. Your
company's offices are at Dallas and New York. Your company wants to configure a secure, direct
Internet link. The company's management wants to accomplish the following tasks:
A.
The action taken will fulfill the secure communication concern.
B.
The action taken will accomplish neither of the goals.
C.
The action taken will fulfill the internal resource security concern.
D.
The action taken will accomplish both the goals.
Answer: C
Explanation:
The action taken will fulfill the internal resource security concern. It has nothing to do with
secured communication. A firewall is used to protect the network from external attacks. It prevents
direct communication between computers on the internal network and external computers on the
Internet; instead, the traffic passes through the firewall (or a proxy server at the network
perimeter), which decides whether or not it is safe to let it through. To achieve the secured
communication goal, you will have to configure a virtual private network (VPN) between the two
offices so that the traffic between Dallas and New York is encrypted in transit.
Sam works as a Network Administrator for XYZ CORP. The computers in the company run
Windows Vista operating system, and they are continuously connected to the Internet. This makes
the network of the company susceptible to attacks from unauthorized users.
Which of the following will Sam choose to protect the network of the company from such attacks?
A.
Firewall
B.
Windows Defender
C.
Software Explorer
D.
Quarantined items
Answer: A
Explanation:
A firewall is a set of related programs configured to protect private networks connected to the
Internet from intrusion. It is used to regulate the network traffic between different computer
networks. It permits or denies the transmission of a network packet to its destination based on a
set of rules. A firewall is often installed on a separate computer so that an incoming packet does
not get into the network directly.
A.
Determining network range
B.
Identifying active machines
C.
Enumeration
D.
Finding open ports and applications
E.
Information gathering
Answer: A,B,D,E
Explanation:
In the pre-attack phase, there are seven steps, which have been defined by the EC-Council, as
follows:
1. Information gathering
2. Determining network range
3. Identifying active machines
4. Finding open ports and applications
5. OS fingerprinting
6. Fingerprinting services
7. Mapping the network
Answer: C is incorrect. Enumeration belongs to the attack phase, not the pre-attack phase. In the
enumeration phase, the attacker gathers information such as the network user and group names,
routing tables, and Simple Network Management Protocol (SNMP) data.
A.
Wireless card
B.
MacChanger
C.
SirMACsAlot
D.
USB adapter
Answer: A,D
Explanation:
A.
wc
B.
ps
D.
pr
Answer: D
Explanation:
The pr command is used to format text files according to the specified options. This command is
usually used to paginate or columnate files for printing.
Answer: B is incorrect. The ps command reports the status of processes that are currently running
on a Linux computer.
Answer: A is incorrect. The wc command is used to count the number of bytes, words, and lines in
a given file or in the list of files.
Answer: C is incorrect. The tail command is used to display the last few lines of a text file or piped
data.
Which of the following NFS mount options specifies whether a program using a file via an NFS
connection should stop and wait for the server to come back online, if the host serving the
exported file system is unavailable, or if it should report an error?
A.
intr
B.
hard or soft
C.
nfsvers=2 or nfsvers=3
D.
fsid=num
Answer: B
Explanation:
The hard or soft NFS mount options are used to specify whether a program using a file via an NFS
connection should stop and wait (hard) for the server to come back online, if the host serving the
exported file system is unavailable, or whether it should report an error to the program (soft). A
soft mount returns an error after the configured retries, which can leave partially written files
behind, so hard mounts are the usual choice for file systems that are written to.
Answer: A is incorrect. The intr NFS mount option allows NFS requests to be interrupted if the
server goes down or cannot be reached.
Answer: C is incorrect. The nfsvers=2 or nfsvers=3 NFS mount options are used to specify which
version of the NFS protocol to use.
Answer: D is incorrect. The fsid=num NFS mount option forces the file handle and file attributes
settings on the wire to be num.
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He wants to break a dat
a.txt file, 200MB in size, into two files in which the size of the first file named data.txt.aa should be
150MB and that of the second file named data.txt.ab should be 50MB. To accomplish his task and
to further delete the data.txt file, he enters the following command:
Which of the following commands can John use to join the splitted files into a new data.txt file?
A.
vi data.txt.* > data.txt
B.
less data.txt.* > data.txt
C.
vi data.txt.*
D.
cat data.txt.* > data.txt
Answer: D
Explanation:
The cat data.txt.* command concatenates the split files in the order in which the shell expands the
wildcard (data.txt.aa, then data.txt.ab), and the > operator redirects the combined output into a
new data.txt file. Comparing a checksum of the original and the rejoined file (for example with
md5sum or sha256sum) confirms that the split and join were lossless.
In which of the following attacking methods does an attacker distribute incorrect IP address?
A.
DNS poisoning
B.
IPspoofing
C.
Mac flooding
D.
Man-in-the-middle
Answer: A
Explanation:
In a DNS poisoning attack, an attacker distributes incorrect IP addresses. DNS cache poisoning is a
maliciously created or unintended situation in which a caching name server receives data that did
not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has
received such non-authentic data and cached it for future performance increase, it is considered
poisoned, and it supplies the non-authentic data to its clients. To perform a cache poisoning
attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate
DNS responses (transaction ID, source port and question section matching the outstanding query,
and records restricted to the zone that was queried), it will end up caching the incorrect entries
locally and serve them to other users who make the same request.
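The validation step the explanation above says a resolver must perform, as an added example that is not part of the exam page or of any DNS server's code: a minimal RFC 1035 wire-format encoder/decoder (no name compression on encode, pointers handled on decode) and a validate_response function that rejects a reply whose transaction ID or question section does not match the outstanding query and discards any record outside the bailiwick of the queried zone. The sample query, the forged replies and the addresses (documentation ranges) are constructed. Note what the check does and does not cover: bailiwick filtering stops a poisoner from smuggling a record for another zone into a reply, but a forged answer for the queried name itself that guesses the transaction ID correctly still gets through, which is why resolvers also randomise the ID and source port.

```python
"""Added example (not from the exam page): what a caching resolver must check
before it accepts a DNS reply. Minimal RFC 1035 wire format; samples constructed.
"""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following compression pointers; bounded hops."""
    labels, jumped, end = [], False, None
    for _ in range(128):                       # guard against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, qname, answers, compress=False):
    """answers: list of (owner_name, ipv4). Also used here to forge poisoned replies."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for name, ipv4 in answers:
        owner = b"\xC0\x0C" if compress and name == qname else encode_name(name)
        rdata = bytes(int(x) for x in ipv4.split("."))
        body += owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + body


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "records": records}


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(msg, expected_id, qname, zone):
    """Return the (name, ipv4, ttl) A records safe to cache; raise on a mismatch."""
    resp = parse_response(msg)
    if resp["id"] != expected_id:
        raise ValueError("transaction ID does not match an outstanding query")
    if not resp["flags"] & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if resp["questions"] != [(qname, TYPE_A, CLASS_IN)]:
        raise ValueError("question section does not echo our query")
    safe = []
    for name, rtype, rclass, ttl, rdata in resp["records"]:
        if not in_bailiwick(name, zone):
            continue                           # out of bailiwick: never cache
        if rtype == TYPE_A and rclass == CLASS_IN and len(rdata) == 4:
            safe.append((name, ".".join(str(b) for b in rdata), ttl))
    return safe


if __name__ == "__main__":
    qname, zone, txid = "www.example.com", "example.com", 0x1F3A
    good = build_response(txid, qname, [("www.example.com", "192.0.2.10")])
    poison = build_response(txid, qname, [("www.example.com", "203.0.113.5"),
                                          ("bank.example.net", "203.0.113.5")])
    print("good  :", validate_response(good, txid, qname, zone))
    print("poison:", validate_response(poison, txid, qname, zone))   # extra record dropped
```

In a real resolver the same checks run against the UDP source address and port of the reply as well; the source port check is omitted here because the example works on message bytes alone.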
Which of the following evidences are the collection of facts that, when considered together, can be
used to infer a conclusion about the malicious activity/person?
A.
Incontrovertible
B.
Corroborating
C.
Direct
D.
Circumstantial
Answer: D
Explanation:
Circumstantial evidence is a collection of facts that, when considered together, can be used to
infer a conclusion about the malicious activity or person.
Answer: B is incorrect. Corroborating evidence is evidence that tends to support a proposition that
is already supported by some evidence.
Answer: C is incorrect. Direct evidence is testimony proof for any evidence, which expressly or
straight-forwardly proves the existence of a fact.
Web applications are accessed by communicating over TCP ports via an IP address. Choose the
two most common Web Application TCP ports and their respective protocol names. (Choose two.)
A.
TCP Port 443 / S-HTTP or SSL
B.
TCP Port 80 / HTTPS or SSL
C.
TCP Port 443 / HTTPS or SSL
D.
TCP Port 80 / HTTP
Answer: C,D
Explanation:
The two most common Web application TCP ports are 443 and 80. HTTPS (HTTP over SSL/TLS)
uses TCP port 443, whereas plain HTTP uses TCP port 80.
Answer: B is incorrect. Port 80 is used for HTTP, not HTTPS. Answer: A is incorrect. S-HTTP is a
different protocol and is not the name for port 443 traffic; HTTPS or SSL is the name used for
port 443 traffic.
You work as a programmer for uCertify.Inc. You have a session object named session1 with an
attribute named Attribute1, and an HttpSessionBindingEvent object binding1 bound to session1.
A.
Object obj=binding1.getSession().getAttribute("Attribute1");
B.
Object obj=binding1.getAttribute("Attribute1");
C.
Long MyAttribute=session1.getAttribute("Attribute1");
E.
String str1=session1.getAttribute("Attribute1");
Answer: A,D
Explanation:
Answer: B is incorrect. The HttpSessionBindingEvent object cannot use the getAttribute() method.
The following output is generated by running the show ip route command: RouterA#show ip route
< - - Output Omitted for brevity - ->
Which next hop address will RouterA use in forwarding traffic to 10.10.100.0/24?
A.
192.168.10.0
B.
172.18.60.1
C.
172.18.50.1
D.
172.18.1.1
Answer: D
Explanation:
The routing table displays various RIP and Connected routes. There is no routing entry for
10.10.100.0/24, but there is a default route in the routing table using 172.18.1.1 as the next hop
router. Given that 10.10.100.0/24 does not have a direct entry in the routing table, Router A will
forward traffic to the default route next hop address of 172.18.1.1.
Answer: A is incorrect. The address does not appear in the routing table as a next hop router, in
addition to being an actual subnet number for 192.168.10.0/24.
A Cisco router can have multiple connections to networks. These connections are known as
interfaces for Cisco Routers. For naming each interface, Cisco generally uses the type of interface
as part of the name.
Which of the following are true about the naming conventions of Cisco Router interfaces?
A.
An interface connected to a serial connection always starts with an S.
B.
An interface connected to a Token Ring segment always starts with To.
C.
An Ethernet interface that is fast always starts with an F.
D.
An interface connected to an Ethernet segment of the network always starts with an En.
Answer: A,B,C
Explanation:
A Cisco router can have multiple connections to networks. These connections are known as
interfaces for Cisco Routers. For naming each interface, Cisco generally uses the type of interface
as part of the name: serial interfaces start with S (for example Serial0), Token Ring interfaces with
To (TokenRing0), and Fast Ethernet interfaces with F (FastEthernet0/0).
Answer: D is incorrect. An Ethernet interface is named starting with E (for example Ethernet0), not
En.
You work as a Software Developer for UcTech Inc. You want to create a new session.
Which of the following methods can you use to accomplish the task?
A.
getNewSession(true)
B.
getSession(false)
C.
getSession()
D.
getSession(true)
E.
getNewSession()
Answer: C,D
Explanation:
The getSession() method of the HttpServletRequest interface returns the current session
associated with the request, or creates a new session if no session exists. The method has two
syntaxes as follows:
public HttpSession getSession()
public HttpSession getSession(boolean create)
Calling getSession(true) is equivalent to calling getSession() with no argument.
Answer: B is incorrect. The getSession(false) method returns a pre-existing session. It returns null
if the client has no session associated with it.
A.
Intrusion detection
B.
Logging
C.
Hiding network resources
D.
Caching
Answer: B,C,D
Explanation:
A proxy server is a very important element of firewall applications. The services that it provides
are as follows:
Hiding network resources: The proxy replaces the internal network addresses with a single IP
address, so multiple internal systems appear to the outside as one address.
Logging: A proxy server can log incoming and outgoing access, allowing an administrator to see
every detail of successful and failed connections.
Caching: A proxy server can save information obtained from the Internet. It regularly updates these
copies and serves the cached pages automatically, so it does not need to access the Internet to
deliver them again.
Which of the following tools can be used by a user to hide his identity?
A.
War dialer
B.
IPchains
C.
Proxy server
D.
Rootkit
E.
Anonymizer
Answer: B,C,E
Explanation:
A user can hide his identity using a firewall (such as IPChains, which hides the internal addresses
behind it), a proxy server, or an anonymizer.
Which of the following Unix configuration files can you use to accomplish the task?
A.
/etc/services
B.
/etc/ioports
C.
/proc/interrupts
D.
/etc/securetty
Answer: D
Explanation:
In Unix, the /etc/securetty file lists the terminals (tty devices) from which root is allowed to log in;
on Linux it is enforced by the pam_securetty PAM module. Keeping only the physical console
entries in the file prevents direct root logins over serial lines and pseudo-terminals.
Answer: B is incorrect. The ioports file shows which I/O ports are in use at the moment (on Linux
this information lives in /proc/ioports, not under /etc).
Answer: A is incorrect. In Unix, the /etc/services file is the configuration file that lists the network
services that the system supports and their port numbers.
Answer: C is incorrect. In Unix, the /proc/interrupts file shows the interrupts in use and how many
of each there have been.
You are the Security Consultant and you frequently do vulnerability assessments on client
computers. You want to have a standardized approach that would be applicable to all of your
clients when doing a vulnerability assessment.
A.
Utilize OVAL.
B.
C.
Utilize each client's security policies when doing a vulnerability assessment for that client.
D.
Utilize the Microsoft security recommendations.
Answer: A
Explanation:
Answer: D is incorrect. While Microsoft security standards will be appropriate for many of your
clients, they won't help clients using Linux, Macintosh, or Unix. They also won't give you insight
into checking your firewalls or routers.
Answer: C is incorrect. This would not fulfill the requirement of having a standardized approach
applicable to all clients.
Answer: B is incorrect. This would not be the best way. You should use common industry
standards, like OVAL.
You work as a Security Administrator in Tech Perfect Inc. The company has a TCP/IP based
network. Three Cisco IOS routers- router1, router2, and router3 are currently working in the
network. You want to accomplish the following tasks:
Generate a general-purpose RSA key pair and specify the IP key size of 1024.
Drag and drop the appropriate commands beside their respective command prompts in order to
accomplish the tasks.
Answer:
Explanation:
In order to accomplish the given tasks, you will have to use the following commands:
router1(config)#line vty 0 4
In the image of the Screened Host Firewall Architecture given below, select the element that is
commonly known as the access router.
Answer:
Explanation:
An access router is the common name of the exterior router present in the screened host firewall
architecture. It is attached to the perimeter network and the Internet. An access router is used to
protect both the perimeter network and the internal network from the Internet. It allows anything
that is outbound from the perimeter network. Access routers seldom do packet filtering. The rules
for packet filtering regarding the protection of internal machines are always the same on both the
interior router and the exterior router.
A Screened Host Firewall Architecture is used to provide services from a host that is attached only
to the internal network by using a separate router. In this type of firewall architecture, the key
security is provided by packet filtering.
The host exists in the internal network. The packet filtering on the screening router is configured in
such a way that the bastion host is the only system in the internal network that is open to the
Internet connections. If any external system tries to access internal systems or services, then it will
connect only to this host. The bastion host therefore needs to be at a high level of security.
You work as a Network Administrator of a Windows 2000 Active Directory-based single domain
network. You have configured your Windows XP Professional computer at home to have a static
IP address assigned by your Internet service provider (ISP). It is always connected to the Internet
through a modem. You have enabled the Internet Connection Firewall for the Internet connection.
You use the PING command to check the connectivity of your home computer from office, but you
receive the following error message:
On examining the log file of the Internet Connection Firewall on your home computer, you find
DROP ICMP messages. You want to ping your home computer without compromising on security.
Select the option in the Internet Connection Firewall Advanced Settings dialog box, which will be
required to be checked to accomplish the task.
Answer:
Explanation:
The Internet Connection Firewall setting on your home computer is preventing PING from echoing
messages. Selecting the Allow incoming echo request check box on the ICMP tab of the Internet
Connection Firewall Advanced Settings dialog box will enable your computer to echo messages
back to the sender.
In Unix, there are different commands used for editing and viewing files. Drag and drop the
appropriate commands (available in Unix) in front of their respective functions that they perform.
Answer:
Explanation:
Following are the basic file editing and viewing commands in Unix:
You work as a Network Administrator for Hail International. The company has a Windows Server
2008 network environment. The network is configured as a Windows Active Directory-based single
forest single domain network. The company's headquarters is located at Los Angeles. The
company has branch offices in San Jose, Oakland, and San Francisco. All branch offices are
connected to the headquarters by using T1 leased lines. The fragment of the company's network
is shown below:
The routers are used to connect to the T1 lines to configure the private network. Each router at
each location is a server that is running Microsoft Windows Server 2008. The management of the
company wants to secure the WAN communication between the offices. The solution provided by
you must not be expensive.
Choose and place the correct actions required to configure the necessary components of the
network in order to accomplish the task.
Answer:
Explanation:
In order to accomplish the task, you will have to configure the routers at all locations to use IPSec
in tunnel mode. Tunnel mode protects the WAN traffic. If you configure IPSec on routers, no
security for the WAN communication is required on other servers and workstations.
Drag and Drop the layers of TCP/IP model according to their level of data encapsulation.
Answer:
Explanation:
In the above diagram, the raw data is available in the Application layer of the TCP/IP model. The
data coded according to the Application layer protocols is encapsulated into one or more
Transport layer protocols, which are in turn handed to the lower layer protocols that carry out the
actual data transfer.
In the Transport layer, the data is combined with the UDP header. The responsibilities of the
Transport layer include end-to-end message transfer independent of the underlying network, along
with error control, segmentation, flow control, congestion control, and application addressing (port
numbers).
In the Internet layer, the data and UDP header are combined with an IP header to form an IP
datagram, which is routed across the Internet to its destination by the addresses in the IP header.
In the Link layer, the IP datagram is wrapped in a frame header and frame trailer to form the final
frame. The Link layer is used to move packets between the Internet layer interfaces of two
different hosts on the same link. The main function of the Link layer is to add the frame header to
prepare the packet for transmission and then actually transmit the frame over a physical medium.
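The encapsulation sequence described above, carried out in code for an ICMP echo (application data into an ICMP message, into an IPv4 datagram, into an Ethernet II frame) and then undone by a sensor that peels the layers back off; the same decapsulated fields then feed the ICMP tunnelling check that the earlier Ptunnel/Itunnel question calls for. This is an added example that is not part of the exam page or of either tool. Frames are built with struct from constructed sample data, the Ethernet FCS is omitted because the NIC appends it, and the MAC and IP addresses are from the documentation ranges. The tunnel heuristics are protocol-level rather than tool-specific: an echo carrying far more data than a ping, and a reply whose data differs from the request it answers, which RFC 792 requires to be returned unchanged.

```python
"""Added example (not from the exam page): encapsulate application data into an
ICMP echo / IPv4 / Ethernet II frame, decapsulate it again, and flag signs of
ICMP tunnelling. Addresses and traffic are constructed samples.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
ECHO_REQUEST, ECHO_REPLY = 8, 0


def checksum(data):
    """RFC 1071 one's-complement checksum shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload,
                icmp_type=ECHO_REQUEST, ident=0x1234, seq=1):
    # Application data -> ICMP echo: type, code, checksum, identifier, sequence
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    # ICMP -> IPv4: 20-byte header, DF set, TTL 64; checksum filled in a second pass
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64,
                        PROTO_ICMP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    iphdr = iphdr[:10] + struct.pack("!H", checksum(iphdr)) + iphdr[12:]
    # IPv4 -> Ethernet II: destination MAC, source MAC, EtherType (FCS added by the NIC)
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + iphdr + icmp)


def decapsulate(frame):
    """Peel the layers off again; return the fields a filter or IDS keys on."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    (_, _, total_len, _, _, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if checksum(frame[14:14 + ihl]) != 0:        # a correct IPv4 header sums to zero
        return None
    pkt = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto}
    if proto == PROTO_ICMP:
        body = frame[14 + ihl:14 + total_len]
        itype, _, _, iid, iseq = struct.unpack("!BBHHH", body[:8])
        pkt.update(icmp_type=itype, icmp_id=iid, icmp_seq=iseq, payload=body[8:])
    return pkt


def find_tunnel_suspects(frames, max_payload=128):
    """Pair echo requests with replies by (id, seq) and report covert-channel tells."""
    requests, suspects = {}, []
    for frame in frames:
        pkt = decapsulate(frame)
        if pkt is None or pkt["proto"] != PROTO_ICMP:
            continue
        key = (pkt["icmp_id"], pkt["icmp_seq"])
        if len(pkt["payload"]) > max_payload:
            suspects.append(("oversized", pkt["src"], pkt["dst"], key))
        if pkt["icmp_type"] == ECHO_REQUEST:
            requests[(pkt["src"], pkt["dst"]) + key] = pkt["payload"]
        elif pkt["icmp_type"] == ECHO_REPLY:
            sent = requests.get((pkt["dst"], pkt["src"]) + key)
            if sent is not None and sent != pkt["payload"]:
                suspects.append(("reply data differs", pkt["src"], pkt["dst"], key))
    return suspects


def sample_frames():
    """Constructed traffic: one ordinary ping exchange and one tunnelled exchange."""
    a, b = ("02:00:00:00:00:01", "192.0.2.10"), ("02:00:00:00:00:02", "198.51.100.1")
    ping = bytes(range(56))
    return [
        build_frame(a[0], b[0], a[1], b[1], ping, ECHO_REQUEST, 0x0042, 1),
        build_frame(b[0], a[0], b[1], a[1], ping, ECHO_REPLY, 0x0042, 1),
        build_frame(a[0], b[0], a[1], b[1], b"GET /secret HTTP/1.0\r\n\r\n", ECHO_REQUEST, 0xBEEF, 7),
        build_frame(b[0], a[0], b[1], a[1], b"HTTP/1.0 200 OK\r\n\r\n" + b"A" * 200, ECHO_REPLY, 0xBEEF, 7),
    ]


if __name__ == "__main__":
    for kind, src, dst, key in find_tunnel_suspects(sample_frames()):
        print(f"{kind:<20} {src} -> {dst} id=0x{key[0]:04x} seq={key[1]}")
```

The size threshold is a tunable (Windows and Linux pings carry 32 and 56 data bytes by default, so 128 leaves headroom); the request/reply mismatch needs no tuning, because a host that answers a ping is obliged to echo the data it received. A tunnel that keeps its payloads small and symmetric would evade both checks, which is why a perimeter that does not need inbound echo should simply drop it at the packet filter.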
Drag and drop the corresponding prompt that is displayed in the command-line interface of a
Cisco switch IOS for different access modes.
Answer:
Explanation:
User: When a user accesses the command-line interface (CLI) of a Cisco switch IOS, the IOS puts
the user in user mode. The user mode allows the user to look around; it does not permit the user
to change or break any configuration. When the user enters a command, the switch executes the
command and displays the command result. A limited set of commands is available for use in the
user mode. User mode is also called user EXEC mode. The prompt in this mode is displayed as
hostname >
Enable: Privileged EXEC mode is an area from where more powerful commands can be run while
accessing the CLI of a switch IOS. In this mode, more commands are added to the set of
commands available in user mode. Privileged EXEC mode is also known as privileged mode or
enable mode. For reaching privileged EXEC mode, the enable command is required to be run
from user mode. By default, a user cannot get into privileged EXEC mode through SSH and Telnet
sessions. The prompt changes from hostname > to hostname # when a user moves to privileged
EXEC mode from user mode.
You work as a Software Developer for UcTech Inc. You create a session object and want that it be
destroyed if it is not called for 20 minutes.
Drag and drop the appropriate statements that you will use to accomplish the task.
Answer:
Explanation:
Session timeout is an event that occurs when a session is invalidated if a user does not use the
session for a specified period of time. Session timeout can be set in the following two ways:
1. Setting timeout in deployment descriptor: This can be done by specifying the timeout in
minutes between the <session-timeout> tags as follows:
<session-config>
<session-timeout>20</session-timeout>
</session-config>
This will set the session timeout to twenty minutes, as the task requires.
2. Setting timeout programmatically: This will set the timeout for a specific session. The syntax
for setting the timeout programmatically is as follows:
session.setMaxInactiveInterval(20*60);
In this method, the timeout is specified in seconds. Hence, this will set the session timeout to
twenty minutes.
In Unix, 'less' is a program that allows backward as well as forward movement in a file. This
program is invoked with several options to change its behavior. Place the options of the less
program in front of their functions.
Answer:
Explanation:
Less is a program in Unix that allows backward as well as forward movement in the file. The
syntax of the less command is as follows:
Following are the options that can be used with the less command:
John works as a Network Administrator for Blue Well Inc. All client computers in the company run
the Windows Vista operating system. He wants to view the status of Windows Defender. What
steps will he take to accomplish the task?
Answer:
Explanation:
Clicking on the Security Center icon will show the status of malware protection, status of firewall,
and other security settings.
Clicking on the Windows Firewall icon will open the Windows Firewall dialog box and allow a user
to configure the Windows Firewall settings.
You have designed a TCP/IP based routed network. Diagram of the network is given below:
You are configuring IS-IS protocol as an IP routing protocol in the given network. Drag and drop
the appropriate commands beside their respective command prompts which you are using at
router C.
Explanation:
RouterC(config)#interface ethernet 1
RouterC(config-if)#exit
You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Server
2008 network environment. The network is configured as a Windows Active Directory-based single
forest single domain network. The company has recently provided laptops to its sales team
members. You have configured access points in the network to enable a wireless network. The
company's security policy states that all users using laptops must use smart cards for
authentication. Select and place the authentication method you are required to configure to
implement the security policy of the company.
Answer:
Explanation:
In order to ensure that the laptop users use smart cards for authentication, you will have to
configure IEEE 802.1X authentication using the EAP-TLS protocol on the network.
You are responsible for security at a company that uses a lot of Web applications. You are most
concerned about flaws in those applications allowing some attacker to get into your network. What
method would be best for finding such flaws?
A.
Manual penetration testing
B.
Automated penetration testing
C.
Vulnerability scanning
D.
Code review
Answer: C
Explanation:
Vulnerability scanning will be the best method to find flaws in applications allowing some attacker
to get into your network. There are a number of tools available that will check Web applications for
security flaws. They examine the application and identify any potential flaws due to improper
coding, such as SQL injection attacks.
Answers B and A are incorrect. Penetration testing is used to test the network defenses. It is an
excellent tool to check your firewall, IDS, policies, default shares, and other facets of your network
infrastructure. However, it is not as useful in finding programming flaws in Web applications.
Answer D is incorrect. A code review might well discover some issues with the Web applications.
But it is long, tedious, and depends on the human reviewer noticing the coding flaws. So it is not
as good a solution as vulnerability scanning.
You work as a Network Administrator for McRobert Inc. The company has a Windows Active
Directory-based single domain single forest network. The network includes fifty client computers
running different Windows client operating systems.
Configure the required options in the dialog box given below in order to accomplish the task.
Answer:
Explanation:
In order to accomplish the task, you will have to select the Allow unsecured communication with
non-IPSec-aware computers check box.
By enabling this option, IPSec will allow unsecured communication, if necessary. Disabling the
option blocks communication with computers that cannot initiate IPSec, such as legacy systems.
This option should be disabled to secure computers connected to the Internet.
Choose and select the information present in the header of a single IP packet that is helpful in
packet filtering.
Answer:
Explanation:
An IP packet is a formatted unit of data carried by a packet-mode computer network. A packet
consists of two kinds of data: control information and user data (also known as payload). The
control information provides data the network needs to deliver the user data, for example: source
and destination addresses, error detection codes like checksums, and sequencing information.
Typically, control information is found in packet headers and trailers, with user data in between.
IP packets are composed of a header and payload. Every IP packet has a set of headers
containing certain information. The main information is as follows:
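As an added illustration (not part of the original exam material), the following Python parses the IPv4 header fields a packet filter decides on, verifies the header checksum, and applies a first-match rule set. The packet bytes, addresses and rules are constructed for the example.

```python
import struct
import ipaddress

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words (caller zeroes the checksum field)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a 20-byte IPv4 header plus payload; used only to construct sample input."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields a filter uses: addresses, protocol, TTL, fragment offset, ports."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    header = packet[:ihl]
    fields = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto,
        "ttl": ttl,
        "fragment_offset": flags_frag & 0x1FFF,
        # Recompute over the header with the checksum field zeroed and compare.
        "checksum_ok": ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) == csum,
        "src_port": None,
        "dst_port": None,
    }
    payload = packet[ihl:total_len]
    # Ports sit in the TCP/UDP header, which only the first fragment carries.
    if proto in (6, 17) and fields["fragment_offset"] == 0 and len(payload) >= 4:
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", payload[:4])
    return fields

# Constructed rule set: (action, protocol or None, destination network, port or None).
# First match wins; anything unmatched is denied.
RULES = [
    ("allow", 6, "198.51.100.0/24", 80),
    ("allow", 6, "198.51.100.0/24", 443),
    ("deny", None, "0.0.0.0/0", None),
]

def filter_packet(packet: bytes, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one packet based on its header fields."""
    try:
        f = parse_ipv4(packet)
    except ValueError:
        return "deny"            # malformed headers are dropped rather than guessed at
    if not f["checksum_ok"]:
        return "deny"            # corrupted header: do not trust any field in it
    for action, proto, net, port in rules:
        if proto is not None and proto != f["protocol"]:
            continue
        if ipaddress.IPv4Address(f["dst"]) not in ipaddress.IPv4Network(net):
            continue
        if port is not None and f["dst_port"] != port:
            continue
        return action
    return "deny"

# Constructed sample: minimal 20-byte TCP header, source port 40000, destination port 80.
TCP_HTTP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
TCP_RDP = struct.pack("!HHIIBBHHH", 40001, 3389, 1, 0, 0x50, 0x02, 8192, 0, 0)
PKT_HTTP = build_packet("192.0.2.10", "198.51.100.80", 6, TCP_HTTP)
PKT_RDP = build_packet("192.0.2.10", "198.51.100.80", 6, TCP_RDP)
```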
George works as an Office Assistant in TechSoft Inc. All client computers in the company run the
Windows Vista operating system. He has turned on the Windows Firewall for security purposes.
He prepares a document and wants to share it with other users of the company. When he tries to
share the document, he gets a message that the firewall has blocked the sharing of files on his
computer. He wants to ensure that the firewall does not block sharing of the document. He
opens the Windows Firewall dialog box.
What actions will he perform in the dialog box to accomplish the task?
Answer:
Explanation:
George will click on the Allow a program through Windows Firewall link to open the Windows
Firewall Settings dialog box. He will then insert a check mark in the File and Printer Sharing
checkbox in the Exceptions tab of the Windows Firewall Settings dialog box.
You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company has recently provided laptops to its sales team members. You have
configured access points in the network to enable a wireless network. The company's security
policy states that all users using laptops must use smart cards for authentication. Select and place
the authentication method you are required to configure to implement the security policy of the
company.
Answer:
Explanation:
In order to ensure that the laptop users use smart cards for authentication, you will have to
configure IEEE 802.1X authentication using the EAP-TLS protocol on the network.
The network infrastructure of a company consists of a perimeter network. For security purposes,
the network zones have been created and divided into a firewall-based Border network and a
DMZ. The enterprise internal network is attacked by the latest Internet worm.
Which of the following devices in the enterprise network should be upgraded or reconfigured to
counter this type of attack?
Answer:
Explanation:
The firewall in the enterprise network should be reconfigured or upgraded to detect and filter an
Internet worm. A firewall is used to protect the network from external attacks by hackers. A firewall
prevents direct communication between computers in the network and external computers
through the Internet. Instead, all communication is done through a proxy server, outside the
organization's network, which decides whether or not it is safe to let a file pass through.
Your company has been hired to provide consultancy, development, and integration services for a
company named Soul International. You have prepared a case study to plan the upgrade for the
company.
You are designing policy settings for the Web servers at the headquarters.
Place Allow or Deny in front of the type of traffic received by or sent to the Web servers from the
internal clients and the Internet.
Answer:
Explanation:
Used for transferring HTML pages over the network. Hence, you should allow it for both the Internet
and internal client traffic.
The Remote Desktop Protocol (RDP) is used to connect to servers remotely. Allowing it for the
Internet traffic is definitely a security threat. Hence, you should deny this for the Internet traffic.
According to the case study, the administrators must use RDP to connect to the servers in the
perimeter network. Hence, you will have to allow it for the internal client traffic.
__________ is a wireless network cracking tool that exploits the vulnerabilities in the RC4
algorithm, which comprises the WEP security parameters.
Answer:
WEPcrack
Explanation:
WEPcrack is a wireless network cracking tool that exploits the vulnerabilities in the RC4 algorithm,
which comprises the WEP security parameters. It mainly consists of three tools:
• WeakIVGen: It allows a user to emulate the encryption output of 802.11 networks to weaken the
secret key used to encrypt the network traffic.
• Prism-getIV: It analyzes packets of information until ultimately matching patterns to the one
known to decrypt the secret key.
• WEPcrack: It pulls all beneficial data of WeakIVGen and Prism-getIV to decipher the network
encryption.
You work as a Network Administrator for SoftWorld Inc. All client computers in the company run
Windows Vista. You want to view the status of Windows Firewall. Choose in the correct order the
steps you will take to accomplish the task.
Answer:
Explanation:
4. The Windows Firewall dialog box appears, displaying the status of Windows Firewall.
You want to search the most recent command that starts with the string 'user'. For this, you will
enter the ________ command to get the desired result.
Answer:
history !user
Explanation:
Here, you will use the history !user command to search the most recent command that starts with
the string 'user'. In the bash shell, the history command is used to view the recently executed
commands. History is on by default. A user can turn off history using the command set +o history
and turn it on using set -o history. An environment variable HISTSIZE is used to inform bash about
how many history lines should be kept. The following commands are frequently used to view and
manipulate history:
Auditing is used to track user accounts for file and object access, logon attempts, system
shutdown, and many other events in order to enhance the security of the network. It encompasses
a wide variety of activities.
Answer:
Explanation:
Logging: It is the activity of recording information to a log file or database about events or
occurrences.
Log Analysis: It is a systematic form of monitoring where the logged information is analyzed in
detail. It is done to find out the trends and patterns as well as abnormal, unauthorized, illegal, and
policy-violating activities.
Intrusion Detection: It is a process to detect unwanted system access by monitoring both recorded
information and real time events.
Alarm Triggers: These are the notifications that are sent to an administrator whenever a specific
event occurs.
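As an added example (not from the original exam material), the following Python walks the four activities above over constructed syslog-style lines: it parses them into structured events (logging), aggregates them (log analysis), looks for a repeated-failure pattern and a stopped logging service (intrusion detection), and emits alarm records (alarm triggers). Host names, addresses and the one-minute/five-failure threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not a real capture).
SAMPLE_LOG = """\
Mar 10 09:14:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:14:03 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:14:05 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:14:06 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:14:08 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:20:30 host1 sshd[2300]: Accepted publickey for alice from 192.0.2.15 port 40112 ssh2
Mar 10 09:31:12 host1 sshd[2310]: Failed password for bob from 192.0.2.20 port 40200 ssh2
Mar 10 09:31:40 host1 sshd[2311]: Accepted password for bob from 192.0.2.20 port 40201 ssh2
Mar 10 10:02:00 host1 systemd[1]: Stopping System Logging Service...
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def parse_log(text: str, year: int = 2024) -> list:
    """Logging stage: turn raw lines into structured events (one dict per recognised line)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # syslog lines carry no year; assume one for the example
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}
        a = AUTH_RE.match(m["msg"])
        if a:
            ev.update(result=a["result"], user=a["user"], src=a["src"])
        events.append(ev)
    return events

def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """Log analysis and intrusion detection: return alarm records for the patterns found."""
    alarms = []
    failures = defaultdict(list)          # source address -> timestamps of failed logins
    for ev in events:
        if ev.get("result") == "Failed":
            fails = failures[ev["src"]]
            fails.append(ev["ts"])
            while fails and ev["ts"] - fails[0] > window:   # sliding window
                fails.pop(0)
            if len(fails) == threshold:   # fire once, when the threshold is reached
                alarms.append({"kind": "brute_force", "src": ev["src"],
                               "count": len(fails), "at": ev["ts"]})
        elif ev.get("result") == "Accepted" and failures.get(ev["src"]):
            # A success following failures from the same source deserves a second look.
            alarms.append({"kind": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"]})
        if ev["prog"] == "systemd" and "Stopping System Logging" in ev["msg"]:
            # Loss of the logging service itself is a policy-violating event.
            alarms.append({"kind": "logging_stopped", "host": ev["host"], "at": ev["ts"]})
    return alarms

def alarm_messages(alarms: list) -> list:
    """Alarm-trigger stage: render each alarm as the notification text an administrator would receive."""
    return [f"{a['at']:%Y-%m-%d %H:%M:%S} {a['kind']}: " +
            ", ".join(f"{k}={v}" for k, v in a.items() if k not in ("kind", "at"))
            for a in alarms]
```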
You want to enable Host A to access the Internet. For this, you need to configure the default
gateway settings. Choose the appropriate address to accomplish the task.
Answer:
Explanation:
According to the question, you are required to configure the default gateway setting on Host A so
that users can access the Internet through it. For a computer to communicate with computers on
another segment in a routed network, it is important to configure the default gateway. In order to
accomplish the task, you will have to set the address 192.168.19.203 as the default gateway
address.
You are developing a business solution for Haynes Super Leather Inc. A case study for the
organization is given in the exhibit. Based on the case study, you create different modules and
Answer:
Explanation:
the external network, i.e., the Internet through the restricted HTTP and HTTPS protocols.
Therefore, the functionality between the Corporate Intranet interface and the Internet interface in
this diagram should be the HTTP and HTTPS protocols.
In the case study, it is mentioned that the company uses a Web-based CustomerOrder application
for the existing order placement process.
Therefore, the functionality between the Corporate Intranet interface and the Customer Order
Form module in this diagram should be the Order Placement Process.
The Board of Directors wants to ensure that as soon as a customer clicks the SUBMIT button in
the customer order Web form, he is redirected to a Web page displaying the order payment
details, i.e., the customer payment Web form. Therefore, the functionality between the Customer
Order Form module and the Customer Payment Form module in this diagram should be the Order
Payment Process.
It is very obvious that both the customer order Web form and the customer payment Web form will
interact with the Internet through a client Web browser. Therefore, the functionality between the
Internet interface and the Customer Order Form and Customer Payment Form modules in this
diagram should be the Client Web Browser.
A wireless network uses multiple modulation schemes to make the signal strong so that it can
travel far. These modulation schemes work with a certain IEEE standard. Choose and drop the
correct standards in the right pane according to the modulation scheme.
Answer:
Explanation:
A.
Most writers believe that the design of a data mart tends to start from an analysis of the data
already existing.
B.
Users of a data mart can expect to have data presented in terms that are familiar to them.
C.
A data mart is a repository of data gathered from operational data.
D.
The emphasis of a data mart is on meeting the specific demands of a particular group of
knowledge users.
Answer: B,C,D
Explanation:
A data mart is a repository of data gathered from operational data and other sources that is
designed to serve a particular community of knowledge workers. In scope, the data may derive
from an enterprise-wide database or data warehouse or be more specialized. The emphasis of a
data mart is on meeting the specific demands of a particular group of knowledge users in terms of
analysis, content, presentation, and ease-of-use. Users of a data mart can expect to have data
presented in terms that are familiar.
In practice, the terms data mart and data warehouse each tend to imply the presence of the other
in some form. However, most writers using the term seem to agree that the design of a data mart
tends to start from an analysis of user needs and that a data warehouse tends to start from an
analysis of what data already exists and how it can be collected in such a way that the data can
later be used. A data warehouse is a central aggregation of data (which can be distributed
physically); a data mart is a data repository that may derive from a data warehouse or not and that
emphasizes ease of access and usability for a particular designed purpose. In general, a data
warehouse tends to be a strategic but somewhat unfinished concept; a data mart tends to be
tactical and aimed at meeting an immediate need.
Answer A is incorrect. Writers using the term data mart believe that the design of a data mart tends to
start from an analysis of user needs.
Sam works as a network administrator in Bluewell Inc. The company uses Windows Vista
operating system. He wants to restore a program that is blocked by Windows Defender. He opens
the Windows Defender window and clicks on the Tools link. He clicks on a link to view the list of
programs blocked by Windows Defender, selects a program and then clicks on the Restore button
to restore it. Mark the option that Sam had chosen to view the list of programs blocked by
Windows Defender.
Answer:
Explanation:
You work as a Network Administrator for uCertify Inc. The company's Windows 2000-based
network is configured with Internet Security and Acceleration (ISA) Server 2000. All clients on the
network run Windows 2000 Professional. The company policy prevents you from installing the
Firewall Client software or configuring the Web Proxy service on any client computer. You
configure access policy rules to allow all the users to use the HTTP protocol for accessing all
Internet sites. However, users on the network report that they are unable to do so.
Answer:
Explanation:
The company policy states that you cannot install the Firewall Client software or configure the
Web Proxy service on any client computer. Therefore, you will have to configure all client
computers as SecureNAT clients. The users are unable to access Internet Web sites because you
have enabled the Ask unauthenticated users for identification check box. SecureNAT clients do
not provide user name or computer name information to ISA Server when making requests.
Hence, all SecureNAT client requests are denied.
To resolve the issue, you will have to disable the Ask unauthenticated users for identification
check box.
You work as a Network Administrator for Net Perfect Inc. The company has a TCP/IP-based
network environment. The network has two switches and a router as shown in the image below:
The router connects the network to the Internet. For security, you want to disable CDP for the
interface connected to the Internet. However, you do not want to disable this information for the
internal network. Select the command (or series of commands) that you will issue to accomplish
this task.
Answer:
Explanation:
In order to accomplish this task, you will have to issue the following commands:
interface s0/0
no cdp enable
According to the question, you are required to disable CDP only on the interface that is connected
to the Internet. For this, you will have to run the no cdp enable command on the interface. To
select the interface, the interface <interface id> command is issued. This will disable CDP only on
the interface selected.
The no cdp run command is a global command and is used to disable CDP for the entire device.
John works as a Network Administrator for Blue Well Inc. All client computers in the company run
the Windows Vista operating system. He installs an application on his computer. The application is
not running properly. Therefore, he wants to disable the application. What steps will he take to
accomplish the task?
Answer:
Explanation:
John will click the Disable button in the Software Explorer page to disable the application running
on his computer.
The Quarantined items link will open the Quarantined items page that will help a user to remove or
restore software that Windows Defender has prevented from running.
John works as an office assistant in an office. The office uses the Windows Vista operating system.
He wants to disable a program from running on a computer. He opens the Windows Defender
window and clicks on the Tools link. He clicks on a link to view the list of programs running on the
computer, selects a program and then clicks on the Disable button to disable it. Mark the option
that John had chosen to view the list of programs running on the computer.
Answer:
Explanation:
The Software Explorer link will open a list of programs running on the computer.
In the image of the Screened Host Firewall Architecture given below, select the element that is
commonly known as the choke router.
Answer:
Explanation:
A choke router is an interior router present in the screened host firewall architecture. It is attached
to the perimeter network and protects the internal network from the Internet and the perimeter net.
A choke router is basically employed for the job of packet filtering for the firewall. It is also used to
provide access to selected services that are outbound from the internal net to the Internet. These
services may include outgoing Telnet, FTP, WAIS, Archie, Gopher, etc.
A Screened Host Firewall Architecture is used to provide services from a host that is attached only
to the internal network by using a separate router. In this type of firewall architecture, the key
security is provided by packet filtering.
The host exists in the internal network. The packet filtering on the screening router is configured in
such a way that the bastion host is the only system in the internal network that is open to the
Internet connections. If any external system tries to access internal systems or services, then it will
connect only to this host. The bastion host therefore needs to be at a high level of security.
John works as a Network Administrator for Blue Well Inc. The company uses Windows Vista
operating system. He wants to configure the firewall access for specific programs. What steps will
he take to accomplish the task?
Answer:
Explanation:
A firewall is a set of related programs configured to protect private networks connected to the
Internet from intrusion. It is used to regulate the network traffic between different computer
networks. It permits or denies the transmission of a network packet to its destination based on a
set of rules. A firewall is often installed on a separate computer so that an incoming packet does
not get into the network directly.
Each listener interface method has an event associated with it. Drag and drop the appropriate
event names to match the respective listener interface methods.
Answer:
Explanation:
The session binds the object by a call to the HttpSession.setAttribute() method and unbinds the
object by a call to the HttpSession.removeAttribute() method.
In Unix, there are different commands used for editing and viewing files. Drag and drop the
appropriate commands (available in Unix) in front of their respective functions that they perform.
Answer:
Explanation:
Following are the basic file editing and viewing commands in Unix:
George works as a Network Administrator for Blue Soft Inc. The company uses Windows Vista
operating system. The network of the company is continuously connected to the Internet.
What will George use to protect the network of the company from intrusion?
Answer:
Explanation:
A firewall is a set of related programs configured to protect private networks connected to the
Internet from intrusion. It is used to regulate the network traffic between different computer
networks. It permits or denies the transmission of a network packet to its destination based on a
set of rules. A firewall is often installed on a separate computer so that an incoming packet does
not get into the network directly.
Place the protocols on the TCP/IP layer to which they are associated.
Answer:
Explanation:
TCP/IP defines a large set of protocols that allow communication between various devices on a
network. TCP/IP classifies the various protocols into different layers. Some of the common
protocols are listed in the table below:
You work as a Network Auditor for Net Perfect Inc. The company has a Windows-based network.
You need to audit the network of the company. You need to plan the audit process to minimize the
audit risk. What steps will you take to minimize the possibility of audit risk?
Answer:
Explanation:
The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an
incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate
the possibility of assessing audit risk too low, the auditor should perform the following steps:
Obtain an Understanding of the Organization and its Environment: The understanding of the
organization and its environment is used to assess the risk of material misstatement/weakness
and to set the scope of the audit. The auditor's understanding should include information on the
nature of the entity, management, governance, objectives and strategies, and business processes.
Identify Risks that May Result in Material Misstatements: The auditor must evaluate an
Evaluate the Organization's Response to those Risks: Once the auditor has evaluated the
organization's response to the assessed risks, the auditor should then obtain evidence of
management's actions toward those risks. The organization's response (or lack thereof) to any
business risks will impact the auditor's assessed level of audit risk.
Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the
organization's responses to business risks, the auditor then assesses the risk of material
misstatements and determines specific audit procedures that are necessary based on that risk
assessment.
Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the
assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor
will issue either an unqualified or qualified audit report based on their findings.
You have created VLANs in your network and have assigned interfaces to each VLAN. You want
to configure trunking for carrying traffic of VLANs over a point-to-point link between a switch and a
wireless LAN controller. Drag and drop the appropriate commands beside their respective
command prompts.
Answer:
Explanation:
controller, you will have to execute the following commands in command-line mode:
Switch1(config)#interface fa0/1
Switch1(config-if)#exit
You will have to use the interface fa slot/port global configuration command to select a specific
Fast Ethernet interface that you want to configure.
The switchport trunk encapsulation dot1q command is used to define a trunking protocol as
802.1Q.
You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active
Choose the steps that you will take to accomplish the task.
Answer:
Explanation:
In order to accomplish the task, you will have to take the following steps:
Install a WLAN access point on the network.
Install wireless network interface adapters on the laptops of the Sales Managers.
Create a Wireless Network policy and configure it to allow infrastructure networking only.
Configuring the Wireless Network policy to allow infrastructure networking only will prevent the
Sales.
Although they will be able to communicate with each other by using this configuration, the
communication will be made through the access point.
The Ad hoc topology is used by wireless equipment, which are configured with the wireless
network interface adapters, to communicate directly with each other.
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is an
IEEE encryption protocol created to replace both TKIP and ______.
Answer:
WEP
Explanation:
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is an
IEEE 802.11i encryption protocol created to replace both TKIP, the mandatory protocol in WPA,
and WEP, the earlier, insecure protocol. CCMP is a mandatory part of the WPA2 standard, an
optional part of the WPA standard, and a required option for Robust Security Network (RSN)
Compliant networks. CCMP is also used in the ITU-T home and business networking standard.
CCMP, part of the 802.11i standard, uses the Advanced Encryption Standard (AES) algorithm.
Unlike in TKIP, key management and message integrity is handled by a single component built
around AES using a 128-bit key, a 128-bit block, and 10 rounds of encoding per the FIPS 197
standard.
When two routers are used in a firewall configuration, the internal router is known as a ______
router.
Answer:
choke
Explanation:
When two routers are used in a firewall configuration, the internal router is known as a choke
router. A choke router is an interior router present in the screened host firewall architecture. It is
attached to the perimeter network and protects the internal network from the Internet and the
perimeter net.
A choke router is basically employed for the job of packet filtering for the firewall. It is also used to
provide access to selected services that are outbound from the internal net to the Internet. These
services may include outgoing Telnet, FTP, WAIS, Archie, Gopher, etc.
Fill in the blank with the command to complete the statement below. Do not enter the full path of
the command.
The ________ command supports system logging and kernel message trapping.
Answer:
sysklogd
Explanation:
The sysklogd command is used to support system logging and kernel message trapping. Sysklogd
includes two system utilities: syslogd and klogd, which support system logging and kernel
message trapping. Since this utility supports both Internet and UNIX domain sockets, it also
supports both local and remote logging. Every logged message contains at least a time and a
hostname field, and sometimes a program name field as well.
John works as a Network Administrator for Blue Well Inc. All client computers in the company run
the Windows Vista operating system. He wants to view the status of malware protection.
What steps will he take to accomplish the task?
Answer:
Explanation:
John will click on the Security Center icon to view the malware status.
Malware is a combination of the terms malicious and software. It refers to a variety of hostile
programs, such as a virus or a Trojan horse, designed to damage or disrupt a computer. It gathers
information about a computer without the user's permission or knowledge.
The Windows Update icon is used to manually update Windows Vista and configure the settings
for the update.
A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over
the network, it is broken into fragments (packets) at the source and reassembled at the destination
system. Each packet contains a sequence number that is used by the destination system to
reassemble the data packets in the correct order. The Initial Sequence Number of your computer
is 24171311 at login time. You connect your computer to a computer having the IP address
210.213.23.21. This whole process takes three seconds.
What will the value of the Initial Sequence Number be at this moment?
A.
24171811
B.
24619311
C.
24171111
D.
24171311
Answer: B
Explanation:
You took 3 seconds to establish a connection. During this time, the value of the Initial Sequence
Number would become [24171311 + (1 * 64000) + (3 * 128000)], i.e., 24619311.