
GIAC GSNA

GIAC Systems and Network Auditor


Version: 2.3
GIAC GSNA Exam
Topic 1, Volume A

QUESTION NO: 1

Sarah works as a Web Developer for XYZ CORP. She is creating a Web site for her company.
Sarah wants greater control over the appearance and presentation of Web pages. She wants the
ability to precisely specify the display attributes and the appearance of elements on the Web
pages.

How will she accomplish this?

A.
Use the Database Design wizard.

B.
Make two templates, one for the index page and the other for all other pages.

C.
Use Cascading Style Sheet (CSS).

D.
Make a template and use it to create each Web page.

Answer: C
Explanation:

Sarah should use the Cascading Style Sheet (CSS) while creating Web pages. This will give her
greater control over the appearance and presentation of the Web pages and will also enable her to
precisely specify the display attributes and the appearance of elements on the Web pages.

QUESTION NO: 2

You work as a Network Administrator for XYZ CORP. The company has a Windows Server 2008
network environment. The network is configured as a Windows Active Directory-based single
forest single domain network. You have installed a Windows Server 2008 computer. You have
configured auditing on this server. The client computers of the company use the Windows XP
Professional operating system. You want to audit each event that is related to a user managing an
account in the user database on the computer where the auditing is configured. To accomplish the
task, you have enabled the Audit account management option on the server.

Which of the following events can be audited by enabling this audit option?

"Pass Any Exam. Any Time." - www.actualtests.com 2


A.
Access to an Active Directory object

B.
Change of password for a user account

C.
Addition of a user account to a group

D.
Creation of a user account

Answer: B,C,D
Explanation:

Audit account management is one of the nine audit settings that can be configured on a Windows
computer. This option is enabled to audit each event that is related to a user managing an account
in the user database on the computer where the auditing is configured. These events include the
following:

This option is also used to audit the changes to the domain account of the domain controllers.

QUESTION NO: 3

John works as a contract Ethical Hacker. He has recently got a project to do security checking for
www.we-are-secure.com. He wants to find out the operating system of the we-are-secure server in
the information gathering step.

Which of the following commands will he use to accomplish the task? (Choose two.)

A.
nc 208.100.2.25 23

B.
nmap -v -O www.we-are-secure.com

C.
nc -v -n 208.100.2.25 80

D.
nmap -v -O 208.100.2.25

Answer: B,D
Explanation:

According to the scenario, John will use "nmap -v -O 208.100.2.25" to detect the operating system
of the we-are-secure server. Here, -v is used for verbose output and -O is used for TCP/IP fingerprinting
to guess the remote operating system. John may also use the DNS name of we-are-secure
instead of the IP address of the we-are-secure server. So, he can also use the nmap
command "nmap -v -O www.we-are-secure.com".

Answer: C is incorrect. "nc -v -n 208.100.2.25 80" is a Netcat command, which is used to banner
grab for getting information about the system and running services.

QUESTION NO: 4

You check performance logs and note that there has been a recent dramatic increase in the
amount of broadcast traffic. What is this most likely to be an indicator of?

A.
Misconfigured router

B.
DoS attack

C.
Syn flood

D.
Virus

Answer: B
Explanation:

There are several denial of service (DoS) attacks that specifically use broadcast traffic to flood a
targeted computer. Seeing an unexplained spike in broadcast traffic could be an indicator of an
attempted denial of service attack.

Answer: D is incorrect. Viruses can cause an increase in network traffic, and it is possible for that
to be broadcast traffic. However, a DoS attack is more likely than a virus to cause this particular
problem.

Answer: C is incorrect. A syn flood does not cause increased broadcast traffic.

Answer: A is incorrect. A misconfigured router could possibly cause an increase in broadcast
traffic. However, since this is a recent problem, the router is unlikely to be the issue.

QUESTION NO: 5

You run the wc -c file1.txt command. If this command displays any error message, you want to
store the error message in the error.txt file. Which of the following commands will you use to
accomplish the task?

A.
wc -c file1.txt >>error.txt

B.
wc -c file1.txt 1>error.txt

C.
wc -c file1.txt 2>error.txt

D.
wc -c file1.txt >error.txt

Answer: C
Explanation:

According to the scenario, you will use the wc -c file1.txt 2>error.txt command to accomplish the
task. The 2> operator is an error redirector: while running a command, it redirects the error output
(if any) to the specified file.

Answer: B, D are incorrect.

The > or 1> redirector can be used to redirect the standard output of the wc -c file1.txt command
to the error.txt file; however, you want to write only the errors to the error.txt file, not the
whole output.

Answer: A is incorrect.

The >> operator redirects the standard output of the command in the same manner as the > or 1>
operator. Although the >> operator will not overwrite the error.txt file, it will append to it.

QUESTION NO: 6

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He wants to forward all the
kernel messages to the remote host having IP address 192.168.0.1. Which of the following
changes will he perform in the syslog.conf file to accomplish the task?

A.
kern.* @192.168.0.1

B.
!*.* @192.168.0.1

C.
!kern.* @192.168.0.1

D.
*.* @192.168.0.1

Answer: A
Explanation:

According to the scenario, John will make the following entry in the syslog.conf file to forward all
the kernel messages to the remote host having IP address 192.168.0.1: kern.* @192.168.0.1

Answer: D is incorrect.

This entry will forward all the messages to the remote host having IP address 192.168.0.1.

Answer: B is incorrect.

This entry will not forward any message to the remote host having IP address 192.168.0.1.

Answer: C is incorrect.

This entry will not forward any kernel message to the remote host having IP address 192.168.0.1.

QUESTION NO: 7

John works as a Security Professional. He is assigned a project to test the security of www.we-
are-secure.com. John wants to get the information of all network connections and listening ports in
the numerical form. Which of the following commands will he use?

A.
netstat -e

B.
netstat -r

C.
netstat -s

D.
netstat -an

Answer: D
Explanation:

According to the scenario, John will use the netstat -an command to accomplish the task. The
netstat -an command is used to get the information of all network connections and listening ports
in the numerical form. The netstat command displays protocol-related statistics and the state of
current TCP/IP connections. It is used to get information about the open connections on a
computer, incoming and outgoing data, as well as the ports of remote computers to which the
computer is connected. The netstat command gets all this networking information by reading the
kernel routing tables in the memory.

Answer: A is incorrect. The netstat -e command displays the Ethernet information.

Answer: B is incorrect. The netstat -r command displays the routing table information.

Answer: C is incorrect. The netstat -s command displays per-protocol statistics.

By default, statistics are shown for TCP, UDP and IP.

QUESTION NO: 8

John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He wants to use Kismet as a wireless sniffer to sniff the We-
are-secure network. Which of the following IEEE-based traffic can be sniffed with Kismet?

A.
802.11g

B.
802.11n

C.
802.11b

D.
802.11a

Answer: A,B,C,D
Explanation:

Kismet can sniff IEEE 802.11a, 802.11b, 802.11g, and 802.11n-based wireless network traffic.

QUESTION NO: 9

Which of the following statements about the traceroute utility are true?

A.
It uses ICMP echo packets to display the Fully Qualified Domain Name (FQDN) and the IP
address of each gateway along the route to the remote host.

B.
It records the time taken for a round trip for each packet at each router.

C.
It is an online tool that performs polymorphic shell code attacks.

D.
It generates a buffer overflow exploit by transforming an attack shell code so that the new attack
shell code cannot be recognized by any Intrusion Detection Systems.

Answer: A,B
Explanation:

Traceroute is a route-tracing utility that displays the path an IP packet takes to reach its
destination. It uses ICMP echo packets to display the Fully Qualified Domain Name (FQDN) and
the IP address of each gateway along the route to the remote host. This tool also records the time
taken for a round trip for each packet at each router that can be used to find any faulty router
along the path.

Answer: C, D are incorrect. Traceroute does not perform polymorphic shell code attacks. Attacking
tools such as AD Mutate are used to perform polymorphic shell code attacks.

QUESTION NO: 10

George works as an office assistant in Soft Well Inc. The company uses the Windows Vista
operating system. He wants to disable a program running on a computer. Which of the following
Windows Defender tools will he use to accomplish the task?

A.
Allowed items

B.
Quarantined items

C.
Options

D.
Software Explorer

Answer: D
Explanation:

Software Explorer is used to remove, enable, or disable a program running on a computer.

Answer: A is incorrect. Allowed items contains a list of all the programs that a user has chosen not
to monitor with Windows Defender.

Answer: C is incorrect. Options is used to choose how Windows Defender should monitor all the
programs running on a computer.

Answer: B is incorrect. Quarantined items are used to remove or restore a program blocked by
Windows Defender.

QUESTION NO: 11

You work as a Network Administrator for XYZ CORP. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company's management has decided to provide laptops to its sales team
members. These laptops are equipped with smart card readers. The laptops will be configured as
wireless network clients. You are required to accomplish the following tasks:

The wireless network communication should be secured.

The laptop users should be able to use smart cards for getting authenticated.

In order to accomplish the tasks, you take the following steps:

Configure 802.1x and WEP for the wireless connections.

Configure the PEAP-MS-CHAP v2 protocol for authentication.

What will happen after you have taken these steps?

A.
Both tasks will be accomplished.

B.
The laptop users will be able to use smart cards for getting authenticated.

C.
The wireless network communication will be secured.

D.
None of the tasks will be accomplished.

Answer: C
Explanation:

As 802.1x and WEP are configured, this step will enable the secure wireless network
communication. For authentication, you have configured the PEAP-MS-CHAP v2 protocol. This
protocol can be used for authentication on wireless networks, but it cannot use a public key
infrastructure (PKI). No certificate can be issued without a PKI. Smart cards cannot be used for
authentication without certificates. Hence, the laptop users will not be able to use smart cards for
getting authenticated.

QUESTION NO: 12

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to print the superblock and block group information for the filesystem present on a
system. Which of the following Unix commands can you use to accomplish the task?

A.
e2fsck

B.
dump

C.
dumpe2fs

D.
e2label

Answer: C
Explanation:

In Unix, the dumpe2fs command dumps the filesystem superblock and block group
information.

Answer: B is incorrect. In Unix, the dump command is used to back up an ext2 filesystem.

Answer: A is incorrect. The e2fsck command is used to check the second extended file system
(E2FS) of a Linux computer. Syntax: e2fsck [options] <device>, where <device> is the file name
of a mounted storage device (for example, /dev/hda1). Several options are used with the e2fsck
command. Following is a list of some important options:

Answer: D is incorrect. In Unix, the e2label command is used to change the label of an ext2
filesystem.

QUESTION NO: 13

Which of the following is a wireless auditing tool that is used to pinpoint the actual physical
location of wireless devices in the network?

A.
KisMAC

B.
Ekahau

C.
Kismet

D.
AirSnort

Answer: B
Explanation:

Ekahau is an easy-to-use, powerful and comprehensive tool for network site surveys and
optimization. It is an auditing tool that can be used to pinpoint the actual physical location of
wireless devices in the network. This tool can be used to make a map of the office and then
perform the survey of the office. In the process, if one finds an unknown node, Ekahau can be
used to locate that node.

Answer: D is incorrect. AirSnort is a Linux-based WLAN WEP cracking tool that recovers
encryption keys. AirSnort operates by passively monitoring transmissions. It uses a Ciphertext Only
Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.

Answer: C is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.
Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the
following tasks:

Answer: A is incorrect. KisMAC is a wireless network discovery tool for Mac OS X. It has a wide
range of features, similar to those of Kismet, its Linux/BSD namesake and far exceeding those of
NetStumbler, its closest equivalent on Windows. The program is geared toward network security
professionals, and is not as novice-friendly as similar applications. KisMAC will scan for networks
passively on supported cards - including Apple's AirPort, and AirPort Extreme, and many third-
party cards, and actively on any card supported by Mac OS X itself. Cracking of WEP and WPA
keys, both by brute force, and exploiting flaws such as weak scheduling and badly generated keys
is supported when a card capable of monitor mode is used, and packet reinjection can be done
with a supported card. GPS mapping can be performed when an NMEA compatible GPS receiver
is attached. Data can also be saved in pcap format and loaded into programs such as Wireshark.

QUESTION NO: 14

Which of the following tools works both as an encryption-cracking tool and as a keylogger?

A.
Magic Lantern

B.
KeyGhost Keylogger

C.
Alchemy Remote Executor

D.
SocketShield

Answer: A
Explanation:

Magic Lantern works both as an encryption-cracking tool and as a keylogger.

Answer: C is incorrect. Alchemy Remote Executor is a system management tool that allows
Network Administrators to execute programs on remote network computers without leaving their
workplace. From the hacker's point of view, it can be useful for installing keyloggers, spyware,
Trojans, Windows rootkits and such. One necessary condition for using the Alchemy Remote
Executor is that the user/attacker must have the administrative passwords of the remote
computers on which the malware is to be installed.

Answer: B is incorrect. The KeyGhost keylogger is a hardware keylogger that is used to log all
keystrokes on a computer. It is a tiny device that clips onto the keyboard cable. Once the
KeyGhost keylogger is attached to the computer, it quietly logs every key pressed on the keyboard
into its own internal Flash memory (just as with smart cards). When the log becomes full, it
overwrites the oldest keystrokes with the newest ones.

Answer: D is incorrect. SocketShield provides a protection shield to a computer system against
malware, viruses, spyware, and various types of keyloggers. SocketShield provides protection at
the following two levels:

1. Blocking: In this level, SocketShield uses a list of IP addresses that are known as purveyors of
exploits. All HTTP requests for any page in these domains are simply blocked.

2. Shielding: In this level, SocketShield blocks all the current and past IP addresses that are the
cause of unauthorized access.

QUESTION NO: 15

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to set some terminal characteristics and environment variables. Which of the following
Unix configuration files can you use to accomplish the task?

A.
/etc/sysconfig/routed

B.
/proc/net

C.
/etc/sysconfig/network-scripts/ifcfg-interface

D.
/etc/sysconfig/init

Answer: D
Explanation:

In Unix, the /etc/sysconfig/init file is used to set terminal characteristics and environment variables.

Answer: B is incorrect. In Unix, the /proc/net file contains status information about the network
protocols.

Answer: C is incorrect. In Unix, the /etc/sysconfig/network-scripts/ifcfg-interface file is the
configuration file used to define a network interface.

Answer: A is incorrect. In Unix, the /etc/sysconfig/routed file is used to set up the dynamic routing
policies.

QUESTION NO: 16

You work as a Network Auditor for XYZ CORP. The company has a Windows-based network.
While auditing the company's network, you are facing problems in searching the faults and other
entities that belong to it. Which of the following risks may occur due to the existence of these
problems?

A.
Residual risk

B.
Inherent risk

C.
Secondary risk

D.
Detection risk

Answer: D
Explanation:

Detection risk is the risk that an auditor will not find what they are looking to detect. Hence, the
auditor may report negative results when material conditions (faults) actually exist. Detection risk
includes two types of risk:

Sampling risk: This risk occurs when an auditor falsely accepts or erroneously rejects an audit
sample.

Nonsampling risk: This risk occurs when an auditor fails to detect a condition because of not
applying the appropriate procedure or using procedures inconsistent with the audit objectives
(detection faults).

Answer: A is incorrect. Residual risk is the risk or danger of an action, event, method or (technical)
process that remains even after all theoretically possible (scientifically conceivable) safety
measures have been applied. The formula to calculate residual risk is (inherent risk) x (control risk),
where inherent risk is (threats x vulnerability). In the economic context, residual means "the
quantity left over at the end of a process; a remainder".

Answer: B is incorrect. Inherent risk, in auditing, is the risk that the account or section being
audited is materially misstated without considering internal controls due to error or fraud. The
assessment of inherent risk depends on the professional judgment of the auditor, and it is done
after assessing the business environment of the entity being audited.

Answer: C is incorrect. A secondary risk is a risk that arises as a direct consequence of
implementing a risk response. The secondary risk is an outcome of dealing with the original risk.
Secondary risks are not as rigorous or important as primary risks, but can turn out to be so if not
estimated and planned properly.

QUESTION NO: 17

Which of the following statements are true about locating rogue access points using WLAN
discovery software such as NetStumbler, Kismet, or MacStumbler if you are using a laptop with an
integrated Wi-Fi compliant MiniPCI card? (Choose two.)

A.
These tools can determine the rogue access point even when it is attached to a wired network.

B.
These tools can determine the authorization status of an access point.

C.
These tools cannot detect rogue access points if the victim is using data encryption.

D.
These tools detect rogue access points if the victim is using IEEE 802.11 frequency bands.

Answer: B,D
Explanation:

WLAN discovery software such as NetStumbler, Kismet, or MacStumbler can be used to detect
rogue access points if the victim is using IEEE 802.11 frequency bands. However, if the victim is
using non-IEEE 802.11 frequency bands or unpopular modulations, these tools might not detect
rogue access points. NetStumbler, Kismet, or MacStumbler also give the authorization status of an
access point. A rogue access point (AP) is set up by attackers in an enterprise's network. The
attacker captures packets in the existing wireless LAN (WLAN) and finds the SSID and security
keys (by cracking). Then the attacker sets up his own AP using the same SSID and security keys.
The network clients unknowingly use this AP and the attacker captures their usernames and
passwords. This can help the attacker to breach security and gain access to the enterprise
data.

Answer: A, C are incorrect. The WLAN software such as NetStumbler, Kismet, or MacStumbler
can search rogue access points even when the victim is using data encryption. However, these
tools cannot determine the rogue access point even when it is attached to a wired network.

QUESTION NO: 18

A Web developer with your company wants to have wireless access for contractors that come in to
work on various projects. The process of getting this approved takes time. So rather than wait, he
has put his own wireless router attached to one of the network ports in his department. What
security risk does this present?

A.
None, adding a wireless access point is a common task and not a security risk.

B.
It is likely to increase network traffic and slow down network performance.

C.
This circumvents network intrusion detection.

D.
An unauthorized WAP is one way for hackers to get into a network.

Answer: D
Explanation:

Any unauthorized Wireless Access Point (WAP) is a serious security breach. Its configuration
might be very insecure. For example, it might not use encryption or MAC filtering, thus allowing
anyone in range to get on the network.

QUESTION NO: 19

Which of the following allows the use of multiple virtual servers using different DNS names
resolved by the same IP address?

A.
HTTP 1.1

B.
JAVA

C.
HTML

D.
VPN

Answer: A
Explanation:

HTTP 1.1 allows the use of multiple virtual servers, all using different DNS names resolved by the
same IP address. The WWW service supports a concept called virtual server. A virtual server can
be used to host multiple domain names on the same physical Web server. Using virtual servers,
multiple FTP sites and Web sites can be hosted on a single computer. It means that there is no
need to allocate different computers and software packages for each site.

Answer: D is incorrect. VPN stands for virtual private network. It allows users to use the Internet as
a secure pipeline to their corporate local area networks (LANs). Remote users can dial-in to any
local Internet Service Provider (ISP) and initiate a VPN session to connect to their corporate LAN
over the Internet. Companies using VPNs significantly reduce long-distance dial-up charges. VPNs
also provide remote employees with an inexpensive way of remaining connected to their
company's LAN for extended periods.

Answer: B is incorrect. Java is an object oriented programming language developed by Sun
Microsystems. It allows the creation of platform independent executables. Java source code files
are compiled into a format known as bytecode (files with .class extension). Java supports
programming for the Internet in the form of Java applets. Java applets can be executed on a
computer having a Java interpreter and a run-time environment known as Java Virtual Machine
(JVM). Java Virtual Machines (JVMs) are available for most operating systems, including UNIX,
Macintosh OS, and Windows.

Answer: C is incorrect. HTML stands for Hypertext Markup Language. It is a set of markup
symbols or codes used to create Web pages and define formatting specifications. The markup
tells the Web browser how to display the content of the Web page.

QUESTION NO: 20

Which of the following is Microsoft's implementation of the file and application server for the
Internet and private intranets?

A.
Internet Server Service (ISS)

B.
Internet Server (IS)

C.
WWW Server (WWWS)

D.
Internet Information Server (IIS)

Answer: D
Explanation:

Microsoft Internet Information Server (IIS) is a Web Application server for the Internet and private
intranets. IIS receives requests from users on the network using the World Wide Web (WWW)
service and transmits information using the Hypertext Transport Protocol (HTTP). IIS uses
Microsoft Transaction Server (MTS) to provide security, performance, and scalability with server
side packages.

QUESTION NO: 21

Which of the following encryption modes are possible in WEP?

A.
128 bit encryption

B.
No encryption

C.
256 bit encryption

D.
40 bit encryption

Answer: A,B,D
Explanation:

WEP supports three encryption modes, i.e., no encryption, 40 bit encryption, and 128 bit
encryption. Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks
(WLANs). It has two components, authentication and encryption. It provides security, which is
equivalent to wired networks, for wireless networks. WEP encrypts data on a wireless network by
using a fixed secret key. WEP incorporates a checksum in each frame to provide protection
against the attacks that attempt to reveal the key stream.

Answer: C is incorrect. WEP does not support 256 bit encryption.

QUESTION NO: 22

Which of the following responsibilities does not come under the audit process?

A.
Reporting all facts and circumstances of the irregular and illegal acts.

B.
Planning the IT audit engagement based on the assessed level of risk.

C.
Reviewing the results of the audit procedures.

D.
Applying security policies.

Answer: A,B,C
Explanation:

According to the standards of ISACA, an auditor should hold the following responsibilities:

Planning the IT audit engagement based on an assessed level of risk.

Designing audit procedures of irregular and illegal acts.

Reviewing the results of the audit procedures.

Assuming that acts are not isolated.

Determining why the internal control system failed for that act.

Conducting additional audit procedures.

Evaluating the results of the expanded audit procedures.

Reporting all facts and circumstances of the irregular and illegal acts.

Distributing the report to the appropriate internal parties, such as managers.

Answer: D is incorrect. The auditor is not responsible for applying security policies.

QUESTION NO: 23

You are responsible for a large network that has its own DNS servers. You periodically check the
log to see if there are any problems. Which of the following are likely errors you might encounter in
the log? (Choose three)

A.
The DNS server could not create FTP socket for address [IP address of server]

B.
The DNS server could not create an SMTP socket

C.
Active Directory Errors

D.
The DNS server could not create a Transmission Control Protocol (TCP) socket

E.
The DNS server could not initialize the Remote Procedure Call (RPC) service

Answer: C,D,E
Explanation:

There are a number of errors one could find in a Windows Server 2003 DNS log. They are as
follows:

The DNS server could not create a Transmission Control Protocol (TCP) socket.

The DNS server could not open socket for address.

The DNS server could not initialize the Remote Procedure Call (RPC) service.

The DNS server could not bind the main datagram socket.

The DNS Server service relies on Active Directory to store and retrieve information for Active
Directory-integrated zones, so several Active Directory errors are also possible.

Answer: A is incorrect. DNS servers do not create FTP connections.

Answer: B is incorrect. DNS servers do not create SMTP connections.

QUESTION NO: 24

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote
device during standard layer 4 network communications. The combination of parameters may then
be used to infer the remote operating system (OS fingerprinting), or incorporated into a device
fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack
fingerprinting?

A.
nmap -sS

B.
nmap -sU -p

C.
nmap -O -p

D.
nmap -sT

Answer: C
Explanation:

The nmap -O -p switch can be used to perform TCP/IP stack fingerprinting. Nmap is a free open-
source utility for network exploration and security auditing. It is used to discover computers and
services on a computer network, thus creating a "map" of the network. Just like many simple port
scanners, Nmap is capable of discovering passive services. In addition, Nmap may be able to
determine various details about the remote computers. These include operating system, device
type, uptime, software product used to run a service, exact version number of that product,
presence of some firewall techniques and, on a local area network, even vendor of the remote
network card. Nmap runs on Linux, Microsoft Windows etc.

Answer: B is incorrect. The nmap -sU -p switch can be used to perform UDP port scanning.

Answer: A is incorrect. The nmap -sS switch is used to perform a TCP half scan. TCP SYN
scanning is also known as half-open scanning because in this a full TCP connection is never
opened.

Answer: D is incorrect. The nmap -sT switch is used to perform a TCP full scan.

QUESTION NO: 25

You work as a Network Administrator for XYZ CORP. The company has a Linux-based network.
The company needs to provide secure network access. You have configured a firewall to prevent
certain ports and applications from forwarding the packets to the company's intranet. What does a
firewall check to prevent these ports and applications from forwarding the packets to the intranet?

A.
The network layer headers and the session layer port numbers

B.
The application layer port numbers and the transport layer headers

C.
The transport layer port numbers and the application layer headers

D.
The presentation layer headers and the session layer port numbers

Answer: C
Explanation:

A firewall stops delivery of packets that are not marked safe by the Network Administrator. It
checks the transport layer port numbers and the application layer headers to prevent certain ports
and applications from forwarding the packets to an intranet.

Answer: D, A, and B are incorrect. These are not checked by a firewall.

QUESTION NO: 26

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. You want to run two
programs, foo and bar. You also want to ensure that bar is executed if and only if foo has
executed successfully. Which of the following command sequences will John use to accomplish
the task?

A.
foo; bar;

B.
foo || bar;

C.
foo | bar;

D.
foo && bar;

Answer: D
Explanation:

According to the scenario, John will execute the foo && bar; command. Because of the &&
operator, bar will execute if and only if foo completes successfully.

Answer: A is incorrect. The foo; bar; command sequence will run foo and bar in a sequential
manner, but the successful completion of the first command does not matter.

Answer: B is incorrect. The foo || bar; command sequence runs bar if and only if foo fails to
complete successfully.

Answer: C is incorrect. In the foo | bar; command sequence, the output of the foo command will be
the input for the bar command.

QUESTION NO: 27

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He is configuring the
Apache Web server settings. He does not want the commands being used in the settings to be
stored in the history. Which of the following commands can he use to disable history?

A.
history !!

B.
set +o history

C.
history !N

D.
set -o history

Answer: B
Explanation:

According to the scenario, John can use set +o history, which turns off command history recording
for the current bash session: anything typed afterwards is not added to the history list. Two
caveats apply. Commands entered before the option was changed are still in the list and may be
written to the file named by HISTFILE when the shell exits, so clearing the list (history -c) or
unsetting HISTFILE is needed to keep them out of the file; and the setting lasts only for that
shell. From an auditing standpoint, an administrator who disables history removes a record of
privileged activity, so server-side logging (auditd, a remote syslog) should never depend on shell
history in the first place.

Answer: D is incorrect. set -o history turns history recording back on after it has been disabled.

Answer: A is incorrect. !! is a history-expansion designator that repeats the most recent command
line; it does not disable history.

Answer: C is incorrect. !N repeats command number N from the history list; it does not disable
history.

QUESTION NO: 28

You are the Network Administrator for a software development company. Your company creates
various utilities and tools. You have noticed that some of the files your company creates are
getting deleted from systems. When one is deleted, it seems to be deleted from all the computers
on your network. Where would you first look to try and diagnose this problem?

A.
Antivirus log

B.
IDS log

C.
System log

D.
Firewall log

Answer: A
Explanation:

Check the antivirus log and see if it is detecting your file as a virus and deleting it. All antivirus
programs have a certain rate of false positives. Since the file is being deleted from all computers, it
seems likely that your antivirus has mistakenly identified that file as a virus.

Answer: D is incorrect. The firewall log can help you identify traffic entering or leaving your
network, but won't help with files being deleted.

Answer: B is incorrect. An IDS log would help you identify possible attacks, but this scenario is
unlikely to be from an external attack.

Answer: C is incorrect. Your system log can only tell you what is happening on that individual
computer.

QUESTION NO: 29

Which of the following statements about a screened host is true?

A.
It facilitates a more efficient use of the Internet connection bandwidth and hides the real IP
addresses of computers located behind the proxy.

B.
It is a small network that lies in between the Internet and a private network.

C.
It provides added security by using Internet access to deny or permit certain traffic from the
Bastion Host.

D.
It provides a physical connection between computers within a network.

Answer: C
Explanation:

A screened host architecture places a packet-filtering router in front of a bastion host. The
router's filters deny or permit traffic so that Internet hosts can reach only the bastion host, and
internal hosts reach the Internet only through it; the added security comes from that filtering
combined with a hardened bastion host.

Answer: D is incorrect. A network interface card provides a physical connection between
computers within a network.

Answer: B is incorrect. Demilitarized zone (DMZ) or perimeter network is a small network that lies
in between the Internet and a private network. It is the boundary between the Internet and an
internal network, usually a combination of firewalls and bastion hosts that are gateways between
inside networks and outside networks. DMZ provides a large enterprise network or corporate
network the ability to use the Internet while still maintaining its security.

Answer: A is incorrect. A proxy server facilitates a more efficient use of the Internet connection
bandwidth and hides the real IP addresses of computers located behind the proxy.

QUESTION NO: 30

John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He notices that UDP port 137 of the We-are-secure server is
open. Assuming that the Network Administrator of We-are-secure Inc. has not changed the default
port values of the services, which of the following services is running on UDP port 137?

A.
HTTP

B.
TELNET

C.
NetBIOS

D.
HTTPS

Answer: C
Explanation:

NetBIOS is a Microsoft session-layer interface that lets applications on different computers
communicate within a LAN. NetBIOS hosts identify themselves with a 15-character name (a 16th byte
encodes the service type) and carry Server Message Block (SMB) traffic for remote directory, file
and printer sharing. The NetBIOS Name Service listens on 137/UDP by default; the datagram service
uses 138/UDP and the session service 139/TCP. An open 137/UDP on an Internet-facing host lets an
attacker enumerate the host's names and workgroup with nbtstat or nmblookup, so it should be
filtered at the perimeter.

Answer: A is incorrect. Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used
on the World Wide Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP
defines how messages are formatted and transmitted, and what actions Web servers and
browsers should take in response to various commands. For example, when a client application or
browser sends a request to the server using HTTP commands, the server responds with a
message containing the protocol version, success or failure code, server information, and body
content, depending on the request. HTTP uses TCP port 80 as the default port.

Answer: D is incorrect. The default port of HTTPS is TCP/443. Hypertext Transfer Protocol Secure
(HTTPS) protocol is a protocol used in the Universal Resource Locater (URL) address line to
connect to a secure site. If a site has been made secure by using the Secure Sockets Layer (SSL)
then HTTPS, instead of HTTP protocol, should be used as a protocol type in the URL.

Answer: B is incorrect. TELNET is a command-line connectivity tool that starts terminal emulation
with a remote host running the telnet server service. TELNET allows users to communicate with a
remote computer, offers the ability to run programs remotely, and facilitates remote administration.
The TELNET utility uses the Telnet protocol for connecting to a remote computer running the
Telnet server software, to access files. It uses TCP port 23 by default.

QUESTION NO: 31

Which of the following statements about a session are true? (Choose two.)

A.
The creation time can be obtained using the getSessionCreationTime() method of the
HttpSession.

B.
The getAttribute() method of the HttpSession interface returns a String.

C.
The time for the setMaxInactiveInterval() method of the HttpSession interface is specified in
seconds.

D.
The isNew() method is used to identify if the session is new.

Answer: C,D
Explanation:

The setMaxInactiveInterval() method sets the maximum time in seconds before a session
becomes invalid. The syntax of this method is as follows: public void setMaxInactiveInterval(int
interval)

Here, interval is specified in seconds. The isNew() method of the HttpSession interface returns
true if the client does not yet know about the session, or if the client chooses not to join the
session. This method throws an IllegalStateException if called on an invalidated session.

Answer: B is incorrect. The getAttribute(String name) method of the HttpSession interface returns
the value of the named attribute as an Object. It returns null if no attribute with the given
name is bound to the session. This method throws an IllegalStateException if it is called on an
invalidated session.

Answer: A is incorrect. The creation time of a session can be obtained using the
getCreationTime() method of the HttpSession.

QUESTION NO: 32

Which of the following statements is true about a relational database?

A.
It is difficult to extend a relational database.

B.
The standard user and application program interface to a relational database is Programming
Language (PL).

C.
It is a collection of data items organized as a set of formally-described tables.

D.
It is a set of tables containing data fitted into runtime defined categories.

Answer: C
Explanation:

A relational database is a collection of data items organized as a set of formally-described tables
from which data can be accessed or reassembled in many different ways without having to
reorganize the database tables.

Answer: B is incorrect. The standard user and application program interface to a relational
database is the structured query language (SQL).

Answer: A is incorrect. In addition to being relatively easy to create and access, a relational
database has the important advantage of being easy to extend.

Answer: D is incorrect. A relational database is a set of tables containing data fitted into predefined
categories. Each table (which is sometimes called a relation) contains one or more data categories
in columns. Each row contains a unique instance of data for the categories defined by the
columns.

QUESTION NO: 33

You work as a Network Administrator for BetaTech Inc. You have been assigned the task of
designing the firewall policy for the company. Which of the following statements is unacceptable in
the 'acceptable use statement' portion of the firewall policy?

A.
The computers and their applications should be used for organizational related activities only.

B.
Computers may not be left unattended with a user account still logged on.

C.
Applications other than those supplied or approved by the company can be installed on any
computer.

D.
The installed e-mail application can only be used as the authorized e-mail service.

Answer: C
Explanation:

Applications other than those supplied or approved by the company shall not be installed on any
computer.

Answer: A, B, D are incorrect. All of these statements stand true in the 'acceptable use statement'
portion of the firewall policy.

QUESTION NO: 34

You have recently joined as a Network Auditor in XYZ CORP. The company has a Windows-
based network. You have been assigned the task to determine whether or not the company's goal
is being achieved. As an auditor, which of the following tasks should you perform before
conducting the data center review? Each correct answer represents a complete solution. (Choose
three.)

A.
Review the future IT organization chart.

B.
Meet with IT management to determine possible areas of concern.

C.
Review the company's IT policies and procedures.

D.
Research all operating systems, software applications, and data center equipment operating within
the data center.

Answer: B,C,D
Explanation:

The auditor should be adequately educated about the company and its critical business activities
before conducting a data center review. The objective of the data center is to align its activities
with the goals of the business while maintaining the security and integrity of critical
information and processes. To determine whether the client's goal is being achieved, the auditor
should do the following before conducting the review:

Meet with IT management to determine possible areas of concern.

Review the current IT organization chart.

Review job descriptions of data center employees.

Research all operating systems, software applications, and data center equipment operating within
the data center.

Review the company's IT policies and procedures.

Evaluate the company's IT budget and systems planning documentation.

Review the data center's disaster recovery plan.

Answer: A is incorrect. An auditor should review the current organization chart. Reviewing the
future organization chart would not help in finding the current threats to the organization.

QUESTION NO: 35

Patricia joins XYZ CORP., as a Web Developer. While reviewing the company's Web site, she
finds that many words including keywords are misspelled. How will this affect the Web site traffic?

A.
Leave a bad impression on users.

B.
Search engine relevancy may be altered.

C.
Link exchange with other sites becomes difficult.

D.
The domain name cannot be registered.

Answer: B
Explanation:

Web site traffic depends on how many users can locate the site, and search engines are the tool
most often used to do so. They rank pages on the basis of the keywords those pages contain: simple
text strings associated with one or more topics of a page. Misspelled keywords do not match the
terms users actually search for, so the page's relevancy for those searches drops and it may not
appear in the results at all.

QUESTION NO: 36

You work as a Network Administrator for ABC Inc. The company uses a secure wireless network.
John complains to you that his computer is not working properly. What type of security audit do
you need to conduct to resolve the problem?

A.
Non-operational audit

B.
Dependent audit

C.
Independent audit

D.
Operational audit

Answer: C
Explanation:

An independent audit is an audit that is usually conducted by external or outside resources. It is
the process of reviewing detailed audit logs for the following purposes:

Answer: B is incorrect. It is not a valid type of security audit.

Answer: D is incorrect. It is done to examine the operational and ongoing activities within a
network.

Answer: A is incorrect. It is not a valid type of security audit.

QUESTION NO: 37

You have an online video library. You want to upload a directory of movies. Since this process will
take several hours, you want to ensure that the process continues even after the terminal is shut
down or session is closed. What will you do to accomplish the task?

A.
Use the bg command to run the process at the background.

B.
Add the nohup command in front of the process.

C.
Add the nohup command at the end of the process.

D.
Run the process inside a GNU Screen-style screen multiplexer.

Answer: B,D
Explanation:

Placing nohup in front of a command makes it ignore the hangup signal (SIGHUP) that the terminal
sends to its jobs when the session ends, so the command keeps running after the terminal is closed
or the session is disconnected; redirect its output, because nohup writes to nohup.out only when
stdout is a terminal. Without nohup, background jobs are normally killed at logout; only at and
batch jobs are unaffected, since they never belonged to the login session. To detach a job that is
already running in bash, press Ctrl+Z, enter bg, then enter disown so the shell no longer forwards
SIGHUP to it. The other way to accomplish the task is to run the command inside a GNU Screen-style
terminal multiplexer and detach the screen. The multiplexer keeps the session alive, and the user
can reattach at any time and continue interacting with the program, which nohup alone does not
allow.

Answer: C is incorrect. nohup works only when it precedes the command.

Answer: A is incorrect. bg resumes a stopped job in the background, but the job still belongs to
the session and is killed when the terminal is shut down or the session is closed.
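The following Python script is an added example, not part of the exam text, showing what nohup actually changes. It assumes a POSIX system with the coreutils nohup and sleep commands on PATH and uses a short sleep as a stand-in for the long upload: each job is sent the SIGHUP a closing terminal would deliver, and its exit status shows whether the signal killed it. The third mode reproduces nohup's effect in Python alone to show that ignoring SIGHUP is the whole trick.

```python
"""Added example (not from the exam text): why `nohup` in front of a command
keeps it alive after logout.

A closing terminal makes the kernel deliver SIGHUP to the session's jobs.
nohup sets SIGHUP to "ignore" before exec'ing the command, so the same signal
that kills a plain background job is discarded by a nohup'd one.
Assumes a POSIX system with coreutils `nohup` and `sleep` on PATH.
"""
import signal
import subprocess
import time


def run_and_hangup(mode: str, seconds: int = 2) -> int:
    """Start `sleep <seconds>` in the given mode, send it SIGHUP, return how it ended.

    mode: "plain"   - ordinary background job, nothing special
          "nohup"   - job started under nohup, as in the answer
          "sig_ign" - no nohup, but the child ignores SIGHUP itself (what nohup does)
    Returns the exit status: 0 if the job ran to completion, -1 (minus the
    SIGHUP number) if the hangup killed it.
    """
    cmd = ["sleep", str(seconds)]
    preexec = None
    if mode == "nohup":
        cmd = ["nohup"] + cmd
    elif mode == "sig_ign":
        preexec = lambda: signal.signal(signal.SIGHUP, signal.SIG_IGN)
    elif mode != "plain":
        raise ValueError(f"unknown mode {mode!r}")

    proc = subprocess.Popen(
        cmd,
        stdin=subprocess.DEVNULL,    # keep nohup from redirecting a terminal
        stdout=subprocess.DEVNULL,   # nohup would otherwise create nohup.out
        stderr=subprocess.DEVNULL,
        preexec_fn=preexec,
    )
    time.sleep(0.5)                  # let nohup install SIG_IGN and exec sleep
    proc.send_signal(signal.SIGHUP)  # what logging out delivers to the job
    return proc.wait()


if __name__ == "__main__":
    for mode in ("plain", "nohup", "sig_ign"):
        status = run_and_hangup(mode)
        verdict = "survived and ran to completion" if status == 0 else f"killed (status {status})"
        print(f"{mode:8s}: {verdict}")
```

A nohup'd job still loses its controlling terminal, which is why the output redirection matters and why a multiplexer such as GNU Screen is the better choice when the job must remain interactive.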

QUESTION NO: 38

You work as a Web Deployer for UcTech Inc. You write the <security-constraint> element for an
application in which you write the <auth-constraint> sub-element as follows:

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

Who will have access to the application?

A.
Only the administrator

B.
No user

C.
All users

D.
It depends on the application.

Answer: C
Explanation:

The <auth-constraint> element is a sub-element of the <security-constraint> element. It names the
roles that are allowed to access the Web resources specified by the <web-resource-collection>
sub-elements. The <auth-constraint> element is written in the deployment descriptor as follows:

<security-constraint>
  <web-resource-collection> ---------------- </web-resource-collection>
  <auth-constraint>
    <role-name>Administrator</role-name>
  </auth-constraint>
</security-constraint>

Writing Administrator within the <role-name> element allows only users in the Administrator role
to access the resources defined within the <web-resource-collection> element. The special role name
* stands for every role declared in the application's <security-role> elements, so with
<role-name>*</role-name> any authenticated user who holds one of those roles may access the
application. A request with no authenticated user is still challenged, and an <auth-constraint>
element that contains no <role-name> at all denies access to everyone.
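The following Python program is an added example, not from the exam text or from any servlet container, that evaluates these <auth-constraint> rules over a constructed web.xml fragment. The descriptor, the role names (Administrator, Staff) and the URL patterns are made up for the example; the decision logic follows the cases the Servlet specification defines, including the ** role name that Servlet 3.1 added for "any authenticated user, regardless of role".

```python
"""Added example (not from the exam or any container): evaluate the
<auth-constraint> semantics of a deployment descriptor.

Cases encoded:
  no <auth-constraint>            -> open to everyone, authenticated or not
  <auth-constraint/> (no roles)   -> nobody
  <role-name>Administrator</...>  -> only that role
  <role-name>*</role-name>        -> any role declared in <security-role>
  <role-name>**</role-name>       -> any authenticated user (Servlet 3.1+)
"""
import xml.etree.ElementTree as ET

# Constructed descriptor fragment (namespace omitted to keep the paths short).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/app/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/disabled/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-role><role-name>Administrator</role-name></security-role>
  <security-role><role-name>Staff</role-name></security-role>
</web-app>"""


def load_constraints(xml_text):
    """Return (declared roles, [(url patterns, allowed roles or None)])."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.iterfind("security-role/role-name")}
    constraints = []
    for sc in root.iterfind("security-constraint"):
        patterns = [p.text.strip() for p in sc.iterfind("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")  # compare with None: an empty element is falsy
        roles = None if ac is None else {r.text.strip() for r in ac.iterfind("role-name")}
        constraints.append((patterns, roles))
    return declared, constraints


def pattern_matches(pattern, path):
    """Exact match, or a path-prefix match for '/prefix/*' patterns."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def is_allowed(path, user_roles, declared, constraints):
    """user_roles is a set of role names, or None for an unauthenticated request."""
    matching = [roles for patterns, roles in constraints
                if any(pattern_matches(p, path) for p in patterns)]
    if not matching or any(roles is None for roles in matching):
        return True   # unconstrained, or a constraint without <auth-constraint> opens it
    allowed = set().union(*matching)
    if not allowed:
        return False  # <auth-constraint/> with no roles: nobody gets in
    if user_roles is None:
        return False  # every remaining case needs an authenticated user
    if "**" in allowed:
        return True
    if "*" in allowed:
        allowed = (allowed - {"*"}) | declared
    return bool(allowed & user_roles)


DECLARED, CONSTRAINTS = load_constraints(WEB_XML)


def check(path, user_roles):
    return is_allowed(path, user_roles, DECLARED, CONSTRAINTS)


if __name__ == "__main__":
    cases = [("/app/home", None), ("/app/home", {"Staff"}), ("/app/home", {"Guest"}),
             ("/admin/users", {"Staff"}), ("/admin/users", {"Administrator"}),
             ("/disabled/x", {"Administrator"}), ("/public/index", None)]
    for path, roles in cases:
        print(f"{path:16s} roles={str(roles):18s} -> {'allow' if check(path, roles) else 'deny'}")
```

The Guest case is the one worth remembering: * expands only to roles the descriptor declares, so an authenticated user whose role is not listed under <security-role> is still refused.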

QUESTION NO: 39

You work as a Network Administrator for XYZ CORP. The company has a TCP/IP-based network
environment. The network contains Cisco switches and a Cisco router.

You run the following command for a router interface:

show interface serial0

You get the following output:

Serial0 is administratively down, line protocol is down

What will be your conclusion after viewing this output?

A.
There is a physical problem either with the interface or the cable attached to it.

B.
The router has no power.

C.
There is a problem related to encapsulation.

D.
The interface is shut down.

Answer: D
Explanation:

According to the question, the output shows that the interface is "administratively down". That
means the interface has been shut down in the configuration (a shutdown command is present on it),
not that it has failed. To bring it up, enter interface configuration mode for Serial0 and issue
the no shutdown command.

Answer: A is incorrect. Had there been a physical problem with the interface, the output would not
have displayed "administratively down". Instead, the output would be as follows: serial0 is down,
line protocol is down

Answer: B is incorrect. You cannot run this command on a router that is powered off.

Answer: C is incorrect. Encapsulation has nothing to do with the output displayed in the question.

QUESTION NO: 40

Sam works as a Web Developer for McRobert Inc. He creates a Web site. He wants to include the
following table in the Web site:

He writes the following HTML code to create the table:

1. <TABLE BORDER="1" WIDTH="500">
2. <TR>
3.
4.
5. </TR>
6. <TR>
7. <TD>
8. </TD>
9. <TD>
10. </TD>
11. <TD>
12. </TD>
13. </TR>
14. <TR>
15. <TD>
16. </TD>
17. <TD>
18. </TD>
19. <TD>
20. </TD>
21. </TR>
22. </TABLE>

Which of the following tags will Sam place at lines 3 and 4 to create the table?

A.
at line 3 at line 4

B.
at line 3 at line 4

C.
at line4 at line

D.
at line 3 at line 4

Answer: D
Explanation:

The <TD> tag specifies each cell of a table and may appear only inside a table row (<TR>). Its
ROWSPAN attribute specifies the number of rows a cell spans; since the first cell of this table
spans three rows, Sam uses ROWSPAN on the cell at line 3. The COLSPAN attribute specifies the
number of columns a cell spans, which is what the head row's cell at line 4 needs.

Answer: C is incorrect.

Answer: A, B are incorrect. There are no attributes such as SPAN and SPANWIDTH for the <TD> tag.

QUESTION NO: 41

John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He is using the Linux operating system. He wants to use a
wireless sniffer to sniff the We-are-secure network. Which of the following tools will he use to
accomplish his task?

A.
WEPCrack

B.
Kismet

C.
Snadboy's Revelation

D.
NetStumbler

Answer: B
Explanation:

According to the scenario, John will use Kismet. Kismet is a Linux-based 802.11 wireless network
sniffer and intrusion detection system. It works with any wireless card that supports raw
monitoring (rfmon) mode and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. Kismet
can be used for the following tasks:

Answer: D is incorrect. NetStumbler is a Windows-based tool that is used for the detection of
wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. It detects wireless
networks and marks their relative position with a GPS.

Answer: A is incorrect. WEPCrack is an open source tool that breaks IEEE 802.11 WEP secret
keys.

Answer: C is incorrect. Snadboy's Revelation is not a sniffer. It is used to see the actual password
behind the asterisks.

QUESTION NO: 42

You work as a Network Administrator of a TCP/IP network. You are having DNS resolution
problem. Which of the following utilities will you use to diagnose the problem?

A.
PING

B.
IPCONFIG

C.
TRACERT

D.
NSLOOKUP

Answer: D
Explanation:

NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems.
It performs its function by sending queries to the DNS server and obtaining detailed responses at
the command prompt. This information can be useful for diagnosing and resolving name resolution
issues, verifying whether or not the resource records are added or updated correctly in a zone,
and debugging other server-related problems. This tool is installed along with the TCP/IP protocol
through the Control Panel.

Answer: A is incorrect. The ping command-line utility is used to test connectivity with a host on a
TCP/IP-based network. This is achieved by sending out a series of packets to a specified
destination host. On receiving the packets, the destination host responds with a series of replies.
These replies can be used to determine whether or not the network is working properly.

Answer: B is incorrect. IPCONFIG is a command-line utility used to display current TCP/IP
network configuration values and update or release the Dynamic Host Configuration Protocol
(DHCP) allocated leases. It is also used to display, register, or flush Domain Name System (DNS)
names.

Answer: C is incorrect. TRACERT is a route-tracing Windows utility that displays the path an IP
packet takes to reach the destination. It shows the Fully Qualified Domain Name (FQDN) and the
IP address of each gateway along the route to the remote host.

QUESTION NO: 43

John works as a professional Ethical Hacker. He is assigned a project to test the security of
www.we-are-secure.com. He is working on the Linux operating system. He wants to sniff the we-
are-secure network and intercept a conversation between two employees of the company through
session hijacking. Which of the following tools will John use to accomplish the task?

A.
IPChains

B.
Tripwire

C.
Hunt

D.
Ettercap

Answer: C
Explanation:

In such a scenario, John will use Hunt, which is capable of performing both hacking techniques:
sniffing and TCP session hijacking.

Answer: D is incorrect. Ettercap is a network sniffer and packet generator. It may be an option,
but John wants to do session hijacking as well, so he will not use Ettercap.

Answer: A is incorrect. ipchains is the Linux 2.2 packet-filtering (firewall) utility.

Answer: B is incorrect. Tripwire is a file and directory integrity checker.

QUESTION NO: 44

In which of the following CAATs (Computer Assisted Auditing Techniques) does an auditor
perform tests on computer files and databases?

A.
Parallel Simulation

B.
Generalized Audit Software (GAS)

C.
Test Data

D.
Custom Audit Software (CAS)

Answer: B
Explanation:

CAATs (Computer Assisted Auditing Techniques) are used to test application controls as well as
perform substantive tests on sample items. Following are the types of CAATs:

Generalized Audit Software (GAS): It allows the auditor to perform tests on computer files and
databases.

Custom Audit Software (CAS): It is generally written by auditors for specific audit tasks. CAS is
necessary when the organization's computer system is not compatible with the auditor's GAS or
when the auditor wants to conduct some testing that may not be possible with the GAS.

Test Data: The auditor uses test data for testing the application controls in the client's computer
programs. The auditor includes simulated valid and invalid test data, used to test the accuracy of
the computer system's operations. This technique can be used to check data validation controls
and error detection routines, processing logic controls, and arithmetic calculations, to name a few.

Parallel Simulation: The auditor must construct a computer simulation that mimics the client's
production programs.

Integrated Test Facility: The auditor enters test data along with actual data in a normal
application run.

QUESTION NO: 45

You are concerned about an attacker being able to get into your network. You want to make sure
that you are informed of any network activity that is outside normal parameters. What is the best
way to do this?

A.
Utilize protocol analyzers.

B.
Use performance monitors.

C.
Implement signature based antivirus.

D.
Implement an anomaly based IDS.

Answer: D
Explanation:

An anomaly-based Intrusion Detection System first learns what normal traffic looks like (a
baseline) and then raises an alert whenever activity departs from that baseline, which is exactly
the "outside normal parameters" notification the question asks for. Its weakness is the mirror
image of its strength: the baseline must be learned during a period that is genuinely clean, and
every legitimate change in traffic patterns shows up as an alert until it is re-learned.

Answer: C is incorrect. Signature-based antivirus matches known malicious files; it will not detect
an intruder's network activity.

Answer: B is incorrect. Performance monitors measure throughput and utilisation to find problems
such as bottlenecks, not intrusions.

Answer: A is incorrect. A protocol analyzer shows what traffic is crossing a particular network
segment, but it does not compare that traffic against a baseline or alert on deviations; someone
has to read the captures.
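The following Python script is an added example, not part of the exam text, showing the core of an anomaly-based detector. The log line format, the hosts and the traffic counts are all constructed for the example: the detector learns a per-host baseline of connections per minute from a quiet training window, then alerts on live minutes that fall far outside that baseline or on hosts the baseline has never seen.

```python
"""Added example (not from the exam text): the core of an anomaly-based
detector run over constructed firewall-style log lines.

Baseline: per source host, the median and MAD (median absolute deviation) of
connections per minute over a quiet training window. Median/MAD are used
instead of mean/stddev so one noisy training minute cannot stretch the band.
Live minutes more than k MADs above the median, or hosts never seen while
baselining, produce alerts. Log format and all data are made up for the example.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format: "<minute> <source ip> -> <destination port>"
LOG_LINE = re.compile(r"^(?P<minute>\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<port>\d+)$")


def parse(lines):
    """Turn log lines into (minute, src, port) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((int(m["minute"]), m["src"], int(m["port"])))
    return events


def connections_per_host_minute(events):
    counts = Counter()
    for minute, src, _port in events:
        counts[(src, minute)] += 1
    return counts


def build_baseline(events):
    """Per host: (median, MAD) of connections per minute."""
    samples = defaultdict(list)
    for (src, _minute), n in connections_per_host_minute(events).items():
        samples[src].append(n)
    baseline = {}
    for src, values in samples.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        baseline[src] = (med, max(mad, 1.0))  # floor the spread so a flat host still has a band
    return baseline


def detect(events, baseline, k=5.0):
    """Return (minute, src, count, reason) for every host-minute outside the baseline."""
    alerts = []
    for (src, minute), n in sorted(connections_per_host_minute(events).items()):
        if src not in baseline:
            alerts.append((minute, src, n, "host never seen during baselining"))
            continue
        med, mad = baseline[src]
        if n > med + k * mad:
            alerts.append((minute, src, n, f"{n}/min vs baseline {med:g} (+/- {mad:g} MAD)"))
    return alerts


def training_lines():
    """Ten quiet minutes for two known hosts (constructed)."""
    usual = {"10.0.0.5": [5, 6, 5, 7, 6, 5, 6, 5, 6, 5],
             "10.0.0.9": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3]}
    lines = []
    for src, per_minute in usual.items():
        for minute, n in enumerate(per_minute):
            lines += [f"{minute} {src} -> 443"] * n
    return lines


def live_lines():
    """Two live minutes (constructed): normal traffic, then 10.0.0.5 sweeps 60 ports
    and an unknown host appears. One malformed line is included on purpose."""
    lines = ["20 10.0.0.5 -> 443"] * 6 + ["20 10.0.0.9 -> 443"] * 2
    lines += [f"21 10.0.0.5 -> {port}" for port in range(1, 61)]
    lines += ["21 10.0.0.77 -> 22", "this line is not a log record"]
    return lines


def run():
    """Learn the baseline from the training window and score the live window."""
    baseline = build_baseline(parse(training_lines()))
    return baseline, detect(parse(live_lines()), baseline)


if __name__ == "__main__":
    baseline, alerts = run()
    for src, (med, mad) in sorted(baseline.items()):
        print(f"baseline {src}: median {med:g}/min, MAD {mad:g}")
    for minute, src, n, reason in alerts:
        print(f"ALERT minute {minute} {src}: {reason}")
```

The port sweep is caught by the rate band and the unknown host by the "never seen" rule; the malformed line is dropped by the parser rather than crashing the detector, which is the failure mode a production sensor must survive.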

QUESTION NO: 46

Which of the following is a technique for creating Internet maps? (Choose two.)

A.
AS PATH Inference

B.
Object Relational Mapping

C.
Active Probing

D.
Network Quota

Answer: A,C
Explanation:

There are two prominent techniques used today for creating Internet maps:

Active probing: works on the data plane. Probes (traceroute-style) are sent across the network
and the router-level topology is inferred from the adjacencies they reveal.

AS PATH inference: works on the control plane. Autonomous-system connectivity is inferred from the
AS paths carried in BGP routing data.

QUESTION NO: 47

Which of the following statements are true about data aggregation?

A.
A common aggregation purpose is to get more information about particular groups based on
specific variables.

B.
Data aggregation cannot be user-based.

C.
Data aggregation is any process in which information is gathered and expressed in a summary
form.

D.
Online analytic processing (OLAP) is a simple type of data aggregation.

Answer: A,C,D
Explanation:

Data aggregation is any process in which information is gathered and expressed in a summary
form, for purposes such as statistical analysis. A common aggregation purpose is to get more
information about particular groups based on specific variables such as age, profession, or
income. The information about such groups can then be used for Web site personalization to
choose content and advertising likely to appeal to an individual belonging to one or more groups
for which data has been collected. For example, a site that sells music CDs might advertise certain
CDs based on the age of the user and the data aggregate for their age group. Online analytic
processing (OLAP) is a simple type of data aggregation in which the marketer uses an online
reporting mechanism to process the information.

Answer: B is incorrect. Data aggregation can be user-based. Personal data aggregation services
offer the user a single point for collection of their personal information from other Web sites. The
customer uses a single master personal identification number (PIN) to give them access to their
various accounts (such as those for financial institutions, airlines, book and music clubs, and so
on). Performing this type of data aggregation is sometimes referred to as "screen scraping."

QUESTION NO: 48

You have just installed a Windows 2003 server. What action should you take regarding the default
shares?

A.
Disable them only if this is a domain server.

B.
Disable them.

C.
Make them hidden shares.

D.
Leave them, as they are needed for Windows Server operations.

Answer: B
Explanation:

Default shares should be disabled unless they are absolutely needed. The administrative shares
that Windows Server creates automatically (C$ and the other drive roots, ADMIN$ for the system
directory, IPC$ for named-pipe access) give anyone holding administrative credentials a ready-made
path onto the machine over SMB, and they are a routine target for password guessing and lateral
movement. On a server the automatic C$ and ADMIN$ shares are suppressed by setting the
AutoShareServer value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0;
IPC$ is recreated by the Server service and is dealt with by restricting anonymous access instead.

Answer: A is incorrect. Whether this is a domain controller, a DHCP server, a file server, or a
database server does not change the exposure created by the default shares.

Answer: C is incorrect. The default shares already end in $, which hides them from network
browsing, and their names are known to every attacker; hiding a share is not a security control.

Answer: D is incorrect. They are not required for normal Windows Server operation, although some
remote-management tools rely on ADMIN$ and C$, so check before removing them.

QUESTION NO: 49

Which of the following controls define the direction and behavior required for technology to
function properly?

A.
Detailed IS controls

B.
General controls

C.
Application controls

D.
Pervasive IS controls

Answer: D
Explanation:

Pervasive IS controls are a subset of general controls that contains some extra definitions
focusing on the management of monitoring a specific technology. A pervasive order or control
determines the direction and behavior required for technology to function properly. The pervasive
control permeates the area by using a greater depth of control integration over a wide area of
influence.

Answer: B is incorrect. General controls are the parent class of controls that governs all areas of a
business. An example of general controls includes the separation duties that prevent employees
from writing their own paychecks and creating accurate job descriptions. General controls define
the structure of an organization, establish HR policies, monitor workers and the work environment,
as well as support budgeting, auditing, and reporting.

Answer: A is incorrect. Detailed IS controls are controls used for manipulating the on-going tasks
in an organization. Some of the specific tasks require additional detailed controls to ensure that
the workers perform their job correctly. These controls refer to some specific tasks or steps to be
performed such as:

The way system security parameters are set.

How input data is verified before being accepted into an application.

How to lock a user account after unsuccessful logon attempts.

How the department handles acquisitions, security, delivery, implementation, and support of IS
services.

Answer: C is incorrect. Application controls are embedded in programs and form the lowest subset
in the control family. An activity passes through the general controls, then the pervasive and
detailed controls, before reaching the application controls level; the higher-level categories
help protect the integrity of the applications and their data. Management is responsible for
having applications tested before production through a recognized test method; the goal of that
test is to certify that each system meets its requirements.

QUESTION NO: 50

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to see the list of the filesystems mounted automatically at startup by the mount -a
command in the /etc/rc startup file. Which of the following Unix configuration files can you use to
accomplish the task?

A.
/etc/named.conf

B.
/etc/groups

C.
/etc/mtab

D.
/etc/fstab

Answer: D
Explanation:

In Unix, /etc/fstab is the static filesystem table that system administrators maintain to list the
filesystems mounted automatically at startup by the mount -a command (in /etc/rc or its equivalent
startup file). Each line gives the device, mount point, filesystem type, mount options, dump flag and
fsck pass number; from an audit standpoint the options field is the interesting one, since it records
whether a filesystem is mounted nodev, nosuid, noexec or read-only.

Answer: C is incorrect. In Unix, /etc/mtab contains the list of currently mounted filesystems. It is
written by the boot scripts and updated by the mount and umount commands (on most modern Linux
distributions it is a symbolic link to /proc/self/mounts), so it reflects the present state rather
than what is configured to mount at boot.

Answer: A is incorrect. In Unix, /etc/named.conf is the configuration file of the BIND domain name
server.

Answer: B is incorrect. The group database is /etc/group (the option's spelling is as printed). Each
line holds a group name, an optional group password field, the numeric GID and the list of members;
it does not list filesystems.
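An auditor rarely stops at knowing which file lists the boot-time mounts; the question is whether the mounts carry the hardening options the baseline expects. The following Python script is an added example (not part of the exam material): it parses fstab-style text and reports each mount point whose effective options fall short of a policy. The sample fstab, the per-mount-point policy and the removable-media rule are constructed for the demonstration. The one subtlety it handles is that mount(8) treats the user option as implying noexec, nosuid and nodev unless a later exec, suid or dev overrides them, so a naive string search of the options field gives wrong answers in both directions.

```python
"""Audit an /etc/fstab for the mount options a hardening baseline expects.

Added example, not part of the exam material. The fstab text and the
per-mount-point policy below are constructed for the demonstration.
"""

# Assumed policy: options that should be present on each mount point.
EXPECTED_OPTIONS = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev", "nosuid"},
    "/var": {"nodev"},
}
# Options we also expect on anything an unprivileged user may mount.
USER_MOUNT_OPTIONS = {"nodev", "nosuid", "noexec"}
# Entry types the policy does not apply to.
SKIP_TYPES = {"swap", "proc", "sysfs", "devpts"}

# Constructed sample; UUIDs and devices are placeholders.
SAMPLE_FSTAB = """\
# <device>        <mount point>  <type>   <options>               <dump> <pass>
UUID=0f1a-root    /              ext4     defaults                1 1
UUID=2b3c-home    /home          ext4     defaults,nodev,nosuid   1 2
UUID=4d5e-tmp     /tmp           ext4     defaults,nodev          1 2
UUID=6f7a-var     /var           xfs      defaults                0 0
UUID=8b9c-swap    none           swap     sw                      0 0
/dev/sdb1         /media/usb     vfat     user,noauto             0 0
/dev/sr0          /media/cdrom   iso9660  user,exec,noauto        0 0
"""


def effective_options(option_list):
    """Expand the options mount(8) actually applies.

    'user' and 'users' imply noexec,nosuid,nodev unless a later 'exec',
    'suid' or 'dev' overrides them, so the raw option string alone is
    not what the kernel ends up enforcing.
    """
    effective = set()
    for opt in option_list:
        if opt in ("user", "users"):
            effective |= {"noexec", "nosuid", "nodev"}
        elif opt == "exec":
            effective.discard("noexec")
        elif opt == "suid":
            effective.discard("nosuid")
        elif opt == "dev":
            effective.discard("nodev")
        effective.add(opt)
    return effective


def parse_fstab(text):
    """Return one dict per non-comment fstab entry, with effective options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed; mount -a would complain about it too
        entries.append({
            "device": fields[0],
            "mount": fields[1],
            "type": fields[2],
            "options": effective_options(fields[3].split(",")),
        })
    return entries


def audit_fstab(text, policy=EXPECTED_OPTIONS):
    """Return {mount_point: sorted missing options} for every violation."""
    findings = {}
    for entry in parse_fstab(text):
        if entry["type"] in SKIP_TYPES:
            continue
        opts = entry["options"]
        wanted = set(policy.get(entry["mount"], ()))
        if "user" in opts or "users" in opts:
            wanted |= USER_MOUNT_OPTIONS
        missing = sorted(wanted - opts)
        if missing:
            findings[entry["mount"]] = missing
    return findings


if __name__ == "__main__":
    for mount, missing in audit_fstab(SAMPLE_FSTAB).items():
        print(f"{mount}: missing {','.join(missing)}")
```

On a live system the same function can be fed open("/etc/fstab").read(), and the result compared against /proc/self/mounts to catch filesystems that were remounted by hand with weaker options than fstab declares.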

QUESTION NO: 51

Which of the following terms related to risk management represents the estimated frequency at
which a threat is expected to occur?

A.
Single Loss Expectancy (SLE)

B.
Annualized Rate of Occurrence (ARO)

C.
Exposure Factor (EF)
D.
Safeguard

Answer: B
Explanation:

The Annualized Rate of Occurrence (ARO) is the estimated number of times a given threat is expected
to occur in one year. It is derived from the probability of the event, usually from historical
frequency: an event expected once every ten years has an ARO of 0.1, one expected monthly an ARO of
12. ARO is multiplied by the Single Loss Expectancy to give the Annualized Loss Expectancy
(ALE = SLE x ARO), the figure against which the yearly cost of a countermeasure is compared.

Answer: C is incorrect. The Exposure Factor (EF) is the percentage of an asset's value that is lost
when a threat is realized. The EF is required to calculate the Single Loss Expectancy (SLE).

Answer: A is incorrect. The Single Loss Expectancy (SLE) is the monetary loss assigned to a single
occurrence of an event: SLE = Asset Value ($) x Exposure Factor (EF).

Answer: D is incorrect. A safeguard is a countermeasure that reduces the risk associated with a
specific threat or a group of threats; it is what the analysis selects, not a measure of frequency.

QUESTION NO: 52

An executive in your company reports odd behavior on her PDA. After investigation you discover
that a trusted device is actually copying data off the PDA. The executive tells you that the behavior
started shortly after accepting an e-business card from an unknown person. What type of attack is
this?

A.
Session Hijacking

B.
Bluesnarfing

C.
Privilege Escalation

D.
PDA Hijacking

Answer: B
Explanation:

Bluesnarfing is the unauthorized access to, and copying of, information (address book, calendar,
messages, files) from a Bluetooth-enabled device. A common way in is to get the PDA to accept the
attacker's device as a trusted (paired) device, for example by sending it an electronic business
card; once trusted, the attacker's device can pull data off the PDA without the user noticing. It is
distinct from bluebugging, in which the attacker takes control of the device rather than just reading
from it.


QUESTION NO: 53

You work as the Project Engineer for XYZ CORP. The company has a Unix-based network. Your
office consists of one server, seventy client computers, and one print device. You raise a request
for printing a confidential page. After 30 minutes, you find that your print request job is not
processed and is at the seventh position in the printer queue. You analyze that it shall take
another one hour to print. You decide to remove your job from the printer queue and get your page
printed outside the office.

Which of the following Unix commands can you use to remove your job from the printer queue?

A.
tunelp

B.
pr

C.
lprm

D.
gs

Answer: C
Explanation:

The basic Unix printing commands are as follows:

banner: It is used to print a large banner on a printer.

lpr: It is used to submit a job to the printer.

lpc: It enables one to check the status of the printer and set its state.

lpq: It shows the contents of a spool directory for a given printer.

lprm: It is used to remove a job from the printer queue.

gs: It works as a PostScript interpreter.

pr: It paginates and formats a text file for printing; it does not itself submit the job.

tunelp: It is used to set various parameters for the lp device.

QUESTION NO: 54

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to run a command that forces all the unwritten blocks in the buffer cache to be written to
the disk. Which of the following Unix commands can you use to accomplish the task?

A.
swapon

B.
tune2fs

C.
swapoff

D.
sync

Answer: D
Explanation:

The sync command is used to flush filesystem buffers. It ensures that all disk writes have been
completed before the processor is halted or rebooted. Generally, it is preferable to use reboot or
halt to shut down a system, as they may perform additional actions such as resynchronizing the
hardware clock and flushing internal caches before performing a final sync.

Answer: B is incorrect. In Unix, the tune2fs command adjusts tunable parameters on ext2, ext3 and
ext4 filesystems.

Answer: A is incorrect. In Unix, the swapon command is used to activate a swap partition.

Answer: C is incorrect. In Unix, the swapoff command is used to de-activate a swap partition.

QUESTION NO: 55

You work as a Network Administrator for Infonet Inc. The company's network has an FTP server.
You want to secure the server so that only authorized users can access it. What will you do to
accomplish this?

A.
Disable anonymous authentication.

B.
Stop the FTP service on the server.

C.
Disable the network adapter on the server.

D.
Enable anonymous authentication.

Answer: A
Explanation:

Disabling anonymous authentication means that only users who present valid credentials can log in,
which is what the question asks for. Anonymous authentication (anonymous access) lets a client
connect to a Web or FTP server without providing a username and password (the FTP convention is the
user name anonymous with an e-mail address as the password); it exists to give unknown users access
to public directories and is therefore inappropriate for a server that should be restricted. Note
that plain FTP sends the user name and password in cleartext, so restricting who may log in does
not protect the credentials on the wire; where authorized-only access really matters, an FTPS (FTP
over TLS) or SFTP service should be preferred.

Answer: D is incorrect. Enabling anonymous authentication will allow all the users to access the
server.

Answer: B is incorrect. Stopping the FTP service on the server will prevent all the users from
accessing the FTP server.

Answer: C is incorrect. Disabling the network adapter on the FTP server will disconnect the server
from the network.

QUESTION NO: 56

Which of the following statements about a perimeter network are true? (Choose three)

A.
It has a connection to the Internet through an external firewall and a connection to an internal
network through an interior firewall.

B.
It has a connection to a private network through an external firewall and a connection to an
internal network through an interior firewall.

C.
It is also known as a demilitarized zone or DMZ.

D.
It prevents access to the internal corporate network for outside users.

Answer: A,C,D

Explanation:

A perimeter network, also known as a demilitarized zone or DMZ, is a small network that lies in
between the Internet and a private network. It has a connection to the Internet through an external
firewall and a connection to the internal network through an interior firewall. It allows outside users
access to the specific servers located in the perimeter network while preventing access to the
internal corporate network. Servers, routers, and switches that maintain security by preventing the
internal network from being exposed on the Internet are placed in a perimeter network. A
perimeter network is commonly used for deploying e-mail and Web servers for a company.

QUESTION NO: 57

John works as a Network Administrator for We-are-secure Inc. The We-are-secure server is based
on Windows Server 2003. One day, while analyzing the network security, he receives an error
message that Kernel32.exe is encountering a problem. Which of the following steps should John
take as a countermeasure to this situation?

A.
He should download the latest patches for Windows Server 2003 from the Microsoft site, so that
he can repair the kernel.

B.
He should restore his Windows settings.

C.
He should observe the process viewer (Task Manager) to see whether any new process is running
on the computer or not. If any new malicious process is running, he should kill that process.

D.
He should upgrade his antivirus program.

Answer: C,D
Explanation:

An error message naming Kernel32.exe is itself the clue: the legitimate Windows component is the
library Kernel32.dll, and Windows ships no executable called Kernel32.exe. A process by that name is
almost certainly malware using a look-alike name, so John should update his antivirus program and
scan the server. Because such malware usually runs in stealth mode, he should also examine the
process viewer (Task Manager) for any new or unexpected process and, if he finds a malicious one,
terminate it.

Answer: A, B are incorrect. Since Kernel32.exe is not a genuine Windows kernel file, downloading
patches from the Microsoft site or restoring Windows settings will neither repair the kernel nor
remove the malware.
Note: Such error messages can be received if the computer is infected with malware, such as
Worm_Badtrans.b, Backdoor.G_Door, Glacier Backdoor, Win32.Badtrans.29020, etc.

QUESTION NO: 58

In addition to denying and granting access, what other services does a firewall support?

A.
Network Address Translation (NAT)

B.
Secondary connections

C.
Control Internet access based on keyword restriction

D.
Data caching

Answer: A,C,D
Explanation:

A firewall is a tool to provide security to a network. It is used to protect an internal network or
intranet against unauthorized access from the Internet or other outside networks. It restricts
inbound and outbound access and can analyze all traffic between an internal network and the
Internet. Users can configure a firewall to pass or block packets from specific IP addresses and
ports. Firewalls often have network address translation (NAT) functionality: the hosts protected
behind a firewall commonly have addresses in the private address range, and NAT hides the true
addresses of those hosts. Administrators also use firewalls to control Internet access based on
keyword restriction. Some proxy firewalls can cache data so that clients can access frequently
requested data from the local cache instead of using the Internet connection to request it, which
cuts down on unnecessary bandwidth consumption.

Answer: B is incorrect. Secondary connections are not a firewall service but a problem for it: when
employees make alternate connections to the Internet for their personal use (a modem, a personal
hotspot), that traffic bypasses the firewall entirely and the firewall no longer protects the network.

QUESTION NO: 59
Which of the following are the goals of risk management? (Choose three)

A.
Identifying the risk

B.
Assessing the impact of potential threats

C.
Finding an economic balance between the impact of the risk and the cost of the countermeasure

D.
Identifying the accused

Answer: A,B,C
Explanation:

There are three goals of risk management:

Identifying the risk

Assessing the impact of potential threats

Finding an economic balance between the impact of the risk and the cost of the countermeasure

Answer: D is incorrect. Identifying the accused is an investigative or legal task and does not come
under the scope of risk management.
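The risk figures defined in QUESTION NO: 51 (EF, SLE, ARO) are what make the third goal above, the economic balance between impact and countermeasure cost, a calculation rather than a judgment call. The Python below is an added example (not part of the exam material) that carries the formulas through: SLE = AV x EF, ALE = SLE x ARO, and the net annual value of a safeguard, ALE before minus ALE after minus the safeguard's own yearly cost. The asset value, exposure factors, rates and safeguard costs are constructed illustrations, not measurements, and the candidate safeguards are hypothetical. It also shows the case the balance is meant to catch: a control that costs more per year than the loss it prevents.

```python
"""Quantitative risk figures: SLE, ALE and safeguard cost/benefit.

Added example, not part of the exam material. All monetary values,
exposure factors, rates and safeguard costs are constructed.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF. EF is the fraction (0..1) of the asset's value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. An ARO below 1 means the event is expected less than yearly."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Net annual value of a safeguard: ALE(before) - ALE(after) - annual cost.

    A safeguard may lower the loss per event (EF), the frequency (ARO), or both.
    A negative result means the control costs more per year than it saves.
    """
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_after), aro_after)
    return ale_before - ale_after - annual_cost


def choose_safeguard(asset_value, ef_before, aro_before, candidates):
    """Return (name, net value) of the best candidate with a positive net value.

    candidates maps a name to (ef_after, aro_after, annual_cost). If no
    candidate pays for itself the result is (None, 0.0): accepting the risk
    is then the economically correct choice.
    """
    best_name, best_value = None, 0.0
    for name, (ef_after, aro_after, cost) in candidates.items():
        value = safeguard_value(asset_value, ef_before, aro_before,
                                ef_after, aro_after, cost)
        if value > best_value:
            best_name, best_value = name, value
    return best_name, best_value


if __name__ == "__main__":
    # Constructed scenario: a $200,000 customer database; a ransomware event is
    # expected to destroy 60% of its value about once every two years.
    av, ef, aro = 200_000, 0.60, 0.5
    sle = single_loss_expectancy(av, ef)
    print("SLE =", sle, "ALE =", annualized_loss_expectancy(sle, aro))
    # Hypothetical safeguards: (EF after, ARO after, annual cost).
    options = {
        "offline backups": (0.10, 0.5, 8_000),    # loss per event drops
        "EDR and hardening": (0.60, 0.1, 25_000),  # frequency drops
        "outsourced SOC": (0.05, 0.05, 90_000),    # costs more than the whole ALE
    }
    print("best safeguard:", choose_safeguard(av, ef, aro, options))
```

In the constructed scenario the SLE is $120,000 and the ALE $60,000; the backups option nets $42,000 a year, the EDR option $23,000, and the SOC option is negative, so it would be rejected even though it reduces the risk the most.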

QUESTION NO: 60

Ryan wants to create an ad hoc wireless network so that he can share some important files with
another employee of his company. Which of the following wireless security protocols should he
choose for setting up an ad hoc wireless network? (Choose two.)

A.
WPA2 -EAP

B.
WPA-PSK

C.
WEP

D.
WPA-EAP

Answer: B,C
Explanation:

Of the options listed, only WEP and WPA-PSK can secure an ad hoc (peer-to-peer) wireless network,
because both rely on a key shared directly between the stations. WEP is included only because the
exam asks which protocols can be configured for an ad hoc network; its RC4 keying is
cryptographically broken and should not be used in practice, so WPA-PSK (or, where both devices
support it, WPA2-PSK) is the real choice.

Answer: A is incorrect. WPA2-EAP cannot be chosen for an ad hoc wireless network, as it requires an
802.1X authentication server, typically RADIUS (Remote Authentication Dial-In User Service), and an
ad hoc network has no infrastructure to provide one.

Answer: D is incorrect. WPA-EAP cannot be chosen for an ad hoc wireless network for the same reason:
it requires a RADIUS server for authentication.

QUESTION NO: 61

Which of the following mechanisms is closely related to authorization?

A.
Sending secret data such as credit card information.

B.
Allowing access to a particular resource.

C.
Verifying username and password.

D.
Sending data so that no one can alter it on the way.

Answer: B
Explanation:

Authorization is the process of deciding whether an authenticated user has permission to access a
particular resource, which is the mechanism described in option B. A Web server, for example, can
restrict some of its resources to clients that have logged in with a recognized username and
password, and then checks each request against what that identity is allowed to do. Authorization
therefore presupposes authentication: to be authorized, a user must first be authenticated.

Answer: C is incorrect. Verifying a username and password describes authentication, the process of
establishing the identity of a user. The credentials presented are compared with those held by the
authentication service (a local database, a directory or a dedicated authentication server).

Answer: D is incorrect. Sending data so that no one can alter it on the way describes data
integrity, the property that data is not modified between source and destination: the data received
must be exactly what was sent, which is typically enforced with a message authentication code or a
digital signature.

Answer: A is incorrect. Sending secret data such as credit card information describes
confidentiality, the property that only the intended, authorized recipients can read the data. The
data is encrypted so that an unauthorized party who obtains it cannot make sense of it.


QUESTION NO: 62

An auditor assesses the database environment before beginning the audit. This includes various
key tasks that should be performed by an auditor to identify and prioritize the users, data,
activities, and applications to be monitored. Which of the following tasks need to be performed by
the auditor manually?

A.
Classifying data risk within the database systems

B.
Monitoring data changes and modifications to the database structure, permission and user
changes, and data viewing activities

C.
Analyzing access authority

D.
Archiving, analyzing, reviewing, and reporting of audit information

Answer: A,C
Explanation:

The Internal Audit Association lists the following as key components of a database audit:

Create an inventory of all database systems and use classifications. This should include
production and test data. Keep it up-to-date.

Classify data risk within the database systems. Monitoring should be prioritized for high, medium,
and low risk data.

Implement an access request process that requires database owners to authorize the "roles"
granted to database accounts (roles as in Role Based Access and not the native database roles).

Analyze access authority. Users with higher degrees of access permission should be under higher
scrutiny, and any account whose access has been suspended should be monitored to ensure that access
is in fact denied and that any attempts are identified.

Assess application coverage. Determine what applications have built-in controls, and prioritize
database auditing accordingly. All privileged user access must have audit priority. Legacy and
custom applications are the next highest priority to consider, followed by the packaged
applications.

Ensure technical safeguards. Make sure access controls are set properly.

Audit the activities. Monitor data changes and modifications to the database structure, permission
and user changes, and data viewing activities. Consider using network-based database activity
monitoring appliances instead of native database audit trails.

Archive, analyze, review, and report audit information. Reports to auditors and IT managers must
communicate relevant audit information, which can be analyzed and reviewed to determine if
corrective action is required. Organizations that must retain audit data for long-term use should
archive this information with the ability to retrieve relevant data when needed.

The first five steps listed are to be performed by the auditor manually.

Answers B, D are incorrect. These tasks are best achieved by using an automated solution.

QUESTION NO: 63

Which of the following statements about session tracking is true?

A.
When using cookies for session tracking, there is no restriction on the name of the session
tracking cookie.

B.
When using cookies for session tracking, the name of the session tracking cookie must be
jsessionid.

C.
A server cannot use cookie as the basis for session tracking.

D.
A server cannot use URL rewriting as the basis for session tracking.

Answer: B
Explanation:

When a servlet container uses cookies for session tracking, the Java Servlet specification fixes the
cookie's name as JSESSIONID (Servlet 3.0 and later allow an application to rename it through
SessionCookieConfig, but JSESSIONID is the required default and the answer the exam expects). The
container generates the session ID, creates the cookie object, stores the ID in it and sends it with
the response as a Set-Cookie header. Cookies are not the only mechanism: when the client does not
accept cookies, the container can fall back to URL rewriting and append the ID to links as a
;jsessionid=... path parameter, which is why C and D are false. Because the session ID is the
credential for the whole session, an auditor checks that the cookie is marked Secure and HttpOnly
and that URL rewriting is disabled where possible, since an ID in a URL leaks through Referer
headers, proxy logs and bookmarks.
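The two session-tracking mechanisms the question contrasts have different audit concerns: a cookie can be checked for its name and protective attributes, while URL rewriting can be checked for by looking for the session ID in links. The Python below is an added example (not servlet-container code and not part of the exam material) that does both on constructed input. The Set-Cookie headers and the HTML fragment are made up, and the attribute policy (Secure, HttpOnly, SameSite Lax or Strict, no persistence, a minimum ID length) is an assumption about what a Web application audit would expect.

```python
"""Session-tracking hygiene: the JSESSIONID cookie and URL rewriting.

Added example, not part of the exam material and not servlet-container code.
The Set-Cookie headers and HTML fragment below are constructed; the attribute
policy is an assumption about what an audit expects.
"""
import re

# Containers fall back to ';jsessionid=...' path parameters when the client
# does not accept cookies; that string then leaks via Referer headers,
# proxy logs and copied links.
URL_SESSION_RE = re.compile(r";jsessionid=([A-Za-z0-9._-]+)", re.IGNORECASE)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, expected_name="JSESSIONID"):
    """Return a list of findings for a session cookie; an empty list means clean."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if name != expected_name:
        findings.append(f"cookie name is {name!r}, expected {expected_name!r}")
    if len(value) < 16:
        findings.append("session identifier is short enough to guess")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by script (XSS theft)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie sent on cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: session survives browser close")
    return findings


def find_url_session_ids(document):
    """Return every session identifier that was rewritten into a URL."""
    return URL_SESSION_RE.findall(document)


# Constructed responses from a hypothetical application.
WEAK_HEADER = "JSESSIONID=5F3A9C1B7D2E4F6A8B0C1D2E3F4A5B6C; Path=/app"
GOOD_HEADER = ("JSESSIONID=5F3A9C1B7D2E4F6A8B0C1D2E3F4A5B6C; Path=/app; "
               "Secure; HttpOnly; SameSite=Lax")
REWRITTEN_PAGE = (
    '<a href="/app/cart;jsessionid=5F3A9C1B7D2E4F6A8B0C1D2E3F4A5B6C">Cart</a>\n'
    '<a href="/app/help">Help</a>\n'
)

if __name__ == "__main__":
    for finding in audit_session_cookie(WEAK_HEADER):
        print("WEAK:", finding)
    print("GOOD:", audit_session_cookie(GOOD_HEADER) or "no findings")
    print("IDs leaked into URLs:", find_url_session_ids(REWRITTEN_PAGE))
```

Run against a real application, the headers would come from the response to the login request and the document from any page fetched with cookies disabled; a non-empty result from find_url_session_ids means the container is still willing to fall back to URL rewriting.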

QUESTION NO: 64
The SALES folder has a file named XFILE.DOC that contains critical information about your
company. This folder resides on an NTFS volume. The company's Senior Sales Manager asks
you to provide security for that file. You make a backup of that file and keep it in a locked
cupboard, and then you deny access on the file for the Sales group. John, a member of the Sales
group, accidentally deletes that file. You have verified that John is not a member of any other
group. Although you restore the file from backup, you are confused how John was able to delete
the file despite having no access to that file. What is the most likely cause?

A.
The Sales group has the Full Control permission on the SALES folder.

B.
The DenyAccess permission does not restrict the deletion of files.

C.
John is a member of another group having the Full Control permission on that file.

D.
The Deny Access permission does not work on files.

Answer: A
Explanation:

NTFS evaluates the permissions on a file and on its parent folder separately. Deleting a file is
permitted either by the Delete permission on the file itself or by the Delete Subfolders and Files
permission on the containing folder, and Full Control on a folder includes the latter. So even
though John is denied access to XFILE.DOC, Full Control on the SALES folder lets him delete it. The
fix is to remove Full Control (or at least Delete Subfolders and Files) from the Sales group on the
folder, not only to deny access on the file.

Answer: C is incorrect. An explicit Deny entry overrides Allow entries when permissions conflict, and
the question clearly states that John is not a member of any other group.

Answer: B, D are incorrect. The Deny permission does apply to files; it simply does not control a
deletion that is authorized by the parent folder's permissions.

QUESTION NO: 65

Adam works on a Linux system. He is using Sendmail as the primary application to transmit e-
mails. Linux uses Syslog to maintain logs of what has occurred on the system. Which of the
following log files contains e-mail information such as source and destination IP addresses, date
and time stamps etc?

A.
/var/log/mailog

B.

/var/log/logmail

C.
/log/var/mailog

D.
/log/var/logd

Answer: A
Explanation:

The mail log (conventionally /var/log/maillog on Red Hat-derived systems and /var/log/mail.log on
Debian-derived ones; the option as printed drops an "l") records, for each message, the source and
destination hosts and IP addresses, date and time stamps, the envelope sender and recipient
addresses, the message ID and the delivery status. These fields can be compared with the headers of
a suspect e-mail. Linux uses Syslog to maintain logs of what has occurred on the system; the
configuration file /etc/syslog.conf (or rsyslog.conf) determines where the Syslog daemon sends each
facility, and the mail facility's line in that file gives the path of the mail log. Sendmail writes
at least two records per message under the same queue ID, one from= record and one to= record per
delivery attempt, so the sender and recipients of a message have to be joined on that ID.

Answer: B, C, D are incorrect. None of these paths is a log file that Syslog or Sendmail creates.
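Reading a Sendmail log by eye is slow because the sender and the recipients of one message sit on different lines. The Python below is an added example (not part of the exam material) that parses syslog-formatted Sendmail records, joins the from= and to= records of each message on the queue ID, extracts the relay IP addresses, and then asks two questions an investigator would ask: which messages bounced with a permanent (5.x.x) DSN, and which messages came from a given source IP. The six log lines are constructed; the hostnames, addresses and IPs are documentation values.

```python
"""Correlate Sendmail log records by queue ID.

Added example, not part of the exam material. The log lines below are
constructed; hostnames, addresses and IP addresses are documentation values.
"""
import re

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<body>.*)$"
)
RELAY_IP_RE = re.compile(r"\[([0-9.]+)\]")   # relay=host.example [192.0.2.1]
ADDR_RE = re.compile(r"<([^>]*)>")           # from=<a@b>, to=<c@d>,<e@f>

SAMPLE_LOG = [
    "Jan 10 09:15:02 mail sendmail[2345]: q0A9F2Ab002345: from=<alice@example.com>, size=2048, class=0, nrcpts=1, msgid=<20250110091501.AB12@example.com>, proto=ESMTP, daemon=MTA, relay=ws17.example.com [192.0.2.17]",
    "Jan 10 09:15:03 mail sendmail[2346]: q0A9F2Ab002345: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32048, relay=mx.example.org. [198.51.100.25], dsn=2.0.0, stat=Sent (OK id=1abc)",
    "Jan 10 09:16:40 mail sendmail[2350]: q0A9GeZc002350: from=<root@mail.example.com>, size=512, class=0, nrcpts=2, msgid=<20250110091640.CD34@mail.example.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]",
    "Jan 10 09:16:41 mail sendmail[2351]: q0A9GeZc002350: to=<carol@example.net>,<dave@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=60512, relay=mx.example.net. [203.0.113.9], dsn=2.0.0, stat=Sent",
    "Jan 10 09:20:11 mail sendmail[2360]: q0A9KBxy002360: from=<eve@attacker.example>, size=99000, class=0, nrcpts=1, msgid=<x1@attacker.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.77]",
    "Jan 10 09:20:12 mail sendmail[2361]: q0A9KBxy002360: to=<victim@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=129000, dsn=5.1.1, stat=User unknown",
]


def parse_fields(body):
    """Turn 'from=<a@b>, size=2048, stat=Sent (OK)' into a dict."""
    fields = {}
    for part in body.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def correlate(lines):
    """Join the from= and to= records of each message on its queue ID."""
    messages = {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a Sendmail record (other daemons share the log)
        rec = messages.setdefault(m["qid"], {
            "time": m["ts"], "sender": None, "source_ip": None, "msgid": None,
            "recipients": [], "dest_ip": None, "dsn": None, "status": None})
        f = parse_fields(m["body"])
        relay_ip = RELAY_IP_RE.search(f.get("relay", ""))
        if "from" in f:
            addrs = ADDR_RE.findall(f["from"])
            rec["sender"] = addrs[0] if addrs else f["from"]  # from=<> is a bounce
            rec["source_ip"] = relay_ip.group(1) if relay_ip else None
            rec["msgid"] = f.get("msgid")
        elif "to" in f:
            rec["recipients"].extend(ADDR_RE.findall(f["to"]))
            rec["dest_ip"] = relay_ip.group(1) if relay_ip else None
            rec["dsn"] = f.get("dsn")
            rec["status"] = f.get("stat")
    return messages


def permanent_failures(messages):
    """Queue IDs with a 5.x.x DSN: bounces, and a clue to address harvesting."""
    return sorted(q for q, r in messages.items() if (r["dsn"] or "").startswith("5"))


def messages_from_ip(messages, ip):
    """Queue IDs of messages that arrived from the given relay IP."""
    return sorted(q for q, r in messages.items() if r["source_ip"] == ip)


if __name__ == "__main__":
    msgs = correlate(SAMPLE_LOG)
    for qid, r in msgs.items():
        print(qid, r["sender"], r["source_ip"], "->", r["recipients"], r["status"])
    print("permanent failures:", permanent_failures(msgs))
    print("from 203.0.113.77:", messages_from_ip(msgs, "203.0.113.77"))
```

Fed the real file with open("/var/log/maillog"), the same correlate() output lets an investigator match a suspicious message's Message-ID header to the queue ID and the relay that injected it.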

QUESTION NO: 66

You work as a Java Programmer for JavaSkills Inc. You are working with the Linux operating
system. Nowadays, when you start your computer, you notice that your OS is taking more time to
boot than usual. You discuss this with your Network Administrator. He suggests that you mail him
your Linux bootup report. Which of the following commands will you use to create the Linux bootup
report?

A.
touch bootup_report.txt

B.
dmesg > bootup_report.txt

C.
dmesg | wc

D.
man touch

Answer: B
Explanation:

The command dmesg > bootup_report.txt writes the kernel ring buffer, which holds the boot messages,
into bootup_report.txt through the shell's > redirection operator; that file can then be mailed to
the administrator. dmesg | wc only counts the lines, words and characters of the output, touch
creates an empty file, and man touch displays its manual page.

QUESTION NO: 67

You work as a Network Administrator for Tech Perfect Inc. For security issues, the company
requires you to harden its routers. You therefore write the following code:

Router#config terminal

Router(config)#no ip bootp server

Router(config)#no ip name-server

Router(config)#no ntp server

Router(config)#no snmp server

Router(config)#no ip http server

Router(config)#^Z

Router#

What services will be disabled by using this configuration fragment?

A.
BootP service

B.
Finger

C.
CDP

D.
DNS function

Answer: A,D
Explanation:

The configuration fragment disables the following services on the router:

The BootP service (no ip bootp server)

The DNS function (no ip name-server removes the configured name servers; no ip domain-lookup would
additionally stop the router from resolving names at all)

The Network Time Protocol

The Simple Network Management Protocol (the IOS form of the command is no snmp-server)

The HTTP management server (no ip http server)

Of these, only BootP and DNS appear among the options. Finger and CDP are not touched by this
fragment; disabling them would need no service finger (or no ip finger) and no cdp run respectively.

QUESTION NO: 68

Which of the following attacks allows the bypassing of access control lists on servers or routers,
and helps an attacker to hide? (Choose two.)

A.
DNS cache poisoning

B.
DDoS attack

C.
IP spoofing attack

D.
MAC spoofing

Answer: C,D
Explanation:

Either IP spoofing or MAC spoofing can be used to hide the true identity of a host on the network.
MAC spoofing changes the Media Access Control (MAC) address presented by a network interface to a
different one, which may bypass access control lists on servers, switches or routers that filter by
MAC address, either hiding the computer on the network or letting it impersonate another computer.
IP spoofing forges the source address of IP packets in the same way, so that filters based on the
source IP address pass the traffic while replies and log entries point at someone else.

Answer: A is incorrect. DNS cache poisoning is a maliciously created or unintended situation that
feeds a caching name server data that did not originate from an authoritative Domain Name System
(DNS) source. Once the server has cached such non-authentic data to speed up later lookups, it is
considered poisoned and serves the bad data to its clients. To perform the attack, the attacker
exploits a flaw in the DNS software: if the server does not correctly validate responses to ensure
that they come from an authoritative source, it caches the incorrect entries locally and serves them
to every user that makes the same request. It redirects traffic; it does not bypass access control
lists or hide the attacker.

Answer: B is incorrect. In a distributed denial-of-service (DDoS) attack, an attacker uses many
previously compromised computers spread across the network. These machines act as zombies and work
together to send out bogus traffic. The advantages to the attacker are that many machines generate
more attack traffic than one, that many attack machines are harder to shut down than one, and that
each machine's behavior can be stealthier, making the attack harder to trace and stop. TFN and
TRIN00 are early DDoS tools. A DDoS attack disrupts service; it neither bypasses access control
lists nor hides the attacker.

QUESTION NO: 69

You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. You have been assigned the task to design the authentication system for the remote
users of the company. For security purposes, you want to issue security tokens to the remote
users. The token should work on the one-time password principle and so once used, the next
password gets generated. Which of the following security tokens should you issue to accomplish
the task?

A.
Virtual tokens

B.
Event-based tokens

C.
Bluetooth tokens

D.
Single sign-on software tokens

Answer: B
Explanation:

An event-based token, by its nature, has a long life span. It works on the one-time password
principle: the token and the authentication server share a secret and a counter, each use advances
the counter and yields the next password, and any given password is valid only once. Often the user
has a button to press to receive the new code, or the code is delivered via an SMS message. The
standard algorithm for event-based tokens is HOTP (RFC 4226), an HMAC computed over the counter and
truncated to a short decimal code. All CRYPTOCard's tokens are event-based rather than time-based.

Answer: C is incorrect. Bluetooth tokens are often combined with a USB token, and hence work in
both a connected and disconnected state. Bluetooth authentication works when closer than 32 feet
(10 meters). If the Bluetooth is not available, the token must be inserted into a USB input device to
function.

Answer: A is incorrect. Virtual tokens are a new concept in multi-factor authentication first
introduced in 2005 by security company Sestus. Virtual tokens work by sharing the token
generation process between the Internet website and the user's computer and have the advantage
of not requiring the distribution of additional hardware or software. In addition, since the user's
device is communicating directly with the authenticating website, the solution is resistant to man-
in-the-middle attacks and similar forms of online fraud.

Answer: D is incorrect. Single sign-on software tokens are used by multiple, related, but
independent software systems. Some types of single sign-on (SSO) solutions, such as enterprise
single sign-on, use this token to store software that allows for seamless authentication and
password filling. As the passwords are stored on the token, users need not remember their
passwords and can therefore select more secure passwords, or have more secure passwords assigned.
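The one-time password principle the question relies on, used once and then replaced by the next value, is easiest to see with the server side in hand. The Python below is an added example (not part of the exam material and not any vendor's token code) implementing HOTP from RFC 4226, the open standard for event-based tokens, together with a validator that keeps the counter moving forward. It checks against the RFC's published test vectors, then walks through the cases a deployment has to handle: a first use is accepted, a replay of the same code is rejected, a code a few presses ahead (the user pressed the button without logging in) is accepted through a look-ahead window, and a code too far ahead is rejected. The secret is the RFC test-vector secret and the window size is an assumption.

```python
"""Event-based one-time passwords: HOTP (RFC 4226) with a server-side counter.

Added example, not part of the exam material and not any vendor's token code.
The secret is the RFC 4226 test-vector secret; the look-ahead window is an
assumed deployment setting.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP value for a shared secret and an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server side of an event-based token: the counter only ever moves forward."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.counter = 0               # next counter value the server expects
        self.look_ahead = look_ahead   # unused presses tolerated before resync fails

    def verify(self, candidate):
        """Accept a code once; skipped counters and replayed codes are burned."""
        for step in range(self.look_ahead + 1):
            c = self.counter + step
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1   # every value up to and including c is now spent
                return True
        return False


SECRET = b"12345678901234567890"      # RFC 4226 Appendix D test-vector secret


def walkthrough(secret=SECRET):
    """Exercise the validator: returns (first, replay, skipped, too_far, counter)."""
    v = HotpValidator(secret, look_ahead=3)
    first = v.verify(hotp(secret, 0))     # fresh code for counter 0: accepted
    replay = v.verify(hotp(secret, 0))    # same code again: rejected, already used
    skipped = v.verify(hotp(secret, 3))   # button pressed thrice unseen: inside window
    too_far = v.verify(hotp(secret, 10))  # server expects 4..7 now: outside window
    return first, replay, skipped, too_far, v.counter


if __name__ == "__main__":
    for n in range(3):
        print(f"counter {n}: {hotp(SECRET, n)}")
    print("first, replay, skipped, too_far, counter =", walkthrough())
```

The look-ahead window is the operational trade-off: too small and a token that was pressed a few times without logging in needs an administrator to resynchronize it; too large and an attacker who captures one code gains more counter values to try. What never changes is that a code, once accepted, can never be accepted again.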

QUESTION NO: 70

Which of the following is the default port for Hypertext Transfer Protocol (HTTP)?

A.
20

B.
443

C.
80

D.
21

Answer: C
Explanation:

Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on the World Wide
Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP defines how messages
are formatted and transmitted, and what actions Web servers and browsers should take in
response to various commands. For example, when a client application or browser sends a
request to the server using HTTP commands, the server responds with a message containing the
protocol version, success or failure code, server information, and body content, depending on the
request. HTTP uses TCP port 80 as the default port.

Answer: B is incorrect. Port 443 is the default port for Hypertext Transfer Protocol Secure (HTTPS)
and Secure Socket Layer (SSL).

Answer: A, D are incorrect. By default, FTP server uses TCP port 20 for data transfer and TCP
port 21 for session control.

QUESTION NO: 71

You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. You are concerned about the vulnerabilities existing in the network of the company.
Which of the following can be a cause for making the network vulnerable? (Choose two.)

A.
Use of well-known code

B.
Use of uncommon code

C.
Use of uncommon software

D.
Use of more physical connections

Answer: A,D
Explanation:

In computer security, the term vulnerability is a weakness which allows an attacker to reduce a
system's Information Assurance. A computer or a network can be vulnerable due to the following
reasons:

Complexity: Large, complex systems increase the probability of flaws and unintended access
points.

Familiarity: Using common, well-known code, software, operating systems, and/or hardware
increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.

Connectivity: More physical connections, privileges, ports, protocols, and services and time each
of those are accessible increase vulnerability.

Password management flaws: The computer user uses weak passwords that could be discovered
by brute force. The computer user stores the password on the computer where a program can
access it. Users re-use passwords between many programs and websites.

Fundamental operating system design flaws: The operating system designer chooses to enforce
sub optimal policies on user/program management. For example, operating systems with policies
such as default permit grant every program and every user full access to the entire computer. This
operating system flaw allows viruses and malware to execute commands on behalf of the
administrator.

Internet Website Browsing: Some Internet websites may contain harmful Spyware or Adware that
can be installed automatically on the computer systems. After visiting those websites, the
computer systems become infected and personal information will be collected and passed on to
third party individuals.

Software bugs: The programmer leaves an exploitable bug in a software program. The software
bug may allow an attacker to misuse an application.

Unchecked user input: The program assumes that all user input is safe. Programs that do not
check user input can allow unintended direct execution of commands or SQL statements (known
as Buffer overflows, SQL injection or other non-validated inputs).

Answers B, C are incorrect. Uncommon code and uncommon software are not among the causes listed; on
the contrary, it is the familiarity of common, well-known code and software that raises the chance
an attacker already has the knowledge and tools to exploit a flaw.

QUESTION NO: 72

You are the security manager of Microliss Inc. Your enterprise uses a wireless network
infrastructure with access points ranging 150-350 feet. The employees using the network complain
that their passwords and important official information have been traced.

You discover the following clues:

The information has proved beneficial to another company.

The other company is located about 340 feet away from your office.

The other company is also using wireless network.

The bandwidth of your network has degraded to a great extent.

Which of the following methods of attack has been used?

A.
A piggybacking attack has been performed.

B.
A DOS attack has been performed.

C.
The information is traced using Bluebugging.

D.
A worm has exported the information.

Answer: A
Explanation:

Piggybacking, in the wireless sense, is the use of another party's wireless Internet connection by
bringing one's own computer within range and using that service without the subscriber's explicit
permission or knowledge. Here the neighbouring company, about 340 feet away and therefore within the
150-350 foot range of the access points, has joined the network: that explains both the loss of
bandwidth and the exposure of passwords and other information. It is a legally and ethically
controversial practice, with laws that vary between jurisdictions; it is completely outlawed in some
and permitted in others. (The word also has an unrelated meaning in TCP, where sending data together
with an acknowledgment is called piggybacking.) The practical countermeasure is WPA2 or later
authentication on the access points, since an open or WEP-protected network is what makes this
possible.

Answer: C is incorrect. Bluebugging is an attack used only in a Bluetooth network; it is a form of
Bluetooth attack that often succeeds because of a lack of awareness. Bluebugging tools let the
attacker "take control" of the victim's phone by pretending to be the user's Bluetooth headset, which
tricks the phone into obeying the attacker's call commands. Nothing in the scenario involves
Bluetooth or control of a phone.

Answer: D is incorrect. A worm is a software program that uses computer networks and security
holes to replicate itself from one computer to another. It usually performs malicious actions, such
as using the resources of computers as well as shutting down computers.

Answer: B is incorrect. A Denial-of-Service (DoS) attack is mounted with the objective of causing a
negative impact on the performance of a computer or network. It is also known as a network
saturation attack or bandwidth consumption attack. Attackers perform DoS attacks by sending a
large number of protocol packets to the network. The effects of a DoS attack are as follows:

QUESTION NO: 73

Anonymizers are the services that help make a user's own Web surfing anonymous. An
anonymizer removes all the identifying information from a user's computer while the user surfs the
Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web
access with an anonymizer prefix, every subsequent link selected is also automatically accessed
anonymously. Which of the following are limitations of anonymizers?

A.
ActiveX controls

B.
Plugins

C.
Secure protocols

D.
Java applications

E.
JavaScript

Answer: A,B,C,D,E
Explanation:

Anonymizers have the following limitations:

1. HTTPS: Secure protocols such as 'https:' cannot be properly anonymized, as the browser
needs to access the site directly to properly maintain the secure encryption.

2. Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an established
independent direct connection from the user computer to a remote site.

3. Java: Any Java application accessed through an anonymizer will not be able to bypass the Java
security wall.

4. ActiveX: ActiveX applications have almost unlimited access to the user's computer system.

5. JavaScript: The JavaScript scripting language is disabled with URL-based anonymizers.

QUESTION NO: 74

You work as a Network Administrator for XYZ CORP. The company has a Linux-based network.
You need to configure a firewall for the company. The firewall should be able to keep track of the
state of network connections traveling across the network. Which of the following types of firewalls
will you configure to accomplish the task?

A.
A network-based application layer firewall

B.
Host-based application firewall

C.
An application firewall

D.
Stateful firewall

Answer: D
Explanation:

A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP
streams, UDP communication) traveling across it. The firewall is programmed to distinguish
legitimate packets for different types of connections. Only packets matching a known connection
state will be allowed by the firewall; others will be rejected.
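As an added example of the connection tracking described above (this is not code from the original question bank), the following Python sketch keeps a connection table keyed by protocol and address/port 5-tuple. Outbound packets from the internal network create entries, and inbound packets are accepted only when they match an entry opened from the inside, so an unsolicited inbound SYN is dropped even though the same port would be reachable through a stateless rule. The internal prefix, the sample addresses and the class and function names are constructed for the demonstration; a real stateful firewall also ages entries out and tracks far more of the TCP state machine.

```python
"""Minimal stateful packet filter (constructed example, not a real firewall).

The filter keeps a connection table keyed by the 5-tuple. Outbound packets
from the internal network create entries; inbound packets are accepted only
when they match an entry created from the inside. Everything else is dropped,
which is the behaviour described for a stateful firewall.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_NET = "10.0.0."  # constructed: hosts with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags such as "S", "SA", "A", "FA", "R"


ConnKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self) -> None:
        # connection table: 5-tuple of the inside-initiated flow -> state
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> ConnKey:
        # the entry an inbound reply must match was keyed from the inside host
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return "ACCEPT" or "DROP" for one packet and update the table."""
        if p.src.startswith(INTERNAL_NET):
            k = self._key(p)
            if p.proto == "tcp":
                if "S" in p.flags and "A" not in p.flags:
                    self.table[k] = "NEW"          # outbound SYN opens a connection
                    return "ACCEPT"
                if k in self.table:
                    if "F" in p.flags or "R" in p.flags:
                        del self.table[k]          # teardown removes the entry
                    return "ACCEPT"
                return "DROP"                      # stray packet, no known connection
            self.table[k] = "ESTABLISHED"          # UDP: outbound datagram opens a pseudo-flow
            return "ACCEPT"
        # inbound: only replies to flows opened from the inside are allowed
        rk = self._reverse_key(p)
        state = self.table.get(rk)
        if state is None:
            return "DROP"                          # unsolicited inbound traffic
        if p.proto == "tcp":
            if state == "NEW" and p.flags == "SA":
                self.table[rk] = "ESTABLISHED"     # SYN-ACK completes the handshake
                return "ACCEPT"
            if state == "ESTABLISHED" and "S" not in p.flags:
                if "F" in p.flags or "R" in p.flags:
                    del self.table[rk]
                return "ACCEPT"
            return "DROP"                          # e.g. a new SYN on a known tuple
        return "ACCEPT"                            # UDP reply to an outbound datagram


def run_trace(packets: List[Packet]) -> List[str]:
    """Run a packet list through a fresh filter and return the verdicts in order."""
    fw = StatefulFilter()
    return [fw.filter(p) for p in packets]


# Constructed trace: an inside client opens a TCP connection to a web server,
# an outside host then tries an unsolicited SYN to the client, and a DNS
# exchange shows the same rule applied to UDP.
TRACE = [
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "S"),
    Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "SA"),
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "A"),
    Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "A"),
    Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 22, "S"),
    Packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53),
    Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353),
    Packet("udp", "203.0.113.53", 53, "10.0.0.9", 5353),
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{verdict:6} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags}")
```

Running the trace accepts the three-way handshake and the DNS reply, and drops both the unsolicited SYN to port 22 and the DNS "reply" aimed at a host that never sent a query.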

Answer: B is incorrect. A host-based application firewall can monitor any application input, output,
and/or system service calls made from, to, or by an application. This is done by examining
information passed through system calls instead of, or in addition to, a network stack. A host-
based application firewall can only provide protection to the applications running on the same host.

An example of a host-based application firewall that controls system service calls by an application
is AppArmor or the Mac OS X application firewall. Host-based application firewalls may also
provide network-based application firewalling.

Answer: A is incorrect. A network-based application layer firewall, also known as a proxy-based or
reverse-proxy firewall, is a computer networking firewall that operates at the application layer of a
protocol stack. Application firewalls specific to a particular kind of network traffic may be titled with
the service name, such as a Web application firewall. They may be implemented through software
running on a host or a stand-alone piece of network hardware. Often, it is a host using various
forms of proxy servers to proxy traffic before passing it on to the client or server. Because it acts
on the application layer, it may inspect the contents of the traffic, blocking specified content, such
as certain websites, viruses, and attempts to exploit known logical flaws in client software.

Answer: C is incorrect. An application firewall is a form of firewall that controls input, output, and/or
access from, to, or by an application or service. It operates by monitoring and potentially blocking
the input, output, or system service calls that do not meet the configured policy of the firewall. The
application firewall is typically built to monitor one or more specific applications or services (such
as a web or database service), unlike a stateful network firewall, which can provide some access
controls for nearly any kind of network traffic.

There are two primary categories of application firewalls:

QUESTION NO: 75

Which of the following Windows processes supports creating and deleting processes and threads,
running 16-bit virtual DOS machine processes, and running console windows?

A.
smss.exe

B.
services.exe

C.
csrss.exe

D.
System

Answer: C
Explanation:

csrss.exe is a process that supports creating and deleting processes and threads, running 16-bit
virtual DOS machine processes, and running console windows.

Answer: B is incorrect. This process is the Windows Service Controller, which is responsible for
starting and stopping system services running in the background.

Answer: A is incorrect. This process supports the programs needed to implement the user
interface, including the graphics subsystem and the log on processes.

Answer: D is incorrect. This process includes most kernel-level threads, which manage the
underlying aspects of the operating system.

QUESTION NO: 76

Which of the following are HTML tags, used to create a table?

A.
<TR>

B.
<TD>

C.
<TABLE SET>

D.
<SET TABLE>

E.
<TT>

F.
<TABLE>

Answer: A,B,F
Explanation:

In Hypertext Markup Language (HTML), a table is created using the <TABLE>, <TR>, and <TD>
tags. The <TABLE> tag designs the table layout, the <TR> tag is used to create a row, and the
<TD> tag is used to create a column. For example, the following code generates a table with two
rows and two columns:

<TABLE BORDER=1>
<TR> <TD>Cell 1</TD>
<TD>Cell 2</TD> </TR>
<TR> <TD>Cell 3</TD>
<TD>Cell 4</TD> </TR>
</TABLE>

Answer: C, E, and D are incorrect. There are no HTML tags such as <TABLE SET>, <TT>, and
<SET TABLE>.

QUESTION NO: 77

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company has recently provided fifty laptops to its sales team members. You are
required to configure an 802.11 wireless network for the laptops. The sales team members must
be able to use their data placed at a server in a cabled network. The planned network should be
able to handle the threat of unauthorized access and data interception by an unauthorized user.
You are also required to prevent the sales team members from communicating directly to one
another.

Which of the following actions will you take to accomplish the task?

A.
Implement the open system authentication for the wireless network.

B.
Configure the wireless network to use WEP encryption for the data transmitted over a wireless
network.

C.
Using group policies, configure the network to allow the wireless computers to connect to the
infrastructure networks only.

D.
Implement the IEEE 802.1X authentication for the wireless network.

E.
Using group policies, configure the network to allow the wireless computers to connect to the ad
hoc networks only.

Answer: B,C,D
Explanation:

In order to enable wireless networking, you have to install access points in various areas of your
office building. These access points generate omnidirectional signals to broadcast network traffic.
Unauthorized users can intercept these packets. Hence, security is the major concern for a
wireless network. The two primary threats are unauthorized access and data interception.

In order to accomplish the task, you will have to take the following steps:

Using group policies, configure the network to allow the wireless computers to connect to the
infrastructure networks only. This will prevent the sales team members from communicating
directly to one another.

Implement the IEEE 802.1X authentication for the wireless network. This will allow only
authenticated users to access the network data and resources.

Configure the wireless network to use WEP encryption for data transmitted over a wireless
network. This will encrypt the network data packets transmitted over wireless connections.

Although WEP encryption does not prevent intruders from capturing the packets, it prevents them
from reading the data inside.

QUESTION NO: 78

You have to move the whole directory /foo to /bar. Which of the following commands will you use
to accomplish the task?

A.
mv /bar /foo

B.
mv -R /foo /bar

C.
mv /foo /bar

D.
mv -r /bar /foo

Answer: C
Explanation:

You will use the mv /foo /bar command to move the whole directory /foo to /bar. The mv command
moves files and directories from one directory to another or renames a file or directory. mv must
always be given at least two arguments.

The first argument is given as a source file.

The second argument is interpreted as the destination.

If destination is an existing directory, the source file is moved to that directory with the same name
as the source. If the destination is any other directory, the source file is moved and/or renamed to
that destination name.

Syntax: mv [options] source destination

Some important options used with the mv command are as follows:

Answer: A is incorrect. The mv /bar /foo command will move the whole /bar directory to the /foo
directory.

Answer: B, D are incorrect. These are not valid Linux commands.

QUESTION NO: 79

What are the different categories of PL/SQL program units?

A.
Default

B.
Unnamed

C.
Primary

D.
Named

Answer: B,D
Explanation:

A named block is a PL/SQL block that Oracle stores in the database and can be called by name
from any application. A named block is also known as a stored procedure. Named blocks can be
called from any PL/SQL block. It has a declaration section, which is known as a header. The
header may include the name of a block, type of the block, and parameter. The name and list of
formal parameters are known as the signature of a subroutine. Once a named PL/SQL block is
compiled, it gets permanently stored as p-code after compilation in the shared pool of the system
global area. Therefore, the named block gets compiled only once.

An anonymous block is a PL/SQL block that appears in a user's application and is neither named
nor stored in the database. This block does not allow any mode of parameter. Anonymous block
programs are effective in some situations. They are basically used when building scripts to seed
data or perform one-time processing activities. They are also used when a user wants to nest
activity in another PL/SQL block's execution section. Anonymous blocks are compiled each time
they are executed.

QUESTION NO: 80

In which of the following is absolute size of frames expressed?

A.
Bits

B.
Percentage

C.
Inches

D.
Pixels

Answer: D
Explanation:

Absolute size of frames is expressed in pixels. Size is expressed in terms of the number of pixels
in a frame. Therefore, a change in the screen area of a display device does not affect the absolute
frame size of a Web page.

QUESTION NO: 81

You work as the Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. You are a root user on the Red Hat operating system. You want to keep an eye on the
system log file /var/adm/messages.

Which of the following commands should you use to read the file in real time?

A.
tail -n 3 /var/adm/messages

B.
tail -f /var/adm/messages

C.
cat /var/adm/messages

D.
tail /var/adm/messages

Answer: B
Explanation:

Using the -f option causes tail to continue to display the file in real time, showing added lines to the
end of the file as they occur.

QUESTION NO: 82

Which of the following techniques are used after a security breach and are intended to limit the
extent of any damage caused by the incident?

A.
Safeguards

B.
Detective controls

C.
Corrective controls

D.
Preventive controls

Answer: C
Explanation:

Corrective controls are used after a security breach. After security has been breached, corrective
controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering
the organization to normal working status as efficiently as possible.

Answer: D is incorrect. Before the event, preventive controls are intended to prevent an incident
from occurring, e.g. by locking out unauthorized intruders.

Answer: B is incorrect. During the event, detective controls are intended to identify and
characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security
guards or the police.

Answer: A is incorrect. Safeguards are those controls that provide some amount of protection to
an asset.

QUESTION NO: 83

Which of the following wireless security features provides the best wireless security mechanism?

A.
WEP

B.
WPA with 802.1X authentication

C.
WPA

D.
WPA with Pre Shared Key

Answer: B
Explanation:

WPA with 802.1X authentication provides the best wireless security mechanism. 802.1X
authentication, also known as WPA-Enterprise, is a security mechanism for wireless networks.
802.1X provides port-based authentication, which involves communications between a supplicant,
authenticator, and authentication server. The supplicant is often software on a client device, the
authenticator is a wired Ethernet switch or wireless access point, and an authentication server is
generally a RADIUS database. The authenticator acts like a security guard to a protected network.
The supplicant (client device) is not allowed access through the authenticator to the protected side
of the network until the supplicant's identity is authorized. With 802.1X port-based authentication,
the supplicant provides credentials, such as user name/password or digital certificate, to the
authenticator, and the authenticator forwards the credentials to the authentication server for
verification. If the credentials are valid, the supplicant (client device) is allowed to access
resources located on the protected side of the network.

Answer: A is incorrect. Wired Equivalent Privacy (WEP) uses the stream cipher RC4 (Rivest
Cipher). WEP uses Shared Key Authentication, since both the access point and the wireless
device possess the same key. An attacker with enough Initialization Vectors can crack the key used
and gain full access to the network.

Answer: D is incorrect. WPA-PSK is a strong encryption where encryption keys are automatically
changed (called rekeying) and authenticated between devices after a fixed period of time, or after
a fixed number of packets has been transmitted.

Answer: C is incorrect. WPA uses TKIP (Temporal Key Integrity Protocol) to enhance data
encryption, but is still vulnerable to different password cracking attacks.

QUESTION NO: 84

You work as a Network Administrator for TechPerfect Inc. The company has a secure wireless
network. Since the company's wireless network is so dynamic, it requires regular auditing to
maintain proper security. For this reason, you are configuring NetStumbler as a wireless auditing
tool.

Which of the following statements are true about NetStumbler?

A.
It can be integrated with the GPS.

B.
It cannot identify the channel being used.

C.
It can identify the SSIDs.

D.
It works with a wide variety of cards.

Answer: A,C,D
Explanation:

NetStumbler is one of the most famous wireless auditing tools. It works with a wide variety of
cards. If it is loaded on a computer, it can be used to detect 802.11 networks. It can easily identify
the SSIDs and security tools. It can even identify the channel being used. This tool can also be
integrated with the GPS to identify the exact location of AP for plotting onto a map.

Answer: B is incorrect. It can identify the channel being used. NetStumbler can be used for a
variety of services:

QUESTION NO: 85

You work as a Network Administrator for Blue Well Inc. The company has a TCP/IP-based routed
network. Two segments have been configured on the network as shown below:

One day, the switch in Subnet B fails. What will happen?

A.
Communication between the two subnets will be affected.

B.
The whole network will collapse.

C.
Workstations on Subnet A will become offline

D.
Workstations on Subnet B will become offline.

Answer: A,D
Explanation:

According to the question, the network is a routed network where two segments have been divided
and each segment has a switch. These switches are connected to a common router. All
workstations in a segment are connected to their respective subnet's switches.

Failure of the switch in Subnet B will make all workstations connected to it offline. Moreover,
communication between the two subnets will be affected, as there will be no link to connect to
Subnet B.

QUESTION NO: 86

John visits an online shop that stores the IDs and prices of the items to buy in a cookie. After
selecting the items that he wants to buy, the attacker changes the price of the item to 1.

Original cookie values: ItemID1=2 ItemPrice1=900 ItemID2=1 ItemPrice2=200

Modified cookie values: ItemID1=2 ItemPrice1=1 ItemID2=1 ItemPrice2=1

Now, he clicks the Buy button, and the prices are sent to the server that calculates the total price.

Which of the following hacking techniques is John performing?

A.
Cross site scripting

B.
Man-in-the-middle attack

C.
Cookie poisoning

D.
Computer-based social engineering

Answer: C
Explanation:

John is performing cookie poisoning. In cookie poisoning, an attacker modifies the value of
cookies before sending them back to the server. On modifying the cookie values, an attacker can
log in to any other user account and can perform identity theft. The following figure explains how
cookie poisoning occurs:

For example: The attacker visits an online shop that stores the IDs and prices of the items to buy
in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the
item to 1.

Original cookie values: ItemID1= 2 ItemPrice1=900 ItemID2=1 ItemPrice2=200

Modified cookie values: ItemID1= 2 ItemPrice1=1 ItemID2=1 ItemPrice2=1

Now, the attacker clicks the Buy button and the prices are sent to the server that calculates the
total price.

Another use of a Cookie Poisoning attack is to pretend to be another user after changing the
username in the cookie values:

Original cookie values: LoggedIn= True Username = Mark

Modified cookie values: LoggedIn= True Username = Admin

Now, after modifying the cookie values, the attacker can do the admin login.
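The checkout described above, as an added example that is not part of the original question bank: a Python handler that totals whatever ItemPrice values come back in the cookie (the flaw the question exercises) beside a hardened handler that ignores client-supplied prices, prices every item from a server-side catalog, and verifies an HMAC tag so that any modified cookie is rejected outright. The cookie layout is the one quoted in the question; the catalog, the secret, and the function names are constructed for the demonstration.

```python
"""Cookie poisoning: vulnerable vs. hardened checkout (constructed example).

The cookie format mirrors the question ("ItemID1=2 ItemPrice1=900 ...").
The vulnerable handler totals the prices the client sent; the hardened handler
verifies an HMAC tag on the cookie and prices items from a server-side catalog,
so a modified price field can neither pass verification nor affect the total.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed server-side data: the product catalog and a secret only the server knows.
CATALOG: Dict[int, int] = {1: 200, 2: 900}
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def parse_cookie(cookie: str) -> Dict[str, str]:
    """Parse "k=v k=v ..." (space separated, as written in the question) into a dict."""
    fields: Dict[str, str] = {}
    for token in cookie.split():
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def items_from_fields(fields: Dict[str, str]) -> List[Tuple[int, int]]:
    """Return (item_id, client_price) pairs for ItemID1/ItemPrice1, ItemID2/ItemPrice2, ..."""
    items: List[Tuple[int, int]] = []
    n = 1
    while f"ItemID{n}" in fields:
        items.append((int(fields[f"ItemID{n}"]), int(fields.get(f"ItemPrice{n}", "0"))))
        n += 1
    return items


def vulnerable_total(cookie: str) -> int:
    """VULNERABLE: trusts the price field the browser sent back."""
    return sum(price for _, price in items_from_fields(parse_cookie(cookie)))


def sign_cookie(cookie: str) -> str:
    """Attach an HMAC-SHA256 tag when the server issues the cookie."""
    tag = hmac.new(SERVER_SECRET, cookie.encode(), hashlib.sha256).hexdigest()
    return f"{cookie} sig={tag}"


def hardened_total(signed_cookie: str) -> int:
    """HARDENED: verify the tag, then price items from the catalog only.

    Raises ValueError for an unsigned or modified cookie, or an unknown item id.
    """
    body, sep, tag = signed_cookie.rpartition(" sig=")
    if not sep:
        raise ValueError("cookie is not signed")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        raise ValueError("cookie signature mismatch: client modified the cookie")
    total = 0
    for item_id, _client_price in items_from_fields(parse_cookie(body)):
        if item_id not in CATALOG:
            raise ValueError(f"unknown item id {item_id}")
        total += CATALOG[item_id]                  # the client-supplied price is ignored
    return total


# The two cookies quoted in the question.
ORIGINAL = "ItemID1=2 ItemPrice1=900 ItemID2=1 ItemPrice2=200"
MODIFIED = "ItemID1=2 ItemPrice1=1 ItemID2=1 ItemPrice2=1"

if __name__ == "__main__":
    print("vulnerable, original cookie:", vulnerable_total(ORIGINAL))   # 1100
    print("vulnerable, modified cookie:", vulnerable_total(MODIFIED))   # 2
    signed = sign_cookie(ORIGINAL)
    print("hardened, intact signed cookie:", hardened_total(signed))    # 1100
    tampered = signed.replace("ItemPrice1=900", "ItemPrice1=1")
    try:
        hardened_total(tampered)
    except ValueError as exc:
        print("hardened, tampered cookie rejected:", exc)
```

The two defences are independent: the catalog lookup alone already makes the price fields inert, and the signature alone already detects the edit. Keeping both means a tampered cookie is logged and rejected rather than silently re-priced, which is the detection signal an auditor would want to see in the application logs.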

Answer: A is incorrect. A cross site scripting attack is one in which an attacker enters malicious
data into a Website. For example, the attacker posts a message that contains malicious code to
any newsgroup site. When another user views this message, the browser interprets this code and
executes it and, as a result, the attacker is able to take control of the user's system. Cross site
scripting attacks require the execution of client-side languages such as JavaScript, Java,
VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross site
scripting attack, the attacker can perform cookie stealing, sessions hijacking, etc.

QUESTION NO: 87

You work as a Network Administrator for XYZ CORP. The company has a Windows Server 2008
network environment. The network is configured as a Windows Active Directory-based single
forest network.

You configure a new Windows Server 2008 server in the network. The new server is not yet linked
to Active Directory. You are required to accomplish the following tasks:

Add a new group named "Sales".

Copy the "Returns" group from the older server to the new one.

Rename the "Returns" group to "Revenue".

View all group members, including for multiple groups/entire domain.

You use Hyena to simplify and centralize all of these tasks.

Which of the assigned tasks will you be able to accomplish?

A.
Copy the "Returns" group to the new server.

B.
Rename the "Returns" group to "Revenue".

C.
Add the new group named "Sales".

D.
View and manage all group members, including for multiple groups/entire domain.

Answer: A,B,C
Explanation:

Hyena supports the following group management functions:

Full group administration such as add, modify, delete, and copy

Rename groups

Copy groups from one computer to another

View both direct and indirect (nested) group members for one or more groups [only for Active
Directory]

View all group members, including for multiple groups/entire domain [only for Active Directory]

Answer: D is incorrect. All group members can neither be viewed nor managed until the new
server is linked to Active Directory.

QUESTION NO: 88

Which of the following tools can be used to read NetStumbler's collected data files and present
street maps showing the logged WAPs as icons, whose color and shape indicates WEP mode and
signal strength?

A.
Kismet

B.
StumbVerter

C.
WEPcrack

D.
NetStumbler

Answer: B
Explanation:

The StumbVerter tool is used to read NetStumbler's collected data files and present street maps
showing the logged WAPs as icons, whose color and shape indicate WEP mode and signal
strength.

Answer: C is incorrect. WEPcrack is a wireless network cracking tool that exploits the
vulnerabilities in the RC4 Algorithm, which comprises the WEP security parameters.

Answer: A is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.

Answer: D is incorrect. NetStumbler is a Windows-based tool that is used for the detection of
wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. It detects wireless
networks and marks their relative position with a GPS.

QUESTION NO: 89

eBox Platform is an open source unified network server (or a Unified Network Platform) for SMEs.
In which of the following forms can eBox Platform be used?

A.
Unified Communications Server

B.
Network Infrastructure Manager

C.
Gateway

D.
Sandbox

Answer: A,B,C
Explanation:

eBox Platform is an open source unified network server (or a Unified Network Platform) for SMEs.
eBox Platform can act as a Gateway, Network Infrastructure Manager, Unified Threat Manager,
Office Server, Unified Communications Server or a combination of them. Besides, eBox Platform
includes a development framework to ease the development of new Unix-based services.

Answer: D is incorrect. eBox Platform cannot act as a sandbox. A sandbox is a security
mechanism for separating running programs. It is often used to execute untested code, or
untrusted programs, from unverified third parties, suppliers, and untrusted users.

QUESTION NO: 90

Which of the following encryption encoding techniques is used in the basic authentication method?

A.
HMAC_MD5

B.
Md5

C.
DES (ECB mode)

D.
Base64

Answer: D
Explanation:

Base64 encoding, which can easily be decoded, is used in the basic authentication method.

Answer: B is incorrect. The Md5 hashing technique is used in the digest authentication method.

Answer: A is incorrect. The HMAC_MD5 hashing technique is used in the NTLMv2 authentication
method.

Answer: C is incorrect. DES (ECB mode) is used in the NTLMv1 authentication method.

QUESTION NO: 91

Which of the following tools is used to make fake authentication certificates?

A.
Obiwan

B.
Netcat

C.
WinSSLMiM

D.
Brutus

Answer: C
Explanation:

WinSSLMiM is an HTTPS man-in-the-middle attacking tool. It includes FakeCert, a tool used to
make fake certificates. It can be used to exploit the Certificate Chain vulnerability in Internet
Explorer. The tool works under Windows 9x/2000. For example:

Generate fake certificate: fc -s www.we-are-secure.com -f fakeCert.crt

Launch WinSSLMiM: wsm -f fakeCert.crt

Answer: D is incorrect. Brutus is a password cracking tool that performs both dictionary and brute
force attacks in which passwords are randomly generated from given characters. Brute forcing can
be performed on the following authentications:

Answer: A is incorrect. Obiwan is a Web password cracking tool that is used to perform brute force
and hybrid attacks. It is effective against HTTP connections for Web servers that allow unlimited
failed login attempts by the user. Obiwan uses wordlists as well as alphanumeric characters as
possible passwords.

Answer: B is incorrect. Netcat is a freely available networking utility that reads and writes data
across network connections by using the TCP/IP protocol.

Netcat has the following features:

QUESTION NO: 92

What does CSS stand for?

A.
Cascading Style Sheet

B.
Coded System Sheet

C.
Cyclic Style Sheet

D.
Cascading Style System

Answer: A
Explanation:

A Cascading Style Sheet (CSS) is a separate text file that keeps track of design and formatting
information, such as colors, fonts, font sizes, and margins, used in Web pages. CSS is used to
provide Web site authors greater control on the appearance and presentation of their Web pages.
It has codes that are interpreted and applied by the browser on to the Web pages and their
elements. CSS files have .css extension.

There are three types of Cascading Style Sheets:

QUESTION NO: 93

You work as a Network Administrator for NetTech Inc. Your computer has the Windows 2000
Server operating system. You want to harden the security of the server.

Which of the following changes are required to accomplish this? (Choose two.)

A.
Remove the Administrator account.

B.
Disable the Guest account.

C.
Rename the Administrator account.

D.
Enable the Guest account.

Answer: B,C
Explanation:

For security, you will have to rename the Administrator account and disable the Guest account.
Renaming the Administrator account will ensure that hackers do not break into the network or
computer by guessing the password of the Administrator account. You can also create a fake
Administrator account that has no privileges and audit its use to detect attacks. Disabling the
Guest account will prevent users who do not have a domain or local user account from illegally
accessing the network or computer. By default, the Guest account is disabled on systems running
Windows 2000 Server. If the Guest account is enabled, you will have to disable it.

QUESTION NO: 94

Mark works as a project engineer in Tech Perfect Inc. His office is configured with Windows XP-
based computers. The computer that he uses is not configured with a default gateway. He is able
to access the Internet, but is not able to use e-mail services via the Internet. However, he is able
to access e-mail services via the intranet of the company.

Which of the following could be the reason for not being able to access e-mail services via the
Internet?

A.
Proxy server

B.
IP packet filter

C.
Router

D.

"Pass Any Exam. Any Time." - www.actualtests.com 81


GIAC GSNA Exam
Protocols other than TCP/IP

Answer: A
Explanation:

A proxy server exists between a client's Web-browsing program and a real Internet server. The
purpose of the proxy server is to enhance the performance of user requests and filter requests. A
proxy server has a database called cache where the most frequently accessed Web pages are
stored. The next time such pages are requested, the proxy server is able to satisfy the request
locally, thereby greatly reducing the access time. Only when a proxy server is unable to fulfill a
request locally does it forward the request to a real Internet server.

The proxy server can also be used for filtering user requests. This may be done in order to prevent
the users from visiting non-genuine sites.

Answer: D is incorrect. Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of
standard protocols that govern how data passes between networks. It can be used to provide
communication between the basic operating systems on local and wide-area networks (WANs).
TCP/IP is the basic communication language or protocol of the Internet. It can also be used as a
communications protocol in a private network (either an intranet or an extranet). It is considered
the primary protocol of the Internet and the World Wide Web.

Answer: B is incorrect. IP packet filters allow or block packets from passing through specified
ports. They can filter packets based on service type, port number, source computer name, or
destination computer name. When packet filtering is enabled, all packets on the external interface
are dropped unless they are explicitly allowed, either statically by IP packet filters or dynamically
by access policy or publishing rules.

Answer: C is incorrect. A router is a device that routes data packets between computers in
different networks. It is used to connect multiple networks, and it determines the path to be taken
by each data packet to its destination computer. A router maintains a routing table of the available
routes and their conditions. By using this information, along with distance and cost algorithms, the
router determines the best path to be taken by the data packets to the destination computer. A
router can connect dissimilar networks, such as Ethernet, FDDI, and Token Ring, and route data
packets among them. Routers operate at the network layer (layer 3) of the Open Systems
Interconnection (OSI) model.

QUESTION NO: 95

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to find out when a particular user was last logged in. To accomplish this, you need to
analyze the log configuration files.

Which of the following Unix log configuration files can you use to accomplish the task?

A.
/var/log/btmp

B.
/var/log/messages

C.
/var/log/lastlog

D.
/var/log/wtmp

Answer: C
Explanation:

In Unix, the /var/log/lastlog file is used by the finger command to find when a user was last logged in.

Answer: D is incorrect. In Unix, the /var/log/wtmp file stores the binary info of users that have been
logged on.

Answer: A is incorrect. In Unix, the /var/log/btmp file is used to store information about failed
logins.

Answer: B is incorrect. In Unix, the /var/log/messages is the main system message log file.

QUESTION NO: 96

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to fix partitions on a hard drive.

Which of the following Unix commands can you use to accomplish the task?

A.
fdformat

B.
exportfs

C.
fsck

D.
fdisk

Answer: D
Explanation:

The fdisk command is a menu-based command available with Unix for hard disk configuration.
This command can perform the following tasks:

Answer: B is incorrect. In Unix, the exportfs command is used to set up filesystems to export over
NFS (Network File System).

Answer: A is incorrect. In Unix, the fdformat command formats a floppy disk.

Answer: C is incorrect. In Unix, the fsck command is used to add new blocks to a filesystem. This
command must not be run on a mounted file system.

QUESTION NO: 97

Mark works as a Web Developer for XYZ CORP. He is developing a Web site for the company. He
wants to use frames in the Web site.

Which of the following is an HTML tag used to create frames?

A.
<REGION>

B.
<TABLESET>

C.
<FRAMEWINDOW>

D.
<FRAMESET>

Answer: D
Explanation:

The <FRAMESET> tag specifies a frameset used to organize multiple frames and nested framesets in
an HTML document. It defines the location, size, and orientation of frames. An HTML document
can contain either a <FRAMESET> tag or a <BODY> tag, but not both.

Answer: A, B, C are incorrect. There are no HTML tags such as <TABLESET>,
<FRAMEWINDOW>, and <REGION>.


QUESTION NO: 98

You work as a professional Ethical Hacker. You are assigned a project to perform black-box testing
of the security of www.we-are-secure.com. Now you want to perform banner grabbing to retrieve
information about the Web server being used by we-are-secure.

Which of the following tools can you use to accomplish the task?

A.
Wget

B.
WinSSLMiM

C.
Whisker

D.
httprint

Answer: D
Explanation:

According to the scenario, you want to perform banner grabbing to retrieve information about the
Web server being used by we-are-secure. For this, you will use the httprint tool to accomplish the
task. httprint is a fingerprinting tool that relies on Web server behavioural characteristics to accurately
identify Web servers. It works even when the Web server's identity has been obfuscated by changing the
server banner strings, or by plug-ins such as mod_security or ServerMask. It can also be used to
detect Web-enabled devices that do not contain a server banner string, such as wireless access
points, routers, switches, cable modems, etc. httprint uses text signature strings for identification,
and a user can also add signatures to the signature database.

Answer: A is incorrect. Wget is a Website copier that is used to analyze the vulnerabilities of a
Website offline.

Answer: C is incorrect. Whisker is an HTTP/Web vulnerability scanner that is written in the PERL
language. Whisker runs on both the Windows and UNIX environments. It provides functions for
testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs.

Answer: B is incorrect. WinSSLMiM is an HTTPS Man in the Middle attacking tool. It includes
FakeCert, a tool used to make fake certificates. It can be used to exploit the Certificate Chain
vulnerability in Internet Explorer.

QUESTION NO: 99

Which of the following types of firewall functions at the Session layer of OSI model?

A.
Packet filtering firewall

B.
Circuit-level firewall

C.
Switch-level firewall

D.
Application-level firewall

Answer: B
Explanation:

A circuit-level firewall operates at the Session layer of the OSI model. This type of firewall regulates
traffic based on whether or not a trusted connection has been established.

QUESTION NO: 100

Mark implements a Cisco unified wireless network for Tech Perfect Inc. Which functional area of
the Cisco unified wireless network architecture includes intrusion detection and prevention?

A.
Network services

B.
Wireless clients

C.
Network unification

D.
Wireless access points

Answer: A
Explanation:

Network services is the last functional area of the Cisco unified wireless network architecture. This
functional area includes the self-defending network and enhanced network support, such as location
services, intrusion detection and prevention, firewalls, network admission control, and all other
services.

Answer: C is incorrect. Network unification is a functional area of the Cisco unified wireless
network architecture. This functional area includes the following wireless LAN controllers:

1. The 6500 series Catalyst switch

2. Wireless services module (WiSM)

3. Cisco wireless LAN controller module (WLCM)

4. Cisco Catalyst 3750 series integrated WLC

5. Cisco 4400 series WLC

6. Cisco 2000 series WLC

Answer: B is incorrect. Wireless clients are a functional area of the Cisco unified wireless network.
These are the end-user devices that connect to the wireless network.

Answer: D is incorrect. A wireless access point (WAP) is a device that allows wireless
communication devices to connect to a wireless network using Wi-Fi, Bluetooth, or related
standards. The WAP usually connects to a wired network, and it can transmit data between
wireless devices and wired devices on the network. Each access point can serve multiple users
within a defined network area. As people move beyond the range of one access point, they are
automatically handed over to the next one. A small WLAN requires a single access point. The
number of access points in a network depends on the number of network users and the physical
size of the network.

QUESTION NO: 101

The tool works under Windows 9x/2000. Which of the following tools can be used to automate the
MITM attack?

A.
Airjack

B.
Kismet

C.
Hotspotter

D.
IKECrack

Answer: A
Explanation:

Airjack is a collection of wireless card drivers and related programs. It uses a program called
monkey_jack that is used to automate the MITM attack. Wlan_jack is a DoS tool in the set of
airjack tools, which accepts a target source and BSSID to send continuous deauthenticate frames
to a single client or an entire network. Another tool, essid_jack, is used to send a disassociate
frame to a target client in order to force the client to reassociate with the network and give up the
network SSID.

Answer: C is incorrect. Hotspotter is a wireless hacking tool that is used to detect
rogue access points. It fools users into connecting to, and authenticating with, the hacker's tool. It sends a
deauthenticate frame to the victim's computer that causes the victim's wireless connection to be
switched to a non-preferred connection.

Answer: D is incorrect. IKECrack is an IKE/IPSec
authentication cracking tool, which uses brute force to search password and key combinations of
Pre-Shared-Key authentication networks. The IKECrack tool undermines the latest Wi-Fi security
protocol with repetitive attempts at authentication with random passphrases or keys.

Answer: B is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system.
It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff
802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks:

Topic 2, Volume B

QUESTION NO: 102

You work as a Software Developer for Cinera Softwares Inc. You create a DHTML page that
contains ten TextBox controls to get information from the users who use your application. You
want all the components placed on the DHTML page to be repositioned dynamically, when a user
resizes the browser window.

Which of the following will you use for this?

A.
Use the position attribute of the Cascading Style Sheet.

B.
Use the OnResize event for the DHTML page object.

C.
Use the Resize event of the Document object.

D.
Use the OnResize event of the Cascading Style Sheet.

Answer: A
Explanation:

Use the position attribute of the Cascading Style Sheet. The DHTML page object model gives access to
styles and style sheets. Therefore, you can easily set and change the position of an element.

Reference: MSDN, Index "Dynamic HTML (DHTML), in DHTML Applications", "Elements
Positioning in DHTML Application", Search "Positioning", "Dynamic HTML"

QUESTION NO: 103

You are concerned about rogue wireless access points being connected to your network.

What is the best way to detect and prevent these?

A.
Network anti-spyware software

B.
Network anti-virus software

C.
Protocol analyzers

D.
Site surveys

Answer: D
Explanation:

Routinely doing site surveys (or better still, having them automatically conducted frequently) is the
only way to know what is connected to your network. And it will reveal any rogue access points.

Answer: B is incorrect. While antivirus software is always a good idea, it will do nothing to prevent
rogue access points.

Answer: A is incorrect. While anti-spyware software is always a good idea, it will do nothing to
prevent rogue access points.

Answer: C is incorrect. A protocol analyzer will help you analyze the specific traffic on a given
node, but won't be much help in directly detecting rogue access points.


QUESTION NO: 104

You want to repeat the last command you entered in the bash shell.

Which of the following commands will you use?

A.
history ##

B.
history !#

C.
history !!

D.
history !1

Answer: C
Explanation:

The history !! command shows the previously entered command in the bash shell. In the bash
shell, the history command is used to view the recently executed commands. History is on by
default. A user can turn off history using the command set +o history and turn it on using set -o
history. An environment variable HISTSIZE is used to inform bash about how many history lines
should be kept.

The following commands are frequently used to view and manipulate history:

Answer: B is incorrect. The history !# command shows the entire command line typed.

Answer: D is incorrect. The history !n command shows the nth command typed. Since n is equal to
1 in this command, the first command will be shown.

Answer: A is incorrect. It is not a valid command.


QUESTION NO: 105

You have been assigned a project to develop a Web site for a construction company. You have to
develop a Web site and want to get more control over the appearance and presentation of your
Web pages. You also want to increase the ability to precisely specify the location and appearance
of the elements on a page and create special effects. You plan to use Cascading style sheets
(CSS). You want to apply the same style consistently throughout your Web site.

Which type of style sheet will you use?

A.
Internal Style Sheet

B.
External Style Sheet

C.
Inline Style Sheet

D.
Embedded Style Sheet

Answer: B
Explanation:

To apply the same style consistently throughout your Web site, you should use an external style
sheet. Cascading style sheets (CSS) are used so that Web site authors can exercise greater
control over the appearance and presentation of their Web pages, and because they increase
the ability to precisely specify the location and look of elements on a Web page and help in
creating special effects.

Cascading Style Sheets have codes, which are interpreted and applied by the browser on to the
Web pages and their elements.

There are three types of cascading style sheets.

External Style Sheets are used whenever consistency in style is required throughout a Web site. A
typical external style sheet uses a .css file extension, which can be edited using a text editor such
as Notepad.

Embedded Style Sheets are used for defining styles for an active page.

Inline Style Sheets are used for defining individual elements of a page.

Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number:
Q179628


QUESTION NO: 106

Which of the following can be the countermeasures to prevent NetBIOS NULL session
enumeration in Windows 2000 operating systems?

A.
Denying all unauthorized inbound connections to TCP port 53

B.
Disabling SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the
interface

C.
Editing the registry key HKLM\SYSTEM\CurrentControlSet\LSA and adding the value
RestrictAnonymous

D.
Disabling TCP port 139/445

Answer: B,C,D
Explanation:

NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part
of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL
session vulnerabilities:

1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a
Network Administrator.

2. A Network Administrator can also disable SMB services entirely on individual hosts by
unbinding WINS Client TCP/IP from the interface.

3. A Network Administrator can also restrict the anonymous user by editing the registry values:

- a. Open regedt32, and go to HKLM\SYSTEM\CurrentControlSet\LSA.

- b. Choose Edit > Add Value.

Value name: RestrictAnonymous
Data Type: REG_DWORD
Value: 2

Answer: A is incorrect. TCP port 53 is the default port for DNS zone transfer. Although disabling it
can help restrict DNS zone transfer enumeration, it is not useful as a countermeasure against the
NetBIOS NULL session enumeration.


QUESTION NO: 107

From an auditing perspective, database security can be broken down into four key categories:

Server Security

Database Connections

Table Access Control

Restricting Database Access.

Which of the following categories leads to the process of limiting access to the database server?

A.
Table access control

B.
Database connections

C.
Restricting database access

D.
Server security

Answer: D
Explanation:

Server security is the process of limiting access to the database server. This is one of the most
basic and most important components of database security. It is imperative that an organization
not let their database server be visible to the world. If an organization's database server is
supplying information to a web server, then it should be configured to allow connections only from
that web server. Also, every server should be configured to allow only trusted IP addresses.

Answer: B is incorrect. With regard to database connections, system administrators should not
allow immediate unauthenticated updates to a database. If users are allowed to make updates to a
database via a web page, the system administrator should validate all updates to make sure that
they are warranted and safe. Also, the system administrator should not allow users to use their
designation of "sa" when accessing the database. This gives employees complete access to all of
the data stored on the database regardless of whether or not they are authenticated to have such
access.

Answer: A is incorrect. Table access control is related to an access control list, which is a table
that tells a computer operating system which access rights each user has to a particular system
object. Table access control has been referred to as one of the most overlooked forms of
database security. This is primarily because it is so difficult to apply. In order to properly use table
access control, the system administrator and the database developer need to collaborate with
each other.

Answer: C is incorrect. Restricting database access is important especially for the companies that
have their databases uploaded on the Internet. Internet-based databases have been the most
recent targets of attacks, due to their open access or open ports. It is very easy for criminals to
conduct a "port scan" to look for ports that are open that popular database systems are using by
default. The ports that are used by default can be changed, thus throwing off a criminal looking for
open ports set by default.

Following are the security measures that can be implemented to prevent open access from the
Internet:

Trusted IP addresses: Servers can be configured to answer pings from a list of trusted hosts only.

Server account disabling: The server ID can be suspended after three password attempts.

Special tools: Products can be used to send an alert when an external server is attempting to
breach the system's security. One such example is Real Secure by ISS.

QUESTION NO: 108

John works as a Network Auditor for XYZ CORP. The company has a Windows-based network.
John wants to conduct risk analysis for the company.

Which of the following can be the purpose of this analysis? (Choose three.)

A.
To ensure absolute safety during the audit

B.
To analyze exposure to risk in order to support better decision-making and proper management of
those risks

C.
To try to quantify the possible impact or loss of a threat

D.
To assist the auditor in identifying the risks and threats

Answer: B,C,D
Explanation:

There are many purposes of conducting risk analysis, which are as follows:

Answer: A is incorrect. The analysis of risk does not ensure absolute safety. The main purpose of
using a risk-based audit strategy is to ensure that the audit adds value with meaningful
information.

QUESTION NO: 109

Which of the following methods is used to get a cookie from a client?

Note: Here, request is a reference of type HttpServletRequest, and response is a reference of type
HttpServletResponse.

A.
Cookie [] cookies = request.getCookies();

B.
Cookie [] cookies = request.getCookie(String str)

C.
Cookie [] cookies = response.getCookie(String str)

D.
Cookie[] cookies = response.getCookies()

Answer: A
Explanation:

The getCookies() method of the HttpServletRequest interface is used to get the cookies from a
client. This method returns an array of cookies.

Answer: B, C are incorrect. The getCookie(String str) method does not exist.

Answer: D is incorrect. The getCookies() method is present in the HttpServletRequest interface
and not in the HttpServletResponse interface.

QUESTION NO: 110

You work as a Software Developer for UcTech Inc. You build an online book shop, so that users
can purchase books using their credit cards. You want to ensure that only the administrator can
access the credit card information sent by users.

Which security mechanism will you use to accomplish the task?

A.
Confidentiality

B.
Data integrity

C.
Authentication

D.
Authorization

Answer: A
Explanation:

Confidentiality is a mechanism that ensures that only the intended authorized recipients are able
to read data. The data is so encrypted that even if an unauthorized user gets access to it, he will
not get any meaning out of it.

Answer: D is incorrect. Authorization is a process that verifies whether a user has permission to
access a Web resource. A Web server can restrict access to some of its resources to only those
clients that log in using a recognized username and password. To be authorized, a user must first
be authenticated.

Answer: C is incorrect. Authentication is the process of verifying the identity of a user. This is
usually done using a user name and password. This process compares the provided user name
and password with those stored in the database of an authentication server.

Answer: B is incorrect. Data integrity is a mechanism that ensures that the data is not modified
during transmission from source to destination. This means that the data received at the
destination should be exactly the same as that sent from the source.

QUESTION NO: 111

Which of the following is an enterprise-grade network/application/performance monitoring platform
that tightly integrates with other smart building management systems, such as physical access
control, HVAC, lighting, and time/attendance control?

A.
Airwave Management Platform

B.
Andrisoft WANGuard Platform

C.
akk@da

D.
Aggregate Network Manager

Answer: D
Explanation:

Aggregate Network Manager is an enterprise-grade network/application/performance monitoring
platform that tightly integrates with other smart building management systems, such as physical
access control, HVAC, lighting, and time/attendance control.

Answer: A is incorrect. Airwave Management Platform (AMP) is wireless network management
software. It offers centralized control for Wi-Fi networks. Some of its common features are access
point configuration management, reporting, user tracking, help desk views, and rogue AP
discovery.

Answer: C is incorrect. akk@da is a simple network monitoring system. It is designed for small
and medium-sized computer networks. Its function is to quickly detect system or network faults
and display information about the detected faults to the administrators. It collects the information
every minute (a user can decrease this period to 1 second). Almost all services of the monitored
hosts are discovered automatically.

Answer: B is incorrect. Andrisoft WANGuard Platform offers solutions for various network issues
such as WAN links monitoring, DDoS detection and mitigation, traffic accounting, and graphing.

QUESTION NO: 112

Sam works as a Network Administrator for Blue Well Inc. All client computers in the company run
the Windows Vista operating system. Sam creates a new user account. He wants to create a temporary
password for the new user such that the user is forced to change his password when he logs on
for the first time. Which of the following options will he choose to accomplish the task?

A.
User cannot change password

B.
Delete temporary password at next logon

C.
User must change password at next logon

D.
Password never expires

Answer: C
Explanation:

Enabling the "User must change password at next logon" option makes the given password a
temporary password. Enabling this option forces a user to change his existing password at next
logon.

Answer: B is incorrect. There is no such option in Windows Vista.

Answer: D is incorrect. This option sets the password to never expire.

Answer: A is incorrect. This option sets the existing password as a permanent password for the
user. Only administrators can change the password of the user.

QUESTION NO: 113

You work as a Web Developer for XYZ CORP. The company has a Windows-based network. You
have been assigned the task to secure the website of the company. To accomplish the task, you
want to use a website monitoring service.

What are the tasks performed by a website monitoring service?

A.
It checks the health of various links in a network using end-to-end probes sent by agents located
at vantage points in the network.

B.
It checks SSL Certificate Expiry.

C.
It checks HTTP pages.

D.
It checks Domain Name Expiry.

Answer: B,C,D
Explanation:

A website monitoring service can check HTTP pages, HTTPS, FTP, SMTP, POP3, IMAP, DNS,
SSH, Telnet, SSL, TCP, PING, Domain Name Expiry, SSL Certificate Expiry, and a range of other
ports with a great variety of check intervals, from every four hours to every minute. Typically,
most website monitoring services test a server anywhere between once per hour and once per
minute. Advanced services offer in-browser web transaction monitoring based on browser add-ons
such as Selenium or iMacros. These services test a website by remotely controlling a large
number of web browsers. Hence, they can also detect website issues such as JavaScript bugs that are
browser specific.

Answer: A is incorrect. This task is performed under network monitoring. Network tomography
deals with monitoring the health of various links in a network using end-to-end probes sent by
agents located at vantage points in the network/Internet.

QUESTION NO: 114

Which of the following statements is true about residual risks?

A.
It is the probabilistic risk after implementing all security measures.

B.
It can be considered as an indicator of threats coupled with vulnerability.

C.
It is a weakness or lack of safeguard that can be exploited by a threat.

D.
It is the probabilistic risk before implementing all security measures.

Answer: A
Explanation:

The residual risk is the risk or danger of an action or an event, a method or a (technical) process
that still carries these dangers even if all theoretically possible safety measures were
applied. The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk
is (threats x vulnerability).

Answer: B is incorrect. In information security, security risks are considered as an indicator of
threats coupled with vulnerability. In other words, security risk is a probabilistic function of a given
threat agent exercising a particular vulnerability and the impact of that risk on the organization.
Security risks can be mitigated by reviewing and taking responsible actions based on possible
risks.

Answer: C is incorrect. Vulnerability is a weakness or lack of safeguard that can be exploited by a
threat, thus causing harm to the information systems or networks. It can exist in hardware,
operating systems, firmware, applications, and configuration files. Vulnerability has been variously
defined in the current context as follows:

1. A security weakness in a Target of Evaluation due to failures in analysis, design,
implementation, or operation and such.

2. Weakness in an information system or components (e.g. system security procedures, hardware
design, or internal controls) that could be exploited to produce an information-related misfortune.

3. The existence of a weakness, design, or implementation error that can lead to an unexpected,
undesirable event compromising the security of the system, network, application, or protocol
involved.

QUESTION NO: 115

Which of the following tools is a Windows-based commercial wireless LAN analyzer for IEEE
802.11b and supports all high level protocols such as TCP/IP, NetBEUI, and IPX?

A.
SamSpade

B.
John the Ripper

C.
Cheops-ng

D.
AiroPeek

Answer: D
Explanation:

AiroPeek is a Windows-based commercial wireless LAN analyzer for IEEE 802.11b. It supports all
high level protocols such as TCP/IP, NetBEUI, IPX, etc. It can be used to perform the following
tasks:

Answer: A is incorrect. Sam Spade is a penetration-testing tool that is used in the discovery
phase. It provides a GUI and a lot of functionality. It can perform mainly whois queries,
ping requests, DNS requests, tracerouting, OS fingerprinting, zone transfers, SMTP mail relay
checking, and Web site crawling and mirroring. Sam Spade runs on Windows operating systems.

Answer: B is incorrect. John the Ripper is a fast password cracking tool that is available for most
versions of UNIX, Windows, DOS, BeOS, and Open VMS. It also supports Kerberos, AFS, and
Windows NT/2000/XP/2003 LM hashes. John the Ripper requires a user to have a copy of the
password file.

Answer: C is incorrect. Cheops-ng is a network management tool that is used for mapping and
monitoring networks. It can detect a network of a host and provides OS detection for hosts. On
some services, Cheops-ng is able to see what program is running for a service and what is the
version number of that program. The main difference between Cheops and Cheops-ng is that
Cheops-ng does not have monitoring capabilities.

QUESTION NO: 116

On which of the following does a CGI program execute?

A.
Router

B.
Web server

C.
Client

D.
Client and Web server

Answer: B
Explanation:

The Common Gateway Interface (CGI) specification is used for creating executable programs that
run on a Web server. CGI defines the communication link between a Web server and Web
applications. It gives a network or Internet resource access to specific programs. For example,
when users submit an HTML form on a Web site, CGI is used to pass this information to a remote
application for processing, and retrieve the results from the application. It then returns these
results to the user by means of an HTML page.

Answer: A is incorrect. CGI programs do not execute on routers.

QUESTION NO: 117

Which of the following is required by a Web-based application to connect to a database?

A.
DSN

B.
DNS

C.
CGI

D.
FQDN

Answer: A
Explanation:

A Web-based application uses a Data Source Name (DSN) to connect to a database. A DSN is a
logical name used by Open Database Connectivity (ODBC) to refer to the connection information
required to access data.

Answer: C is incorrect. The Common Gateway Interface (CGI) specification is used for creating
executable programs that run on a Web server. CGI defines the communication link between a
Web server and Web applications. It gives a network or Internet resource access to specific
programs. For example, when users submit an HTML form on a Web site, CGI is used to pass this
information to a remote application for processing, and retrieve the results from the application. It
then returns these results to the user by means of an HTML page.

Answer: D is incorrect. Fully Qualified Domain Name (FQDN) is a unique name of a host or
computer, which represents its position in the hierarchy. An FQDN begins with a host name and
ends with the top-level domain name. FQDN includes the second-level domain and other lower
level domains.

For example, the FQDN of the address HTTP://WWW.UNI.ORG will be WWW.UNI.ORG where
WWW is the host name, UNI is the second-level domain, and ORG is the top-level domain name.

Answer: B is incorrect. Domain Name System (DNS) is a hierarchical naming system used for
locating domain names on private TCP/IP networks and the Internet. It provides a service for
mapping DNS domain names to IP addresses and vice versa. DNS enables users to use friendly
names to locate computers and other resources on an IP network. TCP/IP uses IP addresses to
locate and connect to hosts, but for users, it is easier to use names instead of IP address to locate
or connect to a site.

For example, users will be more comfortable in using the host name www.mycompany.com rather
than using its IP address XX.XXX.XX.XXX.

QUESTION NO: 118

What is the purpose of Cellpadding attribute of <Table> tag?

A.
Cellpadding is used to set the width of cell border and its content.

B.
Cellpadding is used to set the width of a table.

C.
Cellpadding is used to set the space between the cell border and its content.

D.
Cellpadding is used to set the space between two cells in a table.

Answer: C
Explanation:

The Cellpadding attribute is used to set the space, in pixels, between the cell border and its content. If
you have not set the value of the Cellpadding attribute for a table, the browser takes the default value
of 1.

QUESTION NO: 119

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to see the local device files or 'links to device files' for a non-standard device driver.

Which of the following Unix configuration files should you use to accomplish the task?

A.
profile

B.
/etc/bootptab

C.
/dev/MAKEDEV

D.
/etc/aliases

Answer: C
Explanation:

In Unix, the /dev/MAKEDEV file is used by system administrators for local device files or links to
device files for a non-standard device driver.
Answer: A is incorrect. In Unix, the profile file stores the system wide environment and startup
script program.

Answer: D is incorrect. In Unix, the /etc/aliases file is where the user's name is matched to a
nickname for e-mail.

Answer: B is incorrect. In Unix, the /etc/bootptab file contains the configuration for the BOOTP
server daemon.

QUESTION NO: 120

Which of the following firewalls inspects the actual contents of packets?

A.
Circuit-level firewall

B.
Stateful inspection firewall

C.
Packet filtering firewall

D.
Application-level firewall

Answer: D
Explanation:

The application level firewall inspects the contents of packets, rather than the source/destination
or connection between the two. An Application level firewall operates at the application layer of the
OSI model.

Answer: A is incorrect. The circuit-level firewall regulates traffic based on whether or not a trusted
connection has been established. It operates at the session layer of the OSI model.

Answer: C is incorrect. The packet filtering firewall filters traffic based on the headers. It operates
at the network layer of the OSI model.

Answer: B is incorrect. The stateful inspection firewall assures the connection between the two
parties is valid and inspects packets from this connection to assure the packets are not malicious.

QUESTION NO: 121

Which of the following methods will free up bandwidth in a Wireless LAN (WLAN)?

A.
Change hub with switch.

B.
Deploying a powerful antenna.

C.
Disabling SSID broadcast.

D.
Implement WEP.

Answer: C
Explanation:

Disabling SSID broadcast will free up bandwidth in a WLAN environment. It is used to enhance
the security of a Wireless LAN (WLAN). It makes it difficult for attackers to find the access point
(AP). It is also used by enterprises to prevent curious people from trying to access the WLAN.

QUESTION NO: 122

You work as the Network Technician for XYZ CORP. The company has a Linux-based network.
You are working on the Red Hat operating system. You want to view only the last 4 lines of a file
named /var/log/cron. Which of the following commands should you use to accomplish the task?

A.
tail -n 4 /var/log/cron

B.
tail /var/log/cron

C.
cat /var/log/cron

D.
head /var/log/cron

Answer: A

Explanation:

The tail -n 4 /var/log/cron command will show the last four lines of the file /var/log/cron.

QUESTION NO: 123

Which of the following are the countermeasures against WEP cracking?

A.
Using the longest key supported by hardware.

B.
Changing keys often.

C.
Using a non-obvious key.

D.
Using a 16 bit SSID.

Answer: A,B,C
Explanation:

A user can use some countermeasures to prevent WEP cracking. WEP is the least secure option
and should not be used. However, a user can use the following methods to mitigate WEP cracking:

Use a non-obvious key.

Use the longest key supported by hardware.

Change keys often.

Use WEP in combination with other security features, such as rapid WEP key rotation and
dynamic keying using 802.1x.

Consider WEP a deterrent, not a guarantee.

Answer: D is incorrect. SSID stands for Service Set Identifier. It is used to identify a wireless
network. SSIDs are case sensitive text strings and have a maximum length of 32 characters. All
wireless devices on a wireless network must have the same SSID in order to communicate with
each other. The SSID on computers and the devices in WLAN can be set manually and
automatically. Configuring the same SSID as that of the other Wireless Access Points (WAPs) of
other networks will create a conflict. A network administrator often uses a public SSID that is set
on the access point. The access point broadcasts SSID to all wireless devices within its range.
Some newer wireless access points have the ability to disable the automatic SSID broadcast
feature in order to improve network security.

QUESTION NO: 124

Which of the following statements are true about SSIDs?

A.
Configuring the same SSID as that of the other Wireless Access Points (WAPs) of other networks
will create a conflict.

B.
SSIDs are case insensitive text strings and have a maximum length of 64 characters.

C.
All wireless devices on a wireless network must have the same SSID in order to communicate with
each other.

D.
SSID is used to identify a wireless network.

Answer: A,C,D
Explanation:

SSID stands for Service Set Identifier. It is used to identify a wireless network. SSIDs are case
sensitive text strings and have a maximum length of 32 characters. All wireless devices on a
wireless network must have the same SSID in order to communicate with each other. The SSID
on computers and the devices in WLAN can be set manually and automatically. Configuring the
same SSID as that of the other Wireless Access Points (WAPs) of other networks will create a
conflict. A network administrator often uses a public SSID that is set on the access point. The
access point broadcasts SSID to all wireless devices within its range. Some newer wireless
access points have the ability to disable the automatic SSID broadcast feature in order to improve
network security.

QUESTION NO: 125

Which of the following statements is NOT true about FAT16 file system?

A.

FAT16 file system works well with large disks because the cluster size increases as the disk
partition size increases.

B.
FAT16 file system supports file-level compression.

C.
FAT16 does not support file-level security.

D.
FAT16 file system supports Linux operating system.

Answer: A,B
Explanation:

FAT16 file system was developed for disks larger than 16MB. It uses 16-bit allocation table
entries. FAT16 file system supports all Microsoft operating systems. It also supports OS/2 and
Linux.

Answer: C, D are incorrect. All these statements are true about FAT16 file system.

QUESTION NO: 126

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He has a data.txt file in
which each column is separated by the TAB character. Now, he wants to use this file as input for a
data mining software he has created. The problem preventing him from accomplishing his task is
that with his data mining software, he has used TAB as a delimiter to distinguish between
columns. Hence, he is unable to use this file as input for the software. However, if he somehow
replaces the TAB characters of the file with SPACE characters, he can use this file as an input file
for his data mining software. Which of the following commands will John use to replace the TAB
characters of the file with SPACE characters?

A.
expand -t 1 data.txt > data.txt

B.
cat data.txt

C.
chmod 755 data.txt

D.
touch data.txt

Answer: A
Explanation:

According to the scenario, John can replace the TAB characters with single space characters with
the expand command. With the expand -t 1 data.txt > data.txt command, the TABs of data.txt are
changed into single spaces and are redirected by using the > command into the data.txt file. Now,
John can use the data.txt file as the input file for his data mining software.

QUESTION NO: 127

You are concerned about possible hackers doing penetration testing on your network as a prelude
to an attack. What would be most helpful to you in finding out if this is occurring?

A.
Examining your antivirus logs

B.
Examining your domain controller server logs

C.
Examining your firewall logs

D.
Examining your DNS Server logs

Answer: C
Explanation:

Firewall logs will show all incoming and outgoing traffic. By examining those logs, you can see the
port scans and other penetration testing tools that have been used against your firewall.

QUESTION NO: 128

Mark works as a Network Administrator for NetTech Inc. The company has a Windows 2003
Active Directory domain-based network. The domain consists of a domain controller, two Windows
2003 member servers, and one hundred client computers. The company employees use laptops
with Windows XP Professional. These laptops are equipped with wireless network cards that are
used to connect to access points located in the Marketing department of the company. The
company employees log on to the domain by using a user name and password combination. The
wireless network has been configured with WEP in addition to 802.1x. Mark wants to provide the
best level of security for the kind of authentication used by the company. What will Mark do to
accomplish the task?

A.
Use IPSec

B.
Use MD5

C.
Use PEAP

D.
Use EAP-TLS

Answer: C
Explanation:

In order to provide the best level of security for the kind of authentication used by the company,
Mark will have to use the PEAP protocol. This protocol will provide the strongest password-based
authentication for a WEP solution with 802.1x. Implementing 802.1x authentication for wireless
security requires using an Extensible Authentication Protocol (EAP)-based method for
authentication. There are two EAP-based methods:

1. EAP-Transport Layer Security (EAP-TLS)

2. Protected EAP (PEAP)

Answer: A is incorrect. IPSec has nothing to do with this issue.

QUESTION NO: 129

You have to ensure that your Cisco Router is only accessible via telnet and ssh from the following
hosts and subnets: 10.10.2.103 10.10.0.0/24 Which of the following sets of commands will you
use to accomplish the task?

A.
access-list 10 permit host 10.10.2.103 access-list 10 permit 10.10.0.0 0.0.0.255 access-list 10
deny any line vty 0 4 access-class 10 out

B.
access-list 10 permit 10.10.2.103 access-list 10 permit 10.10.0.0 0.0.0.255 access-list 10 deny
any line vty 0 4 access-group 10 in

C.
access-list 10 permit host 10.10.2.103 access-list 10 permit 10.10.0.0 0.0.0.255 access-list 10
deny any line vty 0 4 access-class 10 in

D.
access-list 10 permit host 10.10.2.103 access-list 11 permit host 10.10.0.0 255.255.255.0
access-list 12 deny any line vty 0 4 access-group 10, 11, 12 in

Answer: C
Explanation:

In order to accomplish the task, you will have to run the following set of commands:

access-list 10 permit host 10.10.2.103

access-list 10 permit 10.10.0.0 0.0.0.255

access-list 10 deny any

line vty 0 4

access-class 10 in

This configuration set meets all the requirements. The ACL is correctly configured and is applied
to the VTY lines using the access-class command for inbound connections.

Answer: D is incorrect. This configuration actually creates 3 separate ACL's (10, 11, and 12) and
also incorrectly attempts to apply the ACL's to the VTY lines.

Answer: A is incorrect. This configuration is correct except for the access-class command being
applied in the outbound direction. When using "access-class out", the router will not match
connections coming into the router for Telnet and/or SSH. Instead, it will match connections being
generated from the router.

Answer: B is incorrect. This configuration is correct except for the access-group command.
Access-group is used to apply ACLs to an interface. Access-class is used to apply ACLs to VTY
lines.

QUESTION NO: 130

Which of the following is a prevention-driven activity to reduce errors in the project and to help the
project meet its requirements?

A.
Audit sampling

B.
Asset management

C.
Access control

D.
Quality assurance

Answer: D
Explanation:

Quality assurance is the application of planned, systematic quality activities to ensure that the
project will employ all processes needed to meet requirements. It is a prevention-driven activity to
reduce errors in the project and to help the project meet its requirements.

Answer: A is incorrect. Audit sampling is an application of the audit procedure that enables the IT
auditor to evaluate audit evidence within a class of transactions for the purpose of forming a
conclusion concerning the population. When designing the size and structure of an audit sample,
the IT auditor should consider the audit objectives determined when planning the audit, the nature
of the population, and the sampling and selection methods.

Answer: C is incorrect. The process of limiting access to the resources of a Web site is called
access control.

Access control can be performed in the following ways:

Answer: B is incorrect. It is the practice of managing the whole life cycle (design, construction,
commissioning, operating, maintaining, repairing, modifying, replacing and
decommissioning/disposal) of physical and infrastructure assets such as structures, production,
distribution networks, transport systems, buildings, and other physical assets.

QUESTION NO: 131

You are concerned about attackers simply passing by your office, discovering your wireless
network, and getting into your network via the wireless connection. Which of the following are NOT
steps in securing your wireless connection? (Choose two.)

A.
Hardening the server OS

B.
Using either WEP or WPA encryption

C.
MAC filtering on the router

D.
Strong password policies on workstations.

E.
Not broadcasting SSID

Answer: A,D
Explanation:

Both hardening the server OS and using strong password policies on workstations are good ideas,
but neither has anything to do with securing your wireless connection.

Answer: B is incorrect. Using WEP or WPA is one of the most basic security steps in securing your
wireless.

QUESTION NO: 132

Which of the following key combinations in the vi editor is used to copy the current line?

A.
dk

B.
yy

C.
d$

D.
dl

Answer: B
Explanation:

The yy key combination in the vi editor is used to copy the current line. The vi editor is an
interactive, cryptic, and screen-based text editor used to create and edit a file. It operates in either
Input mode or Command mode. In Input mode, the vi editor accepts a keystroke as text and
displays it on the screen, whereas in Command mode, it interprets keystrokes as commands. As
the vi editor is case sensitive, it interprets the same character or characters as different
commands, depending upon whether the user enters a lowercase or uppercase character. When a
user starts a new session with vi, he must put the editor in Input mode by pressing the "I" key. If he
is not able to see the entered text on the vi editor's screen, it means that he has not put the editor
in Insert mode. The user must change the editor to Input mode before entering any text so that he
can see the text he has entered.

Answer: D is incorrect. It deletes the next character to the right of the cursor.

Answer: A is incorrect. It deletes the current line and one line above.

Answer: C is incorrect. It deletes from the cursor till the end of the line.

QUESTION NO: 133

Data mining is a process of sorting through data to identify patterns and establish relationships.
Which of the following data mining parameters looks for patterns where one event is connected to
another event?

A.
Sequence or path analysis

B.
Forecasting

C.
Clustering

D.
Association

Answer: D
Explanation:

Data mining is a process of sorting through data to identify patterns and establish relationships.
Following are the data mining parameters:

QUESTION NO: 134

In which of the following social engineering attacks does an attacker first damage any part of the
target's equipment and then advertise himself as an authorized person who can help fix the
problem?

A.
Reverse social engineering attack

B.
Impersonation attack

C.
Important user posing attack

D.
In person attack

Answer: A
Explanation:

A reverse social engineering attack is a person-to-person attack in which an attacker convinces
the target that he or she has a problem or might have a certain problem in the future and that he,
the attacker, is ready to help solve the problem. Reverse social engineering is performed through
the following steps:

An attacker first damages the target's equipment.

He next advertises himself as a person of authority, ably skilled in solving that problem.

In this step, he gains the trust of the target and obtains access to sensitive information.

If this reverse social engineering is performed well enough to convince the target, he often calls
the attacker and asks for help.

Answer: B, C, D are incorrect. Person-to-Person social engineering works on the personal level. It
can be classified as follows:

Impersonation: In the impersonation social engineering attack, an attacker pretends to be
someone else, for example, the employee's friend, a repairman, or a delivery person.

In Person Attack: In this attack, the attacker just visits the organization and collects information. To
accomplish such an attack, the attacker can call a victim on the phone, or might simply walk into
an office and pretend to be a client or a new worker.

Important User Posing: In this attack, the attacker pretends to be an important member of the
organization. This attack works because there is a common belief that it is not good to question
authority.

Third-Party Authorization: In this attack, the attacker tries to make the victim believe that he has
the approval of a third party. This works because people believe that most people are good and
they are being truthful about what they are saying.

QUESTION NO: 135

Which of the following commands can be used to find out where commands are located?

A.
type
B.
which

C.
env

D.
ls

Answer: A,B
Explanation:

The which and type commands can be used to find out where commands are located.

QUESTION NO: 136

Which of the following applications work as mass-emailing worms? (Choose two.)

A.
Chernobyl virus

B.
I LOVE YOU virus

C.
Nimda virus

D.
Melissa virus

Answer: B,C
Explanation:

The Nimda and I LOVE YOU viruses work as mass-emailing worms.

QUESTION NO: 137

Which of the following text editing tools can be used to edit text files without having to open them?

A.
less

B.
sed

C.
vi

D.
more

Answer: B
Explanation:

The Unix utility sed (stream editor) is a text editing tool that can be used to edit text files without
having to open them. This utility parses text files and implements a programming language which
can apply textual transformations to such files. It reads input files line by line (sequentially),
applying the operation which has been specified via the command line (or a sed script), and then
outputs the line.

Answer: D is incorrect. The more command is used to view (but not modify) the contents of a text
file on the terminal screen at a time. The syntax of the more command is as follows: more [options]
file_name Where,

Answer: A is incorrect. The less command is used to view (but not change) the contents of a text
file, one screen at a time. It is similar to the more command. However, it has the extended
capability of allowing both forward and backward navigation through the file. Unlike most Unix text
editors/viewers, less does not need to read the entire file before starting; therefore, it has faster
load times with large files. The command syntax of the less command is as follows: less [options]
file_name Where,

Answer: C is incorrect. The vi editor is an interactive, cryptic, and screen-based text editor used to
create and edit a file. It operates in either Input mode or Command mode. In Input mode, the vi
editor accepts a keystroke as text and displays it on the screen, whereas in Command mode, it

interprets keystrokes as commands. As the vi editor is case sensitive, it interprets the same
character or characters as different commands, depending upon whether the user enters a
lowercase or uppercase character. When a user starts a new session with vi, he must put the
editor in Input mode by pressing the "I" key. If he is not able to see the entered text on the vi
editor's screen, it means that he has not put the editor in Insert mode. The user must change the
editor to Input mode before entering any text so that he can see the text he has entered.

QUESTION NO: 138

You work as a Software Developer for UcTech Inc. You want to ensure that a class is informed
whenever an attribute is added, removed, or replaced in a session. Which of the following is the
event that you will use to accomplish the task?

A.
HttpSessionBindingEvent

B.
HttpAttributeEvent

C.
HttpSessionEvent

D.
HttpSessionAttributeEvent

Answer: A
Explanation:

To be informed whenever an attribute is added, removed, or replaced in a session, a class must
have a method that takes an HttpSessionBindingEvent as its parameter. The HttpSessionBindingEvent class
extends the HttpSessionEvent class. The HttpSessionBindingEvent class is used with the
following listeners:

HttpSessionBindingListener: It notifies the attribute when it is bound or unbound from a session.

HttpSessionAttributeListener: It notifies the class when an attribute is bound, unbound, or replaced
in a session.

The session binds the object by a call to the HttpSession.setAttribute() method and unbinds the
object by a call to the HttpSession.removeAttribute() method.

Answer: C is incorrect. The HttpSessionEvent is associated with the HttpSessionListener interface
and HttpSessionActivationListener.


QUESTION NO: 139

Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It
has two components, authentication and encryption. It provides security equivalent to wired
networks for wireless networks. WEP encrypts data on a wireless network by using a fixed secret
key. Which of the following statements are true about WEP?

A.
WEP uses the RC4 encryption algorithm.

B.
The Initialization Vector (IV) field of WEP is only 24 bits long.

C.
It provides better security than the Wi-Fi Protected Access protocol.

D.
Automated tools such as AirSnort are available for discovering WEP keys.

Answer: A,B,D
Explanation:

Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It
has two components, authentication and encryption. It provides security equivalent to wired
networks for wireless networks. WEP encrypts data on a wireless network by using a fixed secret
key. WEP uses the RC4 encryption algorithm. The main drawback of WEP is that its Initialization
Vector (IV) field is only 24 bits long. Many automated tools such as AirSnort are available for
discovering WEP keys.

Answer: C is incorrect. WPA stands for Wi-Fi Protected Access. It is a wireless security standard.
It provides better security than WEP (Wired Equivalent Protection). Windows Vista supports both
WPA-PSK and WPA-EAP.

Each of these is described as follows:

QUESTION NO: 140

Victor works as a professional Ethical Hacker for SecureEnet Inc. He wants to scan the wireless
network of the company. He uses a tool that is a free open-source utility for network exploration.
The tool uses raw IP packets to determine the following:

What ports are open on our network systems.

What hosts are available on the network.

Identify unauthorized wireless access points.

What services (application name and version) those hosts are offering.

What operating systems (and OS versions) they are running.

What type of packet filters/firewalls are in use.

Which of the following tools is Victor using?

A.
Nessus

B.
Sniffer

C.
Nmap

D.
Kismet

Answer: C
Explanation:

Nmap is a free open-source utility for network exploration and security auditing. It is used to
discover computers and services on a computer network, thus creating a "map" of the network.
Just like many simple port scanners, Nmap is capable of discovering passive services. In addition,
Nmap may be able to determine various details about the remote computers. These include
operating system, device type, uptime, software product used to run a service, exact version
number of that product, presence of some firewall techniques and, on a local area network, even
vendor of the remote network card. Nmap runs on Linux, Microsoft Windows etc.

Answer: D is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.
Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the
following tasks:

Answer: A is incorrect. Nessus is a proprietary comprehensive vulnerability scanning software. It is
free of charge for personal use in a non-enterprise environment. Its goal is to detect potential
vulnerabilities on the tested systems. It is capable of checking various types of vulnerabilities,
some of which are as follows:

Answer: B is incorrect. A sniffer is a software tool that is used to capture any network traffic. Since
a sniffer changes the NIC of the LAN card into promiscuous mode, the NIC begins to record
incoming and outgoing data traffic across the network. A sniffer attack is a passive attack because
the attacker does not directly connect with the target host. This attack is most often used to grab
logins and passwords from network traffic. Tools such as Ethereal, Snort, Windump, EtherPeek,
Dsniff are some good examples of sniffers. These tools provide many facilities to users such as
graphical user interface, traffic statistics graph, multiple sessions tracking, etc.

QUESTION NO: 141

You work as a Network Auditor for XYZ CORP. The company has a Windows-based network. You
use DumpSec as an auditing and reporting program for security issues. Which of the following
statements is true about DumpSec? (Choose three.)

A.
It obtains the DACLs for the registry.

B.
It dumps user and group information.

C.
It collates the DACLs for the file system.

D.
It kills the running services in the Windows environment.

Answer: A,B,C
Explanation:

DumpSec, a program launched by Somarsoft, is a security auditing and reporting program for
Microsoft Windows. It collates and obtains the permissions (DACLs) and audit settings (SACLs)
for the file system, registry, printers, and shares in a concise, readable format, so that holes in
system security are readily apparent. DumpSec also dumps user, group, and replication
information, policies, as well as services (Win32) and kernel drivers loaded on the system. It can
also report the current status of services (running or stopped) in the Windows environment.

Answer: D is incorrect. It cannot kill running services. It can only report the current status of
services (running or stopped) in the Windows environment.

QUESTION NO: 142

You work as a Network Administrator for Tech Perfect Inc. You need to configure the company
firewall so that only Simple Network Management Protocol (SNMP) and Secure HTTP (HTTPS)
traffic is allowed into the intranet of the company. No other traffic should be allowed into the
intranet. Which of the following rule sets should you use on your firewall to accomplish the task?
(Assume left to right equals top to bottom.)

A.
Output chain: allow port 443, allow 25, deny all

B.
Input chain: deny all, allow port 25, allow 443

C.
Input chain: allow port 25, allow 443, deny all

D.
Output chain: allow port 25, allow 443, deny all

Answer: C
Explanation:

In the given rule set, 'Input chain' defines that the rule is for the incoming traffic, i.e., traffic coming
from the intranet to the Internet. Port 25 is being allowed for SNMP traffic and port 443 for the
HTTPS traffic. Deny all is being used after allowing port 25 and 443; hence, all the other traffic will
be denied.

Answer: B is incorrect. Deny all is executed first; hence, all the traffic will be denied including port
25 and 443.

Answer: A, D are incorrect. These rule sets are used for outgoing traffic, i.e., traffic going from the
intranet to the Internet as the 'Output chain' rule is being used.

QUESTION NO: 143

You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. You want to configure the ACL with a Cisco router. Which of the following router prompts
can you use to accomplish the task?

A.
router(config-if)#

B.
router(config)#

C.
router(config-ext-nacl)#

D.
router#
Answer: C
Explanation:

The auditor of a Cisco router should be familiar with the variety of privilege modes. The current
privilege mode can be quickly identified by looking at the current router prompt. The prime modes
of a Cisco router are as follows:

QUESTION NO: 144

Audit trail or audit log is a chronological sequence of audit records, each of which contains
evidence directly pertaining to and resulting from the execution of a business process or system
function. Under which of the following controls does audit control come?

A.
Protective controls

B.
Reactive controls

C.
Detective controls

D.
Preventive controls

Answer: C
Explanation:

Audit trail or audit log comes under detective controls. Detective controls are the audit controls that
are not needed to be restricted. Any control that performs a monitoring activity can likely be
defined as a Detective Control. For example, it is possible that mistakes, either intentional or
unintentional, can be made. Therefore, an additional Protective control is that these companies
must have their financial results audited by an independent Certified Public Accountant. The role
of this accountant is to act as an auditor. In fact, any auditor acts as a Detective control. If the
organization in question has not properly followed the rules, a diligent auditor should be able to
detect the deficiency which indicates that some control somewhere has failed.

Answer: B is incorrect. Reactive or corrective controls typically work in response to a detective
control, responding in such a way as to alert or otherwise correct an unacceptable condition. Using
the example of account rules, either the internal Audit Committee or the SEC itself, based on the
report generated by the external auditor, will take some corrective action. In this way, they are
acting as a Corrective or Reactive control.

Answer: A, D are incorrect. Protective or preventative controls serve to proactively define and
possibly enforce acceptable behaviors. As an example, a set of common accounting rules are
defined and must be followed by any publicly traded company. Each quarter, any particular
company must publicly state its current financial standing and accounting as reflected by an
application of these rules. These accounting rules and the SEC requirements serve as protective
or preventative controls.

QUESTION NO: 145

Which of the following does an anti-virus program update regularly from its manufacturer's Web
site?

A.
Hotfixes

B.
Permissions

C.
Service packs

D.
Definition

Answer: D
Explanation:

An anti-virus program updates the virus definition file regularly from the anti-virus manufacturer's
Web site. Antivirus (or anti-virus) software is used to prevent, detect, and remove malware,
including computer viruses, worms, and trojan horses. Such programs may also prevent and
remove adware, spyware, and other forms of malware. Traditional antivirus software solutions run
virus scanners on a schedule or on demand, and some run scans in real time. If a virus or malware
is located, the suspect file is usually placed into quarantine to terminate its chances of disrupting
the system. Traditional antivirus solutions scan and compare against a publicized and regularly
updated dictionary of malware, otherwise known as a blacklist. Some antivirus solutions have
additional options that employ a heuristic engine which further examines the file to see if it is
behaving in a similar manner to previous examples of malware. A newer technology utilized by a
few antivirus solutions is whitelisting; this technology first checks if the file is trusted and only
questions those that are not. With the addition of wisdom of crowds, antivirus solutions back up
other antivirus techniques by harnessing the intelligence and advice of a community of trusted
users to protect each other.

Answer: C is incorrect. A service pack is a collection of fixes and patches bundled into a single
product. A service pack can be used to handle a large number of viruses and bugs or to update an
operating system with improved capabilities. A service pack usually contains a number of file
replacements.

Answer: A is incorrect. A hotfix is a collection of files used by Microsoft for software updates that
are released between major service pack releases. A hotfix addresses a problem, occurring under
specific circumstances, that cannot wait to be fixed until the next service pack release. Hotfixes
are generally related to security problems. Hence, it is essential to fix these problems as soon as
possible.

Answer: B is incorrect. An anti-virus program does not update Permissions regularly from its
manufacturer's Web site.

QUESTION NO: 146

Which of the following are the drawbacks of the NTLM Web authentication scheme?

A.
The password is sent in hashed format to the Web server.

B.
It works only with Microsoft Internet Explorer.

C.
The password is sent in clear text format to the Web server.

D.
It can be brute forced easily.

Answer: B,D
Explanation:

The following are the drawbacks of the NTLM Web Authentication Scheme: it works only with
Microsoft Internet Explorer, and it can be brute forced easily.

Answer: A, C are incorrect. NTLM authentication does not send the user's password (or a hashed
representation of the password) across the network. Instead, NTLM authentication utilizes a
challenge/response mechanism to ensure that the actual password never traverses the network.
How does it work? When the authentication process begins, the client sends a login request to the
telnet server. The server replies with a randomly generated 'token' to the client. The client hashes
the currently logged-on user's cryptographically protected password with the challenge and sends
the resulting "response" to the server. The server receives the challenge-hashed response and
compares it in the following manner:

The server takes a copy of the original token.

Now it hashes the token against the user's password hash from its own user account database.

If the received response matches the expected response, the user is successfully authenticated to
the host.
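The challenge/response exchange described above, modelled in Python as an added illustration (not the real NTLM algorithm and not code from the original text): SHA-256 and HMAC stand in for the NTLM primitives, and the "LOGIN user" message, the username and the passwords are made up.

```python
"""
Toy model of a challenge/response login (added illustration, not the actual
NTLM algorithm): the server holds only a password hash, sends a random token,
the client answers with a keyed hash of that token, and the server recomputes
the expected answer from its own copy. Neither the password nor its hash ever
appears on the wire, which is the property the explanation above relies on.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Credential the server stores. SHA-256 stands in for the NT hash
    (simplification; real NTLM derives it differently)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def make_challenge() -> bytes:
    """Randomly generated token the server sends after the login request."""
    return os.urandom(8)


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side: hash the challenge with the password hash as the key."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: take its own copy of the token, hash it against the stored
    password hash, and compare with what the client sent (constant time)."""
    expected = compute_response(stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_password: str, stored_hash: bytes, challenge=None):
    """Drive one login and return (authenticated, wire), where wire is the list
    of byte strings that crossed the network, in order."""
    if challenge is None:
        challenge = make_challenge()
    wire = [b"LOGIN user", challenge]          # made-up login request, then token
    response = compute_response(password_hash(client_password), challenge)
    wire.append(response)                      # only the keyed hash travels
    return server_verify(stored_hash, challenge, response), wire


def wire_leaks_secret(wire, password: str) -> bool:
    """True if the password (either encoding) or its hash appears in any
    transmitted message; used to check the 'never traverses' claim."""
    secrets = (password.encode("utf-16-le"), password.encode(), password_hash(password))
    return any(s in msg for msg in wire for s in secrets)


if __name__ == "__main__":
    stored = password_hash("correct horse")   # constructed credential
    ok, wire = run_exchange("correct horse", stored)
    print("authenticated:", ok, "| secret on the wire:", wire_leaks_secret(wire, "correct horse"))
```

Because every login gets a fresh token, a response captured from one exchange does not verify against the next challenge, which is why the token must be random and unique per login.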

QUESTION NO: 147

Which of the following tools uses Internet Control Message Protocol (ICMP)?

A.
Port scanner

B.
Brutus

C.
Fragroute

D.
Ping scanner

Answer: D
Explanation:

A ping scanner is a tool that sends ICMP ECHO requests across a network and rapidly makes a
list of responding nodes. Internet Control Message Protocol (ICMP) is an integral part of IP. It is
used to report an error in datagram processing. The Internet Protocol (IP) is used for host-to-host
datagram service in a network. The network is configured with connecting devices called
gateways. When an error occurs in datagram processing, gateways or destination hosts report the
error to the source hosts through the ICMP protocol. The ICMP messages are sent in various
situations, such as when a datagram cannot reach its destination, when the gateway cannot direct
the host to send traffic on a shorter route, when the gateway does not have the buffering capacity,
etc.

Answer: A, B, C are incorrect. These tools do not use ICMP to perform their functions.

QUESTION NO: 148

Which of the following statements about invalidating a session is true?

A.
The getCreationTime() method can be called on an invalidated session.

B.
The invalidate() method belongs to the HttpServletRequest interface.

C.
A session can be invalidated programmatically as well as using the deployment descriptor.

D.
The getAttribute(String name) method throws an IllegalArgumentException if called on an
invalidated session.

Answer: C
Explanation:

An existing session can be invalidated in the following two ways:

Setting timeout in the deployment descriptor:

This can be done by specifying the timeout between the <session-timeout> tags as follows:
<session-config> <session-timeout> 10 </session-timeout> </session-config>

This will set the time for session timeout to be ten minutes.

Setting timeout programmatically: This will set the timeout for a specific session.

The syntax for setting the timeout programmatically is as follows:

session.setMaxInactiveInterval(10*60)

In this method, the timeout is specified in seconds. Hence, this will set the time for the session
timeout to be ten minutes.

Answer: A is incorrect. The getCreationTime() method returns the time when the session was
created. The time is measured in milliseconds since midnight January 1, 1970. This method
throws an IllegalStateException if it is called on an invalidated session.

Answer: D is incorrect. The getAttribute(String name) method of the HttpSession interface returns
the value of the named attribute as an object. It returns a null value if no attribute with the given
name is bound to the session. This method throws an IllegalStateException if it is called on an
invalidated session.

Answer: B is incorrect. The invalidate() method belongs to the HttpSession interface.

QUESTION NO: 149

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to impose some special access restrictions on users. Which of the following Unix
configuration files can you use to accomplish the task?

A.
/var/run/utmp

B.
/etc/terminfo

C.
/etc/usertty

D.
/etc/termcap

Answer: C
Explanation:

In Unix, the /etc/usertty file is used to impose some special access restrictions on users.

Answer: B is incorrect. In Unix, the /etc/terminfo file contains the details for the terminal I/O.

Answer: A is incorrect. In Unix, the /var/run/utmp file contains information about the currently
logged in users. Mostly, the who and w commands use this file.

Answer: D is incorrect. In Unix, the /etc/termcap file works as a terminal capability database.

QUESTION NO: 150

You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. You want to use multiple security countermeasures to protect the integrity of the
information assets of the company. To accomplish the task, you need to create a complex and
multi-layered defense system. Which of the following components can be used as a layer that
constitutes 'Defense in depth'? (Choose three.)

A.
Backdoor

B.
Firewall

C.
Antivirus software

D.
Intrusion detection

Answer: B,C,D

Explanation:

The components of Defense in depth include antivirus software, firewalls, anti-spyware programs,
hierarchical passwords, intrusion detection, and biometric verification. In addition to electronic
countermeasures, physical protection of business sites along with comprehensive and ongoing
personnel training enhances the security of vital data against compromise, theft, or destruction.

Answer: A is incorrect. A backdoor is any program that allows a hacker to connect to a computer
without going through the normal authentication process. The main advantage of this type of
attack is that the network traffic moves from inside a network to the hacker's computer. The traffic
moving from inside a network to the outside world is typically the least restrictive, as companies
are more concerned about what comes into a network, rather than what leaves it. It, therefore,
becomes hard to detect backdoors.

QUESTION NO: 151

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to see the username, real name, home directory, encrypted password, and other
information about a user. Which of the following Unix configuration files can you use to accomplish
the task?

A.
/etc/passwd

B.
/etc/printcap

C.
/etc/hosts

D.
/etc/inittab

Answer: A
Explanation:

In Unix, the /etc/passwd file contains username, real name, home directory, encrypted password,
and other information about a user.

Answer: C is incorrect. In Unix, the /etc/hosts file lists the hosts for name lookup use that are
locally required.

Answer: D is incorrect. In Unix, the /etc/inittab file is the configuration file for init. It controls startup
run levels and determines scripts to start with.

Answer: B is incorrect. In Unix, the /etc/printcap file is the configuration file for printers.

QUESTION NO: 152

Which of the following statements are true about KisMAC?

A.
It scans for networks passively on supported cards.

B.
It cracks WEP and WPA keys by Rainbow attack or by dictionary attack.

C.
It is a wireless network discovery tool for Mac OS X.

D.
Data generated by KisMAC can also be saved in pcap format.

Answer: A,C,D
Explanation:

KisMAC is a wireless network discovery tool for Mac OS X. It has a wide range of features, similar
to those of Kismet, its Linux/BSD namesake and far exceeding those of NetStumbler, its closest
equivalent on Windows. The program is geared toward network security professionals, and is not
as novice-friendly as similar applications. KisMAC will scan for networks passively on supported
cards - including Apple's AirPort, and AirPort Extreme, and many third-party cards, and actively on
any card supported by Mac OS X itself. Cracking of WEP and WPA keys, both by brute force, and
exploiting flaws such as weak scheduling and badly generated keys is supported when a card
capable of monitor mode is used, and packet reinjection can be done with a supported card. GPS
mapping can be performed when an NMEA compatible GPS receiver is attached. Data can also
be saved in pcap format and loaded into programs such as Wireshark.

QUESTION NO: 153

You are the Network Administrator for a company. You have decided to conduct a user access
and rights review. Which of the following would be checked during such a review? (Choose three.)

A.
Access Control Lists

B.
Encryption Methods

C.
User Roles

D.
Firewalls

E.
Group Membership

Answer: A,C,E
Explanation:

A user access and rights review must check all users, what groups they belong to, what roles they
have, and what access they have. Furthermore, such a review should also check logs to see if
users are appropriately utilizing their system rights and privileges.

QUESTION NO: 154

You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-based
network. You have configured a firewall on the network. A filter has been applied to block all the
ports. You want to enable sending and receiving of emails on the network. Which of the following
ports will you open? (Choose two.)

A.
25

B.
20

C.
80

D.
110

Answer: A,D
Explanation:

In order to enable email communication, you will have to open ports 25 and 110. Port 25 is used
by SMTP to send emails. Port 110 is used by POP3 to receive emails.

QUESTION NO: 155

In which of the following attack techniques does an attacker try to intercept the successful
handshake and then use a dictionary attack to retrieve the shared key?

A.
Shared key guessing

B.
Brute force attack

C.
Dictionary attack

D.
PSK cracking

Answer: D
Explanation:

PSK cracking is an attack technique in which an attacker tries to intercept the successful
handshake and then uses a dictionary attack to retrieve the shared key.

Answer: A is incorrect. Shared key guessing is an attack technique in which an intruder by use of
various cracking tools tries to guess the shared key of a wireless network and gain access to it.

Answer: C is incorrect. A dictionary attack is a technique for defeating a cipher or authentication
mechanism by trying to determine its decryption key or passphrase by searching likely
possibilities. A dictionary attack uses a brute-force technique of successively trying all the words in
an exhaustive list (from a pre-arranged list of values). In contrast with a normal brute force attack,
where a large proportion of the key space is searched systematically, a dictionary attack tries only
those possibilities which are most likely to succeed, typically derived from a list of words in a
dictionary. Generally, dictionary attacks succeed because many people have a tendency to choose
passwords which are short (7 characters or fewer), single words found in dictionaries, or simple,
easily-predicted variations on words, such as appending a digit.

Answer: B is incorrect. In a brute force attack, an attacker uses software that tries a large number
of key combinations in order to get a password. To prevent such attacks, users should create
passwords that are more difficult to guess, e.g., using a minimum of six characters, alphanumeric
combinations, and lower-upper case combinations, etc.

QUESTION NO: 156

You work as a Software Developer for Mansoft Inc. You create an application and use it to create
users as members of the local Users group. Which of the following code snippets imperatively
demands that the current user is a member of the local Users group?

A.
System.AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
PrincipalPermission MyPermission = new PrincipalPermission(null, @"BUILTIN\Users", true);
MyPermission.Demand();

B.
PrincipalPermission MyPermission = new PrincipalPermission(null, @"BUILTIN\Users", true);
MyPermission.Demand();

C.
System.AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
PrincipalPermission MyPermission = new PrincipalPermission(null, @"Users", true);
MyPermission.Demand();

D.
PrincipalPermission MyPermission = new PrincipalPermission(null, @"Users", true);
MyPermission.Demand();

Answer: A,C
Explanation:

The PrincipalPermission class allows security checks against the active principal. This is done by
using the language constructs that are defined for both imperative and declarative security actions.
To perform an imperative security demand for membership in a built-in Microsoft Windows group,
you must first set the default principal policy to the Windows principal by calling the
SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal) statement. Construct a PrincipalPermission
object specifying the group name. To specify the group name, you can provide just the group
name, or you can preface the group name with either "BUILTIN\" or the computer name and a
backslash. Finally, call the PrincipalPermission.Demand method. There is another method of
identifying group membership, i.e. by using the PrincipalPermission class or the
PrincipalPermissionAttribute attribute derived from the System.Security.Permissions namespace.
The PrincipalPermission object identifies that the identity of the active principal should match its
information with the identity information that is passed to its constructor. The identity information
contains the user's identity name and role.

QUESTION NO: 157

You want to change the number of characters displaying on the screen while reading a txt file.
However, you do not want to change the format of the txt file. Which of the following commands
can be used to view (but not modify) the contents of the text file one screen at a time on the
terminal?

A.
cat

B.
tail

C.
less

D.
more

Answer: D
Explanation:

The more command is used to view (but not modify) the contents of a text file one screen at a time
on the terminal. The syntax of the more command is as follows: more [options] file_name Where,

Answer: A is incorrect. The concatenate (cat) command is used to display or print the contents of
a file. Syntax: cat filename For example, the following command will display the contents of the
/var/log/dmesg file: cat /var/log/dmesg

Note: The more command is used in conjunction with the cat command to prevent scrolling of the
screen while displaying the contents of a file.

Answer: C is incorrect. The less command is used to view (but not change) the contents of a text
file, one screen at a time. It is similar to the more command. However, it has the extended
capability of allowing both forward and backward navigation through the file. Unlike most Unix text
editors/viewers, less does not need to read the entire file before starting; therefore, it has faster
load times with large files. The command syntax of the less command is as follows: less [options]
file_name Where,

Answer: B is incorrect. The tail command is used to display the last few lines of a text file or piped
data.

QUESTION NO: 158

Zorp is a proxy firewall suite developed by Balabit IT Security. Which of the following statements
are true about Zorp?

A.
It allows the administrators to fine-tune proxy decisions.

B.
Zorp aims for compliance with the Common Criteria/Application Level Firewall Protection Profile
for Medium Robustness.

C.
It allows full analysis of embedded protocols.

D.
The GPL version of Zorp lacks much of the usability and functions from the other versions.

Answer: A,B,C
Explanation:

Zorp is a proxy firewall suite developed by Balabit IT Security. Its core framework allows the
administrator to fine-tune proxy decisions (with its built-in script language), and fully analyze
embedded protocols (such as SSL with an embedded POP3 or HTTP protocol). The FTP, HTTP,
FINGER, WHOIS, TELNET, and SSL protocols are fully supported with an application-level
gateway. Zorp aims for compliance with the Common Criteria/Application Level Firewall Protection
Profile for Medium Robustness. Zorp is released under GNU/GPL and commercial license too.
The GPL version is completely usable and functional; however, it lacks some of the more
advanced functions available in the commercially available version only. Some of the Zorp
supported protocols are Finger, Ftp, Http, Pop3, NNTP, IMAP4, RDP, RPC, SIP, SSL, SSH,
Telnet, Whois, LDAP, RADIUS, TFtp, SQLNet NET8, Rsh, etc.

Answer: D is incorrect. The GPL version of Zorp is completely usable and functional; however, it
lacks some of the more advanced functions available in the commercially available version only.

QUESTION NO: 159

Which of the following user authentications are supported by the SSH-1 protocol but not by the
SSH-2 protocol?

A.
TIS authentication

B.
Kerberos authentication

C.
Rhosts (rsh-style) authentication

D.
Password-based authentication

Answer: A,B,C
Explanation:

The Rhosts (rsh-style), TIS, and Kerberos user authentication methods are supported by the SSH-
1 protocol but not by the SSH-2 protocol.

Answer: D is incorrect. Password-based authentication is supported by both the SSH-1 and SSH-2
protocols.

QUESTION NO: 160

Samantha works as a Web Developer for XYZ CORP. She is designing a Web site for the
company. In a Web page, she uses the HTTP-EQUIV attribute to control the page cache. Which of
the following HTTP-EQUIV values controls the page cache in the browser folder?

A.
Window-target

B.
Status-code

C.
Content-type

D.
Pragma

Answer: D
Explanation:

HTTP-EQUIV is an attribute of the META tag. It sets or retrieves information used to bind the
META tag's content to an HTTP response header. The pragma value of HTTP-EQUIV controls the
page cache.

QUESTION NO: 161

Which of the following are the reasons for implementing a firewall in a network?

A.
Create a choke point

B.
Log Internet activity

C.
Log system activity

D.
Limit access control

E.
Implementing security policy

F.
Limit network host exposure

Answer: A,B,E,F
Explanation:

A firewall is a part of a computer system or network that is designed to block unauthorized access
while permitting authorized communications. It is a device or set of devices configured to permit,
deny, encrypt, decrypt, or proxy all computer traffic between different security domains based
upon a set of rules and other criteria. The four important roles of a firewall are as follows:

1. Implement security policy: A firewall is a first step in implementing the security policies of an
organization. Different policies are directly implemented at the firewall. A firewall can also work
with network routers to implement Type of Service (ToS) policies.

2. Creating a choke point: A firewall can create a choke point between a private network of an
organization and a public network. With the help of a choke point the firewall devices can monitor,
filter, and verify all inbound and outbound traffic.

3. Logging Internet activity: A firewall also enforces logging of the errors and faults. It also provides
an alarming mechanism to the network.

4. Limiting network host exposure: A firewall can create a perimeter around the network to protect
it from the Internet. It increases the security by hiding internal information.

QUESTION NO: 162

Which of the following aaa accounting commands should be used to enable logging of both the
start and stop records for user terminal sessions on the router?

A.
aaa accounting auth proxy start-stop tacacs+

B.
aaa accounting system none tacacs+

C.
aaa accounting connection start-stop tacacs+

D.
aaa accounting exec start-stop tacacs+

Answer: D
Explanation:

In order to enable logging of both start and stop records for user terminal sessions on the router,
the aaa accounting exec start-stop tacacs+ command should be used. The exec option performs
accounting for EXEC shell sessions.

Answer: B is incorrect. The aaa accounting system none tacacs+ command disables accounting
services on a specific interface for all system-level events that are not related to users, such as
reload.

Answer: C is incorrect. The aaa accounting connection start-stop tacacs+ command is used to
enable logging of both start and stop records for all outbound connections that are established
from the NAS (Network Access Server), such as Telnet, local-area transport (LAT), TN3270,
packet assembler and disassembler (PAD), and rlogin.

Answer: A is incorrect. The aaa accounting auth proxy start-stop tacacs+ command is used to
enable logging of both start and stop records for all authenticated proxy user events.

QUESTION NO: 163

Which of the following commands can be used to intercept and log the Linux kernel messages?

A.
syslogd

B.
klogd

C.
sysklogd

D.
syslog-ng

Answer: B,C
Explanation:

The klogd and sysklogd commands can be used to intercept and log the Linux kernel messages.

QUESTION NO: 164

You work as a Security Administrator in Tech Perfect Inc. The company has a TCP/IP based
network. The network has a vast majority of Cisco Systems routers and Cisco network switches.
You have implemented four VPN connections in the network. You use the Cisco IOS on the
network. Which feature will you enable to maintain a separate routing and forwarding table for
each VPN?

A.
Intrusion Prevention System

B.
VRF-aware firewall

C.
Virtual Private Network

D.
Stateful firewall

Answer: B
Explanation:

In this scenario, the company's network has a vast majority of Cisco Systems routers and Cisco
network switches. The security administrator of the company has implemented four VPN
connections in the network and uses the Cisco IOS on the network. He needs to maintain a
separate routing and forwarding table for each VPN in order to provide more secure
communication. To accomplish this task, he should enable the VRF-aware firewall feature on the
Cisco IOS routers.

QUESTION NO: 165

In which of the following scanning techniques does a scanner connect to an FTP server and
request that server to start data transfer to the third system?

A.
Xmas Tree scanning

B.
TCP FIN scanning

C.
TCP SYN scanning

D.
Bounce attack scanning

Answer: D
Explanation:

In TCP FTP proxy (bounce attack) scanning, a scanner connects to an FTP server and requests
that server to start a data transfer to a third system. The scanner uses the PORT FTP command to
declare that the data transfer process is listening on the target system at a certain port number.
Then the scanner uses the LIST FTP command to list the current directory. The result is returned
via the server. If the data transfer is successful, it is clear that the port is open. If the port is closed,
the attacker receives a connection refused error message.

Answer: A is incorrect. Xmas Tree scanning is just the opposite of null scanning. In Xmas Tree
scanning, all packets are turned on. If the target port is open, the service running on the target port
discards the packets without any reply. According to RFC 793, if the port is closed, the remote
system replies with the RST packet. Active monitoring of all incoming packets can help system
network administrators detect an Xmas Tree scan.

Answer: B is incorrect. TCP FIN scanning is a type of stealth scanning, through which the attacker
sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was
sent mistakenly by the attacker and sends the RST packet to the attacker. If the port is open, the
FIN packet will be ignored and the port will drop that packet. TCP FIN scanning is useful only for
identifying ports of non Windows operating system because Windows operating systems send
only RST packets irrespective of whether the port is open or closed.

Answer: C is incorrect. TCP SYN scanning is also known as half-open scanning because in this a
full TCP connection is never opened. The steps of TCP SYN scanning are as follows:

1. The attacker sends a SYN packet to the target port.

2. If the port is open, the attacker receives a SYN/ACK message.

3. Now the attacker breaks the connection by sending an RST packet.

4. If an RST packet is received instead of SYN/ACK, it indicates that the port is closed.

This type of scanning is hard to trace because the attacker never establishes a full 3-way
handshake connection and most sites do not create a log of incomplete TCP connections.
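Detection logic for the half-open (SYN) and Xmas Tree probes described above, run over a constructed packet trace. This is an added illustration, not part of the original text: the IP addresses, ports and the three-port threshold are made up, and the flag letters follow tcpdump's convention.

```python
"""
Flag-based detection of half-open (SYN) scans and Xmas Tree probes over a
constructed TCP trace. The idea: a legitimate client finishes the three-way
handshake (SYN, SYN/ACK, ACK); a SYN scanner never does, so flows that start
with a bare SYN and end in RST without a client ACK are probes.
"""
from collections import defaultdict

# Constructed trace: (src_ip, dst_ip, dst_port, tcp_flags) in arrival order.
# Flag letters follow tcpdump: S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG.
SAMPLE_TRACE = [
    # Half-open probes from 10.0.0.9 against 192.0.2.10: open ports (22, 80)
    # answer SYN/ACK and the scanner tears down with RST instead of finishing
    # the handshake; the closed port (139) is answered with RST by the host.
    ("10.0.0.9", "192.0.2.10", 22, "S"),
    ("192.0.2.10", "10.0.0.9", 22, "SA"),
    ("10.0.0.9", "192.0.2.10", 22, "R"),
    ("10.0.0.9", "192.0.2.10", 80, "S"),
    ("192.0.2.10", "10.0.0.9", 80, "SA"),
    ("10.0.0.9", "192.0.2.10", 80, "R"),
    ("10.0.0.9", "192.0.2.10", 139, "S"),
    ("192.0.2.10", "10.0.0.9", 139, "R"),
    # Legitimate client 10.0.0.5: full three-way handshake, then data.
    ("10.0.0.5", "192.0.2.10", 443, "S"),
    ("192.0.2.10", "10.0.0.5", 443, "SA"),
    ("10.0.0.5", "192.0.2.10", 443, "A"),
    ("10.0.0.5", "192.0.2.10", 443, "PA"),
    # Xmas Tree probe from 10.0.0.7: every flag lit in one segment.
    ("10.0.0.7", "192.0.2.10", 25, "FSRPAU"),
]


def group_flows(trace):
    """Group packets into flows keyed (client, server, port), oriented so that
    the side which sent the first packet is the client. Each flow is a list of
    (direction, flags) with direction 'c2s' or 's2c'."""
    flows = defaultdict(list)
    for src, dst, port, flags in trace:
        if (src, dst, port) in flows:
            flows[(src, dst, port)].append(("c2s", flags))
        elif (dst, src, port) in flows:
            flows[(dst, src, port)].append(("s2c", flags))
        else:
            # first packet seen for this pair: treat the sender as the client
            flows[(src, dst, port)].append(("c2s", flags))
    return flows


def half_open_probes(trace):
    """Return {source_ip: set(ports)} for flows that began with a bare SYN,
    saw a RST from either side, and in which the client never sent a plain
    ACK (so the handshake was never completed). This covers both patterns in
    the description above: SYN, SYN/ACK, client RST (open port) and
    SYN, server RST (closed port)."""
    probes = defaultdict(set)
    for (client, server, port), events in group_flows(trace).items():
        if events[0] != ("c2s", "S"):
            continue
        handshake_done = any(
            d == "c2s" and "A" in f and "S" not in f and "R" not in f
            for d, f in events
        )
        reset_seen = any("R" in f for _, f in events)
        if reset_seen and not handshake_done:
            probes[client].add(port)
    return dict(probes)


def xmas_probes(trace):
    """Return (src, dst, port) for segments with FIN, SYN, RST, PSH, ACK and
    URG all set, a combination no normal TCP stack emits."""
    return [(s, d, p) for s, d, p, f in trace if set("FSRPAU") <= set(f)]


def suspected_scanners(trace, min_ports=3):
    """Sources that probed at least min_ports distinct ports without ever
    completing a handshake; the threshold is a made-up tuning knob."""
    return {ip: ports for ip, ports in half_open_probes(trace).items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    print("half-open scanners:", suspected_scanners(SAMPLE_TRACE))
    print("xmas probes:", xmas_probes(SAMPLE_TRACE))
```

Because the check keys on incomplete handshakes rather than on connection logs, it catches exactly the traffic the explanation says most sites never log.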

QUESTION NO: 166

In the DNS Zone transfer enumeration, an attacker attempts to retrieve a copy of the entire zone
file for a domain from a DNS server. The information provided by the DNS zone can help an
attacker gather user names, passwords, and other valuable information. To attempt a zone
transfer, an attacker must be connected to a DNS server that is the authoritative server for that
zone. Besides this, an attacker can launch a Denial of Service attack against the zone's DNS
servers by flooding them with a lot of requests. Which of the following tools can an attacker use to
perform a DNS zone transfer?

A.
DSniff

B.
Dig

C.
Host

D.
NSLookup

Answer: B,C,D
Explanation:

An attacker can use Host, Dig, and NSLookup to perform a DNS zone transfer.

Answer: A is incorrect. DSniff is a sniffer that can be used to record network traffic. Dsniff is a set
of tools that are used for sniffing passwords, e-mail, and HTTP traffic. Some of the tools of Dsniff
include dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, and mailsnarf. Dsniff is highly effective
for sniffing both switched and shared networks. It uses the arpredirect and macof tools for
switching across switched networks. It can also be used to capture authentication information for
FTP, telnet, SMTP, HTTP, POP, NNTP, IMAP, etc.

QUESTION NO: 167

Which of the following statements are true about security risks? (Choose three.)

A.
They can be removed completely by taking proper actions.

B.
They are considered an indicator of threats coupled with vulnerability.

C.
They can be mitigated by reviewing and taking responsible actions based on possible risks.

D.
They can be analyzed and measured by the risk analysis process.

Answer: B,C,D
Explanation:

In information security, security risks are considered an indicator of threats coupled with
vulnerability. In other words, security risk is a probabilistic function of a given threat agent
exercising a particular vulnerability and the impact of that risk on the organization. Security risks
can be mitigated by reviewing and taking responsible actions based on possible risks. These risks
can be analyzed and measured by the risk analysis process.

Answer: A is incorrect. Security risks can never be removed completely but can be mitigated by
taking proper actions.

QUESTION NO: 168

Which of the following statements about packet filtering is true?

A.
It allows or restricts the flow of specific types of packets to provide security.

B.
It is used to send confidential data on the public network.

C.
It allows or restricts the flow of encrypted packets to provide security.

D.
It is used to store information about confidential data.

Answer: A
Explanation:

Packet filtering is a method that allows or restricts the flow of specific types of packets to provide
security. It analyzes the incoming and outgoing packets and lets them pass or stops them at a
network interface based on the source and destination addresses, ports, or protocols. Packet
filtering provides a way to define precisely which type of IP traffic is allowed to cross the firewall of
an intranet. IP packet filtering is important when users from private intranets connect to public
networks, such as the Internet.

QUESTION NO: 169

Mark works as a Web Designer for XYZ CORP. The company has a Windows-based network.
Mark creates an HTML document that gives the following error on execution: "These hypertext
system features are not supported by HTML". Which of the following can be the hypertext system
features that are NOT supported by HTML? (Choose three.)

A.
Source tracking

B.
Typed link

C.
Hyperlink

D.
Fat link

Answer: A,B,D
Explanation:

HTML lacks some of the features found in earlier hypertext systems, such as typed links, source
tracking, fat links etc. Even some hypertext features that were in early versions of HTML have
been ignored by most popular web browsers until recently, such as the link element and in-
browser Web page editing. Sometimes Web services or browser manufacturers remedy these
shortcomings.

Answer: C is incorrect. Hyperlink is supported by HTML as well as Hypertext.

QUESTION NO: 170

Which of the following statements about data integrity of a container are true? (Choose two.)

A.
It ensures that a hacker cannot alter the contents of an HTTP message while it is in transit from a
container to a client.

B.
Data integrity ensures that information is made available to users who are authorized to access it.

C.
Data integrity ensures that information has not been modified by a third party while it is in transit.

D.
It ensures that an eavesdropper cannot read an HTTP message being sent from a client to a
container.

Answer: A,C
Explanation:

Data integrity ensures that information has not been modified, altered, or destroyed by a third
party while it is in transit. Data integrity ensures that the data received is same as the data that
was sent. Moreover, no one can tamper with the data during transmission from source to
destination.

It also ensures that a hacker cannot alter the contents of an HTTP message while it is in transit
from the container to the client. This will be accomplished through the use of HTTPS. The HTTPS
stands for Hypertext Transfer Protocol over Secure Socket Layer. The HTTPS encrypts and
decrypts the page requests and page information between the client browser and the Web server
using a Secure Socket Layer.

Answer: D is incorrect. This answer option describes confidentiality.

Answer: B is incorrect. This answer option also describes confidentiality.

QUESTION NO: 171

"Pass Any Exam. Any Time." - www.actualtests.com 144


GIAC GSNA Exam
What does a firewall check to prevent certain ports and applications from getting the packets into
an Enterprise?

A.
The network layer headers and the session layer port numbers

B.
The transport layer port numbers and the application layer headers

C.
The application layer port numbers and the transport layer headers

D.
The presentation layer headers and the session layer port numbers

Answer: B
Explanation:

A firewall stops delivery of packets that are not marked safe by the Network Administrator. It
checks the transport layer port numbers and the application layer headers to prevent certain ports
and applications from getting the packets into an Enterprise.

Answer: A, C, D are incorrect. This information is not checked by a firewall.

QUESTION NO: 172

You work as a Network Administrator for XYZ CORP. The company's Windows 2000 network is
configured with Internet Security and Acceleration (ISA) Server 2000. ISA Server is configured as
follows:

The server uses the default site and content rule and default IP packet filters.

Packet filtering is enabled.

The server has two protocol rules:

Users in the network complain that they are unable to access secure Web sites. However, they
are able to connect to Web sites in which secure transmission is not required. What is the most
"Pass Any Exam. Any Time." - www.actualtests.com 145
GIAC GSNA Exam
likely cause?

A.
A protocol rule that allows the use of HTTP has not been created.

B.
An IP packet filter that allows the use of network traffic on port 80 has not been created.

C.
An IP packet filter that allows the use of network traffic on port 443 has not been created.

D.
A protocol rule that allows the use of HTTPS has not been created.

Answer: C
Explanation:

The default IP packet filter allows HTTP protocol (for non-secure communication) at port 80 to
access the Internet. However, to allow users to access secure Web sites, you will have to create
an additional packet filter to allow communication on port 443.
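The packet filter behaviour described for QUESTION NO: 168 and the port 443 scenario of QUESTION NO: 172, as an added Python example that is not part of the exam material; the intranet range, rule names, addresses and packets are constructed for the demonstration.

```python
"""Added example (not from the exam material): a minimal stateless IP packet
filter of the kind described in Q168 and Q172.

Rules match on protocol, source/destination network and destination port,
and the first matching rule decides. The default rule set mirrors the Q172
scenario: port 80 is allowed but no filter for port 443 exists, so HTTPS
traffic is dropped until a 443 rule is added. All addresses, rule names and
packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (ICMP)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    """Evaluates rules in order; a packet matching no rule is denied
    (deny-by-default, the posture an auditor expects of a firewall)."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)   # copy so callers' lists are not mutated

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"              # implicit final deny

    def add_rule(self, rule: Rule) -> None:
        # Appended rules are consulted after the existing ones but before
        # the implicit deny.
        self.rules.append(rule)


# Constructed private intranet and the default rule set of the Q172 scenario
INTRANET = "10.1.0.0/16"
DEFAULT_RULES = [
    Rule("allow-http-out", "allow", proto="tcp", src=INTRANET, dport=80),
    Rule("allow-dns-out", "allow", proto="udp", src=INTRANET, dport=53),
    Rule("deny-telnet", "deny", proto="tcp", dport=23),
]


def q172_scenario() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Returns the decisions for an HTTP and an HTTPS request from the
    intranet before and after the missing port-443 filter is added."""
    fw = PacketFilter(DEFAULT_RULES)
    http = Packet("tcp", "10.1.5.20", "203.0.113.10", 80)
    https = Packet("tcp", "10.1.5.20", "203.0.113.10", 443)
    before = (fw.decide(http), fw.decide(https))
    fw.add_rule(Rule("allow-https-out", "allow", proto="tcp",
                     src=INTRANET, dport=443))
    after = (fw.decide(http), fw.decide(https))
    return before, after


if __name__ == "__main__":
    print(q172_scenario())  # (('allow', 'deny'), ('allow', 'allow'))
```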

QUESTION NO: 173

You work as a Database Administrator for Dolliver Inc. The company uses Oracle 11g as its
database. You have used the LogMiner feature for auditing purposes. Which of the following files
store a copy of the data dictionary? (Choose two.)

A.
Online redo log files

B.
Operating system flat file

C.
Dump file

D.
Control file

Answer: A,B
Explanation:

LogMiner requires a dictionary to translate object IDs into object names when it returns redo data
to you. You have the following three options to retrieve the data dictionary:

The online catalog: This is the easiest and most efficient option. It is used when a database
user has access to the source database from which the redo log files were created. The other
condition is that there must be no changes to the column definitions in the desired tables.

The redo log files: This option is used when a database user does not have access to the
source database from which the redo log files were created, or when there is a chance that the
column definitions of the desired tables have changed.

An operating system flat file: Oracle does not recommend using this option, but it is retained for
backward compatibility. The reason for not preferring this option is that it does not guarantee
transactional consistency. LogMiner is capable of accessing the Oracle redo logs, which keep a
complete record of all the activities performed on the database, and the associated data
dictionary, which is used to translate internal object identifiers and types to external names and
data formats. For offline analysis, LogMiner can be run on a separate database, using archived
redo logs and the associated dictionary from the source database.

QUESTION NO: 174

Which of the following policies helps reduce the potential damage from the actions of one person?

A.
CSA

B.
Separation of duties

C.
Internal audit

D.
Risk assessment

Answer: B
Explanation:

Separation of duties (SoD) is the concept of having more than one person required to complete a
task. It is alternatively called segregation of duties or, in the political realm, separation of powers.
Segregation of duties helps reduce the potential damage from the actions of one person. IS or
end-user department should be organized in a way to achieve adequate separation of duties.
According to ISACA's Segregation of Duties Control matrix, some duties should not be combined
into one position. This matrix is not an industry standard, just a general guideline suggesting which
"Pass Any Exam. Any Time." - www.actualtests.com 147
GIAC GSNA Exam
positions should be separated and which require compensating controls when combined.

Answer: A is incorrect. Cisco Security Agent (CSA) is an endpoint intrusion prevention system. It is
rule-based and examines system activity and network traffic, determining which behaviors are
normal and which may indicate an attack. CSA uses a two- or three-tier client-server architecture.
The Management Center 'MC' (or Management Console) contains the program logic; an MS SQL
database backend is used to store alerts and configuration information; the MC and SQL database
may be co-resident on the same system. The Agent is installed on the desktops and/or servers to
be protected. The Agent communicates with the Management Center, sending logged events to
the Management Center and receiving updates in rules when they occur.

Answer: C is incorrect. Internal auditing is a profession and activity involved in helping
organizations achieve their stated objectives. It does this by using a systematic methodology for
analyzing business processes, procedures and activities with the goal of highlighting
organizational problems and recommending solutions.

Answer: D is incorrect. Risk assessment is a step in a risk management process.

QUESTION NO: 175

Web mining allows a user to look for patterns in data through content mining, structure mining, and
usage mining. What is the function of structure mining?

A.
To examine data collected by search engines

B.
To examine data collected by Web spiders

C.
To examine data related to the structure of a particular Web site

D.
To examine data related to a particular user's browser

Answer: C
Explanation:

Structure mining is used to examine data related to the structure of a particular Web site.

Answer: D is incorrect. Usage mining is used to examine data related to a particular user's
browser as well as data gathered by forms the user may have submitted during Web transactions.

"Pass Any Exam. Any Time." - www.actualtests.com 148


GIAC GSNA Exam
QUESTION NO: 176

John works as a professional Ethical Hacker. He has been assigned a project to test the security
of www.we-are-secure.com. He copies the whole structure of the We-are-secure Web site to the
local disk and obtains all the files on the Web site. Which of the following techniques is he using to
accomplish his task?

A.
Eavesdropping

B.
Fingerprinting

C.
Web ripping

D.
TCP FTP proxy scanning

Answer: C
Explanation:

Web ripping is a technique in which the attacker copies the whole structure of a Web site to the
local disk and obtains all files of the Web site. Web ripping helps an attacker to trace the loopholes
of the Web site.

Answer: A is incorrect. Eavesdropping is the intentional interception of data (such as e-mail,
username, password, credit card, or calling card number) as it passes from a user's computer to a
server, or vice versa. There are high-tech methods of eavesdropping. It has been demonstrated
that a laser can be bounced off a window and vibrations caused by the sounds inside the building
can be collected and turned back into those sounds. The cost of high-tech surveillance has made
such instruments available only to the professional information gatherer, however. But as with all
high-tech electronics, falling prices are making these more affordable to a wider audience.

Answer: D is incorrect. In TCP FTP proxy (bounce attack) scanning, a scanner connects to an
FTP server and requests it to start data transfer to a third system. The scanner uses the PORT
FTP command to find out whether or not the data transfer process is listening to the target system
at a certain port number. It then uses the LIST FTP command to list the current directory, and the
result is sent over the server. If the data transfer is successful, it clearly indicates that the port is
open. If the port is closed, the attacker receives the connection refused ICMP error message.

Answer: B is incorrect. Fingerprinting is the easiest way to detect the Operating System (OS) of a
remote system. OS detection is important because, after knowing the target system's OS, it
becomes easier to hack into the system. Fingerprinting compares the data packets that are sent
by the target system. The analysis of data packets gives the attacker a hint as to which operating
system is being used by the remote system. There are two types of fingerprinting techniques, as
follows:

In active fingerprinting, ICMP messages are sent to the target system and the response message
of the target system shows which OS is being used by the remote system. In passive fingerprinting,
the number of hops reveals the OS of the remote system.

QUESTION NO: 177

Peter works as a Web Developer for XYZ CORP. He is developing a Web site for the company. In
one of the Web pages, Peter wants to ensure that certain information is consistent and visible
while the other information changes. Which of the following will he use to accomplish this?

A.
Tables

B.
Navigation links

C.
Data elements

D.
Frames

Answer: D
Explanation:

Peter will use frames in the Web page. Frames are extensions of the HTML 3.2 standard
introduced by Netscape. Elements such as navigation links and a title graphic can be placed in
static individual frames. The <frame> tag defines the contents that will appear in each frame. It is
used within the <frameset> tag. Frames allow users to display multiple HTML files at a time.

Answer: A is incorrect. A table is used to handle data in tabular form.

Answer: B is incorrect. Navigation links are used with the navigation bar to display a page. These
hyperlinks are relative to the navigational structure of a Web site.

Answer: C is incorrect. Data elements are used to access data in XML format from a Web server.

QUESTION NO: 178

In a network, a data packet is received by a router for transmitting it to another network. In order to
make decisions on where the data packet should be forwarded, the router checks with its routing
table. Which of the following lists does a router check in a routing table?

"Pass Any Exam. Any Time." - www.actualtests.com 150


GIAC GSNA Exam
A.
Available networks

B.
Available packets

C.
Available protocols

D.
Available paths

Answer: A,D
Explanation:

A routing table stores the actual routes to all destinations; the routing table is populated from the
topology table with every destination network that has its successor and optionally feasible
successor identified (if unequal-cost load-balancing is enabled using the variance command). The
successors and feasible successors serve as the next hop routers for these destinations. Unlike
most other distance vector protocols, EIGRP does not rely on periodic route dumps in order to
maintain its topology table. Routing information is exchanged only upon the establishment of new
neighbor adjacencies, after which only changes are sent.

Answer: C is incorrect. A routing table does not contain any list of protocols.

Answer: B is incorrect. A routing table does not contain any list of packets.

QUESTION NO: 179

You work as a Network Administrator for XYZ CORP. The company has a small TCP/IP-based
network environment. The network contains a Cisco Catalyst 6000 family switch. A few sales
people come to your outer office and use your local network to access the Internet, as well as to
demonstrate their products. What will you do to prevent your network from being accessed by any
outside computers?

A.
Configure port security.

B.
Configure a firewall for IP blocking on the network.

C.
Configure a firewall for MAC address blocking on the network.

D.
Configure a port scanner.

Answer: A
Explanation:

According to the question, you are required to prevent outside computers from accessing your
network. You should therefore configure the switch's port access based on the MAC address,
which can be done by configuring port security. Port security is a feature of Cisco Catalyst series
switches. Port security is used to block input based on the media access control (MAC) address to
an Ethernet, Fast Ethernet, or Gigabit Ethernet port. It denies port access to a workstation
when the MAC address of the station attempting to access the port is different from any of the
MAC addresses specified for that port.

Answer: D is incorrect. A port scanner is a software tool that is designed to search network host
for open ports. This tool is often used by administrators to check the security of their networks. It is
also used by hackers to compromise the network and systems.

QUESTION NO: 180

Which of the following security policies will you implement to keep your data safe when you
connect your Laptop to the office network over IEEE 802.11 WLANs? (Choose two.)

A.
Using personal firewall software on your Laptop.

B.
Using a protocol analyzer on your Laptop to monitor for risks.

C.
Using a port scanner like nmap in your network.

D.
Using an IPSec enabled VPN for remote connectivity.

Answer: A,D
Explanation:

According to the scenario, you want to implement a security policy to keep your data safe when
you connect your Laptop to the office network over IEEE 802.11 WLANs. For this, you will use the
following two options:

1. Using an IPSec enabled VPN for remote connectivity: Internet Protocol Security (IPSec) is a
standards-based protocol that provides the highest level of VPN security. IPSec can encrypt
virtually everything above the networking layer. It is used for VPN connections that use the L2TP
protocol. It secures both data and password.

2. Using personal firewall software on your Laptop: You can also create a firewall rule to block
malicious packets so that you can secure your network.

Answer: C is incorrect. A port scanner is used to scan ports and report which ports are open.
Although this tool is very useful in the information gathering step of the attacking process, it
cannot be used to protect a WLAN network.

Answer: B is incorrect. You cannot use the packet analyzer to protect your network. Packet
analyzer is used to analyze data packets flowing in the network.

QUESTION NO: 181

You work as a Database Administrator for XYZ CORP. The company has a multi-platform
network. The company requires a database that can receive data from various types of operating
systems. You want to design a multidimensional database to accomplish the task. Which of the
following statements are true about a multidimensional database?

A.
It is used to optimize Online Analytical Processing (OLAP) applications.

B.
It is used to optimize data warehouse.

C.
It is rarely created using input from existing relational databases.

D.
It allows users to ask questions that are related to summarizing business operations and trends.

Answer: A,B,D
Explanation:

A multidimensional database (MDB) is a type of database that is optimized for data warehouse
and Online Analytical Processing (OLAP) applications. Multidimensional databases are frequently
created using input from existing relational databases. Whereas a relational database is typically
accessed using a Structured Query Language (SQL) query, a multidimensional database allows a
user to ask questions like "How many Aptivas have been sold in Nebraska so far this year?" and
similar questions related to summarizing business operations and trends. An OLAP application
that accesses data from a multidimensional database is known as a MOLAP (multidimensional
OLAP) application.

Answer: C is incorrect. A multidimensional database is frequently created using input from existing
"Pass Any Exam. Any Time." - www.actualtests.com 153
GIAC GSNA Exam
relational databases.

QUESTION NO: 182

You want to record auditing information in the SYS.AUD$ table, and also want to record SQL bind
variables as well as the SQL text in the audit trail. Which of the following statements will
accomplish this task?

A.
ALTER SYSTEM SET AUDIT_TRAIL = DB, XML SCOPE=SPFILE;

B.
ALTER SYSTEM SET AUDIT_TRAIL = 'DB, EXTENDED' SCOPE=SPFILE;

C.
ALTER SYSTEM SET AUDIT_TRAIL = 'DB','EXTENDED'SCOPE=SPFILE;

D.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE=SPFILE;

E.
ALTER SYSTEM SET AUDIT_FILE_DEST = 'DB, EXTENDED' SCOPE=SPFILE;

F.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE=BOTH;

Answer: C,D
Explanation:

The initialization parameter AUDIT_TRAIL is used to specify the kind of auditing that needs to be
performed, as well as the destination where it will be performed. There are three basic values for
auditing that are DB, OS, and XML. Specifying DB sends all audit rows to the table SYS.AUD$,
OS sends the audit rows to an operating system file, and XML sends the audit rows to an
operating system file in the XML format. The location for external audit rows is specified by the
AUDIT_FILE_DEST parameter. By adding the EXTENDED parameter for either DB or XML
auditing, all SQL bind variables and the text of all SQL commands are included in the audit row.
EXTENDED cannot be specified for OS auditing. In addition, NONE can be specified as the value
for AUDIT_TRAIL, which will disable all auditing.

Answer: B is incorrect. DB, EXTENDED in single quotes cannot be specified when setting the
AUDIT_TRAIL parameter.

Answer: E is incorrect. AUDIT_TRAIL must be set to specify the type of auditing.
AUDIT_FILE_DEST is used to specify the operating system location for either OS or XML
auditing.

Answer: A is incorrect. DB and XML auditing cannot be specified at the same time and the
database must be restarted for the auditing change to go into effect.

QUESTION NO: 183

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to track the system for user logins. To accomplish the task, you need to analyze the log
configuration files. Which of the following Unix log configuration files can you use to accomplish
the task?

A.
/var/log/messages

B.
/var/log/secure

C.
/var/spool/mail

D.
/var/log/maillog

Answer: B
Explanation:

In Unix, the /var/log/secure file is used to track the systems for user logins.

Answer: D is incorrect. In Unix, the /var/log/maillog file is the normal system maillog file.

Answer: A is incorrect. In Unix, the /var/log/messages file is the main system message log file.

Answer: C is incorrect. In Unix, the /var/spool/mail file is the file where mailboxes are usually
stored.
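Tracking user logins from /var/log/secure, the file identified above, as an added Python example that is not part of the exam material; the log lines, host name, user names and addresses are constructed to resemble the sshd messages syslog writes to that file.

```python
"""Added example (not from the exam material): extracting login activity
from /var/log/secure, the file Q183 names for tracking user logins.

SAMPLE_SECURE_LOG is constructed to look like the sshd and su records a
Red Hat style syslog writes to /var/log/secure; host, users and addresses
are invented.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

SAMPLE_SECURE_LOG = """\
Mar  3 08:12:01 audit-host sshd[2231]: Accepted password for alice from 10.1.5.20 port 51022 ssh2
Mar  3 08:12:44 audit-host sshd[2250]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 08:12:46 audit-host sshd[2250]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 08:12:49 audit-host sshd[2252]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 08:13:02 audit-host sshd[2260]: Accepted publickey for bob from 10.1.5.31 port 51100 ssh2
Mar  3 08:15:10 audit-host su: pam_unix(su-l:session): session opened for user root by alice(uid=1001)
Mar  3 08:16:00 audit-host sshd[2270]: Failed password for root from 198.51.100.7 port 40140 ssh2
"""

# sshd login outcome lines; "invalid user" marks names that do not exist locally
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Returns one dict per sshd login attempt; other records (su, PAM
    session lines) are ignored by this parser."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Counts successful logins per user and failures per source address."""
    accepted = Counter(e["user"] for e in events if e["result"] == "Accepted")
    failed_by_ip = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return {"accepted": dict(accepted), "failed_by_ip": dict(failed_by_ip)}


def flag_bruteforce(events: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Source addresses with at least `threshold` failed logins. The default
    threshold is a constructed value; tune it to the environment."""
    failed = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return sorted(ip for ip, n in failed.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_logins(SAMPLE_SECURE_LOG.splitlines())
    print(summarize(evs))
    print(flag_bruteforce(evs))
```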

QUESTION NO: 184

You work as a Software Developer for UcTech Inc. You are building a Web site that will contain
study materials on the Java language. The company wants that members can access all the
pages, but non-members have only limited access to the Web site pages. Which of the following
security mechanisms will you use to accomplish the task?

"Pass Any Exam. Any Time." - www.actualtests.com 155


GIAC GSNA Exam
A.
Data integrity

B.
Authentication

C.
Confidentiality

D.
Authorization

Answer: D
Explanation:

Authorization is a process that verifies whether a user has permission to access a Web resource. A
Web server can restrict access to some of its resources to only those clients that log in using a
recognized username and password. To be authorized, a user must first be authenticated.

Answer: B is incorrect. Authentication is the process of verifying the identity of a user. This is
usually done using a user name and password. This process compares the provided user name
and password with those stored in the database of an authentication server.

Answer: C is incorrect. Confidentiality is a mechanism that ensures that only the intended and
authorized recipients are able to read data. The data is so encrypted that even if an unauthorized
user gets access to it, he will not get any meaning out of it.

Answer: A is incorrect. Data integrity is a mechanism that ensures that the data is not modified
during transmission from source to destination. This means that the data received at the
destination should be exactly the same as that sent from the source.

QUESTION NO: 185

Which of the following commands can you use to search a string 'pwd' in all text files without
opening them? (Choose two.)

A.
vi

B.
grep

C.
sed

"Pass Any Exam. Any Time." - www.actualtests.com 156


GIAC GSNA Exam
D.
locate

Answer: B,C
Explanation:

sed and grep are the two commands that can be used to search a specified string in all text files
without opening them. sed is a stream editor that is used to perform basic text transformations on
an input stream (a file or input from a pipeline).

QUESTION NO: 186

Pingdom is a website monitoring service. Which of the following services are provided by
Pingdom?

A.
It creates complicated charts to spot trends and imprecisely pinpoint problems.

B.
It works as an iPhone application to make sure that a website is reachable and responding
properly at all times.

C.
It is used to monitor sites and servers on the Internet.

D.
It is used to track the uptime, downtime, and performance of websites.

Answer: B,C,D
Explanation:

Pingdom is a website monitoring service that is used by administrators to monitor sites and
servers on the Internet. It alerts the site owners if it detects a problem. Pingdom service is used to
track the uptime, downtime, and overall performance of websites. Pingdom also works as an
iPhone application to make sure that a website is reachable and responding properly at all times. If
not so, it provides the administrator with the email and SMS alerts. It creates charts and tables that
are easy to understand. These charts and tables enable an administrator to spot trends and
accurately pinpoint problems.

Answer: A is incorrect. Pingdom creates charts that are easy to understand. These charts are used
to spot trends and accurately pinpoint problems.

"Pass Any Exam. Any Time." - www.actualtests.com 157


GIAC GSNA Exam

QUESTION NO: 187

Which of the following records is the first entry in a DNS database file?

A.
CNAME

B.
SOA

C.
SRV

D.
MX

Answer: B
Explanation:

Start of Authority (SOA) record is the first record in any DNS database file. The SOA resource
record includes the following fields: owner, TTL, class, type, authoritative server, refresh, minimum
TTL, etc.

Answer: A is incorrect. Canonical Name (CNAME) is a resource record that creates an alias for
the specified Fully Qualified Domain Name (FQDN). It hides the implementation details of a
network from the clients that are connected to the network.

Answer: D is incorrect. MX is a mail exchange resource record in the database file of a DNS
server. It specifies a mail exchange server for a DNS domain name.

Answer: C is incorrect. SRV resource record is a DNS record that enables users to specify the
location of servers for a specific service, protocol, and DNS domain. For example, if there are two
servers in a domain, creating SRV records specifies which hosts serve as Web servers, and
resolvers can then retrieve all the SRV resource records for the Web servers.
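As an added Python example that is not part of the exam material, a small parser for a BIND-style zone file that checks the SOA record comes first and extracts the fields named above; the zone, domain name and addresses are constructed.

```python
"""Added example (not from the exam material): reading a DNS zone file and
checking that its first resource record is the SOA, as Q187 states.

SAMPLE_ZONE is constructed (example.test is not a real domain) in the
common BIND text format, with the SOA written across several lines in
parentheses. The parser assumes the "owner class type rdata" layout and
does not handle a per-record TTL column.
"""
from typing import Dict, List, Tuple

SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.test.
@       IN  SOA ns1.example.test. hostmaster.example.test. (
                2024030301 ; serial
                7200       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; minimum TTL
@       IN  NS   ns1.example.test.
@       IN  MX   10 mail.example.test.
www     IN  A    192.0.2.10
ftp     IN  CNAME www.example.test.
_http._tcp IN SRV 0 5 80 www.example.test.
"""


def strip_comments_and_join(text: str) -> List[str]:
    """Removes ';' comments and joins parenthesised records onto one line."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            records.append(" ".join(buf))
            buf = []
    return records


def parse_zone(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Returns (owner, class, type, rdata tokens) per RR; $ directives skipped."""
    rrs = []
    for rec in strip_comments_and_join(text):
        if rec.startswith("$"):
            continue
        tokens = rec.replace("(", " ").replace(")", " ").split()
        owner, rclass, rtype, *rdata = tokens
        rrs.append((owner, rclass, rtype, rdata))
    return rrs


def soa_fields(text: str) -> Dict[str, object]:
    """Checks the SOA comes first and returns its fields by name."""
    rrs = parse_zone(text)
    if not rrs or rrs[0][2] != "SOA":
        raise ValueError("zone file does not begin with an SOA record")
    owner, rclass, _, rdata = rrs[0]
    mname, rname, serial, refresh, retry, expire, minimum = rdata
    return {
        "owner": owner, "class": rclass, "type": "SOA",
        "authoritative_server": mname, "responsible": rname,
        "serial": int(serial), "refresh": int(refresh), "retry": int(retry),
        "expire": int(expire), "minimum_ttl": int(minimum),
    }


if __name__ == "__main__":
    print(soa_fields(SAMPLE_ZONE))
```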

QUESTION NO: 188

Which of the following is an example of penetration testing?

A.
Configuring firewall to block unauthorized traffic

"Pass Any Exam. Any Time." - www.actualtests.com 158


GIAC GSNA Exam
B.
Implementing HIDS on a computer

C.
Simulating an actual attack on a network

D.
Implementing NIDS on a network

Answer: C
Explanation:

Penetration testing is a method of evaluating the security of a computer system or network by
simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The
process involves an active analysis of the system for any potential vulnerabilities that may result
from poor or improper system configuration, known and/or unknown hardware or software flaws,
or operational weaknesses in process or technical countermeasures. This analysis is carried out
from the position of a potential attacker, and can involve active exploitation of security
vulnerabilities. Any security issues that are found will be presented to the system owner together
with an assessment of their impact and often with a proposal for mitigation or a technical solution.
The intent of a penetration test is to determine the feasibility of an attack and the amount of
business impact of a successful exploit, if discovered. It is a component of a full security
audit.

QUESTION NO: 189

You configure a wireless router at your home. To secure your home Wireless LAN (WLAN), you
implement WEP. Now you want to connect your client computer to the WLAN. Which of the
following is the required information that you will need to configure the client computer? (Choose
two.)

A.
SSID of the WLAN

B.
WEP key

C.
IP address of the router

D.
MAC address of the router

Answer: A,B
"Pass Any Exam. Any Time." - www.actualtests.com 159
GIAC GSNA Exam
Explanation:

In order to connect a client computer to a secured Wireless LAN (WLAN), you are required to
provide the following information:

SSID of the WLAN

WEP key

QUESTION NO: 190

Which of the following statements about the /etc/profile file are true?

A.
It allows a system administrator to create a default home directory for all new users on a
computer.

B.
A user can change the settings of the /etc/profile file, but he cannot delete the file. It can only be
deleted by the root user.

C.
It can change the default umask value.

D.
It is used to configure and control system-wide default variables.

Answer: C,D
Explanation:

The /etc/profile file is used to configure and control system-wide default variables. It performs
many operations, some of which are as follows:

Exporting variables

Setting the umask value

Sending mail messages to indicate that new mail has arrived

Only the root user can configure and change the /etc/profile file for all users on the system.

Answer: A is incorrect. The /etc/skel file allows a system administrator to create a default home
directory for all new users on a computer or network and thus to make certain that all users begin
with the same settings. When a new account is created with a home directory, the entire contents
of /etc/skel are copied into the new home directory location. The home directory and its entire
"Pass Any Exam. Any Time." - www.actualtests.com 160
GIAC GSNA Exam
contents are then set to the new account's UID and GID, making the new user owner of the initial
files. The system administrator can create files in /etc/skel that will provide a nice default
environment for users. For example, he might create a /etc/skel/.profile that sets the PATH
environment variable for new users.

Answer: B is incorrect. Only the root user can change the settings of the /etc/profile file.

QUESTION NO: 191

Which of the following are attributes of the <TABLE> tag? (Choose three.)

A.
BORDER

B.
ALIGN

C.
TD

D.
WIDTH

Answer: A,B,D
Explanation:

The WIDTH attribute of the <TABLE> tag is used to set the width of a table. Width can be
specified in pixels and percentage. For example, if a table of the same width as that of the parent
object has to be created, the WIDTH attribute must be set to 100%. The ALIGN attribute aligns the
table within the text flow. By default alignment is set to left. The BORDER attribute of the
<TABLE> tag is used to set the width of the table border.

Answer: C is incorrect. <TD> is not an attribute of the <TABLE> tag. It is a tag used to specify cells
in a table.

QUESTION NO: 192

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to make changes on a per-directory basis. Which of the following Unix configuration files
can you use to accomplish the task?

"Pass Any Exam. Any Time." - www.actualtests.com 161


GIAC GSNA Exam
A.
$HOME/.profile

B.
$HOME/Xrootenv.0

C.
$HOME/.htaccess

D.
/var/log/btmp

Answer: C
Explanation:

In Unix, the $HOME/.htaccess file provides a way to make configuration changes on a
per-directory basis.

Answer: A is incorrect. In Unix, the $HOME/.profile file contains the user's environment settings
and startup programs.

Answer: B is incorrect. In Unix, the $HOME/Xrootenv.0 file contains networking and environment
information.

Answer: D is incorrect. In Unix, the /var/log/btmp file is used to store information about failed
logins.

QUESTION NO: 193

Which of the following types of audit constructs a risk profile for existing and new projects?

A.
Technological position audit

B.
Technological innovation process audit

C.
Innovative comparison audit

D.
Client/Server, Telecommunications, Intranets, and Extranets audits

Answer: B

"Pass Any Exam. Any Time." - www.actualtests.com 162


GIAC GSNA Exam
Explanation:

Various authorities have created differing taxonomies to distinguish the various types of IT audits.
Goodman & Lawless state that there are three specific systematic approaches to carry out an IT
audit:

Answer: D is incorrect. These are the audits to verify that controls are in place on the client
(computer receiving services), server, and on the network connecting the clients and servers.

QUESTION NO: 194

Pervasive IS controls can be used across all the internal departments and external contractors to
define the direction and behavior required for the technology to function properly. When these
controls are implemented properly, which of the following areas show the reliability improvement?
(Choose three.)

A.
Hardware development

B.
Software development

C.
Security administration

D.
Disaster recovery

Answer: B,C,D
Explanation:

Pervasive IS controls can be used across all the internal departments and external contractors. If
the Pervasive IS controls are implemented properly, it improves the reliability of the following:

Answer: A is incorrect. Pervasive IS controls do not have any relation with the reliability of the
hardware development.

QUESTION NO: 195

Which of the following are the limitations for the cross site request forgery (CSRF) attack?

A.
The attacker must determine the right values for all the form inputs.

B.
The attacker must target a site that doesn't check the referrer header.

C.
The target site should have limited lifetime authentication cookies.

D.
The target site should authenticate in GET and POST parameters, not only cookies.

Answer: A,B
Explanation:

Following are the limitations of cross site request forgeries to be successful:

1. The attacker must target either a site that doesn't check the Referer header (which is common)
or a victim with a browser or plugin bug that allows Referer spoofing (which is rare).

2. The attacker must find a form submission at the target site that does something useful to the
attacker (e.g., transfers money, or changes the victim's e-mail address or password).

3. The attacker must determine the right values for all the form inputs: if any of them are required
to be secret authentication values or IDs that the attacker can't guess, the attack will fail.

4. The attacker must lure the victim to a Web page with malicious code while the victim is logged
in to the target site. Moreover, the attacker can't see what the target Web site sends back to the
victim in response to the forged requests, unless he also exploits a cross-site scripting or other
bug at the target Web site.

Similarly, the attacker can only "click" any links or submit any forms that come up after the initial
forged request if the subsequent links or forms are similarly predictable. (Multiple "clicks" can be
simulated by including multiple images on a page, or by using JavaScript to introduce a delay
between clicks.)

Web sites can protect themselves from cross site request forgeries (CSRF) by applying the following
countermeasures:

Requiring authentication in GET and POST parameters, not only cookies.

Checking the HTTP Referer header.

Ensuring there's no crossdomain.xml file granting unintended access to Flash movies.

Limiting the lifetime of authentication cookies.

Requiring a secret, user-specific token in all form submissions prevents CSRF; the attacker's site
can't put the right token in its submissions.

Individual Web users can do relatively little to prevent cross-site request forgery.

Logging out of sites and avoiding their "remember me" features can mitigate CSRF risk; not
displaying external images or not clicking links in "spam" or unreliable e-mails may also help.
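
The two site-side countermeasures above (a secret, user-specific form token and a Referer check), as an added example in Python; this is illustration code, not part of the original question bank. The site origin, server secret, session id and endpoint are constructed values.

```python
import hmac
import hashlib

# Constructed server-side secret for this demo; a real site would load it
# from protected configuration rather than hard-code it.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected site


def issue_csrf_token(session_id: str) -> str:
    """Derive a secret, user-specific token: HMAC-SHA256(secret, session id).

    The site embeds this token in every form it renders. An attacker's page
    cannot compute it because it does not know SERVER_SECRET, so a forged
    cross-site submission cannot supply the right value.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def referer_is_trusted(headers: dict) -> bool:
    """Referer check: accept only requests that claim to come from our own pages.

    A missing Referer is treated as untrusted here (strict policy); sites that
    must tolerate privacy proxies stripping the header would relax this.
    """
    referer = headers.get("Referer", "")
    return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")


def handle_change_email(session_id: str, headers: dict, form: dict) -> str:
    """Simulated state-changing endpoint (changes the user's e-mail address).

    Returns "ok" when the request passes both checks, otherwise a short
    reason string naming the check that rejected it.
    """
    if not referer_is_trusted(headers):
        return "rejected: untrusted referer"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered via timing.
    if not hmac.compare_digest(expected, supplied):
        return "rejected: missing or wrong csrf token"
    return "ok"


if __name__ == "__main__":
    sid = "session-constructed-123"
    # Legitimate submission from the site's own settings page.
    good = handle_change_email(
        sid,
        {"Referer": SITE_ORIGIN + "/settings"},
        {"email": "new@example.net", "csrf_token": issue_csrf_token(sid)},
    )
    # Forged submission served from another origin: the browser still attaches
    # the victim's cookie (session id), but the Referer and token give it away.
    forged = handle_change_email(
        sid,
        {"Referer": "https://other-origin.example/page"},
        {"email": "changed@example.net"},
    )
    print(good, "/", forged)
```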

QUESTION NO: 196

John works as a professional Ethical Hacker. He has been assigned a project to test the security
of www.we-are-secure.com. He successfully performs a brute force attack on the We-are-secure
server. Now, he suggests some countermeasures to avoid such brute force attacks on the We-
are-secure server. Which of the following are countermeasures against a brute force attack?

A.
The site should use CAPTCHA after a specific number of failed login attempts.

B.
The site should increase the encryption key length of the password.

C.
The site should restrict the number of login attempts to only three times.

D.
The site should force its users to change their passwords from time to time.

Answer: A,C
Explanation:

Using CAPTCHA or restricting the number of login attempts are good countermeasures against a
brute force attack.

QUESTION NO: 197

Which of the following types of firewall ensures that the packets are part of the established
session?

A.
Stateful inspection firewall

B.
Switch-level firewall

C.
Circuit-level firewall

D.
Application-level firewall

Answer: A
Explanation:

The stateful inspection firewall combines the circuit level and the application level firewall
techniques. It assures the session or connection between the two parties is valid. It also inspects
packets from the session to assure that the packets are part of the established session and not
malicious.

Answer: C is incorrect. The circuit-level firewall regulates traffic based on whether or not a trusted
connection has been established.

Answer: D is incorrect. The application level firewall inspects the contents of packets, rather than
the source/destination or connection between the two devices.

Answer: B is incorrect. There is no firewall type such as switch-level firewall.

QUESTION NO: 198

One of the sales people in your company complains that sometimes he gets a lot of unsolicited
messages on his PDA. After asking a few questions, you determine that the issue only occurs in
crowded areas like airports. What is the most likely problem?

A.
Spam

B.
Blue snarfing

C.
A virus

D.
Blue jacking

Answer: D
Explanation:

Blue jacking is the process of using another Bluetooth device that is within range (about 30' or
less) and sending unsolicited messages to the target.

Answer: B is incorrect. Blue snarfing is a process whereby the attacker actually takes control of
the phone. Perhaps copying data or even making calls.

Answer: C is incorrect. A virus would not cause unsolicited messages. Adware might, but not a
virus.

Answer: A is incorrect. Spam would not be limited to when the person was in a crowded area.

QUESTION NO: 199

Which of the following is a technique of using a modem to automatically scan a list of telephone
numbers, usually dialing every number in a local area code to search for computers, Bulletin board
systems, and fax machines?

A.
Warkitting

B.
War driving

C.
Wardialing

D.
Demon dialing

Answer: C
Explanation:

War dialing or wardialing is a technique of using a modem to automatically scan a list of telephone
numbers, usually dialing every number in a local area code to search for computers, Bulletin board
systems, and fax machines. Hackers use the resulting lists for various purposes, hobbyists for
exploration, and crackers - hackers that specialize in computer security - for password guessing.

Answer: A is incorrect. Warkitting is a combination of wardriving and rootkitting. In a warkitting
attack, a hacker replaces the firmware of an attacked router. This allows them to control all
traffic for the victim, and could even permit them to disable SSL by replacing HTML content as it is
being downloaded. Warkitting was identified by Tsow, Jakobsson, Yang, and Wetzel in 2006.
Their discovery indicated that 10% of the wireless routers were susceptible to WAPjacking
(malicious configuring of the firmware settings, but making no modification on the firmware itself)
and 4.4% of wireless routers were vulnerable to WAPkitting (subverting the router firmware). Their
analysis showed that the volume of credential theft possible through Warkitting exceeded the
estimates of credential theft due to phishing.

Answer: D is incorrect. In the computer hacking scene of the 1980s, demon dialing was a
technique by which a computer is used to repeatedly dial a number (usually to a crowded modem
pool) in an attempt to gain access immediately after another user had hung up. The expansion of
accessible Internet service provider connectivity since that time more or less rendered the practice
obsolete. The term "demon dialing" derives from the Demon Dialer product from Zoom
Telephonics, Inc., a telephone device produced in the 1980s which repeatedly dialed busy
telephone numbers under control of an extension phone.

Answer: B is incorrect. War driving, also called access point mapping, is the act of locating and
possibly exploiting connections to wireless local area networks while driving around a city or
elsewhere. To do war driving, one needs a vehicle, a computer (which can be a laptop), a wireless
Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be
mounted on top of or positioned inside the car. Because a wireless LAN may have a range that
extends beyond an office building, an outside user may be able to intrude into the network, obtain
a free Internet connection, and possibly gain access to company records and other resources.

QUESTION NO: 200

You work as a Network Administrator for NTY Inc. The company has a secure wireless network.
While auditing the network for maintaining security, you find an unknown node. You want to locate
that node.

Which tool will you use to pinpoint the actual physical location of the node?

A.
Kismet

B.
Ekahau

C.
WEPCrack

D.
AirSnort

Answer: B
Explanation:

Ekahau is an easy-to-use, powerful, and comprehensive tool for network site surveys and
optimization. It is an auditing tool that can be used to pinpoint the actual physical location of
wireless devices in the network. This tool can be used to make a map of the office and then
perform the survey of the office. In the process, if one finds an unknown node, Ekahau can be
used to locate that node.

Answer: D is incorrect. AirSnort is a Linux-based WLAN WEP cracking tool that recovers
encryption keys. AirSnort operates by passively monitoring transmissions. It uses Ciphertext Only
Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.

Answer: A is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion
detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode.
Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the
following tasks:

Answer: C is incorrect. WEPcrack is a wireless network cracking tool that exploits the
vulnerabilities in the RC4 algorithm, which underlies the WEP security parameters. It mainly
consists of three tools, which are as follows:

WeakIVGen: It allows a user to emulate the encryption output of 802.11 networks to weaken the
secret key used to encrypt the network traffic.

Prism-getIV: It analyzes packets of information until ultimately matching patterns to the one known
to decrypt the secret key.

WEPcrack: It pulls all the useful data from WeakIVGen and Prism-getIV to decipher the network
encryption.

Topic 3, Volume C

QUESTION NO: 201

You are the Network Admin for a company. You are concerned about users having access to
items they should not. Your concern is that they may inadvertently have been granted access to
those resources. When conducting a user access and rights review, which of the following is most
likely to show you such unintentional granting of user rights?

A.
IDS Logs

B.
Access Control Lists

C.
Server logs

D.
Group Membership

Answer: D
Explanation:

Most often user rights are determined by the groups the user belongs to. In some cases a user
may mistakenly be added to a group they should not be. It is also common that a user moves
within the organization, but is still retained in their previous group giving them those rights.

Answer: B is incorrect. Access Control Lists are usually set up manually. This means that a
person would not likely be inadvertently added. You might want to check the ACLs, and you might
find some issues, but this is not the most likely way to find users with inappropriate rights.

Answer: C is incorrect. At best server logs can show you if a user accessed a resource. But a user
could have access to a resource, and simply not have used that access yet.

Answer: A is incorrect. IDS logs will only help you identify potential attacks. Unless you suspect
the user of intentionally trying to break into resources, an IDS log will not help in this scenario.

QUESTION NO: 202

Brutus is a password cracking tool that can be used to crack the following authentications:

HTTP (Basic Authentication)

HTTP (HTML Form/CGI)

POP3 (Post Office Protocol v3)

FTP (File Transfer Protocol)

SMB (Server Message Block)

Telnet

Which of the following attacks can be performed by Brutus for password cracking?

A.
Man-in-the-middle attack

B.
Hybrid attack

C.
Replay attack

D.
Brute force attack

E.
Dictionary attack

Answer: B,D,E
Explanation:

Brutus can be used to perform brute force attacks, dictionary attacks, or hybrid attacks.

QUESTION NO: 203

John used to work as a Network Administrator for We-are-secure Inc. Now he has resigned from
the company for personal reasons. He wants to send out some secret information of the company.
To do so, he takes an image file and simply uses a tool, Image Hide, to embed the secret file
within an image file of the famous actress, Jennifer Lopez, and sends it to his Yahoo mail ID. Since
he is using the image file to send the data, the mail server of his company is unable to filter this
mail. Which of the following techniques is he performing to accomplish his task?

A.
Web ripping

B.
Steganography

C.
Email spoofing

D.
Social engineering

Answer: B
Explanation:

According to the scenario, John is performing the Steganography technique for sending malicious
data. Steganography is the art and science of hiding information by embedding hidden messages
within other seemingly harmless messages. It works by replacing bits of unused data, such as
graphics, sound, text, and HTML, with bits of invisible information in regular computer files. This
hidden information can be in the form of plain text, cipher text, or even in the form of images.

Answer: A is incorrect. Web ripping is a technique in which the attacker copies the whole structure
of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker
to trace the loopholes of the Web site.

Answer: D is incorrect. Social engineering is the art of convincing people and making them
disclose useful information such as account names and passwords. This information is further
exploited by hackers to gain access to a user's computer or network. This method involves mental
ability of the people to trick someone rather than their technical skills. A user should always
distrust people who ask him for his account name or password, computer name, IP address,
employee ID, or other information that can be misused.

Answer: C is incorrect. John is not performing email spoofing. In email spoofing, an attacker sends
emails after writing another person's mailing address in the From field of the e-mail.

QUESTION NO: 204

Which of the following backup sites takes the longest recovery time?

A.
Mobile backup site

B.
Warm site

C.
Cold site

D.
Hot site

Answer: C
Explanation:

A cold backup site takes the longest recovery time. It is the most inexpensive type of backup site
for an organization to operate. It does not include backed up copies of data and information from
the original location of the organization, nor does it include hardware already set up. The lack of
hardware contributes to the minimal startup costs of the cold site, but requires additional time
following the disaster to have the operation running at a capacity close to that prior to the disaster.

Answer: D is incorrect. A hot site is a duplicate of the original site of the organization, with full
computer systems as well as near-complete backups of user data. Real time synchronization
between the two sites may be used to completely mirror the data environment of the original site
using wide area network links and specialized software. Ideally, a hot site will be up and running
within a matter of hours or even less.

Answer: A is incorrect. Although a mobile backup site provides rapid recovery, it does not provide
full recovery in time. Hence, a hot site takes the shortest recovery time.

Answer: B is incorrect. A warm site is, quite logically, a compromise between hot and cold. These
sites will have hardware and connectivity already established, though on a smaller scale than the
original production site or even a hot site. Warm sites will have backups on hand, but they may not
be complete and may be between several days and a week old. An example would be backup
tapes sent to the warm site by courier.

QUESTION NO: 205

Many organizations create network maps of their network system to visualize the network and
understand the relationship between the end devices and the transport layer that provide services.
Which of the following are the techniques used for network mapping by large organizations? Each
correct answer represents a complete solution. (Choose three.)

A.
Route analytics

B.
Active Probing

C.
SNMP-based approaches

D.
Packet crafting

Answer: A,B,C
Explanation:

Many organizations create network maps of their network system. These maps can be made
manually using simple tools such as Microsoft Visio, or the mapping process can be simplified by
using tools that integrate auto network discovery with Network mapping. Many of the vendors from
the Notable network Mappers list enable a user to do the following:

Sophisticated mapping is used to help visualize the network and understand relationships between
end devices and the transport layers that provide service. Items such as bottlenecks and root
cause analysis can be easier to spot using these tools.

There are three main techniques used for network mapping: SNMP-based approaches, Active
Probing, and Route analytics. The SNMP-based approach retrieves data from Router and Switch
MIBs in order to build the network map. The Active Probing approach relies on a series of trace
route like probe packets in order to build the network map. The Route analytics approach relies on
information from the routing protocols to build the network map. Each of the three approaches has
advantages and disadvantages in the methods that they use.

Answer: D is incorrect. Packet crafting is a technique that allows probing firewall rule-sets and
finding entry points into the targeted system or network. This can be done with a packet generator.
A packet generator is a type of software that generates random packets or allows the user to
construct detailed custom packets. Packet generators utilize raw sockets. This is useful for testing
implementations of IP stacks for bugs and security vulnerabilities.

QUESTION NO: 206

You have been assigned a project to develop a Web site for a construction company. You plan to
develop a Web site and want to get more control over the appearance and presentation of the
Web pages. You also want to increase your ability to precisely specify the position and
appearance of the elements on a page and create special effects. You plan to use cascading style
sheets (CSS). You want to define styles only for the active page. Which type of style sheet will you
use?

A.
Embedded Style Sheet

B.
Inline Style Sheet

C.
Internal Style Sheet

D.
External Style Sheet

Answer: A
Explanation:

To define styles only for the active page you should use an embedded style sheet. Cascading style
sheets (CSS) are used so that Web site authors can exercise greater control over the
appearance and presentation of their Web pages, and also because they increase the ability to
precisely specify the location and look of elements on a Web page and help in creating special
effects. Cascading Style Sheets have codes, which are interpreted and applied by the browser to
the Web pages and their elements. There are three types of cascading style sheets:

External Style Sheets

Embedded Style Sheets

Inline Style Sheets

External Style Sheets are used whenever consistency in style is required throughout a Web site. A
typical external style sheet uses a .css file extension, which can be edited using a text editor such
as Notepad. Embedded Style Sheets are used for defining styles for an active page. Inline Style
Sheets are used for defining individual elements of a page.

Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number:
Q179628

QUESTION NO: 207

You want to monitor the network infrastructure of a software-based company. The network
infrastructure of the company consists of the following:

Windows TCP/IP services

Web and mail servers

URLs

Applications (MS Exchange, SQL, etc.)

Which of the following network monitoring solutions can you use to accomplish the task?

A.
Axence nVision

B.
CommandCenter NOC

C.
Netmon

D.
Cymphonix Network Composer

Answer: A
Explanation:

Axence nVision is an advanced solution for comprehensive network management. It is used to
monitor network infrastructure such as Windows, TCP/IP services, web and mail servers, URLs,
and applications (MS Exchange, SQL, etc.). It is also used to monitor routers and switches,
including network traffic, interface status, and connected computers. It collects the network
inventory and audits license usage. It also gives alerts in case of a program installation or any
configuration change on a remote node. With the agent, an administrator can easily monitor user
activities and can access computers remotely.

Answer: B is incorrect. CommandCenter NOC is a simple and effective tool that performs network
monitoring with a powerful polling engine. It provides polling, Windows and UNIX/Linux server
management, intrusion detection, vulnerability scanning, and traffic analysis in an integrated
appliance.

Answer: D is incorrect. Cymphonix Network Composer is a precise Web gateway appliance. It is
used to monitor Internet traffic by user, application, and threat. It consists of controls to shape
access to Internet resources by user, group, and/or time of day. It also supports anonymous proxy
blocking, policy management, and real time monitoring.

Answer: C is incorrect. Network Monitor (Netmon) is a protocol analyzer. It is used to analyze the
network traffic. It is installed by default during the installation of the operating system. It can be
installed by using Windows Components Wizard in the Add or Remove Programs tool in Control
Panel. Network Monitor is used to perform the following tasks:

1. Capture frames directly from the network.

2. Display and filter captured frames immediately after capture or a later time.

3. Edit captured frames and transmit them on the network.

4. Capture frames from a remote computer.

QUESTION NO: 208

You work as a Network Administrator for Techpearl Inc. You are configuring the rules for the
firewall of the company. You need to allow internal users to access secure external websites.
Which of the following firewall rules will you use to accomplish the task?

A.
TCP 172.16.1.0/24 any any 80 HTTP permit

B.
TCP 172.16.1.0/24 any any 25 SMTP permit

C.
TCP 172.16.1.0/24 any any 80 HTTP deny

D.
TCP 172.16.1.0/24 any any 443 HTTPs permit

Answer: D
Explanation:

The TCP 172.16.1.0/24 any any 443 HTTPs permit rule is used to allow internal users to access
secure external websites.

Answer: A is incorrect. The TCP 172.16.1.0/24 any any 80 HTTP permit rule is used to allow
internal users to access external websites (both secure and unsecure).

Answer: C is incorrect. The TCP 172.16.1.0/24 any any 80 HTTP deny rule is used to deny
internal users access to external websites.

Answer: B is incorrect. The TCP 172.16.1.0/24 any any 25 SMTP permit rule is used to allow
internal mail servers to deliver mails to external mail servers.

QUESTION NO: 209

Which of the following statements is true about the Digest Authentication scheme?

A.
A valid response from the client contains a checksum of the username, the password, the given
random value, the HTTP method, and the requested URL.

B.
In this authentication scheme, the username and password are passed with every request, not just
when the user first types them.

C.
The password is sent over the network in clear text format.

D.
It uses the base64 encoding encryption scheme.

Answer: A
Explanation:

The Digest Authentication scheme is a replacement of the Basic Authentication scheme. This
authentication scheme is based on the challenge response model. In Digest authentication, the
password is never sent across the network in clear text format but is always transmitted as an
MD5 digest of the user's password. In this way, the password cannot be determined with the help
of a sniffer.

How does it work? In this authentication scheme, an optional header allows the server to specify
the algorithm used to create the checksum or digest (by default, the MD5 algorithm). The Digest
Authentication scheme provides the challenge using a randomly chosen value. This randomly
chosen value is a server-specified data string which may be uniquely generated each time a 401
response is made. A valid response contains a checksum (by default, the MD5 checksum) of the
username, the password, the given random value, the HTTP method, and the requested URL. In
this way, the password is never sent in clear text format.

Drawback: Although the password is not sent in clear text format, an attacker can gain access with
the help of the digested password, since the digested password is really all the information needed
to access the web site.

Answer: B, C, D are incorrect. These statements are true about the Basic Authentication scheme.
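
The challenge/response computation described above, as an added Python example that is not part of the original question bank: the client derives the checksum from username, realm, password, nonce, HTTP method and URI (RFC 2617 without qop), and the server issues a random nonce for each 401 and accepts each nonce only once. The realm, user name and password are constructed values.

```python
import hashlib
import secrets


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """Client side (RFC 2617 without qop): the checksum the explanation describes.

    HA1      = MD5(username:realm:password)
    HA2      = MD5(method:uri)
    response = MD5(HA1:nonce:HA2)
    The plaintext password is used only locally; only 'response' crosses the wire.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side: issues the random challenge value (nonce) on each 401 and
    verifies responses. It stores HA1 per user rather than the password, which
    is also why a stolen HA1 is as good as the password (the drawback above)."""

    def __init__(self, realm: str):
        self.realm = realm
        self._ha1_by_user = {}      # username -> HA1
        self._live_nonces = set()   # nonces issued but not yet consumed

    def add_user(self, username: str, password: str) -> None:
        self._ha1_by_user[username] = _md5(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:
        """Generate a fresh, unpredictable nonce to send with a 401 response."""
        nonce = secrets.token_hex(16)
        self._live_nonces.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str,
               response: str) -> bool:
        """Accept only a response computed for a nonce this server issued and has
        not yet consumed; a captured response therefore cannot be replayed."""
        if nonce not in self._live_nonces:
            return False
        self._live_nonces.discard(nonce)          # single use, even on failure
        ha1 = self._ha1_by_user.get(username)
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    server = DigestServer("constructed-realm")
    server.add_user("alice", "constructed-password")
    nonce = server.challenge()                      # sent in the 401 challenge
    resp = digest_response("alice", "constructed-realm", "constructed-password",
                           nonce, "GET", "/private")
    print("first use accepted:", server.verify("alice", nonce, "GET", "/private", resp))
    print("replay accepted:   ", server.verify("alice", nonce, "GET", "/private", resp))
```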

QUESTION NO: 210

You have detected what appears to be an unauthorized wireless access point on your network.
However this access point has the same MAC address as one of your real access points and is
broadcasting with a stronger signal. What is this called?

A.
Bluesnarfing

B.
The evil twin attack

C.
WAP cloning

D.
DOS

Answer: B
Explanation:

In the evil twin attack, a rogue wireless access point is set up that has the same MAC address as
one of your legitimate access points. That rogue WAP will often then initiate a denial of service
attack on your legitimate access point making it unable to respond to users, so they are redirected
to the 'evil twin'.

Answer: A is incorrect. Blue snarfing is the process of taking over a PDA.

Answer: D is incorrect. A DOS may be used as part of establishing an evil twin, but this attack is
not specifically for denial of service.

Answer: C is incorrect. While you must clone a WAP MAC address, the attack is not called WAP
cloning.

QUESTION NO: 211

You work as a Computer Hacking Forensic Investigator for SecureNet Inc. You want to investigate
Cross-Site Scripting attack on your company's Website. Which of the following methods of
investigation can you use to accomplish the task?

A.
Review the source of any HTML-formatted e-mail messages for embedded scripts or links in the
URL to the company's site.

B.
Look at the Web server logs and normal traffic logging.

C.
Use Wireshark to capture traffic going to the server and then search for the requests going to
the input page, which may give a log of the malicious traffic and the IP address of the source.

D.
Use a Web proxy to view the Web server transactions in real time and investigate any
communication with outside servers.

Answer: A,B,D

Explanation:

You can use the following methods to investigate Cross-Site Scripting attack:

1. Look at the Web server logs and normal traffic logging.

2. Use a Web proxy to view the Web server transactions in real time and investigate any
communication with outside servers.

3. Review the source of any HTML-formatted e-mail messages for embedded scripts or links in the
URL to the company's site.

Answer: C is incorrect. This method is not used to investigate Cross-Site Scripting attack.
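
To illustrate method 1 (reviewing the Web server logs), here is an added Python example that is not part of the original question bank: it parses Apache combined-format access log lines, percent-decodes each request target and flags the requests that carry script markup or inline event handlers, which is what an investigator would look for first. The log lines, IP addresses and paths are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined-log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=laptop HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "POST /comment HTTP/1.1" 302 0 "http://www.example.com/post/1" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:58:45 +0000] "GET /profile?name=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 700 "-" "curl/8.0"
"""

# Client IP, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of script injection in a request target. Matching is done on the
# decoded target so that percent-encoding does not hide them.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),           # <script ...>
    re.compile(r"javascript\s*:", re.I),       # javascript: URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),       # inline handlers: onerror=, onmouseover=
]


def parse_line(line: str):
    """Return the fields of one log line, or None if the line is not in the
    expected format (truncated lines, rotated-log banners, etc.)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice: attackers sometimes double-encode to slip past naive filters.
    rec["decoded_target"] = unquote_plus(unquote_plus(rec["target"]))
    return rec


def find_xss_candidates(log_text: str):
    """Scan a whole log and return (ip, timestamp, decoded target) for every
    request whose target matches one of XSS_PATTERNS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if any(p.search(rec["decoded_target"]) for p in XSS_PATTERNS):
            hits.append((rec["ip"], rec["ts"], rec["decoded_target"]))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_xss_candidates(SAMPLE_LOG):
        print(f"{ts}  {ip}  {target}")
```

A hit only means the request is worth a closer look; confirming a successful attack still requires checking the response the server returned, which is where the proxy and e-mail review methods come in.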

QUESTION NO: 212

Which of the following commands will you use to watch a log file /var/adm/messages while the log
file is updating continuously?

A.
less -g /var/adm/messages

B.
tail /var/adm/messages

C.
cat /var/adm/messages

D.
tail -f /var/adm/messages

Answer: D
Explanation:

The tail command is used to display the last few lines of a text file or piped data. It has a special
command line option -f (follow) that allows a file to be monitored. Instead of displaying the last few
lines and exiting, tail displays the lines and then monitors the file. As new lines are added to the
file by another process, tail updates the display. This is particularly useful for monitoring log files.

The following command will display the last 10 lines of messages and append new lines to the
display as new lines are added to messages:

tail -f /var/adm/messages

Answer: B is incorrect. The tail command will display the last 10 lines (default) of the log file.

Answer: C is incorrect. The concatenate (cat) command is used to display or print the contents of
a file.

Syntax: cat filename

For example, the following command will display the contents of the /var/log/dmesg file: cat
/var/log/dmesg

Note: The more command is used in conjunction with the cat command to prevent scrolling of the
screen while displaying the contents of a file.

Answer: A is incorrect. The less command is used to view (but not change) the contents of a text
file, one screen at a time. It is similar to the more command. However, it has the extended
capability of allowing both forward and backward navigation through the file. Unlike most Unix text
editors/viewers, less does not need to read the entire file before starting; therefore, it has faster
load times with large files.

The command syntax of the less command is as follows:

less [options] file_name

QUESTION NO: 213

Mark works as the Network Administrator for XYZ CORP. The company has a Unix-based
network. Mark wants to scan one of the Unix systems to detect security vulnerabilities. To
accomplish this, he uses TARA as a system scanner. What can be the reasons that made Mark
use TARA?

A.
It has a very specific function of seeking paths to root.

B.
It is composed mostly of bash scripts

C.
It works on a wide variety of platforms.

D.
It is very modular.

Answer: B,C,D
Explanation:

Tiger Analytical Research Assistant (TARA) is a set of scripts that scans a Unix system for
security problems. Following are the pros and cons of using TARA.

Pros:

Cons:

It has a very specific function of seeking paths to root.

QUESTION NO: 214

Mark works as a Web Developer for XYZ CORP. He is developing a Web site for the company.
The Manager of the company requires Mark to use tables instead of frames in the Web site. What
is the major advantage that a table-structured Web site has over a frame-structured Web site?

A.
Easy maintenance

B.
Speed

C.
Better navigation

D.
Capability of being bookmarked or added to the Favorites folder

Answer: D
Explanation:

The major advantage that a table-structured Web site has over a frame-structured Web site is that
users can bookmark the pages of a table-structured Web site, whereas pages of a frame-structured
Web site cannot be bookmarked or added to the Favorites folder. Non-frame Web sites also give
better results with search engines.

Better navigation: Web pages can be divided into multiple frames and each frame can display a
separate Web page. It helps in providing better and consistent navigation.

Easy maintenance: Fixed elements, such as a navigation link and company logo page, can be
created once and used with all the other pages. Therefore, any change in these pages is required
to be made only once.

QUESTION NO: 215

Samantha works as a Web Developer for XYZ CORP. She develops a Web application using
Visual InterDev. She wants to group a series of HTML elements together so that an action can be
performed collectively on them. Which of the following tags will Samantha use to accomplish this?

A.
DIV

B.
GROUP

C.
BODY

D.
SPAN

Answer: A
Explanation:

DIV is an HTML tag that groups a series of elements into a larger group. It can be used when an
action needs to be performed collectively on the grouped elements. The DIV tag acts as a
container for other elements.

Answer: D is incorrect. The SPAN tag is used within an element to group a part of it. For example,
this tag can be used to group a few sentences from within a paragraph, so that a particular action
can be performed only on them.

Answer: C is incorrect. The BODY tag is used to specify the beginning and end of the document
body.

Answer: B is incorrect. There is no tag such as GROUP in HTML.

QUESTION NO: 216

Which of the following are the disadvantages of Dual-Homed Host Firewall Architecture?

A.
It can provide services by proxying them.

B.
It can provide a very low level of control.

C.
User accounts may unexpectedly enable services a user may not consider secure.

"Pass Any Exam. Any Time." - www.actualtests.com 182


GIAC GSNA Exam
D.
It provides services when users log on to the dual-homed host directly.

Answer: A,C,D
Explanation:

A dual-homed host is one of the firewall architectures for implementing preventive security. It
provides the first-line defense and protection technology for keeping untrusted bodies from
compromising information security by violating trusted network space as shown in the image
below:

A dual-homed host (or bastion host) is a system fortified with two network interfaces (NICs) that
sits between an un-trusted network (like the Internet) and trusted network (such as a corporate
network) to provide secure access. Dual-homed, or bastion, is a general term for proxies,
gateways, firewalls, or any server that provides secured applications or services directly to an
untrusted network.

A dual-homed host also has some disadvantages, which are as follows:

1. It can provide services by proxying them.

2. User accounts may unexpectedly enable services a user may not consider secure.

3. It provides services when users log on to the dual-homed host directly.

Answer: B is incorrect. Dual-Homed Host Firewall Architecture can provide a very high level of
control.
"Pass Any Exam. Any Time." - www.actualtests.com 183
GIAC GSNA Exam

QUESTION NO: 217

What are the purposes of audit records on an information system? (Choose two.)

A.
Upgradation

B.
Backup

C.
Troubleshooting

D.
Investigation

Answer: C,D
Explanation:

The following are the purposes of audit records on an information system:

An IT audit is the process of collecting and evaluating records of an organization's information
systems, practices, and operations. The evaluation of records provides evidence to determine if
the information systems are safeguarding assets, maintaining data integrity, and operating
effectively and efficiently enough to achieve the organization's goals or objectives. These reviews
may be performed in conjunction with a financial statement audit, internal audit, or other form of
attestation engagement. Audit records are also used to troubleshoot system issues.

Answers A, B are incorrect. The audit records cannot be used for backup and upgradation
purposes.

QUESTION NO: 218

Which of the following statements are true about WPA?

A.
WPA-PSK requires a user to enter an 8-character to 63-character passphrase into a wireless
client.

B.
Shared-key WPA is vulnerable to password cracking attacks if a weak passphrase is used.

"Pass Any Exam. Any Time." - www.actualtests.com 184


GIAC GSNA Exam
C.
WPA-PSK converts the passphrase into a 256-bit key.

D.
WPA provides better security than WEP.

Answer: A,B,C,D
Explanation:

WPA stands for Wi-Fi Protected Access. It is a wireless security standard. It provides better
security than WEP (Wired Equivalent Protection). Windows Vista supports both WPA-PSK and
WPA-EAP. Each of these is described as follows:

WPA-PSK: PSK stands for Preshared key. This standard is meant for the home environment.
WPA-PSK requires a user to enter an 8-character to 63-character passphrase into a wireless
client. WPA converts the passphrase into a 256-bit key.

WPA-EAP: EAP stands for Extensible Authentication Protocol. This standard relies on a back-end
server that runs Remote Authentication Dial-In User Service (RADIUS) for user authentication.

Note: Windows Vista supports a user to use a smart card to connect to a WPA-EAP protected
network.

Shared-key WPA is vulnerable to password cracking attacks if a weak passphrase is used. To
protect against a brute force attack, a truly random passphrase of 13 characters (selected from the
set of 95 permitted characters) is probably sufficient.
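The passphrase-to-key step described above, shown as an added example that is not part of the exam material: WPA and WPA2-PSK derive the 256-bit pairwise master key with PBKDF2-HMAC-SHA1 over the passphrase, using the SSID as the salt and 4096 iterations (this is the IEEE 802.11i derivation; the explanation above only states that a 256-bit key results). Because the SSID is the salt, the same passphrase yields a different key on every network, and because a weak passphrase is the only secret input, the key is only as strong as the passphrase. The inputs "password" and "IEEE" are the test vector published in the standard; the other inputs are constructed.

```python
import hashlib
import math

# Added example (not from the exam dump): the passphrase-to-key step of
# WPA/WPA2-PSK as IEEE 802.11i specifies it:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32)
# The 32-byte result is the 256-bit key the explanation above refers to.

PRINTABLE_ASCII = set(chr(c) for c in range(32, 127))  # the 95 permitted characters


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pairwise master key for a WPA-PSK network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters long")
    if not set(passphrase) <= PRINTABLE_ASCII:
        raise ValueError("passphrase must use printable ASCII (codes 32-126)")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def passphrase_keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy in bits of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # "password" / "IEEE" is the test vector published in IEEE 802.11i Annex H
    print(derive_wpa_psk("password", "IEEE").hex())
    # same passphrase, different SSID -> different key, because the SSID is the salt
    print(derive_wpa_psk("password", "IEEE") == derive_wpa_psk("password", "IEEF"))
    # the 13-random-character guideline quoted above, expressed in bits
    print(f"13 random printable characters: {passphrase_keyspace_bits(13):.1f} bits")
```

The length and character-set checks mirror the 8-to-63 printable-ASCII rule quoted above; a passphrase outside those bounds is rejected before any derivation takes place.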

QUESTION NO: 219

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to do RARP mapping from hardware mapping addresses to IP addresses. Which of the
following Unix configuration files can you use to accomplish the task?

A.
/etc/dhcpd.conf

B.
/etc/motd

C.
/etc/exports

D.
/etc/ethers

"Pass Any Exam. Any Time." - www.actualtests.com 185


GIAC GSNA Exam
Answer: D
Explanation:

In Unix, the /etc/ethers file is used by system administrators for RARP mapping from hardware
(Ethernet) addresses to IP addresses.

Answer: A is incorrect. In Unix, the /etc/dhcpd.conf file is the configuration file for the DHCP server
daemon.

Answer: C is incorrect. In Unix, the /etc/exports file describes exported file systems for NFS
services.

Answer: B is incorrect. In Unix, the /etc/motd file automatically displays the message of the day
after a successful login.
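As an added illustration that is not part of the exam material: an /etc/ethers file holds one mapping per line, an Ethernet address in colon-separated hexadecimal followed by a hostname or IP address, with "#" starting a comment. The parser below reads such a file, normalizes the addresses, and reports malformed or duplicate entries, which is the kind of check an auditor would run against a static RARP table. The file contents and function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the exam dump): parse and sanity-check an
# /etc/ethers file, the RARP mapping file named in the question above.
# Each non-comment line is "<ethernet-address> <hostname-or-IP>".

# Six colon-separated hex octets; ethers(5) permits single-digit octets such as "8:0:20:..."
MAC_RE = re.compile(r"^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case the address and zero-pad every octet to two digits."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_ethers(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (address -> host mappings, list of problems found)."""
    mappings: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append(f"line {lineno}: expected 2 fields, got {len(fields)}")
            continue
        mac, host = fields
        if not MAC_RE.match(mac):
            problems.append(f"line {lineno}: malformed Ethernet address {mac!r}")
            continue
        mac = normalize_mac(mac)
        if mac in mappings:
            # Two hosts claiming one hardware address is exactly what a RARP audit should catch
            problems.append(f"line {lineno}: duplicate address {mac} (already maps to {mappings[mac]})")
            continue
        mappings[mac] = host
    return mappings, problems


# Constructed sample file for illustration
SAMPLE_ETHERS = """\
# constructed /etc/ethers for illustration
08:00:20:00:61:CA   dbhost
8:0:20:0:61:cb      10.0.0.12    # short octets are permitted
08:00:20:00:61:ca   rogue-dup    # same address as dbhost, different host
00:11:22:33:44      badmac
"""

if __name__ == "__main__":
    table, issues = parse_ethers(SAMPLE_ETHERS)
    for mac, host in table.items():
        print(f"{mac} -> {host}")
    for issue in issues:
        print("PROBLEM:", issue)
```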

QUESTION NO: 220

You work as a Security Administrator in Tech Perfect Inc. The company has a TCP/IP based
network. The network has a vast majority of Cisco Systems routers and Cisco network switches.
You want to take a snapshot of the router running configuration and archive running configuration
of the router to persistent storage. Which of the following steps will you take?

A.
Secure the boot configuration

B.
Restore an archived primary bootset

C.
Verify the security of the bootset

D.
Enable the image resilience

Answer: A
Explanation:

In order to take a snapshot of the router running configuration and archive running configuration of
the router to persistent storage, you should secure the boot configuration of the router using the
secure boot-config command.

Answer: D is incorrect. You can enable the image resilience, if you want to secure the Cisco IOS
image.

Answer: C is incorrect. By verifying the security of the bootset, you can examine whether or not the
Cisco IOS Resilient Configuration is enabled and the files in the bootset are secured.

Answer: B is incorrect. By restoring an archived primary bootset, you can restore a primary
bootset from a secure archive after an NVRAM has been erased or a disk has been formatted.

QUESTION NO: 221

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He executes the following
command in the terminal:

echo $USER, $UID.

Which of the following will be displayed as the correct output of the above command?

A.
John, 0

B.
root, 0

C.
root, 500

D.
John, 502

Answer: B
Explanation:

According to the scenario, John is a root user. Hence, the value of the environmental variables
$USER and $UID will be root and 0, respectively.

QUESTION NO: 222

You work as a Network Administrator for Tech Perfect Inc. The company requires a secure
wireless network. To provide security, you are configuring ISA Server 2006 as a firewall. While
configuring ISA Server 2006, which of the following is NOT necessary?

A.
"Pass Any Exam. Any Time." - www.actualtests.com 187
GIAC GSNA Exam
Setting up of monitoring on ISA Server

B.
Defining how ISA Server would cache Web contents

C.
Defining ISA Server network configuration

D.
Configuration of VPN access

Answer: D
Explanation:

Configuration of VPN access is not mandatory. It is configured on the basis of requirement.

Answer: A, B, C are incorrect. All these steps are mandatory for the configuration of the ISA
Server 2006 firewall.

QUESTION NO: 223

You work as the Network Administrator for a company. You configure a Windows 2000-based
computer as the Routing and Remote Access server, so that users can access the company's
network, remotely. You want to log a record of all the users who access the network by using
Routing and Remote Access. What will you do to log all the logon activities?

A.
On the Routing and Remote Access server, enable log authentication requests in auditing, and
define the path for the log file in Remote Access Logging.

B.
On the Routing and Remote Access server, enable log authentication requests in Remote Access
Logging.

C.
On the Routing and Remote Access server, enable log authentication requests in auditing.

D.
Do nothing as the Windows 2000-based Routing and Remote Access server automatically creates
a log record for each connection attempt.

Answer: B
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 188


GIAC GSNA Exam
The Routing and Remote Access service can log all the records of authentication and accounting
information for connection attempts when Windows authentication or accounting is enabled. This
can be done by enabling the log authentication requests in the properties of the Remote Access
Logging folder, in the Routing and Remote Access snap-in, where you can configure the type of
activity to log, i.e., accounting or authentication activity and log file settings. This information is
stored in the form of a log file in the '%SystemRoot%\System32\LogFiles' folder. For each
authentication attempt, the name of the remote access policy that either accepted or rejected the
connection attempt is recorded. The logged information is useful to track remote access usage
and authentication attempts.

QUESTION NO: 224

What is the extension of a Cascading Style Sheet?

A.
.hts

B.
.cs

C.
.js

D.
.css

Answer: D
Explanation:

A Cascading Style Sheet (CSS) is a separate text file that keeps track of design and formatting
information, such as colors, fonts, font sizes, and margins, used in Web pages. CSS is used to
provide Web site authors greater control on the appearance and presentation of their Web pages.
It has codes that are interpreted and applied by the browser on to the Web pages and their
elements. CSS files have .css extension.

There are three types of Cascading Style Sheets:

QUESTION NO: 225

Which of the following is a basic feature of the Unix operating system? (Choose three.)

"Pass Any Exam. Any Time." - www.actualtests.com 189


GIAC GSNA Exam
A.
It is highly portable across hardware.

B.
All files can be individually protected using read, write, and execute permissions for the user,
group, and others.

C.
It allows all the modules to be loaded into memory.

D.
A user can execute multiple programs at the same time from a single terminal.

Answer: A,B,D
Explanation:

The basic features of Unix are as follows:

It is highly portable across hardware.

All files can be individually protected using read, write, and execute permissions for the user,
group, and others.

A user can execute multiple programs at the same time from a single terminal.

QUESTION NO: 226

Which of the following statements are true about a hot site?

A.
It is a duplicate of the original site of the organization, with full computer systems as well as near-
complete backups of user data.

B.
It is the most inexpensive backup site.

C.
It can be used within an hour for data recovery.

D.
It is cheaper than a cold site but more expensive than a warm site.

Answer: A,C
Explanation:

A hot site is a duplicate of the original site of the organization, with full computer systems as well
as near-complete backups of user data. A hot site can be used within an hour for data recovery.
The capacity of the hot site may or may not match the capacity of the original site depending on
the organization's requirements. This type of backup site is the most expensive to operate. Hot
sites are popular with organizations that operate real time processes such as financial institutions,
government agencies, and ecommerce providers. A cold site is the most inexpensive type of
backup site for an organization to operate since it does not include backed up copies of data and
information from the original location of the organization, nor does it include hardware already set
up. A warm site is, quite logically, a compromise between hot and cold in terms of resources and
cost.

QUESTION NO: 227

You have purchased a laptop that runs Windows Vista Home Premium. You want to protect your
computer from malicious applications, such as spyware, while connecting to the Internet. You
configure Windows Defender on your laptop to schedule scan daily at 2 AM as shown in the image
below:

You want Windows Defender to scan the laptop for all the known spyware and other potentially
unwanted software, including the latest one. You do not want to manually perform this task. Which
of the following actions will you perform to accomplish the task?

A.
Create a scheduled task to download definition files for Windows Defender every Sunday.

B.
Configure Windows Defender to use the definition file placed on the Microsoft Update site for
scanning the laptop.

C.
Select the Check for updated definitions before scanning check box in the Automatic Scanning
section.

D.
Click the arrow beside the Help button Click the Check for updates option.

Answer: C

"Pass Any Exam. Any Time." - www.actualtests.com 191


GIAC GSNA Exam
Explanation:

According to the question, Windows Defender should scan the laptop for all the known spyware
and other potentially unwanted software, including the latest one. Windows Defender uses
definitions to scan the system. Definitions are files that include the information of known spyware
and potentially unwanted software. To scan a computer for the latest spyware, Windows Defender
requires the latest definition files available on the Internet. For this, you have to configure Windows
Defender to check for the latest definitions and download them, if available, before scanning the
computer. Furthermore, the question also states that the task must be performed automatically. In
order to accomplish the task, you will have to select the Check for updated definitions before
scanning check box in the Automatic Scanning section.

QUESTION NO: 228

Which of the following tags will create two vertical frames, as given in the image below, where the
left frame is half as wide as the right one?

A.
<FRAMESET ROWS = "*, *"><FRAME SRC = "cell1.htm"><FRAME SRC = "cell2.htm"></FRAMESET>

B.
<FRAMESET ROWS = "1,2"><FRAME SRC = "cell1.htm"><FRAME SRC = "cell2.htm"></FRAMESET>

C.
<FRAMESET COLS = "*, *"><FRAME SRC = "cell1.htm"><FRAME SRC = "cell2.htm"></FRAMESET>

D.
<FRAMESET ROWS = "*, 2*"><FRAME SRC = "cell1.htm"><FRAME SRC = "cell2.htm"></FRAMESET>

E.
<FRAMESET COLS = "*, 2*"><FRAME SRC = "cell1.htm"><FRAME SRC = "cell2.htm"></FRAMESET>

Answer: E
Explanation:

The <FRAMESET> tag specifies a frameset used to organize multiple frames and nested framesets
in an HTML document. It defines the location, size, and orientation of frames. An HTML document
can contain either a <FRAMESET> tag or a <BODY> tag.

The COLS attribute of the <FRAMESET> tag defines the width of the vertical frames. The ROWS
attribute defines the height of the horizontal frames. The code in answer option E will create two
vertical frames. The left frame will be half as wide as the right frame because of the relative size
attributes given in the <FRAMESET> tag, i.e., <FRAMESET COLS = "*, 2*">.

QUESTION NO: 229

You work as a Network Administrator for XYZ CORP. The company has a Windows-based
network. The company wants to fix potential vulnerabilities existing on the tested systems. You
use Nessus as a vulnerability scanning program to fix the vulnerabilities. Which of the following
vulnerabilities can be fixed using Nessus?

A.
Vulnerabilities that allow a remote cracker to control sensitive data on a system

B.
Misconfiguration (e.g. open mail relay, missing patches, etc.)

C.
Vulnerabilities that allow a remote cracker to access sensitive data on a system

D.
Vulnerabilities that help in Code injection attacks

Answer: A,B,C
Explanation:

Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for
personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the
tested systems.

For example:

Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.

Misconfiguration (e.g. open mail relay, missing patches, etc.).

Default passwords, a few common passwords, and blank/absent passwords on some system
accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.

Denials of service against the TCP/IP stack by using mangled packets.

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the
scanning, and nessus, the client, which controls scans and presents the vulnerability results to the
user. For Windows, Nessus 3 installs as an executable and has a self-contained scanning,
reporting, and management system.

Operations: In typical operation, Nessus begins by doing a port scan with one of its four internal
portscanners (or it can optionally use Amap or Nmap) to determine which ports are open on the
target and then tries various exploits on the open ports. The vulnerability tests, available as
subscriptions, are written in NASL (Nessus Attack Scripting Language), a scripting language
optimized for custom network interaction. Tenable Network Security produces several dozen new
vulnerability checks (called plugins) each week, usually on a daily basis. These checks are
available for free to the general public; commercial customers are not allowed to use this Home
Feed any more. The Professional Feed (which is not free) also gives access to support and
additional scripts (audit and compliance tests). Optionally, the results of the scan can be reported
in various formats, such as plain text, XML, HTML, and LaTeX. The results can also be saved in a
knowledge base for debugging. On UNIX, scanning can be automated through the use of a
command-line client. There exist many different commercial, free and open source tools for both
UNIX and Windows to manage individual or distributed Nessus scanners. If the user chooses to
do so (by disabling the option 'safe checks'), some of Nessus's vulnerability tests may try to cause
vulnerable services or operating systems to crash. This lets a user test the resistance of a device
before putting it in production. Nessus provides additional functionality beyond testing for known
network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on
computers running the Windows operating system, and can perform password auditing using
dictionary and brute force methods. Nessus 3 and later can also audit systems to make sure they
have been configured per a specific policy, such as the NSA's guide for hardening Windows
servers.

Answer: D is incorrect. Nessus cannot be used to scan vulnerabilities that help in Code injection
attacks.

QUESTION NO: 230

You are tasked with configuring your routers with a minimum security standard that includes the
following:

A local Username and Password configured on the router

A strong privilege mode password

Encryption of user passwords

Configuring telnet and ssh to authenticate against the router user database

Choose the configuration that best meets these requirements.

A.
RouterA(config)#service password-encryption

RouterA(config)#username cisco password PaS$w0Rd

RouterA(config)#enable secret n56e&$te

RouterA(config)#line vty 0 4

RouterA(config-line)#login

B.
RouterA(config)#service password-encryption

RouterA(config)#username cisco password PaS$w0Rd

RouterA(config)#enable password n56e&$te

RouterA(config)#line vty 0 4

RouterA(config-line)#login local

C.
RouterA(config)#service password-encryption

RouterA(config)#username cisco password PaS$w0Rd

RouterA(config)#enable secret n56e&$te

RouterA(config)#line vty 0 4

RouterA(config-line)#login local

D.
RouterA(config)#service enable-password-encryption

RouterA(config)#username cisco password PaS$w0Rd

RouterA(config)#enable secret n56e&$te

RouterA(config)#line vty 0 4

RouterA(config-line)#login user

Answer: C
Explanation:

In order to fulfill the requirements, you should use the following set of commands:

RouterA(config)#service password-encryption

RouterA(config)#username cisco password PaS$w0Rd

RouterA(config)#enable secret n56e&$te

RouterA(config)#line vty 0 4

RouterA(config-line)#login local

Answer: D is incorrect. This configuration does not apply password encryption correctly. The
command service enable-password-encryption is incorrect. The correct command is service
password-encryption.

Answer: A is incorrect. This configuration applies the login command to the VTY lines. This would
require the password to be set at the VTY Line 0 4 level. This effectively will not configure user-
level access for the VTY lines.

Answer: B is incorrect. The enable password command is obsolete and considered insecure. The
proper command is enable secret followed by the password value.
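An added example, not part of the exam material and not a Cisco tool: a small auditor that checks a running configuration, supplied as plain text the way show running-config prints it (no RouterA(config)# prompts), against the four requirements above. It confirms service password-encryption, a local username entry, enable secret, and login local under the vty lines, and it flags the obsolete enable password command. The four sample configurations are constructed from answer options A to D; the function and variable names are my own.

```python
import re

# Added example (not from the exam dump or Cisco): audit a Cisco IOS
# running-config, given as plain text, against the baseline in the
# question above. The sample configs are constructed from the answer options.


def audit_ios_baseline(config_text: str) -> dict:
    """Return which baseline controls are present in the configuration."""
    findings = {
        "password_encryption": False,         # service password-encryption
        "local_user": False,                  # username <name> password|secret ...
        "enable_secret": False,               # enable secret <pw>
        "plaintext_enable_password": False,   # obsolete 'enable password' (reversible)
        "vty_login_local": False,             # 'login local' under a 'line vty' block
    }
    in_vty_block = False
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        top_level = not raw.startswith(" ")
        if top_level:
            # sub-commands of a line block are indented by one space in IOS output
            in_vty_block = line.startswith("line vty")
        if line == "service password-encryption":
            findings["password_encryption"] = True
        elif re.match(r"username \S+ .*\b(password|secret)\b", line):
            findings["local_user"] = True
        elif line.startswith("enable secret "):
            findings["enable_secret"] = True
        elif line.startswith("enable password "):
            findings["plaintext_enable_password"] = True
        elif in_vty_block and not top_level and line == "login local":
            findings["vty_login_local"] = True
    return findings


def meets_baseline(config_text: str) -> bool:
    """True only when every requirement holds and no obsolete command is present."""
    f = audit_ios_baseline(config_text)
    return (f["password_encryption"] and f["local_user"] and f["enable_secret"]
            and f["vty_login_local"] and not f["plaintext_enable_password"])


# Constructed samples mirroring answer options A-D (prompts removed)
OPTION_A = """\
service password-encryption
username cisco password PaS$w0Rd
enable secret n56e&$te
line vty 0 4
 login
"""
OPTION_B = """\
service password-encryption
username cisco password PaS$w0Rd
enable password n56e&$te
line vty 0 4
 login local
"""
OPTION_C = """\
service password-encryption
username cisco password PaS$w0Rd
enable secret n56e&$te
line vty 0 4
 login local
"""
OPTION_D = """\
service enable-password-encryption
username cisco password PaS$w0Rd
enable secret n56e&$te
line vty 0 4
 login user
"""

if __name__ == "__main__":
    for name, cfg in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C), ("D", OPTION_D)):
        print(name, "meets baseline:", meets_baseline(cfg), audit_ios_baseline(cfg))
```

The check treats "username ... password" and "username ... secret" alike, because the question's baseline only asks for a local account; in practice username ... secret is preferable, since the type 7 encoding that service password-encryption applies to a password keyword is reversible, whereas secret stores a hash.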

QUESTION NO: 231

This is a Windows-based tool that is used for the detection of wireless LANs using the IEEE
802.11a, 802.11b, and 802.11g standards. The main features of these tools are as follows:

It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.

It is commonly used for the following purposes:

a) War driving

b) Detecting unauthorized access points

c) Detecting causes of interference on a WLAN

d) WEP ICV error tracking

e) Making Graphs and Alarms on 802.11 Data, including Signal Strength

This tool is known as __________.

A.
THC-Scan

B.
NetStumbler

C.
Absinthe

D.
Kismet

Answer: B
Explanation:

NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the
IEEE 802.11a, 802.11b, and 802.11g standards. The main features of NetStumbler are as follows:

It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.

It is commonly used for the following purposes:

a. War driving

b. Detecting unauthorized access points

c. Detecting causes of interference on a WLAN

d. WEP ICV error tracking

e. Making Graphs and Alarms on 802.11 Data, including Signal Strength

Answer: D is incorrect. Kismet is an IEEE 802.11 layer2 wireless network detector, sniffer, and
intrusion detection system.

Answer: A is incorrect. THC-Scan is a war-dialing tool.

Answer: C is incorrect. Absinthe is an automated SQL injection tool.

QUESTION NO: 232

Data access auditing is a surveillance mechanism that watches over access to all sensitive
information contained within the database. What are the questions addressed in a perfect data
access auditing solution?

A.
Who accessed the data?

B.
When was the data accessed?

C.
For whom was the data accessed?

D.
What was the SQL query that accessed the data?

Answer: A,B,D

"Pass Any Exam. Any Time." - www.actualtests.com 197


GIAC GSNA Exam
Explanation:

The perfect data access auditing solution would address the following six questions:

1. Who accessed the data?

2. When was the data accessed?

3. Which computer program or client software was used to access the data?

4. From what location on the network was the data accessed?

5. What was the SQL query that accessed the data?

6. Was access to the data successfully done; and if so, how many rows of data were retrieved?

Answer: C is incorrect. In the perfect data access auditing solution, it cannot be determined for
whom the data is being accessed. Only the person accessing the data can be identified.

QUESTION NO: 233

In 1947, the American Institute of Certified Public Accountants (AICPA) adopted GAAS to
establish standards for audits. Which of the following categories of audit standards established by
GAAS are related to professional and technical competence, independence, and professional due
care?

A.
Reporting standards

B.
Risk Analysis standards

C.
General standards

D.
Fieldwork standards

Answer: C
Explanation:

In 1947, the American Institute of Certified Public Accountants (AICPA) adopted Generally
Accepted Auditing Standards (GAAS) to establish standards for audits. The standards cover the
following three categories:

General Standards: They relate to professional and technical competence, independence, and
professional due care.

Field Work Standards: They relate to the planning of an audit, evaluation of internal control, and
obtaining sufficient evidential matter upon which an opinion is based.

Reporting Standards: They relate to the compliance of all auditing standards and adequacy of
disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to
explicitly state their assertions.

Answer: B is incorrect. There was no such category of standard established by GAAS.

QUESTION NO: 234

Mark is an attacker. He wants to discover wireless LANs by listening to beacons or sending probe
requests and thereby provide a launch point for further attacks. Which of the following tools can he
use to accomplish the task?

A.
DStumbler

B.
Wellenreiter

C.
KisMAC

D.
Airmon-ng

Answer: A,C,D
Explanation:

War driving is an attack in which the attacker discovers wireless LANs by listening to beacons or
sending probe requests, thereby providing a launch point for further attacks. Airmon-ng,
DStumbler, KisMAC, MacStumbler, NetStumbler, Wellenreiter, and WiFiFoFum are the tools that
can be used to perform a war driving attack.

Answer: B is incorrect. Wellenreiter is a tool that is used to perform MAC spoofing attacks.

QUESTION NO: 235

"Pass Any Exam. Any Time." - www.actualtests.com 199


GIAC GSNA Exam
Which of the following standards is used in wireless local area networks (WLANs)?

A.
IEEE 802.4

B.
IEEE 802.3

C.
IEEE 802.5

D.
IEEE 802.11b

Answer: D
Explanation:

IEEE 802.11b is an extension of the 802.11 standard. It is used in wireless local area networks
(WLANs) and provides 11 Mbps transmission speeds in the bandwidth of 2.4 GHz.

Answer: B is incorrect. IEEE 802.3 is a standard for wired networks, which defines the media
access control (MAC) layer for bus networks that use CSMA/CD.

Answer: A is incorrect. IEEE 802.4 is a standard for wired networks, which defines the MAC layer
for bus networks that use a token-passing mechanism.

Answer: C is incorrect. IEEE 802.5 is a standard for wired networks, which defines the MAC layer
for token-ring networks.

QUESTION NO: 236

You are responsible for a number of Windows Server 2003 DNS servers on a large corporate
network. You have decided to audit the DNS server logs. Which of the following are likely errors
you could encounter in the log? (Choose two.)

A.
The DNS server could not create FTP socket for address [IP address of server].

B.
The DNS server could not open socket for domain name [domain name of server].

C.
The DNS server could not create a Transmission Control Protocol (TCP) socket.

D.
"Pass Any Exam. Any Time." - www.actualtests.com 200
GIAC GSNA Exam
The DNS server could not open socket for address [IP address of server].

Answer: C,D
Explanation:

There are a number of errors one could find in a Windows Server 2003 DNS log. They are as
follows:

The DNS server could not create a Transmission Control Protocol (TCP) socket.

The DNS server could not open socket for address.

The DNS server could not initialize the Remote Procedure Call (RPC) service.

The DNS server could not bind the main datagram socket.

The DNS Server service relies on Active Directory to store and retrieve information for Active
Directory-integrated zones.

Several Active Directory errors are also possible.

Answer: A is incorrect. DNS Servers do not create FTP connections.

Answer: B is incorrect. A DNS server looks up a name to return an IP, it would not and cannot
connect to a domain name, it must connect to an IP address.

QUESTION NO: 237

John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He finds that the We-are-secure server is vulnerable to
attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP
printing capability from the server. He is suggesting this as a countermeasure against
__________.

A.
NetBIOS NULL session

B.
DNS zone transfer

C.
IIS buffer overflow

D.
SNMP enumeration

"Pass Any Exam. Any Time." - www.actualtests.com 201


GIAC GSNA Exam
Answer: C
Explanation:

Removing the IPP printing capability from a server is a good countermeasure against an IIS buffer
overflow attack. A Network Administrator should take the following steps to prevent a Web server
from IIS buffer overflow attacks:

Conduct frequent scans for server vulnerabilities.

Install the upgrades of Microsoft service packs.

Implement effective firewalls.

Apply URLScan and IISLockdown utilities.

Remove the IPP printing capability.

Answer: B is incorrect. The following are the DNS zone transfer countermeasures:

Do not allow DNS zone transfer using the DNS property sheet:

a. Open DNS.

b. Right-click a DNS zone and click Properties.

c. On the Zone Transfer tab, clear the Allow zone transfers check box.

Configure the master DNS server to allow zone transfers only from secondary DNS servers:

a. Open DNS.

b. Right-click a DNS zone and click Properties.

c. On the zone transfer tab, select the Allow zone transfers check box, and then do one of the
following:

To allow zone transfers only to the DNS servers listed on the name servers tab, click on the Only
to the servers listed on the Name Server tab.

To allow zone transfers only to specific DNS servers, click Only to the following servers, and add
the IP address of one or more servers.

Deny all unauthorized inbound connections to TCP port 53.

Implement DNS keys and encrypted DNS payloads.

Answer: D is incorrect. The following are the countermeasures against SNMP enumeration:

1. Removing the SNMP agent or disabling the SNMP service


"Pass Any Exam. Any Time." - www.actualtests.com 202
GIAC GSNA Exam
2. Changing the default PUBLIC community name when 'shutting off SNMP' is not an option

3. Implementing the Group Policy security option called Additional restrictions for anonymous
connections

4. Restricting access to NULL session pipes and NULL session shares

5. Upgrading SNMP Version 1 with the latest version

6. Implementing Access control list filtering to allow only access to the read-write community from
approved stations or subnets

Answer: A is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if
NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken
to limit NetBIOS NULL session vulnerabilities:

1. Null sessions require access to TCP port 139 or TCP port 445, which a Network Administrator
can block at the host firewall or at the network perimeter.

2. A Network Administrator can also disable SMB services entirely on individual hosts by
unbinding the WINS Client (TCP/IP) from the interface.

3. A Network Administrator can also restrict anonymous access by editing the registry:

a. Open regedt32 and go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

b. Choose Edit > Add Value. Value name: RestrictAnonymous; Data type: REG_DWORD; Value: 2.
The value 2 applies to Windows 2000; on Windows XP/Server 2003 and later use RestrictAnonymous
= 1 together with RestrictAnonymousSAM = 1 and EveryoneIncludesAnonymous = 0, which is what
the Group Policy settings "Network access: Do not allow anonymous enumeration of SAM accounts
and shares" and "Network access: Let Everyone permissions apply to anonymous users" configure.

QUESTION NO: 238

Which of the following commands is most useful for viewing large files?

A.
cat

B.
less

C.
touch

D.
cp

Answer: B
Explanation:

The less command is most useful for viewing large files. It displays a file one screen at a time and
lets you page forward and backward and search within the file, without reading the whole file into
memory first. cat writes the entire file to the terminal at once, so with a large file the content
scrolls past before it can be read.

Answer: A is incorrect. The cat command is also used to view the content of a file, but it is most
useful for viewing short files (or for concatenating files into another command's input).

Answer: D is incorrect. The cp command is used to copy files and directories from one location to
another.

Answer: C is incorrect. The touch command is not used to view the content of a file. It is used to
create empty files or to update file timestamps.

QUESTION NO: 239

Which of the following is an attempt to give false information or to deny that a real event or
transaction should have occurred?

A.
A DDoS attack

B.
A repudiation attack

C.
A replay attack

D.
A dictionary attack

Answer: B
Explanation:

A repudiation attack is an attempt to give false information or to deny that a real event or
transaction occurred, for example a user denying having sent a message or placed an order. The
countermeasure is non-repudiation, typically provided by digital signatures and tamper-evident
audit logs.

Answer: A is incorrect. In a distributed denial of service (DDoS) attack, an attacker uses multiple
computers throughout the network that have been previously infected. Such computers act as
zombies and work together to send out bogus messages, thereby increasing the amount of phony
traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that
multiple machines can generate more attack traffic than one machine, multiple attack machines
are harder to turn off than one attack machine, and that the behavior of each attack machine can
be stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for
a DDoS attack.

Answer: C is incorrect. A replay attack is a type of attack in which attackers capture packets
containing passwords, authentication tokens or digital signatures as they pass between two hosts
on a network. In an attempt to obtain an authenticated connection, the attackers then resend the
captured packets to the system. In this type of attack, the attacker does not need to know the
actual password, but can simply replay the captured packet. Protocols defend against replay with
nonces, timestamps, sequence numbers and session-bound keys, so that a captured message is
rejected when it is presented a second time.

Answer: D is incorrect. Dictionary attack is a type of password guessing attack. This type of attack
uses a dictionary of common words to find out the password of a user. It can also use common
words in either upper or lower case to find a password. There are many programs available on the
Internet to automate and execute dictionary attacks.
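The replay attack described under option C only works when the receiver cannot tell a captured message from a fresh one. The following Python is an added example, not part of the exam material, showing the usual defence: each message carries a timestamp and a random nonce under an HMAC, and the server rejects anything with a bad MAC, a stale timestamp, or a nonce it has already accepted. The shared key and the "LOGIN alice" payload are constructed for the example; a real deployment derives the key from an authenticated session rather than hard-coding it.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed for the example only; never ship a hard-coded key.
SHARED_KEY = b"example-shared-key-not-for-production"


def build_message(key: bytes, payload: bytes, now: Optional[float] = None) -> bytes:
    """Frame a request as: 8-byte timestamp | 16-byte random nonce | payload | HMAC-SHA256 tag.
    The tag covers timestamp, nonce and payload, so an attacker can alter none of them."""
    ts = struct.pack(">Q", int(now if now is not None else time.time()))
    nonce = os.urandom(16)
    body = ts + nonce + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayGuard:
    """Server side: accept a message only once, and only while its timestamp is fresh."""

    def __init__(self, key: bytes, window_seconds: int = 300):
        self.key = key
        self.window = window_seconds
        self.seen: Dict[bytes, int] = {}      # nonce -> timestamp it was accepted with

    def verify(self, message: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(now if now is not None else time.time())
        if len(message) < 8 + 16 + 32:
            return False, "too short"
        body, tag = message[:-32], message[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"           # forged or tampered: authenticate before anything else
        ts = struct.unpack(">Q", body[:8])[0]
        nonce = body[8:24]
        if abs(now - ts) > self.window:
            return False, "stale timestamp"   # replayed long after capture
        self._expire(now)
        if nonce in self.seen:
            return False, "replay"            # same captured packet resent inside the window
        self.seen[nonce] = ts
        return True, "ok"

    def _expire(self, now: int) -> None:
        # Nonces older than the window can be forgotten; the timestamp check rejects them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}


def demo():
    """Walk through the four outcomes: fresh message, replayed copy, forged tag, stale message."""
    guard = ReplayGuard(SHARED_KEY)
    t0 = 1_700_000_000
    msg = build_message(SHARED_KEY, b"LOGIN alice", now=t0)
    first = guard.verify(msg, now=t0 + 1)
    replayed = guard.verify(msg, now=t0 + 2)
    forged = guard.verify(msg[:-32] + bytes(32), now=t0 + 2)
    late = guard.verify(build_message(SHARED_KEY, b"LOGIN alice", now=t0), now=t0 + 3600)
    return first, replayed, forged, late


if __name__ == "__main__":
    for label, result in zip(("first", "replayed", "forged", "late"), demo()):
        print(label, result)
```

The order of the checks matters: the MAC is verified before the timestamp or nonce is trusted, because otherwise an attacker could fill the nonce cache or trigger expensive work with unauthenticated garbage. The nonce cache is bounded by the freshness window, which is what makes the timestamp necessary in the first place.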

QUESTION NO: 240

Which of the following types of attack is described in the statement below?

"It is a technique employed to compromise the security of network switches. In this attack, a switch
is flooded with packets, each containing different source MAC addresses. The intention is to
consume the limited memory set aside in the switch to store the MAC address-to-physical port
translation table."

A.
Man-in-the-middle

B.
Blind spoofing

C.
Dictionary

D.
MAC flooding

Answer: D
Explanation:

MAC flooding is a technique employed to compromise the security of network switches. In a
typical MAC flooding attack, a switch is flooded with frames, each containing a different source
MAC address. The intention is to consume the limited memory set aside in the switch to store
the MAC address-to-physical port translation table (the CAM table). Once the table is full, many
switches enter a state called fail-open mode, in which incoming frames for unknown destinations
are flooded out on all ports (as with a hub), instead of just down the correct port as per normal
operation. A malicious user could then use a packet sniffer (such as Wireshark) running in
promiscuous mode to capture sensitive data from other computers (such as unencrypted
passwords, e-mail and instant messaging conversations), which would not be accessible were
the switch operating normally. Countermeasures are switch port security (limiting the number of
MAC addresses learned per port and shutting the port on violation) and alerting on a sudden rise
in distinct source MACs seen on one port.

Answer: B is incorrect. Blind spoofing is a type of IP spoofing attack. This attack occurs when the
attacker is on a different subnet from the destination host, so the attacker cannot see the replies
and it is more difficult to obtain the correct TCP sequence and acknowledgement numbers. In a
blind spoofing attack, an attacker first sends several packets to the target computer to sample
how it generates initial sequence numbers; if the attacker can predict the next sequence number,
spoofed data is accepted by the target computer. Modern operating systems randomize initial
sequence numbers, which defeats this prediction.

Answer: C is incorrect. Dictionary attack is a type of password guessing attack. This type of attack
uses a dictionary of common words to find out the password of a user. It can also use common
words in either upper or lower case to find a password. There are many programs available on the
Internet to automate and execute dictionary attacks.

Answer: A is incorrect. Man-in-the-middle attacks occur when an attacker successfully inserts an
intermediary software or program between two communicating hosts. The intermediary software or
program allows attackers to listen to and modify the communication packets passing between the
two hosts. The software intercepts the communication packets and then sends the information to
the receiving host. The receiving host responds to the software, presuming it to be the legitimate
client.
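The detection side of the MAC flooding explanation above, as an added example that is not part of the exam material: a sliding-window counter of distinct source MACs per switch port, run over a constructed frame log (timestamp, ingress port, source MAC) in which one port sees two ordinary hosts and another sees a new random source MAC on every frame, the pattern macof-style tools produce. The port names, the threshold of 10 MACs and the 1-second window are assumptions for the example and need tuning per environment (a port facing a hypervisor or another switch legitimately carries many MACs).

```python
from collections import defaultdict, deque

MAX_MACS_PER_PORT = 10    # assumed threshold; an access port normally sees a handful of MACs
WINDOW_SECONDS = 1.0      # assumed sliding window


class MacFloodDetector:
    """Track distinct source MAC addresses per port inside a sliding time window and
    return an alert record when a port exceeds the threshold."""

    def __init__(self, max_macs=MAX_MACS_PER_PORT, window=WINDOW_SECONDS):
        self.max_macs = max_macs
        self.window = window
        self.events = defaultdict(deque)   # port -> deque of (timestamp, mac), oldest first

    def observe(self, ts, port, src_mac):
        q = self.events[port]
        q.append((ts, src_mac.lower()))
        while q and ts - q[0][0] > self.window:   # drop frames that fell out of the window
            q.popleft()
        distinct = {mac for _, mac in q}
        if len(distinct) > self.max_macs:
            return {"port": port, "distinct_macs": len(distinct), "window_end": ts}
        return None


def sample_frames():
    """Constructed frame log, not a real capture: Gi0/1 carries two chatting hosts, Gi0/7 is flooded."""
    frames = []
    for i in range(20):
        frames.append((i * 0.05, "Gi0/1",
                       "00:11:22:33:44:55" if i % 2 else "00:11:22:33:44:66"))
    for i in range(200):
        frames.append((i * 0.004, "Gi0/7",
                       "02:%02x:%02x:%02x:%02x:%02x" % (i, 0x11, 0x22, 0x33, i ^ 0xAA)))
    return sorted(frames)


def run_detection(frames, detector=None):
    """Feed frames through the detector; report the first threshold crossing per port."""
    detector = detector or MacFloodDetector()
    alerts, alerted_ports = [], set()
    for ts, port, mac in frames:
        alert = detector.observe(ts, port, mac)
        if alert and port not in alerted_ports:
            alerts.append(alert)
            alerted_ports.add(port)
    return alerts


if __name__ == "__main__":
    for alert in run_detection(sample_frames()):
        print("possible CAM table flood on %(port)s: %(distinct_macs)d source MACs "
              "within the window ending at t=%(window_end).3f" % alert)
```

In practice the frame log would come from a SPAN port or from the switch's own MAC-move and port-security violation logs; the alert fires on the first frame that pushes a port past the threshold, which here is the eleventh distinct MAC on Gi0/7.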

QUESTION NO: 241

Network mapping provides a security testing team with a blueprint of the organization. Which of
the following steps is NOT a part of manual network mapping?

A.
Gathering private and public IP addresses

B.
Collecting employees information

C.
Performing Neotracerouting

D.
Banner grabbing

Answer: C
Explanation:

Using automated tools, such as NeoTrace, for mapping a network is a part of automated network
mapping, not of manual network mapping. Network mapping is the process of providing a blueprint
of the organization to a security testing team. There are two ways of performing network
mapping:

Manual Mapping: In manual mapping, a tester gathers information to create a matrix that
contains the domain name information, IP addresses of the network, DNS servers, employee
information, company location, phone numbers, yearly earnings, recently acquired organizations,
email addresses, publicly available IP address ranges, open ports, wireless access points, modem
lines, and banner grabbing details.

Automated Mapping: In automated mapping, a tester uses an automated tool to gather
information about the network. There are many tools for this purpose, such as NeoTrace, Visual
traceroute, Cheops, Cheops-ng, etc. The advantage of automated mapping is that it is very fast;
the disadvantage is that it may generate erroneous results, so its output should be verified
manually.

QUESTION NO: 242

Which of the following methods can be helpful to eliminate social engineering threat? (Choose
three.)

A.
Data encryption

B.
Data classification

C.
Password policies

D.
Vulnerability assessments

Answer: B,C,D
Explanation:

The following methods can be helpful to reduce the social engineering threat:

Password policies

Vulnerability assessments

Data classification

The password policy should specify whether and how a password may be shared (normally: never).
The company should implement periodic penetration tests and vulnerability assessments. These
assessments usually consist of using known attacker tools and common attacker techniques to
breach network security. Social engineering should also be included for an accurate assessment.
Since social engineers exploit the knowledge of others to obtain information, it is essential to have
a data classification model in place that all employees know and follow. Data classification assigns
a level of sensitivity to company information. Each classification level specifies who can view and
edit the data, and how it can be shared.

QUESTION NO: 243

You work as a Network Administrator for Net World International. The company has a Windows
Active Directory-based single domain single forest network. The functional level of the forest is
Windows Server 2003. There are ten Sales Managers in the company. The company has recently
provided laptops to all its Sales Managers. All the laptops run Windows XP Professional. These
laptops will be connected to the company's network through wireless connections. The company's
management wants to implement Shared Key authentication for these laptops. When you try to
configure the network interface card of one of the laptops for Shared Key authentication, you find
no such option. What will you do to enable Shared Key authentication?

A.
Install PEAP-MS-CHAP v2

B.
Enable WEP

C.
Install Service Pack 1

D.
Install EAP-TLS.

Answer: B

Explanation:

Shared Key authentication requires the use of the Wired Equivalent Privacy (WEP) algorithm. If
WEP is not enabled, the option for Shared Key authentication is not available. To accomplish the
task, you will have to enable WEP on all the laptops. Note that Shared Key authentication is
weaker than Open System authentication: the challenge/response exchange hands an eavesdropper
a plaintext/ciphertext pair from which the RC4 keystream can be recovered, and WEP itself is
broken. Where the hardware allows it, WPA2 with 802.1X (for example PEAP-MS-CHAP v2 or
EAP-TLS) should be used instead.

QUESTION NO: 244

Which of the following tools hides information about IIS Webservers so that they can be prevented
from various attacks performed by an attacker?

A.
httprint

B.
ServerMask

C.
Whisker

D.
WinSSLMiM

Answer: B
Explanation:

ServerMask is a tool that is used to hide information about IIS Web servers. Since IIS Web servers
have been targeted by attacks such as the Code Red worm and the IIS Unicode (directory
traversal) exploit, ServerMask removes unnecessary HTTP headers and response data, and file
extensions like .asp or .aspx, which are clear indicators that a site is running on a Microsoft
server. Besides this, ServerMask modifies the ASP session ID cookie values, default messages,
pages and scripts of all kinds to misguide an attacker. This is obscurity rather than a fix: the
underlying vulnerabilities still need patching.

Answer: A is incorrect. httprint is a fingerprinting tool that uses Web server characteristics to
accurately identify Web servers. It works even when the Web server has been obfuscated by
changing the server banner strings, or by plug-ins such as mod_security or ServerMask.

Answer: C is incorrect. Whisker is an HTTP/Web vulnerability scanner that is written in the PERL
language. Whisker runs on both the Windows and UNIX environments. It provides functions for
testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs.

Answer: D is incorrect. WinSSLMiM is an HTTPS Man in the Middle attacking tool. It includes
FakeCert, a tool used to make fake certificates. It can be used to exploit the Certificate Chain
vulnerability in Internet Explorer. The tool works under Windows 9x/2000.

QUESTION NO: 245

Sarah works as a Web Developer for XYZ CORP. She develops a Web site for the company. She
uses tables in the Web site. Sarah embeds three tables within a table. What is the technique of
embedding tables within a table known as?

A.
Nesting tables

B.
Stacking tables

C.
CSS tables

D.
Horned tables

Answer: A
Explanation:

In general, nesting means embedding a construct inside another. Nesting tables is a technique in
which one or more tables are embedded within a table.

Answer: B, C, D are incorrect. There are no techniques such as stacking tables, horned tables, or
CSS tables.

QUESTION NO: 246

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He has recently backed up
his entire Linux hard drive into the my_backup.tgz file. The size of the my_backup.tgz file is
800MB. Now, he wants to break this file into two files in which the size of the first file named
my_backup.tgz.aa should be 600MB and that of the second file named my_backup.tgz.ab should
be 200MB. Which of the following commands will John use to accomplish his task?

A.
split --verbose -b 200m my_backup.tgz my_backup.tgz

B.
split --verbose -b 200m my_backup.tgz my_backup.tgz
C.
split --verbose -b 600m my_backup.tgz my_backup.tgz

D.
split --verbose -b 600m my_backup.tgz my_backup.tgz

Answer: D
Explanation:

According to the scenario, John wants to break the my_backup.tgz file into two files, in which the
size of the first file named my_backup.tgz.aa should be 600MB and that of the second file named
my_backup.tgz.ab should be 200MB. Hence, he will use the split --verbose -b 600m my_backup.tgz
my_backup.tgz. command (the last argument, ending in a dot, is the output prefix), which writes
the first 600MB to my_backup.tgz.aa and the remaining 200MB to my_backup.tgz.ab. The reason
behind the names is that the split command appends the suffixes 'aa', 'ab', 'ac', ..., 'az', 'ba',
'bb', etc. to the prefix by default. Hence, both conditions, the file names as well as the file sizes,
match with this command. A -b 200m split would instead produce four 200MB pieces. After
splitting, the reassembled file should be compared against a checksum of the original before the
pieces are trusted as a backup.

Note: If the size of the tar file my_backup.tgz is 1300MB, the command split --verbose -b 600m
my_backup.tgz my_backup.tgz. breaks the my_backup.tgz file into three files, i.e.,
my_backup.tgz.aa of size 600MB, my_backup.tgz.ab of size 600MB, and my_backup.tgz.ac of
size 100MB.

QUESTION NO: 247

Which of the following statements are true about the Enum tool?

A.
It uses NULL and User sessions to retrieve user lists, machine lists, LSA policy information, etc.

B.
It is capable of performing brute force and dictionary attacks on individual accounts of Windows
NT/2000.

C.
One of the countermeasures against the Enum tool is to disable TCP port 139/445.

D.
It is a console-based Win32 information enumeration utility.

Answer: A,B,C,D
Explanation:

Enum is a console-based Win32 information enumeration utility. It uses null sessions to retrieve
user lists, machine lists, share lists, namelists, group and member lists, passwords, and LSA
policy information. It is also capable of performing brute force and dictionary attacks on individual
accounts. Since the Enum tool works on the NetBIOS NULL sessions, disabling the NetBIOS port
can be a good countermeasure against the Enum tool.

QUESTION NO: 248

Which of the following processes is described in the statement below?

"This is the process of numerically analyzing the effect of identified risks on overall project
objectives."

A.
Perform Quantitative Risk Analysis

B.
Monitor and Control Risks

C.
Perform Qualitative Risk Analysis

D.
Identify Risks

Answer: A
Explanation:

Perform Quantitative Risk Analysis is the process of numerically analyzing the effect of identified
risks on overall project objectives. This process generally follows the Perform Qualitative Risk
Analysis process. It is performed on risks that have been prioritized by the Perform Qualitative
Risk Analysis process as potentially and substantially impacting the project's competing demands.
The Perform Quantitative Risk Analysis should be repeated after Plan Risk Responses, as well as
part of Monitor and Control Risks, to determine if the overall project risk has been decreased.

Answer: C is incorrect. This is the process of prioritizing risks for further analysis or action by
assessing and combining their probability of occurrence and impact.

Answer: D is incorrect. This is the process of determining which risks may affect the project and
documenting their characteristics.

Answer: B is incorrect. This is the process of implementing risk response plans, tracking identified
risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness
through the project.


QUESTION NO: 249

Which of the following statements are true about MS-CHAPv2?

A.
It is a connectionless protocol.

B.
It provides an authenticator-controlled password change mechanism.

C.
It is subject to offline dictionary attacks.

D.
It can be replaced with EAP-TLS as the authentication mechanism for PPTP.

Answer: B,C,D
Explanation:

MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on
the Response packet and an authenticator response on the Success packet. MS-CHAPv2 has
various features such as:

It is enabled by negotiating CHAP Algorithm 0x81 (0x80 is MS-CHAPv1) in LCP option 3,
Authentication Protocol.

It provides an authenticator-controlled password change mechanism.

It provides an authenticator-controlled authentication retry mechanism.

It defines failure codes returned in the Failure packet message field.

With weak passwords, MS-CHAPv2 is subject to offline dictionary attacks on a captured
handshake; hence, it can be replaced with EAP-TLS as the authentication mechanism for PPTP.
The weakness is in fact worse than a dictionary attack: the handshake lets an attacker recover the
user's NT hash by brute-forcing a single 56-bit DES key, whatever the password strength, so
MS-CHAPv2 should only be used inside a protected tunnel (PEAP, EAP-TTLS), if at all.

Answer: A is incorrect. MS-CHAPv2 is not a connectionless protocol; it is a challenge/response
authentication exchange carried inside a PPP connection.

QUESTION NO: 250

You work as a Software Developer for XYZ CORP. You create a SQL server database named
DATA1 that will manage the payroll system of the company. DATA1 contains two tables named
EmployeeData, Department. While EmployeeData records detailed information of the employees,
Department stores information about the available departments in the company. EmployeeData
consists of columns that include EmpID, EmpName, DtOBrth, DtOJoin, DeptNo, Desig, BasicSal,
etc. You want to ensure that each employee ID is unique and is not shared between two or more
employees. You also want to ensure that the employees enter only valid department numbers in
the DeptNo column. Which of the following actions will you perform to accomplish the task?

A.
Define triggers in the EmployeeData table.

B.
Add stored procedures by using Transact-SQL queries.

C.
Add constraints to the EmployeeData table.

D.
Define indexes in the EmployeeData table.

E.
Define views in the database.

Answer: B,C,D,E
Explanation:

In the given scenario, you will add constraints to the EmpID and DeptNo columns of the
EmployeeData table, as you want EmpID to be unique, and the number entered in the DeptNo
column to be valid. A constraint enforces the integrity of a database. It defines rules regarding the
values allowed in the columns of a table. A constraint is the standard mechanism for enforcing
integrity. Using constraints is preferred to using triggers, rules, and defaults. Most of the RDBMS
databases support the following five types of constraints:

NOT NULL constraint: It specifies that the column does not accept NULL values.

CHECK constraint: It enforces domain integrity by limiting the values that can be placed in a
column.

UNIQUE constraint: It enforces the uniqueness of values in a set of columns.

PRIMARY KEY constraint: It identifies the column or set of columns whose values uniquely
identify a row in a table.

FOREIGN KEY constraint: It establishes a foreign key relationship between the columns of the
same table or different tables.

Following are the functions of constraints:

Constraints enforce rules on data in a table whenever a row is inserted, updated, or deleted from
the table.

Constraints prevent the deletion of a table if there are dependencies from other tables.

Constraints enforce rules at the column level as well as at the table level.

Defining indexes in the EmployeeData table will help you find employee information based on
EmpID very fast.

An index is a separate data structure that points to the rows of a table.

It speeds up the process of data retrieval from a table.

It is stored separately from the table for which it was created.

Indexes can be created or dropped without affecting the data in a table.

The syntax for creating an index is as follows: CREATE INDEX <Index name> ON <table> (<column>)

Indexes can also be used for implementing data integrity in a table.

A unique index does not allow duplicate values to be entered in a column that is indexed as a
unique index (this is how a UNIQUE or PRIMARY KEY constraint is enforced internally).

The syntax for creating a unique index is as follows:

CREATE UNIQUE INDEX <Index name> ON <table> (<column>)

You will also add a stored procedure named AddEmp by using Transact-SQL queries. AddEmp
will accept data values for new employees and will subsequently add a row in the EmployeeData
table. Stored procedures are precompiled SQL routines that are stored on a database server.
They are a combination of multiple SQL statements that form a logical unit and perform a
particular task. Stored procedures provide the capability of combining multiple SQL statements
and improve speed due to precompiled routines. Most of the DBMS provide support for stored
procedures. They usually differ in their syntax and capabilities from one DBMS to another.

A stored procedure can take three kinds of parameters: IN, OUT, and INOUT. Note: Stored
procedures are very similar to functions and procedures of common programming languages. You
will also define
a view named DeptEmpView that will combine data from the Department and EmployeeData
tables and thus produce the required result. A view can be thought of as a virtual table. The data
accessible through a view is not stored in the database as a distinct object. Views are created by
defining a SELECT statement. The result set of the SELECT statement forms the virtual table. A
user can use this virtual table by referencing the view name in SQL statements in the same way a
table is referenced.

Answer: A is incorrect. You do not need to define any triggers in the EmployeeData table, as they
are not required while making the EmpID unique, or while entering valid data values in DeptNo. A
trigger is a special kind of stored procedure that automatically runs when data in a specified table
is updated, inserted, or deleted. Triggers can query other tables and can include complex SQL
statements.
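The two requirements in the scenario (unique EmpID, valid DeptNo) map directly onto a PRIMARY KEY and a FOREIGN KEY constraint, and the value of constraints is that bad rows are rejected by the engine no matter which application writes them. The following Python is an added example, not part of the exam material, that builds the two tables from the scenario in an in-memory SQLite database and shows each constraint rejecting an insert. The department numbers, names and salaries are constructed sample data; the CHECK on BasicSal is an extra illustration not mentioned in the scenario.

```python
import sqlite3


def build_payroll_db():
    """Create Department and EmployeeData with the constraints the scenario calls for:
    EmpID is the PRIMARY KEY (unique, not null) and DeptNo is a FOREIGN KEY into Department."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite only enforces FKs when this is on
    conn.executescript("""
        CREATE TABLE Department (
            DeptNo   INTEGER PRIMARY KEY,
            DeptName TEXT NOT NULL UNIQUE
        );
        CREATE TABLE EmployeeData (
            EmpID    INTEGER PRIMARY KEY,
            EmpName  TEXT NOT NULL,
            DtOBrth  TEXT,
            DtOJoin  TEXT,
            DeptNo   INTEGER NOT NULL REFERENCES Department(DeptNo),
            Desig    TEXT,
            BasicSal REAL CHECK (BasicSal >= 0)
        );
        INSERT INTO Department VALUES (10, 'Engineering'), (20, 'Finance');
    """)
    return conn


def add_employee(conn, emp_id, name, dept_no, basic_sal=0.0):
    """Insert one employee with a parameterised statement; return (ok, message).
    Constraint violations surface as sqlite3.IntegrityError and roll the statement back."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO EmployeeData (EmpID, EmpName, DeptNo, BasicSal) VALUES (?, ?, ?, ?)",
                (emp_id, name, dept_no, basic_sal),
            )
        return True, "inserted"
    except sqlite3.IntegrityError as exc:
        return False, str(exc)


def demo():
    """Attempt five inserts; only the two that satisfy every constraint end up in the table."""
    conn = build_payroll_db()
    results = [
        add_employee(conn, 1, "Alice", 10, 5000),   # valid
        add_employee(conn, 1, "Bob", 20, 4000),     # duplicate EmpID: PRIMARY KEY rejects it
        add_employee(conn, 2, "Carol", 99, 4000),   # DeptNo 99 does not exist: FOREIGN KEY rejects it
        add_employee(conn, 3, "Dave", 20, -1),      # negative salary: CHECK rejects it
        add_employee(conn, 3, "Dave", 20, 4500),    # valid
    ]
    count = conn.execute("SELECT COUNT(*) FROM EmployeeData").fetchone()[0]
    return results, count


if __name__ == "__main__":
    results, count = demo()
    for ok, message in results:
        print("OK " if ok else "REJ", message)
    print("rows in EmployeeData:", count)
```

The parameterised INSERT is deliberate: a stored procedure such as the AddEmp mentioned above gives the same benefit of keeping application code from concatenating user input into SQL, but it does not by itself enforce uniqueness or referential integrity; that remains the job of the constraints.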

QUESTION NO: 251

Which of the following listeners need not be configured in the deployment descriptor? (Choose
two.)

A.
HttpSessionBindingListener

B.
HttpSessionAttributeListener

C.
HttpSessionListener

D.
HttpSessionActivationListener

Answer: A,D
Explanation:

Except for HttpSessionActivationListener and HttpSessionBindingListener, all other listeners must
be configured in the deployment descriptor (web.xml) with a <listener> element.

HttpSessionBindingListener has methods (valueBound and valueUnbound) that notify the object
when it is added to or removed from a session. HttpSessionActivationListener has methods
(sessionWillPassivate and sessionDidActivate) that inform the attribute when the session is about
to be passivated or has just been activated. These methods are related to the individual attribute
objects and not to the complete session: the attribute object itself implements the interface, so
the container invokes it directly and it need not be configured in the deployment descriptor.

QUESTION NO: 252

You work as a Database Administrator for BigApple Inc. The Company uses Oracle as its
database. You enabled standard database auditing. Later, you noticed that it has a huge impact
on performance of the database by generating a large amount of audit data. How will you keep
control on this audit data?

A.
By implementing principle of least privilege.

B.
By removing some potentially dangerous privileges.

C.
By setting the REMOTE_LOGIN_PASSWORDFILE instance parameter to NONE.

D.
By limiting the number of audit records generated to only those of interest.

Answer: D
Explanation:

Auditing is the process of monitoring and recording the actions of selected users in a database.
Standard auditing can be scoped by statement, by privilege, by object, or by network activity, and
each of these can be recorded BY SESSION (one record per session) or BY ACCESS (one record
per statement).

By focusing the audit as narrowly as possible, you get audit records only for events that are of
significance. Where possible, audit BY SESSION rather than BY ACCESS. When auditing a
database, the SYS.AUD$ table may grow to many gigabytes; delete or truncate it periodically to
control the volume of audit data.

Answer: A is incorrect. The principle of least privilege means that users are granted the minimum
set of privileges that is just sufficient to accomplish their roles, so that even if they try, they cannot
perform actions that would critically endanger the data in the event of a malicious attack. Some
damage may still be unavoidable, but after identifying the scope of a role, users are allocated only
those privileges compatible with it, which minimizes the damage an attack can do. Granting more
privileges than necessary makes data critically vulnerable to exploitation. The principle of least
privilege is also known as the principle of minimal privilege and is sometimes referred to as POLA,
the principle of least authority. While applying it in Oracle, ensure that the
O7_DICTIONARY_ACCESSIBILITY initialization parameter is set to FALSE, and review and revoke
those packages and roles granted to the PUBLIC pseudo-user that are not necessary for legitimate
use; this matters because every user of the database, without exception, automatically holds
PUBLIC. Packages commonly granted to PUBLIC that deserve review include UTL_TCP, UTL_SMTP,
UTL_HTTP and UTL_FILE.

Answer: C is incorrect. REMOTE_LOGIN_PASSWORDFILE is an initialization parameter that
specifies whether Oracle checks for a password file and which databases may use it. Its properties
are as follows:

Parameter type: String

Syntax: REMOTE_LOGIN_PASSWORDFILE = {NONE | SHARED | EXCLUSIVE}

Default value: NONE

Answer: B is incorrect. Removing some potentially dangerous privileges is a security hardening
step.

All of the above options are security steps and are not involved in controlling the volume of
standard database auditing.


QUESTION NO: 253

Which of the following functions are performed by methods of the HttpSessionActivationListener
interface?

A.
Notifying an attribute that a session has just migrated from one JVM to another.

B.
Notifying the object when it is unbound from a session.

C.
Notifying the object when it is bound to a session.

D.
Notifying an attribute that a session is about to migrate from one JVM to another.

Answer: A,D
Explanation:

The HttpSessionActivationListener interface notifies an attribute that the session is about to be
passivated or has just been activated. Methods of this interface are as follows:

public void sessionDidActivate(HttpSessionEvent se): It notifies the attribute that the session
has just been moved to a different JVM.

public void sessionWillPassivate(HttpSessionEvent se): It notifies the attribute that the session is
about to move to a different JVM.

Answer: B, C are incorrect. These functions are performed by the HttpSessionBindingListener
interface. The HttpSessionBindingListener interface causes an object of the implementing class to
be notified when it is added to or removed from a session. The HttpSessionBindingListener
interface has the following methods:

public void valueBound(HttpSessionBindingEvent event): It notifies the object that it is being
bound to a session.

public void valueUnbound(HttpSessionBindingEvent event): It notifies the object that it is being
unbound from a session.

QUESTION NO: 254

You work as a Software Developer for UcTech Inc. You want to encode a URL, so that it can be
used with the sendRedirect() method to send the response to the client. In order to accomplish
this, you have to use a method of the HttpServletResponse interface. Which of the following
methods will you use?

A.
encodeResponseURL()

B.
encodeRedirectURL()

C.
encodeURL()

D.
encodeURLResponse()

Answer: B
Explanation:

The encodeRedirectURL() method of the HttpServletResponse interface returns a URL with the
session ID encoded into it, for use with the sendRedirect() method. If encoding is not required,
the URL is returned unchanged: if the browser supports cookies, encodeRedirectURL() returns
the input URL unchanged, since the session ID will be persisted as a cookie. This method is
separate from encodeURL() because the rules for deciding whether a redirect URL needs the
session ID can differ from those used for a normal link. The syntax of the encodeRedirectURL()
method is as follows:

public String encodeRedirectURL(String urlstring)

Here, urlstring is the URL to be encoded. Note that URL rewriting places the session ID in the URL,
where it can leak through Referer headers, proxy logs and browser history, so cookie-based session
tracking is preferred wherever the client supports it.

Answer: C is incorrect. The encodeURL() method of the HttpServletResponse interface returns a
URL with the session ID encoded into it, for use in links written into the page. If encoding is not
required, the URL is returned unchanged. If cookies are supported by the browser, the
encodeURL() method returns the input URL unchanged since the session ID will be persisted as a
cookie.

The syntax of the encodeURL() method is as follows:

public String encodeURL(String urlstring)

Here, urlstring is the URL to be encoded.

Answer: A, D are incorrect. HttpServletResponse has no such methods.

QUESTION NO: 255

Which of the following protocols is the mandatory part of the WPA2 standard in the wireless
networking?

A.
CCMP

B.
ARP

C.
WEP

D.
TKIP

Answer: A
Explanation:

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is an
IEEE 802.11i encryption protocol created to replace both TKIP, the mandatory protocol in WPA,
and WEP, the earlier, insecure protocol. CCMP is a mandatory part of the WPA2 standard, an
optional part of the WPA standard, and a required option for Robust Security Network (RSN)
compliant networks. CCMP is also used in the ITU-T home and business networking standard.
CCMP, part of the 802.11i standard, uses the Advanced Encryption Standard (AES) algorithm in
CCM mode. Unlike in TKIP, confidentiality and message integrity are handled by a single
component built around AES with a 128-bit key, a 128-bit block, and 10 rounds per the FIPS 197
standard.

Answer: C is incorrect. Wired Equivalent Privacy (WEP) is a security protocol for wireless local
area networks (WLANs). It has two components, authentication and encryption, and was intended
to provide security equivalent to that of a wired network. WEP encrypts data on a wireless network
with the RC4 stream cipher using a fixed, shared secret key and a short 24-bit IV, and incorporates
a CRC-32 checksum (the ICV) in each frame. Both the IV reuse and the linear checksum are
exploitable, and the key can be recovered from captured traffic, which is why WEP is considered
broken.

Answer: D is incorrect. TKIP (Temporal Key Integrity Protocol) is an encryption protocol defined in
the IEEE 802.11i standard for wireless LANs (WLANs). It is designed to provide more secure
encryption than the notoriously weak Wired Equivalent Privacy (WEP). TKIP is the encryption
method used in Wi-Fi Protected Access (WPA), which replaced WEP in WLAN products. TKIP is a
suite of algorithms to replace WEP without requiring the replacement of legacy WLAN equipment.
TKIP uses the original WEP programming but wraps additional code at the beginning and end to
encapsulate and modify it (per-packet key mixing, a 48-bit IV, and the Michael MIC). Like WEP,
TKIP uses the RC4 stream encryption algorithm as its basis.

Answer: B is incorrect. Address Resolution Protocol (ARP) is a network maintenance protocol of
the TCP/IP protocol suite. It is responsible for the resolution of IP addresses to media access
control (MAC) addresses of a network interface card (NIC). The ARP cache is used to maintain a
correlation between a MAC address and its corresponding IP address. ARP provides the protocol
rules for making this correlation and providing address conversion in both directions. ARP is
limited to physical network systems that support broadcast packets.

QUESTION NO: 256

Every network device contains a unique built in Media Access Control (MAC) address, which is
used to identify the authentic device to limit the network access. Which of the following addresses
is a valid MAC address?

A.
"Pass Any Exam. Any Time." - www.actualtests.com 220
GIAC GSNA Exam
A3-07-B9-E3-BC-F9

B.
F936.28A1.5BCD.DEFA

C.
1011-0011-1010-1110-1100-0001

D.
132.298.1.23

Answer: A
Explanation:

A MAC address is 48 bits long, written as 12 hexadecimal digits. The most common format is six
groups of two hexadecimal digits separated by hyphens (as in option A) or colons; Cisco devices
write the same 12 digits as three groups of four hexadecimal digits separated by dots (for example,
A307.B9E3.BCF9).

Answer: C is incorrect. MAC addresses are not written in binary, and this string is only 24 bits
long in any case.

Answer: D is incorrect. This is dotted-decimal notation, the format of an IPv4 address, not of a
MAC address (and the octet 298 is outside the 0 to 255 range, so it is not even a valid IPv4
address).

Answer: B is incorrect. Four groups of four hexadecimal digits is 64 bits, which is too long for a
48-bit MAC address.
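
As an added example, not part of the original exam material, the following Python function does the same check in code: it accepts the hyphen, colon and Cisco dotted notations, normalises them to one form, and decodes the two administrative bits of the first octet. The accepted notations and the flag decoding are this example's own assumptions about what an auditor reconciling an inventory against switch tables would want.

```python
import re

# Notations accepted by this example (an assumption): six two-digit groups
# separated consistently by '-' or ':', or the Cisco style of three
# four-digit groups separated by '.'. Anything else is rejected.
_PAIRS = re.compile(r"^[0-9A-Fa-f]{2}([-:])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")
_DOTTED = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")


def canonical_mac(text):
    """Return the address as 'aa:bb:cc:dd:ee:ff' (12 hex digits, 48 bits),
    or None when the string is not a MAC address in a recognised notation."""
    s = text.strip()
    if not (_PAIRS.match(s) or _DOTTED.match(s)):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", s).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_flags(mac):
    """Decode the two administrative bits of the first octet of a canonical
    address: bit 0 is the I/G bit (1 = group/multicast address), bit 1 is the
    U/L bit (1 = locally administered, i.e. not a factory-assigned OUI, which
    deserves a second look when reconciling an inventory)."""
    first = int(mac[:2], 16)
    return {
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


if __name__ == "__main__":
    for candidate in ("A3-07-B9-E3-BC-F9", "F936.28A1.5BCD.DEFA",
                      "1011-0011-1010-1110-1100-0001", "132.298.1.23"):
        mac = canonical_mac(candidate)
        print(candidate, "->", mac, mac_flags(mac) if mac else "invalid")
```

Note that option A, the exam's valid address, has the least significant bit of its first octet set, so it is syntactically a MAC address but is a group (multicast) address that could only appear as a destination, never as a device's own address.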

QUESTION NO: 257

In which of the following does a Web site store information such as user preferences to provide
customized services to users?

A.
Protocol

B.
ActiveX control

C.
Cookie

D.
Keyword

Answer: C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 221


GIAC GSNA Exam
A cookie is a small piece of text that a Web server sends to the browser and that the browser
returns with every later request to that site. It contains information that is read by the Web
application whenever the user visits the site. Cookies are stored in the memory (session cookies)
or on the hard disk (persistent cookies) of client computers. A Web site stores information such as
user preferences, settings, or a session identifier in a cookie, and this information is used to
provide customized services to users. A Web server cannot read private information from a user's
computer through cookies; it only gets back what it (or the user, through a form) supplied. The
browser returns a cookie only to the domain and path for which it was set, so a Web server cannot
access cookies created by other Web sites. A cookie that carries a session identifier is itself
sensitive: it should be marked Secure (sent only over HTTPS) and HttpOnly (not readable by script)
so that it cannot be stolen in transit or through cross-site scripting.

Answer: A is incorrect. A protocol is a set of predefined rules that govern how two or more
processes communicate and interact to exchange data. Protocols are considered the building
blocks of network communication. Computer protocols are used by communicating devices and
software services to format data in a way that all participants understand, and they provide the
context in which to interpret communicated information.

Answer: B is incorrect. ActiveX controls are software components that can be integrated into Web
pages and applications, within a computer or among computers in a network, to reuse the
functionality. Reusability of controls reduces development time of applications and improves
program interfaces. They enhance the Web pages with formatting features and animation. ActiveX
controls can be used in applications written in different programming languages that recognize
Microsoft's Component Object Model (COM). These controls always run in a container. ActiveX
controls simplify and automate the authoring tasks, display data, and add functionality to Web
pages.

Answer: D is incorrect. Keywords are important terms used to search Web pages on a particular
topic. For example, if a user enters a keyword "Networking" in a search engine form, all Web
pages containing the term "Networking" will be displayed.

QUESTION NO: 258

Which of the following tools can be used to perform tasks such as Windows password cracking,
Windows enumeration, and VoIP session sniffing?

A.
L0phtcrack

B.
Obiwan

C.
Cain

D.
John the Ripper

Answer: C
"Pass Any Exam. Any Time." - www.actualtests.com 222
GIAC GSNA Exam
Explanation:

Cain is a multipurpose tool that can be used to perform many tasks such as Windows password
cracking, Windows enumeration, and VoIP session sniffing. This password cracking program can
perform the following types of password cracking attacks:

Answer: A is incorrect. L0phtcrack is a tool that identifies and remediates security vulnerabilities
that result from the use of weak or easily guessed passwords. It recovers Windows and Unix
account passwords from their hashes, but it does not do enumeration or VoIP sniffing.

Answer: D is incorrect. John the Ripper is a fast password cracking tool that is available for most
versions of UNIX, Windows, DOS, BeOS, and Open VMS. It also supports Kerberos, AFS, and
Windows NT/2000/XP/2003 LM hashes. John the Ripper requires a user to have a copy of the
password file.

Answer: B is incorrect. Obiwan is a Web password cracking tool that is used to perform brute force
and hybrid attacks. It is effective against HTTP connections for Web servers that allow unlimited
failed login attempts by the user. Obiwan uses wordlists as well as alphanumeric characters as
possible passwords.

QUESTION NO: 259

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to set the hard disk geometry parameters, cylinders, heads, and sectors. Which of the
following Unix commands can you use to accomplish the task?

A.
mke2fs

B.
mkswap

C.
mkfs

D.
hdparm

Answer: D
Explanation:

In Unix (Linux), the hdparm command is used to get or set hard disk parameters, including the drive
geometry: cylinders, heads, and sectors.

Answer: C is incorrect. In Unix, the mkfs command initializes a Unix filesystem. This is a front end
"Pass Any Exam. Any Time." - www.actualtests.com 223
GIAC GSNA Exam
that runs a separate program depending on the filesystem's type.

Answer: A is incorrect. In Unix, the mke2fs command creates a Unix second extended filesystem.

Answer: B is incorrect. In Unix, the mkswap command sets up a Unix swap area on a device or
file.

QUESTION NO: 260

Which of the following statements about URL rewriting are true?

A.
If cookies are supported by the browser, URL rewriting will return the URL unchanged.

B.
The request.encodeRedirectURL() method is used to add a session id info to the URL and send
the request to another URL.

C.
The request.encodeURL() method is used to add a session id info to the URL.

D.
URL rewriting is used in cases where cookies are not supported by the browser.

Answer: A,D
Explanation:

By default, servlet session tracking uses a cookie (JSESSIONID) to associate a session identifier
with a unique user. URL rewriting is the fallback used when the browser does not support (or
refuses) cookies: the container appends the session ID to every URL the application emits, as a
;jsessionid= path parameter. If the browser does support cookies, the encode methods return the
URL unchanged. Answers B and C are incorrect because encodeURL() and encodeRedirectURL() are
methods of HttpServletResponse, not of HttpServletRequest. From a security standpoint, a session
ID carried in the URL is exposed in browser history, proxy and server logs, and the Referer header,
which makes session hijacking and fixation easier; cookies are the preferred transport.
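
To make the cookie versus URL-rewriting relationship concrete, here is an added Python sketch (not code from the exam or from any servlet container) that mimics the three calls involved: getSession(true), encodeURL(), and the Set-Cookie header a hardened deployment sends for the session cookie discussed under question 257. The request dictionary, the example.test host and the in-memory session store are this example's assumptions.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit

SESSION_COOKIE = "JSESSIONID"   # cookie name used by servlet containers
_sessions = {}                   # session id -> attribute dict (in-memory store, an assumption)


def get_or_create_session(request):
    """Mimic HttpServletRequest.getSession(true). The request is a plain dict
    with 'url' and 'cookies' keys (this example's stand-in for the servlet API).
    Look for the id in the session cookie first, then in a ';jsessionid='
    path parameter, and start a fresh session if neither names a live one."""
    sid = request.get("cookies", {}).get(SESSION_COOKIE)
    if sid is None:
        path = urlsplit(request["url"]).path
        if ";jsessionid=" in path:
            sid = path.split(";jsessionid=", 1)[1]
    if sid not in _sessions:           # unknown or stale ids are never adopted
        sid = secrets.token_hex(16)    # 128 random bits, unguessable
        _sessions[sid] = {}
    return sid, _sessions[sid]


def encode_url(request, sid, url):
    """Mimic HttpServletResponse.encodeURL(): append the session id as a path
    parameter only when the client did not send the cookie, otherwise return
    the URL unchanged (the behaviour statement A describes)."""
    if SESSION_COOKIE in request.get("cookies", {}):
        return url
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path + ";jsessionid=" + sid))


def set_cookie_header(sid):
    """Set-Cookie value for the session id: Secure keeps it off plain HTTP,
    HttpOnly keeps it away from script, SameSite limits cross-site replay."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

encode_url returns the URL untouched as soon as the client presents the session cookie, which is exactly statement A. In a real deployment the session id should also be regenerated at login (otherwise an id that an attacker planted in a URL can be fixated on the victim), and the URL fallback should be disabled altogether where all clients accept cookies.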

QUESTION NO: 261

The employees of CCN Inc. require remote access to the company's proxy servers. In order to
provide solid wireless security, the company uses LEAP as the authentication protocol. Which of
the following is supported by the LEAP protocol?

A.
Dynamic key encryption

B.
Public key certificate for server authentication
"Pass Any Exam. Any Time." - www.actualtests.com 224
GIAC GSNA Exam
C.
Strongest security level

D.
Password hash for client authentication

Answer: A,D
Explanation:

LEAP (Cisco's Lightweight EAP) authenticates both the client and the server with a
challenge/response based on the user's password hash (an MS-CHAP-style exchange) and then
derives dynamic, per-session WEP keys, so it supports dynamic key encryption (A) and
password-hash client authentication (D). EAP-TLS, EAP-TTLS, and PEAP also support dynamic key
encryption and mutual authentication.

Answer: C is incorrect. LEAP does not provide the strongest security level; it provides only a
moderate one. The challenge/response can be captured off the air and subjected to an offline
dictionary attack (the asleap tool automates this), so LEAP is only as strong as the users'
passwords, and Cisco introduced EAP-FAST as its replacement.

Answer: B is incorrect. LEAP authenticates the server with the same password-hash
challenge/response, not with a public key certificate.

QUESTION NO: 262

Which of the following statements is true about COLSPAN attribute?

A.
COLSPAN is used to create columns in a table.

B.
COLSPAN is used to divide one column into many columns.

C.
COLSPAN is used to span one column across many rows.

D.
COLSPAN is used to span one column across many columns.

Answer: D
Explanation:

COLSPAN attribute is used to span one column across many columns. COLSPAN is an attribute
of <TD> and <TH> tags that allow a single column in a table to take space that is occupied by
several columns. If the specified COLSPAN value is greater than the number of columns in the
table, then a new column is created at the end of the row.

Reference: MSDN, Contents: COLSPAN

"Pass Any Exam. Any Time." - www.actualtests.com 225


GIAC GSNA Exam
QUESTION NO: 263

You are the project manager of a Web development project. You want to get information about
your competitors by hacking into their computers. You and the project team determine should the
hacking attack not be performed anonymously, you will be traced. Hence, you hire a professional
hacker to work on the project. This is an example of what type of risk response?

A.
Transference

B.
Mitigation

C.
Acceptance

D.
Avoidance

Answer: A
Explanation:

Whenever the risk is transferred to someone else, it is an example of transference risk response.
Transference usually has a fee attached to the service provider that will own the risk event.

QUESTION NO: 264

Which of the following is a type of web site monitoring that is done using web browser emulation or
scripted real web browsers?

A.
Route analytics

B.
Passive monitoring

C.
Network tomography

D.
Synthetic monitoring

Answer: D

"Pass Any Exam. Any Time." - www.actualtests.com 226


GIAC GSNA Exam
Explanation:

Synthetic monitoring is active Web site monitoring that is done using Web browser emulation or
scripted real Web browsers. Behavioral scripts (or paths) are created to simulate an action or path
that a customer or end-user would take on a site. Those paths are then continuously monitored at
specified intervals for availability and response time measures. Synthetic monitoring is valuable
because it enables a Webmaster to identify problems and determine whether the Web site or Web
application is slow or experiencing downtime before the problem affects actual end-users or
customers.

Answer: B is incorrect. Passive monitoring is a technique used to analyze network traffic by
capturing a copy of the traffic from the network, with the help of a SPAN port, mirror port, or
network tap. Once the data (a stream of frames or packets) has been extracted, it can be used in
many ways. Passive monitoring can be very helpful in troubleshooting performance problems once
they have occurred, but because it relies on actual inbound Web traffic to take measurements,
problems can only be discovered after they have occurred.

Answer: A is incorrect. Route analytics is a network monitoring technology specifically developed
to analyze the routing protocols and structures in meshed IP networks. Its main mode of operation
is to passively listen to the Layer 3 routing protocol exchanges between routers for the purposes of
network discovery, mapping, real-time monitoring, and routing diagnostics.

Answer: C is incorrect. Network tomography is an area of network measurement that deals with
monitoring the health of the various links in a network using end-to-end probes sent by agents
located at vantage points in the network or the Internet.

QUESTION NO: 265

Which of the following is the best way to authenticate users on the intranet?

A.
By using Forms authentication.

B.
By using Basic authentication.

C.
By using clear text.

D.
By using NT authentication.

Answer: D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 227


GIAC GSNA Exam
The best way to authenticate users on the intranet is by using NT (Integrated Windows)
authentication. Windows NT authentication works where the client and server computers are located
in the same or trusted domains. It is the preferred method on an intranet because the password is
never transmitted over the network: the client proves knowledge of it through an NTLM
challenge/response exchange or presents a Kerberos ticket, and the credentials are supplied
automatically when the user is already logged on to a domain-joined Windows machine.

Answer: B is incorrect. Basic authentication is used to authenticate users on the Internet and is
supported by practically every browser. The browser prompts the user for a username and password
and transmits them in the HTTP Authorization header, Base64-encoded but not encrypted, so they
are exposed to anyone who can read the traffic unless the connection is protected by TLS.

Answer: A is incorrect. Forms authentication is used in an ASP environment to issue appropriate
Membership server related cookies to a user.

Answer: C is incorrect. Clear text is not an authentication method; it only describes how
credentials are (badly) transported.

QUESTION NO: 266

In a network, a data packet is received by a router for transmitting it to another network. For
forwarding the packet to the other available networks, the router is configured with a static or a
dynamic route. What are the benefits of using a static route?

A.
It is a fault tolerant path.

B.
It reduces load on routers, as no complex routing calculations are required.

C.
It reduces bandwidth usage, as there is no excessive router traffic.

D.
It provides precise control over the routes that packets will take across the network.

Answer: B,C,D
Explanation:

Static routing is a data communication concept that describes a way to configure path selection of
routers in computer networks. This is achieved by manually adding routes to the routing table.
However, when there is a change in the network or a failure occurs between two statically defined
nodes, traffic will not be rerouted.

Static routing is beneficial in many ways:

Precise control over the routes that a packet will take across the network

"Pass Any Exam. Any Time." - www.actualtests.com 228


GIAC GSNA Exam
Reduced load on the routers, as no complex routing calculations are required

Reduced bandwidth use, as there is no excessive router traffic.

Easy to configure in small networks

Answer: A is incorrect. This is a property of a dynamic route. A static route cannot choose the best
path. It can only choose the paths that are manually entered. When there is a change in the
network or a failure occurs between two statically defined nodes, traffic will not be rerouted.

QUESTION NO: 267

John works as a Network Administrator for Perfect Solutions Inc. The company has a Debian
Linux-based network. He is working on the bash shell in which he creates a variable VAR1. After
some calculations, he opens a new ksh shell. Now, he wants to set VAR1 as an environmental
variable so that he can retrieve VAR1 into the ksh shell. Which of the following commands will
John run to accomplish the task?

A.
echo $VAR1

B.
touch VAR1

C.
export VAR1

D.
env -u VAR1

Answer: C
Explanation:

Since John wants VAR1 to be an environment variable, he runs export VAR1 in bash. export marks
the variable for inheritance, so every process that bash starts afterwards, including the new ksh,
receives it in its environment. The export has to happen before the ksh is started; a variable
exported later will not appear in a shell that is already running.

QUESTION NO: 268

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to query an image root device and RAM disk size. Which of the following Unix

"Pass Any Exam. Any Time." - www.actualtests.com 229


GIAC GSNA Exam
commands can you use to accomplish the task?

A.
rdev

B.
rdump

C.
setfdprm

D.
mount

Answer: A
Explanation:

The rdev command is used to query or set an image's root device, RAM disk size, or video mode. If a
user executes rdev with no arguments, it outputs an /etc/mtab line for the current root file
system. The syntax of the rdev command is as follows: rdev [ -Rrvh ] [ -o offset ] [ image [ value
[ offset ] ] ]. Note that rdev is obsolete: it is no longer shipped with util-linux, and on current
systems the boot loader passes the root device to the kernel on its command line (root=) instead.

Answer: B is incorrect. In Unix, the rdump command is used to back up an ext2 filesystem.

Answer: D is incorrect. In Unix, the mount command is used to mount a filesystem.

Answer: C is incorrect. In Unix, the setfdprm command sets floppy drive parameters.

QUESTION NO: 269

Which of the following are the methods of the HttpSession interface? (Choose three.)

A.
setAttribute(String name, Object value)

B.
getAttribute(String name)

C.
getAttributeNames()

D.
getSession(true)

"Pass Any Exam. Any Time." - www.actualtests.com 230


GIAC GSNA Exam
Answer: A,B,C
Explanation:

The HttpSession interface methods are setAttribute(String name, Object value), getAttribute(String
name), and getAttributeNames(). The getAttribute(String name) method of the HttpSession
interface returns the value of the named attribute as an object. It returns a null value if no attribute
with the given name exists.

The setAttribute(String name, Object value) method stores an attribute in the current session. The
setAttribute(String name, Object value) method binds an object value to a session using the String
name. If an object with the same name is already bound, it will be replaced. The
getAttributeNames() method returns an Enumeration containing the names of the attributes
available to the current request. It returns an empty Enumeration if the request has no attributes
available to it.

Answer: D is incorrect. The getSession(true) method is a method of the HttpServletRequest
interface. The getSession(true) method gets the current session associated with the client request.
If the requested session does not exist, the getSession(true) method creates a new session object
explicitly for the request and returns it to the client.

QUESTION NO: 270

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to allow direct access to the filesystems data structure. Which of the following Unix
commands can you use to accomplish the task?

A.
debugfs

B.
dosfsck

C.
du

D.
df

Answer: A
Explanation:

In Unix (Linux), the debugfs command is an interactive ext2/ext3/ext4 filesystem debugger that gives
direct access to the filesystem's on-disk data structures.

Answer: D is incorrect. In Unix, the df command shows the disk free space on one or more
filesystems.
"Pass Any Exam. Any Time." - www.actualtests.com 231
GIAC GSNA Exam
Answer: B is incorrect. In Unix, the dosfsck command checks and repairs MS-Dos filesystems.

Answer: C is incorrect. In Unix, the du command shows how much disk space a directory and all
its files contain.

QUESTION NO: 271

The employees of EWS Inc. require remote access to the company's Web servers. In order to
provide solid wireless security, the company uses EAP-TLS as the authentication protocol. Which
of the following statements are true about EAP-TLS?

A.
It uses password hash for client authentication.

B.
It uses a public key certificate for server authentication.

C.
It is supported by all manufacturers of wireless LAN hardware and software.

D.
It provides a moderate level of security.

Answer: B,C
Explanation:

EAP-TLS authenticates with public key certificates on both sides: the server presents its certificate
to the client, and the client presents its own certificate to the server; no password hash is
involved. It is supported by all manufacturers of wireless LAN hardware and software. The
requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its
authentication strength and illustrates the classic convenience vs. security trade-off.

Answer: D is incorrect. EAP-TLS provides the highest level of security among the common EAP
methods, not a moderate one.

Answer: A is incorrect. EAP-TLS uses a public key certificate, not a password hash, for client
authentication.

QUESTION NO: 272

Which of the following tools combines two programs, and also encrypts the resulting package in
an attempt to foil antivirus programs?

A.
"Pass Any Exam. Any Time." - www.actualtests.com 232
GIAC GSNA Exam
Tiny

B.
NetBus

C.
Trojan Man

D.
EliteWrap

Answer: C
Explanation:

The Trojan Man is a Trojan wrapper that not only combines two programs, but also encrypts the
resulting package in an attempt to foil antivirus programs.

QUESTION NO: 273

What will be the output of the following command? echo $(date %M) > date.txt

A.
The current time (Month) will be written in the date.txt file.

B.
It will create a variable $(date %M).

C.
It will print a string "date %M".

D.
The current time (Minutes) will be written in the date.txt file.

Answer: D
Explanation:

The date command with the %M format specifier prints the current minute. Because the output of the
command substitution is redirected, the minute is written to the date.txt file rather than to the
terminal. Note that a format string given to date must start with a plus sign, so the intended
command is echo $(date +%M) > date.txt. As literally written, GNU date takes %M as a date to set
and fails with "invalid date" on standard error; the substitution then expands to nothing and
date.txt ends up containing only an empty line.

QUESTION NO: 274

"Pass Any Exam. Any Time." - www.actualtests.com 233


GIAC GSNA Exam
You work as a professional Ethical Hacker. You are assigned a project to test the security of
www.we-are-secure.com. You are working on the Windows Server 2003 operating system. You
suspect that your friend has installed the keyghost keylogger onto your computer. Which of the
following countermeasures would you employ in such a situation?

A.
Use commercially available anti-keyloggers such as PrivacyKeyboard.

B.
Use on-screen keyboards and speech-to-text conversion software which can also be useful
against keyloggers, as there are no typing or mouse movements involved.

C.
Remove the SNMP agent or disable the SNMP service.

D.
Monitor the programs running on the server to see whether any new process is running on the
server or not.

Answer: A,B,D
Explanation:

It is very hard to detect a keylogger's activity. Hence, a Network Administrator should take the
following steps as countermeasures against software keyloggers:

Actively monitor the programs running on the server.

Monitor the network whenever an application attempts to make a network connection.

Use commercially available anti-keyloggers, such as PrivacyKeyboard.

Update one's antivirus regularly.

Use on-screen keyboards and speech-to-text conversion software which can also be useful
against keyloggers, as there are no typing or mouse movements involved.

Answer: C is incorrect. The SNMP service has nothing to do with keystroke logging. Removing or
disabling the SNMP agent is a hardening step against SNMP enumeration, not a countermeasure
against a keylogger.

QUESTION NO: 275

Andrew works as a Network Administrator for Infonet Inc. The company has a Windows 2003
domain-based network. The network has five Windows 2003 member servers and 150 Windows
XP Professional client computers. One of the member servers works as an IIS server. The IIS
server is configured to use the IP address 142.100.10.6 for Internet users and the IP address

"Pass Any Exam. Any Time." - www.actualtests.com 234


GIAC GSNA Exam
16.5.7.1 for the local network. Andrew wants the server to allow only Web communication over the
Internet. He also wants to enable the local network users to access the shared folders and other
resources. How will Andrew configure the IIS server to accomplish this? (Choose three.)

A.
Enable the IP packet filter.

B.
Permit all the ports on the network adapter that uses the IP address142.100.10.6.

C.
Permit only port 25 on the network adapter that uses the IP address 142.100.10.6.

D.
Permit all the ports on the network adapter that uses the IP address 16.5.7.1.

E.
Permit only port 80 on the network adapter that uses the IP address 142.100.10.6.

Answer: A,D,E
Explanation:

In order to configure the IIS server to allow only Web communication over the Internet, Andrew will
have to use IP packet filtering to permit only port 80 on the network adapter that uses the IP
address 142.100.10.6 for connecting to the Internet. This is because Web communication uses the
Hypertext Transfer Protocol (HTTP), which uses TCP port 80; if the site is also offered over HTTPS,
TCP port 443 has to be permitted as well. IP packet filtering restricts the IP traffic received by
the network interface by controlling the TCP or UDP ports for incoming data. Furthermore, Andrew
wants to allow local users to access shared folders and all other resources. Therefore, Andrew will
have to permit all the ports on the network adapter that uses the IP address 16.5.7.1 for the local
network.

QUESTION NO: 276

Which of the following internal control components provides the foundation for the other
components and encompasses such factors as management's philosophy and operating style?

A.
Information and communication

B.
Risk assessment

C.
Control activities

"Pass Any Exam. Any Time." - www.actualtests.com 235


GIAC GSNA Exam
D.
Control environment

Answer: D
Explanation:

COSO defines internal control as, "a process, influenced by an entity's board of directors,
management, and other personnel, that is designed to provide reasonable assurance in the
effectiveness and efficiency of operations, reliability of financial reporting, and the compliance of
applicable laws and regulations". The auditor evaluates the organization's control structure by
understanding the organization's five interrelated control components, which are as follows:

1. Control Environment: It provides the foundation for the other components and encompasses
such factors as management's philosophy and operating style.

2. Risk Assessment: It consists of risk identification and analysis.

3. Control Activities: It consists of the policies and procedures that ensure employees carry out
management's directions.

The types of control activities an organization must implement are preventative controls (controls
intended to stop an error from occurring), detective controls (controls intended to detect if an error
has occurred), and mitigating controls (control activities that can mitigate the risks associated with
a key control not operating effectively).

4. Information and Communication: It ensures the organization obtains pertinent information, and
then communicates it throughout the organization.

5. Monitoring: It involves reviewing the output generated by control activities and conducting
special evaluations.

In addition to understanding the organization's control components, the auditor must also evaluate
the organization's General and Application controls. There are three audit risk components:
control risk, detection risk, and inherent risk.

QUESTION NO: 277

John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The
description of the tool is as follows:

It is Linux-based WLAN WEP cracking tool that recovers encryption keys.

It operates by passively monitoring transmissions.

It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the
WEP keys.

"Pass Any Exam. Any Time." - www.actualtests.com 236


GIAC GSNA Exam
Which of the following tools is John using to crack the wireless encryption keys?

A.
Cain

B.
PsPasswd

C.
Kismet

D.
AirSnort

Answer: D
Explanation:

AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort
operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures
approximately 5 to 10 million packets to decrypt the WEP keys.

Answer: C is incorrect. Kismet is an IEEE 802.11 wireless network sniffer and intrusion detection
system; it discovers networks and captures traffic but does not crack WEP keys.

Answer: A is incorrect. Cain is a Windows-based password recovery and sniffing tool, so it does not
match the Linux-based description.

Answer: B is incorrect. PsPasswd is a Sysinternals command-line utility for changing account
passwords on local or remote Windows systems; it does not crack anything.

QUESTION NO: 278

You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP based
switched network. A root bridge has been elected in the switched network. You have installed a
new switch with a lower bridge ID than the existing root bridge. What will happen?

A.
The new switch starts advertising itself as the rootbridge.

B.
The new switch divides the network into two broadcast domains.

C.
The new switch works as DR or BDR.

D.
The new switch blocks all advertisements.

Answer: A

"Pass Any Exam. Any Time." - www.actualtests.com 237


GIAC GSNA Exam
Explanation:

The new switch starts advertising itself as the root bridge. It acts as if it were the only bridge on
the network. It has a lower Bridge ID than the existing root, so it is elected as the root bridge after
the BPDUs converge and all switches learn that the new switch is the better choice. Because any
device that sends BPDUs with a lower bridge ID can take over the root role and pull traffic through
itself, access ports should be protected with BPDU guard and the ports facing the legitimate root
with root guard, so that an unexpected switch (or an attacker's tool) cannot do this silently.

Answer: B, C, D are incorrect. None of these happens in the given scenario; DR and BDR are OSPF
roles, not spanning-tree roles.

QUESTION NO: 279

Which of the following Web attacks is performed by manipulating codes of programming
languages such as SQL, Perl, Java present in the Web pages?

A.
Command injection attack

B.
Code injection attack

C.
Cross-Site Scripting attack

D.
Cross-Site Request Forgery

Answer: B
Explanation:

A code injection attack is possible wherever a scripting or programming language is used in a Web
page. All that the attacker needs is an error or opening, which usually comes in the form of an
input field that is not validated correctly. The injection point does not have to be on the Web page
itself; it can be located in the back end as part of a database query of the Web site. If any part of
the server uses Java, JavaScript, C, SQL, or any other code between the Internet and the data, and
lets untrusted input become part of that code, it is vulnerable to code injection.

Answer: C is incorrect. A cross-site scripting attack is one in which an attacker enters malicious
data into a Web site. For example, the attacker posts a message that contains malicious script to
a newsgroup site. When another user views this message, the browser interprets the script and
executes it in that user's session. Cross-site scripting attacks require the execution of client-side
languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user's Web environment.
With the help of a cross-site scripting attack, the attacker can perform cookie stealing, session
hijacking, etc.

Answer: A is incorrect. A command injection attack is used to inject and execute operating-system
commands specified by the attacker in the vulnerable application. The application, which executes
unwanted system commands, is like a virtual system shell, and the attacker may use it as any
authorized system user. However, commands are executed with the same privileges and
environment as the application has. Command injection attacks are possible in most cases
because of a lack of correct input data validation, which can be manipulated by the attacker.

Answer: D is incorrect. Cross-site request forgery, also known as one-click attack or session
riding, is a type of malicious exploit of a Web site whereby unauthorized commands are transmitted
from a user that the Web site trusts. Unlike cross-site scripting (XSS), which exploits the trust a
user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack
works by including a link or script in a page that accesses a site to which the user is known to
have authenticated.
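
As an added illustration (not code from the exam), the Python below places the vulnerable form beside its hardened form for the two injection points named above: a SQL query built by string formatting versus a parameterised query, and a settings string fed to eval() versus ast.literal_eval(). The in-memory SQLite table, the user names and the payloads are constructed for this example.

```python
import ast
import sqlite3


def demo_db():
    """Constructed in-memory table for the example. Real systems store salted
    password hashes, never clear-text passwords as this toy table does."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "correct-horse", "admin"),
                    ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, name, pw):
    """The query is assembled by string formatting, so whatever the client
    typed becomes part of the SQL statement: the 'opening' an injection needs."""
    sql = "SELECT role FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, name, pw):
    """Parameterised query: the values are bound separately from the SQL text
    and can never alter the statement's structure."""
    row = db.execute("SELECT role FROM users WHERE name = ? AND pw = ?",
                     (name, pw)).fetchone()
    return row[0] if row else None


def eval_setting_vulnerable(text):
    """Code injection in the literal sense: eval() runs whatever Python the
    client sends (a settings literal was expected, arbitrary code is accepted)."""
    return eval(text)


def eval_setting_hardened(text):
    """ast.literal_eval() only builds Python literals (dicts, lists, strings,
    numbers) and raises ValueError for anything that would execute."""
    return ast.literal_eval(text)


def run_demo():
    """Exercise both forms with a normal login and with an injection payload."""
    db = demo_db()
    payload = "alice' --"   # closes the quoted name, comments out the password check
    return {
        "legit_vuln": login_vulnerable(db, "bob", "hunter2"),
        "attack_vuln": login_vulnerable(db, payload, "wrong"),
        "legit_hard": login_hardened(db, "bob", "hunter2"),
        "attack_hard": login_hardened(db, payload, "wrong"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The vulnerable login returns the admin role for a name of alice' -- without any password, because the comment marker removes the rest of the statement; the parameterised version passes the same text purely as data and finds no such user. The eval() pair shows the same pattern one level up: the hardened parser accepts a dictionary literal and rejects a call expression, whereas the vulnerable one would execute it.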

QUESTION NO: 280

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to check the status of the printer and set its state. Which of the following Unix
commands can you use to accomplish the task?

A.
banner

B.
lpq

C.
lpc

D.
lpr

Answer: C
Explanation:

In Unix, the lpc command is used to check the status of the printer and set its state.

Answer: A is incorrect. In Unix, the banner command is used to print a large banner on the printer.

Answer: D is incorrect. In Unix, the lpr command is used to submit a job to the printer.

Answer: B is incorrect. In Unix, the lpq command is used to show the contents of a spool directory
for a given printer.

"Pass Any Exam. Any Time." - www.actualtests.com 239


GIAC GSNA Exam
QUESTION NO: 281

You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-based
network. Rick, your assistant, is configuring some laptops for wireless access. For security, WEP
needs to be configured for wireless communication. By mistake, Rick configures different WEP
keys in a laptop than that is configured on the Wireless Access Point (WAP). Which of the
following statements is true in such situation?

A.
The laptop will be able to access the wireless network but the security will be compromised.

B.
The WAP will allow the connection with the guest account's privileges.

C.
The laptop will be able to access the wireless network but other wireless devices will be unable to
communicate with it.

D.
The laptop will not be able to access the wireless network.

Answer: D
Explanation:

In order to communicate with the WAP, a wireless device needs to be configured with the same WEP
key. With a different key the client's frames decrypt to garbage on the access point and fail the
Integrity Check Value (ICV) comparison, so they are discarded (and with shared-key authentication
the association itself fails); the device will not be able to access or communicate with the
wireless network.
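
To show both WEP failure modes described in this section, the ICV mismatch that occurs when a client uses a different key (this question) and the bit-flipping weakness of the CRC-32 integrity check (the WEP explanation at the start of this section), here is an added, self-contained Python model of WEP framing. It is illustrative code, not the exam's or any vendor's implementation; the 40-bit key, the IV and the message are constructed for the example, and the model omits the 802.11 headers and the shared-key authentication handshake.

```python
import zlib


def rc4(key, length):
    """Textbook RC4: key scheduling (KSA) then `length` keystream bytes (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(data):
    """WEP's integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encap(key, iv, plaintext):
    """Frame body = IV || RC4(IV || key)(plaintext || ICV). The 24-bit IV is
    sent in clear so the receiver can rebuild the per-frame RC4 key."""
    body = plaintext + _icv(plaintext)
    return iv + _xor(body, rc4(iv + key, len(body)))


def wep_decap(key, frame):
    """Decrypt with the receiver's key and verify the ICV.
    Returns the plaintext, or None when the ICV does not match (wrong key,
    or a corrupted frame): this is the drop that question 281 describes."""
    iv, body = frame[:3], frame[3:]
    clear = _xor(body, rc4(iv + key, len(body)))
    data, icv = clear[:-4], clear[-4:]
    return data if _icv(data) == icv else None


def wep_bitflip(frame, delta):
    """Alter a captured frame without knowing the key. CRC-32 is affine:
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of the same length), so the
    encrypted ICV can be patched with the same XOR trick as the payload."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + _xor(body, delta + icv_delta)


def demo():
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    wrong_key = b"\x01\x02\x03\x04\x06"    # the laptop's mistyped key
    iv = b"\x00\x00\x01"
    msg = b"transfer 100 to bob"
    frame = wep_encap(key, iv, msg)
    # Flip only the bits that turn 'bob' into 'eve'; everything else stays as captured.
    delta = bytearray(len(msg))
    at = msg.index(b"bob")
    for k, (old, new) in enumerate(zip(b"bob", b"eve")):
        delta[at + k] = old ^ new
    forged = wep_bitflip(frame, bytes(delta))
    return {
        "right_key": wep_decap(key, frame),
        "wrong_key": wep_decap(wrong_key, frame),
        "forged": wep_decap(key, forged),
    }


if __name__ == "__main__":
    print(demo())
```

With the right key the ICV matches and the message comes back; with a key that differs in one byte the keystream is unrelated, the decrypted bytes are noise, and the ICV comparison fails, so the access point drops the frame. The third result is the part an auditor should remember: because CRC-32 is linear, the forged frame still passes the ICV check even though no key was used to build it, which is why WEP's integrity protection is worthless and CCMP's keyed CBC-MAC was needed.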

QUESTION NO: 282

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to set the user login features on the systems with the shadow passwords. Which of the
following Unix configuration files can you use to accomplish the task?

A.
/etc/logrotate.conf

B.
/etc/login.defs

C.
/etc/magic

D.
"Pass Any Exam. Any Time." - www.actualtests.com 240
GIAC GSNA Exam
/etc/filesystems

Answer: B
Explanation:

In Unix, the /etc/login.defs file is used by system administrators to set the user login features on
the systems with the shadow passwords.

Answer: A is incorrect. In Unix, the /etc/logrotate.conf file configures the logrotate program used
for managing log files.

Answer: C is incorrect. In Unix, the /etc/magic file contains the descriptions of various file formats
for the file command.

Answer: D is incorrect. In Unix, the /etc/filesystems file is used to set the filesystem probe order
when filesystems are mounted with the auto option.

QUESTION NO: 283

You work as a Network Administrator for XYZ CORP. The company has a Windows Server 2008
network environment. The network is configured as a Windows Active Directory-based single
forest single domain network. You have installed a Windows Server 2008 computer as the domain
controller. The client computers of the company use the Windows XP Professional operating
system. When a user logs on to a client computer, it gets authenticated by the domain controller.
You want to audit the logon events that would be generated on the domain controller. Which of the
following audit settings do you need to configure to accomplish the task?

A.
Audit account management

B.
Audit logon events

C.
Audit directory service access

D.
Audit account logon events

Answer: D
Explanation:

'Audit account logon events' is one of the nine audit settings that can be configured on a Windows
computer. It audits the events generated whenever a user logs on to or off from a different
computer, where the computer performing the auditing is the one used to validate the account; for
example, when a user logs on to a Windows XP Professional computer but is authenticated by a
domain controller, the event is generated on the domain controller, because it is the computer
that actually validates the user.

Answer: A is incorrect. Audit account management is one of the nine audit settings that can be
configured on a Windows computer. This option is enabled to audit each event that is related to a
user managing an account in the user database on the computer where the auditing is configured.

These events include the following:

This option is also used to audit the changes to the domain account of the domain controllers.

Answer: C is incorrect. The 'Audit directory service access' option is enabled to capture the events
that are related to the users accessing the Active Directory object which has been configured to
track user access through the System Access Control List (SACL) of the object.

Answer: B is incorrect. The 'Audit logon events' option is enabled to audit each event that is
related to a user logging on to, logging off from, or making a network connection to the computer
configured to audit logon events.

QUESTION NO: 284

Which of the following types of servers are dedicated to providing resources to hosts on the
network? (Choose three.)

A.
Web servers

B.
Monitoring servers

C.
Mail servers

D.
Default gateway servers

E.
Print servers

Answer: A,C,E
Explanation:

The following types of servers are dedicated to providing resources to other hosts on the network:

A default gateway does not provide resources to hosts on the network. A monitoring server is not a
type of server.

QUESTION NO: 285

Mark works as a Network Administrator for We-are-secure Inc. He finds that the We-are-secure
server has been infected with a virus. He presents to the company a report that describes the
symptoms of the virus.

A summary of the report is given below:

This virus has a dual payload, as the first payload of the virus changes the first megabyte of the
hard drive to zero. Due to this, the contents of the partition tables are deleted and the computer
hangs. The second payload replaces the code of the flash BIOS with garbage values. This virus
spreads under the Portable Executable File Format under Windows 95, Windows 98, and
Windows ME.

Which of the following viruses has the symptoms as the one described above?

A.
I Love You

B.
Nimda

C.
Chernobyl

D.
Melissa

Answer: C
Explanation:

The Chernobyl (CIH) virus is a good example of a dual payload virus. Since the first payload of the
virus changes the first megabyte of a computer's hard drive to zero, the contents of the partition
tables are deleted, resulting in the computer hanging. The second payload of CIH replaces the
code of the flash BIOS with garbage values so that the flash BIOS is unable to give a warning, the
end result being that the user is incapable of changing the BIOS settings. CIH spreads under the
Portable Executable file format under Windows 95, Windows 98, and Windows ME.

Answer: A is incorrect. The I LOVE YOU virus is a VBScript virus in which a victim receives an e-mail
titled "I Love You" with an attachment named "Love-Letter-For-You.txt.vbs". When the victim clicks
on this attachment, the virus script infects the victim's computer. The virus first scans the
system's memory for passwords, which are sent back to the virus' creator. Next, the virus replicates
itself and sends a copy to each address in the victim's Outlook address book. Finally, the virus
corrupts files with the extensions .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, and
.mp3 by overwriting them with a copy of itself.

Answer: D is incorrect. The Melissa virus infects Word 97 documents and the NORMAL.DOT file
of Word 97 and Word 2000. This macro virus resides in Word documents containing one macro
named "Melissa". The Melissa virus spreads very fast by using e-mail. When a document infected by
the Melissa virus is opened for the first time, the virus checks whether or not Outlook is installed
on the computer. If it finds Outlook, it sends e-mail to 50 addresses from the Outlook address
book. This virus can spread only by using Outlook. It is also known as W97M/Melissa, Kwyjibo, and
Word97.Melissa.

Answer: B is incorrect. Nimda is a mass mailing virus that spreads itself in attachments named
README.EXE. It affects Windows 95, 98, ME, NT4, and Windows 2000 users. Nimda uses the
Unicode exploit to infect IIS Web servers.

QUESTION NO: 286

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to identify the list of users with special privileges along with the commands that they can
execute. Which of the following Unix configuration files can you use to accomplish the task?

A.
/proc/meminfo

B.
/etc/sysconfig/amd

C.
/proc/modules

D.
/etc/sudoers

Answer: D
Explanation:

In Unix, the /etc/sudoers file contains a list of users with special privileges along with the
commands that they can execute.

Answer: A is incorrect. In Unix, the /proc/meminfo file shows information about the memory usage,
both physical and swap.

Answer: B is incorrect. In Unix, the /etc/sysconfig/amd file is the configuration file that is used to
"Pass Any Exam. Any Time." - www.actualtests.com 244
GIAC GSNA Exam
configure the auto mount daemon.

Answer: C is incorrect. In Unix, the /proc/modules file shows the kernel modules that are currently
loaded.

QUESTION NO: 287

Which of the following statements about the <web-resource-collection> element are true?

A.
It has <web-resource-name> as one of its sub-elements.

B.
If there is no <http-method> sub-element, no HTTP method will be constrained.

C.
It can have at the most one <url-pattern> sub-element.

D.
It is a sub-element of the <security-constraint> element.

Answer: A,D
Explanation:

The <web-resource-collection> element is a sub-element of the <security-constraint> element and
specifies the resources that will be constrained. Each <security-constraint> element should have
one or more <web-resource-collection> sub-elements. The syntax of the <web-resource-collection>
element is as follows:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ResourceName</web-resource-name>
    <http-method>GET</http-method>
    <url-pattern>PatternName</url-pattern>
  </web-resource-collection>
</security-constraint>

The sub-elements of the <web-resource-collection> element are as follows:

<web-resource-name>: This mandatory sub-element is the name of the Web resource collection.

<description>: This is an optional sub-element that specifies a text description of the current
security constraint.

<http-method>: This optional sub-element specifies HTTP methods that are constrained.

<url-pattern>: This sub-element specifies the URL to which the security constraint applies. There
should be at least one url-pattern element; otherwise, the <web-resource-collection> will be
ignored.

Answer: C is incorrect. The <web-resource-collection> element can have any number of
<url-pattern> sub-elements.

Answer: B is incorrect. If there is no <http-method> sub-element, no HTTP methods will be
allowed.
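As an added example that is not part of the exam material or any product's code, the following Python audits the <web-resource-collection> elements of a constructed web.xml against the rules stated above: a collection with no <url-pattern> is ignored by the container, and listing <http-method> values narrows the constraint to exactly those methods. The sample descriptor, its paths and its role names are made up for the demonstration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample web.xml for a hypothetical application: the paths and
# role names are made up for this demonstration.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <url-pattern>*.csv</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Broken</web-resource-name>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


@dataclass
class Collection:
    name: str
    patterns: List[str]
    methods: List[str]          # empty means the constraint covers every HTTP method
    roles: List[str]
    findings: List[str] = field(default_factory=list)


def _strip_namespaces(root):
    """Drop the xmlns prefix so tags can be matched by local name."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_constraints(web_xml_text: str) -> List[Collection]:
    """Collect every <web-resource-collection> together with audit findings."""
    root = _strip_namespaces(ET.fromstring(web_xml_text))
    results = []
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name") if r.text]
        for wrc in sc.findall("web-resource-collection"):
            name_el = wrc.find("web-resource-name")
            col = Collection(
                name=(name_el.text or "").strip() if name_el is not None else "",
                patterns=[p.text.strip() for p in wrc.findall("url-pattern") if p.text],
                methods=[m.text.strip().upper() for m in wrc.findall("http-method") if m.text],
                roles=roles,
            )
            if not col.name:
                col.findings.append("missing mandatory <web-resource-name>")
            if not col.patterns:
                col.findings.append("no <url-pattern>: the container ignores this collection")
            if col.methods:
                col.findings.append("only %s constrained; other methods fall outside the constraint"
                                    % ",".join(col.methods))
            results.append(col)
    return results


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern match: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def constraint_for(collections: List[Collection], path: str, method: str) -> Optional[Collection]:
    """Return the first usable collection that constrains (path, method), or None."""
    for col in collections:
        if not col.patterns:
            continue                      # ignored by the container, as noted above
        if any(pattern_matches(p, path) for p in col.patterns):
            if not col.methods or method.upper() in col.methods:
                return col
    return None


if __name__ == "__main__":
    for col in audit_constraints(SAMPLE_WEB_XML):
        print(col.name, col.patterns, col.methods or "ALL", col.roles, col.findings)
```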

QUESTION NO: 288

Which of the following processes are involved under the COBIT framework?

A.
Managing the IT workforce.

B.
Correcting all risk issues.

C.
Conducting IT risk assessments.

D.
Developing a strategic plan.

Answer: A,C,D
Explanation:

The Control Objectives for Information and related Technology (COBIT) is a set of best practices
(framework) for information technology (IT) management, which provides managers, auditors, and
IT users with a set of generally accepted measures, indicators, processes and best practices to
assist them in maximizing the benefits derived through the use of information technology and
developing appropriate IT governance and control in a company. It has the following 11
processes:

Answer: B is incorrect. Correcting all risk issues does not come under auditing processes.

QUESTION NO: 289

Which of the following commands can be used to convert all lowercase letters of a text file to
uppercase?

A.
tac

B.
"Pass Any Exam. Any Time." - www.actualtests.com 246
GIAC GSNA Exam
tr

C.
cat

D.
less

Answer: B
Explanation:

You can use the tr command to convert all lowercase letters of a text file to uppercase. The tr
command translates, squeezes, and/or deletes characters from standard input, writing to standard
output. To change all lowercase letters to uppercase, you use the tr [a-z] [A-Z] command. The other
commands listed cannot translate text from one form to another.

QUESTION NO: 290

You work as the Network Administrator for XYZ CORP. The company has a Linux-based network.
You are a root user on the Red Hat operating system. You want to see the first five lines of the file
/etc/passwd. Which of the following commands should you use to accomplish the task?

A.
head -n 5 /etc/passwd

B.
head 5 -n /etc/passwd

C.
tail -n 5 /etc/passwd

D.
head /etc/passwd

Answer: A
Explanation:

The head -n 5 /etc/passwd command will show the first 5 lines of the file /etc/passwd.

"Pass Any Exam. Any Time." - www.actualtests.com 247


GIAC GSNA Exam
QUESTION NO: 291

In an IT organization, some specific tasks require additional detailed controls to ensure that the
workers perform their job correctly. What do these detailed controls specify? (Choose three.)

A.
How the department handles acquisitions, security, delivery, implementation, and support of IS
services

B.
How to lock a user account after unsuccessful logon attempts

C.
How output data is verified before being accepted into an application

D.
The way system security parameters are set

Answer: A,B,D
Explanation:

Some of the specific tasks require additional detailed controls to ensure that the workers perform
their job correctly. These controls refer to some specific tasks or steps to be performed such as:

Answer: C is incorrect. Input data should be verified before being accepted into an application.

QUESTION NO: 292

You are tasked with creating an ACL to apply to Fa0/0 based on the following requirements:

The ACL must be protocol specific.

All traffic from host 10.10.45.2 and subnet 10.10.1.32/27 must be denied access through the
router.

Telnet and SSH must be denied for ALL hosts except the management host with the IP address of
10.10.0.100.

This management host must not only have Telnet and SSH access, but access to any port in the
TCP and UDP suite to any destination.

HTTP, HTTPS, and DNS requests must be allowed for all hosts on subnets 10.10.2.0/24 and
10.10.3.0/24 to any destination.

All remaining traffic must be denied.

"Pass Any Exam. Any Time." - www.actualtests.com 248


GIAC GSNA Exam
Cisco IOS applies an implied deny all at the end of an ACL.

However, you must provide this configuration manually so that engineers can see hit counts on the
deny all traffic when running the show ip access-lists command. Which of the following sets of
commands will you choose to complete the configuration on Router A?

A.
RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 110 permit tcp host 10.10.0.100 any
RouterA(config)#access-list 110 permit udp host 10.10.0.100 any
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 110 deny ip any any
RouterA(config)#interface fa0/0
RouterA(config-if)#ip access-group 110 out

B.
RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 110 permit ip host 10.10.0.100 any
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 110 deny ip any any
RouterA(config)#interface fa0/0
RouterA(config-if)#ip access-group 110 in

C.
RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 110 permit tcp host 10.10.0.100 any
RouterA(config)#access-list 110 permit udp host 10.10.0.100 any
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 110 deny ip any any
RouterA(config)#interface fa0/0
RouterA(config-if)#ip access-group 110 in

D.
RouterA(config)#access-list 99 deny ip host 10.10.45.2 any
RouterA(config)#access-list 99 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 99 permit tcp host 10.10.0.100 any
RouterA(config)#access-list 99 permit udp host 10.10.0.100 any
RouterA(config)#access-list 99 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 99 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 99 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 99 deny ip any any
RouterA(config)#interface fa0/0
RouterA(config-if)#ip access-group 99 in

Answer: C
Explanation:

This ACL is an extended ACL. It meets the traffic requirements and is applied to Fa0/0 in the
appropriate direction of in, which matches traffic going into the interface. In addition, this ACL
meets the needs for subnets 10.10.2.0/24 and 10.10.3.0/24 by applying the subnet and wildcard
mask of 10.10.2.0 0.0.1.255 for the lines that apply http, https, and dns. These subnets are
covered by the wildcard mask 0.0.1.255. This wildcard mask is applied to a range of hosts from
10.10.2.0 through 10.10.3.255 which covers both of the subnets required. This is handy since both
subnets are next to each other in their network numbers. Note: If the network numbers were not
next to each other, for example 10.10.2.0/24 and 10.10.20.0/24, then the wildcard mask of
0.0.1.255 would be incorrect. A wildcard mask of 0.0.0.255 would be required. The configuration of
the ACL would then be applied using the following commands (only the relevant commands are
shown):

RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.0.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.0.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.0.255 any eq 53
RouterA(config)#access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.20.0 0.0.0.255 any eq 53
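As an added example that is not part of the exam material, the following Python re-implements first-match evaluation for the subset of extended-ACL syntax used in answer C, so the wildcard-mask reasoning above can be checked: 10.10.2.0 with 0.0.1.255 covers 10.10.2.0 through 10.10.3.255 but not 10.10.20.0/24, and the explicit deny entry accumulates hits the way the explanation describes. The destination addresses in the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The answer-C access-list commands from the question, exactly as an engineer
# would paste them from the router; parse_acl() strips the prompts.
ANSWER_C = """
RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
RouterA(config)#access-list 110 permit tcp host 10.10.0.100 any
RouterA(config)#access-list 110 permit udp host 10.10.0.100 any
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
RouterA(config)#access-list 110 deny ip any any
"""


@dataclass
class Match:
    network: int        # IPv4 address as an integer
    wildcard: int       # wildcard mask: a 0 bit must match, a 1 bit is "don't care"

    @classmethod
    def from_strings(cls, network: str, wildcard: str) -> "Match":
        return cls(int(ipaddress.IPv4Address(network)), int(ipaddress.IPv4Address(wildcard)))

    def covers(self, addr: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(addr)) & care) == (self.network & care)


@dataclass
class Ace:
    text: str
    action: str         # permit | deny
    proto: str          # ip | tcp | udp
    src: Match
    dst: Match
    dport: Optional[int]
    hits: int = 0


def _parse_match(tokens: List[str]) -> Match:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return Match(0, 0xFFFFFFFF)
    if tok == "host":
        return Match.from_strings(tokens.pop(0), "0.0.0.0")
    return Match.from_strings(tok, tokens.pop(0))


def parse_acl(config: str) -> List[Ace]:
    """Parse the subset of extended-ACL syntax used in the question, preserving order."""
    aces = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[-1].strip()      # drop a RouterA(config)# prompt
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _parse_match(rest), _parse_match(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(line, action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins and gets a hit; anything unmatched falls to the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (ace.src.covers(src) and ace.dst.covers(dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action
    return "deny"


def hit_counts(aces: List[Ace]) -> List[Tuple[str, int]]:
    """Per-entry hit counts, like the matches shown by 'show ip access-lists'."""
    return [(ace.text, ace.hits) for ace in aces]


if __name__ == "__main__":
    acl = parse_acl(ANSWER_C)
    print(evaluate(acl, "tcp", "10.10.3.7", "198.51.100.10", 443))   # permit
    print(evaluate(acl, "tcp", "10.10.20.5", "198.51.100.10", 80))   # deny
    for text, hits in hit_counts(acl):
        print(hits, text)
```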

QUESTION NO: 293

Which of the following statements about system hardening are true? (Choose two.)

A.
It is used for securing the computer hardware.

B.
It can be achieved by installing service packs and security updates on a regular basis.

C.
It can be achieved by locking the computer room.

D.
It is used for securing an operating system.

Answer: B,D
Explanation:

System hardening is a term used for securing an operating system. It can be achieved by installing
the latest service packs, removing unused protocols and services, and limiting the number of
users with administrative privileges.

QUESTION NO: 294

Which of the following are known as safety critical software?

"Pass Any Exam. Any Time." - www.actualtests.com 250


GIAC GSNA Exam
A.
Software that is used to apply a critical decision-making process

B.
Software that manages safety critical data including display of safety critical information

C.
Software that intervenes when a safe condition is present or is about to happen

D.
Software that is used to create safety critical functions

Answer: A,B
Explanation:

The following types of software are safety critical software:

Answer: D is incorrect. Software that is used to manage or monitor safety critical functions is
known as safety critical software.

Answer: C is incorrect. Software that intervenes when an unsafe condition is present or is about to
happen is known as safety critical software.

QUESTION NO: 295

Which of the following wireless security standards supported by Windows Vista provides the
highest level of security?

A.
WPA-EAP

B.
WEP

C.
WPA-PSK

D.
WPA2

Answer: D
Explanation:

WPA2 is an updated version of WPA. This standard is also known as IEEE 802.11i. WPA2 offers
enhanced protection to wireless networks compared with the WPA and WEP standards. It is also
available as WPA2-PSK and WPA2-EAP for home and enterprise environments respectively.

Answer: B is incorrect. than WEP (Wired Equivalent Protection). Windows Vista supports both
WPA-PSK and WPA-EAP. Each of these is described as follows:

QUESTION NO: 296

The Security Auditor's Research Assistant (SARA) is a third generation network security analysis
tool. Which of the following statements are true about SARA? (Choose two.)

A.
It operates under Unix, Linux, MAC OS/X, or Windows (through coLinux) OS.

B.
It cannot be used to perform exhaustive XSS tests.

C.
It cannot be used to perform SQL injection tests.

D.
It supports plug-in facility for third party apps.

Answer: A,D
Explanation:

The Security Auditor's Research Assistant (SARA) is a third generation network security analysis
tool. It has the following functions:

Answer: C is incorrect. SARA can be used to perform SQL injection tests.

Answer: B is incorrect. SARA can be used to perform exhaustive XSS tests.

QUESTION NO: 297


"Pass Any Exam. Any Time." - www.actualtests.com 252
GIAC GSNA Exam
You work as a Desktop Support Technician for XYZ CORP. The company uses a Windows-based
network comprising 50 Windows XP Professional computers. You want to include the Safe Mode
with Command Prompt feature into the boot.ini file of a Windows XP Professional computer.

Which of the following switches will you use?

A.
/safeboot:network /sos /bootlog /noguiboot

B.
/safeboot:minimal /sos /bootlog /noguiboot

C.
/safeboot:minimal(alternateshell) /sos /bootlog /noguiboot

D.
/safeboot:dsrepair /sos

Answer: C
Explanation:

Safe-mode boot switches are used in Windows operating systems to invoke the safe-mode boot
feature. To use this feature, the user presses F8 during boot. These modes are also available as
switches in the Boot.ini file, so users can automate the boot process with them.

QUESTION NO: 298

Which of the following Web authentication techniques uses a single sign-on scheme?

A.
NTLM authentication

B.
Digest authentication

C.
Microsoft Passport authentication

D.
Basic authentication

Answer: C

"Pass Any Exam. Any Time." - www.actualtests.com 253


GIAC GSNA Exam
Explanation:

Microsoft Passport authentication is based on single sign-on authentication in which a user needs
to remember only one username and password to be authenticated for multiple services. The
Passport is a suite of services for authenticating users across a number of applications. The
Passport single sign-on service is an authentication service allowing users to create a single set of
credentials that will enable them to sign in to any participating site that supports the Passport
service. It enables the use of one set of credentials to access any Passport-enabled site such as
MSN, Hotmail, and MSN Messenger.

QUESTION NO: 299

Which of the following features of a switch helps to protect the network from MAC flooding and MAC
spoofing?

A.
Multi-Authentication

B.
Port security

C.
MAC Authentication Bypass

D.
Quality of Service (QoS)

Answer: B
Explanation:

If a switch has the ability to enable port security, this will help to protect the network from both
MAC flooding and MAC spoofing attacks.

Answer: D is incorrect. The Quality of Service (QoS) feature is useful for prioritizing VoIP traffic.
Switches offer the ability to assign a device a Quality of Service (QoS) value or a rate-limiting
value based on the RADIUS response.

Answer: A is incorrect. The Multi-Authentication feature is used to allow multiple devices to use a
single port.

Answer: C is incorrect. The MAC Authentication Bypass feature is used to allow the RADIUS server to
specify the default VLAN/ACL for every device that does not authenticate by 802.1X.

"Pass Any Exam. Any Time." - www.actualtests.com 254


GIAC GSNA Exam

QUESTION NO: 300

You work as a Security Manager for Qualoxizz Inc. Your company has a number of network
switches in the site network infrastructure. Which of the following actions will you perform to
ensure the security of the switches in your company?

A.
Open up all the unused management ports.

B.
Set similar passwords for each management port.

C.
Set long session timeouts.

D.
Ignore usage of the default account settings.

Answer: D
Explanation:

A switch with a management port using a default user account permits an attacker to intrude
inside by making connections using one or more of the well-known default user accounts (e.g.,
administrator, root, security). Therefore, the default account settings should not be used.

Answer: A is incorrect. The unused management ports on a switch should always be blocked to
prevent port scanning attacks from the attackers.

Answer: B is incorrect. Setting similar passwords on all management ports increases the
vulnerability of password cracking. The matching passwords on all ports can be used by the
attacker to break into all ports once the password of one of the ports is known.

Answer: C is incorrect. Short timeout sessions should always be set to reduce the session period.
If the connections to a management port on a switch do not have a timeout period set or have a
large timeout period (greater than 9 minutes), then the connections will be more available for an
attacker to hijack them.

Topic 4, Volume D

QUESTION NO: 301

"Pass Any Exam. Any Time." - www.actualtests.com 255


GIAC GSNA Exam
You work as an Exchange Administrator for XYZ CORP. The network design of the company is
given below:

Employees are required to use Microsoft Outlook Web Access to access their emails remotely.
You are required to accomplish the following goals:

Ensure fault tolerance amongst the servers.

Ensure the highest level of security and encryption for the Outlook Web Access clients.

What will you do to accomplish these goals?

A.
Install one front-end Exchange 2000 server and continue to run Microsoft Outlook Web Access on
the existing server. Place the new server on the perimeter network. Configure unique URLs for
each server. Configure Certificate Services. Create a rule on the firewall to direct port 443 to the
servers.

B.
Install two front-end Exchange 2000 servers. Place the new servers on the internal network and
configure load balancing between them. Configure Certificate Services. Create a rule on the
firewall to redirect port 443 to the servers.

C.
Install two front-end Exchange 2000 servers. Place the new servers on the perimeter network and
configure load balancing between them. Configure Certificate Services. Create a rule on the
firewall to redirect port 443 to the servers.

D.
Install two Exchange 2000 servers. Place the new servers on the perimeter network. Configure
unique URLs for each server. Configure Certificate Services. Create a rule on the firewall to direct
port 443 to the servers.

Answer: C

"Pass Any Exam. Any Time." - www.actualtests.com 256


GIAC GSNA Exam
Explanation:

To ensure fault tolerance among the servers and to get the highest possible level of security and
encryption for OWA clients, you must install two front-end Exchange 2000 servers. Place the new
servers on the perimeter network and configure load balancing between them. To enhance
security, you should also configure Certificate Services and create a rule on the firewall to redirect
port 443 to the servers. The most secure firewall configuration is placing a firewall on either side of
the front-end servers. This isolates the front-end servers in a perimeter network, commonly
referred to as a demilitarized zone (DMZ). It is always better to configure more than one front-end
server to get fault tolerance.

QUESTION NO: 302

Which of the following is an Internet mapping technique that relies on various BGP collectors that
collect information such as routing updates and tables and provide this information publicly?

A.
Path MTU discovery (PMTUD)

B.
AS Route Inference

C.
AS PATH Inference

D.
Firewalking

Answer: C
Explanation:

AS PATH Inference is one of the prominent techniques used for creating Internet maps. This
technique relies on various BGP collectors that collect information such as routing updates and
tables and provide this information publicly. Each BGP entry contains a Path Vector attribute
called the AS Path. This path represents an autonomous system forwarding path from a given
origin for a given set of prefixes. These paths can be used to infer AS-level connectivity and in turn
be used to build AS topology graphs. However, these paths do not necessarily reflect how data is
actually forwarded. Adjacencies between AS nodes only represent a policy relationship between
them. A single AS link can in reality be several router links. It is also much harder to infer peering
between two AS nodes, as these peering relationships are only propagated to an ISP's customer
networks. Nevertheless, support for this type of mapping is increasing as more and more ISPs
offer to peer with public route collectors such as Route-Views and RIPE. New toolsets are
emerging, such as Cyclops and NetViews, that take advantage of a new experimental BGP
collector, BGPMon. NetViews can not only build topology maps in seconds but also visualize
topology changes moments after they occur at the actual router. Hence, routing dynamics can be
visualized in real time.

Answer: B is incorrect. There is no such Internet mapping technique.

Answer: D is incorrect. Firewalking is a technique for gathering information about a remote
network protected by a firewall. This technique can be used effectively to perform information
gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set
to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the
packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in
transit" message to the attacker. If the firewall does not allow the traffic, there should be no
response, or an ICMP "administratively prohibited" message should be returned to the attacker. A
malicious attacker can use firewalking to determine the types of ports/protocols that can bypass
the firewall. To use firewalking, the attacker needs the IP address of the last known gateway
before the firewall and the IP address of a host located behind the firewall. The main drawback of
this technique is that if an administrator blocks ICMP packets from leaving the network, it is
ineffective.

Answer: A is incorrect. Path MTU discovery (PMTUD) is a technique in computer networking for
determining the maximum transmission unit (MTU) size on the network path between two Internet
Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. Path MTU discovery works
by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets. Then, any
device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP
"Fragmentation Needed" (Type 3, Code 4) message containing its MTU, allowing the source host
to reduce its path MTU appropriately. The process repeats until the MTU is small enough to
traverse the entire path without fragmentation. If the path MTU changes after the connection is set
up and is lower than the previously determined path MTU, the first large packet will cause an
ICMP error and the new, lower path MTU will be found. Conversely, if PMTUD finds that the path
allows a larger MTU than what is possible on the lower link, the OS will periodically reprobe to see
if the path has changed and now allows larger packets. On Linux this timer is set by default to ten
minutes.

QUESTION NO: 303

John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He wants to perform a stealth scan to discover open ports
and applications running on the We-are-secure server. For this purpose, he wants to initiate
scanning with the IP address of any third party.

Which of the following scanning techniques will John use to accomplish his task?

A.
UDP

"Pass Any Exam. Any Time." - www.actualtests.com 258


GIAC GSNA Exam
B.
RPC

C.
IDLE

D.
TCP SYN/ACK

Answer: C
Explanation:

The IDLE scan is initiated with the IP address of a third party. Hence, it becomes a stealth scan.
Since the IDLE scan uses the IP address of a third party, it becomes quite impossible to detect the
hacker.

Answer: B is incorrect. The RPC (Remote Procedure Call) scan is used to find the RPC
applications. After getting the RPC application port with the help of another port scanner, RPC port
scanner sends a null RPC packet to all the RPC service ports, which are open into the target
system.

Answer: A is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target
system. If the remote port is closed, the server replies that the remote port is unreachable. If the
remote port is open, no such error is generated. Many firewalls block TCP port scanning; in that
case UDP port scanning may be useful. Certain IDSs and firewalls can detect UDP port scanning
easily.

Answer: D is incorrect. TCP SYN scanning is also known as half-open scanning because in this a
full TCP connection is never opened. The steps of TCP SYN scanning are as follows:

1.The attacker sends SYN packet to the target port.

2. If the port is open, the attacker receives SYN/ACK message.

3. Now the attacker breaks the connection by sending an RST packet.

4. If the RST packet is received, it indicates that the port is closed. This type of scanning is hard to
trace because the attacker never establishes a full 3-way handshake connection and most sites do
not create a log of incomplete TCP connections.
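Added example, not part of the original exam material: a simulation of the idle scan exchange described above. Nothing is sent on the wire; the Zombie and Target classes are stand-ins that model only the IP ID counter and the SYN/ACK-versus-RST behaviour the technique relies on, and the port sets are constructed. It shows the three-step probe and why an IP ID increment of 2 means open while 1 means closed or filtered (which the idle scan cannot tell apart), and what a non-idle zombie does to the result.

```python
"""Idle (zombie) scan, simulated end to end. Added illustration; no packets are sent."""


class Zombie:
    """Idle host whose IP ID counter goes up by one for every packet it sends."""

    def __init__(self, start_ipid=1000):
        self.ipid = start_ipid

    def _send(self):
        self.ipid += 1
        return self.ipid

    def on_syn_ack(self):
        # An unsolicited SYN/ACK is answered with an RST: one packet sent, IP ID +1.
        return self._send()

    def on_rst(self):
        # An unsolicited RST is silently dropped: nothing sent, IP ID unchanged.
        return None

    def probe(self):
        # The attacker sends the zombie a SYN/ACK; the RST reply carries the current IP ID.
        return self._send()


class Target:
    """Scan target: SYN to an open port gets SYN/ACK, to a closed port gets RST,
    to a filtered port gets nothing (constructed port sets)."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def on_syn(self, port, reply_to):
        if port in self.filtered_ports:
            return None                    # firewall drops it; the zombie sees nothing
        if port in self.open_ports:
            return reply_to.on_syn_ack()   # SYN/ACK goes to the spoofed source, the zombie
        return reply_to.on_rst()


def idle_scan(zombie, target, port):
    """Classify one port as 'open', 'closed|filtered' or 'indeterminate'."""
    before = zombie.probe()                 # step 1: learn the zombie's current IP ID
    target.on_syn(port, reply_to=zombie)    # step 2: spoofed SYN with the zombie's address
    after = zombie.probe()                  # step 3: probe the zombie again
    delta = after - before
    if delta == 2:
        return "open"                       # zombie sent an RST to the target (+1) and to us (+1)
    if delta == 1:
        return "closed|filtered"            # zombie only answered our own probe
    return "indeterminate"                  # zombie was not idle: other traffic used its IP IDs


def scan_ports(zombie, target, ports):
    return {p: idle_scan(zombie, target, p) for p in ports}


if __name__ == "__main__":
    t = Target(open_ports={22, 80}, filtered_ports={25})
    print(scan_ports(Zombie(), t, [22, 25, 80, 443]))
```

A real zombie must be chosen for a predictable IP ID sequence and genuine idleness; a busy host produces the "indeterminate" case above, which is why nmap checks a candidate zombie's IP ID behaviour before using it.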

QUESTION NO: 304

You work as a Database Administrator for XYZ CORP. The company has a multi-platform
network. The company requires fast processing of the data in the database of the company so that
answers to queries can be generated quickly. To provide fast processing, you have a conceptual
idea of representing the dimensions of data available to a user in the data cube format.

Which of the following systems can you use to implement your idea?

A.
SYSDBA

B.
MDDBMS

C.
Federated database system

D.
Hierarchical database system

Answer: B
Explanation:

A multidimensional database management system (MDDBMS) is designed to process the data in the
database rapidly so that answers to queries can be generated quickly. A number of vendors provide
products that use multidimensional databases. The approach behind this system is to decide how
data should be stored in the database and, depending on that storage, how the user interface
should vary. Conceptually, an MDDBMS uses the idea of a data cube to represent the dimensions of
data available to a user. For example, "sales" could be viewed in the dimensions of product model,
geography, time, or some additional dimension. In this case, "sales" is known as the measure
attribute of the data cube and the other dimensions are seen as feature attributes. Additionally,
a database creator can define hierarchies and levels within a dimension (for example, state and
city levels within a regional hierarchy).

Answer: C is incorrect. A federated database system is a type of meta-database management
system (DBMS) that transparently integrates multiple autonomous database systems into a single
federated database. The constituent databases are interconnected via a computer network, and
may be geographically decentralized. Since the constituent database systems remain
autonomous, a federated database system is a contrastable alternative to the (sometimes
daunting) task of merging together several disparate databases. A federated database (or virtual
database) is the fully-integrated, logical composite of all constituent databases in a federated
database system.

Answer: A is incorrect. SYSDBA is an Oracle system privilege, not a database system. It allows a
user to perform basic database administrative tasks, such as creating a database, altering a
database, starting up and shutting down an Oracle instance, performing time-based recovery, etc.
The SYSDBA privilege contains all system privileges with the ADMIN OPTION, and it also contains
the SYSOPER system privilege. Granting the SYSDBA system privilege to a user automatically adds
that user to the password file that is used to authenticate administrative users. Therefore, a
user possessing the SYSDBA system privilege can connect to a database by using the password file
authentication method.

Answer: D is incorrect. A hierarchical database is a database management system that
implements the hierarchical data model. A hierarchical database system organizes data in a family
tree structure such that each record has only one owner and the hierarchy is in a parent and child
data segment. This implies that the record can have repeated information in a child segment. The
best-known hierarchical DBMS is IBM's IMS.

QUESTION NO: 305

The routing algorithm uses certain variables to create a metric of a path. It is the metric that
actually determines the routing path. In a metric, which of the following variables is used to define
the 'largest size' of a message that can be routed?

A.
Load

B.
MTU

C.
Hop count

D.
Bandwidth

Answer: B
Explanation:

The routing algorithm uses certain variables to create a metric of a path, and it is the metric
that is actually used for path determination. Of the variables listed, the MTU (maximum
transmission unit) is the one that defines the largest size of a message that can be routed over
the path; hop count, bandwidth, and load describe the length, capacity, and current utilization of
the path rather than its maximum message size.

QUESTION NO: 306

You are concerned about war driving bringing hackers attention to your wireless network. What is
the most basic step you can take to mitigate this risk?

A.
Implement WPA

B.
Implement WEP
C.
Don't broadcast SSID

D.
Implement MAC filtering

Answer: C
Explanation:

By not broadcasting your SSID, simple war-driving tools that only list networks seen in beacon
frames won't show your network. Be aware, however, that hiding the SSID is obscurity rather than
security: clients still send the SSID in probe requests and association frames, so a passive
wireless sniffer will still detect a network that is not broadcasting its SSID. Treat it as a first
step only and combine it with strong encryption.

Answer: D is incorrect. While MAC filtering may help prevent a hacker from accessing your
network, it won't keep him or her from finding your network.

QUESTION NO: 307

John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He has successfully completed the following pre-attack
phases while testing the security of the server:

Footprinting

Scanning

Now he wants to conduct the enumeration phase.

Which of the following tools can John use to conduct it?

A.
PsPasswd

B.
WinSSLMiM

C.
PsFile

D.
UserInfo

Answer: A,C,D
Explanation:

John can use the UserInfo, PsFile, and PsPasswd tools in the enumeration phase. UserInfo is a
utility that retrieves all available information about any known user from a Windows 2000/NT
system over a NetBIOS session (TCP port 139). UserInfo returns mainly the following information:

SID and primary group

Special groups

Logon restrictions and smart card requirements

Password expiration

Note: UserInfo works over a NULL session even if the RestrictAnonymous value under the LSA
registry key is set to 1 to specifically deny anonymous enumeration.

PsFile is a command-line utility that shows a list of files on a system that are opened remotely.
It also allows a user to close opened files either by name or by a file identifier. The command
syntax for PsFile is as follows:

psfile [\\RemoteComputer [-u Username [-p Password]]] [Id | path] [-c]

-u specifies the optional user name for logging in to a remote computer.

-p specifies a password for the user name. If this is omitted, the user is prompted to enter the
password without it being echoed to the screen.

Id is the identifier of the file about which the user wants to display information.

-c closes the files identified by the ID or path.

PsPasswd is a tool that helps network administrators change an account password on the local or a
remote system. The command syntax of PsPasswd is as follows:

pspasswd [\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]

QUESTION NO: 308

In which of the following techniques does an attacker take network traffic coming towards a host at
one port and forward it from that host to another host?

A.
Snooping
B.
UDP port scanning

C.
Firewalking

D.
Portredirection

Answer: D
Explanation:

Port redirection is a technique by which an attacker takes network traffic coming towards a host at
one port and redirects it from that host to another host. Tools such as Fpipe and Datapipe are port
redirection tools that accept connections on any specified port and resend them to other specified
ports on specified hosts; an attacker typically runs one on a compromised host to reach internal
systems through a port the firewall allows. For example, the following command establishes a
listener on port 25 on the test system and redirects each connection to port 80 on the target
system, using 25 as the source port of the outbound connection:

C:\>fpipe -l 25 -s 25 -r 80 IP_address

Answer: C is incorrect. Firewalking is a technique for gathering information about a remote
network protected by a firewall. This technique can be used effectively to perform information
gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set
to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the
packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in
transit" message to the attacker. If the firewall does not allow the traffic, there should be no
response, or an ICMP "administratively prohibited" message should be returned to the attacker.
A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass
the firewall. To use firewalking, the attacker needs the IP address of the last known gateway
before the firewall and the IP address of a host located behind the firewall. The main drawback of
this technique is that if an administrator blocks ICMP packets from leaving the network, it is
ineffective.

Answer: A is incorrect. Snooping is an activity of observing the content that appears on a
computer monitor or watching what a user is typing. Snooping also occurs by using software
programs to remotely monitor activity on a computer or network device. Hackers or attackers use
snooping techniques and equipment such as keyloggers to monitor keystrokes, capture
passwords and login information, and to intercept e-mail and other private communications.
Sometimes, organizations also snoop their employees legitimately to monitor their use of
organizations' computers and track Internet usage.

Answer: B is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target
system. If the remote port is closed, the server replies that the remote port is unreachable. If the
remote Port is open, no such error is generated. Many firewalls block the TCP port scanning, at
that time the UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port
scanning easily.
QUESTION NO: 309

You are the Security Consultant and have been hired to check security for a client's network. Your
client has stated that he has many concerns but the most critical is the security of Web
applications on their Web server.

What should be your highest priority then in checking his network?

A.
Setting up a honey pot

B.
Vulnerability scanning

C.
Setting up IDS

D.
Port scanning

Answer: B
Explanation:

According to the question, your highest priority is to scan the Web applications for vulnerabilities,
since the client has identified them as the most critical concern.

QUESTION NO: 310

Which of the following is the most secure place to host a server that will be accessed publicly
through the Internet?

A.
A DNS Zone

B.
An Intranet

C.
A stub zone

D.
A demilitarized zone (DMZ)

Answer: D
Explanation:

A demilitarized zone (DMZ) is the most secure place to host a server that will be accessed publicly
through the Internet. A DMZ, or perimeter network, is a small network that lies between the
Internet and a private network. It is the boundary between the Internet and an internal
network, usually built from a combination of firewalls and bastion hosts that act as gateways
between inside and outside networks. Placing public servers in the DMZ gives an enterprise or
corporate network the ability to use the Internet while still maintaining its security: if a public
server is compromised, the attacker still faces a firewall before reaching the internal network.

Answer: B is incorrect. Hosting a server on the intranet for public access will not be good from a
security point of view, because a compromise of that server gives an attacker a foothold directly on
the internal network.

QUESTION NO: 311

Mark works as a Database Administrator for MarLinc Inc. How will he execute a SQL command
from the SQL buffer?

A.
Enter an asterisk (*)

B.
Enter a semicolon (;)

C.
Press [ESC] twice

D.
Press [RETURN] twice

E.
Enter a slash(/)

Answer: B,E
Explanation:

The SQL buffer stores the most recently used SQL command or PL/SQL block. It does not store
SQL*Plus commands. The SQL buffer can be edited or saved to a file. A SQL command or a
PL/SQL block can be executed by entering a semicolon (;) or a slash (/), or by using the RUN
command at the command prompt. When a semicolon (;) is entered at the end of a command, the
command is completed and executed. When a slash (/) is entered on a new line, the command in
the buffer is executed. It can also be used to execute a PL/SQL block. The RUN command is used
to execute the command in the buffer. A SQL command can be saved in the buffer without executing
it by entering a blank line.
Reference: Oracle8i Online Documentation, Contents: "SQL*PLUS Users Guide and Reference",
"Learning SQL*PLUS Basics, 3 of 4"

QUESTION NO: 312

Which of the following techniques can be used to determine the network ranges of any network?

A.
Whois query

B.
SQL injection

C.
Snooping

D.
Web ripping

Answer: A
Explanation:

Whois queries are used to determine the IP address ranges associated with clients. A whois query
can be run on most UNIX environments. In a Windows environment, the tools such as WsPingPro
and Sam Spade can be used to perform whois queries. Whois queries can also be executed over
the Web from www.arin.net and www.networksolutions.com.

Answer: B is incorrect. A SQL injection attack is a process in which an attacker tries to execute
unauthorized SQL statements. These statements can be used to delete data from a database,
delete database objects such as tables, views, stored procedures, etc. An attacker can either
directly enter the code into input variables or insert malicious code in strings that can be stored in
a database. For example, the following line of code illustrates one form of SQL injection attack:

query = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to fetch the records of any specified user name from the users table.
However, if the "userName" variable is crafted by a malicious user, the SQL statement may do more
than the code author intended. For example, if the attacker supplies ' or ''=' as the "userName"
value, the statement becomes:

SELECT * FROM users WHERE name = '' OR ''='';

The condition ''='' is true for every row, so the whole table is returned.
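Added example, not from the page: the injection above run against a constructed in-memory SQLite table, first with the vulnerable string concatenation the explanation shows, then with a bound parameter, which is the fix. The sample users are invented.

```python
"""SQL injection from the explanation above, reproduced and fixed (added illustration)."""
import sqlite3

PAYLOAD = "' or ''='"   # the attacker-supplied "userName" value from the explanation


def make_db():
    """Constructed sample data: three users in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db


def lookup_vulnerable(db, user_name):
    """Exactly the construction shown above: attacker text is spliced into the SQL."""
    query = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(query).fetchall()


def lookup_safe(db, user_name):
    """Parameterized query: the driver passes the value separately, so it is never
    parsed as SQL and the quote in the payload cannot close the string literal."""
    return db.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "bob"))      # [('bob', 'user')]
    print(lookup_vulnerable(db, PAYLOAD))    # every row: the WHERE clause became '' OR ''=''
    print(lookup_safe(db, PAYLOAD))          # [] : no user is literally named "' or ''='"
```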

Answer: D is incorrect. Web ripping is a technique in which the attacker copies the whole structure
of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker
to trace the loopholes of the Web site.
Answer: C is incorrect. Snooping is an activity of observing the content that appears on a
computer monitor or watching what a user is typing. Snooping also occurs by using software
programs to remotely monitor activity on a computer or network device. Hackers or attackers use
snooping techniques and equipment such as keyloggers to monitor keystrokes, capture
passwords and login information, and to intercept e-mail and other private communications.
Sometimes, organizations also snoop their employees legitimately to monitor their use of
organizations' computers and track Internet usage.

QUESTION NO: 313

You work as a Network Architect for Tech Perfect Inc. The company has a TCP/IP based
Enterprise network. The company uses Cisco IOS technologies in the Enterprise network. You
have enabled system message logging (syslog) service on all the routers that are currently
working in the network. The syslog service provides all the reports, and important error and
notification messages. You want to store all the reports and messages.

Choose the locations where you can store all of these.

A.
Auxiliary

B.
Buffer

C.
Syslog server

D.
tty lines

E.
Console

Answer: B,C,D,E
Explanation:

According to the scenario, you have enabled system message logging (syslog) on all the routers
that are currently working in the network. The reports, important error and notification messages
sent by the routers can be stored in the buffer, on the console, on a syslog server, and on the tty
lines. Use the buffer if you want to keep syslog messages for later analysis of the network; the
buffer is the router's RAM, so the messages stored there are available only until the router is
rebooted. The console port sends syslog messages to the attached terminal, and the vty and tty
lines send them to a remote terminal; messages sent through the console, vty, and tty lines are
displayed but not retained for later analysis. A syslog server stores all the reports, and
important error and notification messages. It is the best option because a syslog server is easy
to configure, can hold a large volume of logs, and keeps a copy off the router that an attacker
who compromises the router cannot erase. Note: If you have configured the routers to run an
SNMP agent, they can also send the reports and important error messages as SNMP traps to an
SNMP server, which lets you store them for a long period of time.

Answer: A is incorrect. You cannot store syslog messages on the auxiliary line.
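Added example, not from the page: the IOS configuration that enables each destination named above. The syslog host address 192.0.2.10 (documentation range), the buffer size, and the severity levels are assumed values.

```cisco
! Added illustration; addresses and levels are assumed.
configure terminal
 ! local RAM buffer: cheap to query with "show logging", lost on reload
 logging buffered 65536 informational
 ! console line: keep the level low, console output is slow and can stall the box
 logging console warnings
 ! vty/tty lines: each session also needs "terminal monitor" to see messages
 logging monitor informational
 ! remote syslog server: the only copy that survives a reload or a compromised router
 logging host 192.0.2.10
 logging trap informational
 logging source-interface Loopback0
 ! timestamps make the off-box copy correlatable with other systems
 service timestamps log datetime msec localtime show-timezone
end
show logging
```

"show logging" confirms which destinations are enabled, their severity levels, and the buffered messages; if the syslog host line shows no message count after a test event, check that UDP 514 to the server is not being filtered.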

QUESTION NO: 314

Peter works as a Web Developer for XYZ CORP. He is developing a Web site for the company.
Peter specifies MARGINHEIGHT="0" and MARGINWIDTH="0" in one of the Web pages.

How will this affect the Web page?

A.
It will create a borderless page structure when viewed in any browser.

B.
It will create a borderless page structure when viewed in Netscape Navigator.

C.
It will delete all the text from the margins.

D.
It will create a borderless page structure when viewed in Internet Explorer.

Answer: B
Explanation:

The MARGINHEIGHT and MARGINWIDTH attributes are used in the <BODY> tag to adjust the
top and left margins of a Web page to be displayed in Netscape Navigator. Specifying
MARGINHEIGHT="0" and MARGINWIDTH="0" within the <BODY> tag will create a borderless
page structure when viewed in Netscape Navigator.

Answer: D is incorrect. The TOPMARGIN and LEFTMARGIN attributes are used in the <BODY>
tag to adjust the top and left margins of a Web page to be displayed in Internet Explorer.
Specifying TOPMARGIN="0" and LEFTMARGIN="0" within the <BODY> tag will create a
borderless page structure when viewed in Internet Explorer.

Answer: C is incorrect. These attributes adjust margins; they do not delete text from the
margins.
QUESTION NO: 315

What will happen if you write the following parameters in the web.xml file?

<session-config>

<session-timeout>0</session-timeout>

</session-config>

A.
There will be no effect on the session; it will last for its default time.

B.
The session will never expire.

C.
An error will occur during execution.

D.
The session will expire immediately.

Answer: B
Explanation:

The <session-timeout> element of the deployment descriptor sets the session timeout in minutes.
If the value specified is zero or negative, the session will never time out. From a security
standpoint a session that never expires keeps a stolen or unattended session usable indefinitely,
so production deployments should set a finite value (for example 15 or 30 minutes) rather than 0.

QUESTION NO: 316

Mike works as a Network Engineer for XYZ CORP. The company has a multi-platform network.
Recently, the company faced lots of blended threat issues that lead to several drastic attacks.
Mike has been assigned a project to manage the resources and services of the company through
both Intranet and Internet to protect the company from these attacks. Mike needs a system that
provides auto-discovering and network topology building features to allow him to keep an intuitive
view of the IT infrastructure.

What will Mike use to meet the requirement of the project?

A.
eBox
B.
dopplerVUe

C.
David system

D.
EM7

Answer: C
Explanation:

David system is a network management system that allows a user to manage the resources and
services through both Intranet and Internet. It provides auto-discovering and network topology
building features to facilitate in keeping an intuitive view of the IT infrastructure. The resources,
real-time monitoring, and accessibility of historical data facilitate reaction to failures. Configured
interfaces for monitored devices permit a user to focus on the most important aspects of their
work.

Answer: B is incorrect. dopplerVUe is a network management tool that facilitates network
discovery, mapping, alerts and alarm management, and bandwidth management. It enables
monitoring of Ping, SNMP, syslog, and WMI performance metrics. It can also be used to
monitor IPv6 devices, as well as services such as DNS, HTTP, and email.

Answer: A is incorrect. eBox is an open source distribution and web development framework. This
framework is used to manage server application configuration. It is based on Ubuntu Linux. It is
projected to manage services in a computer network. The modular design of eBox allows a user to
pick and choose the services.

Answer: D is incorrect. EM7 is a network monitoring system that is used to measure IT
infrastructure health and performance. It is an NMS integrated system. It is designed to help in
optimizing the performance and availability of the networks, systems, and applications. It facilitates
trouble-ticketing, event management, reporting, IP management, DNS, and monitoring.

QUESTION NO: 317

You work as a Network Administrator for Tech-E-book Inc. You are configuring the ISA Server
2006 firewall to provide your company with a secure wireless intranet. You want to accept inbound
mail delivery through an SMTP server. Which basic rules of ISA Server do you need to configure to
accomplish the task?

A.
Publishing rules

B.
Network rules

C.
Mailbox rules

D.
Access rules

Answer: A
Explanation:

Publishing rules are applied to publish an internal SMTP server so that it can accept inbound mail
delivery from the Internet. ISA Server has three basic kinds of rules: publishing rules, access
rules, and network rules.

Answer: D is incorrect. Access rules control outbound traffic from internal clients.

Answer: B is incorrect. Network rules define the relationship (route or NAT) between networks and
how traffic between them is handled.

Answer: C is incorrect. There is no such ISA Server rule set.

QUESTION NO: 318

You work as a Network Analyst for XYZ CORP. The company has a Unix-based network. You
want to view the directories in alphabetical order.

Which of the following Unix commands will you use to accomplish the task?

A.
cat

B.
chmod

C.
cp

D.
ls

Answer: D
Explanation:

In Unix, the ls command lists the contents of a directory; by default the entries are sorted
alphabetically.
Answer: A is incorrect. In Unix, the cat command is used to create or display short files.

Answer: B is incorrect. In Unix, the chmod command is used to change permissions.

Answer: C is incorrect. In Unix, the cp command is used for copying files.

QUESTION NO: 319

Adam works as a Security Analyst for Umbrella Inc. He is retrieving large amount of log data from
syslog servers and network devices such as Router and switches. He is facing difficulty in
analyzing the logs that he has retrieved. To solve this problem, Adam decides to use software
called Sawmill. Which of the following statements are true about Sawmill?

A.
It incorporates real-time reporting and real-time alerting.

B.
It is used to analyze any device or software package, which produces a log file such as Web
servers, network devices (switches & routers etc.), syslog servers etc.

C.
It is a software package for the statistical analysis and reporting of log files.

D.
It comes only as a software package for user deployment.

Answer: A,B,C
Explanation:

Sawmill is a software package for the statistical analysis and reporting of log files, with dynamic
contextual filtering, 'live' data zooming, user interface customization, and custom calculated
reports. Sawmill incorporates real-time reporting and real-time alerting. Sawmill also includes a
page tagging server and JavaScript page tag for the analysis of client side clicks (client requests)
providing a total view of visitor traffic and on-site behavioral activity. Sawmill Analytics is offered in
three forms, as a software package for user deployment, as a turnkey on-premise system
appliance, and as a SaaS service. Sawmill analyzes any device or software package producing a
log file and that includes Web servers, firewalls, proxy servers, mail servers, network devices
(switches & routers etc.), syslog servers, databases etc. Its range of potential uses by knowledge
workers is essentially limitless.

Answer: D is incorrect. Sawmill Analytics software is available in three different forms: as a
software package for user deployment, as a turnkey on-premise system appliance, and as a SaaS
service.
QUESTION NO: 320

Which of the following recovery plans includes specific strategies and actions to deal with specific
variances to assumptions resulting in a particular security problem, emergency, or state of affairs?

A.
Disaster recovery plan

B.
Continuity of Operations Plan

C.
Business continuity plan

D.
Contingency plan

Answer: D
Explanation:

A contingency plan is a plan devised for a specific situation when things could go wrong.
Contingency plans include specific strategies and actions to deal with specific variances to
assumptions resulting in a particular problem, emergency, or state of affairs. They also include a
monitoring process and triggers for initiating planned actions.

Answer: A is incorrect. Disaster recovery is the process, policies, and procedures related to
preparing for recovery or continuation of technology infrastructure critical to an organization after a
natural or human-induced disaster.

Answer: C is incorrect. It deals with the plans and procedures that identify and prioritize the critical
business functions that must be preserved.

Answer: B is incorrect. It includes the plans and procedures documented that ensure the continuity
of critical operations during any period where normal operations are impossible.

QUESTION NO: 321

You have just taken over as the Network Administrator for a medium sized company. You want to
check to see what services are exposed to the outside world.

What tool would you use to accomplish this?
A.
Network mapper

B.
Protocol analyzer

C.
A port scanner

D.
Packet sniffer

Answer: C
Explanation:

A port scanner is often used on the periphery of a network by either administrators or hackers. It
will tell you what ports are open. By determining what ports are open, you know what services are
exposed to the outside world. For example, if port 80 is open, then HTTP traffic is allowed,
meaning there should be a Web server on the network.

Answer: A is incorrect. Network mappers give a topography of the network, letting you know what
is on your network and where it is connected.

Answer: B is incorrect. A protocol analyzer does detect if a given protocol is moving over a
particular network segment, thus would detect services working on that segment. However, a port
scanner is a better tool for detecting all the ports that are open.

Answer: D is incorrect. Packet sniffers are used to intercept traffic and to detect the contents of
that traffic.

QUESTION NO: 322

Which of the following types of authentication tokens forms a logical connection to the client
computer but does not require a physical connection?

A.
Virtual token

B.
Connected token

C.
Disconnected token

D.
Contactless token

Answer: D
Explanation:

Contactless tokens are the third main type of physical tokens. Unlike connected tokens, they form
a logical connection to the client computer but do not require a physical connection. The absence
of the need for physical contact makes them more convenient than both connected and
disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry
systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit
authentication information from a keychain token. However, there have been various security
concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA
Laboratories discovered that RFID tags could be easily cracked and cloned. Another downside is
that contactless tokens have relatively short battery lives, usually only 3-5 years, which is low
compared to USB tokens which may last up to 10 years. However, some tokens do allow the
batteries to be changed, thus reducing costs.

Answer: A is incorrect. Virtual tokens are a new concept in multi-factor authentication first
introduced in 2005 by security company Sestus. Virtual tokens work by sharing the token
generation process between the Internet website and the user's computer and have the advantage
of not requiring the distribution of additional hardware or software. In addition, since the user's
device is communicating directly with the authenticating website, the solution is resistant to man-
in-the-middle attacks and similar forms of online fraud.

Answer: B is incorrect. Connected tokens are tokens that must be physically connected to the
client computer. Tokens in this category will automatically transmit the authentication information
to the client computer once a physical connection is made, eliminating the need for the user to
manually enter the authentication information. However, in order to use a connected token, the
appropriate input device must be installed. The most common types of physical tokens are smart
cards and USB tokens, which require a smart card reader and a USB port, respectively.

Answer: C is incorrect. Disconnected tokens have neither a physical nor logical connection to the
client computer. They typically do not require a special input device, and instead use a built-in
screen to display the generated authentication data, which the user enters manually via a
keyboard or keypad. Disconnected tokens are the most common type of security token used
(usually in combination with a password) in two-factor authentication for online identification.

QUESTION NO: 323

Choose the benefits of deploying switches over hubs in your infrastructure. (Choose two.)

A.
Layer 2 switches allow for the creation of Virtual LANs providing options for further segmentation
and security.
B.
Switches lower the number of collisions in the environment.

C.
Switches create an environment best suited for half duplex communications. This improves
network performance and the amount of available bandwidth.

D.
Layer 2 switches increase the number of broadcast domains in the environment.

Answer: A,B
Explanation:

Switches differ from hubs in that they break up Collision Domains. Each port on a switch equals
one Collision Domain. Therefore, a switch will lower the number of collisions within the
infrastructure. Managed switches typically offer the ability to create Virtual LANs. Virtual LANs
allow the switch to create multiple LANs/network segments that are Virtual. This allows the switch
to create additional environments where needed.

QUESTION NO: 324

Which of the following tools is used for port scanning?

A.
L0phtcrack

B.
NSLOOKUP

C.
NETSH

D.
Nmap

Answer: D
Explanation:

Nmap is a port scanner: it determines which TCP and UDP ports on a target (local or remote, Linux
or any other OS) are open, and can also identify the listening services and fingerprint the
operating system. Administrators use it to determine which services are available to external
users and to decide whether to disable services that are not being used in order to minimize any
security risk.
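Added example covering this explanation and the port scanner question (QUESTION NO: 321) above; it is not nmap's code. A TCP connect() scanner in Python that classifies each port as open, closed or filtered from how the connect attempt ends, maps open ports to the services an outsider could reach, and, for an offline run, scans loopback against a listener it starts itself. The host, port list and service table are assumed.

```python
"""Minimal TCP connect() port scanner (added illustration, not nmap)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed mapping from well-known port to the service an outsider would reach.
COMMON_SERVICES = {22: "ssh", 25: "smtp", 80: "http", 443: "https", 3389: "rdp"}


def probe(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    A completed handshake means a listener; an RST (connection refused) means the host is
    up but nothing listens there; silence until the timeout is what a firewall dropping the
    SYN looks like, so it is reported as filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # socket.timeout and unreachable errors both land here
        return "filtered"
    finally:
        s.close()


def scan(host, ports, workers=64):
    """Probe the ports concurrently and return {port: state} for every port."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        states = ex.map(lambda p: probe(host, p), ports)
        return dict(zip(ports, states))


def exposed_services(results):
    """Translate the open ports into the services an outsider could reach."""
    return {p: COMMON_SERVICES.get(p, "unknown") for p, s in results.items() if s == "open"}


def _listener(host="127.0.0.1"):
    """Constructed stand-in for an exposed service: a socket that listens on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    srv = _listener()
    port = srv.getsockname()[1]
    results = scan("127.0.0.1", [port, port + 1])
    print(results)
    print(exposed_services(results))   # only the listening port appears
    srv.close()
```

Run against the perimeter from outside it (a host on the Internet side of the firewall), because scanning from inside shows what is reachable internally, not what is exposed to the world; and note that a connect scan completes the handshake, so every open port it touches is logged by the service, unlike the half-open scan nmap uses by default.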

Answer: B is incorrect. NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name
System (DNS) problems. It performs its function by sending queries to the DNS server and
obtaining detailed responses at the command prompt. This information can be useful for
diagnosing and resolving name resolution issues, verifying whether or not the resource records
are added or updated correctly in a zone, and debugging other server-related problems. On
Windows this tool is installed along with the TCP/IP protocol.

Answer: C is incorrect. NETSH is a Windows command-line tool for configuring networking
components, including TCP/IP settings such as the IP address, subnet mask, default gateway, and
DNS and WINS server addresses. It does not scan remote ports.

Answer: A is incorrect. L0phtcrack is a password-auditing tool. It identifies and helps remediate
security vulnerabilities that result from weak or easily guessed passwords by recovering Windows
and Unix account passwords from their hashes, giving access to user and administrator accounts.

QUESTION NO: 325

You have just set up a wireless network for customers at a coffee shop. Which of the following are
good security measures to implement? (Choose two.)

A.
Using WPA encryption

B.
MAC filtering the router

C.
Not broadcasting SSID

D.
Using WEP encryption

Answer: A,D
Explanation:

With either encryption method (WEP or WPA) you can give the key to customers who need it, and
even change it frequently (daily if you like), so encryption is not an inconvenience for
customers. MAC filtering and hiding the SSID, by contrast, are unworkable for a walk-in customer
base and provide no real security, since both are trivially bypassed with a wireless sniffer.
Caveat: the exam treats WEP as acceptable; in practice WEP has been broken for years and should
not be deployed. Use WPA2 or WPA3.

QUESTION NO: 326

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company has recently provided laptops to its sales team members. You have
configured access points in the network to enable a wireless network. The company's security
policy states that all users using laptops must use smart cards for authentication.

Which of the following authentication techniques will you use to implement the security policy of
the company?

A.
IEEE 802.1X using EAP-TLS

B.
IEEE 802.1X using PEAP-MS-CHAP

C.
Pre-shared key

D.
Open system

Answer: A
Explanation:

In order to ensure that the laptop users use smart cards for authentication, you will have to
configure IEEE 802.1X authentication using the EAP-TLS protocol on the network. EAP-TLS performs
certificate-based mutual authentication, and the user certificate and private key can be held on
the smart card; PEAP-MS-CHAP uses passwords and cannot use a smart card, while a pre-shared key or
an open system provides no per-user authentication at all.

QUESTION NO: 327

You have been assigned a project to develop a Web site for a construction company. You plan to
develop a Web site and want to use cascading style sheets (CSS) as it helps you to get more
control over the appearance and presentation of your Web pages and also extends your ability to
precisely specify the position and appearance of the elements on a page and create special
effects. You want to define styles for individual elements of a page.

Which type of style sheet will you use?

A.
Embedded Style Sheet

B.
Internal Style Sheet

C.
External Style Sheet
D.
Inline Style Sheet

Answer: D
Explanation:

Cascading style sheets (CSS) are used so that the Web site authors can exercise greater control
on the appearance and presentation of their Web pages. And also because they increase the
ability to precisely point to the location and look of elements on a Web page and help in creating
special effects. Cascading Style Sheets have codes, which are interpreted and applied by the
browser on to the Web pages and their elements. There are three types of cascading style sheets.

External Style Sheets

Embedded Style Sheets

Inline Style Sheets

External Style Sheets are used whenever consistency in style is required throughout a Web site. A
typical external style sheet uses a .css file extension, which can be edited using a text editor such
as a Notepad.

Embedded Style Sheets are used for defining styles for an active page.

Inline Style Sheets are used for defining individual elements of a page.

Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number:
Q179628

QUESTION NO: 328

You want to append a tar file if the on-disk version of the tar file has a modification date more
recent than its copy in the tar archive.

Which of the following commands will you use to accomplish the task?

A.
tar -u

B.
tar -t

C.
tar -c

D.
tar –x

Answer: A
Explanation:

The tar -u command is used to append a tar file if the on-disk version of the tar file has a
modification date more recent than its copy in the tar archive.

Answer: B is incorrect. The tar -t command is used to list the contents of an archive.

Answer: D is incorrect. The tar -x command is used to extract the files from an archive.

Answer: C is incorrect. The tar -c command is used to create a new archive of specified files.

QUESTION NO: 329

You are the Security Administrator for an Internet Service Provider. From time to time your
company gets subpoenas from attorneys and law enforcement for records of customers' access to
the internet. What policies must you have in place to be prepared for such requests?

A.
Group access policies

B.
Backup policies

C.
User access policies

D.
Storage and retention policies

Answer: D
Explanation:

Storage and retention policies will determine how long you keep records (such as records of
customers Web activity), how you will store them, and how you will dispose of them. This will allow
you to know what records you should still have on hand should a legal request for such records
come in.

Answer: C is incorrect. User policies might determine what a customer has access to, but won't
help you identify what they actually did access.

Answer: A is incorrect. Group policies are usually pertinent to network administration, not the open
and uncontrolled environment of an ISP.

Answer B is incorrect. Backup policies dictate how data is backed up and stored.

QUESTION NO: 330

You work as a Network Administrator for Infosec Inc. Nowadays, you are facing an unauthorized
access in your Wi-Fi network. Therefore, you analyze a log that has been recorded by your
favorite sniffer, Ethereal. You are able to discover the cause of the unauthorized access after
noticing the following string in the log file:

(wlan.fc.type_subtype eq 32 and llc.oui eq 0x00601d and llc.pid eq 0x0001)

When you find 'All your 802.11b are belong to us' as the payload string, you are convinced about
which tool is being used for the unauthorized access.

Which of the following tools have you ascertained?

A.
AiroPeek

B.
AirSnort

C.
Kismet

D.
NetStumbler

Answer: D
Explanation:

NetStumbler, a war-driving tool, marks its traffic with an LLC/SNAP organizationally unique
identifier (OUI) of 0x00601D and a protocol identifier (PID) of 0x0001, which is exactly what the
display filter above matches. Each version also carries a characteristic payload string; for
example, NetStumbler 3.2.3 sends 'All your 802.11b are belong to us'. Therefore, when you see the
OUI and PID values, you discover that the attacker is using NetStumbler, and when you see the
payload string, you are able to ascertain that the attacker is using NetStumbler 3.2.3.
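The same detection as code, added here as an example (it is not part of the original question and not taken from Ethereal or NetStumbler): a small 802.11 data-frame parser that applies the filter's three conditions (data frame, LLC OUI 00:60:1D, PID 0x0001) and then maps the payload string to a NetStumbler version. The frames are constructed inline; the only payload string in the version table is the one the page gives. Assumptions: frames are plain three-address, non-QoS, unencrypted data frames with a 24-byte MAC header, and the MAC addresses and helper names are made up for the demo.

```python
import struct

# Values from the display filter in the question.
NETSTUMBLER_OUI = bytes.fromhex("00601d")
NETSTUMBLER_PID = 0x0001
# Payload-to-version table; only the string given on the page is included.
NETSTUMBLER_PAYLOADS = {b"All your 802.11b are belong to us": "3.2.3"}

LLC_SNAP_HEADER = b"\xaa\xaa\x03"   # DSAP=0xAA, SSAP=0xAA, control=UI (0x03)
MAC_HEADER_LEN = 24                 # three-address, non-QoS data frame (assumption)


def build_data_frame(src: bytes, dst: bytes, bssid: bytes, oui: bytes, pid: int,
                     payload: bytes) -> bytes:
    """Construct a plain 802.11 data frame (type 2, subtype 0) with an LLC/SNAP
    header. Used only to create the sample frames below."""
    frame_control = 0x0008          # type=2 (data), subtype=0, no flags -> bytes 08 00
    header = struct.pack("<HH6s6s6sH", frame_control, 0, dst, src, bssid, 0)
    return header + LLC_SNAP_HEADER + oui + struct.pack(">H", pid) + payload


def parse_frame(frame: bytes):
    """Return (type_subtype, src, oui, pid, payload) for a data frame carrying an
    LLC/SNAP header, or None if the frame does not have that shape."""
    if len(frame) < MAC_HEADER_LEN + 8:
        return None
    fc0 = frame[0]
    frame_type = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    type_subtype = (frame_type << 4) | subtype   # Wireshark's wlan.fc.type_subtype value
    if type_subtype != 32:                       # 32 == plain data frame
        return None
    src = frame[10:16]                           # addr2 = transmitter
    llc = frame[MAC_HEADER_LEN:MAC_HEADER_LEN + 8]
    if llc[:3] != LLC_SNAP_HEADER:
        return None
    oui = llc[3:6]
    pid = struct.unpack(">H", llc[6:8])[0]
    return type_subtype, src, oui, pid, frame[MAC_HEADER_LEN + 8:]


def classify_netstumbler(frame: bytes):
    """Apply the page's filter and version fingerprint.
    Returns ("NetStumbler", version, src_mac) or None."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    _, src, oui, pid, payload = parsed
    if oui != NETSTUMBLER_OUI or pid != NETSTUMBLER_PID:
        return None
    version = NETSTUMBLER_PAYLOADS.get(payload.rstrip(b"\x00"), "unknown")
    return "NetStumbler", version, src.hex(":")


def find_wardrivers(frames):
    """Run the classifier over a capture; returns {source MAC: version}."""
    hits = {}
    for frame in frames:
        result = classify_netstumbler(frame)
        if result:
            hits[result[2]] = result[1]
    return hits


# Constructed sample capture: one NetStumbler 3.2.3 probe and one ordinary IP frame.
SRC = bytes.fromhex("001122334455")
AP = bytes.fromhex("aabbccddeeff")
SAMPLE_CAPTURE = [
    build_data_frame(SRC, AP, AP, NETSTUMBLER_OUI, NETSTUMBLER_PID,
                     b"All your 802.11b are belong to us"),
    build_data_frame(SRC, AP, AP, b"\x00\x00\x00", 0x0800, b"\x45\x00" + b"\x00" * 18),
]

if __name__ == "__main__":
    print(find_wardrivers(SAMPLE_CAPTURE))   # {'00:11:22:33:44:55': '3.2.3'}
```

The source MAC is evidence, not identity: the same attacker can change it between runs, so correlate hits on the OUI/PID/payload signature rather than on the address alone.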

QUESTION NO: 331

You are concerned about rootkits on your network communicating with attackers outside your
network.

Without using an IDS how can you detect this sort of activity?

A.
By setting up a DMZ.

B.
You cannot, you need an IDS.

C.
By examining your domain controller server logs.

D.
By examining your firewall logs.

Answer: D
Explanation:

Firewall logs record the traffic crossing the perimeter in both directions, including the
connections that were allowed. By examining them you can detect anomalous outbound traffic from
internal hosts: connections to unexpected external addresses, unusual destination ports, and, in
particular, connections that recur at a fixed interval (beaconing), which is how an implant such as
a rootkit typically calls home to its controller.

Answer: B is incorrect. While an IDS might be the most obvious solution in this scenario, it is not
the only one.

Answer: C is incorrect. It is very unlikely that anything in your domain controller logs will show the
presence of a rootkit, unless that rootkit is on the domain controller itself.

Answer A is incorrect. A DMZ is an excellent firewall configuration but will not aid in detecting
rootkits.
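The beaconing check described above, as an added example (it is not part of the original question and does not target any particular firewall's log format): the script parses outbound-connection log lines, groups them by source, destination and port, ignores RFC 1918 destinations, and flags flows whose inter-connection gaps are nearly constant. The log lines, the `src=... dst=... dpt=...` layout, the addresses, and the thresholds are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample of outbound firewall log lines (a simplified layout chosen
# for this example, not any vendor's exact syntax). 10.0.0.5 calls the same
# external host every 60 s on port 4444; 10.0.0.8 browses irregularly; 10.0.0.5
# also does ordinary internal DNS.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ACCEPT OUT src=10.0.0.5 dst=203.0.113.7 proto=TCP dpt=4444
2024-05-01T10:00:05 ACCEPT OUT src=10.0.0.8 dst=198.51.100.20 proto=TCP dpt=443
2024-05-01T10:00:30 ACCEPT OUT src=10.0.0.5 dst=10.0.0.1 proto=UDP dpt=53
2024-05-01T10:00:41 ACCEPT OUT src=10.0.0.8 dst=198.51.100.20 proto=TCP dpt=443
2024-05-01T10:01:00 ACCEPT OUT src=10.0.0.5 dst=203.0.113.7 proto=TCP dpt=4444
2024-05-01T10:01:30 ACCEPT OUT src=10.0.0.5 dst=10.0.0.1 proto=UDP dpt=53
2024-05-01T10:02:00 ACCEPT OUT src=10.0.0.5 dst=203.0.113.7 proto=TCP dpt=4444
2024-05-01T10:02:30 ACCEPT OUT src=10.0.0.5 dst=10.0.0.1 proto=UDP dpt=53
2024-05-01T10:03:00 ACCEPT OUT src=10.0.0.5 dst=203.0.113.7 proto=TCP dpt=4444
2024-05-01T10:03:12 ACCEPT OUT src=10.0.0.8 dst=198.51.100.20 proto=TCP dpt=443
2024-05-01T10:03:30 ACCEPT OUT src=10.0.0.5 dst=10.0.0.1 proto=UDP dpt=53
2024-05-01T10:04:00 ACCEPT OUT src=10.0.0.5 dst=203.0.113.7 proto=TCP dpt=4444
2024-05-01T10:09:50 ACCEPT OUT src=10.0.0.8 dst=198.51.100.20 proto=TCP dpt=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)$"
)

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """RFC 1918 check. ipaddress.is_private is deliberately not used because it
    also classifies the documentation ranges in the sample as private."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield one dict per well-formed outbound log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rec["dpt"] = int(rec["dpt"])
            yield rec


def find_beacons(records, min_connections=4, max_jitter=0.2):
    """Group outbound connections to external hosts by (src, dst, dport) and flag
    flows whose gaps are nearly constant (coefficient of variation <= max_jitter),
    the periodic call-home pattern of an implant. Returns {(src, dst, dport): mean gap s}."""
    flows = defaultdict(list)
    for rec in records:
        if is_internal(rec["dst"]):
            continue            # internal traffic is out of scope for this hunt
        flows[(rec["src"], rec["dst"], rec["dpt"])].append(rec["ts"])
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, dpt), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"beacon: {src} -> {dst}:{dpt} every {gap:.0f}s")
```

Real implants add jitter and hide in allowed ports such as 443, so in practice you would loosen `max_jitter`, look at byte counts per connection, and compare destinations against threat intelligence; the grouping and interval statistics stay the same.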

QUESTION NO: 332

Martha works as a Web Developer for XYZ CORP. She is developing a Web site for the company.
In the Web site, she uses multiple and overlapping style definitions to control the appearance of
HTML elements.

What is this technique known as?

A.
Style sheet

B.
Cascading Style Sheet

C.
Overlapping Style Sheet

D.
Core sheet

Answer: B
Explanation:

A Cascading Style Sheet (CSS) is a separate text file that keeps track of design and formatting
information, such as colors, fonts, font sizes, and margins, used in Web pages. CSS is used to give
Web site authors greater control over the appearance and presentation of their Web pages. It has
codes that are interpreted and applied by the browser to the Web pages and their elements. The
"cascading" refers to the way multiple, overlapping style definitions are combined according to
precedence rules. CSS files have a .css extension. There are three types of Cascading Style
Sheets: external, embedded, and inline.

Answer: A is incorrect. A style sheet is a set of additional tags used to describe the appearance of
individual HTML tags; the technique of layering multiple overlapping definitions is specifically a
Cascading Style Sheet.

QUESTION NO: 333

Which of the following is used to execute a SQL statement from the SQL buffer?

A.
Entering an asterisk (*)

B.
Pressing [RETURN] once

C.
Pressing [RETURN] twice

D.
Entering a slash (/)

E.
Pressing [ESC] twice.

Answer: D
Explanation:

A SQL statement or a PL/SQL block can be executed by entering a semicolon (;) or a slash (/), or
by using the RUN command at the SQL prompt. When a semicolon is entered at the end of a command,
the command is completed and executed immediately. When a slash is entered on a line by itself,
the command currently held in the SQL buffer is executed; this also works for a PL/SQL block. The
RUN command likewise executes the command in the buffer (and lists it first). Note: the SQL buffer
stores the most recently entered SQL command or PL/SQL block. It does not store SQL*Plus commands.
The buffer can be edited or saved to a file. Note: entering a blank line terminates the statement
and leaves it in the buffer without running it.

Reference: Oracle8i Online Documentation, Contents: "SQL*PLUS Users Guide and Reference",
"Learning SQL*PLUS Basics,3 of 4", "Understanding SQL COMMAND Syntax"

QUESTION NO: 334

You work as a Network Administrator for Tech Perfect Inc. You have a laptop running Windows
Vista Ultimate. You want to configure Windows Defender on your laptop so that it does not take
any action automatically whenever it scans malicious software. Rather, it should recommend the
action and wait for your approval for taking any action.

Which of the following actions will you take to accomplish the task?

A.
Clear the Use real-time protection check box in Defender Options

B.
Clear the Automatically scan my computer check box in Defender Options

C.
Select the Create a restore point before applying action to detected items check box in Defender
Options

D.
Clear the Apply default actions to items detected during a scan check box in Defender Options.

Answer: D
Explanation:

According to the question, you want to prevent Windows Defender from taking any action
automatically during the scanning of your laptop. In order to accomplish this, you will have to clear
the Apply default actions to items detected during a scan check box in Defender Options.

If you clear the Apply default actions to items detected during a scan check box, Windows
Defender will only recommend an action for detected malicious software and wait for your approval
before taking it.

QUESTION NO: 335

Mark works as a Network Administrator for Infonet Inc. The company has a Windows 2000 Active
Directory domain-based network. The domain contains one hundred Windows XP Professional
client computers. Mark is deploying an 802.11 wireless LAN on the network. The wireless LAN will
use Wired Equivalent Privacy (WEP) for all the connections. According to the company's security
policy, the client computers must be able to automatically connect to the wireless LAN. However,
the unauthorized computers must not be allowed to connect to the wireless LAN and view the
wireless network. Mark wants to configure all the wireless access points and client computers to
act in accordance with the company's security policy.

What will he do to accomplish this? (Choose three.)

A.
Configure the authentication type for the wireless LAN to Shared Key

B.
On each client computer, add the SSID for the wireless LAN as the preferred network

C.
Install a firewall software on each wireless access point

D.
Disable SSID Broadcast and enable MAC address filtering on all wireless access points

E.
Configure the authentication type for the wireless LAN to Open system

F.
Broadcast SSID to connect to the access point (AP)

Answer: A,B,D
Explanation:

To configure all the wireless access points and client computers to act in accordance with the
company's security policy, Mark will take the following actions: configure the authentication type
for the wireless LAN to Shared Key, so that only clients holding the WEP key can associate; add
the SSID of the wireless LAN as the preferred network on each client computer, so that the clients
connect automatically; and disable SSID broadcast and enable MAC address filtering on all access
points, so that unauthorized computers do not see the network and are not allowed to associate
even if they learn its name.

Answer: E is incorrect. Open System authentication lets any station associate without proving
knowledge of the key, which does not satisfy the policy. Caveat for practitioners: Shared Key
authentication actually exposes a WEP keystream (the challenge and the encrypted response are both
visible on the air), WEP itself is broken, and SSID hiding and MAC filtering are easily bypassed;
none of these measures substitutes for WPA2 or WPA3 with 802.1X.

QUESTION NO: 336

John works as a professional Ethical Hacker. He has been assigned a project to test the security
of www.we-are-secure.com. He performs Web vulnerability scanning on the We-are-secure
server. The output of the scanning test is as follows:

C:\whisker.pl -h target_IP_address
-- whisker / v1.4.0 / rain forest puppy / www.mycompany.net --
= - = - = - = - =
= Host: target_IP_address
= Server: Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22
+ 200 OK: HEAD /cgi-bin/printenv

John recognizes the /cgi-bin/printenv vulnerability ('Printenv' vulnerability) on the
We-are-secure server.

Which of the following statements about 'Printenv' vulnerability are true?

A.
With the help of 'printenv' vulnerability, an attacker can input specially crafted links and/or other
malicious scripts.

B.
'Printenv' vulnerability maintains a log file of user activities on the Website, which may be useful
for the attacker.

C.
The countermeasure to 'printenv' vulnerability is to remove the CGI script.

D.
This vulnerability helps in a cross site scripting attack.

Answer: A,C,D
Explanation:

The 'printenv' vulnerability arises because the printenv CGI script echoes the request environment
(including attacker-controlled values such as the extra path and query string) back into the
response without encoding it. An attacker can therefore craft links and/or inject malicious
scripts, for example http://www/cgi-bin/printenv/<script>alert('An attacker can misuse it!')</script>,
which makes it a vector for cross-site scripting. Since 'printenv' is just an example CGI script
(it ships with various versions of the Apache Web server) that has no real use and has its own
problems, there is no problem in removing it, and that is the countermeasure.

Answer: B is incorrect. 'Printenv' does not maintain any log file of user activities.
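To make the reflection concrete, here is an added example that is not part of the original question and not the Apache printenv script itself (which is a Perl CGI): a Python stand-in that renders the request environment the way printenv does, beside a hardened version that HTML-escapes every value. The request environment `ATTACK_ENVIRON` is constructed from the crafted link in the explanation; the function names and the `contains_live_script` helper are assumptions for the demo.

```python
import html


def render_printenv_vulnerable(environ: dict) -> str:
    """Stand-in for the classic printenv CGI: dumps the request environment
    into an HTML page without escaping. Attacker-controlled variables such as
    PATH_INFO and QUERY_STRING land in the page verbatim, so a link like
    /cgi-bin/printenv/<script>...</script> runs in the victim's browser."""
    rows = "\n".join(f"{name} = {value}" for name, value in sorted(environ.items()))
    return f"<html><body><pre>{rows}</pre></body></html>"


def render_printenv_safe(environ: dict) -> str:
    """Hardened version: every name and value is HTML-escaped before it is
    placed in markup, so a script tag is displayed as text, not executed."""
    rows = "\n".join(
        f"{html.escape(name)} = {html.escape(str(value))}"
        for name, value in sorted(environ.items())
    )
    return f"<html><body><pre>{rows}</pre></body></html>"


def contains_live_script(page: str) -> bool:
    """Crude check used by the demo: does the page still carry a raw <script> tag?"""
    return "<script" in page.lower()


# Constructed request environment, as a Web server would hand it to the CGI
# after the crafted link from the explanation is followed.
ATTACK_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/printenv",
    "PATH_INFO": "/<script>alert('An attacker can misuse it!')</script>",
    "HTTP_USER_AGENT": "Mozilla/5.0",
}

if __name__ == "__main__":
    print("vulnerable page executes script:",
          contains_live_script(render_printenv_vulnerable(ATTACK_ENVIRON)))   # True
    print("hardened page executes script:",
          contains_live_script(render_printenv_safe(ATTACK_ENVIRON)))        # False
```

Escaping fixes the XSS, but the exam's answer still stands: a script whose only purpose is to reveal server configuration to whoever asks should simply be removed rather than hardened.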

QUESTION NO: 337

Which of the following protocols are used to provide secure communication between a client and a
server over the Internet? (Choose two.)

A.
TLS

B.
SSL

C.
HTTP

D.
SNMP

Answer: A,B
Explanation:

SSL and TLS protocols are used to provide secure communication between a client and a server
over the Internet.

QUESTION NO: 338

You have made a program secure.c to display which ports are open and what types of services
are running on these ports. You want to write the program's output to standard output and
simultaneously copy it into a specified file.

Which of the following commands will you use to accomplish the task?

A.
cat

B.
more

C.
less

D.
tee

Answer: D
Explanation:

You will use the tee command to write the program's output to standard output and simultaneously
copy it into the specified file. The tee command splits the output of a program so that it can be
seen on the display and also be saved in a file; it can likewise capture intermediate output in a
pipeline before the data is altered by another command or program. The tee command reads standard
input, writes it to standard output, and simultaneously copies it into the specified file(s). The
syntax of the tee command is as follows: tee [-a] [-i] [File] where the -a option appends the
output to the end of File instead of overwriting it and the -i option ignores interrupts.

Answer: A is incorrect. The concatenate (cat) command is used to display or print the contents of
a file. Syntax: cat filename. For example, the following command will display the contents of the
/var/log/dmesg file: cat /var/log/dmesg. Note: the more command is often used together with the
cat command to prevent the output from scrolling off the screen.

Answer: C is incorrect. The less command is used to view (but not change) the contents of a text
file, one screen at a time. It is similar to the more command but allows both forward and backward
navigation through the file. Unlike most Unix text editors and viewers, less does not need to read
the entire file before starting, so it loads large files faster. The syntax of the less command is
as follows: less [options] file_name Where,

Answer: B is incorrect. The more command is used to view (but not modify) the contents of a text
file on the terminal, one screen at a time. The syntax of the more command is as follows: more
[options] file_name Where,

QUESTION NO: 339

Victor wants to use Wireless Zero Configuration (WZC) to establish a wireless network connection
using his computer running on Windows XP operating system.

Which of the following are the most likely threats to his computer? (Choose two.)

A.
Information of probing for networks can be viewed using a wireless analyzer and may be used to
gain access.

B.
Attacker can use the Ping Flood DoS attack if WZC is used.

C.
Attacker by creating a fake wireless network with high power antenna cause Victor's computer to
associate with his network to gain access.

D.
It will not allow the configuration of encryption and MAC filtering. Sending information is not secure
on wireless network.

Answer: A,C
Explanation:

Wireless Zero Configuration (WZC), also known as Wireless Auto Configuration or WLAN AutoConfig,
is a wireless connection management utility included with Microsoft Windows XP and later operating
systems. It runs as a service that dynamically selects a wireless network to connect to, based on
the user's preferences and various default settings, and can be used instead of, or in the absence
of, a wireless utility from the manufacturer of the computer's wireless adapter. The adapter's
drivers query the NDIS object identifiers and pass the available network names to the service. WZC
also introduces some security threats: it sends probe requests for the networks in its preferred
list, and those probes, which carry the network names, can be seen by anyone with a wireless
analyzer and used to set up a fake access point with a matching SSID that the client will join;
and because WZC attempts to connect to the matching network with the strongest signal, an attacker
who creates a fake wireless network with a high-power antenna can cause the computer to associate
with his access point.

Answer: D is incorrect. WZC does not interfere in the configuration of encryption and MAC filtering.

Answer: B is incorrect. In a ping flood attack, an attacker sends a large number of ICMP echo
request packets to the target computer, for example with ping -f target_IP_address. When the
target receives these packets in large quantities it becomes unresponsive. This is a generic
denial-of-service attack and has nothing to do with whether WZC is used.

QUESTION NO: 340

Which of the following statements about Secure Sockets Layer (SSL) are true? (Choose two.)

A.
It provides connectivity between Web browser and Web server.

B.
It provides mail transfer service.

C.
It provides communication privacy, authentication, and message integrity.

D.
It uses a combination of public key and symmetric encryption for security of data.

Answer: C,D
Explanation:

Secure Sockets Layer (SSL) is a protocol used to transmit private data via the Internet. SSL uses
a combination of public key and symmetric encryption to provide communication privacy,
authentication, and message integrity: public-key operations authenticate the server (and
optionally the client) and establish a session key, and symmetric encryption protects the bulk of
the data. Using the SSL protocol, clients and servers can communicate in a way that prevents
eavesdropping and tampering. Many Web sites use SSL to collect confidential user information, such
as credit card numbers. By convention, URLs that require an SSL connection start with https:
instead of http:, for example "https://www.mycompany.com"; this instructs the Web browser to
connect to TCP port 443, the default port for HTTPS, instead of port 80.

QUESTION NO: 341

You work as a Network Administrator for InfraTech Inc. You have been assigned the task of
designing the firewall policy for the company.

Which of the following statements can be considered acceptable in the 'contracted worker
statement' portion of the firewall policy?

A.
No contractors shall have access to the authorized resources.

B.
No contractors shall be permitted to scan the network.

C.
No contractors shall have access to the unauthorized resources.

D.
No contractors can access FTP unless specifically granted permissions to use it.

Answer: B,C,D
Explanation:

There are different portions that can be included in the firewall policy. These portions include the
acceptable use statement, the network connection statement, the contracted worker statement,
and the firewall administrator statement. The contracted worker statement portion of the policy is
related to contracted or temporary workers. It states the rights and permissions for these
workers. Some of the items that can be included in this portion are as follows:

Answer: A is incorrect. Only authorized resources should be accessed by the contractors.

QUESTION NO: 342

You work as a Network Administrator for XYZ CORP. The company has a TCP/IP-based network
environment. The network contains Cisco switches and a Cisco router. A user is unable to access
the Internet from Host B. You also verify that Host B is not able to connect to other resources on
the network. The IP configuration of Host B is shown below:

Which of the following is the most likely cause of the issue?

A.
An incorrect subnet mask is configured on Host B.

B.
The IP address of Host B is not from the correct IP address range of the network.

C.
There is an IP address conflict on the network.

D.
An incorrect default gateway is configured on Host B.

Answer: A
Explanation:

According to the network diagram, the IP address range used on the network is from the class C
private address range. The class C IP address uses the following default subnet mask:
255.255.255.0.

The question specifies that the subnet mask used in Host B is 255.255.0.0, which is an incorrect
subnet mask.

QUESTION NO: 343

ACID (atomicity, consistency, isolation, and durability) is an acronym and mnemonic device for
learning and remembering the four primary attributes ensured to any transaction by a transaction
manager.

Which of the following attributes of ACID confirms that the committed data will be saved by the
system such that, even in the event of a failure or system restart, the data will be available in its
correct state?

A.
Durability

B.
Atomicity

C.
Isolation

D.
Consistency

Answer: A
Explanation:

Durability is the attribute of ACID which confirms that the committed data will be saved by the
system such that, even in the event of a failure or system restart, the data will be available in its
correct state.

Answer: B is incorrect. Atomicity is the attribute of ACID which confirms that, in a transaction
involving two or more discrete pieces of information, either all of the pieces are committed or none
are.

Answer: D is incorrect. Consistency is the attribute of ACID which confirms that a transaction
either creates a new and valid state of data, or, if any failure occurs, returns all data to its state
before the transaction was started.

Answer: C is incorrect. Isolation is the attribute of ACID which confirms that a transaction in
process and not yet committed must remain isolated from any other transaction.

QUESTION NO: 344

Which TCP and UDP ports can be used to start a NULL session attack in NT and 2000 operating
systems?

A.
149 and 133

B.
203 and 333

C.
139 and 445

D.
198 and 173

Answer: C
Explanation:

A null session is an anonymous connection to a freely accessible network share called IPC$ (the
inter-process communication share) on Windows-based servers. It allows immediate read and write
access with Windows NT/2000 and read access with Windows XP and 2003, which is enough to enumerate
users, groups, and shares. The command entered at the command prompt is as follows:

net use \\IP_address_or_host_name\ipc$ "" /user:""

Null sessions ride on SMB, which is reachable over port 139 (NetBIOS session service) and port 445
(SMB directly over TCP). Both are TCP in practice; 445 is also registered for UDP, which is how the
question phrases it.

QUESTION NO: 345

Which of the following is a method of the HttpSession interface and is used to retrieve the time
when the session was created?

A.
getCreationTime()

B.
getSessionCreationTime()

C.
getSessionTime()

D.
getTime()

Answer: A
Explanation:

The getCreationTime() method returns the time when the session was created. The time is
measured in milliseconds since midnight January 1, 1970. This method throws an
IllegalStateException if it is called on an invalidated session.

QUESTION NO: 346

You work as an IT Technician for XYZ CORP. You have to take security measures for the wireless
network of the company. You want to prevent other computers from accessing the company's
wireless network.

On the basis of the hardware address, which of the following will you use as the best possible
method to accomplish the task?

A.
RAS

B.
MAC Filtering

C.
SSID

D.
WEP

Answer: B
Explanation:

MAC filtering is an access control technique that allows specific network devices, identified by
their hardware (MAC) address, to access the network, or prevents them from doing so. On a wireless
network it can be used to keep unknown devices from associating. MAC addresses are allocated to
hardware devices, not to persons. Caveat: a MAC address is sent in the clear in every frame and is
trivial to spoof, so MAC filtering is a weak control on its own and should be combined with strong
encryption and authentication.

QUESTION NO: 347

Which of the following tools monitors the radio spectrum for the presence of unauthorized, rogue
access points and the use of wireless attack tools?

A.
Snort

B.
IDS

C.
Firewall

D.
WIPS

Answer: D
Explanation:

Wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of
unauthorized, rogue access points and the use of wireless attack tools. The system monitors the
radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever
a rogue access point is detected. Conventionally it is achieved by comparing the MAC address of
the participating wireless devices. Rogue devices can spoof MAC address of an authorized
network device as their own. WIPS uses fingerprinting approach to weed out devices with spoofed
MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by
each wireless device against the known signatures of pre-authorized, known wireless devices.

Answer B is incorrect. An Intrusion detection system (IDS) is used to detect unauthorized attempts
to access and manipulate computer systems locally or through the Internet or an intranet. It can
detect several types of attacks and malicious behaviors that can compromise the security of a
network and computers. This includes network attacks against vulnerable services, unauthorized
logins and access to sensitive data, and malware (e.g. viruses, worms, etc.). An IDS also detects
attacks that originate from within a system. In most cases, an IDS has three main components:

Sensors generate security events. A console is used to alert and control sensors and to monitor
events. An engine is used to record events and to generate security alerts based on received
security events. In many IDS implementations, these three components are combined into a single
device.

Basically, following two types of IDS are used:

Answer: A is incorrect. Snort is an open source network intrusion prevention and detection system
that operates as a network sniffer. It logs activities of the network that is matched with the
predefined signatures. Signatures can be designed for a wide range of traffic, including Internet
Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet
Control Message Protocol (ICMP). The three main modes in which Snort can be configured are as
follows:

Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the
console.

Packet logger mode: It logs the packets to the disk.

Network intrusion detection mode: It is the most complex and configurable configuration, allowing
Snort to analyze network traffic for matches against a user-defined rule set.

Answer: C is incorrect. A firewall is a tool to provide security to a network. It is used to protect
an internal network or intranet against unauthorized access from the Internet or other outside
networks. It restricts inbound and outbound access and can analyze all traffic between an internal
network and the Internet. Users can configure a firewall to pass or block packets from specific IP
addresses and ports. It does not, however, monitor the radio spectrum for rogue access points.

QUESTION NO: 348

You work as a Network Administrator for ABC Inc. The company needs a secured wireless
network. To provide network security to the company, you are required to configure a device that
provides the best network perimeter security.

Which of the following devices would you use to accomplish the task?

A.
Proxy server

B.
IDS

C.
Packet filtering firewall

D.
honeypot

Answer: C
Explanation:

Packet filtering firewalls work on the first three layers of the OSI reference model, which means all
the work is done between the network and physical layers. When a packet originates from the
sender and filters through a firewall, the device checks for matches to any of the packet filtering
rules that are configured in the firewall and drops or rejects the packet accordingly. In a software
firewall, packet filtering is done by a program called a packet filter. The packet filter examines the
header of each packet based on a specific set of rules, and on that basis, decides to prevent it
from passing (called DROP) or allow it to pass (called ACCEPT). A packet filter passes or blocks
packets at a network interface based on source and destination addresses, ports, or protocols.
The process is used in conjunction with packet mangling and Network Address Translation (NAT).
Packet filtering is often part of a firewall program for protecting a local network from unwanted
intrusion. This type of firewall can be best used for network perimeter security.
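The first-match, deny-by-default evaluation described above, as an added example (this is illustrative code written for this page, not any firewall product's rule syntax): an ordered rule list is matched against the packet header fields a stateless filter can see (source, destination, protocol, destination port), and the first matching rule decides. The network 192.168.1.0/24, the web server 192.168.1.10, the rule set `PERIMETER_RULES`, and the `Packet`/`Rule` types are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter inspects (layers 3 and 4 only)."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules, pkt: Packet, default: str = "DROP") -> str:
    """Walk the ordered rule list and apply the first rule whose header fields
    match; fall through to the default policy (deny by default) otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def explain(rules, pkt: Packet, default: str = "DROP") -> str:
    """Same walk, but say which rule fired; useful when auditing a rule base."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return f"rule {index}: {rule.action} ({rule.comment})"
    return f"default: {default}"


# Constructed inbound policy for the Internet-facing interface of a 192.168.1.0/24
# LAN whose only published service is a web server on 192.168.1.10. Order matters:
# the anti-spoofing drop must come before the accepts.
PERIMETER_RULES = [
    Rule("DROP", src="192.168.1.0/24", comment="anti-spoofing: internal source from outside"),
    Rule("ACCEPT", dst="192.168.1.10/32", proto="tcp", dport=443, comment="public HTTPS"),
    Rule("ACCEPT", dst="192.168.1.10/32", proto="tcp", dport=80, comment="public HTTP"),
    Rule("DROP", proto="icmp", comment="no inbound ICMP"),
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.9", "192.168.1.10", "tcp", 443),
                Packet("203.0.113.9", "192.168.1.10", "tcp", 22),
                Packet("192.168.1.77", "192.168.1.10", "tcp", 443),
                Packet("203.0.113.9", "192.168.1.20", "tcp", 443)):
        print(pkt, "->", explain(PERIMETER_RULES, pkt))
```

Because the filter only sees headers, it cannot tell a legitimate reply from a crafted packet with the right port numbers; that is the gap a stateful firewall closes by tracking connections, and it is why the IDS and proxy in the other options complement rather than replace perimeter filtering.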

Answer: B is incorrect. An intrusion detection system (IDS) is software and/or hardware designed
to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems,
mainly through a network such as the Internet. These attempts may take the form of attacks by, for
example, crackers, malware, and/or disgruntled employees. An IDS cannot directly detect attacks
within properly encrypted traffic. An intrusion detection system is used to detect several types of
malicious behavior that can compromise the security and trust of a computer system. This includes
network attacks against vulnerable services, data-driven attacks on applications, host-based attacks
such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses,
Trojan horses, and worms).

Answer: A is incorrect. A proxy server exists between a client's Web-browsing program and a real
Internet server. The purpose of the proxy server is to enhance the performance of user requests
and to filter requests. A proxy server has a database called a cache where the most frequently
accessed Web pages are stored. The next time such pages are requested, the proxy server is
able to satisfy the request locally, thereby greatly reducing the access time. Only when a proxy
server is unable to fulfill a request locally does it forward the request to a real Internet server. The
proxy server can also be used for filtering user requests. This may be done in order to prevent the
users from visiting non-genuine sites.

Answer: D is incorrect. A honeypot is a term in computer terminology used for a trap that is set to
detect, deflect, or in some manner counteract attempts at unauthorized use of information
systems. Generally it consists of a computer, data, or a network site that appears to be part of a
network, but is actually isolated, and monitored, and which seems to contain information or a
resource of value to attackers.

QUESTION NO: 349

Which of the following tools can be used to perform ICMP tunneling? (Choose two.)

A.
Itunnel

B.
Ptunnel

C.
WinTunnel

D.
Ethereal

Answer: A,B
Explanation:

Ptunnel and Itunnel are tools that are used to perform ICMP tunneling. In ICMP tunneling, an
attacker establishes a covert connection between two remote computers (a client and a proxy)
using ICMP echo request and echo reply packets. ICMP tunneling works by injecting arbitrary data
into an echo packet sent to a remote computer. The remote computer replies in the same manner,
injecting an answer into another ICMP packet and sending it back. The client performs all
communication using ICMP echo request packets, while the proxy uses echo reply packets.
Normally, ICMP tunneling involves sending what appear to be ordinary ICMP messages that are
really the Trojan's communications.

Answer: C is incorrect. WinTunnel is used to perform TCP tunneling.

Answer: D is incorrect. Ethereal is a network sniffer.

QUESTION NO: 350

You work as the Network Administrator of a Windows 2000 Active Directory network. Your
company's offices are at Dallas and New York. Your company wants to configure a secure, direct
Internet link. The company's management wants to accomplish the following tasks:

Keep the offices' internal resources secure from outsiders.

Keep communication secure between the two offices.

You install a firewall in each office.

Which of the tasks does this action accomplish?

A.
The action taken will fulfill the secure communication concern.

B.
The action taken will accomplish neither of the goals.

C.
The action taken will fulfill the internal resource security concern.

D.
The action taken will accomplish both the goals.

Answer: C
Explanation:

The action taken will fulfill the internal resource security concern. It has nothing to do with the
secured communication. A firewall is used to protect the network from external attacks by hackers.
A firewall prevents direct communication between computers in the network and external
computers through the Internet. Instead, all communication is done through a proxy server,
outside the organization's network, which decides whether or not it is safe to let a file pass
through. To achieve the secured communication goal, you will have to configure a virtual private
network (VPN) between the two offices.

QUESTION NO: 351

Sam works as a Network Administrator for XYZ CORP. The computers in the company run
Windows Vista operating system, and they are continuously connected to the Internet. This makes
the network of the company susceptible to attacks from unauthorized users.

Which of the following will Sam choose to protect the network of the company from such attacks?

A.
Firewall

B.
Windows Defender

C.
Software Explorer

D.
Quarantined items

Answer: A
Explanation:

A firewall is a set of related programs configured to protect private networks connected to the
Internet from intrusion. It is used to regulate the network traffic between different computer
networks. It permits or denies the transmission of a network packet to its destination based on a
set of rules. A firewall is often installed on a separate computer so that an incoming packet does
not get into the network directly.

Answer: B is incorrect. Windows Defender is a software product designed by Microsoft to provide
continuous security against malware. If it detects anything suspicious, an alert will appear on the
screen. Windows Defender can also be used to scan a computer for suspicious software. It can
remove or quarantine any malware or spyware it finds.

Answer: C is incorrect. Software Explorer is a tool of Windows Defender. It is used to remove,
enable, or disable the programs running on a computer.

Answer: D is incorrect. Quarantined items is a tool of Windows Defender. It is used to remove or
restore a program blocked by Windows Defender.

QUESTION NO: 352

John works as a professional Ethical Hacker. He has been assigned the project of testing the
security of www.we-are-secure.com. He begins to perform a pre-attack test before conducting an
attack on the We-are-secure server.

Which of the following will John perform in the pre-attack phase?

A.
Determining network range

B.
Identifying active machines

C.
Enumeration

D.
Finding open ports and applications

E.
Information gathering

Answer: A,B,D,E
Explanation:

In the pre-attack phase, there are seven steps, which have been defined by the EC-Council, as
follows:

1. Information gathering

2. Determining network range

3. Identifying active machines

4. Finding open ports and applications

5. OS fingerprinting

6. Fingerprinting services

7. Mapping the network

Answer: C is incorrect. In the enumeration phase, the attacker gathers information such as the
network user and group names, routing tables, and Simple Network Management Protocol
(SNMP) data.

The techniques used in this phase are as follows:

1. Obtaining Active Directory information and identifying vulnerable user accounts

2. Discovering NetBIOS names


3. Employing Windows DNS queries

4. Establishing NULL sessions and queries

QUESTION NO: 353

An attacker wants to connect directly to an unsecured station to circumvent the AP security or to
attack the station.

Which of the following tools can be used to accomplish the task?

A.
Wireless card

B.
MacChanger

C.
SirMACsAlot

D.
USB adapter

Answer: A,D
Explanation:

Ad Hoc Association is a type of attack in which an attacker tries to connect directly to an
unsecured station to circumvent the AP security or to attack the station. Any wireless card or USB
adapter can be used to perform this attack.

QUESTION NO: 354

Which of the following commands can be used to format text files?

A.
wc

B.
ps

C.
tail

D.
pr

Answer: D
Explanation:

The pr command is used to format text files according to the specified options. This command is
usually used to paginate or columnate files for printing.

Answer: B is incorrect. The ps command reports the status of processes that are currently running
on a Linux computer.

Answer: A is incorrect. The wc command is used to count the number of bytes, words, and lines in
a given file or in the list of files.

Answer: C is incorrect. The tail command is used to display the last few lines of a text file or piped
data.

QUESTION NO: 355

Which of the following NFS mount options specifies whether a program using a file via an NFS
connection should stop and wait for the server to come back online, if the host serving the
exported file system is unavailable, or if it should report an error?

A.
intr

B.
hard or soft

C.
nfsvers=2 or nfsvers=3

D.
fsid=num

Answer: B
Explanation:

The hard or soft NFS mount options are used to specify whether a program using a file via an NFS
connection should stop and wait (hard) for the server to come back online, if the host serving the
exported file system is unavailable, or if it should report an error (soft).

Answer: A is incorrect. The intr NFS mount option allows NFS requests to be interrupted if the
server goes down or cannot be reached.

Answer: C is incorrect. The nfsvers=2 or nfsvers=3 NFS mount options are used to specify which
version of the NFS protocol to use.

Answer: D is incorrect. The fsid=num NFS mount option forces the file handle and file attributes
settings on the wire to be num.

QUESTION NO: 356

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based
network. John is working as a root user on the Linux operating system. He wants to break a
data.txt file, 200MB in size, into two files in which the size of the first file named data.txt.aa should
be 150MB and that of the second file named data.txt.ab should be 50MB. To accomplish his task
and to further delete the data.txt file, he enters the following command:

split --verbose -b 150m data.txt data.txt. ; rm -vf data.txt

Which of the following commands can John use to join the split files into a new data.txt file?

A.
vi data.txt.* > data.txt

B.
less data.txt.* > data.txt

C.
vi data.txt.*

D.
cat data.txt.* > data.txt

Answer: D
Explanation:

The cat data.txt.* command will output both split files in order, and the > operator will redirect the
output into a new data.txt file.
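As an added example (not part of the question bank), the following POSIX shell function reproduces the split/cat round trip from the question on a constructed 2 MiB file and verifies the rejoined copy with cksum before the original is removed, which the question's one-liner does not do; the function name and the scaled-down sizes are my own choices.

```shell
#!/bin/sh
# Added example, not from the question bank: split a file with split(1) the way
# the question does, rejoin the pieces with cat(1), and verify the rejoined
# copy before deleting the original (the question's "; rm -vf data.txt" deletes
# unconditionally). Sizes are scaled down: a constructed 2 MiB input and 1 MiB
# chunks, so the pieces are still named data.txt.aa and data.txt.ab.
# Prints the number of pieces produced and returns 0 only if the rejoined file
# is byte-for-byte identical to the original.

split_and_rejoin() {
    workdir=$(mktemp -d) || return 1
    # Constructed input: 2 MiB of pseudo-random bytes (random so that a wrong
    # piece order would be caught by the checksum comparison).
    head -c 2097152 /dev/urandom > "$workdir/data.txt" || return 1
    orig_sum=$(cksum < "$workdir/data.txt")

    # Same invocation shape as the question: byte-size chunks with the prefix
    # "data.txt.", so split appends the suffixes aa, ab, ... in order.
    ( cd "$workdir" && split -b 1m data.txt data.txt. ) || return 1

    # cat relies on the shell expanding data.txt.* in sorted order, which is
    # the order split wrote the pieces. Any stale data.txt.* left in the
    # directory from an earlier run would be concatenated too, which is why
    # the result is verified below rather than trusted.
    cat "$workdir"/data.txt.* > "$workdir/joined.txt"

    joined_sum=$(cksum < "$workdir/joined.txt")
    npieces=$(ls "$workdir"/data.txt.* | wc -l | tr -d ' ')

    if [ "$orig_sum" = "$joined_sum" ]; then
        # Only now is it safe to remove the original, as the question's rm does.
        rm -f "$workdir/data.txt"
        rm -rf "$workdir"
        echo "$npieces"
        return 0
    fi
    rm -rf "$workdir"
    return 1
}
```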

QUESTION NO: 357

In which of the following attack methods does an attacker distribute incorrect IP addresses?

A.
DNS poisoning

B.
IP spoofing

C.
MAC flooding

D.
Man-in-the-middle

Answer: A
Explanation:

In a DNS poisoning attack, an attacker distributes incorrect IP addresses. DNS cache poisoning is a
maliciously created or unintended situation that provides data to a caching name server that did
not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has
received such non-authentic data and caches it to improve future performance, it is considered
poisoned, supplying the non-authentic data to the clients of the server. To perform a cache
poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly
validate DNS responses to ensure that they are from an authoritative source, the server will end
up caching the incorrect entries locally and serve them to other users that make the same request.

Answer: B is incorrect. IP (Internet Protocol) address spoofing is an attack in which an attacker
creates IP packets with a forged (spoofed) source IP address with the purpose of concealing
the identity of the sender or impersonating another computing system. The basic protocol for
sending data over the Internet and many other computer networks is the Internet Protocol ("IP").
The header of each IP packet contains, among other things, the numerical source and destination
address of the packet. The source address is normally the address that the packet was sent from.
By forging the header so it contains a different address, an attacker can make it appear that the
packet was sent by a different machine. The machine that receives spoofed packets will send its
response back to the forged source address, which means that this technique is mainly used when
the attacker does not care about the response or the attacker has some way of guessing the
response.

Answer: D is incorrect. Man-in-the-middle attacks occur when an attacker successfully inserts an
intermediary software or program between two communicating hosts. The intermediary software or
program allows attackers to listen to and modify the communication packets passing between the
two hosts. The software intercepts the communication packets and then sends the information to
the receiving host. The receiving host responds to the software, presuming it to be the legitimate
client.

Answer: C is incorrect. MAC flooding is a technique employed to compromise the security of
network switches. In a typical MAC flooding attack, a switch is flooded with packets, each
containing a different source MAC address. The intention is to consume the limited memory set
aside in the switch to store the MAC address-to-physical port translation table. The result of this
attack is that the switch enters a state called fail-open mode, in which all incoming packets are
broadcast out on all ports (as with a hub), instead of just down the correct port as in normal
operation. A malicious user could then use a packet sniffer (such as Wireshark) running in
promiscuous mode to capture sensitive data from other computers (such as unencrypted
passwords, e-mail, and instant messaging conversations), which would not be accessible were the
switch operating normally.

QUESTION NO: 358

Which of the following types of evidence is a collection of facts that, when considered together, can
be used to infer a conclusion about the malicious activity/person?

A.
Incontrovertible

B.
Corroborating

C.
Direct

D.
Circumstantial

Answer: D
Explanation:

Circumstantial evidence is a collection of facts that, when considered together, can be used to
infer a conclusion about the malicious activity/person.

Answer: B is incorrect. Corroborating evidence is evidence that tends to support a proposition that
is already supported by some evidence.

Answer: A is incorrect. Incontrovertible evidence is a colloquial term for evidence introduced to
prove a fact that is supposed to be so conclusive that there can be no other truth as to the matter;
evidence so strong, it overpowers contrary evidence, directing a fact-finder to a specific and
certain conclusion.

Answer: C is incorrect. Direct evidence is testimony or other proof that expressly or
straightforwardly proves the existence of a fact.

QUESTION NO: 359

Web applications are accessed by communicating over TCP ports via an IP address. Choose the
two most common Web Application TCP ports and their respective protocol names. (Choose two.)

A.
TCP Port 443 / S-HTTP or SSL

B.
TCP Port 80 / HTTPS or SSL

C.
TCP Port 443 / HTTPS or SSL

D.
TCP Port 80 / HTTP

Answer: C,D
Explanation:

The two most common Web Application TCP ports are Port 443 and Port 80. HTTPS or SSL uses
TCP port 443, whereas HTTP uses TCP Port 80.

Answer: B is incorrect. Port 80 is used for HTTP, not HTTPS.

Answer: A is incorrect. S-HTTP is not the protocol name for Port 443. HTTPS or SSL is the name
used for Port 443 traffic.

QUESTION NO: 360

You work as a programmer for uCertify.Inc. You have a session object named session1 with an
attribute named Attribute1, and an HttpSessionBindingEvent object binding1 bound to session1.

Which of the following will be used to retrieve Attribute1?

A.
Object obj=binding1.getSession().getAttribute("Attribute1");

B.
Object obj=binding1.getAttribute("Attribute1");

C.
Long MyAttribute=session1.getAttribute("Attribute1");

D.
Object obj=session1.getAttribute("Attribute1");

E.
String str1=session1.getAttribute("Attribute1");

Answer: A,D
Explanation:

The following two code statements are used to retrieve Attribute1:

1. Object obj=session1.getAttribute("Attribute1"); The getAttribute() method is used to retrieve the
bound object with the specified name in this session, or null if no object is bound under the name.

2. Object obj=binding1.getSession().getAttribute("Attribute1"); The getSession() method gets the
current valid session associated with this request.

Answer: B is incorrect. The HttpSessionBindingEvent object cannot use the getAttribute() method.

QUESTION NO: 361

The following output is generated by running the show ip route command:

RouterA#show ip route
< - - Output Omitted for brevity - ->

Which next hop address will RouterA use in forwarding traffic to 10.10.100.0/24?

A.
192.168.10.0

B.
172.18.60.1

C.
172.18.50.1

D.
172.18.1.1

Answer: D
Explanation:

The routing table displays various RIP and connected routes. There is no routing entry for
10.10.100.0/24, but there is a default route in the routing table using 172.18.1.1 as the next-hop
router. Given that 10.10.100.0/24 does not have a direct entry in the routing table, RouterA will
forward traffic to the default route's next-hop address of 172.18.1.1.

Answer: A is incorrect. The address does not appear in the routing table as a next hop router, in
addition to being an actual subnet number for 192.168.10.0/24.

Answer: C is incorrect. 172.18.50.1 is the next hop for reaching 192.168.11.0.

Answer: B is incorrect. 172.18.60.1 is the next hop for reaching 192.168.12.0.

QUESTION NO: 362

A Cisco router can have multiple connections to networks. These connections are known as
interfaces for Cisco Routers. For naming each interface, Cisco generally uses the type of interface
as part of the name.

Which of the following are true about the naming conventions of Cisco Router interfaces?

A.
An interface connected to a serial connection always starts with an S.

B.
An interface connected to a Token Ring segment always starts with To.

C.
An Ethernet interface that is fast always starts with an F.

D.
An interface connected to an Ethernet segment of the network always starts with an En.

Answer: A,B,C
Explanation:

A Cisco router can have multiple connections to networks. These connections are known as
interfaces for Cisco Routers. For naming each interface, Cisco generally uses the type of interface
as part of the name.

Following are some of the naming conventions of Cisco Router interfaces:

QUESTION NO: 363

You work as a Software Developer for UcTech Inc. You want to create a new session.
Which of the following methods can you use to accomplish the task?

A.
getNewSession(true)

B.
getSession(false)

C.
getSession()

D.
getSession(true)

E.
getNewSession()

Answer: C,D
Explanation:

The getSession() method of the HttpServletRequest interface returns the current session
associated with the request, or creates a new session if no session exists. The method has two
syntaxes as follows:

Answer: B is incorrect. The getSession(false) method returns a pre-existing session. It returns null
if the client has no session associated with it.

QUESTION NO: 364

Which of the following services are provided by the proxy servers?

A.
Intrusion detection

B.
Logging

C.
Hiding network resources

D.
Caching

Answer: B,C,D
Explanation:

A proxy server is a very important element for firewall applications. The services that it provides
are as follows:

Hide network resources: A proxy replaces the internal network addresses with a single IP address.
Multiple systems can use a single IP address.

Logging: A proxy server can log incoming and outgoing access, allowing a user to see every
possible detail of successful and failed connections.

Cache: A proxy server can save information obtained from the Internet. It regularly updates these
copies and automatically serves these pages, and will thus not need to access the Internet to view
them.

QUESTION NO: 365

Which of the following tools can be used by a user to hide his identity?

A.
War dialer

B.
IPchains

C.
Proxy server

D.
Rootkit

E.
Anonymizer

Answer: B,C,E
Explanation:

A user can hide his identity using any firewall (such as IPChains), a proxy server, or an
anonymizer.

QUESTION NO: 366

You work as the Network Administrator for XYZ CORP. The company has a Unix-based network.
You want to identify the secure terminals from where the root can be allowed to log in.

Which of the following Unix configuration files can you use to accomplish the task?

A.
/etc/services

B.
/etc/ioports

C.
/proc/interrupts

D.
/etc/securetty

Answer: D
Explanation:

In Unix, the /etc/securetty file is used to identify the secure terminals from where the root can be
allowed to log in.

Answer: B is incorrect. In Unix, the /etc/ioports file shows which I/O ports are in use at the moment.

Answer: A is incorrect. In Unix, the /etc/services file is the configuration file that lists the network
services that the system supports.

Answer: C is incorrect. In Unix, the /proc/interrupts file shows the interrupts in use and how many
of each there have been.

QUESTION NO: 367

You are the Security Consultant and you frequently do vulnerability assessments on client
computers. You want to have a standardized approach that would be applicable to all of your
clients when doing a vulnerability assessment.

What is the best way to do this?

A.
Utilize OVAL.

B.
Create your own standard and use it with all clients.

C.
Utilize each client's security policies when doing a vulnerability assessment for that client.

D.
Utilize the Microsoft security recommendations.

Answer: A
Explanation:

Open Vulnerability Assessment Language (OVAL) is a common language for security
professionals to use when checking for the presence of vulnerabilities on computer systems.
OVAL provides a baseline method for performing vulnerability assessments on local computer
systems.

Answer: D is incorrect. While Microsoft security standards will be appropriate for many of your
clients, they won't help clients using Linux, Macintosh, or Unix. They also won't give you insight
into checking your firewalls or routers.

Answer: C is incorrect. This would not fulfill the requirement of having a standardized approach
applicable to all clients.

Answer: B is incorrect. This would not be the best way. You should use common industry
standards, like OVAL.

QUESTION NO: 368 DRAG DROP

You work as a Security Administrator in Tech Perfect Inc. The company has a TCP/IP-based
network. Three Cisco IOS routers (router1, router2, and router3) are currently working in the
network. You want to accomplish the following tasks:

Configure router1 to act as an SSH server.

Configure domain name 'network.com'.

Generate a general-purpose RSA key pair and specify the IP key size of 1024.

Configure SSH time-out of 30 seconds and SSH authentication retries value 4.

Drag and drop the appropriate commands beside their respective command prompts in order to
accomplish the tasks.

Answer:

Explanation:

In order to accomplish the given tasks, you will have to use the following commands:

router1(config)#ip domain-name network.com

router1(config)#crypto key zeroize rsa

router1(config)#crypto key generate rsa general-keys modulus 1024

router1(config)#ip ssh time-out 30

router1(config)#ip ssh authentication-retries 4

router1(config)#line vty 0 4

router1(config-line)#transport input ssh

QUESTION NO: 369 HOTSPOT

In the image of the Screened Host Firewall Architecture given below, select the element that is
commonly known as the access router.

Answer:

Explanation:

An access router is the common name of the exterior router present in the screened host firewall
architecture. It is attached to the perimeter network and the Internet. An access router is used to
protect both the perimeter network and the internal network from the Internet. It allows anything
that is outbound from the perimeter network. Access routers seldom do packet filtering. The rules
for packet filtering regarding the protection of internal machines are always the same on both the
interior router and the exterior router.

A Screened Host Firewall Architecture is used to provide services from a host that is attached only
to the internal network by using a separate router. In this type of firewall architecture, the key
security is provided by packet filtering.

The host exists in the internal network. The packet filtering on the screening router is configured in
such a way that the bastion host is the only system in the internal network that is open to the
Internet connections. If any external system tries to access internal systems or services, then it will
connect only to this host. The bastion host therefore needs to be at a high level of security.

QUESTION NO: 370 HOTSPOT

You work as a Network Administrator of a Windows 2000 Active Directory-based single domain
network. You have configured your Windows XP Professional computer at home to have a static
IP address assigned by your Internet service provider (ISP). It is always connected to the Internet
through a modem. You have enabled the Internet Connection Firewall for the Internet connection.
You use the PING command to check the connectivity of your home computer from office, but you
receive the following error message:

Request timed out.

On examining the log file of the Internet Connection Firewall on your home computer, you find
DROP ICMP messages. You want to ping your home computer without compromising on security.

Select the option in the Internet Connection Firewall Advanced Settings dialog box, which will be
required to be checked to accomplish the task.

Answer:

Explanation:

The Internet Connection Firewall setting on your home computer is preventing PING from echoing
messages. Selecting the Allow incoming echo request check box on the ICMP tab of the Internet
Connection Firewall Advanced Settings dialog box will enable your computer to echo messages
back to the sender.

QUESTION NO: 371 DRAG DROP

In Unix, there are different commands used for editing and viewing files. Drag and drop the
appropriate commands (available in Unix) in front of their respective functions that they perform.

Answer:

Explanation:

Following are the basic file editing and viewing commands in Unix:

QUESTION NO: 372 DRAG DROP

You work as a Network Administrator for Hail International. The company has a Windows Server
2008 network environment. The network is configured as a Windows Active Directory-based single
forest single domain network. The company's headquarters is located at Los Angeles. The
company has branch offices in San Jose, Oakland, and San Francisco. All branch offices are
connected to the headquarters by using T1 leased lines. The fragment of the company's network
is shown below:

The routers are used to connect to the T1 lines to configure the private network. Each router at
each location is a server that is running Microsoft Windows Server 2008. The management of the
company wants to secure the WAN communication between the offices. The solution provided by
you must not be expensive.

Choose and place the correct actions required to configure the necessary components of the
network in order to accomplish the task.

Answer:

Explanation:

In order to accomplish the task, you will have to configure the routers at all locations to use IPSec
in tunnel mode. Tunnel mode protects the WAN traffic. If you configure IPSec on the routers, no
security for the WAN communication is required on other servers and workstations.

QUESTION NO: 373 DRAG DROP

Drag and Drop the layers of TCP/IP model according to their level of data encapsulation.

Answer:

Explanation:

In the above diagram, the raw data is available in the Application layer of the TCP/IP model. The
data coded according to the Application layer protocols is encapsulated into one or more Transport
layer protocols, which are finally used by the lower-layer protocols to effect the actual data transfer.

In the Transport layer, the data is combined with the UDP header. The responsibilities of the
Transport layer include end-to-end message transfer capabilities independent of the underlying
network, along with error control, segmentation, flow control, congestion control, and application
addressing (port numbers).

In the Internet layer, the data and UDP header are combined to form the IP payload, which is
routed by the IP header across the Internet to its exact destination.

In the Link layer, the IP data and IP header combine to form the final frame data, which is
accompanied by the frame header and frame footer. The Link layer is used to move packets
between the Internet layer interfaces of two different hosts on the same link. The main function of
the Link layer is to add a frame header to prepare the packet for transmission and then actually
transmit the frame over a physical medium.

QUESTION NO: 374 DRAG DROP

Drag and drop the corresponding prompt that is displayed in the command-line interface of a
Cisco switch IOS for different access modes.

Answer:

Explanation:

There are four major CLI access modes:

User: When a user accesses the command-line interface (CLI) of a Cisco switch IOS, the IOS puts
the user in user mode. The user mode allows the user to look around; it does not permit the user
to change or break any configuration. When the user enters a command, the switch executes the
command and displays the command result. A Limited set of commands is available for use in the
user mode. User mode is also called user EXEC mode. The prompt in this mode is displayed as
hostname > Enable: Privileged EXEC mode is an area from where more powerful commands can
be run while accessing CLI of a switch IOS. In this mode, more commands are added to the set of
commands available in user mode. Privileged EXEC mode is also known as privileged mode or
enable mode. For reaching privileged EXEC mode, the enable command is required to be run
from user mode. By default, a user cannot get into privileged EXEC mode through SSH and Telnet
sessions. The prompt changes from hostname > to hostname # when a user moves to privileged
EXEC mode from user mode.

Global configuration: Global configuration mode is an access mode of the Cisco command-line
interface (CLI). Configuration commands can be run only in this mode. Commands run in this mode
update the active configuration as soon as the Enter key is pressed at the end of a command. The
config command must be run from enable mode to switch to global configuration mode. The prompt
changes from hostname# to hostname(config)# when the access mode is changed from enable
mode to global configuration mode.
Interface configuration: Interface configuration mode is a subcommand mode of the global
configuration access mode of the Cisco command-line interface (CLI). The interface command is
used to move from global configuration mode to interface configuration mode. The prompt changes
from hostname(config)# to hostname(config-if)# when a user moves from global configuration mode
to interface configuration mode. After entering interface configuration mode, the commands
executed affect only the interface that the user has selected. For example, the interface
FastEthernet 0/1 command puts a user in interface configuration mode, and commands executed
afterwards affect only FastEthernet 0/1.

QUESTION NO: 375 DRAG DROP

You work as a Software Developer for UcTech Inc. You create a session object and want it to be
destroyed if it is not used for 20 minutes.

Drag and drop the appropriate statements that you will use to accomplish the task.

Answer:

Explanation:

Session timeout is an event that occurs when a session is invalidated if a user does not use the
session for a specified period of time. Session timeout can be set in the following two ways:

1. Setting the timeout in the deployment descriptor: This is done by specifying the timeout, in
minutes, between the <session-timeout> tags inside the <session-config> element as follows:

<session-config>

<session-timeout>10</session-timeout>

</session-config>

This sets the session timeout to ten minutes.

2. Setting the timeout programmatically: This sets the timeout for a specific session. The syntax
for setting the timeout programmatically is as follows:

session.setMaxInactiveInterval(10*60)

In this method, the timeout is specified in seconds. Hence, 10*60 seconds sets the session timeout
to ten minutes.

QUESTION NO: 376 DRAG DROP

In Unix, 'less' is a program that allows backward as well as forward movement in a file. This
program is invoked with several options to change its behavior. Place the options of the less
program in front of their functions.

Answer:

Explanation:

Less is a program in Unix that allows backward as well as forward movement in the file. The
syntax of the less command is as follows:

less [options] file_name

Following are the options that can be used with the less command:

QUESTION NO: 377 DRAG DROP

John works as a Network Administrator for Blue Well Inc. All client computers in the company run
the Windows Vista operating system. He wants to view the status of Windows Defender. What
steps will he take to accomplish the task?

Answer:

Explanation:

Windows Defender is a software product designed by Microsoft to provide continuous security
against malware. If it detects anything suspicious, an alert will appear on the screen. Windows
Defender can also be used to scan a computer for suspicious software. It can remove or
quarantine any malware or spyware it finds.

Clicking on the Security Center icon will show the status of malware protection, status of firewall,
and other security settings.

Clicking on the Windows Firewall icon will open the Windows Firewall dialog box and allow a user
to configure the Windows Firewall settings.

QUESTION NO: 378 DRAG DROP

You have designed a TCP/IP based routed network. Diagram of the network is given below:

You are configuring IS-IS protocol as an IP routing protocol in the given network. Drag and drop
the appropriate commands beside their respective command prompts which you are using at
router C.

Answer:

Explanation:

The commands that are configured on router C are as follows:

RouterC(config)#router isis

RouterC(config)#net 49.0001.0000.0000.000c.00

RouterC(config)#interface ethernet 1

RouterC(config-if)#ip router isis

RouterC(config-if)#exit

RouterC(config)#interface ethernet 2

RouterC(config-if)#ip router isis

QUESTION NO: 379 DRAG DROP

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Server
2008 network environment. The network is configured as a Windows Active Directory-based single
forest single domain network. The company has recently provided laptops to its sales team
members. You have configured access points in the network to enable a wireless network. The
company's security policy states that all users using laptops must use smart cards for
authentication. Select and place the authentication method you are required to configure to
implement the security policy of the company.

Answer:

Explanation:

In order to ensure that the laptop users use smart cards for authentication, you will have to
configure IEEE 802.1X authentication using the EAP-TLS protocol on the network.

QUESTION NO: 380

You are responsible for security at a company that uses a lot of Web applications. You are most
concerned about flaws in those applications allowing some attacker to get into your network. What
method would be best for finding such flaws?

A.
Manual penetration testing

B.
Automated penetration testing

C.
Vulnerability scanning

D.
Code review

Answer: C
Explanation:

Vulnerability scanning will be the best method to find flaws in applications allowing some attacker
to get into your network. There are a number of tools available that will check Web applications for
security flaws. They examine the application and identify any potential flaws due to improper
coding, such as SQL injection attacks.

Answers B and A are incorrect. Penetration testing is used to test the network defenses. It is an
excellent tool to check your firewall, IDS, policies, default shares, and other facets of your network
infrastructure. However, it is not as useful in finding programming flaws in Web applications.

Answer D is incorrect. A code review might well discover some issues with the Web applications.
But it is long, tedious, and depends on the human reviewer noticing the coding flaws. So it is not
as good a solution as vulnerability scanning.

QUESTION NO: 381 HOTSPOT

You work as a Network Administrator for McRobert Inc. The company has a Windows Active
Directory-based single domain single forest network. The network includes fifty client computers
running different Windows client operating systems.

A member server named MRIFS is configured as a file server on the network.

You are required to implement the following:

The data communication must be encrypted whenever possible.

Each client computer must be able to access the server.

Configure the required options in the dialog box given below in order to accomplish the task.

Answer:

Explanation:

In order to accomplish the task, you will have to select the Allow unsecured communication with
non-IPSec-aware computers check box.

By enabling this option, IPSec will allow unsecured communication, if necessary. Disabling the
option blocks communication with computers that cannot initiate IPSec, such as legacy systems.
This option should be disabled to secure computers connected to the Internet.

QUESTION NO: 382 DRAG DROP

Choose and select the information present in the header of a single IP packet that are helpful in
packet filtering.

Answer:

Explanation:

An IP packet is a formatted unit of data carried by a packet-mode computer network. A packet
consists of two kinds of data: control information and user data (also known as payload). The
control information provides data the network needs to deliver the user data, for example: source
and destination addresses, error detection codes like checksums, and sequencing information.
Typically, control information is found in packet headers and trailers, with user data in between.

IP packets are composed of a header and payload. Every IP packet has a set of headers
containing certain information. The main information is as follows:

The structure of an IP packet is as follows:
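
As an added example that is not part of the exam guide, the Python below decodes the IPv4 header fields a packet filter acts on (source and destination addresses, protocol, fragment fields, TTL), verifies the header checksum the explanation mentions, and applies a constructed first-match rule set. The LAN range, the rules and the sample packets are made up for illustration.

```python
"""Added example (not from the exam guide): decode the IPv4 header fields a
packet filter acts on, verify the RFC 791 header checksum, apply constructed rules."""
import ipaddress
import struct
from typing import NamedTuple, Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")


class IPv4Header(NamedTuple):
    version: int
    ihl: int               # header length in 32-bit words (5 = no options)
    total_length: int
    identification: int
    flags: int             # 3 bits: reserved, DF, MF
    fragment_offset: int
    ttl: int
    protocol: int          # 1 = ICMP, 6 = TCP, 17 = UDP
    checksum: int
    src: str
    dst: str
    checksum_ok: bool


class Rule(NamedTuple):
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: Optional[int]        # None matches any protocol


def ipv4_checksum(header: bytes) -> int:
    """One's-complement of the one's-complement sum of the 16-bit words. Over a
    header whose checksum field is filled in, the result is 0 if it is undamaged."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:             # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte header. Options (IHL > 5) are covered by the
    checksum but not interpreted."""
    if len(packet) < 20:
        raise ValueError("truncated packet: IPv4 header needs 20 bytes")
    (ver_ihl, _tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    return IPv4Header(
        version=version, ihl=ihl, total_length=total_length,
        identification=ident, flags=flags_frag >> 13,
        fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=protocol,
        checksum=checksum, src=str(ipaddress.IPv4Address(src)),
        dst=str(ipaddress.IPv4Address(dst)),
        checksum_ok=ipv4_checksum(packet[:ihl * 4]) == 0,
    )


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int = 0,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Constructed sample header (no options, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, protocol, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed policy for a LAN 192.168.19.0/24 behind a filtering router.
# Rules are checked top to bottom, first match wins, anything else is denied.
RULES = [
    Rule("deny", ipaddress.IPv4Network("10.0.0.0/8"), ANY, None),      # spoofed private source
    Rule("allow", ipaddress.IPv4Network("192.168.19.0/24"), ANY, 6),   # outbound TCP
    Rule("allow", ipaddress.IPv4Network("192.168.19.0/24"), ANY, 17),  # outbound UDP
    Rule("allow", ANY, ipaddress.IPv4Network("192.168.19.0/24"), 1),   # inbound ICMP
]


def filter_packet(hdr: IPv4Header, rules=RULES, default: str = "deny") -> str:
    """Return "allow" or "deny". A header that fails its checksum is dropped
    before any rule is consulted, since none of its fields can be trusted."""
    if not hdr.checksum_ok:
        return "deny"
    src, dst = ipaddress.IPv4Address(hdr.src), ipaddress.IPv4Address(hdr.dst)
    for rule in rules:
        if (src in rule.src and dst in rule.dst
                and (rule.protocol is None or rule.protocol == hdr.protocol)):
            return rule.action
    return default


if __name__ == "__main__":
    for s, d, p in [("192.168.19.10", "203.0.113.5", 6), ("198.51.100.7", "192.168.19.10", 6),
                    ("198.51.100.7", "192.168.19.10", 1), ("10.1.2.3", "192.168.19.10", 17)]:
        h = parse_ipv4_header(build_ipv4_header(s, d, p))
        print(f"{h.src:>15} -> {h.dst:<15} proto {h.protocol:>2}: {filter_packet(h)}")
```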

QUESTION NO: 383 HOTSPOT

George works as an Office Assistant at TechSoft Inc. All client computers in the company run the
Windows Vista operating system. He has turned on the Windows Firewall for security purposes.
He prepares a document and wants to share it with other users of the company. When he tries to
share the document, he gets a message that the firewall has blocked the sharing of files on his
computer. He wants to ensure that the firewall does not block sharing of the document. He opens
the Windows Firewall dialog box.

What actions will he perform in the dialog box to accomplish the task?

Answer:

Explanation:

George will click on the Allow a program through Windows Firewall link to open the Windows
Firewall Settings dialog box. He will then insert a check mark in the File and Printer Sharing
checkbox in the Exceptions tab of the Windows Firewall Settings dialog box.

QUESTION NO: 384 DRAG DROP

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company has recently provided laptops to its sales team members. You have
configured access points in the network to enable a wireless network. The company's security
policy states that all users using laptops must use smart cards for authentication. Select and place
the authentication method you are required to configure to implement the security policy of the
company.

Answer:

Explanation:

In order to ensure that the laptop users use smart cards for authentication, you will have to
configure IEEE 802.1X authentication using the EAP-TLS protocol on the network.

QUESTION NO: 385 HOTSPOT

The network infrastructure of a company consists of a perimeter network. For security purposes,
the network zones have been created and divided into a firewall-based Border network and a
DMZ. The enterprise internal network is attacked by the latest Internet worm.

Which of the following devices in the enterprise network should be upgraded or reconfigured to
counter this type of attack?

Answer:

Explanation:

The firewall in the enterprise network should be reconfigured or upgraded to detect and filter an
Internet worm. A firewall is used to protect the network from external attacks by hackers. A firewall
prevents direct communication between computers in the network and external computers through
the Internet. Instead, all communication is done through a proxy server, outside the organization's
network, which decides whether or not it is safe to let a file pass through.

QUESTION NO: 386 DRAG DROP

Your company has been hired to provide consultancy, development, and integration services for a
company named Soul International. You have prepared a case study to plan the upgrade for the
company.

You are designing policy settings for the Web servers at the headquarters.

Place Allow or Deny in front of the type of traffic received by or sent to the Web servers from the
internal clients and the Internet.

Answer:

Explanation:

Use for transferring HTML pages over the network. Hence, you should allow it for both the Internet
and internal clients traffic.

The Remote Desktop Protocol (RDP) is used to connect to servers remotely. Allowing it for the
Internet traffic is definitely a security threat. Hence, you should deny this for the Internet traffic.
According to the case study, the administrators must use RDP to connect to the servers in the
perimeter network. Hence, you will have to allow it for the internal clients traffic.

QUESTION NO: 387 CORRECT TEXT

Fill in the blank with the appropriate tool name.

__________ is a wireless network cracking tool that exploits the vulnerabilities in the RC4
Algorithm, which comprises the WEP security parameters.

Answer:
WEPcrack

Explanation:

WEPcrack is a wireless network cracking tool that exploits the vulnerabilities in the RC4 algorithm,
which comprises the WEP security parameters. It mainly consists of three tools:

• WeakIVGen: It allows a user to emulate the encryption output of 802.11 networks to weaken the
secret key used to encrypt the network traffic.

• Prism-getIV: It analyzes packets of information until ultimately matching patterns to the one
known to decrypt the secret key.

• WEPcrack: It pulls all beneficial data of WeakIVGen and Prism-getIV to decipher the network
encryption.

QUESTION NO: 388 DRAG DROP

You work as a Network Administrator for SoftWorld Inc. All client computers in the company run
Windows Vista. You want to view the status of Windows Firewall. Choose in the correct order the
steps you will take to accomplish the task.

Answer:

Explanation:

The steps to display the status of Windows Firewall are as follows:

1. Click the Start button, then click Control Panel.

2. In the Control Panel window, click Security.

3. In the Security window, click Windows Firewall.

4. The Windows Firewall dialog box appears, displaying the status of Windows Firewall.

QUESTION NO: 389 CORRECT TEXT

Fill in the blank with the appropriate command.

You want to search the most recent command that starts with the string 'user'. For this, you will
enter the ________ command to get the desired result.

Answer:
history !user

Explanation:

Here, you will use the history !user command to search the most recent command that starts with
the string 'user'. In the bash shell, the history command is used to view the recently executed
commands. History is on by default. A user can turn off history using the command set +o history
and turn it on using set -o history. An environment variable HISTSIZE is used to inform bash about
how many history lines should be kept. The following commands are frequently used to view and
manipulate history:

QUESTION NO: 390 DRAG DROP

Auditing is used to track user account activity such as file and object access, logon attempts,
system shutdown, and many other security-relevant events in order to enhance the security of the
network. It encompasses a wide variety of activities.

Place the different auditing activities in front of their descriptions.

Answer:

Explanation:

Auditing encompasses a wide variety of activities as follows:

Logging: It is the activity of recording information to a log file or database about events or
occurrences.

Log Analysis: It is a systematic form of monitoring where the logged information is analyzed in
detail. It is done to find out the trends and patterns as well as abnormal, unauthorized, illegal, and
policy-violating activities.

Intrusion Detection: It is a process to detect unwanted system access by monitoring both recorded
information and real time events.

Alarm Triggers: These are the notifications that are sent to an administrator whenever a specific
event occurs.

Monitoring: It is the activity of manually or programmatically reviewing logged information.

QUESTION NO: 391 DRAG DROP

You work as a Network Administrator for Blue Well Inc. The company has a TCP/IP-based
network environment. The network contains Cisco switches and a Cisco Catalyst router. The
network is configured as shown in the image below:

You want to enable Host A to access the Internet. For this, you need to configure the default
gateway settings. Choose the appropriate address to accomplish the task.

Answer:

Explanation:

According to the question, you are required to configure the default gateway setting on Host A so
that users can access the Internet through it. For a computer to communicate with computers on
another segment in a routed network, it is important to configure the default gateway. In order to
accomplish the task, you will have to set the address 192.168.19.203 as the default gateway
address.

QUESTION NO: 392 DRAG DROP

You are developing a business solution for Haynes Super Leather Inc. A case study for the
organization is given in the exhibit. Based on the case study, you create different modules and
interfaces and want to define the functionality between them. Drag and drop the appropriate
functionalities that will make the interaction possible between modules and/or interfaces. Here,
functionalities can be repetitive.

Answer:

Explanation:

the external network, i.e., the Internet through the restricted HTTP and HTTPS protocols.
Therefore, the functionality between the Corporate Intranet interface and the Internet interface in
this diagram should be the HTTP and HTTPS protocols.

In the case study, it is mentioned that the company uses a Web-based CustomerOrder application
for the existing order placement process.

Therefore, the functionality between the Corporate Intranet interface and the Customer Order
Form module in this diagram should be the Order Placement Process.

The Board of Directors wants to ensure that as soon as a customer clicks the SUBMIT button in
the customer order Web form, he is redirected to a Web page displaying the order payment
details, i.e., the customer payment Web form. Therefore, the functionality between the Customer
Order Form module and the Customer Payment Form module in this diagram should be the Order
Payment Process.

It is very obvious that both the customer order Web form and the customer payment Web form will
interact with the Internet through a client Web browser. Therefore, the functionality between the
Internet interface and the Customer Order Form and Customer Payment Form modules in this
diagram should be the Client Web Browser.

QUESTION NO: 393 DRAG DROP

A wireless network uses multiple modulation schemes to make the signal strong so that it can
travel far. These modulation schemes work with a certain IEEE standard. Choose and drop the
correct standards in the right pane according to the modulation scheme.

Answer:

Explanation:

Can travel far. The modulation schemes and IEEE standards working with these modulation
schemes are given below:

QUESTION NO: 394

Which of the following statements are true about a data mart?

Each correct answer represents a complete solution.

A.
Most writers believe that the design of a data mart tends to start from an analysis of the data
already existing.

B.
Users of a data mart can expect to have data presented in terms that are familiar to them.

C.
A data mart is a repository of data gathered from operational data.

D.
The emphasis of a data mart is on meeting the specific demands of a particular group of
knowledge users.

Answer: B,C,D
Explanation:

A data mart is a repository of data gathered from operational data and other sources that is
designed to serve a particular community of knowledge workers. In scope, the data may derive
from an enterprise-wide database or data warehouse or be more specialized. The emphasis of a
data mart is on meeting the specific demands of a particular group of knowledge users in terms of
analysis, content, presentation, and ease-of-use. Users of a data mart can expect to have data
presented in terms that are familiar.

In practice, the terms data mart and data warehouse each tend to imply the presence of the other
in some form. However, most writers using the term seem to agree that the design of a data mart
tends to start from an analysis of user needs and that a data warehouse tends to start from an
analysis of what data already exists and how it can be collected in such a way that the data can
later be used. A data warehouse is a central aggregation of data (which can be distributed
physically); a data mart is a data repository that may derive from a data warehouse or not and that
emphasizes ease of access and usability for a particular designed purpose. In general, a data
warehouse tends to be a strategic but somewhat unfinished concept; a data mart tends to be
tactical and aimed at meeting an immediate need.

Answer A is incorrect. Most writers using the term agree that the design of a data mart tends to
start from an analysis of user needs, not of the data already existing.

QUESTION NO: 395 HOTSPOT

Sam works as a network administrator at Bluewell Inc. The company uses the Windows Vista
operating system. He wants to restore a program that is blocked by Windows Defender. He opens
the Windows Defender window and clicks on the Tools link. He clicks on a link to view the list of
programs blocked by Windows Defender, selects a program, and then clicks on the Restore button
to restore it. Mark the option that Sam chose to view the list of programs blocked by Windows
Defender.

Answer:

Explanation:

The user can then select a program and restore it.

QUESTION NO: 396 HOTSPOT

You work as a Network Administrator for uCertify Inc. The company's Windows 2000-based
network is configured with Internet Security and Acceleration (ISA) Server 2000. All clients on the
network run Windows 2000 Professional. The company policy prevents you from installing the
Firewall Client software or configuring the Web Proxy service on any client computer. You
configure access policy rules to allow all the users to use the HTTP protocol for accessing all
Internet sites. However, users on the network report that they are unable to do so.

Mark the option that is configured incorrectly.

Answer:

Explanation:

The company policy states that you cannot install the Firewall Client software or configure the
Web Proxy service on any client computer. Therefore, you will have to configure all client
computers as SecureNAT clients. The users are unable to access Internet Web sites because you
have enabled the Ask unauthenticated users for identification check box. SecureNAT clients do
not provide user name or computer name information to ISA Server when making requests.
Hence, all SecureNAT client requests are denied.

To resolve the issue, you will have to disable the Ask unauthenticated users for identification
check box.

QUESTION NO: 397 DRAG DROP

You work as a Network Administrator for Net Perfect Inc. The company has a TCP/IP-based
network environment. The network has two switches and a router as shown in the image below:

The router connects the network to the Internet. For security, you want to disable CDP for the
interface connected to the Internet. However, you do not want to disable this information for the
internal network. Select the command (or series of commands) that you will issue to accomplish
this task.

Answer:

Explanation:

In order to accomplish this task, you will have to issue the following commands:

interface s0/0

no cdp enable

According to the question, you are required to disable CDP only on the interface that is connected
to the Internet. For this, you will have to run the no cdp enable command on the interface. To
select the interface, the interface <interface id> command is issued. This will disable CDP only on
the interface selected.

The no cdp run command is a global command and is used to disable CDP for the entire switch.

QUESTION NO: 398 DRAG DROP

John works as a Network Administrator for Blue Well Inc. All client computers in the company run
the Windows Vista operating system. He installs an application on his computer. The application is
not running properly. Therefore, he wants to disable the application. What steps will he take to
accomplish the task?

Answer:

Explanation:

John will click the Disable button on the Software Explorer page to disable the application running
on his computer.

Windows Defender is a software product designed by Microsoft to provide continuous security
against malware. If it detects anything suspicious, an alert will appear on the screen. Windows
Defender can also be used to scan a computer for suspicious software. It can remove or
quarantine any malware or spyware it finds.

The Quarantined items link will open the Quarantined items page that will help a user to remove or
restore software that Windows Defender has prevented from running.

The Allowed items link will open the Allowed items page that will help a user to view software that
are not monitored with Windows Defender.

QUESTION NO: 399 HOTSPOT

John works as an office assistant in an office. The office uses the Windows Vista operating
system. He wants to disable a program from running on a computer. He opens the Windows
Defender window and clicks on the Tools link. He clicks on a link to view the list of programs
running on the computer, selects a program, and then clicks on the Disable button to disable it.
Mark the option that John chose to view the list of programs running on the computer.

Answer:

Explanation:

The Software Explorer link will open a list of programs running on the computer.

QUESTION NO: 400 HOTSPOT

In the image of the Screened Host Firewall Architecture given below, select the element that is
commonly known as the choke router.

Answer:

Explanation:

A choke router is an interior router present in the screened host firewall architecture. It is attached
to the perimeter network and protects the internal network from the Internet and the perimeter net.

A choke router is basically employed for the job of packet filtering for the firewall. It is also used to
provide access to selected services that are outbound from the internal net to the Internet. These
services may include outgoing Telnet, FTP, WAIS, Archie, Gopher, etc.

A Screened Host Firewall Architecture is used to provide services from a host that is attached only
to the internal network by using a separate router. In this type of firewall architecture, the key
security is provided by packet filtering.

The host exists in the internal network. The packet filtering on the screening router is configured in
such a way that the bastion host is the only system in the internal network that is open to the
Internet connections. If any external system tries to access internal systems or services, then it will
connect only to this host. The bastion host therefore needs to be at a high level of security.

QUESTION NO: 401 DRAG DROP

John works as a Network Administrator for Blue Well Inc. The company uses Windows Vista
operating system. He wants to configure the firewall access for specific programs. What steps will
he take to accomplish the task?

Answer:

Explanation:

A firewall is a set of related programs configured to protect private networks connected to the
Internet from intrusion. It is used to regulate the network traffic between different computer
networks. It permits or denies the transmission of a network packet to its destination based on a
set of rules. A firewall is often installed on a separate computer so that an incoming packet does
not get into the network directly.

QUESTION NO: 402 DRAG DROP

Each listener interface method has an event associated with it. Drag and drop the appropriate
event names to match the respective listener interface methods.

Answer:

Explanation:

The HttpSessionBindingEvent class extends the HttpSessionEvent class. The
HttpSessionBindingEvent class is used with the following listeners:

HttpSessionBindingListener: It notifies the attribute when it is bound to or unbound from a session.

HttpSessionAttributeListener: It notifies the class when an attribute is bound, unbound, or replaced
in a session.

The session binds the object by a call to the HttpSession.setAttribute() method and unbinds the
object by a call to the HttpSession.removeAttribute() method.

HttpSessionEvent is a class that is used with the following listeners:

HttpSessionListener: It notifies the class when a session is created or destroyed.

HttpSessionActivationListener: It notifies the attributes when a session is activated or passivated.

QUESTION NO: 403 DRAG DROP

In Unix, there are different commands used for editing and viewing files. Drag and drop the
appropriate commands (available in Unix) in front of their respective functions that they perform.

Answer:

Explanation:

Following are the basic file editing and viewing commands in Unix:

QUESTION NO: 404 DRAG DROP

George works as a Network Administrator for Blue Soft Inc. The company uses Windows Vista
operating system. The network of the company is continuously connected to the Internet.

What will George use to protect the network of the company from intrusion?


Answer:

Explanation:


A firewall is a set of related programs configured to protect private networks connected to the
Internet from intrusion. It is used to regulate the network traffic between different computer
networks. It permits or denies the transmission of a network packet to its destination based on a
set of rules. A firewall is often installed on a separate computer so that an incoming packet does
not get into the network directly.

QUESTION NO: 405 DRAG DROP

Place the protocols on the TCP/IP layer to which they are associated.


Answer:


Explanation:


TCP/IP defines a large set of protocols that allow communication between various devices on a
network. TCP/IP classifies the various protocols into different layers. Some of the common
protocols are listed in the table below:

QUESTION NO: 406 DRAG DROP

You work as a Network Auditor for Net Perfect Inc. The company has a Windows-based network.
You need to audit the network of the company. You need to plan the audit process to minimize the
audit risk. What steps will you take to minimize the possibility of audit risk?


Answer:

Explanation:

The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an
incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate
the possibility of assessing audit risk too low, the auditor should perform the following steps:

Obtain an Understanding of the Organization and its Environment: The understanding of the
organization and its environment is used to assess the risk of material misstatement/weakness
and to set the scope of the audit. The auditor's understanding should include information on the
nature of the entity, management, governance, objectives and strategies, and business processes.

Identify Risks that May Result in Material Misstatements: The auditor must evaluate an
organization's business risks (threats to the organization's ability to achieve its objectives). An
organization's business risks can arise or change due to new personnel, new or restructured
information systems, corporate restructuring, and rapid growth, to name a few.

Evaluate the Organization's Response to those Risks: Once the auditor has evaluated the
organization's response to the assessed risks, the auditor should then obtain evidence of
management's actions toward those risks. The organization's response (or lack thereof) to any
business risks will impact the auditor's assessed level of audit risk.

Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the
organization's responses to business risks, the auditor then assesses the risk of material
misstatements and determines specific audit procedures that are necessary based on that risk
assessment.

Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the
assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor
will issue either an unqualified or qualified audit report based on their findings.

QUESTION NO: 407 DRAG DROP

You have created VLANs in your network and have assigned interfaces to each VLAN. You want
to configure trunking for carrying traffic of VLANs over a point-to-point link between a switch and a
wireless LAN controller. Drag and drop the appropriate commands beside their respective
command prompts.


Answer:

Explanation:


Between an access point and a wireless LAN controller, you will have to execute the following
commands in command-line mode:

Switch1(config)#interface fa0/1

Switch1(config-if)#switchport trunk encapsulation dot1q

Switch1(config-if)#switchport mode trunk

Switch1(config-if)#exit

You will have to use the interface fa slot/port global configuration command to select a specific
Fast Ethernet interface that you want to configure.

The switchport trunk encapsulation dot1q command is used to define a trunking protocol as
802.1Q.

The switchport mode trunk command is used to define an interface as a trunk.

The exit command is used to return to the previous mode.

QUESTION NO: 408 DRAG DROP

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The Sales Managers in the company use laptops for connecting to the network. You
are required to provide wireless connectivity on the network to all the Sales Managers. The
security policy of the company dictates that the laptops should connect only to the access points
on the network. The laptops should not be able to directly communicate with each other. You are
required to implement the security policy of the company.

Choose the steps that you will take to accomplish the task.

Answer:

Explanation:

In order to accomplish the task, you will have to take the following steps:

Install a WLAN access point on the network.

Install wireless network interface adapters on the laptops of the Sales Managers.

Create a Wireless Network policy and configure it to allow infrastructure networking only.

Apply the policy to the laptops of the Sales Managers.

Configuring the Wireless Network policy to allow infrastructure networking only will prevent the
Sales Managers from directly communicating with each other.

Although they will be able to communicate with each other by using this configuration, the
communication will be made through the access point.

The Ad hoc topology is used by wireless equipment, which are configured with the wireless
network interface adapters, to communicate directly with each other.

QUESTION NO: 409 CORRECT TEXT

Fill in the blanks with the appropriate protocol.

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is an
IEEE encryption protocol created to replace both TKIP and ______.

Answer:
WEP

Explanation:

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is an
IEEE 802.11i encryption protocol created to replace both TKIP, the mandatory protocol in WPA,
and WEP, the earlier, insecure protocol. CCMP is a mandatory part of the WPA2 standard, an
optional part of the WPA standard, and a required option for Robust Security Network (RSN)
Compliant networks. CCMP is also used in the ITU-T home and business networking standard.

CCMP, part of the 802.11i standard, uses the Advanced Encryption Standard (AES) algorithm.
Unlike in TKIP, key management and message integrity are handled by a single component built
around AES, using a 128-bit key, a 128-bit block, and 10 rounds of encoding per the FIPS 197
standard.

QUESTION NO: 410 CORRECT TEXT

Fill in the blank with the appropriate term.

When two routers are used in a firewall configuration, the internal router is known as a ______
router.

Answer:
choke

Explanation:

When two routers are used in a firewall configuration, the internal router is known as a choke
router. A choke router is an interior router present in the screened host firewall architecture. It is
attached to the perimeter network and protects the internal network from the Internet and the
perimeter net.

A choke router is basically employed for the job of packet filtering for the firewall. It is also used to
provide access to selected services that are outbound from the internal net to the Internet. These
services may include outgoing Telnet, FTP, WAIS, Archie, Gopher, etc.

QUESTION NO: 411 CORRECT TEXT

Fill in the blank with the command to complete the statement below. Do not enter the full path of
the command.

The ________ command supports system logging and kernel message trapping.

Answer:
sysklogd

Explanation:

The sysklogd command is used to support system logging and kernel message trapping. Sysklogd
includes two system utilities, syslogd and klogd, which support system logging and kernel
message trapping. Since this utility supports both Internet and UNIX domain sockets, it also
supports both local and remote logging. Every logged message contains at least a time and a
hostname field, and sometimes a program name field as well.

QUESTION NO: 412 DRAG DROP

John works as a Network Administrator for Blue Well Inc. All client computers in the company run
the Windows Vista operating system. He wants to view the status of malware protection.

What steps will he take to accomplish the task?

Answer:

Explanation:

John will click on the Security Center icon to view the malware status.

Malware is a combination of the terms malicious and software. It refers to a variety of hostile
programs, such as a virus or a Trojan horse, designed to damage or disrupt a computer. It gathers
information about a computer without the user's permission or knowledge.

The Windows Update icon is used to manually update Windows Vista and configure the settings
for the update.

The Power Options icon is used to configure the settings for various power plans.

QUESTION NO: 413

A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over
the network, it is broken into fragments (packets) at the source and reassembled at the destination
system. Each packet contains a sequence number that is used by the destination system to
reassemble the data packets in the correct order. The Initial Sequence Number of your computer
is 24171311 at login time. You connect your computer to a computer having the IP address
210.213.23.21. This whole process takes three seconds.

What will the value of the Initial Sequence Number be at this moment?

A.
24171811

B.
24619311

C.
24171111

D.
24171311

Answer: B
Explanation:

You took 3 seconds to establish a connection. The Initial Sequence Number counter is incremented
by 64000 for each new connection and by 128000 for each second that elapses, so during this time
the value of the Initial Sequence Number would become [24171311 + (1 * 64000) + (3 * 128000)],
i.e., 24619311.
