GIAC Systems and Network Auditor v1.0 (GSNA)

Page:    1 / 28   
Total 413 questions

Which of the following mechanisms is closely related to authorization?

  • A. Sending secret data such as credit card information.
  • B. Allowing access to a particular resource.
  • C. Verifying username and password.
  • D. Sending data so that no one can alter it on the way.

Answer : Answer: C is incorrect. Verifying username and password describes the mechanism of authentication. Authentication is the process of verifying the identity of a user. This is usually done using a user name and password. This process compares the provided user name and password with those stored in the database of an authentication server.

Authorization is a process that verifies whether a user has permission to access a Web resource. A Web server can restrict access to some of its resources to only those clients that log in using a recognized username and password. To be authorized, a user must first be authenticated.

that the data is not modified during transmission from source to destination. This means that the data received at the destination should be exactly the same as that sent from the source.

ensures that only the intended, authorized recipients are able to read data. The data is so encrypted that even if an unauthorized user gets access to it, he will not get any meaning out of it.

An auditor assesses the database environment before beginning the audit. This includes various key tasks that should be performed by an auditor to identify and prioritize the users, data, activities, and applications to be monitored.
Which of the following tasks need to be performed by the auditor manually?

  • A. Classifying data risk within the database systems
  • B. Monitoring data changes and modifications to the database structure, permission and user changes, and data viewing activities
  • C. Analyzing access authority
  • D. Archiving, analyzing, reviewing, and reporting of audit information

Answer : AC

The Internal Audit Association lists the following as key components of a database audit:
Create an inventory of all database systems and use classifications. This should include production and test data. Keep it up-to-date.
Classify data risk within the database systems. Monitoring should be prioritized for high, medium, and low risk data.
Implement an access request process that requires database owners to authorize the "roles" granted to database accounts (roles as in Role Based Access and not the native database roles).
Analyze access authority. Users with higher degrees of access permission should be under higher scrutiny, and any account for which access has been suspended should be monitored to ensure access is denied and attempts are identified.
Assess application coverage. Determine what applications have built-in controls, and prioritize database auditing accordingly. All privileged user access must have audit priority. Legacy and custom applications are the next highest priority to consider, followed by the packaged applications.
Ensure technical safeguards. Make sure access controls are set properly.
Audit the activities. Monitor data changes and modifications to the database structure, permission and user changes, and data viewing activities. Consider using network-based database activity monitoring appliances instead of native database audit trails.
Archive, analyze, review, and report audit information. Reports to auditors and IT managers must communicate relevant audit information, which can be analyzed and reviewed to determine if corrective action is required. Organizations that must retain audit data for long-term use should archive this information with the ability to retrieve relevant data when needed.
The first five steps listed are to be performed by the auditor manually.
Answers B, D are incorrect. These tasks are best achieved by using an automated solution.

Which of the following statements about session tracking is true?

  • A. When using cookies for session tracking, there is no restriction on the name of the session tracking cookie.
  • B. When using cookies for session tracking, the name of the session tracking cookie must be jsessionid.
  • C. A server cannot use cookie as the basis for session tracking.
  • D. A server cannot use URL rewriting as the basis for session tracking.

Answer : B

If you are using cookies for session tracking, the name of the session tracking cookie must be jsessionid. A jsessionid can be placed only inside a cookie header.
You can use HTTP cookies to store information about a session. The servlet container takes responsibility for generating the session ID, making a new cookie object, associating the session ID with the cookie, and setting the cookie as part of the response.

The SALES folder has a file named XFILE.DOC that contains critical information about your company. This folder resides on an NTFS volume. The company's
Senior Sales Manager asks you to provide security for that file. You make a backup of that file and keep it in a locked cupboard, and then you deny access on the file for the Sales group. John, a member of the Sales group, accidentally deletes that file. You have verified that John is not a member of any other group.
Although you restore the file from backup, you are confused as to how John was able to delete the file despite having no access to it. What is the most likely cause?

  • A. The Sales group has the Full Control permission on the SALES folder.
  • B. The DenyAccess permission does not restrict the deletion of files.
  • C. John is a member of another group having the Full Control permission on that file.
  • D. The Deny Access permission does not work on files.

Answer : Answer: C is incorrect. In the event of any permission conflict, the most restrictive one prevails. Moreover, the question clearly states that John is not a member of any other group.

Although NTFS provides access controls to individual files and folders, users can perform certain actions even if permissions are set on a file or folder to prevent access. If a user has been denied access to a file but has Full Control rights on the folder in which it resides, he will be able to delete the file, as Full Control rights on the folder allow the user to delete the contents of the folder.

Adam works on a Linux system. He is using Sendmail as the primary application to transmit e-mails. Linux uses Syslog to maintain logs of what has occurred on the system.
Which of the following log files contains e-mail information such as source and destination IP addresses, date and time stamps, etc.?

  • A. /var/log/mailog
  • B. /var/log/logmail
  • C. /log/var/mailog
  • D. /log/var/logd

Answer : Answer: B, C, D are incorrect. All these files are not valid log files.

/var/log/mailog generally contains the source and destination IP addresses, date and time stamps, and other information that may be used to check the information contained within an e-mail header. Linux uses Syslog to maintain logs of what has occurred on the system. The configuration file /etc/syslog.conf is used to determine where the Syslog service (Syslogd) sends its logs. Sendmail can create event messages and is usually configured to record the basic information such as the source and destination addresses, the sender and recipient addresses, and the message ID of e-mail. The syslog.conf will display the location of the log file for e-mail.

You work as a Java Programmer for JavaSkills Inc. You are working with the Linux operating system. Nowadays, when you start your computer, you notice that your OS is taking more time to boot than usual. You discuss this with your Network Administrator. He suggests that you mail him your Linux bootup report.
Which of the following commands will you use to create the Linux bootup report?

  • A. touch bootup_report.txt
  • B. dmesg > bootup_report.txt
  • C. dmesg | wc
  • D. man touch

Answer : B

According to the scenario, you can use dmesg > bootup_report.txt to create the bootup report file. With this command, the bootup messages are displayed by dmesg and redirected to bootup_report.txt using the > redirection operator.

You work as a Network Administrator for Tech Perfect Inc. For security reasons, the company requires you to harden its routers. You therefore write the following code:

Router#config terminal
Router(config)#no ip bootp server
Router(config)#no ip name-server
Router(config)#no ntp server
Router(config)#no snmp server
Router(config)#no ip http server
Router(config)#^Z
Router#

What services will be disabled by using this configuration fragment?

  • A. BootP service
  • B. Finger
  • C. CDP
  • D. DNS function

Answer : AD

The above configuration fragment will disable the following services on the router:
-> The BootP service
-> The DNS function
-> The Network Time Protocol
-> The Simple Network Management Protocol
-> Hyper Text Transfer Protocol

Which of the following attacks allows the bypassing of access control lists on servers or routers, and helps an attacker to hide? (Choose two)

  • A. DNS cache poisoning
  • B. DDoS attack
  • C. IP spoofing attack
  • D. MAC spoofing

Answer : Answer: A is incorrect. DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up caching the incorrect entries locally and serve them to other users that make the same request.

Either IP spoofing or MAC spoofing attacks can be performed to hide the identity in the network. MAC spoofing is a hacking technique of changing an assigned Media Access Control (MAC) address of a networked device to a different one. The changing of the assigned MAC address may allow the bypassing of access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another computer. MAC spoofing is the activity of altering the MAC address of a network card.

infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for a DDoS attack.

You work as a Network Administrator for XYZ CORP. The company has a Windows-based network. You have been assigned the task to design the authentication system for the remote users of the company. For security purposes, you want to issue security tokens to the remote users. The token should work on the one-time password principle and so once used, the next password gets generated.
Which of the following security tokens should you issue to accomplish the task?

  • A. Virtual tokens
  • B. Event-based tokens
  • C. Bluetooth tokens
  • D. Single sign-on software tokens

Answer : Answer: C is incorrect. Bluetooth tokens are often combined with a USB token, and hence work in both a connected and disconnected state. Bluetooth authentication works when closer than 32 feet (10 meters). If Bluetooth is not available, the token must be inserted into a USB input device to function.

Event-based tokens, by their nature, have a long life span. They work on the one-time password principle, and so once used, the next password is generated. Often the user has a button to press to receive this new code via either a token or via an SMS message. All CRYPTOCard's tokens are event-based rather than time-based.

sharing the token generation process between the Internet website and the user's computer, and have the advantage of not requiring the distribution of additional hardware or software. In addition, since the user's device is communicating directly with the authenticating website, the solution is resistant to man-in-the-middle attacks and similar forms of online fraud.

solutions, like enterprise single sign-on, use this token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned.

Which of the following is the default port for Hypertext Transfer Protocol (HTTP)?

  • A. 20
  • B. 443
  • C. 80
  • D. 21

Answer : Answer: B is incorrect. Port 443 is the default port for Hypertext Transfer Protocol Secure (HTTPS) and Secure Socket Layer (SSL).

Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on the World Wide Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
For example, when a client application or browser sends a request to the server using HTTP commands, the server responds with a message containing the protocol version, success or failure code, server information, and body content, depending on the request. HTTP uses TCP port 80 as the default port.

You work as a Network Administrator for XYZ CORP. The company has a Windows-based network. You are concerned about the vulnerabilities existing in the network of the company.
Which of the following can be a cause for making the network vulnerable? (Choose two)

  • A. Use of well-known code
  • B. Use of uncommon code
  • C. Use of uncommon software
  • D. Use of more physical connections

Answer : AD

In computer security, the term vulnerability refers to a weakness that allows an attacker to reduce a system's Information Assurance. A computer or a network can be vulnerable for the following reasons:
Complexity: Large, complex systems increase the probability of flaws and unintended access points.
Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.
Connectivity: More physical connections, privileges, ports, protocols, and services, and the time each of those is accessible, increase vulnerability.
Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as "default permit" grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
Internet Website Browsing: Some Internet websites may contain harmful Spyware or Adware that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third party individuals.
Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.
Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (buffer overflows, SQL injection, or other non-validated input flaws).
Answers B, C are incorrect. Use of common software and common code can make a network vulnerable.

You are the security manager of Microliss Inc. Your enterprise uses a wireless network infrastructure with access points having a range of 150-350 feet. The employees using the network complain that their passwords and important official information have been traced.
You discover the following clues:
-> The information has proved beneficial to another company.
-> The other company is located about 340 feet away from your office.
-> The other company is also using wireless network.
-> The bandwidth of your network has degraded to a great extent.
Which of the following methods of attack has been used?

  • A. A piggybacking attack has been performed.
  • B. A DOS attack has been performed.
  • C. The information is traced using Bluebugging.
  • D. A worm has exported the information.

Answer : Answer: C is incorrect. Bluebugging is an attack used only in a Bluetooth network. Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. Bluebugging tools allow an attacker to "take control" of the victim's phone via the usage of the victim's Bluetooth phone headset. It does this by pretending to be the user's Bluetooth headset and therefore "tricking" the phone into obeying its call commands.

Piggybacking refers to access of a wireless Internet connection by bringing one's own computer within the range of another's wireless connection, and using that service without the subscriber's explicit permission or knowledge. It is a legally and ethically controversial practice, with laws that vary in jurisdictions around the world. While completely outlawed in some jurisdictions, it is permitted in others. The process of sending data along with the acknowledgment is called piggybacking.

performs malicious actions, such as using the resources of computers as well as shutting down computers.
It is also known as a network saturation attack or bandwidth consumption attack. Attackers perform DoS attacks by sending a large number of protocol packets to the network. The effects of a DoS attack are as follows:
-> Saturates network resources
-> Disrupts connections between two computers, thereby preventing communications between services
-> Disrupts services to a specific computer
-> Causes failure to access a Web site
-> Results in an increase in the amount of spam
-> A Denial-of-Service attack is very common on the Internet because it is much easier to accomplish.
-> Most of the DoS attacks rely on the weaknesses in the TCP/IP protocol.

Anonymizers are the services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously.
Which of the following are limitations of anonymizers?

  • A. ActiveX controls
  • B. Plugins
  • C. Secure protocols
  • D. Java applications
  • E. JavaScript

Answer : ABCDE

Anonymizers have the following limitations:
1. HTTPS: Secure protocols such as 'https:' cannot be properly anonymized, as the browser needs to access the site directly to properly maintain the secure encryption.
2. Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an established independent direct connection from the user computer to a remote site.
3. Java: Any Java application accessed through an anonymizer will not be able to bypass the Java security wall.
4. ActiveX: ActiveX applications have almost unlimited access to the user's computer system.
5. JavaScript: The JavaScript scripting language is disabled with URL-based anonymizers.

You work as a Network Administrator for XYZ CORP. The company has a Linux-based network. You need to configure a firewall for the company. The firewall should be able to keep track of the state of network connections traveling across the network.
Which of the following types of firewalls will you configure to accomplish the task?

  • A. A network-based application layer firewall
  • B. Host-based application firewall
  • C. An application firewall
  • D. Stateful firewall

Answer : Answer: B is incorrect. A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application. This is done by examining information passed through system calls instead of, or in addition to, a network stack. A host-based application firewall can only provide protection to the applications running on the same host. Examples of host-based application firewalls that control system service calls by an application are AppArmor and the Mac OS X application firewall. Host-based application firewalls may also provide network-based application firewalling.

A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP streams and UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.

operates at the application layer of a protocol stack. Application firewalls specific to a particular kind of network traffic may be titled with the service name, such as a Web application firewall. They may be implemented through software running on a host or a stand-alone piece of network hardware. Often, it is a host using various forms of proxy servers to proxy traffic before passing it on to the client or server. Because it acts on the application layer, it may inspect the contents of the traffic, blocking specified content, such as certain websites, viruses, and attempts to exploit known logical flaws in client software.

monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall. The application firewall is typically built to monitor one or more specific applications or services (such as a web or database service), unlike a stateful network firewall, which can provide some access controls for nearly any kind of network traffic.
There are two primary categories of application firewalls:
-> Network-based application firewalls
-> Host-based application firewalls

Which of the following Windows processes supports creating and deleting processes and threads, running 16-bit virtual DOS machine processes, and running console windows?

  • A. smss.exe
  • B. services.exe
  • C. csrss.exe
  • D. System

Answer : Answer: B is incorrect. This process is the Windows Service Controller, which is responsible for starting and stopping system services running in the background.

csrss.exe is a process that supports creating and deleting processes and threads, running 16-bit virtual DOS machine processes, and running console windows.
