Last Updated on February 19, 2022 by Admin 2

GSNA : GIAC Systems and Network Auditor : Part 02

  1. Which of the following encryption modes are possible in WEP?

    • 128 bit encryption
    • No encryption
    • 256 bit encryption
    • 40 bit encryption

    Explanation: 
    WEP supports three encryption modes, i.e., no encryption, 40 bit encryption, and 128 bit encryption. Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It has two components, authentication and encryption. It provides security, which is equivalent to wired networks, for wireless networks. WEP encrypts data on a wireless network by using a fixed secret key. WEP incorporates a checksum in each frame to provide protection against the attacks that attempt to reveal the key stream.
    Answer: C is incorrect. WEP does not support 256 bit encryption.

  2. Which of the following responsibilities does not come under the audit process?

    • Reporting all facts and circumstances of the irregular and illegal acts.
    • Planning the IT audit engagement based on the assessed level of risk.
    • Reviewing the results of the audit procedures.
    • Applying security policies.
    Explanation:

    According to the standards of ISACA, an auditor should hold the following responsibilities:
    Planning the IT audit engagement based on an assessed level of risk.
    Designing audit procedures of irregular and illegal acts.
    Reviewing the results of the audit procedures.
    Assuming that acts are not isolated.
    Determining why the internal control system failed for that act.
    Conducting additional audit procedures.
    Evaluating the results of the expanded audit procedures.
    Reporting all facts and circumstances of the irregular and illegal acts.
    Distributing the report to the appropriate internal parties, such as managers.

    Answer: D is incorrect. The auditor is not responsible for applying security policies.

  3. You are responsible for a large network that has its own DNS servers. You periodically check the log to see if there are any problems. Which of the following are likely errors you might encounter in the log? (Choose three)

    • The DNS server could not create FTP socket for address [IP address of server]
    • The DNS server could not create an SMTP socket
    • Active Directory Errors
    • The DNS server could not create a Transmission Control Protocol (TCP) socket
    • The DNS server could not initialize the Remote Procedure Call (RPC) service
    Explanation: 
    There are a number of errors one could find in a Windows Server 2003 DNS log. They are as follows:
    The DNS server could not create a Transmission Control Protocol (TCP) socket.
    The DNS server could not open socket for address.
    The DNS server could not initialize the Remote Procedure Call (RPC) service.
    The DNS server could not bind the main datagram socket.
    The DNS Server service relies on Active Directory to store and retrieve information for Active Directory-integrated zones.
    Several Active Directory errors are also possible.
    Answer: A is incorrect. DNS servers do not create FTP connections.
    Answer: B is incorrect. DNS servers do not create SMTP connections.
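
The triage an auditor would script for the DNS log errors listed above, as an added example that is not part of the original page: it classifies and counts the error messages the explanation names. The log excerpt, the `classify_dns_errors` and `dns_error_total` helpers, and the class labels are all constructed for this demonstration and are not real server output.

```shell
#!/bin/sh
# Added example (not from the original page): a small triage helper that
# scans a Windows DNS server log for the error classes listed above and
# counts them, so an auditor can see which subsystem is failing.
# The log excerpt below is constructed for the demonstration.

SAMPLE_DNS_LOG='2022-02-19 03:10:01 ERROR The DNS server could not create a Transmission Control Protocol (TCP) socket
2022-02-19 03:10:01 ERROR The DNS server could not open socket for address 10.0.0.53
2022-02-19 03:10:02 ERROR The DNS server could not initialize the Remote Procedure Call (RPC) service
2022-02-19 03:10:03 INFO  Zone corp.example.test loaded
2022-02-19 03:10:04 ERROR The DNS server could not bind the main datagram socket
2022-02-19 03:10:05 ERROR The DNS server could not open Active Directory; the service will retry later
2022-02-19 03:10:06 ERROR The DNS server could not open socket for address 10.0.0.54
2022-02-19 03:10:07 INFO  The DNS server has started'

# classify_dns_errors: read a log on stdin and print one "class count"
# line per error class found (sorted, because awk's array order is
# unspecified). Lines that match no class, such as INFO lines, are ignored.
classify_dns_errors() {
    awk '
        /could not create a Transmission Control Protocol/ { n["tcp-socket"]++ }
        /could not open socket for address/               { n["address-socket"]++ }
        /could not bind the main datagram socket/         { n["udp-socket"]++ }
        /could not initialize the Remote Procedure Call/  { n["rpc"]++ }
        /Active Directory/ && /could not|unable to/       { n["active-directory"]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# dns_error_total: number of log lines that matched any error class.
dns_error_total() {
    classify_dns_errors | awk '{ t += $2 } END { print t + 0 }'
}

# Stand-alone run: print the classification for the sample log.
printf '%s\n' "$SAMPLE_DNS_LOG" | classify_dns_errors
```

Feed a real log with `classify_dns_errors < dns.log`; a class with a high count (for example repeated socket-bind failures) points at the subsystem to investigate first.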
  4. TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting?

    • nmap -sS
    • nmap -sU -p
    • nmap -O -p
    • nmap -sT
    Explanation: 
    The nmap -O -p switch can be used to perform TCP/IP stack fingerprinting. Nmap is a free open-source utility for network exploration and security auditing. It is used to discover computers and services on a computer network, thus creating a “map” of the network. Just like many simple port scanners, Nmap is capable of discovering passive services. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even vendor of the remote network card. Nmap runs on Linux, Microsoft Windows etc.
    Answer: B is incorrect. The nmap -sU -p switch can be used to perform UDP port scanning.
    Answer: A is incorrect. The nmap -sS switch is used to perform a TCP half-open (SYN) scan. TCP SYN scanning is also known as half-open scanning because a full TCP connection is never opened.
    Answer: D is incorrect. The nmap -sT switch is used to perform a TCP full scan.
  5. You work as a Network Administrator for XYZ CORP. The company has a Linux-based network. The company needs to provide secure network access. You have configured a firewall to prevent certain ports and applications from forwarding the packets to the company’s intranet. What does a firewall check to prevent these ports and applications from forwarding the packets to the intranet?

    • The network layer headers and the session layer port numbers
    • The application layer port numbers and the transport layer headers
    • The transport layer port numbers and the application layer headers
    • The presentation layer headers and the session layer port numbers
    Explanation: 
    A firewall stops delivery of packets that are not marked safe by the Network Administrator. It checks the transport layer port numbers and the application layer headers to prevent certain ports and applications from forwarding the packets to an intranet.
    Answer: D, A, and B are incorrect. These are not checked by a firewall.
  6. John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based network. John is working as a root user on the Linux operating system. He wants to run two programs, foo and bar, and he wants to ensure that bar is executed if and only if foo has executed successfully. Which of the following command sequences will John use to accomplish the task?

    • foo; bar;
    • foo || bar;
    • foo | bar;
    • foo && bar;
    Explanation: 
    According to the scenario, John will execute the foo && bar; command. Because of the && operator, bar will execute if and only if foo completes successfully.
    Answer: A is incorrect. The foo; bar; command sequence will run foo and bar in a sequential manner, but the successful completion of the first command does not matter.
    Answer: B is incorrect. The foo || bar; command sequence will run bar if and only if foo fails to complete successfully.
    Answer: C is incorrect. In the foo | bar; command sequence, the output of the foo command will be the input for the bar command.
  7. John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based network. John is working as a root user on the Linux operating system. He is configuring the Apache Web server settings. He does not want the commands being used in the settings to be stored in the history. Which of the following commands can he use to disable history?

    • history !!
    • set +o history
    • history !N
    • set -o history
    Explanation: 
    According to the scenario, John can use the set +o history command to disable history.
    Answer: D is incorrect. John cannot use the set -o history command to accomplish his task. This command re-enables history after it has been disabled.
    Answer: A is incorrect. John cannot use the history !! command to accomplish his task. This command is used to see the most recently typed command.
    Answer: C is incorrect. John cannot use the history !N command to accomplish his task. This command is used to display the Nth history command.
  8. You are the Network Administrator for a software development company. Your company creates various utilities and tools. You have noticed that some of the files your company creates are getting deleted from systems. When one is deleted, it seems to be deleted from all the computers on your network. Where would you first look to try and diagnose this problem?

    • Antivirus log
    • IDS log
    • System log
    • Firewall log
    Explanation: 
    Check the antivirus log and see if it is detecting your file as a virus and deleting it. All antivirus programs have a certain rate of false positives. Since the file is being deleted from all computers, it seems likely that your antivirus has mistakenly identified that file as a virus.
    Answer: D is incorrect. The firewall log can help you identify traffic entering or leaving your network, but won’t help with files being deleted.
    Answer: B is incorrect. An IDS log would help you identify possible attacks, but this scenario is unlikely to be from an external attack.
    Answer: C is incorrect. Your system log can only tell you what is happening on that individual computer.
  9. Which of the following statements about a screened host is true?

    • It facilitates a more efficient use of the Internet connection bandwidth and hides the real IP addresses of computers located behind the proxy.
    • It is a small network that lies in between the Internet and a private network.
    • It provides added security by using Internet access to deny or permit certain traffic from the Bastion Host.
    • It provides a physical connection between computers within a network.
    Explanation: 
    A screened host provides added security by using Internet access to deny or permit certain traffic from the Bastion Host.
    Answer: D is incorrect. A network interface card provides a physical connection between computers within a network.
    Answer: B is incorrect. Demilitarized zone (DMZ) or perimeter network is a small network that lies in between the Internet and a private network. It is the boundary between the Internet and an internal network, usually a combination of firewalls and bastion hosts that are gateways between inside networks and outside networks. DMZ provides a large enterprise network or corporate network the ability to use the Internet while still maintaining its security.
    Answer: A is incorrect. A proxy server facilitates a more efficient use of the Internet connection bandwidth and hides the real IP addresses of computers located behind the proxy.
  10. John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He notices that UDP port 137 of the We-are-secure server is open. Assuming that the Network Administrator of We-are-secure Inc. has not changed the default port values of the services, which of the following services is running on UDP port 137?

    • HTTP
    • TELNET
    • NetBIOS
    • HTTPS
    Explanation: 
    NetBIOS is a Microsoft service that enables applications on different computers to communicate within a LAN. NetBIOS systems identify themselves with a 15-character unique name and use Server Message Block, which allows remote directory, file, and printer sharing, etc. The default port value of the NetBIOS Name Resolution Service is 137/UDP.
    Answer: A is incorrect. Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on the World Wide Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when a client application or browser sends a request to the server using HTTP commands, the server responds with a message containing the protocol version, success or failure code, server information, and body content, depending on the request. HTTP uses TCP port 80 as the default port.
    Answer: D is incorrect. The default port of HTTPS is TCP/443. Hypertext Transfer Protocol Secure (HTTPS) is the protocol used in the Uniform Resource Locator (URL) address line to connect to a secure site. If a site has been made secure by using the Secure Sockets Layer (SSL), then HTTPS, instead of HTTP, should be used as the protocol type in the URL.
    Answer: B is incorrect. TELNET is a command-line connectivity tool that starts terminal emulation with a remote host running the telnet server service. TELNET allows users to communicate with a remote computer, offers the ability to run programs remotely, and facilitates remote administration. The TELNET utility uses the Telnet protocol for connecting to a remote computer running the Telnet server software, to access files. It uses TCP port 23 by default.
  11. Which of the following statements about a session are true? (Choose two.)

    • The creation time can be obtained using the getSessionCreationTime() method of the HttpSession.
    • The getAttribute() method of the HttpSession interface returns a String.
    • The time for the setMaxInactiveInterval() method of the HttpSession interface is specified in seconds.
    • The isNew() method is used to identify if the session is new.
    Explanation: 
    The setMaxInactiveInterval() method sets the maximum time in seconds before a session becomes invalid. The syntax of this method is as follows: public void setMaxInactiveInterval(int interval)
    Here, interval is specified in seconds. The isNew() method of the HttpSession interface returns true if the client does not yet know about the session, or if the client chooses not to join the session. This method throws an IllegalStateException if called on an invalidated session.
    Answer: B is incorrect. The getAttribute(String name) method of the HttpSession interface returns the value of the named attribute as an Object. It returns a null value if no attribute with the given name is bound to the session. This method throws an IllegalStateException if it is called on an invalidated session.
    Answer: A is incorrect. The creation time of a session can be obtained using the getCreationTime() method of the HttpSession.
  12. Which of the following statements is true about a relational database?

    • It is difficult to extend a relational database.
    • The standard user and application program interface to a relational database is Programming Language (PL).
    • It is a collection of data items organized as a set of formally-described tables.
    • It is a set of tables containing data fitted into runtime defined categories.
    Explanation: 
    A relational database is a collection of data items organized as a set of formally-described tables from which data can be accessed or reassembled in many different ways without having to reorganize the database tables.
    Answer: B is incorrect. The standard user and application program interface to a relational database is the structured query language (SQL).
    Answer: A is incorrect. In addition to being relatively easy to create and access, a relational database has the important advantage of being easy to extend.
    Answer: D is incorrect. A relational database is a set of tables containing data fitted into predefined categories. Each table (which is sometimes called a relation) contains one or more data categories in columns. Each row contains a unique instance of data for the categories defined by the columns.
  13. You work as a Network Administrator for BetaTech Inc. You have been assigned the task of designing the firewall policy for the company. Which of the following statements is unacceptable in the ‘acceptable use statement’ portion of the firewall policy?

    • The computers and their applications should be used for organizational related activities only.
    • Computers may not be left unattended with a user account still logged on.
    • Applications other than those supplied or approved by the company can be installed on any computer.
    • The installed e-mail application can only be used as the authorized e-mail service.
    Explanation: 
    Applications other than those supplied or approved by the company shall not be installed on any computer.
    Answer: A, B, D are incorrect. All of these statements stand true in the ‘acceptable use statement’ portion of the firewall policy.
  14. You have recently joined as a Network Auditor in XYZ CORP. The company has a Windows-based network. You have been assigned the task to determine whether or not the company’s goal is being achieved. As an auditor, which of the following tasks should you perform before conducting the data center review? Each correct answer represents a complete solution. (Choose three.)

    • Review the future IT organization chart.
    • Meet with IT management to determine possible areas of concern.
    • Review the company’s IT policies and procedures.
    • Research all operating systems, software applications, and data center equipment operating within the data center.
    Explanation: 
    The auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether or not the client’s goal is being achieved, the auditor should perform the following before conducting the review:
    Meet with IT management to determine possible areas of concern.
    Review the current IT organization chart.
    Review job descriptions of data center employees.
    Research all operating systems, software applications, and data center equipment operating within the data center.
    Review the company’s IT policies and procedures.
    Evaluate the company’s IT budget and systems planning documentation.
    Review the data center’s disaster recovery plan.
    Answer: A is incorrect. An auditor should review the current organization chart. Reviewing the future organization chart would not help in finding the current threats to the organization.
  15. Patricia joins XYZ CORP., as a Web Developer. While reviewing the company’s Web site, she finds that many words including keywords are misspelled. How will this affect the Web site traffic?

    • Leave a bad impression on users.
    • Search engine relevancy may be altered.
    • Link exchange with other sites becomes difficult.
    • The domain name cannot be registered.
    Explanation: 
    Web site traffic depends upon the number of users who are able to locate a Web site. Search engines are one of the most frequently used tools to locate Web sites. They perform searches on the basis of keywords contained in the Web pages of a Web site. Keywords are simple text strings that are associated with one or more topics of a Web page. Misspelled keywords prevent Web pages from being displayed in the search results.
  16. You work as a Network Administrator for ABC Inc. The company uses a secure wireless network. John complains to you that his computer is not working properly. What type of security audit do you need to conduct to resolve the problem?

    • Non-operational audit
    • Dependent audit
    • Independent audit
    • Operational audit
    Explanation: 
    An independent audit is an audit that is usually conducted by external or outside resources. It is the process of reviewing detailed audit logs for the following purposes:
    – To examine the system activities and access logs
    – To assess the adequacy of system methods
    – To assess the adequacy of system controls
    – To examine compliance with established enterprise network system policies
    – To examine compliance with established enterprise network system procedures
    – To examine effectiveness of enabling, support, and core processes
    Answer: B is incorrect. It is not a valid type of security audit.
    Answer: D is incorrect. It is done to examine the operational and ongoing activities within a network.
    Answer: A is incorrect. It is not a valid type of security audit.

  17. You have an online video library. You want to upload a directory of movies. Since this process will take several hours, you want to ensure that the process continues even after the terminal is shut down or session is closed. What will you do to accomplish the task?

    • Use the bg command to run the process in the background.
    • Add the nohup command in front of the process.
    • Add the nohup command at the end of the process.
    • Run the process inside a GNU Screen-style screen multiplexer.
    Explanation: 
    Whenever the nohup command is added in front of any command or process, it makes the command or process run even after the terminal is shut down or session is closed. All processes, except the ‘at’ and batch requests, are killed when a user logs out. If a user wants a background process to continue running even after he logs out, he must use the nohup command to submit that background command. To nohup running processes, press ctrl+z, enter “bg” and enter “disown”. The other way to accomplish the task is to run the command/process inside a GNU Screen-style screen multiplexer, and then detach the screen. GNU Screen maintains the illusion that the user is always logged in, and allows the user to reattach at any time. This has the advantage of being able to continue to interact with the program once reattached (which is impossible with nohup alone).
    Answer: C is incorrect. The nohup command works when it is added in front of a command.
    Answer: A is incorrect. The bg command cannot run the command or process after the terminal is shut down or session is closed.
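
What nohup actually changes for a long-running job, shown as an added example that is not part of the original page: the same stand-in job is started with and without nohup, sent the SIGHUP a closing terminal delivers, and its exit status reveals whether it survived. The `survives_hup` helper and the use of `sleep 30` in place of the upload are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): what nohup changes for a
# long-running job. A stand-in "sleep 30" plays the part of the upload;
# it is started with or without nohup, sent the SIGHUP that a closing
# terminal delivers, and its exit status tells us whether it survived.

# survives_hup MODE: MODE is "nohup" or "plain".
# Prints "alive" if the job outlived SIGHUP, "dead" if SIGHUP killed it.
survives_hup() {
    if [ "$1" = nohup ]; then
        # nohup marks SIGHUP as ignored before running the job. Output is
        # redirected so nohup does not create a nohup.out file.
        nohup sleep 30 >/dev/null 2>&1 </dev/null &
    else
        sleep 30 >/dev/null 2>&1 </dev/null &
    fi
    pid=$!
    sleep 1                                  # let nohup exec the job first
    kill -HUP "$pid" 2>/dev/null || true     # what a closing terminal sends
    sleep 1
    kill -TERM "$pid" 2>/dev/null || true    # stop the demo job either way
    rc=0
    wait "$pid" || rc=$?
    # Exit status is 128 + signal number: 129 means SIGHUP killed the job,
    # 143 means it lived until our SIGTERM.
    case $rc in
        129) echo dead ;;
        143) echo alive ;;
        *)   echo "unexpected:$rc" ;;
    esac
}

# Stand-alone run: compare both ways of starting the job.
echo "plain: $(survives_hup plain)"
echo "nohup: $(survives_hup nohup)"
```

For the real upload, the same pattern is `nohup ./upload-movies.sh >upload.log 2>&1 &`, which keeps the job's output after the session is gone.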
  18. You work as a Web Deployer for UcTech Inc. You write the <security-constraint> element for an application in which you write the <auth-constraint> sub-element as follows: <auth-constraint> <role-name>*</role-name> </auth-constraint>

    Who will have access to the application?

    • Only the administrator
    • No user
    • All users
    • It depends on the application.
    Explanation: 
    The <auth-constraint> element is a sub-element of the <security-constraint> element. It defines the roles that are allowed to access the Web resources specified by the <web-resource-collection> sub-elements. The <auth-constraint> element is written in the deployment descriptor as follows:
    <security-constraint>
      <web-resource-collection>
        —————-
      </web-resource-collection>
      <auth-constraint>
        <role-name>Administrator</role-name>
      </auth-constraint>
    </security-constraint>
    Writing Administrator within the <role-name> element will allow only the administrator to have access to the resource defined within the <web-resource-collection> element. The special role name * is shorthand for all roles defined in the deployment descriptor, so the constraint in the question admits all users rather than only the administrator.
  19. You work as a Network Administrator for XYZ CORP. The company has a TCP/IP-based network environment. The network contains Cisco switches and a Cisco router.

    You run the following command for a router interface:
    show interface serial0

    You get the following output:
    Serial0 is administratively down, line protocol is down

    What will be your conclusion after viewing this output?

    • There is a physical problem either with the interface or the cable attached to it.
    • The router has no power.
    • There is a problem related to encapsulation.
    • The interface is shut down.
    Explanation: 
    According to the question, the output displays that the interface is administratively down. Administratively down means that the interface has been shut down by configuration. To bring the interface up, enter interface configuration mode and issue the no shutdown command.
    Answer: A is incorrect. Had there been a physical problem with the interface, the output would not have displayed “administratively down”. Instead, the output would be as follows: serial0 is down, line protocol is down
    Answer: B is incorrect. You cannot run this command on a router that is powered off.
    Answer: C is incorrect. Encapsulation has nothing to do with the output displayed in the question.
  20. Sam works as a Web Developer for McRobert Inc. He creates a Web site. He wants to include the following table in the Web site:
    He writes the following HTML code to create the table:

    1. <TABLE BORDER="1" WIDTH="500">
    2. <TR>
    3.
    4.
    5. </TR>
    6. <TR>
    7. <TD>
    8. </TD>
    9. <TD>
    10. </TD>
    11. <TD>
    12. </TD>
    13. </TR>
    14. <TR>
    15. <TD>
    16. </TD>
    17. <TD>
    18. </TD>
    19. <TD>
    20. </TD>
    21. </TR>
    22. </TABLE>

    Which of the following tags will Sam place at lines 3 and 4 to create the table?

    • at line 3 at line 4
    • at line 3 at line 4
    • at line4 at line
    • at line 3 at line 4
    Explanation: 
    The tag is used to specify each cell of the table. It can be used only within a row in a table. The ROWSPAN attribute of the tag specifies the number of rows that a cell spans over in a table. Since, the first cell of the table spans over three rows, Sam will use specifies the number of columns that the head row contains.
    Answer: C is incorrect.
    Answer: A, B are incorrect. There are no attributes such as SPAN and SPANWIDTH for the tag.