Last Updated on February 19, 2022 by Admin 2

GSNA : GIAC Systems and Network Auditor : Part 15

  1. You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-based network. Rick, your assistant, is configuring some laptops for wireless access. For security, WEP needs to be configured for wireless communication. By mistake, Rick configures a WEP key on one laptop that differs from the key configured on the Wireless Access Point (WAP). Which of the following statements is true in such a situation?

    • The laptop will be able to access the wireless network but the security will be compromised.
    • The WAP will allow the connection with the guest account’s privileges.
    • The laptop will be able to access the wireless network but other wireless devices will be unable to communicate with it.
    • The laptop will not be able to access the wireless network.

    Explanation:
    To associate with a WAP and exchange data through it, a wireless device must be configured with the same WEP key. With a different key the laptop either fails WEP shared-key authentication or, with open-system authentication, associates but every data frame it sends decrypts to garbage at the access point and fails the integrity check, so it is dropped; the same happens in the other direction. The laptop therefore cannot access the wireless network at all. There is no fallback to a guest account or to an unencrypted session.
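    The following is an added example, not code from the original page, showing mechanically why a key mismatch fails: WEP appends a CRC-32 integrity check value (ICV) to the frame body and RC4-encrypts both under IV || key, so a receiver holding a different key gets garbage, the ICV check fails and the frame is discarded. The two keys and the frame body are constructed for the example. (The mismatch fails cleanly, but WEP's RC4/CRC design is itself broken; the ICV is not a security boundary.)

```python
# Added example, not code from the original page: why a laptop whose WEP key
# differs from the access point's key cannot exchange frames with it.
# WEP appends a CRC-32 integrity check value (ICV) to the frame body and
# encrypts both with RC4 keyed by IV || key. Decrypting with any other key
# yields garbage, the ICV check fails, and the receiver silently drops the frame.
import os
import zlib
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 keystream XOR; encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Return IV || RC4(IV || key, plaintext || ICV), the WEP frame body layout."""
    iv = os.urandom(3) if iv is None else iv
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext when the ICV verifies under this key, else None (frame dropped)."""
    iv, body = frame[:3], frame[3:]
    decrypted = rc4(iv + key, body)
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


# Constructed keys for the example: the WAP's 104-bit key and Rick's mistyped copy.
WAP_KEY = bytes.fromhex("0123456789abcdef0123456789")
LAPTOP_KEY = bytes.fromhex("0123456789abcdef0123456788")


def key_mismatch_demo() -> Tuple[bool, bool]:
    """(frame accepted with the WAP's key, frame accepted with the laptop's key)."""
    frame = wep_encrypt(WAP_KEY, b"constructed frame body: ARP who-has 10.0.0.1",
                        iv=bytes.fromhex("000001"))
    return (wep_decrypt(WAP_KEY, frame) is not None,
            wep_decrypt(LAPTOP_KEY, frame) is not None)


if __name__ == "__main__":
    print("accepted with matching key, accepted with mismatched key:", key_mismatch_demo())
```

    A single-digit difference in the key is enough: the keystream changes completely, so the decrypted body and ICV no longer agree.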

  2. You work as the Network Administrator for XYZ CORP. The company has a Unix-based network. You want to set the user login features on the systems with the shadow passwords. Which of the following Unix configuration files can you use to accomplish the task?

    • /etc/logrotate.conf
    • /etc/login.defs
    • /etc/magic
    • /etc/filesystems
    Explanation:
    In Unix, /etc/login.defs is the configuration file of the shadow password suite. System administrators use it to set login and account defaults on systems with shadow passwords: password aging (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE), the minimum password length (PASS_MIN_LEN, where PAM does not override it), the password hashing method (ENCRYPT_METHOD), UID and GID ranges for new accounts, login retry and timeout limits, and the default umask. Most of these values apply to accounts created after the change; existing accounts keep the aging fields already stored in /etc/shadow, so an audit also checks chage -l for each account.
    Answer: A is incorrect. In Unix, the /etc/logrotate.conf file configures the logrotate program used for managing log files.
    Answer: C is incorrect. In Unix, the /etc/magic file contains the descriptions of various file formats for the file command.
    Answer: D is incorrect. In Unix, the /etc/filesystems file is used to set the filesystem probe order when filesystems are mounted with the auto option.
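    As an added example (not from the original page), the following audits the settings /etc/login.defs applies to shadow-password accounts. The file contents and the thresholds are constructed for the example; the thresholds are an assumption, not values the page states, and should be replaced by the organisation's own baseline.

```python
# Added example, not code from the original page: audit the password-aging and
# login settings that /etc/login.defs applies to accounts using shadow
# passwords, against constructed thresholds.
import re
from typing import Dict

# Constructed login.defs excerpt for the example; not a file from any real host.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls (shadow passwords):
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
LOGIN_RETRIES   5
LOGIN_TIMEOUT   60
ENCRYPT_METHOD  DES
UMASK           022
"""

# Thresholds are assumptions for the example, not settings from the page.
CHECKS = {
    "PASS_MAX_DAYS": lambda v: int(v) <= 90,
    "PASS_MIN_DAYS": lambda v: int(v) >= 1,
    "PASS_MIN_LEN": lambda v: int(v) >= 14,
    "PASS_WARN_AGE": lambda v: int(v) >= 7,
    "LOGIN_RETRIES": lambda v: int(v) <= 5,
    "ENCRYPT_METHOD": lambda v: v.upper() in {"SHA512", "YESCRYPT"},
    "UMASK": lambda v: v in {"027", "077"},
}


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return {KEY: value} for each uncommented 'KEY value' line."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments, including trailing ones
        m = re.match(r"^(\S+)\s+(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_login_defs(text: str) -> Dict[str, str]:
    """Return {KEY: 'ok' | 'weak: <value>' | 'missing'} for every checked key."""
    settings = parse_login_defs(text)
    result: Dict[str, str] = {}
    for key, is_ok in CHECKS.items():
        if key not in settings:
            result[key] = "missing"          # the compiled-in default applies; verify it
        elif is_ok(settings[key]):
            result[key] = "ok"
        else:
            result[key] = f"weak: {settings[key]}"
    return result


if __name__ == "__main__":
    for key, verdict in audit_login_defs(SAMPLE_LOGIN_DEFS).items():
        print(f"{key:15} {verdict}")
```

    A missing key is not a pass: the shadow suite then uses its compiled-in default, which must be checked separately. Because login.defs mostly governs new accounts, pair this with chage -l on existing accounts.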
  3. You work as a Network Administrator for XYZ CORP. The company has a Windows Server 2008 network environment. The network is configured as a Windows Active Directory-based single forest single domain network. You have installed a Windows Server 2008 computer as the domain controller. The client computers of the company use the Windows XP Professional operating system. When a user logs on to a client computer, it gets authenticated by the domain controller. You want to audit the logon events that would be generated on the domain controller. Which of the following audit settings do you need to configure to accomplish the task?

    • Audit account management
    • Audit logon events
    • Audit directory service access
    • Audit account logon events
    Explanation:
    ‘Audit account logon events’ is one of the nine audit settings that can be configured on a Windows computer. It records an event on the computer that validates the credentials, which may be a different computer from the one the user is logging on to: when a user logs on to a Windows XP Professional workstation with a domain account, the workstation sends the credentials to a domain controller, and the account logon event is generated on that domain controller because it is the computer actually validating the user. On Windows Server 2008 the same events fall under the Account Logon category of the granular audit policy (Credential Validation, Kerberos Authentication Service and Kerberos Service Ticket Operations), which can be inspected with auditpol /get /category:"Account Logon".
    Answer: A is incorrect. Audit account management is one of the nine audit settings that can be configured on a Windows computer. This option is enabled to audit each event that is related to a user managing an account in the user database on the computer where the auditing is configured.
    These events include the following:
    – Creating a user account
    – Adding a user account to a group
    – Renaming a user account
    – Changing password for a user account
    This option is also used to audit the changes to the domain account of the domain controllers.
    Answer: C is incorrect. The ‘Audit directory service access’ option is enabled to capture the events that are related to the users accessing the Active Directory object which has been configured to track user access through the System Access Control List (SACL) of the object.
    Answer: B is incorrect. The ‘Audit logon events’ option audits each event related to a user logging on to, logging off from, or making a network connection to the computer on which the setting is configured, that is, the computer where the logon session is created. For an interactive logon at a workstation that is the Windows XP client, not the domain controller that validated the account.
  4. Which of the following types of servers are dedicated to provide resources to hosts on the network? (Choose three.)

    • Web servers
    • Monitoring servers
    • Mail servers
    • Default gateway servers
    • Print servers
    Explanation:
    Following types of servers are dedicated to provide resources to other hosts on the network:
    – Mail servers
    – Print servers
    – Web servers
    Default gateway does not provide resources to hosts on the network. Monitoring server is not a type of server.
  5. Mark works as a Network Administrator for We-are-secure Inc. He finds that the We-are-secure server has been infected with a virus. He presents to the company a report that describes the symptoms of the virus.
    A summary of the report is given below:
    This virus has a dual payload, as the first payload of the virus changes the first megabyte of the hard drive to zero. Due to this, the contents of the partition tables are deleted and the computer hangs. The second payload replaces the code of the flash BIOS with garbage values. This virus spreads under the Portable Executable File Format under Windows 95, Windows 98, and Windows ME.

    Which of the following viruses has the symptoms as the one described above?

    • I Love You
    • Nimda
    • Chernobyl
    • Melissa
    Explanation:
    The Chernobyl (CIH) virus is a good example of a dual payload virus. Since the first payload of the virus changes the first megabyte of a computer’s hard drive to zero, the contents of the partition tables are deleted, resulting in the computer hanging. The second payload of CIH replaces the code of the flash BIOS with garbage values so that the flash BIOS is unable to give a warning, the end result being that the user is incapable of changing the BIOS settings. CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME.
    Answer: A is incorrect. The I LOVE YOU virus is a VBScript virus in which a victim receives an e-mail titled “I Love You” with an attachment named “Love-Letter-For-You.txt.vbs”. When the victim opens this attachment, the virus script infects the victim’s computer. The virus first scans the system’s memory for passwords, which are sent back to the virus’s creator. Next, the virus replicates itself and sends a copy to each address in the victim’s Outlook address book. Finally, the virus corrupts files with the extensions .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, and .mp3 by overwriting them with a copy of itself.
    Answer: D is incorrect. The Melissa virus infects Word 97 documents and the NORMAL.DOT file of Word 97 and Word 2000. This macro virus resides in word documents containing one macro named as “Melissa”. The Melissa virus has the ability to spread itself very fast by using an e-mail. When the document infected by the Melissa virus is opened for the first time, the virus checks whether or not the user has installed Outlook on the computer. If it finds the Outlook, it sends e-mail to 50 addresses from the address book of the Outlook. This virus can spread only by using the Outlook. This virus is also known as W97M/Melissa, Kwyjibo, and Word97.Melissa.
    Answer: B is incorrect. Nimda is a mass mailing virus that spreads itself in attachments named README.EXE. It affects Windows 95, 98, ME, NT4, and Windows 2000 users. Nimda uses the Unicode exploit to infect IIS Web servers.
  6. You work as the Network Administrator for XYZ CORP. The company has a Unix-based network. You want to identify the list of users with special privileges along with the commands that they can execute. Which of the following Unix configuration files can you use to accomplish the task?

    • /proc/meminfo
    • /etc/sysconfig/amd
    • /proc/modules
    • /etc/sudoers
    Explanation:
    In Unix, the /etc/sudoers file contains the list of users (and groups, written with a leading %) with special privileges, together with the commands each may execute through sudo, on which hosts, as which target user, and whether a password is required (the NOPASSWD tag). Edit it only with visudo, which checks the syntax before saving; sudo -l -U username shows the effective rules for an account without reading the file by hand.
    Answer: A is incorrect. In Unix, the /proc/meminfo file shows information about the memory usage, both physical and swap.
    Answer: B is incorrect. In Unix, the /etc/sysconfig/amd file is the configuration file that is used to configure the auto mount daemon.
    Answer: C is incorrect. In Unix, the /proc/modules file shows the kernel modules that are currently loaded.
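    As an added example (not from the original page), the following extracts from a sudoers file who may run what, as whom, and flags the entries an auditor normally questions. The sudoers content and the list of shell-capable commands are constructed for the example; the parser handles the common one-line user specifications and Cmnd_Alias only, not #include directives, host aliases or line continuations.

```python
# Added example, not code from the original page: extract from a constructed
# /etc/sudoers who may run what, as whom, and flag the entries an auditor
# normally questions (ALL commands, NOPASSWD, commands that spawn a shell).
# It understands the common one-line user specifications and Cmnd_Alias only,
# not includes, host aliases or multi-line continuations.
import re
from typing import Dict, List, Tuple

# Constructed sudoers content for the example; not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Cmnd_Alias  BACKUP = /usr/bin/rsync, /bin/tar
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
backup      ALL=(root) NOPASSWD: BACKUP
deploy      ALL=(www-data) /usr/bin/systemctl restart app   # app restart only
dev         ALL=(ALL) NOPASSWD: /bin/bash
"""

# Commands that hand the caller an interactive shell or an editor with shell
# escapes; the set is an assumption for the example, extend it per host.
SHELL_CAPABLE = {"/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/vi", "/usr/bin/vim"}

USER_SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
CMND_ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
TAG = re.compile(r"^(?:(NOPASSWD|PASSWD):\s*)?(.*)$")


def parse_sudoers(text: str) -> List[Tuple[str, str, bool, List[str]]]:
    """Return (user, run_as, nopasswd, commands) per user specification."""
    aliases: Dict[str, List[str]] = {}
    specs: List[Tuple[str, str, bool, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line or line.startswith("Defaults"):
            continue
        alias = CMND_ALIAS.match(line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
            continue
        spec = USER_SPEC.match(line)
        if not spec:
            continue
        run_as = spec.group(2) or "root"              # sudo's default runas user
        tag = TAG.match(spec.group(3))
        commands: List[str] = []
        for cmd in tag.group(2).split(","):
            cmd = cmd.strip()
            commands.extend(aliases.get(cmd, [cmd]))  # expand Cmnd_Alias names
        specs.append((spec.group(1), run_as, tag.group(1) == "NOPASSWD", commands))
    return specs


def audit_sudoers(text: str) -> Dict[str, List[str]]:
    """Return {user: [finding, ...]}; an empty list means nothing was flagged."""
    findings: Dict[str, List[str]] = {}
    for user, run_as, nopasswd, commands in parse_sudoers(text):
        issues = findings.setdefault(user, [])
        if "ALL" in commands:
            issues.append(f"may run any command as {run_as}")
        if nopasswd:
            issues.append("NOPASSWD: no re-authentication before use")
        for cmd in commands:
            if cmd and cmd.split()[0] in SHELL_CAPABLE:
                issues.append(f"shell-capable command {cmd} as {run_as}")
    return findings


if __name__ == "__main__":
    for user, issues in audit_sudoers(SAMPLE_SUDOERS).items():
        print(f"{user:10} {'; '.join(issues) or 'nothing flagged'}")
```

    On a real host, compare the parser's view with sudo -l -U user for a sample of accounts, since sudoers semantics (aliases, negations, includes) are richer than this parser covers.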
  7. Which of the following statements about the <web-resource-collection> element are true?

    • It has <web-resource-name> as one of its sub-elements.
    • If there is no <http-method> sub-element, no HTTP method will be constrained.
    • It can have at the most one <url-pattern> sub-element.
    • It is a sub-element of the <security-constraint> element.
    Explanation:
    The <web-resource-collection> element is a sub-element of the <security-constraint> element and specifies the resources that will be constrained. Each <security-constraint> element should have one or more <web-resource-collection> sub-elements. The syntax of the <web-resource-collection> element is as follows:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>ResourceName</web-resource-name>
        <http-method>GET</http-method>
        <url-pattern>PatternName</url-pattern>
      </web-resource-collection>
    </security-constraint>
    The sub-elements of the <web-resource-collection> element are as follows:
    <web-resource-name>: This mandatory sub-element is the name of the Web resource collection.
    <description>: This is an optional sub-element that specifies a text description of the current security constraint.
    <http-method>: This optional sub-element names an HTTP method that the constraint covers. If none is given, the constraint applies to every HTTP method. If one or more are listed, methods that are not listed remain unconstrained, which is the HTTP verb tampering pitfall: listing only GET and POST leaves HEAD, PUT, DELETE and arbitrary method names open to unauthenticated callers. Servlet 3.0 added <http-method-omission> for the opposite case, constraining all methods except the named ones.
    <url-pattern>: This sub-element specifies the URL to which the security constraint applies. There should be at least one url-pattern element; otherwise, the <web-resource-collection> will be ignored.
    Answer: C is incorrect. The <web-resource-collection> element can have any number of <url-pattern> sub-elements.
    Answer: B is incorrect. If there is no <http-method> sub-element, the constraint applies to all HTTP methods, so every method is constrained rather than none.
  8. Which of the following processes are involved under the COBIT framework?

    • Managing the IT workforce.
    • Correcting all risk issues.
    • Conducting IT risk assessments.
    • Developing a strategic plan.
    Explanation:

    The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management, which provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. It has the following 11 processes:
    – Developing a strategic plan.
    – Articulating the information architecture.
    – Finding an optimal stage between the IT and the organization’s strategy.
    – Designing the IT function to match the organization’s needs.
    – Maximizing the return of the IT investment.
    – Communicating IT policies to the user’s community.
    – Managing the IT workforce.
    – Obeying external regulations, laws, and contracts.
    – Conducting IT risk assessments.
    – Maintaining a high-quality systems-development process.
    – Incorporating sound project-management techniques.

    Answer: B is incorrect. Correcting all risk issues does not come under auditing processes.

  9. Which of the following commands can be used to convert all lowercase letters of a text file to uppercase?

    • tac
    • tr
    • cat
    • less
    Explanation:
    You can use the tr command to convert all lowercase letters of a text file to uppercase. The tr command translates, squeezes, and/or deletes characters from standard input, writing to standard output. To change all lowercase letters to uppercase, use tr '[:lower:]' '[:upper:]' < file (or tr a-z A-Z); the bracket expressions should be quoted so the shell does not expand them as filename patterns, and the POSIX character classes also cover non-ASCII letters in the current locale. The tac, cat, and less commands only display, concatenate or reverse text; they cannot translate it from one form to another.
  10. You work as the Network Administrator for XYZ CORP. The company has a Linux-based network. You are a root user on the Red Hat operating system. You want to see first five lines of the file /etc/passwd. Which of the following commands should you use to accomplish the task?

    • head -n 5 /etc/passwd
    • head 5 -n /etc/passwd
    • tail -n 5 /etc/passwd
    • head /etc/passwd
    Explanation:
    The head -n 5 /etc/passwd command shows the first 5 lines of the file /etc/passwd. head 5 -n is not valid syntax (the count must follow -n), tail -n 5 /etc/passwd shows the last five lines, and head /etc/passwd with no option shows the first ten.
  11. In an IT organization, some specific tasks require additional detailed controls to ensure that the workers perform their job correctly. What do these detailed controls specify? (Choose three.)

    • How the department handles acquisitions, security, delivery, implementation, and support of IS services
    • How to lock a user account after unsuccessful logon attempts
    • How output data is verified before being accepted into an application
    • The way system security parameters are set
    Explanation:
    Some of the specific tasks require additional detailed controls to ensure that the workers perform their job correctly. These controls refer to some specific tasks or steps to be performed such as:
    – The way system security parameters are set.
    – How input data is verified before being accepted into an application.
    – How to lock a user account after unsuccessful logon attempts.
    – How the department handles acquisitions, security, delivery, implementation, and support of IS services.
    Answer: C is incorrect. Input data should be verified before being accepted into an application.
  12. You are tasked with creating an ACL to apply to Fa0/0 based on the following requirements:

    The ACL must be protocol specific.

    All traffic from host 10.10.45.2 and subnet 10.10.1.32/27 must be denied access through the router.

    Telnet and SSH must be denied for ALL hosts except the management host with the IP address of 10.10.0.100.

    This management host must not only have Telnet and SSH access, but access to any port in the TCP and UDP suite to any destination.

    HTTP, HTTPS, and DNS requests must be allowed for all hosts on subnets 10.10.2.0/24 and 10.10.3.0/24 to any destination.

    All remaining traffic must be denied.

    Cisco IOS applies an implied deny all at the end of an ACL.

    However, you must provide this configuration manually so that engineers can see hit counts on the deny all traffic when running the show ip access-lists command. Which of the following sets of commands will you choose to complete the configuration on Router A?

    • RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
      RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
      RouterA(config)#access-list 110 permit tcp host 10.10.0.100 any
      RouterA(config)#access-list 110 permit udp host 10.10.0.100 any
      RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
      RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
      RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
      RouterA(config)#access-list 110 deny ip any any
      RouterA(config)#interface fa0/0
      RouterA(config-if)#ip access-group 110 out
    • RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
      RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
      RouterA(config)#access-list 110 permit ip host 10.10.0.100 any
      RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
      RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
      RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
      RouterA(config)#access-list 110 deny ip any any
      RouterA(config)#interface fa0/0
      RouterA(config-if)#ip access-group 110 in
    • RouterA(config)#access-list 110 deny ip host 10.10.45.2 any
      RouterA(config)#access-list 110 deny ip 10.10.1.32 0.0.0.31 any
      RouterA(config)#access-list 110 permit tcp host 10.10.0.100 any
      RouterA(config)#access-list 110 permit udp host 10.10.0.100 any
      RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 80
      RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.1.255 any eq 443
      RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.1.255 any eq 53
      RouterA(config)#access-list 110 deny ip any any
      RouterA(config)#interface fa0/0
      RouterA(config-if)#ip access-group 110 in
    • RouterA(config)#access-list 99 deny ip host 10.10.45.2 any
      RouterA(config)#access-list 99 deny ip 10.10.1.32 0.0.0.31 any
      RouterA(config)#access-list 99 permit tcp host 10.10.0.100 any
      RouterA(config)#access-list 99 permit udp host 10.10.0.100 any
      RouterA(config)#access-list 99 permit tcp 10.10.2.0 0.0.1.255 any eq 80
      RouterA(config)#access-list 99 permit tcp 10.10.2.0 0.0.1.255 any eq 443
      RouterA(config)#access-list 99 permit udp 10.10.2.0 0.0.1.255 any eq 53
      RouterA(config)#access-list 99 deny ip any any
      RouterA(config)#interface fa0/0
      RouterA(config-if)#ip access-group 99 in
    Explanation:
    The correct set is the third one. It is an extended ACL (number 110, in the 100 to 199 range), which is what the protocol-specific requirement demands: a standard ACL such as 99 (the fourth option) filters on source address only and cannot match TCP, UDP or port numbers. It is applied to Fa0/0 in the appropriate direction, in, which matches traffic entering the router from the hosts; the first option applies the same list outbound, where it would not filter that traffic at ingress. The second option grants the management host permit ip, which also admits ICMP and every other IP protocol and so exceeds the stated requirement of any TCP or UDP port; separate tcp and udp lines match the requirement exactly. The explicit deny ip any any duplicates the implicit deny that IOS appends, but it gives engineers a hit counter for denied traffic in show ip access-lists.
    The ACL covers subnets 10.10.2.0/24 and 10.10.3.0/24 with one line each for HTTP, HTTPS and DNS by using the summary 10.10.2.0 with the wildcard mask 0.0.1.255. A wildcard bit set to 1 means the corresponding address bit is ignored, so 0.0.1.255 matches the range 10.10.2.0 through 10.10.3.255, which is exactly the two subnets. This works only because the two networks are adjacent and aligned on a /23 boundary.
    Note: If the network numbers were not adjacent, for example 10.10.2.0/24 and 10.10.20.0/24, then the wildcard mask 0.0.1.255 would be incorrect (it would still match 10.10.3.0/24 and would miss 10.10.20.0/24). Each subnet would then need its own lines with the wildcard mask 0.0.0.255. Only the relevant commands are displayed:
    RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.0.255 any eq 80
    RouterA(config)#access-list 110 permit tcp 10.10.2.0 0.0.0.255 any eq 443
    RouterA(config)#access-list 110 permit udp 10.10.2.0 0.0.0.255 any eq 53
    RouterA(config)#access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 80
    RouterA(config)#access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 443
    RouterA(config)#access-list 110 permit udp 10.10.20.0 0.0.0.255 any eq 53
    Caveat: as written, the ACL permits DNS over UDP only. DNS responses too large for a single UDP datagram and zone transfers use TCP port 53, so a production version of this list usually also needs permit tcp 10.10.2.0 0.0.1.255 any eq 53.
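    As an added example (not part of the original page), the following evaluates the ACL from the correct answer against constructed packets, one per requirement, and implements the wildcard-mask comparison IOS performs. The ACL lines are the page's; the evaluator, the sample packets and their addresses are constructed for the example, and the evaluator models only what this ACL uses (protocol, source, destination, destination port eq).

```python
# Added example, not code from the original page: evaluate the extended ACL
# from the answer against constructed packets to confirm each requirement,
# and show the wildcard-mask arithmetic. Only the ACL syntax this list uses
# is modelled: <action> <proto> <src> <dst> [eq <port>].
import ipaddress
from typing import Dict, List, Optional, Tuple

ACL_110 = """\
deny ip host 10.10.45.2 any
deny ip 10.10.1.32 0.0.0.31 any
permit tcp host 10.10.0.100 any
permit udp host 10.10.0.100 any
permit tcp 10.10.2.0 0.0.1.255 any eq 80
permit tcp 10.10.2.0 0.0.1.255 any eq 443
permit udp 10.10.2.0 0.0.1.255 any eq 53
deny ip any any
"""

Addr = Tuple[str, str]                       # (network, wildcard)
Entry = Tuple[str, str, Addr, Addr, Optional[int]]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard: bits set to 1 are 'don't care', so compare only the 0 bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address term: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        action, proto = t[0], t[1]
        src, rest = _parse_addr(t[2:])
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; 'ip' matches every protocol; implicit deny at the end."""
    for action, p, (snet, swc), (dnet, dwc), port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"                            # the implicit deny IOS appends


def check_requirements() -> Dict[str, str]:
    """Constructed packets (proto, src, dst, dport) keyed by the requirement they exercise."""
    acl = parse_acl(ACL_110)
    cases = {
        "host 10.10.45.2 blocked":        ("tcp", "10.10.45.2", "192.0.2.10", 80),
        "10.10.1.32/27 blocked":          ("udp", "10.10.1.40", "192.0.2.53", 53),
        "mgmt host ssh":                  ("tcp", "10.10.0.100", "10.10.2.1", 22),
        "mgmt host any udp":              ("udp", "10.10.0.100", "192.0.2.1", 161),
        "10.10.2.0/24 https":             ("tcp", "10.10.2.25", "192.0.2.10", 443),
        "10.10.3.0/24 dns udp":           ("udp", "10.10.3.200", "192.0.2.53", 53),
        "10.10.3.0/24 telnet":            ("tcp", "10.10.3.200", "192.0.2.10", 23),
        "10.10.4.0/24 http (not listed)": ("tcp", "10.10.4.7", "192.0.2.10", 80),
        "10.10.2.0/24 dns over tcp":      ("tcp", "10.10.2.25", "192.0.2.53", 53),
        "mgmt host icmp":                 ("icmp", "10.10.0.100", "192.0.2.1", 0),
    }
    return {name: evaluate(acl, *pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_requirements().items():
        print(f"{verdict:6} {name}")
```

    Two results are worth noting. DNS over TCP from the user subnets is denied, which is the caveat above in executable form. An ICMP ping from the management host is also denied, because the list permits only tcp and udp for that host; replacing those two lines with permit ip, as the second option does, would let it through and would exceed the requirement.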
  13. Which of the following statements about system hardening are true? (Choose two.)

    • It is used for securing the computer hardware.
    • It can be achieved by installing service packs and security updates on a regular basis.
    • It can be achieved by locking the computer room.
    • It is used for securing an operating system.
    Explanation:
    System hardening is a term used for securing an operating system. It can be achieved by installing the latest service packs and security updates, removing unused protocols and services, and limiting the number of users with administrative privileges. Locking the computer room is a physical security control, not hardening, and hardening does not secure the hardware itself.
  14. Which of the following are known as safety critical software?

    • Software that is used to apply a critical decision-making process
    • Software that manages safety critical data including display of safety critical information
    • Software that intervenes when a safe condition is present or is about to happen
    • Software that is used to create safety critical functions
    Explanation:
    The following types of software are safety critical software:
    – Software that is used to apply a critical decision-making process
    – Software that is used to manage or monitor safety critical functions
    – Software that intervenes when an unsafe condition is present or is about to happen
    – Software that executes on the same target system as safety critical software
    – Software that impacts the systems on which safety critical software runs
    – Software that manages safety critical data including display of safety critical information
    – Software that is used to validate and verify safety critical software
    Answer: D is incorrect. Software that is used to manage or monitor safety critical functions is known as safety critical software.
    Answer: C is incorrect. Software that intervenes when an unsafe condition is present or is about to happen is known as safety critical software.
  15. Which of the following wireless security standards supported by Windows Vista provides the highest level of security?

    • WPA-EAP
    • WEP
    • WPA-PSK
    • WPA2
    Explanation:
    WPA2 is the updated version of WPA and is the Wi-Fi Alliance certification for the full IEEE 802.11i standard, using AES-CCMP where WPA used TKIP. It offers stronger protection than the WPA and WEP standards. Like WPA, it is available as WPA2-PSK for home environments and WPA2-EAP for enterprise environments.
    Answer: B is incorrect. WEP (Wired Equivalent Privacy) is the weakest of the four; its RC4 keying with a 24-bit IV is broken and the key can be recovered from captured traffic. Windows Vista supports both WPA-PSK and WPA-EAP. Each of these is described as follows:
    – WPA-PSK: PSK stands for Pre-Shared Key. This mode is meant for home environments. WPA-PSK requires a user to enter an 8- to 63-character passphrase into the wireless client; WPA converts the passphrase, salted with the SSID, into a 256-bit key, so the security of the network rests on the strength of the passphrase.
    – WPA-EAP: EAP stands for Extensible Authentication Protocol. This mode relies on a back-end server that runs Remote Authentication Dial-In User Service (RADIUS) for per-user authentication. Note: Windows Vista allows a user to use a smart card to connect to a WPA-EAP protected network.
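    As an added example (not from the original page), the following shows the conversion of the WPA/WPA2-PSK passphrase into the 256-bit key, which IEEE 802.11i defines as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes of output, and why that makes the passphrase the whole secret: anyone holding a captured 4-way handshake can test guesses offline. The wordlist is constructed; the "password"/"IEEE" pair is the published 802.11i Annex H test vector. The guessing function is a model of the attack cost, not a handshake cracker.

```python
# Added example, not code from the original page: how WPA/WPA2-PSK turns the
# 8 to 63 character passphrase into the 256-bit pre-shared key. IEEE 802.11i
# defines PSK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes).
import hashlib
from typing import List, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK the same way wpa_passphrase and client drivers do."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def guess_passphrase(ssid: str, target_psk: bytes, candidates: List[str]) -> Optional[str]:
    """Model of the offline attack on a captured 4-way handshake: each candidate
    costs one PBKDF2 run and needs no further contact with the network. Comparing
    PSKs here stands in for the MIC check an attacker performs on the handshake."""
    for candidate in candidates:
        if wpa_psk(candidate, ssid) == target_psk:
            return candidate
    return None


if __name__ == "__main__":
    # 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    # Constructed wordlist; "password" is found after two PBKDF2 evaluations.
    print(guess_passphrase("IEEE", wpa_psk("password", "IEEE"), ["letmein1", "password"]))
```

    Because the salt is only the SSID, keys for common SSIDs can be precomputed, and 4096 iterations of SHA-1 are cheap on modern hardware; a short dictionary passphrase therefore offers little protection even under WPA2. The same derivation is used by WPA2-PSK, so the standard chosen matters less than the passphrase when PSK mode is used.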
  16. The Security Auditor’s Research Assistant (SARA) is a third generation network security analysis tool. Which of the following statements are true about SARA? (Choose two.)

    • It operates under Unix, Linux, MAC OS/X, or Windows (through coLinux) OS.
    • It cannot be used to perform exhaustive XSS tests.
    • It cannot be used to perform SQL injection tests.
    • It supports plug-in facility for third party apps.
    Explanation:

    The Security Auditor’s Research Assistant (SARA) is a third generation network security analysis tool. It has the following functions:
    – It operates under Unix, Linux, MAC OS/X, or Windows (through coLinux) OS.
    – It integrates the National Vulnerability Database (NVD).
    – It can be used to perform SQL injection tests.
    – It can be used to perform exhaustive XSS tests.
    – It can be adapted to multiple firewalled environments.
    – It supports remote self scan and API facilities.
    – It is used for CIS benchmark initiatives.
    – It also supports plug-in facility for third party apps.
    – It supports CVE standards.
    – It works as an enterprise search module.
    – It works in both standalone or demo mode.

    Answer: C is incorrect. SARA can be used to perform SQL injection tests.
    Answer: B is incorrect. SARA can be used to perform exhaustive XSS tests.

  17. You work as a Desktop Support Technician for XYZ CORP. The company uses a Windows-based network comprising 50 Windows XP Professional computers. You want to include the Safe Mode with Command Prompt feature into the boot.ini file of a Windows XP Professional computer.

    Which of the following switches will you use?

    • /safeboot:network /sos /bootlog /noguiboot
    • /safeboot:minimal /sos /bootlog /noguiboot
    • /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
    • /safeboot:dsrepair /sos
    Explanation:
    Safe-mode boot switches in Boot.ini select the safe-boot variants that are otherwise chosen by pressing F8 during startup, so the boot can be automated without the F8 menu. /safeboot:minimal(alternateshell) starts Safe Mode with Command Prompt: it loads the minimal driver set and runs the shell named under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell (cmd.exe) instead of Explorer. /safeboot:minimal is plain Safe Mode, /safeboot:network is Safe Mode with Networking, and /safeboot:dsrepair is Directory Services Restore Mode, which applies only to domain controllers. /sos lists drivers as they load, /bootlog writes the load log to Ntbtlog.txt, and /noguiboot suppresses the graphical boot screen.
  18. Which of the following Web authentication techniques uses a single sign-on scheme?

    • NTLM authentication
    • Digest authentication
    • Microsoft Passport authentication
    • Basic authentication
    Explanation:
    Microsoft Passport authentication is based on single sign-on authentication in which a user needs to remember only one username and password to be authenticated for multiple services. The Passport is a suite of services for authenticating users across a number of applications. The Passport single sign-on service is an authentication service allowing users to create a single set of credentials that will enable them to sign in to any participating site that supports the Passport service. It enables the use of one set of credentials to access any Passport-enabled site such as MSN, Hotmail, and MSN Messenger.
  19. Which of the following features of a switch helps to protect network from MAC flood and MAC spoofing?

    • Multi-Authentication
    • Port security
    • MAC Authentication Bypass
    • Quality of Service (QoS)
    Explanation:
    Port security limits the number of source MAC addresses a switch port will learn and can bind the port to specific addresses (configured statically or learned with sticky mode). A MAC flood that pushes thousands of bogus source addresses through one port exceeds the limit and triggers the configured violation action (protect, restrict or shutdown) instead of filling the CAM table and turning the switch into a hub; a frame whose spoofed source MAC is not among the permitted addresses is likewise treated as a violation. Enabling port security therefore helps protect the network from both MAC flooding and MAC spoofing.
    Answer: D is incorrect. Quality of Service (QoS) feature is useful for prioritizing VOIP traffic. Switches are offering the ability to assign a device a Quality of Service (QoS) value or a rate limiting value based on the RADIUS response.
    Answer: A is incorrect. Multi-Authentication feature is used to allow multiple devices to use a single port.
    Answer: C is incorrect. MAC Authentication Bypass feature is used to allow the RADIUS server to specify the default VLAN/ACL for every device that doesn’t authenticate by 802.1X.
  20. You work as a Security Manager for Qualoxizz Inc. Your company has a number of network switches in its site network infrastructure. Which of the following actions will you perform to ensure the security of the switches in your company?

    • Open up all the unused management ports.
    • Set similar passwords for each management port.
    • Set long session timeouts.
    • Ignore usage of the default account settings.
    Explanation:
    A switch with a management port using a default user account permits an attacker to intrude inside by making connections using one or more of the well-known default user accounts (e.g., administrator, root, security). Therefore, the default account settings should not be used.
    Answer: A is incorrect. Unused management ports on a switch should always be disabled or blocked; an open but unused management interface is extra attack surface that an attacker can discover by port scanning and then probe.
    Answer: B is incorrect. Setting similar passwords on all management ports increases the vulnerability of password cracking. The matching passwords on all ports can be used by the attacker to break into all ports once the password of one of the ports is known.
    Answer: C is incorrect. Short timeout sessions should always be set to reduce the session period. If the connections to a management port on a switch do not have a timeout period set or have a large timeout period (greater than 9 minutes), then the connections will be more available for an attacker to hijack them.