[GIAC] GIAC - GSEC Exam Dumps & Study Guide

Free [GIAC] GIAC - GSEC Practice Questions Preview

• Question 1

  Which of the following are advantages of Network Intrusion Detection Systems (NIDS)?
  

  • A. B, C, and D
  • B. A, C, and E
  • C. B, D, and E
  • D. A, B, and C
  • E. Inexpensive to manage

  Correct Answer: C

  Explanation:

  I agree with the suggested answer C, though it relies on the context provided in the community discussion since the original question body was truncated. Based on the clarified options, statements B, D, and E represent classic advantages of a Network Intrusion Detection System (NIDS), such as providing visibility into traffic and being generally cost-effective compared to widespread HIDS deployment.

  Reason

  The correct option (B, D, and E) is right because: B (Provide insight into network traffic) is a primary function of NIDS, allowing administrators to see what is traversing the wire. D (Provide logs for other security measures) highlights how NIDS data feeds into SIEMs and incident response forensics. E (Inexpensive to manage) refers to the fact that a single NIDS sensor can monitor hundreds of hosts, making it more cost-effective and easier to maintain than installing and managing individual agents on every single host (HIDS).

  Why the other options are not as suitable

  • Option A is incorrect because it includes statement A (Analysis of encrypted traffic); NIDS typically cannot inspect the payload of encrypted packets without a decryption proxy or man-in-the-middle solution, making this a known limitation rather than an advantage.
  • Option B is incorrect because it includes statement A, which is a technical limitation of NIDS, not an advantage.
  • Option D is incorrect because it includes statement A and excludes statement E, failing to capture the management efficiency advantage inherent to network-based detection.

  Citations

  • https://www.nist.gov/publications/guide-intrusion-detection-and-prevention-systems-idps
  • https://www.giac.org/certifications/security-essentials-gsec/

• Question 2

  Which of the following protocols is used by a host that knows its own MAC (Media Access Control) address to query a server for its own IP address?
  

  • A. RARP
  • B. ARP
  • C. DNS
  • D. RDNS

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. RARP (Reverse Address Resolution Protocol) is specifically designed for diskless workstations or devices that know their hardware (MAC) address upon booting but need to discover their assigned IP address from a centralized server.

  Reason

  Option A is correct because RARP (Reverse Address Resolution Protocol) functions as the functional inverse of ARP; it broadcasts a request containing its own MAC address, and a RARP server responds with the corresponding IP address assigned to that hardware.

  Why the other options are not as suitable

  • Option B is incorrect because ARP (Address Resolution Protocol) is used when a host knows an IP address and needs to find the corresponding MAC address for local delivery.
  • Option C is incorrect because DNS (Domain Name System) maps human-readable domain names (like www.google.com) to IP addresses, not MAC addresses to IP addresses.
  • Option D is incorrect because RDNS (Reverse DNS) is a process used to resolve a known IP address back into a domain name (PTR record), which is unrelated to hardware address resolution.

  Citations

  • https://datatracker.ietf.org/doc/html/rfc903
  • https://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml

• Question 3

  What is the motivation behind SYN/FIN scanning?
  

  • A. The SYN/FIN combination is useful for signaling to certain Trojans.
  • B. SYN/FIN packets are commonly used to launch denial of service attacks against BSD hosts.
  • C. The crafted SYN/FIN packet sometimes gets past firewalls and filtering routers.
  • D. A SYN/FIN packet is used in session hijacking to take over a session.

  Correct Answer: C

  Explanation:

  I agree with the suggested answer C. SYN/FIN scanning is a technique designed to exploit inconsistencies in how different firewalls and intrusion detection systems (IDS) handle invalid TCP flag combinations.

  Reason

  Option C is correct because a SYN/FIN packet is a violation of the RFC 793 TCP specification. Many older or poorly configured firewalls and routers are designed to look for only one flag at a time or might allow the packet through because it does not match a standard 'danger' profile (like a pure SYN for a new connection). This allows the scanner to bypass security filters to determine if a port is open.

  Why the other options are not as suitable

  • Option A is incorrect because while some malware uses custom flags for communication, the specific SYN/FIN combination is primarily a scanning technique rather than a standard signaling protocol for Trojans.
  • Option B is incorrect because while malformed packets can cause issues on some systems, SYN/FIN is not a recognized or common method for specifically targeting BSD hosts in a Denial of Service (DoS) capacity.
  • Option D is incorrect because session hijacking usually involves sequence number prediction or man-in-the-middle (MITM) attacks to take over an existing connection; it does not rely on the initial SYN/FIN scanning flags.

  Citations

  • https://nmap.org/book/man-port-scanning-techniques.html
  • https://datatracker.ietf.org/doc/html/rfc793

• Question 4

  There is not universal agreement on the names of the layers in the TCP/IP networking model. Which of the following is one of the functions of the bottom layer which is sometimes called the Network Access or Link Layer?
  

  • A. Provides end-to-end data delivery service for user applications
  • B. Handles the routing of the data packets over the network
  • C. Manages IP addressing and encryption for data packets
  • D. Defines the procedures for interfacing with Ethernet devices

  Correct Answer: D

  Explanation:

  I agree with the suggested answer D. The Network Access Layer (also known as the Link Layer or Network Interface Layer) is the lowest level of the TCP/IP stack and is responsible for the physical transmission of data and the protocols used to communicate with local network hardware.

  Reason

  Option D is correct because the Network Access Layer provides the interface between the software-defined networking stack and the physical hardware. It defines how data frames are formatted for specific physical media, such as Ethernet (IEEE 802.3), Wi-Fi (IEEE 802.11), or Fiber Optics, allowing the operating system to send bits across a wire or through the air.

  Why the other options are not as suitable

  • Option A is incorrect because providing end-to-end data delivery is the primary function of the Transport Layer (Layer 4), utilizing protocols like TCP or UDP.
  • Option B is incorrect because routing data packets across different networks is the responsibility of the Internet Layer (equivalent to the OSI Network Layer).
  • Option C is incorrect because IP addressing is handled at the Internet Layer, and while encryption can happen at various levels (like IPsec at the Internet layer or TLS at the Application layer), it is not a defining characteristic of the bottom Network Access Layer.

  Citations

  • https://datatracker.ietf.org/doc/html/rfc1122
  • https://www.sans.org/white-papers/626/

• Question 5

  Which of the following is a private, RFC 1918 compliant IP address that would be assigned to a DHCP scope on a private LAN?
  

  • A. 127.0.0.100
  • B. 169.254.1.50
  • C. 10.254.1.50
  • D. 172.35.1.100

  Correct Answer: C

  Explanation:

  I agree with the suggested answer C. It is the only IP address listed that falls within the designated private address ranges defined by RFC 1918 and is suitable for a standard DHCP scope on a private network.

  Reason

  Option C (10.254.1.50) is correct because it falls within the 10.0.0.0/8 range (10.0.0.0 to 10.255.255.255), which is one of the three blocks reserved by RFC 1918 for private internet use. These addresses are not routable on the public internet and are intended for internal LAN use.

  Why the other options are not as suitable

  • Option A is incorrect because 127.0.0.100 is part of the 127.0.0.0/8 block reserved for loopback testing and internal host communications; these addresses are not assigned to network interfaces via DHCP for LAN communication.
  • Option B is incorrect because 169.254.1.50 is an APIPA (Automatic Private IP Addressing) or Link-Local address; while private, it is defined under RFC 3927 rather than RFC 1918 and is used only when a DHCP server is unavailable.
  • Option D is incorrect because 172.35.1.100 is a public IP address; the RFC 1918 range for the 172 prefix ends at 172.31.255.255 (172.16.0.0/12).

  Citations

  • https://datatracker.ietf.org/doc/html/rfc1918
  • https://datatracker.ietf.org/doc/html/rfc3927
  • https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml

• Question 6

  When using Pretty Good Privacy (PGP) to digitally sign a message, the signature is created in a two-step process. First, the message to be signed is submitted to
  PGP's cryptographic hash algorithm. What is one of the hash algorithms used by PGP for this process?
  

  • A. Blowfish
  • B. DES
  • C. SHA-l
  • D. Cast

  Correct Answer: C

  Explanation:

  I agree with the suggested answer C. In the context of PGP (Pretty Good Privacy) and the GSEC curriculum, SHA-1 is a historically significant and widely supported cryptographic hash algorithm used for creating digital signatures.

  Reason

  Option C is correct because SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that produces a 160-bit hash value. In the PGP digital signature process, the message is first hashed (often using SHA-1 or members of the SHA-2 family) to create a message digest, which is then encrypted with the sender's private key.

  Why the other options are not as suitable

  • Option A is incorrect because Blowfish is a symmetric-key block cipher used for data encryption, not a hashing algorithm.
  • Option B is incorrect because DES (Data Encryption Standard) is an older symmetric-key algorithm used for encryption and is not a hash function.
  • Option D is incorrect because CAST (specifically CAST-128 or CAST5) is a symmetric-key block cipher used by PGP for bulk data encryption, not for generating message digests.

  Citations

  • https://datatracker.ietf.org/doc/html/rfc4880
  • https://www.giac.org/certifications/security-essentials-gsec/

• Question 7

  You are the security director for an off-shore banking site. From a business perspective, what is a major factor to consider before running your new vulnerability scanner against the company's business systems?
  

  • A. It may harm otherwise healthy systems.
  • B. It may produce false negative results.
  • C. It may generate false positive results.
  • D. It may not return enough benefit for the cost.

  Correct Answer: C

  Explanation:

  I disagree with the suggested answer C and believe that Option A is the correct choice from a business perspective in a GSEC/SANS context.

  Reason

  Option A is correct because the primary business concern when scanning production systems, especially critical ones like an off-shore bank, is the risk of causing a Denial of Service (DoS) or crashing legacy/fragile services. In the SANS/GSEC curriculum, ensuring system availability and preventing operational downtime is the highest priority for a Security Director before initiating active scanning.

  Why the other options are not as suitable

  • Option A is correct for the reasons stated above.
  • Option B is incorrect because while false negatives represent a security gap, they do not pose an immediate business risk to existing operations in the same way a system crash does.
  • Option C is incorrect because false positives are an administrative burden and an efficiency issue, but they do not typically halt business operations or impact the bottom line as severely as system downtime.
  • Option D is incorrect because the cost-benefit analysis is usually performed during the procurement phase; the immediate concern before running a scan is the operational impact on the systems being scanned.

  Citations

  • https://www.giac.org/certifications/security-essentials-gsec/
  • https://www.sans.org/cyber-security-courses/security-essentials-network-endpoint-cloud/

• Question 8

  Which of the following is a benefit to utilizing Cygwin for Windows?
  

  • A. The ability to install a complete Red Hat operating system Install on Windows.
  • B. The ability to bring much more powerful scripting capabilities to Windows.
  • C. The ability to run a production Apache server.
  • D. The ability to install a complete Ubuntu operating system install on Windows.

  Correct Answer: A

  Explanation:

  I disagree with the suggested answer A and agree with the community consensus that B is the correct choice. Cygwin is a runtime environment that provides a Linux-like interface and shell (Bash), which significantly enhances Windows scripting capabilities, but it does not install a full, standalone Linux operating system.

  Reason

  Option B is correct because Cygwin provides a large collection of GNU and Open Source tools that provide functionality similar to a Linux distribution on Windows. Its primary benefit is the inclusion of the Bash shell and standard Unix utilities (like grep, sed, and awk), which brings much more powerful scripting capabilities to the Windows environment than the native Command Prompt or even basic PowerShell scripts.

  Why the other options are not as suitable

  • Option A is incorrect because Cygwin is not a method for installing a complete Red Hat operating system; it is a compatibility layer and set of tools that run on top of Windows.
  • Option C is incorrect because while Apache can be compiled and run under Cygwin, it is not recommended or standard practice for production environments, which would typically use a native Windows port or a dedicated Linux server.
  • Option D is incorrect because Cygwin does not provide a complete Ubuntu installation; functionality like that is the domain of the Windows Subsystem for Linux (WSL), which is a different technology.

  Citations

  • https://www.cygwin.com/
  • https://www.giac.org/certifications/security-essentials-gsec/

• Question 9

  What technical control provides the most critical layer of defense if an intruder is able to bypass all physical security controls and obtain tapes containing critical data?
  

  • A. Camera Recordings
  • B. Security guards
  • C. Encryption
  • D. Shredding
  • E. Corrective Controls

  Correct Answer: C

  Explanation:

  I agree with the suggested answer C (Encryption). In a defense-in-depth strategy, when physical controls (the outermost layers) fail, technical controls that protect the data itself—such as encryption—become the final and most critical line of defense for maintaining confidentiality.

  Reason

  Option C is correct because Encryption ensures that even if the physical media (tapes) are stolen, the data remains unreadable and unusable without the corresponding cryptographic key. It specifically addresses the risk of data compromise after a physical breach.

  Why the other options are not as suitable

  • Option A is incorrect because Camera Recordings are a detective control; they may document the theft, but they do not prevent the intruder from reading the data on the tapes.
  • Option B is incorrect because Security guards are a physical/administrative control that has already been bypassed according to the question's premise.
  • Option D is incorrect because Shredding is a disposal process; you cannot shred tapes that have already been stolen.
  • Option E is incorrect because Corrective Controls are designed to remediate impact after an incident occurs, whereas encryption provides an active technical barrier to the data's contents during the incident.

  Citations

  • https://www.giac.org/certifications/security-essentials-gsec/
  • https://content.sans.org/whitepapers/defense-in-depth-strategic-security-605

• Question 10

  Two clients connecting from the same public IP address (for example - behind the same NAT firewall) can connect simultaneously to the same web server on the
  Internet, provided what condition is TRUE?
  

  • A. The server is not using a well-known port.
  • B. The server is on a different network.
  • C. The client-side source ports are different.
  • D. The clients are on different subnets.

  Correct Answer: C

  Explanation:

  I agree with the suggested answer C. In a networking context, a unique connection is defined by a 5-tuple: Source IP, Source Port, Destination IP, Destination Port, and Protocol. Since the public IP (Source IP), Destination IP, and Destination Port (typically 80 or 443 for web) are identical for both clients, the Source Port must be unique for the server to distinguish between the two sessions.

  Reason

  Option C is correct because TCP/IP sessions are demultiplexed using the source port when multiple internal hosts share a single public IP via NAT/PAT (Port Address Translation). Each client's traffic is mapped to a unique source port on the firewall, allowing the server to maintain separate state tables for each connection.

  Why the other options are not as suitable

  • Option A is incorrect because the server can use any port; using a well-known port (like 443) does not prevent multiple connections, as the uniqueness is determined by the client's side of the 5-tuple.
  • Option B is incorrect because the physical or logical location of the server's network does not resolve the session collision issue created by identical IP addresses.
  • Option D is incorrect because the server only sees the Public IP address of the NAT gateway; whether the clients are on the same or different internal subnets is irrelevant to the server's ability to differentiate the traffic once it has been translated to the same public source IP.

  Citations

  • https://datatracker.ietf.org/doc/html/rfc3022
  • https://datatracker.ietf.org/doc/html/rfc793