[GIAC] GIAC - GSLC Exam Dumps & Study Guide

Free [GIAC] GIAC - GSLC Practice Questions Preview

• Question 1

  Which system is designed to analyze, detect, and report on security-related events?
  

  • A. HIPS
  • B. NIPS
  • C. NIDS
  • D. HIDS

  Correct Answer: B

  Explanation:

  I disagree with the suggested answer B and agree with the community choice C. The question focuses on a system designed to analyze, detect, and report. While Prevention systems (IPS) include detection capabilities, the fundamental definition of a Detection system (IDS) is to monitor and alert without active intervention.

  Reason

  Option C is the most accurate choice because a Network Intrusion Detection System (NIDS) is specifically designed to monitor network traffic, analyze it for suspicious patterns, detect potential threats, and report (alert) administrators. Its primary function is visibility rather than mitigation.

  Why the other options are not as suitable

  • Option A is incorrect because a Host Intrusion Prevention System (HIPS) is designed to actively block or prevent attacks at the host level, which goes beyond the 'report' scope of the question.
  • Option B is incorrect because a Network Intrusion Prevention System (NIPS) is an active device designed to sit in-line and drop malicious packets; while it detects, its primary purpose is prevention.
  • Option D is incorrect because while a Host Intrusion Detection System (HIDS) also analyzes and reports, it is localized to a single host's logs and events rather than the broader network-level analysis typically implied in general security event reporting contexts, though NIDS is the more traditional answer for broad 'security-related event' monitoring in GIAC curriculum.

  Citations

  • https://www.giac.org/certifications/security-leadership-gslc/
  • https://www.nist.gov/publications/guide-intrusion-detection-and-prevention-systems-idps

• Question 2

  What can be determined from the NIST SP800-53 related screenshot below?
  

  • A. Previous Logon (Access) Notification is required in all baselines
  • B. Account Management must be implemented before Unsuccessful Logon Attempts
  • C. Session Lock has the most control enhancements
  • D. Account Management must be implemented before Separation of Duties

  Correct Answer: D

  Explanation:

  I disagree with the suggested answer D and agree with the community choice B. The screenshot displays a list of NIST SP 800-53 controls with a Priority column. In NIST guidance, the priority code (P1, P2, P3) indicates the recommended sequencing for implementation, where P1 has the highest priority and should be implemented before P2 and P3. Account Management is P1 and Unsuccessful Logon Attempts is P2, making B the logically correct determination based solely on the provided image.

  Reason

  Option B is correct because Account Management (AC-2) is assigned a priority of P1, while Unsuccessful Logon Attempts (AC-7) is assigned a priority of P2. According to NIST SP 800-53 (specifically in earlier revisions like Rev 4 where these priority codes were prominent), higher priority controls (P1) are intended to be implemented before lower priority ones (P2, P3) to establish a foundational security posture.

  Why the other options are not as suitable

  • Option A is incorrect because the table shows Previous Logon (Access) Notification (AC-9) is Not selected for the Low and High baselines, and Not selected (implied by the empty/not selected status) for Moderate.
  • Option C is incorrect because Account Management (AC-2) clearly shows the most control enhancements, specifically reaching up to (13) in the High baseline, whereas Session Lock (AC-11) only has (1).
  • Option D is incorrect because both Account Management and Separation of Duties are P1; while both are high priority, the priority coding alone does not establish a requirement for one P1 to be implemented before another P1 in the same way it does for a P1 vs a P2.

  Citations

  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

• Question 3

  Which of the following provides security by implementing authentication and encryption on Wireless LAN (WLAN)?
  

  • A. WEP
  • B. WAP
  • C. L2TP
  • D. IPSec

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. While WEP (Wired Equivalent Privacy) is technically deprecated and considered insecure by modern standards, it is the only option listed that is a native WLAN (802.11) security protocol specifically designed to provide both authentication and encryption for wireless traffic.

  Reason

  Option A is correct because WEP was the original security protocol for 802.11 wireless networks. It uses the RC4 stream cipher for encryption and provides mechanisms for both Open System and Shared Key authentication to secure the wireless link.

  Why the other options are not as suitable

  • Option B is incorrect because WAP (Wireless Application Protocol) is a technical standard for accessing information over a mobile wireless network, not a WLAN security or encryption protocol.
  • Option C is incorrect because L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used to support VPNs; while it can be used over a wireless connection, it is not a WLAN-specific security standard.
  • Option D is incorrect because IPSec (Internet Protocol Security) is a suite of protocols used to secure IP communications at the network layer (Layer 3), typically for VPNs, rather than being a native WLAN data link layer security mechanism.

  Citations

  • https://standards.ieee.org/ieee/802.11/7030/
  • https://csrc.nist.gov/publications/detail/sp/800-97/final

• Question 4

  At which stage of the Security Awareness Maturity Model is annual training first implemented?

  • A. Long-term sustainment and cultural change
  • B. Metrics framework
  • C. Compliance-focused
  • D. Promoting awareness and behavioral change

  Correct Answer: D

  Explanation:

  I disagree with the suggested answer D and agree with the community choice C. The SANS Security Awareness Maturity Model identifies the Compliance-Focused stage as the first level where a program is formal enough to implement annual training and newsletters to meet regulatory or audit requirements.

  Reason

  Option C is correct because the Compliance-Focused stage is characterized by the organization moving beyond having no program at all to establishing a baseline of activity. This stage typically involves 'checking the box' for audit requirements, which is primarily achieved through annual training and intermittent communication like newsletters.

  Why the other options are not as suitable

  • Option A is incorrect because Long-term sustainment and cultural change is the final and most advanced stage of the model, focusing on metrics and long-term habits rather than the initial implementation of basic training.
  • Option B is incorrect because the Metrics framework stage occurs after training is established; it focuses on measuring the effectiveness of the program rather than the initial rollout.
  • Option D is incorrect because Promoting awareness and behavioral change is a more mature stage than compliance; while it involves training, it is focused on continuous engagement and shifting user behavior, whereas the first appearance of annual training is strictly for compliance purposes.

  Citations

  • https://www.sans.org/security-awareness-training/security-awareness-maturity-model/

• Question 5

  An organization wants a perimeter device to inspect and transmit email requests from the internet to the internal email server.
  Which of the following is used for this purpose?

  • A. Web proxy
  • B. WAF
  • C. Reverse proxy
  • D. NIDS

  Correct Answer: B

  Explanation:

  I disagree with the suggested answer B and agree with the community choice of C. A Reverse proxy is the standard architectural component used to sit at the perimeter to receive requests from the internet and forward them to internal servers, effectively hiding the internal server's identity and providing a layer of inspection and security.

  Reason

  Option C is correct because a Reverse proxy acts as an intermediary for resources requested from the internal network by clients on the internet. It terminates the connection from the external sender, inspects the traffic (such as email protocol requests), and then initiates a new connection to the internal email server. This aligns perfectly with the requirement to inspect and transmit requests from the internet to internal infrastructure.

  Why the other options are not as suitable

  • Option A is incorrect because a Web proxy (or forward proxy) is typically used by internal clients to access resources on the internet, focusing on outbound traffic rather than inbound requests to an internal server.
  • Option B is incorrect because a WAF (Web Application Firewall) is specifically designed to filter and monitor HTTP/HTTPS traffic for web applications; while it is a type of proxy, it is not the primary tool used for general email request transmission and inspection.
  • Option D is incorrect because a NIDS (Network Intrusion Detection System) monitors network traffic for malicious activity but does not act as a transmission gateway or proxy to forward requests to an internal server.

  Citations

  • https://www.giac.org/certifications/security-leadership-gslc/
  • https://content.sans.org/whitepaper/401

• Question 6

  What can be used to segment a virtual private cloud into smaller network segments?

  • A. Network access control lists
  • B. Availability zones
  • C. CIDR subnets
  • D. Internet gateways

  Correct Answer: C

  Explanation:

  I agree with the community choice of Option C. Within a Virtual Private Cloud (VPC), the fundamental mechanism for dividing a large IP address range into smaller, manageable, and isolated logical segments is the creation of subnets using Classless Inter-Domain Routing (CIDR) blocks.

  Reason

  Option C is correct because CIDR subnets are the primary architectural components used to partition a VPC IP address range. By assigning specific CIDR blocks to subnets, administrators can logically separate resources (e.g., public-facing web servers vs. private databases) and apply distinct routing and security policies to each segment.

  Why the other options are not as suitable

  • Option A is incorrect because Network Access Control Lists (NACLs) are a security layer that acts as a firewall for controlling traffic in and out of subnets; they control traffic flow but do not define the network boundaries themselves.
  • Option B is incorrect because Availability Zones (AZs) are physically isolated locations within a region designed for fault tolerance and high availability, not for logical network segmentation.
  • Option D is incorrect because an Internet Gateway (IGW) is a VPC component that allows communication between the VPC and the internet; it is a gateway, not a segmentation tool.

  Citations

  • https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
  • https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

• Question 7

  What process is demonstrated in the diagram shown below?
  

  • A. Continuous Delivery
  • B. Continuous Integration
  • C. Continuous Improvement
  • D. Continuous Deployment

  Correct Answer: A

  Explanation:

  I disagree with the suggested answer A and agree with the community consensus of D. The diagram explicitly shows that the final stage, Deploy to Production, is AUTO (automated), which is the defining characteristic that distinguishes Continuous Deployment from Continuous Delivery.

  Reason

  Option D is correct because Continuous Deployment refers to a software engineering approach in which code changes are automatically prepared, tested, and released to the production environment without manual intervention. In the provided diagram, every transition—including the final step into production—is labeled as AUTO, fitting this definition perfectly.

  Why the other options are not as suitable

  • Option A is incorrect because Continuous Delivery involves automating the entire software release process up to the point of production, but the actual deployment to production typically requires a manual trigger or approval. If the final 'AUTO' label were missing or replaced with 'Manual,' this would be the correct choice.
  • Option B is incorrect because Continuous Integration (CI) only covers the initial stages of the pipeline, specifically the automation of building and Unit Tests whenever code is committed; it does not encompass the automated deployment to production.
  • Option C is incorrect because Continuous Improvement is a general management philosophy (such as Kaizen) focused on incremental enhancements to processes and products over time, rather than a specific technical pipeline for software deployment.

  Citations

  • https://www.redhat.com/en/topics/devops/what-is-ci-cd
  • https://aws.amazon.com/devops/continuous-delivery/

• Question 8

  Once the SOC command center notifies the appropriate internal and external parties that an incident is taking place, what should happen next?

  • A. Temporary measures should be put in place to prevent further damage to systems or the network
  • B. The SOC should report the root cause of the incident to incident handlers and IT operations
  • C. Procedures for restoring affected systems should be drafted by the incident handling team
  • D. Forensics analysts should assess affected systems to assure malicious artifacts have been removed

  Correct Answer: B

  Explanation:

  I disagree with the suggested answer B and agree with the community consensus for Option A. In the standard incident response lifecycle followed by GIAC (SANS) and NIST, once an incident is detected and notification occurs (part of the Detection and Analysis phase), the immediate next priority is Containment to stop the bleeding and minimize impact.

  Reason

  Option A is correct because it describes the Containment phase of incident response. After initial notification, the primary goal is to perform short-term or temporary actions—such as isolating affected hosts or disabling compromised accounts—to prevent the threat from spreading further across the network or causing additional data loss.

  Why the other options are not as suitable

  • Option B is incorrect because determining and reporting the root cause typically occurs much later in the lifecycle during the Eradication or Post-Incident Activity phases; identifying the root cause while a system is actively being compromised without first containing it allows for further damage.
  • Option C is incorrect because drafting restoration procedures belongs to the Recovery phase, which should only happen after the threat has been successfully contained and eradicated.
  • Option D is incorrect because forensics assessment to ensure artifacts are removed is part of Eradication and Recovery verification; containment must occur first to ensure the analyst is not working on a live, spreading infection.

  Citations

  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  • https://www.sans.org/white-papers/639/

• Question 9

  When developing vulnerability remediation workflows, it is recommended that the majority of patches be categorized as which type of change?

  • A. Manual
  • B. Routine
  • C. Critical
  • D. Exception

  Correct Answer: C

  Explanation:

  I disagree with the Suggested Answer (C) and agree with the Community Most Voted answer (B). While critical vulnerabilities exist, a mature vulnerability remediation workflow aims to treat the vast majority of security patches as Routine or Standard changes to ensure efficiency, speed, and predictability in the maintenance lifecycle.

  Reason

  Option B is correct because Routine (often synonymous with Standard in ITIL frameworks) changes are pre-authorized, low-risk, and follow an established procedure. In a high-functioning GSLC management context, patching should be an operationalized, repetitive task rather than a series of emergency interventions. By categorizing the majority of patches as Routine, organizations can maintain a consistent security posture without the administrative overhead of a full Change Advisory Board (CAB) review for every update.

  Why the other options are not as suitable

  • Option A is incorrect because Manual describes the method of application rather than the change management category; the goal of remediation is often automation, not manual intervention.
  • Option C is incorrect because Critical (or Emergency) changes are reserved for high-stakes, out-of-band threats that require bypassing normal procedures; if the 'majority' of patches were treated as critical, the change management system would collapse under constant emergency pressure and 'alert fatigue.'
  • Option D is incorrect because an Exception refers to a deviation from policy where a patch is intentionally not applied or delayed, which should represent a small minority of cases, not the standard workflow.

  Citations

  • https://www.giac.org/certifications/security-leadership-gslc/
  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf

• Question 10

  A SOC running 24 hours a day, including weekends, needs to fill a new analyst position.
  How many full time employees should the SOC hire to ensure coverage for all shifts, while still allowing vacations, training, and sick days?

  • A. 3
  • B. 5
  • C. 8
  • D. 2

  Correct Answer: D

  Explanation:

  I disagree with the suggested answer D and agree with the community choice B. Providing 24/7 coverage requires filling 168 hours per week. A single FTE typically provides 40 hours of labor. Simple division (168/40=4.2) shows that at least 5 people are required to cover the schedule while accounting for necessary overhead such as vacations, sick leave, and training.

  Reason

  Option B is correct because 5 FTEs is the industry standard for a 24/7 Security Operations Center (SOC) shift. Mathematical coverage for 168 hours requires 4.2 employees; however, since employees are not available 100% of the time due to PTO, illness, and professional development, rounding up to 5 ensures there is a buffer to maintain constant uptime without violating labor laws or causing extreme burnout.

  Why the other options are not as suitable

  • Option A is incorrect because 3 employees only provide 120 hours of coverage per week, leaving 48 hours completely unstaffed even without accounting for time off.
  • Option C is incorrect because 8 employees would be significantly overstaffed for a single position's 24/7 coverage, leading to unnecessary operational expenditure (OpEx).
  • Option D is incorrect because 2 employees only provide 80 hours of coverage, which does not even cover half of the 168 hours required for a full week.

  Citations

  • https://www.sans.org/white-papers/36027/
  • https://www.giac.org/certifications/security-leadership-gslc/