Question 1

Which of the following should be used to test antivirus software?

Accepted Answer

D

Explanation: The European Institute for Computer Antivirus Research (EICAR) test file is the industry standard for testing the functionality of antivirus software. It is a harmless, non-viral text file containing a specific string of 68 characters. This file is designed to be detected by antivirus programs as if it were a real virus. This allows administrators and users to safely verify that their antivirus scanner is configured and working correctly without using actual, malicious code, which would pose a significant security risk.

Question 2

Which of the following is a reliable way to test backed up data?

Accepted Answer

D

Explanation: The most reliable and comprehensive method to test backed-up data is to perform a full restoration to a separate, non-production system. This procedure validates the entire recovery chain: the integrity of the backup media, the functionality of the backup and restore software, and the usability of the recovered data itself. Successfully restoring and verifying the data provides the highest level of assurance that the backup is viable and can be depended upon in a real disaster recovery scenario. While other methods provide partial checks, only a full restore tests the end-to-end process.

Question 3

Which of the following CIS Controls is used to manage the security lifecycle by validating that the documented controls are in place?

Accepted Answer

D

Explanation: CIS Control 18, "Penetration Tests and Red Team Exercises," is specifically designed to manage and improve the security lifecycle by actively testing and validating the effectiveness of an enterprise's security controls. This control simulates real-world attacker tactics, techniques, and procedures to measure how well the implemented security measures (technical, physical, and personnel) can detect and respond to an attack. The results provide direct feedback on control gaps and misconfigurations, thereby validating that documented controls are in place and functioning as intended.

Question 4

An organization is implementing a control for the Limitation and Control of Network Ports, Protocols,
and Services CIS Control. Which action should they take when they discover that an application
running on a web server is no longer needed?

Accepted Answer

A

Explanation: The principle of least functionality, which is central to CIS Control 9 (Limitation and Control of Network Ports, Protocols, and Services), dictates that systems should be configured to provide only essential capabilities. When an application is no longer needed, the most secure and definitive action is to uninstall it completely. This removes the application's code, its associated services, and any potential vulnerabilities from the host system. Disabling the service or blocking network access are less secure alternatives, as the unused software remains on the system and could be inadvertently or maliciously re-activated.

Question 5

Implementing which of the following will decrease spoofed e-mail messages?

Accepted Answer

B

Explanation: Sender Policy Framework (SPF) is an email authentication method designed to prevent sender address forgery. A domain owner publishes a special DNS record (an SPF record) that lists all the IP addresses of the mail servers authorized to send email on behalf of that domain. When an inbound mail server receives an email, it checks the SPF record of the purported sending domain. If the IP address of the sending server is not on the authorized list, the receiving server can identify the message as potentially spoofed and can subsequently reject it or flag it as spam, thereby decreasing the effectiveness of spoofed email messages.

Question 6

An organization has implemented a policy to detect and remove malicious software from its network. Which of the following actions is focused on correcting rather than preventing attack?

Accepted Answer

B

Explanation: A corrective control is implemented to remediate a problem after it has been detected. In this scenario, Network Access Control (NAC) takes action after a host has been identified as infected with a virus. The act of disabling the host's communication is a corrective measure designed to contain the threat and fix the immediate security issue by isolating the compromised system from the network. This action directly addresses and corrects an existing security failure, which is the core function of a corrective control. The other options are preventive controls, which aim to stop an incident from occurring in the first place.

Question 7

Why is it important to enable event log storage on a system immediately after it is installed?

Accepted Answer

B

Explanation: Enabling event log storage immediately after a system's installation is crucial for establishing a baseline of normal operational activity. This initial set of logs captures the standard processes, services, and configurations of a clean system. During a future security incident, this baseline serves as a reference point, allowing security analysts to more easily and accurately distinguish between normal system behavior and anomalous or malicious activities. Without this baseline, identifying the subtle indicators of a compromise becomes significantly more difficult.

Question 8

Which of the following best describes the CIS Controls?

Accepted Answer

B

Explanation: The Center for Internet Security (CIS) Controls are a prioritized, prescriptive, and actionable set of technical safeguards designed to help organizations defend against the most common and damaging cyber-attacks. Their development is community-driven and informed by analysis of actual attack data from a wide range of threat sources. This threat-informed approach ensures that the controls focus on the defensive actions that have the greatest impact on improving an organization's security posture against prevalent, real-world threats.

Question 9

John is implementing a commercial backup solution for his organization. Which of the following steps should be on the configuration checklist?

Accepted Answer

A

Explanation: When implementing a commercial backup solution, enabling encryption is a critical security control. Backups contain a complete, point-in-time copy of sensitive organizational data. If this data is not encrypted at rest on the backup media, it is vulnerable to unauthorized access if the media is lost, stolen, or the storage system is compromised. Most reputable commercial solutions offer strong, standardized encryption (e.g., AES-256), and enabling it is a fundamental step in any secure configuration checklist to ensure data confidentiality.

Question 10

Below is a screenshot from a deployed next-generation firewall. These configuration settings would be a defensive measure for which CIS Control? https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/GIAC_GCCC/page_8_img_1.jpg

Accepted Answer

C

Explanation: The screenshot shows a URL Filtering profile on a next-generation firewall (NGFW) configured to block specific web categories, including social networking, web-based email, and peer-to-peer file sharing. This is a direct implementation of a web content filtering policy. Such a measure is designed to protect an organization by preventing users from accessing potentially malicious, unauthorized, or non-business-related websites through their browsers. This action directly aligns with the objectives of CIS Control 9: Email and Web Browser Protections (v8), which focuses on securing against threats from web vectors by controlling the content users can access.

Question 11

Allied services have recently purchased NAC devices to detect and prevent non-company owned
devices from attaching to their internal wired and wireless network. Corporate devices will be
automatically added to the approved device list by querying Active Directory for domain devices.
Non-approved devices will be placed on a protected VLAN with no network access. The NAC also
offers a web portal that can be integrated with Active Directory to allow for employee device
registration which will not be utilized in this deployment. Which of the following recommendations
would make NAC installation more secure?

Accepted Answer

C

Explanation: The principle of least functionality, a core tenet of security hardening, dictates that systems should be configured to provide only essential capabilities. The scenario explicitly states the web portal for employee device registration "will not be utilized." Leaving this unused service enabled, especially a web-based portal with Active Directory integration, creates an unnecessary attack surface. An attacker could potentially exploit a vulnerability in this portal to gain unauthorized access or bypass the NAC controls. Disabling the service entirely eliminates this risk and directly enhances the security of the NAC installation itself.

Question 12

How often should the security awareness program be communicated to employees?

Accepted Answer

A

Explanation: An effective security awareness program is not a one-time event but a continuous, iterative process. The goal is to build and sustain a security-conscious culture, which requires ongoing reinforcement. Continuous communication through multiple channels—such as regular newsletters, simulated phishing exercises, posters, and brief training modules—ensures that security remains a top-of-mind consideration for all employees. This approach is far more effective at influencing long-term behavior change than periodic, event-based training, which is often forgotten shortly after completion.

Question 13

Kenya is a system administrator for SANS. Per the recommendations of the CIS Controls she has a
dedicated host (kenya- adminbox / 10.10.10.10) for any administrative tasks. She logs into the
dedicated host with her domain admin credentials. Which of the following connections should not
exist from kenya-adminbox?
GCCC practice exam questions

Accepted Answer

B

Explanation: The fundamental principle of a dedicated administrative host, often called a Privileged Access Workstation (PAW), is to create a secure, isolated environment for performing sensitive tasks. This isolation is crucial for protecting high-privilege credentials (like domain admin) from common attack vectors. Email is a primary vector for phishing and malware delivery. Therefore, a dedicated administrative host should never be used for general productivity tasks like sending or receiving email (via SMTP, port 25). The other connections shown (RDP, SSH, and HTTPS to a local admin tool) are all legitimate and expected administrative functions.

Question 14

During a security audit which test should result in a source packet failing to reach its intended destination?

Accepted Answer

A

Explanation: A fundamental security principle for any network perimeter is the "default-deny" or "least privilege" posture. This means that all unsolicited inbound traffic originating from an untrusted network, such as the Internet, should be blocked by the firewall. A new connection request from the Internet to a standard host on the internal network is the classic example of such unsolicited traffic. A security audit test that simulates this scenario should be blocked by the firewall, thus failing to reach its destination and validating the effectiveness of this critical security control.

Question 15

As part of an effort to implement a control on E-mail and Web Protections, an organization is monitoring their webserver traffic. Which event should they receive an alert on?

Accepted Answer

C

Explanation: A web server failing to respond to a SYN packet for an extended period, such as 30 minutes, is a critical indicator of a service outage. This event signifies that the server is unable to establish new TCP connections, which is its primary function. The cause could be a server crash, a network failure, a misconfigured firewall, or a Denial of Service (DoS) attack, such as a SYN flood, which exhausts the server's connection resources. Monitoring for this condition is a fundamental aspect of web protection, as it directly relates to the availability of the service, a core tenet of information security (Confidentiality, Integrity, Availability).

Free GIAC GCCC Actual Exam Questions