Question 1

A legacy server on the network was breached through an OS vulnerability with no patch available.
The server is used only rarely by employees across several business units. The theft of information
from the server goes unnoticed until the company is notified by a third party that sensitive
information has been posted on the Internet. Which control was the first to fail?

Accepted Answer

C

Explanation: The first and most fundamental control to fail was data classification. Proper data classification would have identified the information on the server as "sensitive." This classification is a prerequisite for risk assessment and the subsequent application of appropriate security controls. Had the data been correctly classified, a risk assessment would have deemed it unacceptable to store such information on a legacy server with known, unpatchable vulnerabilities. This initial failure in classification led to the failure to apply other necessary controls, such as decommissioning the server, implementing compensating controls, or applying stricter access and monitoring rules, which ultimately enabled the breach.

Question 2

How does data classification help protect against data loss?

Accepted Answer

D

Explanation: Data classification is a foundational process in information security that involves categorizing data based on its level of sensitivity, value, and criticality to the organization. The primary benefit of this process is that it enables a risk-based approach to security. By identifying the most critical data assets, an organization can strategically focus its security budget, resources, and controls (such as encryption, access restrictions, and Data Loss Prevention (DLP) policies) where they are most needed. This appropriate allocation ensures that the most sensitive data receives the highest level of protection, directly reducing the risk of data loss.

Question 3

An outside vulnerability assessment reveals that users have been routinely accessing Gmail from
work for over a year, a clear violation of this organization’s security policy. The users report “it just
started working one day”. Later, a network administrator admits he meant to unblock Gmail for just
his own IP address, but he made a mistake in the firewall rule.
Which security control failed?

Accepted Answer

A

Explanation: The core of the issue is a misconfigured firewall rule. Firewalls are a fundamental technical mechanism for enforcing network access control policies. Their purpose is to permit or deny traffic between networks based on a defined rule set, thereby controlling access to resources. In this scenario, the firewall was intended to block access to Gmail for most users, but due to an error, it granted broad, unauthorized access. This represents a direct failure of the access control function to enforce the organization's security policy.

Question 4

A company classifies data using document footers, labeling each file with security labels “Public”,
“Pattern”, or “Company Proprietary”. A new policy forbids sending “Company Proprietary” files via
email. Which control could help security analysis identify breaches of this policy?

Accepted Answer

D

Explanation: The policy aims to prevent the exfiltration of data labeled "Company Proprietary". A Data Loss Prevention (DLP) system is the appropriate control. By configuring a DLP tool to perform deep packet inspection on outbound SMTP traffic, security analysts can scan the content of emails and their attachments for the specific keyword "Company Proprietary". When this string is detected, the system can log the event and alert the security team, allowing them to identify the policy breach. This method directly inspects the data content for the specific classification label defined in the policy.

Question 5

Which of the following applies to newer versions of IOS that decrease their attack surface?

Accepted Answer

C

Explanation: Modern security practices emphasize a "secure by default" posture to minimize the attack surface of a device. In line with this principle, newer versions of Cisco IOS and IOS XE ship with more non-essential services disabled by default. Services such as the HTTP server, finger, and various TCP/UDP small servers, which might have been enabled in older versions for administrative convenience, are now typically disabled. This forces administrators to explicitly enable only the services they require, reducing the number of open ports and potential vulnerabilities an attacker could exploit.

Question 6

The creation of a filesystem timeline is associated with which objective?

Accepted Answer

A

Explanation: The creation of a filesystem timeline is a foundational technique in digital forensic analysis. By extracting and correlating file metadata—specifically Modified, Accessed, Created, and Change (MACC) timestamps—investigators can reconstruct a chronological sequence of events on a system. This timeline is essential for understanding an attacker's actions, such as when a malicious file was introduced, when data was exfiltrated, or when system files were altered. The primary objective is to analyze evidence to determine the scope and details of an incident, which is the core purpose of the forensic analysis phase.

Question 7

How does an Nmap connect scan work?

Accepted Answer

D

Explanation: An Nmap connect scan (-sT) uses the operating system's high-level connect() system call to establish a full connection to a target port. This process precisely follows the standard TCP three-way handshake. The scanner initiates by sending a SYN packet. If the port is open, the target responds with a SYN/ACK packet. The scanner's OS completes the handshake by sending an ACK packet. A successful completion of this handshake indicates the port is open. Because a full connection is established, this scan type is easily detectable and logged by the target system.

Question 8

An analyst wants to see a grouping of images that may be contained in a pcap file. Which tool natively meets this need?

Accepted Answer

B

Explanation: NetworkMiner is a Network Forensic Analysis Tool (NFAT) specifically designed for parsing pcap files to extract application-level data and artifacts. A core, native feature of NetworkMiner is its ability to automatically carve files, including various image formats (e.g., JPG, PNG, GIF), from captured network traffic. It then presents these extracted files in a user-friendly graphical interface, conveniently grouped under dedicated tabs such as "Images" and "Files." This directly fulfills the analyst's requirement to see a grouping of images contained within a pcap file without needing to write scripts or perform complex manual extractions.

Question 9

What attack was indicated when the IDS system picked up the following text coming from the
Internet to the web server?
select user, password from user where user= “jdoe” and password= ‘myp@55!’ union select “text”,2
into outfile “/tmp/file1.txt” - - ’

Accepted Answer

C

Explanation: The provided text is a classic example of a SQL Injection (SQLi) attack. The attacker is appending malicious SQL code to an existing query. The UNION SELECT clause is used to combine the results of the original, legitimate query with a new, attacker-controlled query. The INTO OUTFILE clause, specific to databases like MySQL, attempts to write the output of this combined query to a file on the web server's filesystem (/tmp/file1.txt). The trailing -- is a comment operator in SQL, used to nullify the rest of the original application's query to prevent syntax errors.

Question 10

Which statement below is the MOST accurate about insider threat controls?

Accepted Answer

A

Explanation: The most accurate statement is that classification of information assets is a foundational control for mitigating insider threats. Data classification is the process of categorizing data based on its sensitivity, criticality, and value to the organization. This process is essential because it allows an organization to understand which assets are most important to protect. Once critical assets are identified, appropriate security controls—such as principle of least privilege, access controls, and data loss prevention (DLP) policies—can be applied in a targeted and cost-effective manner to protect them from unauthorized insider access, modification, or exfiltration.

Question 11

Which tasks would a First Responder perform during the Identification phase of Incident Response?

Accepted Answer

C

Explanation: The Identification phase (also known as Detection and Analysis) of the incident response lifecycle focuses on determining whether a security incident has occurred. A first responder's primary tasks during this phase are to analyze precursors and indicators from various data sources, such as logs, network traffic, and alerts. The goal is to validate a potential incident, assess its scope, and gather initial information. This involves searching for and correlating data to confirm the event's nature and impact, which directly aligns with the activities described in the correct option.

Question 12

In order to determine if network traffic adheres to expected usage and complies with technical standards, an organization would use a device that provides which functionality?

Accepted Answer

C

Explanation: Protocol anomaly detection is a security mechanism that involves defining a model of legitimate network protocol behavior based on its technical standards (e.g., RFCs) and observed normal usage. A device using this functionality analyzes network traffic and flags any activity that deviates from this established baseline. This directly addresses the requirement to determine if traffic adheres to expected usage and complies with technical standards, as it can detect malformed packets or misuse of a protocol, even for novel attacks without a known signature.

Question 13

An internal host at IP address 10.10.50.100 is suspected to be communicating with a command and
control whenever a user launches browser window. What features and settings of Wireshark should
be used to isolate and analyze this network traffic?

Accepted Answer

C

Explanation: The scenario requires isolating and analyzing potential Command and Control (C2) traffic initiated when a user launches a web browser from the host 10.10.50.100. The most effective method is to first apply a specific display filter. The filter ip.src == 10.10.50.100 correctly isolates all traffic originating from the suspect host. Since the trigger is a browser, filtering on tcp.dstport == 80 narrows the capture to outbound HTTP requests, a common channel for C2 communication. After filtering, using the "Follow TCP Stream" feature is essential. This tool reconstructs the TCP conversation, allowing the analyst to view the full application-layer data (e.g., HTTP headers and content) in a human-readable format to identify malicious commands or responses.

Question 14

Which of the following is an outcome of the initial triage during incident response?

Accepted Answer

B

Explanation: The initial triage phase of incident response is designed to quickly assess an event, determine its severity, and take immediate action to limit the impact. A primary outcome of this process is containment. Segmenting the network to isolate compromised systems from critical assets is a fundamental containment strategy. This action directly prevents the lateral movement of an attacker and stops the incident from escalating, which is the core goal of the triage and initial containment steps in the incident response lifecycle.

Question 15

To detect worms and viruses buried deep within a network packet payload, Gigabytes worth of traffic content entering and exiting a network must be checked with which of the following technologies?

Accepted Answer

B

Explanation: To detect known threats like worms and viruses within high-volume network traffic, security systems perform deep packet inspection (DPI). The core technology used in this process is signature matching. This technique involves comparing the data within packet payloads against a large database of predefined patterns (signatures) that correspond to known malicious code, attack vectors, or malware characteristics. When a match is found, an alert is generated or the packet is blocked. This method is fundamental to the operation of Network Intrusion Detection and Prevention Systems (NIDS/NIPS) and Next-Generation Firewalls (NGFWs).

Free GIAC GCED Actual Exam Questions