Question 1

What is the key difference between Electronic Codebook mode and other block cipher modes like Cipher Block Chaining, Cipher-Feedback and Output-Feedback?

Accepted Answer

C

Explanation: The defining characteristic and primary weakness of Electronic Codebook (ECB) mode is its deterministic nature. Each block of plaintext is encrypted independently of all other blocks using the same secret key. Consequently, if two plaintext blocks are identical, their corresponding ciphertext blocks will also be identical. This preserves plaintext patterns, allowing an attacker to infer information about the underlying data structure. In contrast, modes like Cipher Block Chaining (CBC), Cipher-Feedback (CFB), and Output-Feedback (OFB) use an Initialization Vector (IV) and a chaining or feedback mechanism. This ensures that the encryption of each block is dependent on the previous blocks, thus concealing patterns and making identical plaintext blocks result in different ciphertext blocks.

Question 2

Which of the following systems acts as a NAT device when utilizing VMware in NAT mode?

Accepted Answer

C

Explanation: When using VMware in Network Address Translation (NAT) mode, the host system acts as the NAT device. The virtualization software on the host creates a private virtual network for the guest virtual machines. When a guest system needs to communicate with the external network, the host system intercepts the traffic, translates the guest's private source IP address to its own IP address, and forwards the packet. This allows the guest system to access external resources using the host's network identity, without requiring its own unique IP address on the external network.

Question 3

Fill in the blank with the correct answer to complete the statement below. The permission is the minimum required permission that is necessary for a user to enter a directory and list its contents.

Accepted Answer

FIVE

Explanation: In Unix-like operating systems, permissions for directories are distinct from those for files. To "enter" or traverse a directory (e.g., using the cd command), a user requires the execute (x) permission. To "list its contents" (e.g., using the ls command), the user needs the read (r) permission. The question requires the minimum permission for both actions. In octal notation, read is represented by 4, and execute is represented by 1. Therefore, the minimum required permission is the sum of these values: 4 (read) + 1 (execute) = 5. This permission level (r-x) allows a user to both enter the directory and view its contents.

Question 4

You are doing some analysis of malware on a Unix computer in a closed test network. The IP address
of the computer is 192.168.1.120. From a packet capture, you see the malware is attempting to do a
DNS query for a server called iamabadserver.com so that it can connect to it. There is no DNS server
on the test network to do name resolution. You have another computer, whose IP is 192.168.1.115,
available on the test network that you would like for the malware connect to it instead. How do you
get the malware to connect to that computer on the test network?

Accepted Answer

B

Explanation: The name resolution process on a Unix system first checks the local /etc/hosts file before querying a DNS server. The goal is to make the malware running on the infected computer (192.168.1.120) connect to the analysis computer (192.168.1.115). To achieve this, the hosts file on the infected machine must be modified. An entry must be added that maps the hostname the malware is trying to resolve (iamabadserver.com) to the IP address of the desired destination (192.168.1.115). This redirects the malware's network traffic to the controlled analysis machine, a common technique in dynamic malware analysis.

Question 5

You work as a Network Administrator for McNeil Inc. The company has a Linux-based network. David,
a Sales Manager, wants to know the name of the shell that he is currently using. Which of the
following commands will he use to accomplish the task?

Accepted Answer

B

Explanation: In Unix-like operating systems, including Linux, environment variables store information about the shell session. The $SHELL environment variable specifically holds the path to the user's default login shell (e.g., /bin/bash, /bin/zsh). The echo command is a shell built-in that prints its arguments to the standard output. Therefore, executing echo $SHELL (or $shell, assuming a common typo in the question, as environment variables are case-sensitive and typically uppercase) retrieves the value of this variable and displays it on the screen, directly answering the user's question about which shell they are using.

Question 6

Which of the following services resolves host name to IP Address?

Accepted Answer

C

Explanation: The Domain Name System (DNS) is the hierarchical and distributed naming system used to identify computers and resources reachable through the internet. Its primary function is to translate human-readable hostnames (e.g., www.sans.org) into the numerical IP addresses (e.g., 104.20.1.24) required by networking protocols to locate and route traffic to the correct destination. This resolution process is a fundamental operation for nearly all internet activity, including web browsing and email.

Question 7

What does PowerShell remoting use to authenticate to another host in a domain environment?

Accepted Answer

D

Explanation: PowerShell remoting is built upon the Windows Remote Management (WinRM) service. In a Windows Active Directory domain environment, WinRM defaults to using Kerberos for authentication. When a user on a domain-joined machine initiates a remote session to another, the client machine obtains a Kerberos service ticket from the domain controller's Key Distribution Center (KDC). This ticket is then presented to the target server to authenticate the user's identity securely without transmitting passwords or other secrets over the network. This is the standard mechanism for integrated Windows Authentication within a domain.

Question 8

You work as a Network Administrator for McRobert Inc. You want to know the NetBIOS name of your computer. Which of the following commands will you use?

Accepted Answer

C

Explanation: The nbtstat (NetBIOS over TCP/IP Statistics) command is a diagnostic tool for NetBIOS over TCP/IP. It is used to troubleshoot NetBIOS name resolution problems. The -n switch specifically displays the local NetBIOS name table registered by the local computer. This table includes the computer's unique NetBIOS name (type ) and the workgroup or domain name (type ), making it the direct command to view the local machine's NetBIOS name.

Question 9

An attacker gained physical access to an internal computer to access company proprietary dat
a. The facility is protected by a fingerprint biometric system that records both failed and successful
entry attempts. No failures were logged during the time periods of the recent breach. The account
used when the attacker entered the facility shortly before each incident belongs to an employee who
was out of the area. With respect to the biometric entry system, which of the following actions will
help mitigate unauthorized physical access to the facility?

Accepted Answer

B

Explanation: The scenario describes a Type II error, where an unauthorized individual was incorrectly authenticated by the biometric system. This is known as a False Accept. To mitigate this specific vulnerability, the system's matching threshold must be made more stringent. Lowering the False Accept Rate (FAR) directly addresses this by reducing the probability that an imposter is accepted as a legitimate user. This adjustment makes the system more secure against unauthorized access, although it may consequently increase the False Reject Rate (FRR), potentially inconveniencing valid users.

Question 10

A program has allocated 10 characters of space for user’s response on a form. The application does
not validate the number of characters that a user can input into the field before accepting the dat
a. Which type of attack Is the application vulnerable to?

Accepted Answer

B

Explanation: The scenario describes a classic buffer overflow vulnerability. The application allocates a fixed-size memory buffer (10 characters) but fails to perform bounds checking on the user-supplied input. When a user enters more data than the buffer can hold, the excess data overwrites adjacent memory locations. This can lead to program instability, crashes, or the execution of malicious code if an attacker carefully crafts the input. The core issue is the lack of input length validation against the allocated memory space.

Question 11

What is the maximum passphrase length in Windows 2000/XP/2003?

Accepted Answer

B

Explanation: For Windows 2000, Windows XP, and Windows Server 2003, the maximum supported length for a user password or passphrase is 127 characters. This limit is enforced by the Local Security Authority (LSA). While the older and deprecated LAN Manager (LM) hash could only handle a 14-character, case-insensitive password, the NTLM (NT LAN Manager) hashing protocol used by these operating systems was designed to support this much longer and more complex passphrase length, significantly improving security over its predecessor, Windows NT 4.0.

Question 12

Which of the following is more commonly used for establishing high-speed backbones that interconnect smaller networks and can carry signals over significant distances?

Accepted Answer

D

Explanation: Asynchronous Transfer Mode (ATM) is a high-speed, cell-switching network technology designed to be a single, unified standard for transporting various types of traffic, including data, voice, and video. It was widely implemented by telecommunications carriers to build high-speed backbone networks, often over SONET/SDH fiber optic infrastructure. Its use of fixed-size 53-byte cells allows for predictable latency and efficient hardware switching, making it highly suitable for interconnecting smaller, diverse networks over significant geographical distances with guaranteed Quality of Service (QoS).

Question 13

What is log, pre-processing?

Accepted Answer

B

Explanation: Log pre-processing is a critical phase in log management and Security Information and Event Management (SIEM) where raw log data is prepared for analysis. The most fundamental step in this phase is normalization, which involves parsing and converting log entries from their many different native source formats into a single, standardized, or common format. This conversion is essential for the SIEM to effectively correlate and analyze events from disparate systems, such as firewalls, operating systems, and applications. Without a common format, comparing and understanding the relationship between events from different sources would be impossible.

Question 14

You are reviewing a packet capture file from your network intrusion detection system. In the packet
stream, you come across a long series of "no operation" (NOP) commands. In addition to the NOP
commands, there appears to be a malicious payload. Of the following, which is the most appropriate
preventative measure for this type of attack?

Accepted Answer

B

Explanation: The scenario describes a NOP (no operation) sled, which is a classic component of a buffer overflow exploit. This attack occurs when a program fails to validate the size of user-supplied input, allowing an attacker to write data beyond the boundaries of an allocated memory buffer. This overwrites adjacent memory, including the instruction pointer, to redirect execution to a malicious payload. The NOP sled serves as a large target, increasing the chances of a successful jump to the payload. The most direct and effective preventative measure is to implement strict boundary checks on all program inputs, ensuring that data cannot be written past the end of a buffer, thus preventing the overflow from occurring.

Question 15

Which of the following statements about policy is FALSE?

Accepted Answer

B

Explanation: A well-written policy is a high-level, strategic document that defines security goals and states what is required, not how it should be implemented. Policies are intentionally broad and technology-neutral to remain relevant over time. The specific, tactical details of "how" to implement a policy are contained in separate, more granular documents such as standards (which mandate specific technologies or configurations) and procedures (which provide step-by-step instructions for a task). Including the "how" in a policy makes it too rigid, difficult to maintain, and blurs the line between strategic direction and operational execution.

Free GIAC GSEC Actual Exam Questions