Free Practice Questions for GIAC GCED Exam

Identifying and scoping an incident during triage is important to successfully handling a security incident. The detection methods used by the team didn’t detect all the infected workstations.

Routers, layer 3 switches, some firewalls, and other gateways are packet filtering devices that use access control lists (ACLs) and perform packet inspection. This type of device uses a small subset of the packet to make filtering decisions, such as source and destination IP address and protocol. These devices will then allow or deny protocols based on their associated ports. This type of packet inspection and access control is still highly susceptible to malicious attacks, because payloads and other areas of the packet are not being inspected. For example, application level attacks that are tunneled over open ports such as HTTP (port 80) and HTTPS (port 443).

The pass action is defined because it is sometimes easier to specify the class of data to ignore rather than the data you want to see. This can cut down the number of false positives and help keep down the size of log data.

False positives occur because rules failed and indicated a threat that is really not one. They should be minimized whenever possible.

The pass action causes the packet to be ignored, not passed on further. It is an active command, not a placeholder.

Enabling the service config setting causes a Cisco router to be vulnerable to the TFTP Server Attack since it will actively try to retrieve a new configuration file from the nearest TFTP server. An attacker can insert a malicious update file in this process to compromise the Cisco router.

The service config setting was disabled by default in the Cisco IOS in version 12.0, but had been enabled by default in the 11.x series of the IOS trains. This feature is often enabled in later versions since organizations don’t always realize the risk of this setting and will leave it enabled as the migrate through multiple IOS upgrades.

The other items listed don’t enable the service config setting.

Both BPDU Guard and Root Guard are used to prevent a new switch from becoming the Root Bridge. They are very similar but use different mechanisms.

Rootguard allows devices to use STP, but if they send superior BDPUs (i.e. they attempt to become the Root Bridge), Root Guard disables the port until the offending BPDUs cease. Recovery is automatic.

If Portfast is enabled on a port, BPDU Guard will disable the port if a BPDU is received. The port stays disabled until it is manually re-enabled. Devices behind such ports cannot use STP, as the port would be disabled as soon as they send BPDUs (which is the default behavior of switches).

The annualized loss expectancy (ALE) is deduced by multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO); in this example $2, 374 × (7 × 4), respectively. This is a form of Quantitative risk analysis. Qualitative risk posture is deduced by measuring and contrasting the likelihood (probability of occurrence) with the level of impact and by definition does not address risk using monetary figures. Total cost of ownership (TCO) is the sum of all costs (technical, administrative, environmental, et al) that are involved for a specific system, service, etc. CVSS risk scoring is not based off of this type of loss data.