Free Practice Questions for GIAC GICSP Exam

The diagram shows multiple subnets/zones (Levels 0-3) connected via routers and switches. To enforce traffic flow policies between these zones/subnets, the router should implement Access Control Lists (ACLs) (B).

ACLs can:

Filter traffic between subnets based on IP addresses, ports, and protocols

Enforce security boundaries as per ICS segmentation principles

(A) MAC-based port security controls device-level access but is less effective for inter-subnet traffic control.

(C) Secure Shell (SSH) is for secure device management, not traffic control.

(D) 802.1x provides port-based network access control but is less relevant for routing traffic between subnets.

GICSP highlights ACLs as fundamental tools for network segmentation enforcement in ICS.

An attacker often tries to cover their tracks by deleting or modifying logs on the compromised system to hide evidence of their activities.

Centralized logging (D) forwards log data in real-time or near real-time to a secure, remote logging server that the attacker cannot easily alter or delete. This makes it much more difficult for attackers to erase their footprints because even if local logs are tampered with, copies remain intact elsewhere.

Attack surface analysis (A) is a proactive security activity to identify vulnerabilities, not a forensic or logging mechanism.

Application allow lists (B) control what software can execute but do not directly preserve evidence of actions taken.

Sandboxing (C) isolates processes for security testing but is unrelated to preserving evidence.

The GICSP materials emphasize centralized logging and secure log management as critical controls for incident detection and forensic analysis within ICS environments.

Log aggregation involves collecting log data from multiple devices and systems into a centralized repository. This provides a holistic view of the environment and enables security teams to correlate events across disparate sources. The key benefit of log aggregation is that it:

Assists in analysis of log data from multiple sources (D) by providing a unified platform for searching, filtering, and correlating events, enabling quicker detection of security incidents and comprehensive forensic investigations.

While log aggregation can help improve management, it does not simplify initial setup (A), nor does it inherently reduce system load (B) because devices still generate logs locally. It also does not eliminate the need for baselining normal activity (C), which remains essential for detecting anomalies.

GICSP stresses centralized logging as a critical component of effective ICS security monitoring and incident response.

Comprehensive and Detailed Explanation From Exact Extract:

In environments where workstations arenot managed by Active Directory (AD), deploying security policies in an automated and scripted manner requires command-line tools that can export, configure, and apply security templates locally or remotely. Among the listed options:

secedit.exeis a command-line utility included in Windows that allows administrators toexport, import, and apply security templateson local or remote systems without needing Active Directory. This makes it ideal for scripted deployment of security configurations over the network in environments without centralized management.

secpol.mscis a graphical snap-in for the Local Security Policy editor, intended for manual configuration on a per-machine basis anddoes not support scripted deployment or remote application.

gpedit.mscis the Group Policy Editor snap-in, used primarily for managing local or domain Group Policies interactively and is reliant on the Group Policy infrastructure. It isnot effective for scripted deployment in non-AD environments.

Therefore,secedit.exeprovides the capability to import and apply security templates via command line and scripts, making it the preferred tool for automated security policy deployment across workstations not managed by Active Directory.

This is consistent with GICSP’s emphasis onsecure configuration management and automationwithin ICS environments, where centralized domain services may not always be available, and robust tools for local policy enforcement are essential.

Containment in incident handling involves limiting the damage caused by an incident and preventing its spread.

Re-imaging a compromised workstation (C) is a direct containment action to remove malicious software and restore system integrity.

(A) Patch verification and (D) validation scans are part of recovery or prevention phases.

(B) Creating forensic images is an evidence preservation task, not containment.

The GICSP incident handling process emphasizes containment as an immediate action to stabilize the environment before eradication and recovery.

GridEx (C) is a major, biennial cybersecurity exercise coordinated by the North American Electric Reliability Corporation (NERC) and other stakeholders. It typically occurs in odd years and involves multiple entities from across the grid, simulating large-scale cyber and physical attacks.

GridEx exercises culminate in a public Lessons Learned report to improve preparedness.

CRPA (A) and CTEP (D) are different programs/exercises, and E-ISAC (B) is the Electricity Information Sharing and Analysis Center, not an exercise.

GICSP recognizes GridEx as a critical event for testing incident response capabilities in ICS sectors.

The Common Weakness Enumeration (CWE) (A) is a comprehensive list and taxonomy of common software weaknesses and vulnerabilities. It provides standardized names and definitions that help organizations identify and mitigate software security issues.

CVSS (B) is a scoring system used to rate the severity of vulnerabilities but does not categorize them.

CSC (C) refers to Critical Security Controls, a set of best practices, not a vulnerability catalog.

CIP (D) relates to Critical Infrastructure Protection standards, not vulnerability taxonomy.

GICSP includes CWE as an essential resource for understanding and classifying software vulnerabilities within ICS.

The Wireshark capture filter is set to modbus_tcp.func_code == 5. According to the Modbus protocol specification:

Function code 5 corresponds to Write Single Coil (A).

Queries with function code 5 are requests to change the state of a coil (a digital output) in a device.

The packet details confirm "function 5: Write coil" with the reference number and data.

Other function codes (such as read coils or read registers) use different function codes, so options C and E are incorrect. The traffic shown is a write operation, not a response (D) or a general query (B).

Comprehensive and Detailed Explanation From Exact Extract:

SQL injection attacks often exploit the ability to inject SQL code into input fields to alter the logic of database queries. To bypass authentication, attackers often:

Use database comment characters (B) (e.g., -- in many SQL dialects) to ignore the rest of the original query, effectively bypassing the password check.

An unencrypted login page (A) is unrelated to the SQL injection logic.

Two pipe characters (||) (C) are logical OR operators in some databases but not universally required.

The correct password (D) is not required for bypass in SQL injection scenarios.

GICSP training covers SQL injection and defensive coding practices as common ICS web application vulnerabilities.

Comprehensive and Detailed Explanation From Exact Extract:

Relaxing password policies during disaster recovery often leads to increased risk (C) by weakening authentication controls and potentially allowing unauthorized access.

Recovery Point Objective (RPO) (A) relates to data loss tolerance and is unlikely directly affected by password policies.

Recovery Time Objective (RTO) (B) relates to restoration speed, and while relaxed policies may speed access, this is outweighed by security risk.

Reduced insurance needs (D) is not a direct consequence of relaxed security policies.

GICSP stresses that even during emergencies, security controls should be maintained to prevent additional vulnerabilities.