Free Practice Questions for GIAC GSNA Exam

sed and grep are the two commands that can be used to search a specified string in all text files without opening them. sed is a stream editor that is used to perform basic text transformations on an input stream (a file or input from a pipeline).

The yy key combination in the vi editor is used to copy the current line. The vi editor is an interactive, cryptic, and screen-based text editor used to create and edit a file. It operates in either Input mode or Command mode. In Input mode, the vi editor accepts a keystroke as text and displays it on the screen, whereas in Command mode, it interprets keystrokes as commands. As the vi editor is case sensitive, it interprets the same character or characters as different commands, depending upon whether the user enters a lowercase or uppercase character. When a user starts a new session with vi, he must put the editor in Input mode by pressing the "I" key. If he is not able to see the entered text on the vi editor's screen, it means that he has not put the editor in Insert mode. The user must change the editor to Input mode before entering any text so that he can see the text he has entered. Answer: D is incorrect. It deletes next char on the right. Answer: A is incorrect. It deletes the current line and one line above. Answer: C is incorrect. It deletes from the cursor till the end of the line.

Data mining is a process of sorting through data to identify patterns and establish relationships. Following are the data mining parameters: Association: Looking for patterns where one event is connected to another event. Sequence or path analysis: Looking for patterns where one event leads to another later event. Classification: Looking for new patterns (may result in a change in the way the data is organized but is acceptable). Clustering: Finding and visually documenting groups of facts not previously known. Forecasting: Discovering patterns in data that can lead to reasonable predictions about the future (This area of data mining is known as predictive analytics).

Following are the limitations of cross site request forgeries to be successful: Explanation: Following are the limitations of cross site request forgeries to be successful:

1. The attacker must target either a site that doesn't check the Referer header (which is common) or a victim with a browser or plugin bug that allows Referer spoofing (which is rare).

2. The attacker must find a form submission at the target site that does something useful to the attacker (e.g., transfers money, or changes the victim's e-mail address or password).

3. The attacker must determine the right values for all the form inputs: if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will fail.

4. The attacker must lure the victim to a Web page with malicious code while the victim is logged in to the target site. Since, the attacker can't see what the target Web site sends back to the victim in response to the forged requests, unless he exploits a cross- site scripting or other bug at the target Web site.

Similarly, the attacker can only "click" any links or submit any forms that come up after the initial forged request, if the subsequent links or forms are similarly predictable. (Multiple "clicks" can be simulated by including multiple images on a page, or by using JavaScript to introduce a delay between clicks). from cross site request forgeries (CSRF) by applying the following countermeasures available: Requiring authentication in GET and POST parameters, not only cookies. Checking the HTTP Referer header. Ensuring there's no crossdomain.xml file granting unintended access to Flash movies. Limiting the lifetime of authentication cookies. Requiring a secret, user-specific token in all form submissions prevents CSRF; the attacker's site can't put the right token in its submissions. Individual Web users can do relatively little to prevent cross-site request forgery. Logging out of sites and avoiding their "remember me" features can mitigate CSRF risk; not displaying external images or not clicking links in "spam" or unreliable e-mails may also help.

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that still conceives these dangers even if all theoretically possible safety measures would be applied. The formula to calculate residual risk is (inherent risk) x (control risk) where inherent risk is (threats vulnerability). Answer: B is incorrect. In information security, security risks are considered as an indicator of threats coupled with vulnerability. In other words, security risk is a probabilistic function of a given threat agent exercising a particular vulnerability and the impact of that risk on the organization. Security risks can be mitigated by reviewing and taking responsible actions based on possible risks. Answer: C is incorrect. Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware , operating systems, firmware, applications, and configuration files. Vulnerability has been variously defined in the current context as follows: 1.A security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation and such. 2.Weakness in an information system or components (e.g. system security procedures, hardware design, or internal controls that could be exploited to produce an information-related misfortune.) 3.The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.

The following are the drawbacks of the NTLM Web Authentication Scheme: NTLM Web authentication is not entirely safe because NTLM hashes (or challenge/response pairs) can be cracked with the help of brute force password guessing. The "cracking" program would repeatedly try all possible passwords, hashing each and comparing the result to the hash that the malicious user has obtained. When it discovers a match, the malicious user will know that the password that produced the hash is the user's password. This authentication technique works only with Microsoft Internet Explorer. Answer: A, C are incorrect. NTLM authentication does not send the user's password (or hashed representation of the password) across the network. Instead, NTLM authentication utilizes challenge/response mechanisms to ensure that the actual password never traverses the network. How does it work? When the authentication process begins, the client sends a login request to the telnet server. The server replies with a randomly generated 'token' to the client. The client hashes the currently logged-on user's cryptographically protected password with the challenge and sends the resulting "response" to the server. The server receives the challenge-hashed response and compares it in the following manner:

The server takes a copy of the original token. Now it hashes the token against the user's password hash from its own user account database. If the received response matches the expected response, the user is successfully authenticated to the host.

Pervasive IS controls can be used across all the internal departments and external contractors. If the Pervasive IS controls are implemented properly, it improves the reliability of the following: Software development System implementation Overall service delivery Security administration Disaster recovery Business continuity planning Answer: A is incorrect. Pervasive IS controls do not have any relation with the reliability of the hardware development.

In Unix, the /etc/usertty file is used to impose some special access restrictions on users. Answer: B is incorrect. In Unix, the /etc/terminfo file contains the details for the terminal I/O. Answer: A is incorrect. In Unix, the /var/run/utmp file is the configuration file that contains information about the currently logged in users. Mostly, the 'Who' and 'w' commands use this file. Answer: D is incorrect. In Unix, the /etc/termcap file works as a terminal capability database.

Separation of duties (SoD) is the concept of having more than one person required to complete a task. It is alternatively called segregation of duties or, in the political realm, separation of powers. Segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to ISACA's Segregation of Duties Control matrix, some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined. Answer: A is incorrect. Cisco Security Agent (CSA) is an endpoint intrusion prevention system. It is rule-based and examines system activity and network traffic, determining which behaviors are normal and which may indicate an attack. CSA uses a two or three-tier client- server architecture. The Management Center 'MC' (or Management Console) contains the program logic; an MS SQL database backend is used to store alerts and configuration information; the MC and SQL database may be co-resident on the same system. The Agent is installed on the desktops and/or servers to be protected. The Agent communicates with the Management Center, sending logged events to the Management Center and receiving updates in rules when they occur. Answer: C is incorrect. Internal auditing is a profession and activity involved in helping organizations achieve their stated objectives. It does this by using a systematic methodology for analyzing business processes, procedures and activities with the goal of highlighting organizational problems and recommending solutions. Answer: D is incorrect. Risk assessment is a step in a risk management process.