Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Home
GIAC
Security Certification: GASF
GCED
GIAC Certified Enterprise Defender Questions and Answers

Pass the GIAC Security Certification: GASF GCED Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam GCED Premium Access

View all detail and faqs for the GCED exam

Go to Exam

408 Students Passed

97% Average Score

93% Same Questions

Viewing page 1 out of 3 pages

Viewing questions 1-10 out of questions

Questions # 1:

What is needed to be able to use taskkill to end a process on remote system?

Options:

Svchost.exe running on the remote system

Domain login credentials

Port 445 open

Windows 7 or higher on both systems

Answer

Explanation

Domain login credentials are needed to kill a process on a remote system using taskkill.

Questions # 2:

Why would a Cisco network device with the latest updates and patches have the service config setting enabled, making the device vulnerable to the TFTP Server Attack?

Options:

Disabling telnet enables the setting on the network device.

This setting is enabled by default in the current Cisco IOS.

Allowing remote administration using SSH under the Cisco IOS also enables the setting.

An attack by Cisco Global Exploiter will automatically enable the setting.

This older default IOS setting was inherited from an older configuration despite the upgrade.

Answer

Explanation

Enabling the service config setting causes a Cisco router to be vulnerable to the TFTP Server Attack since it will actively try to retrieve a new configuration file from the nearest TFTP server. An attacker can insert a malicious update file in this process to compromise the Cisco router.

The service config setting was disabled by default in the Cisco IOS in version 12.0, but had been enabled by default in the 11.x series of the IOS trains. This feature is often enabled in later versions since organizations don’t always realize the risk of this setting and will leave it enabled as the migrate through multiple IOS upgrades.

The other items listed don’t enable the service config setting.

Questions # 3:

A legacy server on the network was breached through an OS vulnerability with no patch available. The server is used only rarely by employees across several business units. The theft of information from the server goes unnoticed until the company is notified by a third party that sensitive information has been posted on the Internet. Which control was the first to fail?

Options:

Security awareness

Access control

Data classification

Incident response

Answer

Explanation

The legacy system was not properly classified or assigned an owner. It is critical that an organization identifies and classifies information so proper controls and measures should be put in place. The ultimate goal of data classification is to make sure that all information is properly protected at the correct level.

This was not a failure of incident response, access control or security awareness training.

Questions # 4:

What does the following WMIC command accomplish?

process where name=’malicious.exe’ delete

Options:

Removes the ‘malicious.exe’ process form the Start menu and Run registry key

Stops current process handles associated with the process named ‘malicious.exe’

Removes the executable ‘malicious.exe’ from the file system

Stops the ‘malicious.exe’ process from running and being restarted at the next reboot

Answer

Questions # 5:

A security device processes the first packet from 10.62.34.12 destined to 10.23.10.7 and recognizes a malicious anomaly. The first packet makes it to 10.23.10.7 before the security devices sends a TCP RST to 10.62.34.12. What type of security device is this?

Options:

Host IDS

Active response

Intrusion prevention

Network access control

Answer

Explanation

An active response device dynamically reconfigures or alters network or system access controls, session streams, or individual packets based on triggers from packet inspection and other detection devices. Active response happens after the event has occurred, thus a single packet attack will be successful on the first attempt and blocked in future attempts. Network intrusion prevention devices are typically inline devices on the network that inspect packets and make decisions before forwarding them on to the destination. This type of device has the capability to defend against single packet attacks on the first attempt by blocking or modifying the attack inline.

Questions # 6:

What attack was indicated when the IDS system picked up the following text coming from the Internet to the web server?

select user, password from user where user= “jdoe” and password= ‘myp@55!’ union select “text”,2 into outfile “/tmp/file1.txt” - - ’

Options:

Remote File Inclusion

URL Directory Traversal

SQL Injection

Binary Code in HTTP Headers

Answer

Explanation

An example of manipulating SQL statements to perform SQL injection includes using the semi-colon to perform multiple queries. The following example would delete the users table:

Username: ‘ or 1=1; drop table users; - -

Password: [Anything]

Questions # 7:

Which tasks would a First Responder perform during the Identification phase of Incident Response?

Options:

Verify the root cause of the incident and apply any missing security patches.

Install or reenable host-based firewalls and anti-virus software on suspected systems.

Search for sources of data and information that may be valuable in confirming and containing an incident.

Disconnect network communications and search for malicious executables or processes.

Answer

Questions # 8:

Before re-assigning a computer to a new employee, what data security technique does the IT department use to make sure no data is left behind by the previous user?

Options:

Fingerprinting

Digital watermarking

Baselining

Wiping

Answer

Questions # 9:

Which command is the Best choice for creating a forensic backup of a Linux system?

Options:

Run form a bootable CD: tar cvzf image.tgz /

Run from compromised operating system: tar cvzf image.tgz /

Run from compromised operating system: dd if=/ dev/hda1 of=/mnt/backup/hda1.img

Run from a bootable CD: dd if=/dev/hda1 of=/mnt/backup/hda1.img

Answer

Explanation

Using dd from a bootable CD is the only forensically sound method of creating an image. Using tar does not capture slack space on the disk. Running any command from a compromised operating system will raise integrity issues.

Questions # 10:

How would an attacker use the following configuration settings?

Question # 10