Pass the GIAC Cyber Security GICSP Questions and answers with ExamsMirror

Comprehensive and Detailed Explanation From Exact Extract:

A Business Impact Analysis (BIA) primarily produces a prioritization of the business’s processes (B) based on their criticality and impact on organizational goals.

While BIAs help understand downtime tolerance (A) and financial impacts (C), prioritization is the core output guiding recovery efforts.

Understanding technology functions (D) is part of broader asset and risk management but not the primary BIA output.

GICSP highlights BIA as essential for aligning ICS recovery priorities with business needs.

The Common Weakness Enumeration (CWE) (A) is a comprehensive list and taxonomy of common software weaknesses and vulnerabilities. It provides standardized names and definitions that help organizations identify and mitigate software security issues.

CVSS (B) is a scoring system used to rate the severity of vulnerabilities but does not categorize them.

CSC (C) refers to Critical Security Controls, a set of best practices, not a vulnerability catalog.

CIP (D) relates to Critical Infrastructure Protection standards, not vulnerability taxonomy.

GICSP includes CWE as an essential resource for understanding and classifying software vulnerabilities within ICS.

General-purpose PLCs are designed to perform a wide range of control tasks, programmed to execute complex control logic and interact with multiple I/O points, making them versatile controllers in industrial automation.

In contrast, smart field devices (like smart transmitters or actuators) are typically dedicated to specific measurement or control functions and may have embedded intelligence for self-calibration, diagnostics, or simple control, but with a more limited purpose and function (C).

(A) is incorrect because smart field devices often can be managed remotely.

(B) is true but not a differentiating functional characteristic.

(D) is incorrect; smart field devices often have configurable logic or settings.

GICSP training differentiates these device classes to tailor cybersecurity controls effectively.

Network Address Translation (NAT) is a technique used to hide private IP addresses behind a public IP address (C), providing security benefits by masking internal network structures from external networks. NAT also conserves public IP addresses and allows multiple devices to share a single IP when accessing external networks.

While NAT affects routing and firewall operations, its primary purpose is not to maximize firewall functionality (A), simplify access lists (B), or enable routing (D), although it may indirectly impact these functions.

GICSP training stresses NAT as part of network security design, especially at the boundary between enterprise and ICS networks.

An Ethernet switch (C) is a network device that learns the MAC addresses of connected devices and forwards packets only to the port associated with the destination node, reducing unnecessary traffic and improving security and efficiency.

An Ethernet hub (A) broadcasts incoming packets to all ports, not selectively.

A wireless access point (B) broadcasts signals to multiple wireless clients within range.

A wireless bridge (D) connects two network segments wirelessly but forwards traffic according to device types, not necessarily selectively to single nodes.

GICSP’s ICS network segmentation and architecture domain underline the use of switches to limit broadcast traffic and reduce attack surfaces.

Round-robin scheduling is a common time-sharing CPU scheduling algorithm used in general-purpose operating systems to allocate processor time fairly among processes.

An operator workstation (C) typically runs a general-purpose OS (like Windows), which uses round-robin or similar scheduling algorithms.

Embedded devices (A, B) often use real-time operating systems (RTOS) with priority-based or deterministic scheduling.

A data diode (D) is a hardware device and does not use process scheduling.

GICSP discusses scheduling differences in the context of embedded and general-purpose systems.

Comprehensive and Detailed Explanation From Exact Extract:

In the context ofIndustrial Control Systems (ICS)andOT network security, the principle of least privilege and explicit access control is fundamental for protecting critical infrastructure assets. According to the GICSP framework, when usingapplication-aware firewallsbetween different trust zones (e.g., corporate network to OT network), any traffic that doesnot explicitly match a defined ruleshould be blocked by default. This is referred to as the“default deny” policy.

Default denymeans that unless traffic is explicitly allowed by firewall rules, it should be denied. This ensures that no unknown or unauthorized packets traverse trust boundaries, reducing the attack surface significantly.

Thedefault alertoption (A) is useful for monitoring but does not prevent unauthorized access, so it’s insufficient as a security control.

Application deny list(C) andapplication allow list(D) refer to sets of permitted or denied applications, but the firewall still needs an overarching policy to handle unmatched packets; that policy must be deny for safety.

This approach is emphasized in theICS Security Architecture and Network Segmentationdomain of GICSP, reinforcing that all unknown or unexpected network traffic should be blocked unless explicitly permitted by policy. This aligns withNIST SP 800-82 Rev 2guidance on ICS security, which GICSP incorporates.

The diagram shows two networks (Business Network and Control Server Network) connected by a switch, suggesting a single organization’s infrastructure with logical segmentation.

Best practices per GICSP for ICS and enterprise network integration recommend a single Active Directory domain with groups and organizational units to separate roles and permissions. This approach simplifies management, maintains centralized authentication, and supports role-based access control.

Creating multiple domains (B or C) introduces unnecessary complexity and potential trust relationship issues. A transitive trust (D) is relevant when multiple domains exist, which is not required here.

The GICSP framework supports minimizing complexity in domain design to reduce attack surfaces while maintaining proper segmentation through groups and policies.

Legacy devices using RS-232 interfaces require a communications gateway (C) to translate between the serial communication protocol and the new TCP/IP network.

A data diode (A) is a unidirectional security device, not a protocol translator.

An engineering workstation (B) is a computer, not a protocol conversion device.

An industrial switch (D) operates at the Ethernet layer and does not perform protocol conversion.

GICSP emphasizes gateways as essential for integrating legacy ICS devices into modern IP networks while maintaining protocol integrity.

Comprehensive and Detailed Explanation From Exact Extract:

The grep command (C) is a powerful and widely used Linux utility for searching text or data patterns within files and returning matching lines to the screen. It supports regular expressions, making it flexible for complex searches.

type (A) displays the kind of command (shell builtin, file, alias).

cat (B) outputs entire file contents but does not search.

tail (D) shows the last lines of a file but also does not perform searches.

In ICS security and forensic investigations (covered in GICSP), grep is essential for quickly finding relevant log entries or configuration data.