Pass the GIAC Cyber Security GICSP Questions and answers with ExamsMirror

The process described involves a defined quantity of ingredients being mixed and held for a fixed time before moving to the next step. This is a hallmark of a batch process.

Batch processes are executed in discrete lots or batches, where the process is started, controlled during the batch, and stopped or reset before the next batch.

Discrete processes (B) involve countable, separate units like assembled products.

Continuous processes (C) operate nonstop with steady conditions, common in chemical plants but not in batch brewing.

Distributed (D) refers to control architectures, not process type.

GICSP emphasizes the importance of understanding process types to tailor cybersecurity controls appropriate to their operational characteristics.

Comprehensive and Detailed Explanation From Exact Extract:

The defining characteristic of a real-time operating system (RTOS) is its process scheduling mechanism (C), which guarantees deterministic and predictable timing for critical tasks.

Memory usage (A), CPU speed (B), and user accounts (D) are secondary or unrelated to the core distinction.

RTOS uses priority-based or time-constrained scheduling to ensure timely task completion, crucial for ICS environments.

GICSP training emphasizes the importance of real-time scheduling in ICS control devices to meet operational safety and reliability.

CERT (Computer Emergency Response Team) (C) is a designated group of cybersecurity experts who provide incident response, threat intelligence, and coordination with organizations and law enforcement to manage and reduce cybersecurity risks.

CVE (A) is a list of publicly disclosed vulnerabilities.

COBIT (B) is a framework for IT governance and management.

CVSS (D) is a scoring system for vulnerabilities.

GICSP highlights CERTs as critical entities in incident handling and collaborative cyber defense.

Comprehensive and Detailed Explanation From Exact Extract:

In many real-time operating systems (RTOS), interprocess communication (IPC) mechanisms (A) operate in user mode to minimize latency and overhead.

In typical standard operating systems, IPC is usually handled by the kernel (kernel mode) for security and control.

Virtual memory (B), device drivers (C), and process scheduling (D) are typically kernel mode in both OS types.

GICSP covers these architectural differences important in ICS device security and performance.

The Respond function of the NIST Cybersecurity Framework (CSF) focuses on activities to contain, mitigate, and eradicate incidents once detected.

Performing forensic analysis and eradicating malware (B) falls clearly within the Respond function.

(A) Discovering malicious activity is part of the Detect function.

(C) Restoring from backup is part of the Recover function.

(D) Limiting user access is a Preventive control under the Protect function.

GICSP training maps ICS security activities to the NIST CSF to guide structured incident response.

Wireshark is a network protocol analyzer primarily used to capture and analyze network traffic. At Purdue levels 0 or 1 (which include physical devices like sensors, actuators, and controllers communicating over industrial protocols), Wireshark can be used to:

Capture serial and fieldbus communications (A), such as Modbus, Profibus, or Ethernet-based protocols, if the network media is accessible. This can reveal sensitive operational data and control commands.

Wireshark cannot capture communications between chips on a board (B) because this is hardware-level, not network traffic.

Detecting open ports by sending packets (C) is a function of port scanning tools, not Wireshark.

Detecting asymmetrical keys or brute forcing crypto keys (D and E) are not capabilities of Wireshark.

The GICSP training highlights the risk of passive monitoring via tools like Wireshark as a means for attackers to gain insight into control system operations.

In the Purdue model, HMIs typically reside at Level 2 (Supervisory Control), providing interfaces for operators to monitor and control devices. Remote Terminal Units (RTUs) (D) also commonly reside at this level, interfacing between controllers and supervisory systems.

Variable speed drives (A) and PLCs (B) are usually located at Level 1 (Control Devices LAN).

Data historians (C) typically reside at Level 3 or higher in the Operations Support DMZ or enterprise network.

GICSP materials emphasize proper classification of devices by Purdue levels for effective network segmentation and security.

Comprehensive and Detailed Explanation From Exact Extract:

LDAP (Lightweight Directory Access Protocol) is used to manage authentication and authorization services, controlling user access to systems and resources.

This function aligns with the Protect function (A) of the NIST Cybersecurity Framework (CSF), which focuses on access control, identity management, and protective technology to safeguard systems.

Identify (B) relates to asset management and risk assessment.

Respond (C) deals with incident response.

Detect (D) relates to discovering cybersecurity events.

GICSP maps LDAP implementation as a key protective control to ensure authorized access in ICS environments.

Log aggregation involves collecting log data from multiple devices and systems into a centralized repository. This provides a holistic view of the environment and enables security teams to correlate events across disparate sources. The key benefit of log aggregation is that it:

Assists in analysis of log data from multiple sources (D) by providing a unified platform for searching, filtering, and correlating events, enabling quicker detection of security incidents and comprehensive forensic investigations.

While log aggregation can help improve management, it does not simplify initial setup (A), nor does it inherently reduce system load (B) because devices still generate logs locally. It also does not eliminate the need for baselining normal activity (C), which remains essential for detecting anomalies.

GICSP stresses centralized logging as a critical component of effective ICS security monitoring and incident response.

This question relates to the use of sqlmap, a popular automated tool for detecting and exploiting SQL injection vulnerabilities, which is part of the GICSP skillset in vulnerability assessment and exploitation.

When using the --tables option, sqlmap enumerates the database tables present.

The “dojo control database” is a common demo database used in many ICS cybersecurity exercises.

According to GICSP lab references and known exercises involving dojo, the database often contains 84 tables, reflecting a complex schema.

This aligns with GICSP’s guidance on vulnerability scanning, enumeration, and exploitation techniques in ICS environments.