Pass the GIAC Audit GSNA GSNA Questions and answers with ExamsMirror

NetStumbler, a war driving tool, uses an organizationally unique identifier (OID) of 0x00601A, D protocol identifier (PID) of 0x0001. Each version has a typical payload string. For example, NetStumbler 3.2.3 has a payload string: 'All your 802.11b are belong to us'. Therefore, when you see the OID and PID values, you discover that the attacker is using NetStumbler, and when you see the payload string, you are able to ascertain that the attacker is using NetStumbler 3.2.3.

A demilitarized zone (DMZ) is the most secure place to host a server that will be accessed publicly through the Internet. Demilitarized zone (DMZ) or perimeter network is a small network that lies in between the Internet and a private network. It is the boundary between the Internet and an internal network, usually a combination of firewalls and bastion hosts that are gateways between inside networks and outside networks. DMZ provides a large enterprise network or corporate network the ability to use the Internet while still maintaining its security. Answer: B is incorrect. Hosting a server on the intranet for public access will not be good from a security point of view.

Port redirection is a technique by which an attacker takes network traffic coming towards a host at one port and redirects it from that host to another host. For example, tools such as Fpipe and Datapipe are port redirection tools that accept connections at any specified port and resend them to other specified ports on specified hosts. For example, the following command establishes a listener on port 25 on the test system and then redirects the connection to port 80 on the target system using the source port of 25. C.\>fpipe -l 25 -s 25 -r 80 IP_address Answer: C is incorrect. Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that if an administrator blocks ICMP packets from leaving the network, it is ineffective. Answer: A is incorrect. Snooping is an activity of observing the content that appears on a computer monitor or watching what a user is typing. Snooping also occurs by using software programs to remotely monitor activity on a computer or network device. Hackers or attackers use snooping techniques and equipment such as keyloggers to monitor keystrokes, capture passwords and login information, and to intercept e-mail and other private communications. Sometimes, organizations also snoop their employees legitimately to monitor their use of organizations' computers and track Internet usage. Answer: B is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target system. If the remote port is closed, the server replies that the remote port is unreachable. If the remote Port is open, no such error is generated. Many firewalls block the TCP port scanning, at that time the UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port scanning easily.

In Unix, the ls command is used to view the directories in alphabetical order. Answer: A is incorrect. In Unix, the cat command in Unix is used to create or display short files. Answer: B is incorrect. In Unix, the chmod command is used to change permissions. Answer: C is incorrect. In Unix, the cp command is used for copying files.

Wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally it is achieved by comparing the MAC address of the participating wireless devices. Rogue devices can spoof MAC address of an authorized network device as their own. WIPS uses fingerprinting approach to weed out devices with spoofed MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by each wireless device against the known signatures of pre-authorized, known wireless devices.

Answer: B is incorrect. An Intrusion detection system (IDS) is used to detect unauthorized attempts to access and manipulate computer systems locally or through the Internet or an intranet. It can detect several types of attacks and malicious behaviors that can compromise the security of a network and computers. This includes network attacks against vulnerable services, unauthorized logins and access to sensitive data, and malware (e.g. viruses, worms, etc.). An IDS also detects attacks that originate from within a system. In most cases, an IDS has three main components: Sensors, Console, and Engine. Sensors generate security events. A console is used to alert and control sensors and to monitor events. An engine is used to record events and to generate security alerts based on received security events. In many IDS implementations, these three components are combined into a single device. Basically, following two types of IDS are used : Network-based IDS Host-based IDS Answer: A is incorrect. Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs activities of the network that is matched with the predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). The three main modes in which Snort can be configured are as follows: Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console. Packet logger mode: It logs the packets to the disk. Network intrusion detection mode: It is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set. Answer: C is incorrect. A firewall is a tool to provide security to a network. It is used to protect an internal network or intranet against unauthorized access from the Internet or other outside networks. It restricts inbound and outbound access and can analyze all traffic between an internal network and the Internet. Users can configure a firewall to pass or block packets from specific IP addresses and ports.

The tar -u command is used to append a tar file if the on-disk version of the tar file has a modification date more recent than its copy in the tar archive. Answer: B is incorrect. The tar -t command is used to list the contents of an archive. Answer: D is incorrect. The tar -x command is used to extract the files from an archive. Answer: C is incorrect. The tar -c command is used to create a new archive of specified files.

With either encryption method (WEP or WPA) you can give the password to customers who need it, and even change it frequently (daily if you like). So this won't be an inconvenience for customers.

According to the scenario, you have enabled system message logging (syslog) service on all the routers that are currently working in the network. If you want to store all the repots, important error and notification messages sent by the routers, you can store all of these in the buffer, console, syslog server, and tty lines. You can use buffer, if you want to store syslog messages for later analysis of the network. Buffer is the memory of the router. The syslog messages that you have stored in the buffer are later available for the network analysis until the router is rebooted. You can use console port of the routers to send syslog messages to the attached terminal. You can also use vty and tty lines to send syslog messages to the remote terminal. However, the messages send through the console, vty, and tty lines are not later available for network analysis. You can use syslog server to store all the reports, and important error and notification messages. It is the best option to store all these because it is easy to configure a syslog server and you can store a large volume of logs. Note: If you have configured to run an SNMP agent, the routers send all the reports, and important error and messages in the form of SNMP traps to an SNMP server. Using this you can store the reports and messages for a long period of time. Answer: A is incorrect. You cannot store syslog messages in the auxiliary line.

A firewall is a set of related programs configured to protect private networks connected to the Internet from intrusion. It is used to regulate the network traffic between different computer networks. It permits or denies the transmission of a network packet to its destination based on a set of rules. A firewall is often installed on a separate computer so that an incoming packet does not get into the network directly. Answer: B is incorrect. Windows Defender is a software product designed by Microsoft to provide continuous security against malware. If it detects anything suspicious, an alert will appear on the screen. Windows Defender can also be used to scan a computer for suspicious software. It can remove or quarantine any malware or spyware it finds. Answer: C is incorrect. Software Explorer is a tool of Windows Defender. It is used to remove, enable, or disable the programs running on a computer. Answer: D is incorrect. Quarantined items is a tool of Windows Defender. It is used to remove or restore a program blocked by Windows Defender.

Circumstantial evidences are the collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity/person. Answer: B is incorrect. Corroborating evidence is evidence that tends to support a proposition that is already supported by some evidence. Answer: A is incorrect. Incontrovertible evidence is a colloquial term for evidence introduced to prove a fact that is supposed to be so conclusive that there can be no other truth as to the matter; evidence so strong, it overpowers contrary evidence, directing a fact-finder to a specific and certain conclusion. Answer: C is incorrect. Direct evidence is testimony proof for any evidence, which expressly or straight-forwardly proves the existence of a fact.