Pass the GIAC Audit GSNA GSNA Questions and answers with ExamsMirror

Contactless tokens are the third main type of physical tokens. Unlike connected tokens, they form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication information from a keychain token. However, there have been various security concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned. Another downside is that contactless tokens have relatively short battery lives, usually only 3-5 years, which is low compared to USB tokens which may last up to 10 years. However, some tokens do allow the batteries to be changed, thus reducing costs. Answer: A is incorrect. Virtual tokens are a new concept in multi-factor authentication first introduced in 2005 by security company Sestus. Virtual tokens work by sharing the token generation process between the Internet website and the user's computer and have the advantage of not requiring the distribution of additional hardware or software. In addition, since the user's device is communicating directly with the authenticating website, the solution is resistant to man-in-the-middle attacks and similar forms of online fraud. Answer: B is incorrect. Connected tokens are tokens that must be physically connected to the client computer. Tokens in this category will automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port, respectively. Answer: C is incorrect. Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.

The IDLE scan is initiated with the IP address of a third party. Hence, it becomes a stealth scan. Since the IDLE scan uses the IP address of a third party, it becomes quite impossible to detect the hacker. Answer: B is incorrect. The RPC (Remote Procedure Call) scan is used to find the RPC applications. After getting the RPC application port with the help of another port scanner, RPC port scanner sends a null RPC packet to all the RPC service ports, which are open into the target system. Answer: A is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target system. If the remote port is closed, the server replies that the remote port is unreachable. If the remote Port is open, no such error is generated. Many firewalls block the TCP port scanning, at that time the UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port scanning easily. Answer: D is incorrect. TCP SYN scanning is also known as half-open scanning because in this a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:

1. The attacker sends SYN packet to the target port.

2. If the port is open, the attacker receives SYN/ACK message.

3. Now the attacker breaks the connection by sending an RST packet.

4. If the RST packet is received, it indicates that the port is closed. This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection and most sites do not create a log of incomplete TCP connections.

A multidimensional database management system (MDDBMS) implies the ability to rapidly process the data in the database so that answers to the queries can be generated quickly. A number of vendors provide products that use multidimensional databases. The approach behind this system is to manage that how data should be stored in the database, and depending upon that storage, how user interface should vary. Conceptually, an MDDBMS uses the idea of a data cube to represent the dimensions of data available to a user. For example, "sales" could be viewed in the dimensions of product model, geography, time, or some additional dimension. In this case, "sales" is known as the measure attribute of the data cube and the other dimensions are seen as feature attributes. Additionally, a database creator can define hierarchies and levels within a dimension (for example, state and city levels within a regional hierarchy). Answer: C is incorrect. A federated database system is a type of meta-database management system (DBMS) that transparently integrates multiple autonomous database systems into a single federated database. The constituent databases are interconnected via a computer network, and may be geographically decentralized. Since the constituent database systems remain autonomous, a federated database system is a contrastable alternative to the (sometimes daunting) task of merging together several disparate databases. A federated database (or virtual database) is the fully-integrated, logical composite of all constituent databases in a federated database system. Answer: A is incorrect. SYSDBA is a system privilege that allows a user to perform basic database administrative tasks, such as creating a database, altering a database, starting up and shutting down an Oracle instance, performing time-based recovery etc. The SYSDBA contains all system privileges with the ADMIN OPTION. It also contains the SYSOPER system privilege. Granting the SYSDBA system privilege to a user automatically adds him to the password file that is used to authenticate administrative users. Therefore, a user possessing the SYSDBA system privilege can connect to a database by using the password file authentication method. Answer: D is incorrect. A hierarchical database is a database management system that implements the hierarchical data model. A hierarchical database system organizes data in a family tree structure such that each record has only one owner and the hierarchy is in a parent and child data segment. This implies that the record can have repeated information in a child segment. The best-known hierarchical DBMS is IMS.

Storage and retention policies will determine how long you keep records (such as records of customers Web activity), how you will store them, and how you will dispose of them. This will allow you to know what records you should still have on hand should a legal request for such records come in. Answer: C is incorrect. User policies might determine what a customer has access to, but won't help you identify what they actually did access. Answer: A is incorrect. Group policies are usually pertinent to network administration, not the open and uncontrolled environment of an ISP. Answer: B is incorrect. Backup policies dictate how data is backed up and stored.

Publishing rules are applied on SMTP servers to accept inbound mail delivery. There are three basic rules of ISA Server, which are as follows: Access rules: These rules determine what network traffic from the internal network is allowed to access the external network. Publishing rules: These rules are used for controlling access requests from the external network for the internal resources. These types of rules are usually applied to Web servers that are used for providing public access. These are also applied on SMTP servers to accept inbound mail delivery. Network rules: These rules define the traffic source, traffic destination, and the network relationship. Answer: D is incorrect. These rules are set for controlling outbound traffic. Answer: B is incorrect. These rules define how to handle the traffic. Answer: C is incorrect. There are no such ISA Server rule sets.

Packet filtering firewalls work on the first three layers of the OSI reference model, which means all the work is done between the network and physical layers. When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. In a software firewall, packet filtering is done by a program called a packet filter. The packet filter examines the header of each packet based on a specific set of rules, and on that basis, decides to prevent it from passing (called DROP) or allow it to pass (called ACCEPT). A packet filter passes or blocks packets at a network interface based on source and destination addresses, ports, or protocols. The process is used in conjunction with packet mangling and Network Address Translation (NAT). Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion. This type of firewall can be best used for network perimeter security. Answer: B is incorrect. An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic. An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms). Answer: A is incorrect. A proxy server exists between a client's Web-browsing program and a real Internet server. The purpose of the proxy server is to enhance the performance of user requests and filter requests. A proxy server has a database called cache where the most frequently accessed Web pages are stored. The next time such pages are requested, the proxy server is able to suffice the request locally, thereby greatly reducing the access time. Only when a proxy server is unable to fulfill a request locally does it forward the request to a real Internet server. The proxy server can also be used for filtering user requests. This may be done in order to prevent the users from visiting non-genuine sites. Answer: D is incorrect. A honeypot is a term in computer terminology used for a trap that is set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, and monitored, and which seems to contain information or a resource of value to attackers.

Switches differ from hubs in that they break up Collision Domains. Each port on a switch equals one Collision Domain. Therefore, a switch will lower the number of collisions within the infrastructure. Managed switches typically offer the ability to create Virtual LANs. Virtual LANs allow the switch to create multiple LANs/network segments that are Virtual. This allows the switch to create additional environments where needed.

A null session is an anonymous connection to a freely accessible network share called IPC$ on Windows-based servers. It allows immediate read and write access with Windows NT/2000 and read-access with Windows XP and 2003. The command to be inserted at the DOS-prompt is as follows: net use \\IP address_or_host name\ipc$ "" "/user:" net use Port numbers 139 TCP and 445 UDP can be used to start a NULL session attack.

The routing table displays various RIP and Connected routes. There is no routing entry for 10.10.100.0/24, but there is a default route in the routing table using 172.18.1.1 as the next hop router. Given that 10.10.100.0/24 does not have a direct entry in the routing table, RouterA will forward traffic to the default route next hop address of 172.18.1.1. Answer: A is incorrect. The address does not appear in the routing table as a next hop router, in addition to being an actual subnet number for 192.168.10.0/24. Answer: C is incorrect. 172.18.50.1 is the next hop for reaching 192.168.11.0. Answer: B is incorrect. 172.18.60.1 is the next hop for reaching 192.168.12.0.

To configure all the wireless access points and client computers to act in accordance with the company's security policy, Mark will take the following actions: Configure the authentication type for the wireless LAN to Shared Key. Shared Key authentication provides access control. Disable SSID Broadcast and enable MAC address filtering on all the wireless access points. Disabling SSID Broadcast and enabling MAC address filtering will prevent unauthorized wireless client computers from connecting to the access point (AP). Only the computers with particular MAC addresses will be able to connect to the wireless access points. On each client computer, add the SSID for the wireless LAN as the preferred network. Answer: E is incorrect. Setting the authentication type for the wireless LAN to Open System will disable Wired Equivalent Privacy (WEP). This level of WEP will not provide security.