GSNA GIAC Systems and Network Auditor Questions and Answers

In the TCP FTP proxy (bounce attack) scanning, a scanner connects to an FTP server and requests that server to start data transfer to the third system. Now, the scanner uses the PORT FTP command to declare whether or not the data transfer process is listening to the target system at the certain port number. Then the scanner uses LIST FTP command to list the current directory. This result is sent over the server. If the data transfer is successful, it is clear that the port is open. If the port is closed, the attacker receives the connection refused ICMP error message. Answer: A is incorrect. Xmas Tree scanning is just the opposite of null scanning. In Xmas Tree scanning, all packets are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with the RST packet. Active monitoring of all incoming packets can help system network administrators detect an Xmas Tree scan. Answer: B is incorrect. TCP FIN scanning is a type of stealth scanning, through which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends the RST packet to the attacker. If the port is open, the FIN packet will be ignored and the port will drop that packet. TCP FIN scanning is useful only for identifying ports of non Windows operating system because Windows operating systems send only RST packets irrespective of whether the port is open or closed. Answer: C is incorrect. TCP SYN scanning is also known as half-open scanning because in this a full TCP connection is never opened. The steps of TCP SYN scanning are as follows: 1.The attacker sends SYN packet to the target port. 2.If the port is open, the attacker receives SYN/ACK message. 3.Now the attacker breaks the connection by sending an RST packet. 4.If the RST packet is received, it indicates that the port is closed. This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection and most sites do not create a log of incomplete TCP connections.

FAT16 file system was developed for disks larger than 16MB. It uses 16-bit allocation table entries. FAT16 file system supports all Microsoft operating systems. It also supports OS/2 and Linux. Answer: C, D are incorrect. All these statements are true about FAT16 file system.

Server security is the process of limiting access to the database server. This is one of the most basic and most important components of database security. It is imperative that an organization not let their database server be visible to the world. If an organization's database server is supplying information to a web server, then it should be configured to allow connections only from that web server. Also, every server should be configured to allow only trusted IP addresses. Answer: B is incorrect. With regard to database connections, system administrators should not allow immediate unauthenticated updates to a database. If users are allowed to make updates to a database via a web page, the system administrator should validate all updates to make sure that they are warranted and safe. Also, the system administrator should not allow users to use their designation of "sa" when accessing the database. This gives employees complete access to all of the data stored on the database regardless of whether or not they are authenticated to have such access. Answer: A is incorrect. Table access control is related to an access control list, which is a table that tells a computer operating system which access rights each user has to a particular system object. Table access control has been referred to as one of the most overlooked forms of database security. This is primarily because it is so difficult to apply. In order to properly use table access control, the system administrator and the database developer need to collaborate with each other. Answer: C is incorrect. Restricting database access is important especially for the companies that have their databases uploaded on the Internet. Internet-based databases have been the most recent targets of attacks, due to their open access or open ports. It is very easy for criminals to conduct a "port scan" to look for ports that are open that popular database systems are using by default. The ports that are used by default can be changed, thus throwing off a criminal looking for open ports set by default. Following are the security measures that can be implemented to prevent open access from the Internet: Trusted IP addresses: Servers can be configured to answer pings from a list of trusted hosts only. Server account disabling: The server ID can be suspended after three password attempts. Special tools: Products can be used to send an alert when an external server is attempting to breach the system's security. One such example is RealSecure by ISS.

Audit trail or audit log comes under detective controls. Detective controls are the audit controls that are not needed to be restricted. Any control that performs a monitoring activity can likely be defined as a Detective Control. For example, it is possible that mistakes, either intentional or unintentional, can be made. Therefore, an additional Protective control is that these companies must have their financial results audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor. In fact, any auditor acts as a Detective control. If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency which indicates that some control somewhere has failed. Answer: B is incorrect. Reactive or corrective controls typically work in response to a detective control, responding in such a way as to alert or otherwise correct an unacceptable condition. Using the example of account rules, either the internal Audit Committee or the SEC itself, based on the report generated by the external auditor, will take some corrective action. In this way, they are acting as a Corrective or Reactive control. Answer: A, D are incorrect. Protective or preventative controls serve to proactively define and possibly enforce acceptable behaviors. As an example, a set of common accounting rules are defined and must be followed by any publicly traded company. Each quarter, any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. These accounting rules and the SEC requirements serve as protective or preventative controls.

To apply the same style consistently throughout your Web site you should use external style sheet. Cascading style sheets (CSS) are used so that the Web site authors can exercise greater control on the appearance and presentation of their Web pages. And also because they increase the ability to precisely point to the location and look of elements on a Web page and help in creating special effects. Cascading Style Sheets have codes, which are interpreteA, Dpplied by the browser on to the Web pages and their elements. There are three types of cascading style sheets. External Style Sheets Embedded Style Sheets Inline Style Sheets External Style Sheets are used whenever consistency in style is required throughout a Web site. A typical external style sheet uses a .css file extension, which can be edited using a text editor such as a Notepad. Embedded Style Sheets are used for defining styles for an active page.

Inline Style Sheets are used for defining individual elements of a page. Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number: Q179628

Zorp is a proxy firewall suite developed by Balabit IT Security. Its core framework allows the administrator to fine-tune proxy decisions (with its built-in script language), and fully analyze embedded protocols (such as SSL with an embedded POP3 or HTTP protocol). The FTP, HTTP, FINGER, WHOIS, TELNET, and SSL protocols are fully supported with an application-level gateway. Zorp aims for compliance with the Common Criteria/Application Level Firewall Protection Profile for Medium Robustness. Zorp is released under GNU/GPL and commercial license too. The GPL version is completely usable and functional; however, it lacks some of the more advanced functions available in the commercially available version only. Some of the Zorp supported protocols are Finger, Ftp, Http, Pop3, NNTP, IMAP4, RDP, RPC, SIP, SSL, SSH, Telnet, Whois, LDAP, RADIUS, TFtp, SQLNet NET8, Rsh, etc. Answer: D is incorrect. The GPL version of Zorp is completely usable and functional; however, it lacks some of the more advanced functions available in the commercially available version only.

According to the scenario, you want to implement a security policy to keep safe your data when you connect your Laptop to the office network over IEEE 802.11 WLANs. For this, you will use the following two options:

1. Using IPSec enabled VPN for remote connectivity: Internet Protocol Security (IPSec) is a standard-based protocol that provides the highest level of VPN security. IPSec can encrypt virtually everything above the networking layer. It is used for VPN connections that use the L2TP protocol. It secures both data and password.

2. Using personal firewall software on your Laptop: You can also create a firewall rule to block malicious packets so that you can secure your network. Answer: C is incorrect. Portscanner is used for scanning port and tells which ports are open. However, this tool is very much useful in information gathering step of the attacking process, it cannot be used to protect a WLAN network. Answer: B is incorrect. You cannot use the packet analyzer to protect your network. Packet analyzer is used to analyze data packets flowing in the network.

A multidimensional database management system (MDDBMS) implies the ability to rapidly process the data in the database so that answers to the queries can be generated quickly. A number of vendors provide products that use multidimensional databases. The approach behind this system is to manage that how data should be stored in the database, and depending upon that storage, how user interface should vary. Conceptually, an MDDBMS uses the idea of a data cube to represent the dimensions of data available to a user. For example, "sales" could be viewed in the dimensions of product model, geography, time, or some additional dimension. In this case, "sales" is known as the measure attribute of the data cube and the other dimensions are seen as feature attributes. Additionally, a database creator can define hierarchies and levels within a dimension (for example, state and city levels within a regional hierarchy). Answer: C is incorrect. A federated database system is a type of meta-database management system (DBMS) that transparently integrates multiple autonomous database systems into a single federated database. The constituent databases are interconnected via a computer network, and may be geographically decentralized. Since the constituent database systems remain autonomous, a federated database system is a contrastable alternative to the (sometimes daunting) task of merging together several disparate databases. A federated database (or virtual database) is the fully-integrated, logical composite of all constituent databases in a federated database system. Answer: A is incorrect. SYSDBA is a system privilege that allows a user to perform basic database administrative tasks, such as creating a database, altering a database, starting up and shutting down an Oracle instance, performing time-based recovery etc. The SYSDBA contains all system privileges with the ADMIN OPTION. It also contains the SYSOPER system privilege. Granting the SYSDBA system privilege to a user automatically adds him to the password file that is used to authenticate administrative users. Therefore, a user possessing the SYSDBA system privilege can connect to a database by using the password file authentication method. Answer: D is incorrect. A hierarchical database is a database management system that implements the hierarchical data model. A hierarchical database system organizes data in a family tree structure such that each record has only one owner and the hierarchy is in a parent and child data segment. This implies that the record can have repeated information in a child segment. The best-known hierarchical DBMS is IMS.

Whois queries are used to determine the IP address ranges associated with clients. A whois query can be run on most UNIX environments. In a Windows environment, the tools such as WsPingPro and Sam Spade can be used to perform whois queries. Whois queries can also be executed over the Web from www.arin.net and www.networksolutions.com. Answer: B is incorrect. A SQL injection attack is a process in which an attacker tries to execute unauthorized SQL statements. These statements can be used to delete data from a database, delete database objects such as tables, views, stored procedures, etc. An attacker can either directly enter the code into input variables or insert malicious code in strings that can be stored in a database. For example, the following line of code illustrates one form of SQL injection attack: query = "SELECT * FROM users WHERE name = '" + userName + "';" This SQL code is designed to fetch the records of any specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious hacker, the SQL statement may do more than the code author intended. For example, if the attacker puts the "userName" value as ' or ''=', the SQL statement will now be as follows: SELECT * FROM users WHERE name = '' OR ''=''; Answer: D is incorrect. Web ripping is a technique in which the attacker copies the whole structure of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker to trace the loopholes of the Web site. Answer: C is incorrect. Snooping is an activity of observing the content that appears on a computer monitor or watching what a user is typing. Snooping also occurs by using software programs to remotely monitor activity on a computer or network device. Hackers or attackers use snooping techniques and equipment such as keyloggers to monitor keystrokes, capture passwords and login information, and to intercept e-mail and other private communications. Sometimes, organizations also snoop their employees legitimately to monitor their use of organizations' computers and track Internet usage.

David system is a network management system that allows a user to manage the resources and services through both Intranet and Internet. It provides auto-discovering and network topology building features to facilitate in keeping an intuitive view of the IT infrastructure. The resources, real-time monitoring, and accessibility of historical data facilitate reaction to failures. Configured interfaces for monitored devices permit a user to focus on the most important aspects of their work. Answer: B is incorrect. dopplerVUe is a network management tool that facilitates network discovery, mapping, alerts and alarm management, and bandwidth management system. It enables monitoring of Ping, SNMP, syslog, and WMI performance metrics. It can also be used to monitor IPv6 devices, as well as services such as DNS, http, and email. Answer: A is incorrect. eBox is an open source distribution and web development framework. This framework is used to manage server application configuration. It is based on Ubuntu Linux. It is projected to manage services in a computer network. The modular design of eBox allows a user to pick and choose the services. Answer: D is incorrect. EM7 is a network monitoring system that is used to measure IT infrastructure health and performance. It is an NMS integrated system. It is designed to help in optimizing the performance and availability of the networks, systems, and applications. It facilitates trouble-ticketing, event management, reporting, IP management, DNS, and monitoring.

According to the question, you highest priority is to scan the Web applications for vulnerability.

You took 3 seconds to establish a connection. During this time, the value of the Initial Sequence Number would become [24171311 + (1 * 64000) + (3 * 128000)], i.e., 24619311.

Ptunnel and Itunnel are the tools that are used to perform ICMP tunneling. In ICMP tunneling, an attacker establishes a covert connection between two remote computers (a client and proxy), using ICMP echo requests and reply packets. ICMP tunneling works by injecting arbitrary data into an echo packet sent to a remote computer. The remote computer replies in the same manner, injecting an answer into another ICMP packet and sending it back. The client performs all communication using ICMP echo request packets, while the proxy uses echo reply packets. Normally, ICMP tunneling involves sending what appear to be ICMP commands but really they are the Trojan communications. Answer: C is incorrect. WinTunnel is used to perform TCP tunneling. Answer: D is incorrect. Ethereal is a network sniffer.

There are different portions that can be included in the firewall policy. These portions include the acceptable use statement, the network connection statement, the contracted worker statement, and the firewall administrator statement. The contracted worker statement portion of the policy is related to the contracted or the temporary workers. It states the rights and permissions for these workers. Some of the items hat can be included in this portion are as follows: No contractors can use FTP unless specifically granted to use it. No contractors shall have access to TELNET unless specifically granted to use it. No contractors shall have access to unauthorized resources. No contractors shall have access to scan the network. Answer: A is incorrect. Only authorized resources should be accessed by the contractors.

The following two code are used to retrieve Attribute1: 1.Object obj=session1.getAttribute("Attribute1"); The getAttribute() method is used to retrieve the bound object with the specified name in this session, or null if no object is bound under the name. 2.Object obj=binding1.getSession().getAttribute("Attribute1"); The getSession() gets the current valid session associated with this request. a String object. Answer: B is incorrect. The HttpSessionBindingEvent object cannot use the getAttribute() method.

A demilitarized zone (DMZ) is the most secure place to host a server that will be accessed publicly through the Internet. Demilitarized zone (DMZ) or perimeter network is a small network that lies in between the Internet and a private network. It is the boundary between the Internet and an internal network, usually a combination of firewalls and bastion hosts that are gateways between inside networks and outside networks. DMZ provides a large enterprise network or corporate network the ability to use the Internet while still maintaining its security. Answer: B is incorrect. Hosting a server on the intranet for public access will not be good from a security point of view.

John can use the UserInfo, PsFile, and PsPasswd tools in the enumeration phase. UserInfo is a utility that retrieves all available information about any known user from any Windows 2000/NT operating system (accessible by TCP port 139). UserInfo returns mainly the following information: SID and Primary group Logon restrictions and smart card requirements Special group Password expiration Note: UserInfo works as a NULL user even if the RestrictedAnonymous value in the LSA key is set to 1 to specifically deny anonymous enumeration. PsFile is a command-line utility that shows a list of files on a system that are opened remotely. It also allows a user to close opened files either by name or by a file identifier. The command syntax for PsFile is as follows: psfile [\\RemoteComputer [-u Username [-p Password]]] [Id | path] [-c] -u specifies the optional user name for logging in to a remote computer. -p specifies a password for a user name. If this is omitted, the user is prompted to enter the password without it being echoed to the screen. Id is the identifier of the file about which the user wants to display information. -c closes the files identifed by the ID or path. PsPasswd is a tool that helps Network Administrators change an account password on the local or remote system. The command syntax of PsPasswd is as follows: pspasswd [\\computer[,computer[,..] | @file [-u user [-p psswd]] Username [NewPassword]

The nmap utility, also commonly known as port scanner, is used to view the open ports on a Linux computer. It is used by administrators to determine which services are available for external users. This utility helps administrators in deciding whether to disable the services that are not being used in order to minimize any security risk. Answer: B is incorrect. NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It performs its function by sending queries to the DNS server and obtaining detailed responses at the command prompt. This information can be useful for diagnosing and resolving name resolution issues, verifying whether or not the resource records are added or updated correctly in a zone, and debugging other server-related problems. This tool is installed along with the TCP/IP protocol through the Control Panel.

Answer: C is incorrect. NETSH is a command line tool to configure TCP/IP settings such as the IP address, Subnet Mask, Default Gateway, DNS, WINS addresses, etc. Answer: A is incorrect. L0phtcrack is a tool which identifies and remediate security vulnerabilities that result from the use of weak or easily guessed passwords. It recovers Windows and Unix account passwords to access user and administrator accounts.

The two most common Web Application TCP ports are Port 443 and Port 80. HTTPS or SSL uses TCP port 443, whereas HTTP uses TCP Port 80. Answer: B is incorrect. Port 80 is used for HTTP, not HTTPS. Answer: A is incorrect. S-HTTP is not the protocol name for Port 443. HTTPS or SSL is the name used for Port 443 traffic.

Ad Hoc Association is a type of attack in which an attacker tries to connect directly to an unsecured station to circumvent the AP security or to attack the station. Any wireless card or USB adapter can be used to perform this attack.

The basic features of Unix are as follows: Multi-user: It supports more than one user to access the system simultaneously through a set of terminals attached to a system. Multi-tasking: A user can execute multiple programs at the same time from a single terminal. Time sharing: The operating system shares CPU time among tasks. Portability: It is highly portable across hardware. Modularity: It allows only needed modules to be loaded into the memory. File structure: It has an inverted tree like file structure, with files and directories created within the file structure. Security: All files can be individually protected using read, write, and execute permissions for the user, group, and others. Network support: It uses the TCP/IP protocol. Advanced graphics: CAD-CAM applications perform the best in a Unix System with its varied support for graphics card.

According to the question, you want to prevent Windows Defender from taking any action automatically during the scanning of your laptop. In order to accomplish this, you will have to clear the Apply default actions to items detected during a scan check box in Defender Options.

C:\Documents and Settings\user-nwz\Desktop\1.JPG

If you clear the Apply default actions to items detected during a scan check box, it will result in Windows Defender only recommending an action to take for detected malicious software.

Except for the HttpSessionActivationListener and the HttpSessionBindingListener, all other listeners must be configured in the deployment descriptor.

HttpSessionBindingListener has methods that notify the object when it is added to or removed from a session. It has methods that informs the attributes when the session is about to be activated or passivated. These methods are related to the attributes and not to the complete session. Hence, the container takes care of them and need not be configured in the deployment descriptor.

Perform Quantitative Risk Analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. This process generally follows the Perform Qualitative Risk Analysis process. It is performed on risks that have been prioritized by the Perform Qualitative Risk Analysis process as potentially and substantially impacting the project's competing demands. The Perform Quantitative Risk Analysis should be repeated after Plan Risk Responses, as well as part of Monitor and Control Risks, to determine if the overall project risk has been decreased. Answer: C is incorrect. This is the process of prioritizing risks for further analysis or action by accessing and combining their probability of occurrence and impact. Answer: D is incorrect. This is the process of determiningbb which risks may affect the project and documenting their characteristics. Answer: B is incorrect. This is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness through the project.

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management, which provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. It has the following 11 processes: Developing a strategic plan. Articulating the information architecture. Finding an optimal stage between the IT and the organization's strategy. Designing the IT function to match the organization's needs. Maximizing the return of the IT investment. Communicating IT policies to the user's community. Managing the IT workforce. Obeying external regulations, laws, and contracts. Conducting IT risk assessments. Maintaining a high-quality systems-development process. Incorporating sound project-management techniques. Answer: B is incorrect. Correcting all risk issues does not come under auditing processes.

MAC flooding is a technique employed to compromise the security of network switches. In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table. The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. A malicious user could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords, e-mail and instant messaging conversations), which would not be accessible were the switch operating normally. Answer: B is incorrect. Blind spoofing is a type of IP spoofing attack. This attack occurs when the attacker is on a different subnet as the destination host. Therefore, it is more difficult to obtain correct TCP sequence number and acknowledgement number of the data frames. In blind spoofing attack, an attacker sends several packets to the target computer so that he can easily obtain sequence number of each data frame. If the attacker is successful in compromising the sequence number of the data frames, the data is successfully sent to the target computer. Answer: C is incorrect. Dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks.

Answer: A is incorrect. Man-in-the-middle attacks occur when an attacker successfully inserts an intermediary software or program between two communicating hosts. The intermediary software or program allows attackers to listen to and modify the communication packets passing between the two hosts. The software intercepts the communication packets and then sends the information to the receiving host. The receiving host responds to the software, presuming it to be the legitimate client.

You can use the following methods to investigate Cross-Site Scripting attack:

1. Look at the Web servers logs and normal traffic logging.

2. Use a Web proxy to view the Web server transactions in real time and investigate any communication with outside servers.

3. Review the source of any HTML-formatted e-mail messages for embedded scripts or links in the URL to the company's site. Answer: C is incorrect. This method is not used to investigate Cross-Site Scripting attack.

Kismet can sniff IEEE 802.11a, 802.11b, 802.11g, and 802.11n-based wireless network traffic.