Which statement below is the MOST accurate about insider threat controls?
A. Classification of information assets helps identify data to protect.
B. Security awareness programs have a minimal impact on reducing the insider threat.
C. Both detective and preventative controls prevent insider attacks.
D. Rotation of duties makes an insider threat more likely.
E. Separation of duties encourages one employee to control a great deal of information.
A
A company needs to classify its information as a key step in valuing it and knowing where to focus its
protection.
Rotation of duties and separation of duties are both key elements in reducing the scope of
information access and the ability to conceal malicious behavior.
Separation of duties helps minimize empire building within a company, keeping one individual
from controlling a great deal of information, reducing the insider threat.
Security awareness programs can help other employees notice the signs of an insider attack and thus
reduce the insider threat.
Detection is a reactive method and only takes effect after an attack has begun. Only preventative methods can
stop or limit an attack.
Which tool keeps a backup of all deleted items, so that they can be restored later if need be?
A. ListDLLs
B. Yersinia
C. Ettercap
D. ProcessExplorer
E. Hijack This
E
After selecting fix it! with Hijack This, you can always restore deleted items, because Hijack This
keeps a backup of them.
A compromised router is reconfigured by an attacker to redirect SMTP email traffic to the attacker's
server before sending packets on to their intended destinations. Which IP header value would help
expose anomalies in the path outbound SMTP/Port 25 traffic takes compared to outbound packets
sent to other ports?
A. Checksum
B. Acknowledgement number
C. Time to live
D. Fragment offset
C
In a case study of a redirect tunnel set up on a router, some anomalies were noticed while watching
network traffic with the TCPdump packet sniffer.
Packets going to port 25 (Simple Mail Transfer Protocol [SMTP] used by mail servers and other Mail
Transfer Agents [MTAs] to send and receive e-mail) were apparently taking a different network path.
The TTLs were consistently three less than for other destination ports, indicating that another three network
hops were taken.
Other IP header values listed, such as fragment offset. The acknowledgement number is a TCP, not IP,
header field.
What is needed to be able to use taskkill to end a process on a remote system?
A. Svchost.exe running on the remote system
B. Domain login credentials
C. Port 445 open
D. Windows 7 or higher on both systems
B
Domain login credentials are needed to kill a process on a remote system using taskkill.
What are Browser Helper Objects (BHOs) used for?
A. To provide multi-factor authentication support for Firefox
B. To provide a more feature-rich interface for Internet Explorer
C. To allow Internet Explorer to process multi-part URLs
D. To allow Firefox to process JavaScript in a sandbox
B
When scanning your system, you may notice many BHOs, since they are widely used by software
developers to provide a more feature-rich interface for Microsoft Internet Explorer.
What information would the Wireshark filter in the screenshot list within the display window?
B
What would the output of the following command help an incident handler determine?
cscript manage-bde.wsf -status
D
Which of the following is a major problem that attackers often encounter when attempting to
develop or use a kernel mode rootkit?
B
Which of the following is an SNMPv3 security feature that was not provided by earlier versions of the
protocol?
C
What is the BEST sequence of steps to remove a bot from a system?
A