Questions and CORRECT Answers
Ack Piggybacking - Correct Answer- The practice of sending an ACK inside another packet
going to the same destination
Address resolution protocol - Correct Answer- Protocol for mapping an IP address to a
physical machine address that is recognized on the local network.
A table, usually called the ARP cache, is used to maintain a correlation between each MAC
and its corresponding IP address
What are the five threat vectors? - Correct Answer- Outside attack from network
Outsider attack from telephone
Insider attack from local network
Insider attack from local system
Attack from malicious code
What are some external threat concerns? - Correct Answer- -Malicious code might execute
destructive overwrite to hard disks
-Malicious mass mailing code might expose sensitive information to the internet
- web server compromise might expose organization to ridicule
- Web server compromise might expose customer private data
What are some ways to bypass firewall protections? - Correct Answer- - Worms and Wireless
- modems
- tunnel anything through HTTP
- social engineering
What is social engineering? - Correct Answer- - attempt to manipulate or trick a person into
providing information or access
- bypass network security by exploiting humans
- vector is often outside attack by telephone or visitor inside
What is Hping? - Correct Answer- - a TCP version of ping
- sends custom TCP packets to a host and listens for replies
- enables port scanning and spoofing simultaneously
What is a group? - Correct Answer- A group means multiple iterations won't matter. If you
encrypt with a key, then re-encrypt, it's the same as using one key.
What is a port scan? - Correct Answer- - common backdoor to open a port
- port scan scans for open ports on remote host
- scans 0 - 65,535 twice. TCP and UDP
What is nmap? - Correct Answer- Network scanner.
What are nmap scanning techniques? - Correct Answer- - Full open
- half open (stealth scan)
- UDP
- Ping
What is Network Stumbler? - Correct Answer- - free Windows-based wireless scanner for
802.1b
- detects access point settings
- supports GPS integration
- identifies networks as encrypted or unencrypted
What is Kismet? - Correct Answer- - Free Linux WLAN analysis tool
- completely passive, cannot be detected
- supports advanced GPS integration and mapping features
- used for wardriving, WLAN vulnerability assessment
What is Wardriving? - Correct Answer- Going around with equipment to detect wireless
networks
What is War Dialing? - Correct Answer- - trying to ID modems in a telephone exchange that
may be susceptible to compromise
What are some Pen Test techniques? - Correct Answer- - War dialing
- war driving
- Sniffing
- eavesdropping
- dumpster diving
- social engineering
What is IDS? - Correct Answer- - intrusion detection system
- it reports attacks against monitored systems/networks
What is IDS not? - Correct Answer- - not a replacement for firewalls, hardening, strong
policies, or other DiD methods
- low maintenance
- inexpensive
What are the four types of events reported by IDS? - Correct Answer- - true positive
- false positive
- true negative
- false negative
How does IDS signature analysis work? - Correct Answer- - rules indicate criteria in packets
that represent events of interest
- rules are applied to packets as they are received
- alerts are created when matches are found
How does anomaly analysis work? - Correct Answer- - flags anomalous conditions in traffic
on the network
- requires understanding of what is normal
- uses good traffic as a baseline
What is deep packet inspection? - Correct Answer- - slow, requires stateful data tracking
- inspects all fields, including variable-length fields
What is shallow packet inspection? - Correct Answer- - fast, with little fidelity
- examines header information and limited payload data
What is Honeyd? - Correct Answer- - low interaction production honeypot
- network daemon that can simulate other hosts
- each host can appear as a different OS
What is a netcat listener? - Correct Answer- - simplest form of a research honeypot
- useful in identifying nature of TCP scans, allows attacker to complete 3-way handshake
- listens on a defined port, logs incoming requests for analysis
What are some disadvantages of honeypots? - Correct Answer- - improper deployment can
increase attack risk - if production systems aren't sufficiently protected, they can be
vulnerable from a honeypot
- legal liability
What are some honeypot advantages? - Correct Answer- - provides insight into the tactics,
motives, and attacker tools
What is a honeypot? - Correct Answer- - a system resource that has no legitimate purpose or
reason for someone to connect to it
- its purpose is to draw in attackers to understand how they break into a system