GIAC GCED 시험

Question No : 1

What feature of Wireshark allows the analysis of one HTTP conversation?

• A.Follow UDP Stream
• B.Follow TCP Stream
• C.Conversation list > IPV4
• D.Setting a display filter to ‘tcp’

답을 확인하기

정답:
Explanation:
Follow TCP Stream is a feature of Wireshark that allows the analysis of a single TCP conversation between two hosts over multiple packets. Filtering packets using tcp in the filter box will return all TCP packets, not grouping by a single TCP conversation. HTTP is TCP not UDP, so you cannot follow a HTTP stream over UDP.

Question No : 2

Before re-assigning a computer to a new employee, what data security technique does the IT department use to make sure no data is left behind by the previous user?

• A.Fingerprinting
• B.Digital watermarking
• C.Baselining
• D.Wiping

답을 확인하기

정답:

Question No : 3

When attempting to collect data from a suspected system compromise, which of the following should generally be collected first?

• A.The network connections and open ports
• B.The contents of physical memory
• C.The current routing table
• D.A list of the running services

답을 확인하기

정답:

Question No : 4

A company wants to allow only company-issued devices to attach to the wired and wireless networks. Additionally, devices that are not up-to-date with OS patches need to be isolated from the rest of the network until they are updated.
Which technology standards or protocols would meet these requirements?

• A.802.1x and Network Access Control
• B.Kerberos and Network Access Control
• C.LDAP and Authentication, Authorization and Accounting (AAA)
• D.802.11i and Authentication, Authorization and Accounting (AAA)

답을 확인하기

정답:

Question No : 5

Michael, a software engineer, added a module to a banking customer’s code. The new module deposits small amounts of money into his personal bank account. Michael has access to edit the code, but only code reviewers have the ability to commit modules to production. The code reviewers have a backlog of work, and are often willing to trust the software developers’ testing and confidence in the code.
Which technique is Michael most likely to engage to implement the malicious code?

• A.Denial of Service
• B.Race Condition
• C.Phishing
• D.Social Engineering

답을 확인하기

정답:

Question No : 6

An internal host at IP address 10.10.50.100 is suspected to be communicating with a command and control whenever a user launches browser window.
What features and settings of Wireshark should be used to isolate and analyze this network traffic?

• A.Filter traffic using ip.src = = 10.10.50.100 and tcp.srcport = = 80, and use Expert Info
• B.Filter traffic using ip.src = = 10.10.50.100 and tcp.dstport = = 53, and use Expert Info
• C.Filter traffic using ip.src = = 10.10.50.100 and tcp.dstport = = 80, and use Follow TCP stream
• D.Filter traffic using ip.src = = 10.10.50.100, and use Follow TCP stream

답을 확인하기

정답:

Question No : 7

Who is ultimately responsible for approving methods and controls that will reduce any potential risk to an organization?

• A.Senior Management
• B.Data Owner
• C.Data Custodian
• D.Security Auditor

답을 확인하기

정답:

Question No : 8

If a Cisco router is configured with the “service config” configuration statement, which of the following tools could be used by an attacker to apply a new router configuration?

• A.TFTPD
• B.Hydra
• C.Ettercap
• D.Yersinia

답을 확인하기

정답:

Question No : 9

Which Unix administration tool is designed to monitor configuration changes to Cisco, Extreme and Foundry infrastructure devices?

• A.SNMP
• B.Netflow
• C.RANCID
• D.RMON

답을 확인하기

정답:
Explanation:
RANCID is a Unix tool which can be used to monitor changes to the following networked devices and more: IOS, CatOS, PIX, Juniper, Foundry, HP ProCurve, Extreme.

Question No : 10

Which command tool can be used to change the read-only or hidden setting of the file in the screenshot?

• A.attrib
• B.type
• C.tasklist
• D.dir

답을 확인하기

정답:
Explanation:
attrib Cr or +r will remove or add the read only attribute from a file.

Question No : 11

On which layer of the OSI Reference Model does the FWSnort utility function?

• A.Physical Layer
• B.Data Link Layer
• C.Transport Layer
• D.Session Layer
• E.Application Layer

답을 확인하기

정답:
Explanation:
The FWSnort utility functions as a transport layer inline IPS.

Question No : 12

Why would the pass action be used in a Snort configuration file?

• A.The pass action simplifies some filtering by specifying what to ignore.
• B.The pass action passes the packet onto further rules for immediate analysis.
• C.The pass action serves as a placeholder in the snort configuration file for future rule updates.
• D.Using the pass action allows a packet to be passed to an external process.
• E.The pass action increases the number of false positives, better testing the rules.

답을 확인하기

정답:
Explanation:
The pass action is defined because it is sometimes easier to specify the class of data to ignore rather than the data you want to see. This can cut down the number of false positives and help keep down the size of log data. False positives occur because rules failed and indicated a threat that is really not one. They should be minimized whenever possible. The pass action causes the packet to be ignored, not passed on further. It is an active command, not a placeholder.

Question No : 13

Why might an administrator not be able to delete a file using the Windows del command without specifying additional command line switches?

• A.Because it has the read-only attribute set
• B.Because it is encrypted
• C.Because it has the nodel attribute set
• D.Because it is an executable file

답을 확인하기

정답:

Question No : 14

At the start of an investigation on a Windows system, the lead handler executes the following commands after inserting a USB drive.
What is the purpose of this command?
C:\ >dir / s / a dhsra d: \ > a: \ IRCD.txt

• A.To create a file on the USB drive that contains a listing of the C: drive
• B.To show hidden and archived files on the C: drive and copy them to the USB drive
• C.To copy a forensic image of the local C: drive onto the USB drive
• D.To compare a list of known good hashes on the USB drive to files on the local C: drive

답을 확인하기

정답:
Explanation:
This command will create a text file on the collection media (in this case you would probably be using a USB flash drive) named IRCD.txt that should contain a recursive directory listing of all files on the desk.

Question No : 15

Which of the following attacks would use “..” notation as part of a web request to access restricted files and directories, and possibly execute code on the web server?

• A.URL directory
• B.HTTP header attack
• C.SQL injection
• D.IDS evasion
• E.Cross site scripting

답을 확인하기

정답: