Exam (elaborations)

GIAC SEC530 Final Exam Study Guide Latest Update

Pages: 24
Grade: A+
Uploaded on: 31-10-2024
Written in: 2024/2025
Institution: GIAC SEC530
Course: GIAC SEC530

Content preview

GIAC SEC530 Final Exam Study Guide
Latest Update 2024-2025

802.11 (xx) - Solution 802.11ac/Wireless AC - Dual-band Wi-Fi supporting simultaneous
connections across bands. Up to 1300 Mbps on 5 GHz and up to 450 Mbps on
2.4 GHz [p95 / b1]



802.11 x Standards - Solution 802.11 n, w, ac [p95 / b1]



802.11w Protected Management Frames - Solution (PMF) Protected Management
Frames; adds encryption to management frames. Key SHA256, broadcast/multicast
cryptography/integrity, blocks spoofing attacks. [p96 / b1]



DMARC Domain-Based Message Authentication Reporting and Compliance - SPF and DKIM
both check whether an email is from the sender's owner domain, but they do not check
whether the display 'From' header address is from the verified domain. DMARC enables
enforcing alignment of the visible 'From' in emails. DMARC requires a different DNS
TXT record to define the policy and alignment. [p167 / b2]



DHCP Rogue Server - Answer Follows a DHCP starvation attack: the rogue DHCP
server serves up addresses, which allows man-in-the-middle attacks and forged DNS
responses. [p121 / b1]



File classification & File protection - Answer File classification does not directly secure
the data it classifies. If anything, file classification is more closely akin to an access
control list. File classification labels the data so that systems and software are guided
on how to deal with it. It can be used to enforce data policy, but its classification
properties can be removed by a malicious insider or hacker. The misconception is that
file classification is intended to keep the hacker from stealing data. File classification
is mostly to assist an organization in managing its data properly, not to prevent a
hacker from stealing the data. [p88 / b4]

Granular Auditing - Answer With the auditing tab of a file or folder, conditional access
settings can be applied and the logs then monitored to see whether access would be
accidentally denied. Enables testing and rule staging. [p116 / b4]



Hyper-converged Storage - Answer A virtualization platform pools CPU, memory, and
disks managed by a hypervisor. In these solutions, a VM acts as the controller that
manages the local disks or PCI storage cards to provide high-speed storage. The
controller VMs must constantly talk to each other over the network. A breach of one
controller administrator can reach all disks. To secure this, restrict SSH and other
network communication to only the controllers. Restrict console-level access to deny
unauthorized access. [p154 / b4]



IPv6 (Duplicate Address Detection) - Answer IPv6 hosts using privacy extension
addresses also perform duplicate address detection (DAD), per RFC 4941: The node
MUST perform duplicate address detection on the generated temporary address. If DAD
indicates the address is already in use, the node MUST generate a new randomized
interface identifier. Privacy-enhanced IPv6 addresses are used when SLAAC creates an
IP address from the system, because in SLAAC the system's globally unique MAC address
is used in defining the IP address. This presents a privacy concern. The privacy
extensions create a random host portion of the IPv6 address, which brings up a very
slight chance of duplicate addresses. [p90 / b2]



Physical Access (Switch Router Ports, SSHd) - Answer Physical access should be put in
secure locations such as locked management closets; AUX secured with a password or
disabled if console is used for terminal access; force SSHv2 only; default key 512, use ,
set ssh authentication retries to 3 to drop the connection after 3 failed logins. [p16 / b2]



Segmentation - Answer Segment with authentication and access control per
user/device. Segmentation can be defined as the ability to enforce separation either
logically or physically. In security, that is usually interpreted as network segmentation,
where an organization invests enormous amounts of time planning out the
networks, subnets, and methods for controlling access between each layer within a
design. The problem is that segmentation at the network level alone is simply not enough.
Organizations should plan and design how segmentation is done at each endpoint
and between the systems that network segmentation authorizes to communicate.
Access controls shall not stop at the network. Access controls shall involve
authentication and validation of users and devices. [p119 / b2]

Virtualization (Segmentation productivity applications and privileged applications) -
Solution A virtualization solution such as VirtualBox or VMware Workstation/Fusion can be
implemented as a local version of jump boxes. One solution is to leverage the host
operating system for administrative or business applications but do productivity access
on a local virtual machine. Compromise will most likely be constrained to the local VM in
that design. Although it is possible for an attacker to break out of the virtual machine to
mount an attack on the host, this is far less likely than the compromise that follows from
permitting a user to perform administrative tasks and launch productivity applications
directly on one system. [p132 / b3]



A_Content Discovery (SQL Query IF EXISTS) - Solution Stored SQL procedure creation
for usage. [p0 / b0]



A_Privileged Access View Console Permissions - Answer View Console: obtain local
admin access; Copy & Paste: possible use for data exfiltration; Clone: create offline
copies of systems; DVD/USB: autorun attacks or mounting malware; Snapshots: denial
of service to storage space. [p0 / b0]



Access Controls Mapping - Answer PowerShell & Python scripts to find files that have
excessive permissions such as Everyone; email/report to owner for recertification;
automatic alerting using Windows event IDs. [p58 / b4]



Access-Denied Assistance - Answer Built into Windows. Notification of policy. Policy-
enforced access: when access fails, provide input to the user and let them request
assistance; policy-enforced data access. [p108 / b4]



Active Directory Account Management - Solution Sheet group changes: PowerShell
logging, enable script block logs (gets logged if enabled); local account creation event ID
4720, audit user account management; domain admins, audit security group;
distribution groups give less information than security groups; audit other account
management events. [p124 / b5]



Dynamic Access Control Advanced Example - Answer Device, training, member of AD
Group. Flow chart on the page. [p110 / b4]
