In which directory can executable programs that are part of the operating system be
found?
(/) (/var) (/lib) (/dev) (/usr/bin) (/home)
INCORRECT ON PT - *answers */usr/bin
The Windows Firewall (WF) provides a popup when a new service attempts to listen on
your machine. Which of the following should you train users to select from a security
perspective if they are unsure of which option to select?
(Keep Blocking) (Increase Security Level) (Safe Mode) (Send Request to Administrator)
- *answers *Keep Blocking
( Explanation )
The three available options for Windows Firewall are Keep Blocking, Unblock and Ask
Me Later. Keep Block does not allow the program to acquire a listening port. You should
train your users to choose this option when there is any doubt as to what they should
do. There are no Safe Mode or Send Request to Admin options.
Which threat will be reduced when avoiding system calls from within a web app? -
*answers *OS command injection
( Explanation )
The primary way to avoid OS command injection attacks is to avoid system calls from
your web application, especially when the system call is built based on user input. In
most cases, you should be able to find a function or library within your programming
language that can perform the same action.
How often by default does Windows Group Policy check for updated policies?
(Once a day) (Within 30 minutes of an applied policy change) (Every quarter hour)
(Every 90-120 minutes)
INCORRECT ON PT - *answers *Every 90-120 minutes
( Explanation )
When a computer boots up, it downloads the GPOs assigned to it and executes them
automatically. Every 90-120 minutes thereafter, the computer checks whether any of the
GPOs assigned to it have changed; if any have, those are downloaded and run
automatically even if the computer has not rebooted. 0-30 minutes, 30-60 minutes and
120-180 minutes are durations a group policy could possibly be modified to use; the
standard duration used by Group Policy is 90-120 minutes.
Which of the following best describes Defense-in-Depth?
GSEC-Q&A-practice-test-example
Layered controls - Separation of duties - Hardened perimeter security - Risk
management - *answers *Layered controls
( Explanation )
Defense-in-depth is best characterized by layered defenses. The idea is that any layer
of defense may eventually fail, but a Layered Defense offers better protection. Risk
management, separation of duties, and hardened perimeters are part of a layered
defense but do not describe the full concept of DiD.
Which of the following is considered a recommended practice but not a business
requirement?
Guideline - Standard - Baseline - Procedure
INCORRECT ON PT - *answers *Guideline
( Explanation )
Guidelines, unlike standards and policies, are not mandatory. Guidelines are more of a
recommendation of how something should be done.
Which of the following is a characteristic of Quality Updates for Windows?
Are released less frequently than Feature Updates - Support deferring installation on
Home edition devices - Include bug fixes and security patches - Increment the version
of Windows - *answers *Include bug fixes and security patches
( Explanation )
Quality Updates are smaller improvements to already existing software on Windows
systems, and include bug fixes and security fixes. They are released about every 30
days, whereas Feature Updates are released a couple of times a year and increment
the Windows version. Installation of Quality Updates may be deferred for up to 30 days,
except on Home edition devices.
When does applying an encryption algorithm multiple times provide additional security?
When the algorithm is a group - When the algorithm is not a group - The algorithm uses
xor - The algorithm is weak
INCORRECT ON PT - *answers *When the algorithm is not a group
( Explanation )
Whether an algorithm is a group is an important statistical consideration. If it is a group,
then applying the algorithm multiple times is a waste of time. In fact, in 1992 it was proven
that DES is not a group, so encrypting multiple times with DES is not equivalent to
encrypting once.
How is a TCP/IP Packet generated as it moves down through the TCP/IP stack?
(Network Layer -> Transport Layer -> Internet Layer -> Application Layer ) (Network
Layer -> Internet Layer -> Transport Layer -> Application Layer) (Application Layer ->
Transport Layer -> Internet Layer -> Network Layer) (Application Layer -> Internet Layer
-> Transport Layer -> Network Layer) - *answers *Application Layer -> Transport Layer
-> Internet Layer -> Network Layer
( Explanation )
As a packet is generated the packet goes from the Application Layer to the Transport
Layer to the Internet Layer and finally to the Network Layer.
Which type of event classification is missed by a NIDS and has the most potential to be
a serious event?
True positive - False positive - True negative - False negative - *answers *False
negative
( Explanation )
• False negative: A false negative event is when the IDS identifies data as benign when,
in fact, it is malicious. A false negative does not generate an alert for the analyst and
therefore these can be dangerous because the analyst cannot take action.
• True negative: A true negative event is what we want the IDS to see, the cases where
data does not indicate any malicious activity, and the data is correct. In the case of a true
negative, the IDS does not generate an alert for the analyst.
• True positive: In these cases, the IDS worked as intended and correctly flagged the
activity as anomalous behavior that might be malicious. True positives generate alerts
for the analyst to process.
• False positive: A false positive case is where the IDS generates an alert flagging hostile
activity, which was benign. False positives generate alerts for the analyst to process,
who then must decide how to handle the activity.
Which access control mechanism requires a high amount of maintenance since all data
must be classified, and all users granted appropriate clearance?
Mandatory - Role-Based - Ruleset-based - Discretionary
INCORRECT ON PT - *answers *Mandatory
( Explanation )
Mandatory Access Control (MAC) is a control that is set by the system and cannot be
overridden by the administrator. MAC will require more effort to maintain, due to data
classification requirements and user clearance.
What is the preferred method of setting up decoy ports on a server?
Set up the host to use a very small window size to manage flow control to the ports -
Use software which makes ports appear to be open but is not related to the real
services - Configure a host-based firewall to respond with RST packets when the decoy
port is the destination port - Enable the actual services for the decoy ports and then
keep them patched and up to date - *answers *Use software which makes ports appear
to be open but is not related to the real services
( Explanation )
To set up decoy ports, the systems administrator should not enable the actual services.
Even if fully patched, each additional service would make the system more vulnerable.
Installing software which makes the ports appear to be open but are not running the
actual services is a better option. Another recommended option is to set up a gateway
device which would lead an outsider to believe more ports were open. Configuring a
host-based firewall to send reset packets for ports would not give the illusion that the
ports were open. Changing the window size to manage flow control could be used to tie
up an attacker's resources, but would have nothing to do with decoy ports.
A system administrator thinks an attacker is sending malicious data to a router. Which
tool will help show this?
Router configuration guide - Packet sniffer - Remote access tool - NTP device -
*answers *Packet sniffer
( Explanation )
Sniffers can be hardware devices that physically attach to the network, but more
commonly, they are software programs that run on networked computers. The sniffers
that come bundled with your operating system are designed as tools for the system
administrator.
Which item, when created with default options, is ciphertext?
An automobile license plate - An Apple Lossless audio file - A ZIP file - A Windows
executable file - A digital signature - *answers *A digital signature
( Explanation )
To digitally sign a message (that is, give some type of "digital proof" as to the signer's
identity), we might choose an asymmetric algorithm, such as RSA or ECC with a
hashing algorithm.
The .exe, .m4a, and .zip files can be encrypted, some by using options when the file is
created and others by a separate program. However, by default none of them is
encrypted, and therefore they are plaintext. The automobile license plate is also
plaintext: it is a sequence that passes no information and is loosely coupled to the auto.
Before deploying a web server in a production environment, what process could a
systems administrator put in place to detect an attacker modifying data in the document
root folder?
Set up an automated job that runs daily and determines if the web server's files have
been altered - Set up an Intrusion Detection System to detect malicious packets coming