GIAC GCIH Exam Dumps & Practice Test Questions

Question 1:

Adam, working as an Incident Handler for Umbrella Inc., is conducting a training session with the California incident response team. During a simulated drill, he instructs the team to perform actions such as unplugging network cables, moving a system to an isolated VLAN, applying firewalls or access control lists to block communication, and redirecting DNS traffic away from a compromised device. 

These activities fall under which phase of the incident response lifecycle?

A. Identification
B. Containment
C. Eradication
D. Recovery

Correct Answer: B

Explanation:

The actions described in the scenario—disconnecting a system, network segmentation, restricting communication through firewall rules, and redirecting traffic via DNS changes—are classic examples of incident containment, one of the key stages in the incident handling process.

The incident response lifecycle typically consists of the following phases:

  1. Preparation

  2. Identification

  3. Containment

  4. Eradication

  5. Recovery

  6. Lessons Learned

Let’s understand why the correct answer is Containment:

The containment phase is activated once an incident has been identified and confirmed. The primary objective during this stage is to limit the spread and impact of the security event. In the given scenario:

  • Unplugging network cables helps immediately cut off the affected device from communicating with others.

  • Isolating the system via VLANs restricts its network visibility and confines potential lateral movement.

  • Implementing firewall rules or ACLs ensures malicious traffic is blocked both inbound and outbound.

  • Changing DNS entries can prevent access to or from command-and-control servers and malicious destinations.

All these tactics aim to neutralize the immediate threat and prevent it from affecting additional systems or networks. These steps buy responders time to investigate, clean up, and restore systems without allowing the incident to escalate.

Here’s why the other options don’t apply:

  • Identification is the earlier phase focused solely on recognizing and confirming an incident, not taking action.

  • Eradication comes after containment and involves removing the threat (e.g., deleting malware, disabling compromised accounts).

  • Recovery involves restoring services to a secure operational state, such as reconnecting systems or restoring backups.

Therefore, the described actions are proactive mitigation techniques typical of the Containment stage, making Option B the most accurate choice.

Question 2:

Adam is a home-based medical professional who notices his new computer gradually becoming sluggish after a few months, despite having antivirus and anti-spyware software and regularly installing updates. He also observes mysterious pop-up windows that vanish quickly and finds his 200 GB hard drive has only 10 GB of free space left. 

What is the most likely cause of these symptoms?

A. Infection with a stealth kernel-level rootkit
B. Infection with a stealth virus
C. Infection with a Stealth Trojan Virus
D. Infection with a Self-Replication Worm

Correct Answer: A

Explanation:

Adam’s experience demonstrates a severe and sophisticated form of malware infection. Despite taking routine precautions—running antivirus, anti-spyware, and applying system patches—his system is progressively slowing down, exhibiting disappearing pop-up windows, and rapidly losing disk space. These indicators point to a deeply embedded, stealthy threat—most likely a kernel-level rootkit.

Here’s how the symptoms map to this diagnosis:

  • Progressive system slowness implies background processes consuming significant resources, often hidden from standard monitoring tools.

  • Pop-up windows that flash and vanish, especially while offline, suggest the presence of concealed processes or scheduled tasks that operate independently of the browser.

  • Massive disk space consumption (190 GB used out of 200 GB) could indicate hidden file creation, log dumping, or malware replication by processes invisible to the user or antivirus software.

A kernel-level rootkit is designed to operate at the lowest level of the operating system—below the detection capabilities of most traditional security software. These rootkits:

  • Hide files, processes, and registry entries

  • Enable long-term unauthorized access and control

  • Consume system resources while evading user awareness

  • Compromise core system functions, making detection nearly impossible without specialized tools

Now let’s examine why the other options don’t fit:

  • Stealth virus (Option B): While it can mask its presence by manipulating system calls, it doesn’t typically explain such aggressive symptoms like disk space loss or deeply embedded persistence.

  • Stealth Trojan (Option C): Trojans aim to disguise themselves as legitimate software but usually act at the application level. They don’t inherently cause system-wide slowdowns or disk consumption to this extent.

  • Self-Replication Worm (Option D): Worms spread across systems and can use storage space, but their behaviors are usually caught by well-maintained antivirus tools. Since Adam’s system is fully patched and protected, a worm is less likely to have gone undetected.

In conclusion, Adam’s case matches the profile of a kernel-level rootkit, the most elusive and destructive type of malware, capable of maintaining stealth, consuming resources, and rendering traditional defenses ineffective. Therefore, Option A is the best answer.

Question 3:

Which type of cyberattack is specifically aimed at disrupting access to a computer resource, making it inaccessible to legitimate users?

A. Denial of Service attack
B. Replay attack
C. Teardrop attack
D. Land attack

Correct Answer: A

Explanation:

Cyberattacks can be categorized based on their intent—some aim to steal sensitive data, others exploit system vulnerabilities to gain unauthorized access, while certain types focus solely on rendering services unavailable. The scenario presented in this question clearly targets an attack that disrupts availability, which aligns with the "Availability" aspect of the CIA triad (Confidentiality, Integrity, Availability), a foundational concept in cybersecurity.

Let’s review the options:

  • A. Denial of Service attack:
    This is the correct choice. A Denial of Service (DoS) attack is deliberately designed to overwhelm a computer system, server, or network with excessive traffic or requests, effectively exhausting its resources such as bandwidth, CPU, or memory. As a result, legitimate users are unable to access services, applications, or websites. These attacks can take many forms—flood attacks, application layer attacks, or protocol attacks. The core purpose, however, is always the same: to deny access by overloading the system. A more aggressive variant is the Distributed Denial of Service (DDoS) attack, which uses multiple compromised machines to flood the target simultaneously, increasing effectiveness and making it harder to mitigate.

  • B. Replay attack:
    Incorrect. A replay attack involves intercepting and resending valid data transmissions (like session tokens or credentials) to trick the system into unauthorized operations. The goal is not service disruption but unauthorized access, making this choice irrelevant to the question.

  • C. Teardrop attack:
    This is a specific type of DoS attack, which exploits vulnerabilities in the reassembly of fragmented IP packets. While it does result in denial of service in older, unpatched systems, it is a method, not a general category. The question asks for a type, so "Denial of Service attack" is a more comprehensive and accurate answer.

  • D. Land attack:
    Similar to the teardrop attack, a land attack is also a subtype of DoS. It involves sending a spoofed packet with the same source and destination IP address, causing confusion within the system that may crash it. Again, this is a specific implementation, not the overarching attack type.

While Teardrop and Land attacks fall under the umbrella of Denial of Service, "Denial of Service attack" is the most appropriate answer because it refers to the general category of attacks that disrupt service availability. This makes A the correct and most precise answer.

Question 4:

Which type of attack is primarily used to determine or uncover the value of a hashed password?

A. Brute force attack
B. Evasion attack
C. Denial of Service attack
D. Teardrop attack

Correct Answer: A

Explanation:

Passwords are normally stored as the output of a hashing algorithm, which transforms the readable password into a fixed-length digest that cannot be directly reversed. While hashing adds a layer of security, it is not impenetrable. Attackers can still attempt to recover hashed passwords by guessing candidate passwords, hashing them, and comparing the results. Among these techniques, brute force attacks are particularly notable for their persistence and effectiveness against weak or poorly protected hashes.

  • A. Brute force attack:
    Correct. A brute force attack works by systematically trying every possible combination of characters until the correct password is found. In the context of hashed passwords, the attacker uses known hashing algorithms to generate hashes from guessed inputs and compares them to the stolen hashed value. Brute force attacks can be slow, especially against long or complex passwords, but they are effective if the system uses:

    • Weak password policies,

    • Outdated or fast hashing algorithms (like MD5 or SHA-1),

    • No salting (random data added to a password before hashing).

    Popular tools like John the Ripper, Hashcat, and rainbow tables (precomputed hash values) are often used for this purpose. This type of attack directly targets the confidentiality aspect of cybersecurity by attempting to uncover user credentials.

  • B. Evasion attack:
    Incorrect. Evasion attacks are used to bypass detection mechanisms like Intrusion Detection Systems (IDS) or firewalls. These attacks manipulate the structure or delivery of malicious data to avoid pattern recognition. They do not attempt to crack passwords or hashes.

  • C. Denial of Service attack:
    Incorrect. A DoS attack aims to make a system or resource unavailable by overwhelming it with traffic. While it disrupts availability, it has no role in password cracking or hash guessing.

  • D. Teardrop attack:
    Incorrect. This is a subtype of a DoS attack that causes system crashes by exploiting IP fragmentation. Like option C, it does not relate to passwords or hashing.

Only brute force attacks are designed to guess or crack hashed passwords through repetitive attempts. The other options serve different malicious objectives unrelated to password guessing. Therefore, the correct answer is A.
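To make the three weaknesses listed above concrete, here is an added example written for this page (it is not code from John the Ripper, Hashcat or any other tool the question names). The wordlist and the "stolen" hash store are constructed. The audit function shows that unsalted MD5 falls to a precomputed lookup table, while the same password under salted PBKDF2 yields a different digest per user and costs orders of magnitude more per guess; the cost ratio is measured on the machine running the script.

```python
import hashlib
import time

# Constructed stand-in for a common-password wordlist.
COMMON_PASSWORDS = ["password", "letmein", "qwerty", "summer2024"]

# Constructed "stolen" store of unsalted MD5 hashes (computed here so the hex
# values are exact); bob's password is not in the wordlist.
STORED_MD5 = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob": hashlib.md5(b"correct-horse-battery").hexdigest(),
    "carol": hashlib.md5(b"qwerty").hexdigest(),
}


def build_md5_lookup(words):
    """Precompute digest -> plaintext for an unsalted fast hash.

    A rainbow table is a space-optimised version of this idea; without a
    salt the table is built once and reused against every leaked store."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def audit_unsalted_md5(stored, lookup):
    """Return {user: recovered_password} for every stored digest in the table.

    Run against your own password store, this tells you which accounts
    would fall immediately to a precomputed table."""
    return {user: lookup[d] for user, d in stored.items() if d in lookup}


def salted_pbkdf2(password, salt, iterations=100_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def salting_defeats_table_reuse(password, salt_a, salt_b):
    """True when the same password yields different digests under two salts,
    so one precomputed table cannot serve both users."""
    return salted_pbkdf2(password, salt_a) != salted_pbkdf2(password, salt_b)


def relative_guess_cost(password="letmein", fast_trials=2000, slow_trials=10):
    """Wall-clock cost of one PBKDF2 guess divided by the cost of one MD5 guess."""
    t0 = time.perf_counter()
    for _ in range(fast_trials):
        hashlib.md5(password.encode()).hexdigest()
    fast = (time.perf_counter() - t0) / fast_trials
    t0 = time.perf_counter()
    for _ in range(slow_trials):
        salted_pbkdf2(password, b"constructed-salt")
    slow = (time.perf_counter() - t0) / slow_trials
    return slow / fast


if __name__ == "__main__":
    hits = audit_unsalted_md5(STORED_MD5, build_md5_lookup(COMMON_PASSWORDS))
    print("accounts recoverable from the table:", hits)
    print("same password, two salts, different digests:",
          salting_defeats_table_reuse("letmein", b"salt-A", b"salt-B"))
    print("PBKDF2 guess cost relative to MD5: ~%.0fx" % relative_guess_cost())
```

The audit only recovers alice and carol, whose passwords are in the wordlist; bob's digest is simply absent from the table. Switching the store to salted PBKDF2 does not make weak passwords strong, but it forces an attacker to start from scratch per user and per guess, which is the whole point of salting and a slow hash.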

Question 5:

Which Denial of Service (DoS) technique involves sending an Internet Control Message Protocol (ICMP) packet that exceeds the 65,535-byte size limit?

A. Ping of death
B. Jolt
C. Fraggle
D. Teardrop

Correct Answer: A

Explanation:

Denial of Service (DoS) attacks are intended to render a system, service, or network resource inaccessible to its intended users. One infamous technique is the Ping of Death attack, which involves sending ICMP packets larger than the maximum size allowed by the IP protocol, which is 65,535 bytes. The uniqueness of this attack lies in how it manipulates the packet structure to exploit system vulnerabilities.

ICMP packets, commonly used for "ping" requests, are typically quite small—well under the IP limit. However, attackers can intentionally construct oversized ICMP packets and then fragment them so that each packet fragment appears legitimate during transit. Once these fragments reach the destination system, the reassembly process causes the packet size to exceed allowable limits, triggering a buffer overflow or system crash. This technique was highly effective in the 1990s and early 2000s, particularly against unpatched versions of Windows, Linux, and Unix systems.

Let’s examine the incorrect options:

B. Jolt is another DoS method that also targets ICMP vulnerabilities, but it operates by sending fragmented ICMP packets with invalid header fields to crash systems, especially those running older Windows operating systems. It does not involve creating packets that exceed the maximum byte limit.

C. Fraggle is a UDP-based variation of the Smurf attack. Instead of oversized packets, it floods a target with UDP echo replies by sending spoofed packets to broadcast addresses. This causes a flood of responses directed at the spoofed source. It overwhelms bandwidth but is unrelated to ICMP packet sizing.

D. Teardrop involves sending fragmented IP packets with overlapping fragment offsets, confusing the receiving system’s reassembly logic. Many older operating systems couldn’t handle the overlap correctly, leading to crashes. Again, this doesn’t rely on packet size but rather malformed packet structure.

In summary, only the Ping of Death attack specifically exploits the size limit of ICMP packets by constructing packets that exceed 65,535 bytes, making Option A the correct answer. Though now largely mitigated by modern operating system patches, understanding this attack is essential for recognizing the evolution of DoS techniques.
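The reassembly flaw that Ping of Death and Teardrop each abuse is easiest to see from the receiver's side. The following fragment-tracking check is an added example written for this page, not code from any operating system's IP stack. It assumes a minimal 20-byte IPv4 header and is given the three fields a kernel has before it allocates a reassembly buffer: the 13-bit fragment offset (in 8-byte units), the More Fragments flag, and the fragment payload length. It rejects an oversize datagram (Ping of Death) and an overlapping fragment (Teardrop) before any buffer is touched, which is the fix the "kernel-level patches" mentioned above implement.

```python
MAX_DATAGRAM = 65535   # maximum IPv4 total length (header + payload), RFC 791
IP_HEADER_LEN = 20     # assumed minimal IPv4 header for this example


class FragmentGuard:
    """Tracks the fragments of one datagram (same source, destination, ID and
    protocol) and rejects malformed ones before a reassembly buffer is allocated."""

    def __init__(self):
        self.accepted = []   # (start, end) byte ranges already accepted, end exclusive

    def accept(self, frag_offset, more_fragments, payload_len):
        """Return 'accepted' or a 'reject: <reason>' string for one fragment."""
        start = frag_offset * 8          # the IP offset field counts 8-byte units
        end = start + payload_len

        # Ping of Death: the reassembled datagram would exceed the IPv4 maximum.
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            return "reject: oversize"

        # Teardrop: this fragment overlaps one already accepted.
        for s, e in self.accepted:
            if start < e and s < end:
                return "reject: overlap"

        # Every fragment except the last must carry a multiple of 8 payload bytes.
        if more_fragments and payload_len % 8 != 0:
            return "reject: bad length"

        self.accepted.append((start, end))
        return "accepted"

    def reassembled_payload_len(self):
        """Highest byte offset accepted so far (the size a buffer would need)."""
        return max((e for _, e in self.accepted), default=0)


def process_fragments(fragments):
    """Feed (offset, more_fragments, payload_len) tuples through one guard and
    return the verdict for each fragment in order."""
    guard = FragmentGuard()
    return [guard.accept(*frag) for frag in fragments]


if __name__ == "__main__":
    # Constructed fragment sets. A normal 1,580-byte ping split in two:
    print(process_fragments([(0, True, 1480), (185, False, 100)]))
    # Ping of Death: the final fragment is placed so the total would be 67,012 bytes:
    print(process_fragments([(0, True, 1480), (8189, False, 1480)]))
    # Teardrop: the second fragment overlaps the first:
    print(process_fragments([(0, True, 1480), (100, False, 1000)]))
```

The oversize check is done arithmetically on the offset and length, so the guard never has to allocate 65 KB to discover that the datagram is illegal; the overlap check is what the Teardrop fixes added. A real stack also has to expire incomplete fragment sets, which is left out here.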

Question 6:

However, he notices fluctuating internet speeds and finds an unknown device using the same MAC address as his laptop. What type of wireless attack is most likely occurring?

A. NAT spoofing
B. DNS cache poisoning
C. MAC spoofing
D. ARP spoofing

Correct Answer: C

Explanation:

Adam has implemented standard wireless security measures—like using WPA encryption, changing the default SSID, and enabling MAC filtering. These steps are commendable, but unfortunately, they are not foolproof against more advanced threats such as MAC spoofing.

MAC spoofing is a technique used by attackers to forge a legitimate device's MAC address in order to gain unauthorized access to a network. In Adam’s scenario, the attacker likely observed or captured the MAC address of his laptop, possibly through passive sniffing in a public or shared environment. The attacker then manually assigned that MAC address to their own device.

As a result, both Adam’s device and the attacker’s device are using the same MAC address simultaneously, causing network conflicts. This would explain the reduced connection speeds and the presence of an unrecognized device in the router's logs. Despite MAC filtering being enabled, the router sees the familiar MAC address and grants access, mistaking the attacker's device for Adam’s legitimate one.

Let’s explore why the other options are incorrect:

A. NAT spoofing typically involves the manipulation of Network Address Translation to intercept or redirect traffic—more commonly used in gateway-level attacks than in Wi-Fi authentication bypasses. It doesn't explain the MAC conflict or dual device presence.

B. DNS cache poisoning targets the DNS resolution process, redirecting users to malicious sites by injecting false DNS entries into a system’s cache. It’s unrelated to device authentication or MAC addresses.

D. ARP spoofing involves sending falsified Address Resolution Protocol messages on a local network to associate the attacker’s MAC address with the IP of another device. While this does manipulate MAC addresses, it doesn’t result in multiple devices using the same MAC—it manipulates IP-to-MAC associations instead.

In conclusion, the attack in Adam’s case is a MAC spoofing attack, where the attacker impersonates his laptop’s MAC address to gain network access. This bypasses MAC filtering and leads to inconsistent connectivity due to MAC address conflicts. Organizations are encouraged to implement stronger identity verification mechanisms, such as 802.1X authentication, to prevent such spoofing attacks.
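The practical detection for this scenario is to look at the router's lease or association log for a MAC address that changes identity too quickly. The script below is an added example written for this page (not a feature of any particular router). The log format and the lease lines are constructed; the rule it applies is that one MAC address leased to a different IP, or reporting a different hostname, within ten minutes of a previous lease is a conflict worth an alert, while a lease change hours later is ordinary DHCP churn.

```python
import re
from datetime import datetime, timedelta

# Constructed DHCP lease log in a simplified syslog-like format. The third line
# is the impostor: the laptop's MAC, but a different IP and hostname, and the
# real laptop reappears five seconds later.
SAMPLE_LOG = """\
2024-05-01T10:00:01 dhcp lease 192.168.1.20 to aa:bb:cc:dd:ee:01 hostname=adam-laptop
2024-05-01T10:00:09 dhcp lease 192.168.1.21 to aa:bb:cc:dd:ee:02 hostname=adam-phone
2024-05-01T10:03:10 dhcp lease 192.168.1.37 to AA:BB:CC:DD:EE:01 hostname=unknown-device
2024-05-01T10:03:15 dhcp lease 192.168.1.20 to aa:bb:cc:dd:ee:01 hostname=adam-laptop
2024-05-01T18:00:00 dhcp lease 192.168.1.22 to aa:bb:cc:dd:ee:02 hostname=adam-phone
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) dhcp lease (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) hostname=(?P<host>\S+)$"
)


def parse_leases(text):
    """Parse lease lines into dicts, normalising the MAC to lower case and
    sorting by timestamp; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "host": m["host"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_mac_conflicts(events, window=timedelta(minutes=10)):
    """Alert when a MAC gets a different IP or reports a different hostname
    than its previous lease, and that previous lease is less than `window` old."""
    last_seen = {}
    alerts = []
    for ev in events:
        prev = last_seen.get(ev["mac"])
        if prev is not None and ev["ts"] - prev["ts"] <= window:
            changes = []
            if ev["ip"] != prev["ip"]:
                changes.append(f"ip {prev['ip']} -> {ev['ip']}")
            if ev["host"] != prev["host"]:
                changes.append(f"host {prev['host']} -> {ev['host']}")
            if changes:
                alerts.append({"mac": ev["mac"], "ts": ev["ts"].isoformat(),
                               "reason": "; ".join(changes)})
        last_seen[ev["mac"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_mac_conflicts(parse_leases(SAMPLE_LOG)):
        print(alert)
```

On the sample log this produces two alerts, both for aa:bb:cc:dd:ee:01: the impostor's lease and the legitimate laptop re-leasing right after it. The phone's address change eight hours later produces none. The window is the tuning knob: a shorter one reduces noise on networks with short lease times, a longer one catches slower impersonation.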

Question 7:

What is the term for the technique where a modem is used to automatically dial a sequence of telephone numbers in search of systems like computers, fax machines, or bulletin board services (BBS)?

A. Demon dialing
B. Warkitting
C. War driving
D. Wardialing

Correct Answer: D

Explanation:

The technique known as wardialing refers to the use of a modem to systematically dial a large range of telephone numbers, typically within a local area code, to identify active devices such as modems, fax machines, and bulletin board systems (BBS). The goal is to find systems that are listening for inbound modem connections, which can potentially be exploited or used for unauthorized access.

The term gained popularity from the 1983 movie WarGames, in which the protagonist automates the dialing of hundreds of phone numbers to locate computer systems that could be accessed remotely. This technique was especially prevalent in the early days of network security when modems were commonly used for remote access to corporate systems.

Let’s examine the other options and why they are incorrect:

  • A. Demon dialing: This is often a misused or misunderstood term and not officially recognized in cybersecurity terminology. While it sounds similar to wardialing, it lacks technical specificity and is not used to describe the systematic scanning of telephone numbers for modems or BBS systems.

  • B. Warkitting: This term refers to compromising Wi-Fi routers or wireless access points and placing malware or backdoors in them. It's a malicious follow-up to war driving and has nothing to do with dialing phone numbers or scanning analog lines.

  • C. War driving: This involves using a laptop or mobile device to search for unsecured wireless networks while moving through areas—typically while driving. It’s a wireless-based reconnaissance technique, not related to modem-based telephone scanning.

Wardialing is an outdated but historically important method used to discover systems connected via dial-up modems. Although rare today due to the decline of analog modems, the concept is still relevant in cybersecurity history and foundational knowledge. It introduced the idea of automated discovery and reconnaissance, which has now evolved into more modern methods like IP scanning and wireless sniffing.

In summary, wardialing remains the accurate term for automatically dialing phone numbers to discover connected computer systems, making D the correct answer.

Question 8:

Which of the following is NOT typically included in the process of manually mapping a network for security assessment purposes?

A. Identifying public and private IP addresses
B. Gathering employee data
C. Conducting banner grabbing
D. Running traceroute analysis

Correct Answer: B

Explanation:

Manual network mapping is a crucial early step in penetration testing and security assessments. It involves the systematic collection and analysis of data about an organization’s network infrastructure, including its topology, services, hosts, and communication paths. The objective is to understand how systems are interconnected and where potential vulnerabilities may exist.

Let’s explore what is typically included in manual network mapping:

  • A. Identifying public and private IP addresses: This is essential for understanding the network's architecture. Knowing which IPs are exposed externally (public) and which are internal (private) helps define the attack surface and internal trust boundaries. It is one of the core tasks during network reconnaissance.

  • C. Banner grabbing: This technique involves connecting to open network services (like HTTP, FTP, SMTP) to retrieve metadata banners, which often reveal software types and versions. It helps security teams identify outdated or vulnerable services running on a system.

  • D. Running traceroute analysis (also known as Neotracerouting): Traceroute tools help map the path that packets take through the network to reach a target. This reveals intermediary routers, latency patterns, and potential bottlenecks or filtering devices (e.g., firewalls or NAT devices). It contributes significantly to understanding network layout.

Now, the incorrect or not typically included option:

  • B. Gathering employee data: While information about employees might be useful in other phases of security assessments—like social engineering or phishing campaigns—it is not part of network mapping. Network mapping focuses on infrastructure, not human resources. Collecting names, job titles, or email addresses may be part of open-source intelligence (OSINT) or pretexting, but it does not assist in identifying IP structures, services, or connectivity paths.

In summary, network mapping is a technical exercise focused on the organization’s infrastructure and services. Collecting employee data falls outside this scope and aligns more with social engineering tactics. Therefore, B is the correct answer as it is not part of manual network mapping activities.


Question 9:

Which of the following accurately describe the functions and characteristics of TCP Wrappers? (Select all that apply.)

A. TCP Wrappers offer capabilities like access control, detection of spoofed hosts, and user identity lookups.
B. When TCP Wrappers are used, the inetd service launches the tcpd wrapper program before running the actual server.
C. TCP Wrappers can use IP addresses, hostnames, or ident responses as filters for controlling access.
D. TCP Wrappers prevent IP address spoofing attacks on Linux systems.

Correct Answers: A, B, C

Explanation:

TCP Wrappers are a host-based access control mechanism used on Unix-like systems to filter incoming network connections. Their core purpose is to regulate which clients can connect to certain network services running on the system. When properly implemented, TCP Wrappers provide an additional layer of security by validating the identity or location of incoming requests before permitting access.

Option A is correct. TCP Wrappers are widely recognized for their flexible access control capabilities. They use configuration files—hosts.allow and hosts.deny—to define rules for client access. These rules can be based on IP addresses, hostnames, and even usernames retrieved using the ident protocol. In addition to allowing or denying access, TCP Wrappers can log connection attempts, which aids in tracking unauthorized activities. However, while it can detect host spoofing based on mismatched hostnames and IPs, it does not actively prevent spoofing.

Option B is correct. When a service is configured under the inetd (Internet super-server), and TCP Wrappers are in place, inetd launches the tcpd program instead of the service itself. The tcpd program acts as a gatekeeper: it checks the access control rules, and only if access is granted, it passes control to the actual service. This pre-check ensures that unauthorized clients never reach the application layer, thus enhancing security.

Option C is correct. One of the distinguishing features of TCP Wrappers is its ability to filter based on various identifiers. You can control access using specific IP addresses, subnetworks, domain names, or results from an ident query (which attempts to identify the user on the client side). This level of granularity allows for detailed and flexible policy enforcement.

Option D is incorrect. TCP Wrappers do not prevent IP spoofing. They make access decisions based on the information received, but if an attacker spoofs an IP address to mimic a trusted host, TCP Wrappers cannot detect this deception. Preventing spoofing requires additional security layers, such as firewall configurations, Reverse Path Filtering (RPF), or intrusion detection systems.

In conclusion, TCP Wrappers are a useful but limited tool in network security. They provide access control and logging features based on simple configuration rules, but they do not replace more advanced protection systems against spoofing or intrusion.
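An added example, written for this page rather than taken from the tcp_wrappers source, that emulates tcpd's decision order on constructed hosts.allow and hosts.deny rules: the first matching allow rule grants access, otherwise the first matching deny rule refuses it, otherwise access is granted. It covers the client patterns the explanation lists (exact IP, network/mask, domain suffix, user@host via ident, ALL, and ALL EXCEPT). The PARANOID wildcard, which flags a client whose claimed hostname does not resolve back to its IP, is emulated with a constructed forward-DNS table instead of a live lookup, and the ident result is passed in as a parameter. Rules with a shell-command field after a third colon are not handled.

```python
import ipaddress

# Constructed forward-DNS table standing in for the lookup real tcpd performs.
FORWARD_DNS = {"box.corp.example": "10.0.0.9", "jump.corp.example": "172.16.0.3"}

# Constructed rule sets in hosts.allow / hosts.deny syntax: "daemon_list : client_list".
HOSTS_ALLOW = [
    "sshd : 192.168.1.0/255.255.255.0, ops@.corp.example",
    "ftpd : ALL EXCEPT 203.0.113.0/255.255.255.0",
]
HOSTS_DENY = [
    "ALL : PARANOID",
    "ALL : ALL",
]


def _client_matches(pattern, ip, hostname, ident_user, forward_dns):
    pattern = pattern.strip()
    if "@" in pattern:                       # user@host form needs an ident reply
        user_pat, pattern = pattern.split("@", 1)
        if user_pat != "ALL" and user_pat != ident_user:
            return False
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":                # claimed name does not resolve to this IP
        return hostname is not None and forward_dns.get(hostname) != ip
    if pattern.startswith("."):              # domain suffix, e.g. ".corp.example"
        return hostname is not None and hostname.endswith(pattern)
    if "/" in pattern:                       # network/mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    try:                                     # exact IP address
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(ip)
    except ValueError:                       # otherwise a plain hostname
        return hostname == pattern


def _list_matches(client_list, ip, hostname, ident_user, forward_dns):
    if " EXCEPT " in client_list:
        included, excluded = client_list.split(" EXCEPT ", 1)
        return (_list_matches(included, ip, hostname, ident_user, forward_dns)
                and not _list_matches(excluded, ip, hostname, ident_user, forward_dns))
    return any(_client_matches(p, ip, hostname, ident_user, forward_dns)
               for p in client_list.split(","))


def _rule_matches(rule, daemon, ip, hostname, ident_user, forward_dns):
    daemons, clients = (part.strip() for part in rule.split(":", 1))
    daemon_list = [d.strip() for d in daemons.split(",")]
    if "ALL" not in daemon_list and daemon not in daemon_list:
        return False
    return _list_matches(clients, ip, hostname, ident_user, forward_dns)


def tcpd_decision(daemon, ip, hostname=None, ident_user=None,
                  hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY, forward_dns=FORWARD_DNS):
    """Emulate tcpd: first matching allow rule grants, else first matching deny
    rule refuses, else access is granted (the real default when neither file matches)."""
    args = (ip, hostname, ident_user, forward_dns)
    if any(_rule_matches(r, daemon, *args) for r in hosts_allow):
        return "allow"
    if any(_rule_matches(r, daemon, *args) for r in hosts_deny):
        return "deny"
    return "allow"


if __name__ == "__main__":
    print(tcpd_decision("sshd", "192.168.1.5"))                              # subnet -> allow
    print(tcpd_decision("sshd", "10.0.0.9", "box.corp.example", "ops"))      # ident -> allow
    print(tcpd_decision("sshd", "10.0.0.9", "box.corp.example", "guest"))    # ALL:ALL -> deny
    print(tcpd_decision("ftpd", "203.0.113.4"))                              # EXCEPT -> deny
    print(tcpd_decision("telnetd", "192.0.2.50", "box.corp.example",
                        hosts_deny=["ALL : PARANOID"]))                      # mismatch -> deny
```

Note the closing "ALL : ALL" in hosts.deny: without it, any daemon and client not covered by an allow rule is admitted, because tcpd's default is to allow. The PARANOID case is the "spoofed host detection" the explanation refers to; it catches a hostname that does not resolve back to the connecting IP, but it can do nothing about a forged source IP, which is why Option D is wrong.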

Question 10:

Which type of cyberattack stems specifically from flaws in code due to improper memory handling or input validation?

A. Evasion attack
B. Denial-of-Service (DoS) attack
C. Ping of death attack
D. Buffer overflow attack

Correct Answer: D

Explanation:

Among the different forms of cyberattacks, buffer overflow attacks are particularly dangerous because they exploit vulnerabilities caused by poor programming techniques, especially in the handling of memory and user input.

Option D is correct. A buffer overflow occurs when a program writes more data to a fixed-length block of memory (a buffer) than it is allocated to hold. When the program fails to validate the length of incoming data, that excess data can overwrite adjacent memory areas. This unintended memory overwrite can lead to erratic program behavior, crashes, or even provide an attacker with the ability to execute malicious code. The root cause of buffer overflows is improper bounds checking, which is a result of flawed coding practices. Languages like C and C++ are particularly vulnerable due to their direct memory access features and lack of automatic bounds checking.

Option A is incorrect. An evasion attack is an attempt to bypass security mechanisms such as intrusion detection systems (IDS) by altering the attack pattern (e.g., through encryption or fragmentation). These attacks are not necessarily caused by bad coding in the target application but by weaknesses in the detection logic.

Option B is also incorrect. A Denial-of-Service (DoS) attack aims to overwhelm a server or application, making it unavailable to legitimate users. While some DoS attacks may exploit coding flaws, not all of them are tied to programming errors. Many use sheer volume or traffic patterns to incapacitate systems.

Option C is misleading. The Ping of Death is a specific DoS attack that involves sending a malformed ping packet exceeding the maximum packet size. While it historically leveraged buffer vulnerabilities, it is categorized more appropriately as a DoS vector. Furthermore, most modern systems are immune to it due to kernel-level fixes.

Ultimately, buffer overflow stands out as a textbook example of how programming errors—such as failing to validate input—can lead to security vulnerabilities. It is both a programming and security concern and is taught widely in secure coding practices as something to avoid. Modern programming frameworks, memory-safe languages, and compiler protections like stack canaries and ASLR (Address Space Layout Randomization) are designed to mitigate such threats.
