GIAC GSEC Exam Dumps & Practice Test Questions
Question 1:
In Linux, which file contains the list of all processes that are configured to start automatically during the system boot?
A. inetd
B. netsrv
C. initd
D. inittab
Correct Answer: D
Explanation:
On SysV-style Linux systems, /etc/inittab is the configuration file that tells init, the first user-space process the kernel starts (PID 1), what to run and when. Each line has the form id:runlevels:action:process. init reads the file to find the default runlevel (the initdefault entry), to run the system initialisation script (the sysinit entry), and to learn which processes to start, wait for, or keep respawning in each runlevel (single-user, multi-user, graphical, and so on). Distributions that boot with systemd use unit files instead, and /etc/inittab is usually absent or only records the default runlevel; the question is about the classic SysV init.
Breaking down the options helps clarify why inittab is the right choice:
Option A: inetd
inetd is the classic Internet super-server. It listens on the ports listed in /etc/inetd.conf and spawns the matching service (for example ftpd or telnetd) when a connection arrives. inetd is itself started at boot by the init scripts; it does not define which processes start at boot, so it is unrelated to the question.
Option B: netsrv
This is not a standard Linux file or command. It might refer to a specific application or service in some contexts but has no role in boot-time process configuration.
Option C: initd
Not a standard file. The similarly named /etc/init.d is a directory holding the start/stop scripts for individual services, which the rc scripts call through the symlinks in /etc/rcN.d; it is neither a single file nor the thing init reads. The file init itself reads is /etc/inittab (on systemd-based systems, unit files take its place).
Option D: inittab
This is the correct answer. The inittab file explicitly lists processes or scripts that should run at various runlevels during boot. It directs init on how to properly initialize the system environment and services.
In summary, the inittab file serves as a blueprint for boot-time service startup and system state control, making Option D the correct and most relevant choice.
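To show the format init actually reads, here is an added example that is not from the original page or from GIAC: a small parser for the SysV inittab layout that lists what init would start for the default runlevel and flags respawn entries whose program lives outside the usual system directories, a spot attackers like for persistence because init restarts such entries forever. The inittab content is constructed, and the list of "trusted" directories is an assumption.

```python
"""Parse the SysV inittab format (id:runlevels:action:process).

Added example, not from the original page. SAMPLE_INITTAB is constructed;
TRUSTED_PREFIXES is an assumption about where boot-time programs should live.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_INITTAB = """\
# /etc/inittab (constructed example)
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon
up:2345:respawn:/tmp/.cache/updater
"""

TRUSTED_PREFIXES: Tuple[str, ...] = ("/sbin/", "/usr/sbin/", "/etc/")  # assumption


@dataclass
class InittabEntry:
    ident: str
    runlevels: str   # e.g. "2345"; empty for sysinit/ctrlaltdel entries
    action: str      # initdefault, sysinit, wait, respawn, ...
    process: str     # command line init runs


def parse_inittab(text: str) -> List[InittabEntry]:
    """Split each non-comment line on the first three colons; the process
    field may itself contain colons, so it is kept as the remainder."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) < 3:
            continue  # malformed line; init would log and skip it
        process = parts[3] if len(parts) == 4 else ""
        entries.append(InittabEntry(parts[0], parts[1], parts[2], process))
    return entries


def default_runlevel(entries: List[InittabEntry]) -> Optional[str]:
    for e in entries:
        if e.action == "initdefault":
            return e.runlevels
    return None


def processes_for_runlevel(entries: List[InittabEntry], runlevel: str) -> List[str]:
    """Commands init runs when entering `runlevel`. sysinit/boot entries run
    regardless of runlevel; others run if the level appears in their field."""
    out = []
    for e in entries:
        if e.action in ("initdefault", "off", "ctrlaltdel", "powerfail"):
            continue
        if e.action in ("sysinit", "boot", "bootwait") or runlevel in e.runlevels:
            out.append(e.process)
    return out


def suspicious_respawns(entries: List[InittabEntry],
                        trusted: Tuple[str, ...] = TRUSTED_PREFIXES) -> List[InittabEntry]:
    """respawn entries pointing outside trusted directories: worth a look,
    since init will restart them every time they exit."""
    return [e for e in entries
            if e.action == "respawn" and not e.process.startswith(trusted)]


if __name__ == "__main__":
    ents = parse_inittab(SAMPLE_INITTAB)
    lvl = default_runlevel(ents)
    print("default runlevel:", lvl)
    for p in processes_for_runlevel(ents, lvl):
        print("  starts:", p)
    for e in suspicious_respawns(ents):
        print("  SUSPICIOUS respawn:", e.ident, e.process)
```

On a real SysV host you would feed the parser the contents of /etc/inittab and compare the respawn list against a known-good baseline; a respawn entry under /tmp or a user's home directory is worth an incident ticket.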
Question 2:
As a Network Administrator managing a Linux-based network, which commands can you use to mount an SMBFS share from a Linux workstation? (Choose two)
A. smbmount
B. mount smb
C. smbfsmount
D. mount -t smbfs
Correct Answers: A and D
Explanation:
In Linux environments, mounting SMB (Server Message Block) shares—commonly used for accessing Windows file shares—requires specific commands. SMBFS (SMB File System) allows Linux to interact with SMB/CIFS shares, enabling file sharing across platforms.
Let's review each option:
Option A: smbmount
Historically, smbmount (shipped with Samba) was the command used to attach a Windows share to a local directory through the kernel's smbfs driver. smbfs only spoke SMB1, was removed from the Linux kernel in 2.6.37, and smbmount was dropped from later Samba releases, so on current distributions neither exists; the replacements are the cifs kernel driver and mount.cifs from the cifs-utils package. For the exam, smbmount still counts as a valid way to mount an SMBFS share, and you may still meet it on legacy systems.
Option B: mount smb
This is not a valid invocation. mount takes the share (or device) and a mount point, and the filesystem type is given with -t (for example -t smbfs or -t cifs). A bare mount smb is treated as a request to mount an fstab entry named smb, which does not exist, so the command fails.
Option C: smbfsmount
This command does not exist in standard Linux toolsets. It is neither a recognized nor valid command for mounting SMB shares, so it is incorrect.
Option D: mount -t smbfs
This is correct. -t smbfs tells mount to use the smbfs filesystem driver; the share path and the mount point follow. On current kernels the equivalent is -t cifs, whose driver supports SMB 2 and 3 (smbfs was SMB1-only, a protocol now disabled by default on Windows). Whichever type you use, supply the password through a root-only credentials file (the credentials= option) rather than on the command line, where it is visible to every user in the process list, and pin the dialect with vers= so the mount cannot be downgraded to SMB1.
In conclusion, both smbmount and mount -t smbfs are valid commands for mounting SMBFS shares in Linux, with A and D being the correct answers.
Question 3:
Which of the following best describes the process known as data sanitization?
A Evaluating the risks involved in disposing of specific information
B Confirming the identity of a user, device, or system process
C Physically destroying the storage media and its data
D Erasing data from storage media to make recovery difficult or impossible
Correct Answer: D
Explanation:
Data sanitization is a critical security process focused on ensuring that sensitive information stored on electronic media is permanently removed or rendered unrecoverable. This is especially important when devices like hard drives, USB sticks, or other storage media are being reused, discarded, or transferred to prevent unauthorized access to confidential data.
Option A involves assessing risks related to data disposal, which is more aligned with risk management or data governance practices. While understanding risks is important in information security, it does not directly define the sanitization process itself. Sanitization is specifically about removing data securely rather than evaluating risk.
Option B describes authentication, which is the process of verifying identity — whether of a person, device, or system. Authentication ensures that only authorized entities gain access to systems or data, but it is unrelated to the removal of data from storage media.
Option C refers to physically destroying the media, such as shredding hard drives or melting optical discs. Physical destruction is the strongest form of sanitization, but it is only one of several methods. Sanitization also covers overwriting the media with software, issuing the drive's built-in erase commands, cryptographic erasure, and degaussing magnetic media (which also leaves the drive unusable). Because physical destruction is a subset, Option C does not define sanitization as a whole.
Option D accurately captures the essence of data sanitization: applying a method to the storage media so that the data cannot be recovered with the tools an adversary is expected to have, whether ordinary file-recovery software or laboratory techniques. NIST SP 800-88 groups the methods into Clear (overwriting through the normal read/write interface), Purge (techniques such as the drive's Secure Erase or Sanitize command, cryptographic erasure, or degaussing) and Destroy, and the choice depends on the media type and the sensitivity of the data. Note that overwriting alone is unreliable on SSDs, which remap blocks and keep spare cells the host cannot address; Purge-level methods are needed there.
In summary, while physical destruction (Option C) is a form of sanitization, the broader and more accurate definition is found in Option D, which covers all methods aimed at securely erasing data so it cannot be restored. Thus, D is the correct answer.
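As an added example (not from the original page or from NIST), here is what a software "Clear" looks like in practice: overwrite a file in place with random data and then zeros, fsync each pass so it reaches the device, and read the file back to confirm the final pass took before unlinking it. The chunk size and number of passes are assumptions, and the test data is constructed. The code also documents the SSD and copy-on-write caveat from the explanation, because the read-back only proves the logical blocks are zero.

```python
"""Software overwrite ("Clear") of a file, with verification.

Added example, not from the original page. CHUNK and the pass count are
assumptions; demo() uses a constructed temp file as input.
"""
import os
import secrets
import tempfile
from typing import Optional

CHUNK = 1 << 16  # 64 KiB write/read unit (assumption)


def _overwrite_pass(f, size: int, pattern: Optional[bytes]) -> None:
    """One full pass over `size` bytes; pattern None means random data."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # push this pass to the device before the next one


def overwrite_and_verify(path: str, random_passes: int = 2) -> bool:
    """Overwrite `path` with `random_passes` random passes and a final zero
    pass; return True only if an independent read-back shows all zeros.

    Caveat: this clears the file's *logical* blocks. On SSDs (wear levelling,
    over-provisioned cells), on journaling or copy-on-write filesystems and
    where snapshots exist, earlier copies of the data can survive where the
    file API cannot reach. For those, use the device's own sanitize command
    (ATA Secure Erase, NVMe Sanitize) or cryptographic erasure instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(random_passes):
            _overwrite_pass(f, size, None)
        _overwrite_pass(f, size, b"\x00")
    with open(path, "rb") as f:  # verification pass through a fresh handle
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            if f.read(n) != b"\x00" * n:
                return False
            remaining -= n
    return True


def sanitize_file(path: str) -> bool:
    """Overwrite, verify, then unlink. False means the file was left in place
    because verification failed and the media may still hold data."""
    ok = overwrite_and_verify(path)
    if ok:
        os.unlink(path)
    return ok


def demo() -> bool:
    """Constructed input: a temp file holding a fake record. Returns True when
    the record is gone after overwriting and the file is removed afterwards."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"customer-id:0000-0000-TEST\n" * 2000)
    try:
        verified = overwrite_and_verify(path)
        with open(path, "rb") as f:
            leftover = b"TEST" in f.read()
        removed = sanitize_file(path) and not os.path.exists(path)
    finally:
        if os.path.exists(path):
            os.unlink(path)
    return verified and not leftover and removed


if __name__ == "__main__":
    print("sanitized:", demo())
```

The verification step is what turns a "we ran a tool" claim into evidence for a disposal record; whole-device sanitization should be verified the same way by sampling sectors after the drive's erase command completes.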
Question 4:
Which two statements correctly describe the functions of IPSec? (Select two.)
A It utilizes Internet Protocol (IP) to ensure data integrity.
B It employs the Authentication Header (AH) protocol to maintain data integrity.
C It uses the Password Authentication Protocol (PAP) for authenticating users.
D It relies on the Encapsulating Security Payload (ESP) protocol to provide data confidentiality.
Correct Answers: B and D
Explanation:
IPSec (Internet Protocol Security) is a suite of protocols designed to secure IP communications by authenticating and encrypting each packet transmitted over a network. It is widely used in virtual private networks (VPNs) and other secure communication systems to protect data integrity, confidentiality, and authenticity.
Option A incorrectly states that Internet Protocol (IP) itself ensures data integrity. The base IP protocol does not include mechanisms to guarantee integrity or confidentiality. Instead, IPSec adds specific protocols on top of IP to provide these security features.
Option B is correct. Authentication Header (AH, RFC 4302) provides integrity and data-origin authentication. It computes an Integrity Check Value, a keyed MAC such as HMAC-SHA-256, over the payload and the immutable fields of the IP header, so the receiver can detect any modification in transit and confirm the packet came from a peer holding the key; it also carries a sequence number used for anti-replay. Because the IP header is covered, AH breaks when a NAT device rewrites addresses, which is one reason ESP with integrity protection is far more common in practice. AH does not encrypt, so it provides no confidentiality.
Option C is incorrect. Password Authentication Protocol (PAP) is an obsolete PPP method that sends the password in cleartext. IPSec does not use it. Peer authentication and key negotiation are handled by the Internet Key Exchange (IKEv1 or IKEv2) using pre-shared keys, digital certificates or, with IKEv2, EAP methods; the keys IKE derives are what AH and ESP use.
Option D is correct. Encapsulating Security Payload (ESP, RFC 4303) provides confidentiality by encrypting the payload. It also offers integrity and data-origin authentication (mandatory in current deployments, typically via an AEAD cipher such as AES-GCM or via a separate HMAC) and anti-replay protection based on its sequence number. ESP's integrity check does not cover the outer IP header, so unlike AH it survives NAT.
To summarize, IPSec’s core mechanisms for protecting data integrity and confidentiality are Authentication Header (AH) and Encapsulating Security Payload (ESP), making B and D the accurate choices.
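The anti-replay protection mentioned for AH and ESP is a concrete algorithm, so here is an added example (not from the original page or from any IPsec implementation) of the receiver-side sliding window that RFC 4302/4303 describe, with the 64-packet window size they use as the example. The two-stage split matters: a packet may only move the window after its integrity check has passed, otherwise an attacker could push legitimate packets out of the window with forged sequence numbers. The packet sequence used by the test is constructed.

```python
"""ESP/AH anti-replay sliding window, as described in RFC 4302/4303.

Added example, not from the original page. Window size 64 is the RFC's
example; the receive() helper stands in for the rest of the packet pipeline.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.highest = 0  # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0   # bit i set => packet (highest - i) has been accepted

    def check(self, seq: int) -> bool:
        """Stage 1, run BEFORE the ICV is verified: may this sequence number
        be accepted? Does not modify state, so unauthenticated packets cannot
        poison the window."""
        if seq == 0:                  # sender's counter starts at 1
            return False
        if seq > self.highest:
            return True               # new high-water mark
        diff = self.highest - seq
        if diff >= self.size:
            return False              # older than the window: drop
        return not (self.bitmap >> diff) & 1  # set bit => replay


    def update(self, seq: int) -> None:
        """Stage 2, run only AFTER the ICV check succeeded: record `seq`."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1       # everything previously seen falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(window: AntiReplayWindow, seq: int, icv_ok: bool) -> str:
    """One packet through the receiver: window check, ICV verification (here
    just a flag standing in for the HMAC/AEAD check), then window update."""
    if not window.check(seq):
        return "dropped:replay-or-stale"
    if not icv_ok:
        return "dropped:bad-icv"
    window.update(seq)
    return "accepted"


if __name__ == "__main__":
    w = AntiReplayWindow()
    for s, ok in [(1, True), (2, True), (3, True), (5, True), (3, True),
                  (4, True), (100, False), (100, True), (37, True), (36, True)]:
        print(f"seq={s:>3} icv_ok={ok!s:<5} -> {receive(w, s, ok)}")
```

A real receiver keeps one window per Security Association, and with IKEv2's extended sequence numbers the 32-bit value here becomes 64-bit; the window logic is unchanged.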
Question 5:
Which Windows 7 feature enables administrators to both monitor installed applications and enforce policies that block outdated or unauthorized software from running?
A Direct Access
B Software Restriction Policies
C AppLocker
D User Account Control
Correct Answer: C
Explanation:
AppLocker is a security feature introduced in Windows 7 that provides administrators with granular control over which applications can run on the system. It allows creating rules based on application attributes such as publisher identity, file path, or file hash. This helps ensure that only trusted and approved software is executed, effectively preventing out-of-date, unauthorized, or potentially insecure applications from running.
In addition to enforcement, AppLocker has an audit-only mode in which rules are evaluated and each decision is written to the AppLocker event log without anything being blocked. Administrators use it to discover what software actually runs in their environment and to check a rule set for unintended blocks before switching it to enforce mode.
Comparing AppLocker to other features:
Direct Access (A): This feature is designed to provide seamless remote connectivity to corporate networks without traditional VPNs. It has no capabilities related to application control or software monitoring, so it is not relevant here.
Software Restriction Policies (B): SRP, available since Windows XP and Server 2003, also allows or denies programs using certificate, hash, path and network-zone rules, so it is a plausible distractor. AppLocker improves on it with publisher rules that can match product name and version ranges (so a rule can require a minimum version and thus block out-of-date builds), rules scoped to specific users or groups, separate rule collections for executables, scripts, installers and DLLs, automatic rule generation from a reference machine, and the audit-only mode described above. The question's combination of monitoring installed software and enforcing policy against outdated or unauthorized programs is what points to AppLocker rather than SRP.
User Account Control (D): UAC enhances security by prompting users when administrative changes are attempted, but it does not offer the ability to review or restrict software execution on the basis of policy. It is focused on privilege elevation rather than software control.
In summary, AppLocker combines both passive monitoring and active policy enforcement to control software usage, making it the most suitable feature for managing application security on Windows 7 systems.
Question 6:
How many bytes are required to store the hexadecimal number 0xFEDCBA in memory?
A 12
B 2
C 3
D 6
Correct Answer: C
Explanation:
Understanding how many bytes a hexadecimal value occupies involves knowing the relationship between bits, bytes, and hex digits. Each hexadecimal digit corresponds to 4 bits because it can represent 16 values (0–15), which equals 4 binary bits.
The given number, 0xFEDCBA, consists of 6 hex digits: F, E, D, C, B, and A. To calculate the total bits:
6 hex digits × 4 bits per digit = 24 bits
Since 1 byte equals 8 bits, we convert bits to bytes by dividing:
24 bits ÷ 8 bits per byte = 3 bytes
Therefore 0xFEDCBA needs 3 bytes of storage. That is the minimum the value itself requires; a compiler would normally keep it in a 32-bit (4-byte) integer, but the question asks about the size of the value, not a particular variable type.
Let’s review why the other choices are incorrect:
A (12): 12 bytes is 96 bits, room for 24 hex digits, four times what 0xFEDCBA needs. It is a distractor for anyone who doubles the digit count instead of halving it.
B (2): Two bytes equals 16 bits, which is too small to represent 6 hex digits.
D (6): Six bytes would be 48 bits or 12 hex digits, which is double the length of the provided hex value.
Thus, the correct answer is C because 6 hex digits equate to 24 bits, or 3 bytes, the exact size needed to store the value 0xFEDCBA.
Question 7:
Why should an ingress filter drop all incoming packets that claim a source address within the protected network's own IP range?
A The packets might be corrupted
B The packets could have been mistakenly routed onto the public Internet
C The packets could be intentionally spoofed by attackers
D The packets indicate excessive fragmentation
E Both A and B
F Both B and C
G Both B and D
H Both A and D
Correct Answer: F
Explanation:
Ingress filtering, standardised as BCP 38 (RFC 2827), drops packets at the network edge whose source address cannot legitimately have come from the direction they arrived. One core rule is to drop any packet arriving from the Internet whose source address lies inside the protected network's own address space: a genuine packet from an internal host never arrives on the external interface, so such a packet is either misrouted or forged. The mirror rule, egress filtering, drops outbound packets whose source is not one of the network's own addresses, which keeps the network from being used as a launch pad for spoofed traffic against others.
Let’s analyze why this is important:
Packets mistakenly routed onto the Internet (Option B): Sometimes, due to network misconfigurations or errors, internal IP addresses might be inadvertently sent out to the Internet. This results in packets with source addresses belonging to the protected network arriving from an external source, which is abnormal and should be blocked.
Spoofing by attackers (Option C): Attackers often forge (spoof) IP source addresses to disguise the origin of their malicious traffic, making it appear to come from within the internal network. Dropping packets with internal source addresses coming from outside helps to prevent such spoofing attempts and increases network security.
Other options are less relevant here:
Packet corruption (Option A) and excessive fragmentation (Option D) concern data integrity and packet structure, not source IP validation. These issues, while problematic, do not justify dropping packets based on their source IP address.
Combining options A or D with others is incorrect because the main rationale for dropping packets with internal source addresses is to prevent spoofing and accidental misrouting.
Hence, the correct answer is F (Both B and C) because ingress filtering focuses on blocking both accidentally misrouted packets and intentionally spoofed packets that claim to be from inside the network but are actually coming from outside. This prevents a range of security threats and network confusion.
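As an added example (not from the original page or from RFC 2827), here is a BCP 38-style ingress check written with Python's standard ipaddress module and run over a few constructed firewall log lines. It goes beyond the question's single rule: besides dropping packets that claim an internal source, it drops the private, loopback, link-local, multicast and unspecified ranges that should never arrive from the Internet either. The prefixes, the interface name wan0 and the log-line layout are constructed assumptions.

```python
"""BCP 38 / RFC 2827-style ingress source-address filter.

Added example, not from the original page. INTERNAL_PREFIXES, the bogon list,
the interface name and the log format are constructed assumptions.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed: the protected network's own address space (documentation ranges).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("2001:db8:1::/48")]

# Sources that must never appear on traffic arriving from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

EXTERNAL_IFACE = "wan0"  # assumption: name of the Internet-facing interface


def ingress_verdict(src: str,
                    internal=INTERNAL_PREFIXES,
                    bogons=BOGON_PREFIXES) -> Optional[str]:
    """None means accept; otherwise a drop reason for a packet that arrived on
    the external interface claiming source address `src`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed-source"
    for net in internal:
        if addr.version == net.version and addr in net:
            # Either misrouted (option B) or spoofed (option C); dropped either way.
            return "drop:spoofed-or-misrouted-internal-source"
    for net in bogons:
        if addr.version == net.version and addr in net:
            return f"drop:bogon-source({net})"
    return None


def filter_log(lines: Iterable[str]) -> List[Tuple[str, Optional[str]]]:
    """Apply the verdict to log lines of the form 'iface src dst'. Only packets
    entering on the external interface are subject to ingress filtering."""
    results = []
    for line in lines:
        iface, src, _dst = line.split()
        verdict = ingress_verdict(src) if iface == EXTERNAL_IFACE else None
        results.append((line, verdict))
    return results


# Constructed sample log lines: interface, source, destination.
SAMPLE_LOG = [
    "wan0 198.51.100.9 203.0.113.10",     # ordinary Internet client: accept
    "wan0 203.0.113.77 203.0.113.10",     # claims to be internal: drop
    "wan0 2001:db8:1::42 2001:db8:1::10", # same, over IPv6: drop
    "wan0 192.168.1.5 203.0.113.10",      # RFC 1918 source from the Internet: drop
    "lan0 203.0.113.77 198.51.100.9",     # internal source on the inside: fine
]

if __name__ == "__main__":
    for line, verdict in filter_log(SAMPLE_LOG):
        print(f"{line:40} -> {verdict or 'accept'}")
```

On a real edge device this logic is a handful of rules on the external interface; the value of writing it out is seeing that one address-family check covers both the "misrouted" and the "spoofed" cases the question distinguishes.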
Question 8:
Which service is responsible for translating hostnames into their corresponding IP addresses?
A Computer Browser
B DHCP
C DNS
D WINS
Correct Answer: C
Explanation:
The service tasked with converting human-readable hostnames into IP addresses is the Domain Name System (DNS). DNS is an essential part of how the internet and networks function, enabling users to access websites and network resources by typing easy-to-remember names rather than numeric IP addresses.
Here is how DNS works: when you type a hostname such as www.example.com into a browser, the operating system's resolver queries DNS for that name and receives the IP address (an A record for IPv4, an AAAA record for IPv6) that the browser then connects to. Humans work with names; routers and hosts deliver packets by address, and DNS is the directory between the two.
Let’s consider the other options and why they do not perform hostname resolution:
Computer Browser (Option A): This Windows service maintains a list of computers and shared resources on a local network, aiding in network discovery. It does not perform hostname to IP address resolution.
DHCP (Option B): The Dynamic Host Configuration Protocol assigns IP addresses dynamically to devices on a network. DHCP manages IP address allocation but does not translate hostnames to IPs.
WINS (Option D): Windows Internet Name Service is a legacy system designed to resolve NetBIOS names to IP addresses within older Windows networks. Unlike DNS, WINS does not resolve internet domain names and has largely been replaced by DNS.
Thus, DNS (Option C) is the correct and modern system used universally to map domain names to IP addresses, making network communication intuitive and efficient.
Question 9:
An organization periodically checks the hard drives of its employees' computers. Which company policy does this activity most likely relate to?
A Privacy policy
B Backup policy
C User password policy
D Network security policy
Correct answer: A
Explanation:
When an organization inspects the hard disks of employees’ computers, this activity falls under the umbrella of the privacy policy. A privacy policy governs how an organization handles, monitors, and protects personal and sensitive information belonging to employees and other stakeholders. It sets clear guidelines about what data may be accessed, how monitoring is conducted, and the extent to which employee privacy is maintained within the workplace environment.
Monitoring hard drives can include reviewing files, logs, or usage patterns to ensure compliance with company rules, detect unauthorized data storage or transfers, and safeguard proprietary information. This directly affects employee privacy because the organization is accessing data stored on devices assigned to them, which may contain both personal and professional information.
The backup policy (option B) primarily deals with procedures to protect data by creating and maintaining copies for recovery purposes. It is focused on data preservation, not on active monitoring of employee data.
The user password policy (option C) concerns password management protocols such as complexity requirements, expiration, and user responsibilities. It has no direct relation to inspecting hard disk contents.
The network security policy (option D) is about protecting the organization’s networks against unauthorized access or attacks. While it includes monitoring network traffic, it does not usually cover direct access or inspection of employees' hard drives unless related to network-based threats.
Therefore, since monitoring employee hard disks involves managing and potentially accessing personal or sensitive information stored locally, the activity is best categorized under the organization’s privacy policy (option A). This policy ensures that any monitoring respects legal and ethical boundaries and informs employees about the scope and intent of such activities.
Question 10:
An employee reports encountering a specific error when trying to access the company’s wireless portal. Which situation best explains this problem?
A A denial-of-service attack is blocking the portal’s response.
B A rogue access point is repeatedly disconnecting legitimate users.
C Encrypted wireless data is being intercepted and decrypted.
D An unauthorized access point is attempting to capture network traffic.
Correct answer: B
Explanation:
The scenario involves an employee struggling to connect to a wireless portal and receiving an error message. To diagnose this, it’s important to consider the nature of each possible cause.
Option A, a denial-of-service (DoS) attack, would flood the portal with excessive traffic to overwhelm it, potentially causing complete unavailability. However, this typically results in a total service outage, not intermittent connection errors or authentication problems.
Option B describes a deauthentication attack. 802.11 management frames, including Deauthentication and Disassociation, carry no cryptographic protection unless 802.11w Protected Management Frames (PMF) is enabled, so a rogue access point or any attacker within radio range can forge them with the real access point's address and kick clients off the network as often as it likes. The result is exactly what the employee reports: the client keeps being dropped and gets an error whenever it tries to reach the portal. Enabling PMF (optional in WPA2, mandatory in WPA3) is the standard mitigation, and a wireless IDS can detect the flood from the frame rate alone.
Option C suggests the encrypted data is being intercepted and decrypted, possibly implying a man-in-the-middle attack. While this is a serious security concern, it would not generally cause connection errors or disconnections; instead, it would allow an attacker to view or alter communications without disrupting connectivity directly.
Option D refers to an “evil twin” scenario where a fake access point tries to intercept users’ data by masquerading as a legitimate network. While this attack can redirect traffic and capture data, it typically doesn’t cause the specific disconnection errors described, but rather users may unknowingly connect to the rogue AP.
Given the symptoms—repeated disconnections and connection errors—the most plausible explanation is B: a rogue access point is launching a deauthentication attack, actively disconnecting legitimate clients from the network.
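As an added example (not part of the original page), here is detection logic for the attack in option B: parse bare 802.11 management frames and alert when one transmitter sends more deauthentication or disassociation frames per second than an access point ever legitimately would. The frames, MAC addresses and thresholds are constructed; a real capture would come from a monitor-mode interface and carry a radiotap header that this code does not handle.

```python
"""Detect an 802.11 deauthentication flood in captured management frames.

Added example, not from the original page. Frames are built inline from
constructed MAC addresses; the 24-byte MAC header layout and the Frame Control
bit fields follow IEEE 802.11. The rate threshold is an assumption.
"""
import struct
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

MGMT_TYPE = 0
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str,
                     seq: int, reason: Optional[int] = None) -> bytes:
    """Frame Control (little-endian): bits 0-1 version, 2-3 type, 4-7 subtype.
    Header: FC(2) Duration(2) Addr1/dst(6) Addr2/src(6) Addr3/bssid(6) SeqCtl(2).
    Deauth/Disassoc body: 2-byte reason code."""
    fc = (MGMT_TYPE << 2) | (subtype << 4)
    hdr = struct.pack("<HH", fc, 0) + _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid)
    hdr += struct.pack("<H", (seq & 0xFFF) << 4)   # sequence number sits in the top 12 bits
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body


def parse_mgmt_frame(frame: bytes) -> Dict:
    fc, = struct.unpack_from("<H", frame, 0)
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "dst": _mac_str(frame[4:10]),
        "src": _mac_str(frame[10:16]),
        "bssid": _mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "reason": None,
    }
    if (info["type"] == MGMT_TYPE and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
            and len(frame) >= 26):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(capture: List[Tuple[float, bytes]],
                        window_s: float = 1.0, threshold: int = 5) -> List[Dict]:
    """capture: (timestamp, frame) pairs. Alert once per (src, bssid) that sends
    more than `threshold` deauth/disassoc frames within any `window_s` seconds.
    A real AP deauthenticates a client occasionally; a flood sends dozens per
    second, usually to the broadcast address."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, raw in sorted(capture, key=lambda t: t[0]):
        f = parse_mgmt_frame(raw)
        if f["type"] != MGMT_TYPE or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (f["src"], f["bssid"])
        q = recent[key]
        q.append((ts, f["dst"]))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": f["src"], "bssid": f["bssid"], "count": len(q),
                           "broadcast": any(d == BROADCAST for _, d in q)})
    return alerts


def constructed_capture() -> List[Tuple[float, bytes]]:
    """Constructed trace: beacons, one legitimate deauth, then a spoofed flood."""
    ap, client = "02:00:00:00:aa:01", "02:00:00:00:cc:10"   # locally administered, made up
    cap = [(t * 0.1, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap, seq=t)) for t in range(30)]
    # AP drops an idle client once (reason 4 = disassociated due to inactivity)
    cap.append((1.25, build_mgmt_frame(SUBTYPE_DEAUTH, client, ap, ap, seq=900, reason=4)))
    # attacker forging the AP's address: 20 broadcast deauths within one second
    cap += [(2.0 + i * 0.05, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap,
                                               seq=4000 + i * 97 % 4096, reason=7))
            for i in range(20)]
    return cap


if __name__ == "__main__":
    for a in detect_deauth_flood(constructed_capture()):
        print(f"deauth flood from {a['src']} (bssid {a['bssid']}): "
              f"{a['count']} frames, broadcast={a['broadcast']}")
```

Because the forged frames carry the real AP's address, the transmitter field alone cannot tell rogue from genuine; the rate and the broadcast destination are the signal. With PMF enabled the client discards unprotected deauth frames and the flood becomes noise rather than an outage.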