Free Certification Practice Questions

GIAC-GCIH

What is one of the functions CyberCPR performs?
#61
Analyze the nmap results shown. What is the first step the security administrator should take?
#62
If an accounting department's computer system was compromised, who should make the decision about when that system is put back into production?
#63
Failing DNS, what will modern Windows systems use to resolve names of other systems?
#64
The incident response team has been working with the various systems teams to find a way to gain root access to systems in the event of an incident. It has been proposed that the system teams keep copies of all system passwords and crypto keys in sealed envelopes in a safe in the IT director's office. The envelopes are kept updated by the systems teams and access to the envelopes is logged by the IT director. However, the VMware system team is concerned about unqualified handlers having root access to the VMware host servers. What additional qualifier would make this agreement more agreeable to the VMware system team?
#65
What can you do to proactively protect against DLL injection on your organization's Exchange server?
#66
If an attacker is attempting to use the Kaminsky method of DNS cache poisoning, what is the maximum number of unique Query IDs which must be presented to the victim DNS server before a match is made?
#67
You are responding to an incident in which the organization's Extranet server has been compromised. The Extranet is the browser home page for most users in the organization. You have been instructed to watch the attacker, but minimize the business impact and the risk of further compromise. How can you continue providing services to the organization's users while isolating the compromised server?
#68
To defend against network mapping, which of the following packets should be denied at the border router?
#69
As related to buffer overflows, what is the purpose of the Instruction Pointer?
#70
Which stage of an attack typically involves little or no direct interaction with the attack target(s)?
#71
A client wants a system so that they can monitor connection queues on network equipment for too many half-open connections, as well as look for bandwidth consumption from the same types of connections. What kind of attacks will this type of system defend against?
#72
If virtual machines are relatively easy for an attacker to detect, the next best thing might be to put so much honey in your honeypot, attackers won't be able to resist. Which actions would result in the most meaningful traffic on your honeypot?
#73
Which reconnaissance source would you expect to provide the information in the below screen capture?
#74
A new helpdesk employee at a multinational corporation took it upon himself to test the security of the servers that hold highly confidential information regarding specific government projects. Which of the following is a well-known technique for deterring such individuals?
#75
You are a member of your organization's security team. A new ticket just came into your service desk and was escalated to you. One of the system administrators noticed the following entry in a Windows Server 2008 R2 file server Security event log:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/1/2012 2:24:07 AM
Event ID: 4674
Task Category: Sensitive Privilege Use
Level: Information
Keywords: Audit Failure
User: N/A
Computer: somehost.somecompany.com
Description: An operation was attempted on a privileged object.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Object:
Object Server: LSA
Object Type: -
Object Name: -
Object Handle: 0x0
Process Information:
Process ID: 0x1d8
Process Name: C:\Windows\System32\Isass.exe
Requested Operation:
Desired Access: 16777216
Privileges: SeSecurityPrivilege

What is your next step?
#76
The Network Operations Center has identified and escalated an active denial of service incident on the mail server and several externally facing web sites to the security team for review. What are the next steps for the NOC team?
#77
Analysis of malicious code identifies a function that searches for specific processes and hardware on a victim host. If the processes or hardware are found, the malicious executable does not install itself. What is a common purpose of this type of malware functionality?
#78
Which of the following is the most effective at eradicating a system infected with a Rootkit?
#79
An attacker is tunneling TLS encrypted traffic within ICMP echo and reply packets. How will most network appliances see this?
#80
Which of the following is an effective method of detecting a covert communication tunnel such as ptunnel?
#81
Which of the following processes should be prioritized for examination during live response?
#82
An attacker compromises a host and runs the following commands. What did the attacker do?
#83
Which of the following can be used in a USB attack to bypass authentication by hijacking the password libraries on a Windows system?
#84
An attacker is launching an attack against an input field in a form that is used to retrieve restricted information that is filtered dependent upon the privileges of the logged in user. This attacker inserts "' or 1=1;--" into this field. What is most likely the attacker's desired result from this insertion?
#85
An organization has an SSH server that was compromised, but later eradicated and recovered. The system disks were wiped clean, the OS reinstalled, and patches re-applied. After this process is complete, a security analyst noticed multiple simultaneous SSH logins from a single, valid, user-account on that system. Which of the following is the most likely explanation?
#86
Which Microsoft tool can be used to mitigate the risk of an adversary reusing a stolen local administrator password hash?
#87
Which endpoint security bypass technique modifies the assembly of an executable?
#88
An attacker has determined a web application is running the SQL command shown below. What could she enter for VALUE to get a list of all email addresses in the employee table and avoid syntax errors? select email from employee where name = '[VALUE]';
#89
An engineer is using Hashcat to brute force passwords from a file of hashes. How should the following hash be handled in the scenario? aad3b435b51404eeaad3b435b51404ee
#90