GCED GIAC Certified Enterprise Defender Questions and Answers

TFTP is a protocol to transfer files and commonly used with routers for configuration files, IOS images, and more. It requires no authentication. To download a file you need only know (or guess) its name. CDP, SNMP and ARP are not used for accessing or transferring IOS configuration files.

Follow TCP Stream is a feature of Wireshark that allows the analysis of a single TCP conversation between two hosts over multiple packets. Filtering packets using tcp in the filter box will return all TCP packets, not grouping by a single TCP conversation. HTTP is TCP not UDP, so you cannot follow a HTTP stream over UDP.

Both BPDU Guard and Root Guard are used to prevent a new switch from becoming the Root Bridge. They are very similar but use different mechanisms.

Rootguard allows devices to use STP, but if they send superior BDPUs (i.e. they attempt to become the Root Bridge), Root Guard disables the port until the offending BPDUs cease. Recovery is automatic.

If Portfast is enabled on a port, BPDU Guard will disable the port if a BPDU is received. The port stays disabled until it is manually re-enabled. Devices behind such ports cannot use STP, as the port would be disabled as soon as they send BPDUs (which is the default behavior of switches).

When using tcpdump, a –n switch will tell the tool to not resolve hostnames; as this network makes no use of DNS this is efficient. The –vv switch increases the tools output verbosity. The – s0 increases the snaplength to “all” rather than the default of 96 bytes. The –nnvvX would make sense here except that the port in the filter is 6514 which is the default port for encrypted Syslog transmissions.

Identifying and scoping an incident during triage is important to successfully handling a security incident. The detection methods used by the team didn’t detect all the infected workstations.

Once sensitive data is identified and classified, preventive measures can be taken. Among these are software-based controls, such as auditing and access control, as well as human controls such as background checks, psychological examinations, and such.

A company needs to classify its information as a key step in valuing it and knowing where to focus its protection.

Rotation of duties and separation of duties are both key elements in reducing the scope of information access and the ability to conceal malicious behavior.

Separation of duties helps minimize “empire building” within a company, keeping one individual from controlling a great deal of information, reducing the insider threat.

Security awareness programs can help other employees notice the signs of an insider attack and thus reduce the insider threat.

Detection is a reactive method and only occurs after an attack occurs. Only preventative methods can stop or limit an attack.

Management Controls include: Policies, guidelines, checklists, and reporting.

Detective management controls include personnel security. As a detective control, we are referring to indepth background investigations, clearances, and rotation of duties.

Domain login credentials are needed to kill a process on a remote system using taskkill.

When deploying an IPS, you should carefully monitor and tune your systems and be aware of the risks involved. You should also have an in-depth understanding of your network, its traffic, and both its normal and abnormal characteristics. It is always recommended to run IPS and active response technologies in test mode for a while to thoroughly understand their behavior.

If the IPS had been previously powered off the performance issues would have impacted all network traffic, not just critical resources, and the issue would have begun on day 1 of deployment.

A hardware failure of the TAP would bring connectivity to a stop, not just impact users access to critical resources.

If the IPS and/or TAP cannot keep up with traffic, the user’s issues would have been more sporadic, rather than focused on a sudden loss to critical resources.

Many administrators are hesitant to upgrade the IOS on routers based on past experience with the code introducing instability into the network. It is often difficult to completely test an IOS software upgrade in a production environment because the monolithic kernel requires that the IOS be replaced before the device can be tested. Because of these reasons, IOS upgrades to resolve security flaws are often left undone in many organizations.