
GCIH Online Practice Questions and Answers

Question 4

In which of the following steps of the incident handling processes does the Incident Handler make sure that all business processes and functions are back to normal and then also wants to monitor the system or processes to ensure that the system is not compromised again?

A. Eradication

B. Lesson Learned

C. Recovery

D. Containment

Question 5

You are concerned about rootkits on your network communicating with attackers outside your network. Without using an IDS how can you detect this sort of activity?

A. By examining your domain controller server logs.

B. You cannot, you need an IDS.

C. By examining your firewall logs.

D. By setting up a DMZ.

Question 6

Which of the following threats is a combination of worm, virus, and Trojan horse characteristics?

A. Spyware

B. Heuristic

C. Blended

D. Rootkits

Question 7

Observe the following command; what is the analyst doing?

$ rekal -f /cases/20160726_39/RAM/memimage.dd

A. Analyzing volatile evidence

B. Capturing a memory image

C. Verifying the integrity of an image

D. Creating a hash of original evidence

Question 8

Which of the following accurately describes a "Bot"?

A. Bots normally infect a carrier file and need human interaction to spread from computer to computer

B. Bots are distribution channels that worms and viruses use to spread across the network

C. Bots normally infect a carrier file but need no human interaction to spread from computer to computer

D. Bots are software programs that perform an action on behalf of a human

Question 9

An attacker wants to intercept their target's network traffic using ARP cache poisoning. How should the attacker set up IP forwarding?

A. On the victim host, directed to the attacker host

B. On whichever network host that is the next hop from the victim, directed to the default gateway

C. On their own host, directed to the default gateway

D. On the default gateway, directed to the attacker host

Question 10

How does a web application that is vulnerable to SQL injection attacks usually tie into a database?

A. Through SQL stored procedures directly invoked by the web application

B. Through binding to SQL Remote Procedure Calls on the database server

C. By formatting user input into an SQL statement that is sent to and run at the database

D. By establishing a SQL Secured Link (SSL) session with the database server

Question 11

Which of the following techniques can malware employ to avoid detection by honeypots installed on virtual machines?

A. The malware can detect the virtual machine by its MAC address and disables certain features

B. The malware can periodically move its host directory in order to evade file integrity monitoring

C. The malware can run under a new user that was previously unknown to the system

D. The malware can spawn a new process for VMware tools and disable the internal communications channel to the host

Question 12

How can the information below be used in a penetration test?

A. Attempt to use an Apache exploit on the server

B. Make a zone transfer request on the DNS server

C. Harvest the user information to attempt to gain access

D. Use the heartbleed vulnerability to pull all user data off the server

Question 13

Why do protocol parsers such as sniffers often run with root or system privileges?

A. So they can attach to port numbers higher than 1024 on Unix systems

B. So they can scan open files for application data

C. So they can run with application-level functionality

D. So they can run the network card in promiscuous mode

Exam Code: GCIH
Exam Name: GIAC Certified Incident Handler
Last Update: Apr 25, 2024
Questions: 705