GSNA | Top Tips Of Renew GSNA Study Guide

Ucertify offers free demo for GSNA exam. "GIAC Systems and Network Auditor", also known as GSNA exam, is a GIAC Certification. This set of posts, Passing the GIAC GSNA exam, will help you answer those questions. The GSNA Questions & Answers covers all the knowledge points of the real exam. 100% real GIAC GSNA exams and revised by experts!

Check GSNA free dumps before getting the full version:


You work as a Database Administrator for BigApple Inc. The Company uses Oracle as its database. You enabled standard database auditing. Later, you noticed that it has a huge impact on performance of the database by generating a large amount of audit data. How will you keep control on this audit data?

  • A. By implementing principle of least privilege.
  • B. By removing some potentially dangerous privileges.
  • C. By setting the REMOTE_LOGIN_PASSWORDFILE instance parameter to NONE.
  • D. By limiting the number of audit records generated to only those of interest.

Answer: D


Auditing is the process of monitoring and recording the actions of selected users in a database. Auditing is of the following types: Mandatory auditing Standard auditing Fine-grained auditing By focusing the audits as narrow as possible, you will get audit records for events that are of significance. If it is possible then try doing audit by session, not by access. When auditing a database the SYS.AUD$ table may grow many
gigabytes. You may delete or truncate it periodically to control the load of audit data. minimum set of privileges that are just sufficient to accomplish their requisite roles, so that even if the users try, they cannot perform those actions that may critically endanger the safety of data in the event of any malicious attacks. It is important to mention that some damage to data may still be unavoidable. Therefore, after identifying the scope of their role, users are allocated only those minimal privileges just compatible with that role. This helps in minimizing the damage to data due to malicious attacks. Grant of more privileges than necessary may make data critically vulnerable to malicious exploitation. The principle of least privilege is also known as the principle of minimal privilege and is sometimes also referred to as POLA, an abbreviation for the principle of least authority. The principle of least privilege is implemented to enhance fault tolerance, i.e. to protect data from malicious attacks. While applying the principle of least privilege, one should ensure that the parameter 07_DICTIONARY_ACCESSIBILITY in the data dictionary is set to FALSE, and revoke those packages and roles granted to a special pseudo-user known as Public that are not necessary to perform the legitimate actions, after reviewing them. This is very important since every user of the database, without exception, is automatically allocated the Public pseudo-user role. Some of the packages that are granted to the special pseudo- user known as Public are as follows: UTL_TCP UTL_SMTP UTL_HTTP UTL_FILE REMOTE_LOGIN_PASSWORDFILE is an initialization parameter used to mention whether or not Oracle will check for a password file and by which databases a password file can be used. The various properties of this initialization parameter are as follows: Parameter type: String Syntax: REMOTE_LOGIN_PASSWORDFILE = {NONE | SHARED | EXCLUSIVE}
Default value: NONE Removing some potentially dangerous privileges is a security option. All of the above discussed options are security steps and are not involved in standard database auditing.


You are the Network Administrator for a software development company. Your company creates various utilities and tools. You have noticed that some of the files your company creates are getting deleted from systems. When one is deleted, it seems to be deleted from all the computers on your network. Where would you first look to try and diagnose this problem?

  • A. Antivirus log
  • B. IDS log
  • C. System log
  • D. Firewall log

Answer: A


Check the antivirus log and see if it is detecting your file as a virus and deleting it. All antivirus programs have a certain rate of false positives. Since the file is being deleted from all computers, it seems likely that your antivirus has mistakenly identified that file as a virus. Answer D is incorrect. The firewall log can help you identify traffic entering or leaving your network, but won't help with files being deleted. Answer B is incorrect. An IDS log would help you identify possible attacks, but this scenario is unlikely to be from an external attack. Answer C is incorrect. Your system log can only tell you what is happening on that individual computer.


You work as a Network Administrator for XYZ CORP. The company has a TCP/IP-based network environment. The network contains Cisco switches and a Cisco router. A user is unable to access the Internet from Host B. You also verify that Host B is not able to connect to other resources on the network. The IP configuration of Host B is shown below:
GSNA dumps exhibit
Which of the following is the most likely cause of the issue?

  • A. An incorrect subnet mask is configured on Host B.
  • B. The IP address of Host B is not from the correct IP address range of the network.
  • C. There is an IP address conflict on the network.
  • D. An incorrect default gateway is configured on Host B.

Answer: A


According to the network diagram, the IP address range used on the network is from the class C private address range. The class C IP address uses the following default subnet mask: The question specifies that the subnet mask used in Host B is, which is an incorrect subnet mask.


You are the Network Administrator for a company. You have decided to conduct a user access and rights review. Which of the following would be checked during such a review? (Choose three)

  • A. Access Control Lists
  • B. Encryption Methods
  • C. User Roles
  • D. Firewalls
  • E. Group Membership

Answer: ACE

A user access and rights review must check all users, what groups they belong to, what roles they have, and what access they have. Furthermore, such a review should also check logs to see if users are appropriately utilizing their system rights and privileges.


Which of the following commands will you use to watch a log file /var/adm/messages while the log file is updating continuously?

  • A. less -g /var/adm/messages
  • B. tail /var/adm/messages
  • C. cat /var/adm/messages
  • D. tail -f /var/adm/messages

Answer: D


The tail command is used to display the last few lines of a text file or piped data. It has a special command line option -f (follow) that allows a file to be monitored. Instead of displaying the last few lines and exiting, tail displays the lines and then monitors the file. As new lines are added to the file by another process, tail updates the display. This is particularly useful for monitoring log files. The following command will display the last 10 lines of messages and append new lines to the display as new lines are added to messages: tail -f /var/adm/messages Answer B is incorrect. The tail command will display the last 10 lines (default) of the log file. Answer C is incorrect. The concatenate (cat) command is used to display or print the contents of a file. Syntax: cat filename For example, the following command will display the contents of the /var/log/dmesg file: cat /var/log/dmesg Note: The more command is used in conjunction with the cat command to prevent scrolling of the screen while displaying the contents of a file. Answer A is incorrect. The less command is used to view (but not change) the contents of a text file, one screen at a time. It is similar to the more command. However, it has the extended capability of allowing both forward and backward navigation through the file. Unlike most Unix text editors/viewers, less does not need to read the entire file before starting; therefore, it has faster load times with large files. The command syntax of the less command is as follows: less [options] file_name Where,


John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He is using the Linux operating system. He wants to use a wireless sniffer to sniff the We-are-secure network. Which of the following tools will he use to accomplish his task?

  • A. WEPCrack
  • B. Kismet
  • C. Snadboy's Revelation
  • D. NetStumbler

Answer: B


According to the scenario, John will use Kismet. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks: To identify networks by passively collecting packets To detect standard named networks To detect masked networks
To collect the presence of non-beaconing networks via data traffic Answer D is incorrect. NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. It detects wireless networks and marks their relative position with a GPS. Answer A is incorrect. WEPCrack is an open source tool that breaks IEEE 802.11 WEP secret keys. Answer C is incorrect. Snadboy's Revelation is not a sniffer. It is used to see the actual password behind the asterisks.


Adam works on a Linux system. He is using Sendmail as the primary application to transmit e-mails. Linux uses Syslog to maintain logs of what has occurred on the system. Which of the following log files contains e-mail information such as source and destination IP addresses, date and time stamps etc?

  • A. /var/log/mailog
  • B. /var/log/logmail
  • C. /log/var/mailog
  • D. /log/var/logd

Answer: A


/var/log/mailog ?le generally contains the source and destination IP addresses, date and time stamps, and other information that may be used to check the information contained within an e-mail header. Linux uses Syslog to maintain logs of what has occurred on the system. The configuration file /etc/syslog.conf is used to determine where the Syslog service (Syslogd) sends its logs. Sendmail can create event messages and is usually configured to record the basic information such as the source and destination addresses, the sender and recipient addresses, and the message ID of e-mail. The syslog.conf will display the location of the log file for e-mail. Answer B, C, D are incorrect. All these files are not valid log files.


You work as a Network Administrator for Net World International. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server 2003. There are ten Sales Managers in the company. The company has recently provided laptops to all its Sales Managers. All the laptops run Windows XP Professional. These laptops will be connected to the company's network through wireless connections. The company's management wants to implement Shared Key authentication for these laptops. When you try to configure the network interface card of one of the laptops for Shared Key authentication, you find no such option. What will you do to enable Shared Key authentication?

  • A. Install PEAP-MS-CHAP v2
  • B. Enable WEP
  • C. Install Service Pack 1
  • D. Install EAP-TLS.

Answer: B


Shared Key authentication requires the use of the Wired Equivalent Privacy (WEP) algorithm. If the WEP is not implemented, then the option for Shared Key authentication is not available. In order to accomplish the task, you will have to enable the WEP on all the laptops.


A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over the network, it is broken into fragments (packets) at the source and reassembled at the destination system. Each packet contains a sequence number that is used by the destination system to reassemble the data packets in the correct order. The Initial Sequence Number of your computer is 24171311 at login time. You connect your computer to a computer having the IP address This whole process takes three seconds. What will the value of the Initial Sequence Number be at this moment?

  • A. 24171811
  • B. 24619311
  • C. 24171111
  • D. 24171311

Answer: B


You took 3 seconds to establish a connection. During this time, the value of the Initial Sequence Number would become [24171311 + (1 * 64000) + (3 * 128000)], i.e., 24619311.


In which of the following techniques does an attacker take network traffic coming towards a host at one port and forward it from that host to another host?
GSNA dumps exhibit

  • A. Snooping
  • B. UDP port scanning
  • C. Firewalking
  • D. Port redirection

Answer: D


Port redirection is a technique by which an attacker takes network traffic coming towards a host at one port and redirects it from that host to another host. For example, tools such as Fpipe and Datapipe are port redirection tools that accept connections at any specified port and resend them to other specified ports on specified hosts. For example, the following command establishes a listener on port 25 on the test system and then redirects the connection to port 80 on the target system using the source port of 25. C.\>fpipe -l 25 -s 25 -r 80 IP_address Answer C is incorrect. Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that if an administrator blocks ICMP packets from leaving the network, it is ineffective. Answer A is incorrect. Snooping is an activity of observing the content that appears on a computer monitor or watching what a user is typing. Snooping also occurs by using software programs to remotely monitor activity on a computer or network device. Hackers or attackers use snooping techniques and equipment such as keyloggers to monitor keystrokes, capture passwords and login information, and to intercept e-mail and other private communications. Sometimes, organizations also snoop their employees legitimately to monitor their use of organizations' computers and track Internet usage. Answer B is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target system. If the remote port is closed, the server replies that the remote port is unreachable. If the remote Port is open, no such error is generated. Many firewalls block the TCP port scanning, at that time the UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port scanning easily.


You work as a Network Administrator for XYZ CORP. The company has a Windows Server 2008 network environment. The network is configured as a Windows Active Directory- based single forest network. You configure a new Windows Server 2008 server in the network. The new server is not yet linked to Active Directory. You are required to accomplish the following tasks: Add a new group named "Sales". Copy the "Returns" group from the older server to the new one. Rename the "Returns" group to "Revenue". View all group members, including for multiple groups/entire domain. You use Hyena to simplify and centralize all of these tasks. Which of the assigned tasks will you be able to accomplish?

  • A. Copy the "Returns" group to the new server.
  • B. Rename the "Returns" group to "Revenue".
  • C. Add the new group named "Sales".
  • D. View and manage all group members, including for multiple groups/entire domain.

Answer: ABC


Hyena supports the following group management functions: Full group administration such as add, modify, delete, and copy Rename groups Copy groups from one computer to another View both direct and indirect (nested) group members for one or more groups [only for Active Directory] View all group members, including for multiple groups/entire domain [only for Active Directory] Answer D is incorrect. All group members can neither be viewed nor managed until the new server is linked to Active Directory.


Which of the following tools uses Internet Control Message Protocol (ICMP)?

  • A. Port scanner
  • B. Brutus
  • C. Fragroute
  • D. Ping scanner

Answer: D


A ping scanner is a tool that sends ICMP ECHO requests across a network and rapidly makes a list of responding nodes. Internet Control Message Protocol (ICMP) is an integral part of IP. It is used to report an error in datagram processing. The Internet Protocol (IP) is used for host-to-host datagram service in a network. The network is configured with connecting devices called gateways. When an error occurs in datagram processing, gateways or destination hosts report the error to the source hosts through the
ICMP protocol. The ICMP messages are sent in various situations, such as when a datagram cannot reach its destination, when the gateway cannot direct the host to send traffic on a shorter route, when the gateway does not have the buffering capacity, etc. Answer A, B, C are incorrect. These tools do not use ICMP to perform their functions.


Which of the following types of firewall functions at the Session layer of OSI model?

  • A. Packet filtering firewall
  • B. Circuit-level firewall
  • C. Switch-level firewall
  • D. Application-level firewall

Answer: B


Circuit-level firewall operates at the Session layer of the OSI model. This type of firewall regulates traffic based on whether or not a trusted connection has been established.


John works as a professional Ethical Hacker. He is assigned a project to test the security of He is working on the Linux operating system. He wants to sniff the we-are-secure network and intercept a conversation between two employees of the company through session hijacking. Which of the following tools will John use to accomplish the task?

  • A. IPChains
  • B. Tripwire
  • C. Hunt
  • D. Ethercap

Answer: C

In such a scenario, John will use Hunt which is capable of performing both the hacking techniques, sniffing and session hijacking. Answer D is incorrect. Ethercap is a network sniffer and packet generator. It may be an option, but John wants to do session hijacking as well. Hence, he will not use Ethercap. Answer A is incorrect. IPChains is a firewall. Answer B is incorrect. Tripwire is a file and directory integrity checker.


You work as the Project Engineer for XYZ CORP. The company has a Unix-based network. Your office consists of one server, seventy client computers, and one print device. You raise a request for printing a confidential page. After 30 minutes, you find that your print request job is not processed and is at the seventh position in the printer queue. You analyze that it shall take another one hour to print. You decide to remove your job from the printer queue and get your page printed outside the office. Which of the following Unix commands can you use to remove your job from the printer queue?

  • A. tunelp
  • B. pr
  • C. lprm
  • D. gs

Answer: C


The basic Unix printing commands are as follows: banner: It is used to print a large banner on a printer. lpr: It is used to submit a job to the printer. lpc: It enables one to check the status of the printer and set its state. lpq: It shows the contents of a spool directory for a given printer. lprm: It is used to remove a job from the printer queue. gs: It works as a PostScript interpreter. pr: It is used to print a file. tunelp: It is used to set various parameters for the lp device.


You work as a Network Administrator for ABC Inc. The company uses a secure wireless network. John complains to you that his computer is not working properly. What type of security audit do you need to conduct to resolve the problem?

  • A. Non-operational audit
  • B. Dependent audit
  • C. Independent audit
  • D. Operational audit

Answer: C


An independent audit is an audit that is usually conducted by external or outside resources. It is the process of reviewing detailed audit logs for the following purposes: To examine the system activities and access logs To assess the adequacy of system methods To assess the adequacy of system controls To examine compliance with established enterprise network system policies To examine compliance with established enterprise network system procedures To examine effectiveness of enabling, support, and core processes Answer B is incorrect. It is not a valid type of security audit. Answer D is incorrect. It is done to examine the operational and ongoing activities within a network. Answer B is incorrect. It is not a valid type of security audit. Answer D is incorrect. It is done to examine the operational and ongoing activities within a network. Answer A is incorrect. It is not a valid type of security audit.


Which of the following statements is NOT true about FAT16 file system?

  • A. FAT16 file system works well with large disks because the cluster size increases as thedisk partition size increases.
  • B. FAT16 file system supports file-level compression.
  • C. FAT16 does not support file-level security.
  • D. FAT16 file system supports Linux operating system.

Answer: AB


FAT16 file system was developed for disks larger than 16MB. It uses 16-bit allocation table entries. FAT16 file system supports all Microsoft operating systems. It also supports OS/2 and Linux. Answer C, D are incorrect. All these statements are true about FAT16 file system.


P.S. Easily pass GSNA Exam with 368 Q&As Certshared Dumps & pdf Version, Welcome to Download the Newest Certshared GSNA Dumps: (368 New Questions)