Exam2pass
0 items Sign In or Register
  • Home
  • IT Exams
  • Guarantee
  • FAQs
  • Reviews
  • Contact Us
  • Demo
Exam2pass > GIAC > GIAC Certifications > GCIH > GCIH Online Practice Questions and Answers

GCIH Online Practice Questions and Answers

Questions 4

What is the major difference between a worm and a Trojan horse?

A. A worm spreads via e-mail, while a Trojan horse does not.

B. A worm is a form of malicious program, while a Trojan horse is a utility.

C. A worm is self replicating, while a Trojan horse is not.

D. A Trojan horse is a malicious program, while a worm is an anti-virus software.

Buy Now

Correct Answer: C

Questions 5

Which of the following is executed when a predetermined event occurs?

A. Trojan horse

B. Logic bomb

C. MAC

D. Worm

Buy Now

Correct Answer: B

Questions 6

Which of the following statements is true about a Trojan engine?

A. It limits the system resource usage.

B. It specifies the signatures that keep a watch for a host or a network sending multiple packets to a single host or a single network.

C. It specifies events that occur in a related manner within a sliding time interval.

D. It analyzes the nonstandard protocols, such as TFN2K and BO2K.

Buy Now

Correct Answer: D

Questions 7

Your company's web server administrator reports that the Apache servers are running slowly, but the IIS servers are not. Based on this report, which of the following pieces of information will help you determine the event should be classified as an incident?

A. Traffic logs from the border routers serving the web server farm

B. The Apache versions from the affected web servers

C. The output of the netstat command from an IIS server

D. The httpd configuration files from the Apache servers

Buy Now

Correct Answer: A

Firewall or router logs from the perimeter can help to identify unusual traffic destined for the affected web servers. Analyzing the processes running on unaffected servers will not help. Checking the versions and configuration of the Apache servers can verify if an identified problem is a misconfiguration.

Questions 8

You are responding to an incident in which the organization's Extranet server has been compromised. The Extranet is the browser home page for most users in the organization. You have been instructed to watch the attacker, but minimize the business impact and the risk of further compromise. How can you continue providing services to the organization's users while isolating the compromised server?

A. Point the domain name to the IP address of a secondary, patched production server

B. Change the server IP address to a different IP address

C. Isolate the switch port and put the system on a quarantined VLAN

D. Rebuild the system during a downtime window and restore the service

Buy Now

Correct Answer: A

The server is accessed via domain name by most users in your organization. To continue to provide service to those users, the best approach is to reroute DNS to another server. Chances are good that the attacker is accessing the server via IP address, so he should continue to have access to the server, which enables you to watch his actions while isolating users from the compromised server. Rebuilding the server during downtime would prevent access, prevent you from investigating, and possibly alert the attacker. Changing the IP address would not prevent users from accessing your site, and wouldn't isolate the server. Quarantining the system would prevent legitimate users from accessing services.

Questions 9

Which approach is recommended to prevent a DoS condition due to account lockouts as a result of a password guessing attack?

A. Limit the attack to a small number of dormant accounts, and maximize the number of password guesses per account

B. Maximize the number of accounts and hosts that are targeted, but try only two password guesses per account

C. Employ a hybrid attack during non-business hours

D. Use a script to automate password guesses at the accounts, limiting the guesses to 1 per every 3-seconds

Buy Now

Correct Answer: B

It is common for an account to become locked (temporarily) after x number of consecutive bad password attempts; it is uncommon to lock the account after only two-consecutive guesses. To avoid account lockout when performing password guessing, some attackers employ an alternative means for testing their guessed passwords ?password spraying. With this technique, instead of trying a large number of passwords for a small number of accounts on a small number of targets (traditional password guessing), attackers choose a small number of potential passwords to try. They then spray these potential password guesses across a large number of account names and machines, hoping that one works.

Questions 10

Examine the image below. Which of the following defensive measures could be taken to control the activity?

A. Block all traffic to the web server until a full investigation has been completed

B. Create an IDS signature that blocks iamawesome.nasl on the web servers

C. Sanitize the input from external users to the web server

D. Ping back to the host that uploaded the script to identify the host

Buy Now

Correct Answer: C

The Nessus CGI testing plugin created this activity on the web server. The server was vulnerable to cross site scripting and allows the nasl script to be uploaded during testing. The appropriate control for the event would be to ensure that the server and applications sanitize their input prior to accepting and processing the information. These steps will ensure that only legitimate information reaches the application and will mitigate XSS.

Questions 11

From the choices below, which type of defense is the best way to protect against User-Mode RootKits?

A. Reactive

B. Directive

C. Responsive

D. Proactive

E. Corrective

Buy Now

Correct Answer: D

The best way to defend against User-Mode RootKits is to be proactive. You should use a file system integrity checking tool. Such tools can create a read-only database of cryptographic hashes for critical system files. Being corrective, directive, and reactive only help after the fact and do not deter hackers from installing User-Mode RootKits.

Questions 12

An attacker wishes to steal browser cookies through a Cross-Site Scripting attack. Which website provides the best attack vector?

A. A user-generated message board

B. A login page protected by Basic Authentication

C. A news aggregator RSS feed in XML format

Buy Now

Correct Answer: A

The attacker searches for a website that reflects input back to a user. The website must reflect back everything the user types in, including special characters included in scripting languages. The attacker doesn't want an application that filters out scripting characters.

Questions 13

Which of the following statements describes the data below from volatility's pstree plugin?

A. Cmd.exe was the child process of OneDrive.exe

B. Chrmstp.exe was launched by MSASCuiL.exe

C. Explorer.exe was the parent process for firefox.exe

D. Notepad.exe was launched with Administrative privileges

Buy Now

Correct Answer: B

Exam Code: GCIH
Exam Name: GIAC Certified Incident Handler (GCIH)
Last Update: Jul 05, 2026
Questions: 705

PDF (Q&A)

$45.99
ADD TO CART

VCE

$49.99
ADD TO CART

PDF + VCE

$59.99
ADD TO CART

Exam2Pass----The Most Reliable Exam Preparation Assistance

There are tens of thousands of certification exam dumps provided on the internet. And how to choose the most reliable one among them is the first problem one certification candidate should face. Exam2Pass provide a shot cut to pass the exam and get the certification. If you need help on any questions or any Exam2Pass exam PDF and VCE simulators, customer support team is ready to help at any time when required.

Home | Guarantee & Policy |  Privacy & Policy |  Terms & Conditions |  How to buy |  FAQs |  About Us |  Contact Us |  Demo |  Reviews

2026 Copyright @ exam2pass.com All trademarks are the property of their respective vendors. We are not associated with any of them.