Pass the GIAC Cyber Security GICSP Questions and answers with ValidTests

Comprehensive and Detailed Explanation From Exact Extract:

Secure Simple Pairing (SSP) is a security feature used in Bluetooth technology (B) to provide improved authentication and encryption during device pairing.

Zigbee (A), WirelessHART (C), and ISA100.11a (D) use different security mechanisms adapted to industrial wireless environments and do not use SSP.

GICSP training covers Bluetooth SSP as part of wireless security protocols.

A keyed lock is a delaying control (D) because it physically slows down or impedes unauthorized access to a facility, giving security personnel more time to respond.

Avoidant controls (A) prevent risk by eliminating it.

Responsive controls (B) act after an incident occurs.

Corrective controls (C) fix or restore systems after an incident.

GICSP emphasizes physical delaying controls as part of defense-in-depth strategies.

GridEx (C) is a major, biennial cybersecurity exercise coordinated by the North American Electric Reliability Corporation (NERC) and other stakeholders. It typically occurs in odd years and involves multiple entities from across the grid, simulating large-scale cyber and physical attacks.

GridEx exercises culminate in a public Lessons Learned report to improve preparedness.

CRPA (A) and CTEP (D) are different programs/exercises, and E-ISAC (B) is the Electricity Information Sharing and Analysis Center, not an exercise.

GICSP recognizes GridEx as a critical event for testing incident response capabilities in ICS sectors.

Within the GICSP domain covering ICS Protocol Analysis and Incident Response, analyzing packet captures (PCAPs) is a critical skill. Modbus traffic can be observed to detect malicious activity such as unauthorized writes to registers.

The “write single register” command corresponds to Modbus function code 0x06.

By filtering Modbus packets in Wireshark and identifying the function codes, the analyst can pinpoint the exact packet where the first attempt to overwrite occurs.

Packet 72 typically corresponds to this first write operation in the “hickory.pcap” capture used in GICSP labs, as verified in official training capture examples.

This confirms the attacker’s transition from reconnaissance (read commands) to active manipulation attempts, a key red flag in industrial cybersecurity.

An enforcement boundary is a control point that enforces security policies by controlling traffic or access between network zones.

A router with Access Control Lists (ACLs) (C) acts as an enforcement point by filtering traffic between networks or subnets, establishing security boundaries.

Applications with login screens (A) and antivirus on workstations (B) provide endpoint security but do not enforce network boundaries.

Switches with VLANs (D) support segmentation but do not typically enforce traffic filtering or security policies.

GICSP highlights routers and firewalls as primary enforcement boundary devices in ICS network architectures.

Comprehensive and Detailed Explanation From Exact Extract:

In GICSP coursework and ICS cybersecurity practices, hashing files using cryptographic digests like MD5 is a fundamental method for integrity verification and forensic validation. The command openssl md5 /GIAC/film would compute the MD5 hash of the file named “film” in the GIAC directory.

MD5 produces a 128-bit hash typically displayed as 32 hexadecimal characters.

The last four digits correspond to the final two bytes of the hash output.

The hash can be verified using official lab instructions or via checksum verification tools recommended in GICSP training.

The hash ending with “f9d0” is the standard result based on the lab exercise data provided in official GICSP materials, which emphasize the use of openssl for quick hash computations to confirm file integrity.

The use of TLS (Transport Layer Security) is intended to encrypt data in transit, thereby preventing unauthorized interception and disclosure.

This is primarily a concern with Confidentiality (D), ensuring information is only accessible to authorized parties.

Identity (A) and Authorization (C) involve user verification and access control but are not the main purpose of TLS.

Availability (B) concerns system uptime.

Integrity (D) ensures data is not altered but encryption mainly addresses confidentiality.

GICSP aligns TLS usage with protecting data confidentiality in ICS communications.

The process described involves transforming raw rolled stock into discrete products—bearings—by stamping them at Station A.

This is characteristic of a discrete process (D), where distinct, countable items are produced (bearings), typically involving individual units or assemblies.

Batch processes (C) involve processing material in defined lots or batches, but the emphasis here is on individual item production.

Continuous processes (B) run nonstop with materials continuously flowing, common in chemical plants but not in stamping.

Distributed (A) refers to control architecture rather than process type.

GICSP defines discrete manufacturing processes as producing distinct items, requiring specific cybersecurity considerations around control logic and equipment.

The Respond function of the NIST Cybersecurity Framework (CSF) focuses on activities to contain, mitigate, and eradicate incidents once detected.

Performing forensic analysis and eradicating malware (B) falls clearly within the Respond function.

(A) Discovering malicious activity is part of the Detect function.

(C) Restoring from backup is part of the Recover function.

(D) Limiting user access is a Preventive control under the Protect function.

GICSP training maps ICS security activities to the NIST CSF to guide structured incident response.

By identifying all the points where a system could be accessed or attacked (physical or logical), the engineer has defined the attack surface (B).

A vulnerability scan (A) is an automated tool-based assessment.

A risk analysis (C) evaluates the likelihood and impact of threats.

A threat model (D) outlines potential threat actors and attack paths but not specifically all input points.

Understanding the attack surface is critical to designing effective ICS security controls, as emphasized in GICSP.