Pass the GIAC Cyber Security GICSP Questions and answers with ValidTests

Containment in incident handling involves limiting the damage caused by an incident and preventing its spread.

Re-imaging a compromised workstation (C) is a direct containment action to remove malicious software and restore system integrity.

(A) Patch verification and (D) validation scans are part of recovery or prevention phases.

(B) Creating forensic images is an evidence preservation task, not containment.

The GICSP incident handling process emphasizes containment as an immediate action to stabilize the environment before eradication and recovery.

Legacy devices using RS-232 interfaces require a communications gateway (C) to translate between the serial communication protocol and the new TCP/IP network.

A data diode (A) is a unidirectional security device, not a protocol translator.

An engineering workstation (B) is a computer, not a protocol conversion device.

An industrial switch (D) operates at the Ethernet layer and does not perform protocol conversion.

GICSP emphasizes gateways as essential for integrating legacy ICS devices into modern IP networks while maintaining protocol integrity.

The diagram shows two networks (Business Network and Control Server Network) connected by a switch, suggesting a single organization’s infrastructure with logical segmentation.

Best practices per GICSP for ICS and enterprise network integration recommend a single Active Directory domain with groups and organizational units to separate roles and permissions. This approach simplifies management, maintains centralized authentication, and supports role-based access control.

Creating multiple domains (B or C) introduces unnecessary complexity and potential trust relationship issues. A transitive trust (D) is relevant when multiple domains exist, which is not required here.

The GICSP framework supports minimizing complexity in domain design to reduce attack surfaces while maintaining proper segmentation through groups and policies.

The process described involves maintaining a consistent condition during and between batches of production, characteristic of a batch process.

Batch processes are executed in defined quantities or lots where the process starts, runs for a set time, and then stops or resets for the next batch. The fermentor's glycol jacket temperature must be carefully controlled throughout the batch to ensure product quality.

Continuous processes (A) run nonstop with steady-state conditions, typical in chemical refineries but not in batch fermentation.

Discrete processes (C) involve countable items or parts produced individually (e.g., manufacturing of assembled products).

Manual (B) refers to human-driven control rather than an automated process type.

Batch processing is common in brewing and food industries and is covered in GICSP’s ICS Fundamentals and Operations domain, which differentiates process types to tailor cybersecurity strategies for control systems.

The DHS (Department of Homeland Security) patch decision tree provides a systematic approach for patch management in ICS environments, balancing security and operational availability.

When a vulnerability is identified and a patch is available, but no workaround exists, the recommended next step is to test and apply the patch (C). This ensures that the system is protected as quickly as possible while verifying that the patch does not disrupt critical ICS operations.

(A) Identifying if the vulnerability affects the ICS typically comes earlier in the decision tree.

(B) Evaluating operational needs versus risk is part of risk management but comes after confirming patch availability.

(D) Identifying the vulnerability and patch is a prerequisite step.

This approach aligns with GICSP’s emphasis on structured patch management and testing before deployment in critical environments.

Integrity in cybersecurity ensures that data and systems are not altered or tampered with in an unauthorized manner. To protect integrity, controls must verify that data originates from a trusted source and has not been changed.

Digital signatures (D) provide cryptographic proof of data origin and integrity by enabling recipients to verify that the data has not been altered since it was signed.

Firewall egress filtering (A) limits outbound traffic but primarily protects confidentiality and availability, not directly integrity.

Logging IDS alerts (B) supports detection and auditing but is reactive rather than preventive.

Centralized LDAP authentication (C) manages user authentication and access control, mainly protecting confidentiality and accountability.

GICSP highlights digital signatures as a core control to maintain data integrity, especially for firmware, configuration files, and critical commands within ICS.

Comprehensive and Detailed Explanation From Exact Extract:

PLC logic project files contain the source code and configuration used to program a programmable logic controller (PLC). These files often reveal:

Control logic and operational sequences

Network addressing information

Interconnections between devices and systems

Thus, an attacker with access to these files can infer details about the network architecture (B), including how devices communicate, which protocols are used, and possibly the network topology.

Personnel data (A), firewall rulesets (C), and vendor release schedules (D) are not typically stored within PLC logic projects.

The GICSP framework stresses protecting such engineering artifacts because their compromise can provide an attacker with valuable insight to facilitate targeted attacks on ICS.

The configuration line denies a specific Modbus function code, which is a command-level filter for industrial protocols.

This type of control is typical of an application firewall (D) designed to understand and filter industrial control system protocols at the application layer.

A network firewall (A) typically filters traffic based on IP addresses, ports, and protocols, but not protocol function codes.

NIDS (B) detects and alerts on suspicious traffic but does not usually enforce blocking rules.

SIEM (C) collects and analyzes logs, not real-time blocking.

GICSP emphasizes the role of application-layer firewalls in protecting ICS protocols like Modbus.

In risk analysis, high consequence, low probability risks—such as catastrophic failures or attacks—require special attention. The best approach to ensure these risks are properly considered is to prioritize risks based on impact (A), focusing on the potential severity of consequences if the event occurs, regardless of its frequency.

Giving frequency or likelihood (B, D) a higher weight can lead to underestimating rare but highly damaging risks.

Mitigation cost (C) is a factor in decision-making but does not ensure identification or prioritization of high-impact risks.

GICSP emphasizes a balanced risk management process where impact or consequence is a critical criterion, especially in ICS environments where safety and critical infrastructure availability are paramount.

The host with IP 10.10.4.11 in the network diagram is labeled as the Historian Server. ICS historians are specialized databases designed to collect and store process data from control systems over time for analysis, reporting, and feedback to control processes.

10.10.31.217 is a Microsoft Access Workstation (not a database server).

10.10.4.123 represents NTP servers (time servers), not data storage.

10.10.4.239 is an Engineering Workstation.

10.103.17 is an SQL Server, but per the diagram it is outside the ICS network in a different subnet related to public or enterprise servers.

Thus, 10.10.4.11 (A) is the host intended to store ICS process data.