
Welcome To DumpsPedia

GCED Sample Questions Answers

Questions 4

An incident response team is handling a worm infection among their user workstations. They created an IPS signature to detect and block worm activity on the border IPS, then removed the worm's artifacts from workstations triggering the rule. Despite this action, worm activity continued for days after. Where did the incident response team fail?

Options:

A.

The team did not adequately apply lessons learned from the incident

B.

The custom rule did not detect all infected workstations

C.

They did not receive timely notification of the security event

D.

The team did not understand the worm’s propagation method

Questions 5

From a security perspective, how should the Root Bridge be determined in a Spanning Tree Protocol (STP) environment?

Options:

A.

Manually selected and defined by the network architect or engineer.

B.

Defined by selecting the highest Bridge ID to be the root bridge.

C.

Automatically selected by the Spanning Tree Protocol (STP).

D.

All switch interfaces become root bridges in an STP environment.

Questions 6

An incident response team investigated a database breach, and determined it was likely the result of an internal user who had a default password in place. The password was changed. A week later, they discover another loss of database records. The database admin provides logs that indicate the attack came from the front-end web interface. Where did the incident response team fail?

Options:

A.

They did not eradicate tools left behind by the attacker

B.

They did not properly identify the source of the breach

C.

They did not lock the account after changing the password

D.

They did not patch the database server after the event

Questions 7

You have been tasked with searching for Alternate Data Streams on the following collection of Windows partitions: 2GB FAT16, 6GB FAT32, and 4GB NTFS. How many total Gigabytes and partitions will you need to search?

Options:

A.

4GBs of data, the NTFS partition only.

B.

12GBs of data, the FAT16, FAT32, and NTFS partitions.

C.

6GBs of data, the FAT32 partition only.

D.

10GBs of data, both the FAT32 and NTFS partitions.

Questions 8

When running a Nmap UDP scan, what would the following output indicate?

Options:

A.

The port may be open on the system or blocked by a firewall

B.

The router in front of the host accepted the request and sent a reply

C.

An ICMP unreachable message was received indicating an open port

D.

An ACK was received in response to the initial probe packet

Questions 9

A legacy server on the network was breached through an OS vulnerability with no patch available. The server is used only rarely by employees across several business units. The theft of information from the server goes unnoticed until the company is notified by a third party that sensitive information has been posted on the Internet. Which control was the first to fail?

Options:

A.

Security awareness

B.

Access control

C.

Data classification

D.

Incident response

Questions 10

Which action would be the responsibility of the First Responder once arriving at the scene of a suspected incident as part of a Computer Security Incident Response Plan (CSIRP)?

Options:

A.

Making the decision of whether or not to notify law enforcement on behalf of the organization.

B.

Performing timeline creation on the system files in order to identify and remove discovered malware.

C.

Copying critical data from suspected systems to known good systems so productivity is not affected by the investigation.

D.

Conducting initial interviews and identifying the systems involved in the suspected incident.

Questions 11

Which of the following is best defined as “anything that has the potential to target known or existing vulnerabilities in a system?”

Options:

A.

Vector

B.

Gateway

C.

Threat

D.

Exploit

Questions 12

What should happen before acquiring a bit-for-bit copy of suspect media during incident response?

Options:

A.

Encrypt the original media to protect the data

B.

Create a one-way hash of the original media

C.

Decompress files on the original media

D.

Decrypt the original media
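The procedure this question is about, as an added example that is not part of the exam or of this page: hash the original media before anything is copied, image it read-only, hash the image and compare the two digests. The stand-in "media" is a small constructed file, the file names and the choice of SHA-256 are assumptions for the demonstration, and the final step alters one byte of the image to show what a failed verification looks like.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so media larger than RAM can still be hashed


def hash_file(path, algorithm="sha256"):
    """Hex digest of the file at `path`, computed chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, destination):
    """Bit-for-bit copy of `source` into `destination`; the source is only opened read-only."""
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)


def acquire_and_verify(source, destination):
    """Hash the original BEFORE imaging, image it, hash the image, compare.

    Returns (original_digest, image_digest, verified). The first digest is the
    value recorded for chain of custody; every later copy or analysis result
    is checked against it.
    """
    original = hash_file(source)
    acquire_image(source, destination)
    image = hash_file(destination)
    return original, image, original == image


def demo():
    """Constructed stand-in for suspect media (not real evidence): image it and
    verify, then alter one byte of the image and show the check now fails."""
    with tempfile.TemporaryDirectory() as workdir:
        media = os.path.join(workdir, "suspect.raw")
        image = os.path.join(workdir, "suspect-copy.raw")
        with open(media, "wb") as f:
            f.write(b"FAKEMBR" + bytes(range(256)) * 64)
        original, _, verified = acquire_and_verify(media, image)
        with open(image, "r+b") as f:   # simulate a write to the image after acquisition
            f.seek(10)
            f.write(b"\x00")
        still_matches = hash_file(image) == original
    return verified, still_matches


if __name__ == "__main__":
    print("verified after acquisition, still matches after tampering:", demo())
```

The order matters: if the baseline digest were taken from the copy instead of the original, a faulty or tampered acquisition would verify against itself.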

Questions 13

The creation of a filesystem timeline is associated with which objective?

Options:

A.

Forensic analysis

B.

First response

C.

Access control

D.

Incident eradication

Questions 14

The matrix in the screen shot below would be created during which process?

Options:

A.

Risk Assessment

B.

System Hardening

C.

Data Classification

D.

Vulnerability Scanning

Questions 15

What does the following WMIC command accomplish?

process where name='malicious.exe' delete

Options:

A.

Removes the ‘malicious.exe’ process form the Start menu and Run registry key

B.

Stops current process handles associated with the process named ‘malicious.exe’

C.

Removes the executable ‘malicious.exe’ from the file system

D.

Stops the ‘malicious.exe’ process from running and being restarted at the next reboot

Questions 16

Which tasks would a First Responder perform during the Identification phase of Incident Response?

Options:

A.

Verify the root cause of the incident and apply any missing security patches.

B.

Install or reenable host-based firewalls and anti-virus software on suspected systems.

C.

Search for sources of data and information that may be valuable in confirming and containing an incident.

D.

Disconnect network communications and search for malicious executables or processes.

Questions 17

An outside vulnerability assessment reveals that users have been routinely accessing Gmail from work for over a year, a clear violation of this organization’s security policy. The users report “it just started working one day”. Later, a network administrator admits he meant to unblock Gmail for just his own IP address, but he made a mistake in the firewall rule.

Which security control failed?

Options:

A.

Access control

B.

Authentication

C.

Auditing

D.

Rights management

Questions 18

What feature of Wireshark allows the analysis of one HTTP conversation?

Options:

A.

Follow UDP Stream

B.

Follow TCP Stream

C.

Conversation list > IPV4

D.

Setting a display filter to ‘tcp’

Questions 19

Which tool uses a Snort rules file for input and by design triggers Snort alerts?

Options:

A.

snot

B.

stick

C.

Nidsbench

D.

ftester

Questions 20

Which of the following tools is the most capable for removing the unwanted add-on in the screenshot below?

Options:

A.

ProcessExplorer

B.

Taskkill

C.

Paros

D.

Hijack This

Questions 21

You are responding to an incident involving a Windows server on your company’s network. During the investigation you notice that the system downloaded and installed two files, iexplorer.exe and iexplorer.sys. Based on the behavior of the system you suspect that these files are part of a rootkit. If this is the case what is the likely purpose of the .sys file?

Options:

A.

It is a configuration file used to open a backdoor

B.

It is a logfile used to collect usernames and passwords

C.

It is a device driver used to load the rootkit

D.

It is an executable used to configure a keylogger

Questions 22

What attack was indicated when the IDS system picked up the following text coming from the Internet to the web server?

select user, password from user where user= "jdoe" and password= 'myp@55!' union select "text",2 into outfile "/tmp/file1.txt" -- '

Options:

A.

Remote File Inclusion

B.

URL Directory Traversal

C.

SQL Injection

D.

Binary Code in HTTP Headers
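An added example, not from the exam or this page, showing both halves of what the captured text implies: a signature-style check that flags the tokens in it, and the vulnerable login query it is aimed at next to the parameterized version that defuses the same input. The table, the accounts and the attack string are constructed; sqlite3 stands in for MySQL, so the MySQL-only "into outfile" clause is only detected, not executed.

```python
import re
import sqlite3

# Constructed IDS capture, modelled on the text in the question. The MySQL-specific
# "into outfile" clause turns a credential check into a file write on the database
# host; sqlite3 has no such clause, so it is pattern-matched here, not run.
CAPTURED = ('select user, password from user where user= "jdoe" and password= \'myp@55!\' '
            'union select "text",2 into outfile "/tmp/file1.txt" -- \'')

# Tokens that rarely occur in legitimate form input but are typical of injection.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "into_outfile": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "comment_terminator": re.compile(r"(--\s|--$|#|/\*)"),
    "quoted_or": re.compile(r"'\s*or\s+'?\w", re.I),
}


def classify_payload(text):
    """Names of the injection patterns present in `text`, sorted for stable output."""
    return sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(text))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (user text, password text)")
    conn.executemany("insert into user values (?, ?)",
                     [("jdoe", "myp@55!"), ("admin", "hunter2")])
    return conn


def login_vulnerable(conn, user, password):
    """The bug the captured text exploits: user input spliced into the SQL string."""
    query = ("select user, password from user where user='%s' and password='%s'"
             % (user, password))
    return conn.execute(query).fetchall()


def login_safe(conn, user, password):
    """Same query with bound parameters: the input stays data, never SQL."""
    query = "select user, password from user where user=? and password=?"
    return conn.execute(query, (user, password)).fetchall()


# Attacker-controlled password field: closes the string literal, appends a UNION
# that dumps the whole table, and comments out the application's closing quote.
ATTACK_PASSWORD = "wrong' union select user, password from user -- "

if __name__ == "__main__":
    print("patterns in capture:", classify_payload(CAPTURED))
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "jdoe", ATTACK_PASSWORD))
    print("safe:      ", login_safe(db, "jdoe", ATTACK_PASSWORD))
```

The vulnerable query returns every row even though the password is wrong; the parameterized one returns nothing. The pattern list is a detection aid, not a defence: the fix is the bound parameters.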

Questions 23

Which of the following would be included in a router configuration standard?

Options:

A.

Names of employees with access rights

B.

Access list naming conventions

C.

Most recent audit results

D.

Passwords for management access

Questions 24

Michael, a software engineer, added a module to a banking customer’s code. The new module deposits small amounts of money into his personal bank account. Michael has access to edit the code, but only code reviewers have the ability to commit modules to production. The code reviewers have a backlog of work, and are often willing to trust the software developers’ testing and confidence in the code.

Which technique is Michael most likely to engage to implement the malicious code?

Options:

A.

Denial of Service

B.

Race Condition

C.

Phishing

D.

Social Engineering

Questions 25

The security team wants to detect connections that can compromise credentials by sending them in plaintext across the wire. Which of the following rules should they enable on their IDS sensor?

Options:

A.

alert tcp any 22 <> any 22 (msg:"SSH connection"; classtype:misc-attack; sid:122; rev:1;)

B.

alert tcp any any <> any 6000: (msg:"X-Windows session"; flow:from_server,established; nocase; classtype:misc-attack; sid:101; rev:1;)

C.

alert tcp any 23 <> any 23 (msg:"Telnet shell"; classtype:misc-attack; sid:100; rev:1;)

D.

alert udp any any <> any 5060 (msg:"VOIP message"; classtype:misc-attack; sid:113; rev:2;)
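An added example, not from the exam or this page, that parses the four rule headers above and replays constructed flows through them to show which rule fires on what. It is a deliberate simplification of Snort's engine: only the header (protocol, addresses, ports, direction) is evaluated, the flow and nocase options are parsed but ignored, and address specs other than "any" and a literal IP are not handled. The flows, the IPs and the extra rule with a placeholder sid in the local range are assumptions.

```python
import re

# The four candidate rules, syntax normalised (quoted msg, classtype, "sid:N; rev:N;").
RULES = [
    'alert tcp any 22 <> any 22 (msg:"SSH connection"; classtype:misc-attack; sid:122; rev:1;)',
    'alert tcp any any <> any 6000: (msg:"X-Windows session"; flow:from_server,established; nocase; classtype:misc-attack; sid:101; rev:1;)',
    'alert tcp any 23 <> any 23 (msg:"Telnet shell"; classtype:misc-attack; sid:100; rev:1;)',
    'alert udp any any <> any 5060 (msg:"VOIP message"; classtype:misc-attack; sid:113; rev:2;)',
]

# Assumed rule, not from the question: catches a Telnet session whatever the client's
# ephemeral port. The sid is a placeholder in the local (>= 1000000) range.
TELNET_CLIENT_RULE = 'alert tcp any any -> any 23 (msg:"Telnet session"; classtype:misc-attack; sid:1000100; rev:1;)'

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_ports(spec):
    """'any' -> 0-65535, '23' -> 23-23, '6000:' -> 6000-65535, ':1024' -> 0-1024."""
    if spec == "any":
        return 0, 65535
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(lo), int(lo)
    return (int(lo) if lo else 0), (int(hi) if hi else 65535)


def parse_options(text):
    """'msg:"x"; nocase; sid:1;' -> {'msg': 'x', 'nocase': True, 'sid': '1'}"""
    opts = {}
    for item in filter(None, (s.strip() for s in text.split(";"))):
        key, sep, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"') if sep else True
    return opts


def parse_rule(text):
    m = HEADER.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    rule["sport"] = parse_ports(rule["sport"])
    rule["dport"] = parse_ports(rule["dport"])
    rule["opts"] = parse_options(rule.pop("opts"))
    return rule


def _one_way(rule, src, sport, dst, dport):
    # Only 'any' and a literal IP are understood here (no CIDR, no $HOME_NET variables).
    return (rule["src"] in ("any", src) and rule["sport"][0] <= sport <= rule["sport"][1]
            and rule["dst"] in ("any", dst) and rule["dport"][0] <= dport <= rule["dport"][1])


def rule_fires(rule, proto, src, sport, dst, dport):
    if rule["proto"] != proto:
        return False
    if _one_way(rule, src, sport, dst, dport):
        return True
    # '<>' is bidirectional: repeat the same tests with the two ends swapped
    return rule["dir"] == "<>" and _one_way(rule, dst, dport, src, sport)


def alerts_for(flows, rules=RULES):
    """(flow, msg, sid) for every rule that fires on each flow, in flow order."""
    parsed = [parse_rule(r) for r in rules]
    return [(flow, r["opts"]["msg"], int(r["opts"]["sid"]))
            for flow in flows for r in parsed if rule_fires(r, *flow)]


# Constructed flows as (proto, src, sport, dst, dport). Client ports are kept below
# 6000 so the open-ended '6000:' range in the X-Windows rule does not also catch them.
FLOWS = [
    ("tcp", "10.0.0.5", 1234, "10.0.0.9", 23),    # realistic Telnet login from an ephemeral port
    ("tcp", "10.0.0.5", 23, "10.0.0.9", 23),      # both ends on 23: the only shape rule C matches
    ("tcp", "10.0.0.5", 2345, "10.0.0.9", 22),    # SSH
    ("tcp", "10.0.0.9", 6000, "10.0.0.5", 1025),  # X server (display :0) replying to a client
    ("udp", "10.0.0.5", 5060, "10.0.0.9", 5060),  # SIP signalling
]

if __name__ == "__main__":
    for flow, msg, sid in alerts_for(FLOWS):
        print(sid, msg, flow)
    print("ephemeral-port Telnet under the assumed rule:", alerts_for([FLOWS[0]], [TELNET_CLIENT_RULE]))
```

Two things worth noticing when the block runs: "any 23 <> any 23" requires port 23 on both ends, so a normal Telnet login from an ephemeral client port does not trigger rule C at all (the assumed "any any -> any 23" form does), and "6000:" is an open-ended range, so rule B also fires on any flow with an ephemeral port of 6000 or above at either end.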

Questions 26

A company classifies data using document footers, labeling each file with the security labels "Public", "Pattern", or "Company Proprietary". A new policy forbids sending "Company Proprietary" files via email. Which control could help security analysts identify breaches of this policy?

Options:

A.

Monitoring failed authentications on a central logging device

B.

Enforcing TLS encryption for outbound email with attachments

C.

Blocking email attachments that match the hashes of the company’s classification templates

D.

Running custom keyword scans on outbound SMTP traffic from the mail server
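An added example, not from the exam or this page, of the kind of outbound-mail check the question describes: parse a message, read the classification footer of each text attachment and report the ones whose label is forbidden. The footer line format ("Classification: <label>"), the message contents and the addresses are constructed assumptions; the labels are the three named in the question.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Labels from the question; the footer line format is an assumption for the example.
FORBIDDEN_BY_EMAIL = {"Company Proprietary"}
FOOTER = re.compile(r"^\s*Classification:\s*(?P<label>.+?)\s*$", re.M | re.I)


def classification_of(text):
    """Label from the last classification footer in `text`, or None if absent.
    Unknown labels are returned verbatim so a mislabelled file is visible too."""
    labels = [m.group("label") for m in FOOTER.finditer(text)]
    return labels[-1] if labels else None


def scan_message(raw):
    """(filename, label) for each attachment of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_maintype() != "text":
            # Office and PDF attachments need a text extractor before the footer
            # can be read; flag them rather than silently passing them.
            findings.append((part.get_filename(), "unscanned"))
            continue
        findings.append((part.get_filename(), classification_of(part.get_content())))
    return findings


def policy_violations(findings):
    """Attachments whose footer label may not leave by email."""
    return [name for name, label in findings if label in FORBIDDEN_BY_EMAIL]


def build_sample():
    """Constructed outbound message (not a real capture) with one violating attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Q3 figures"
    msg.set_content("See attached.")
    msg.add_attachment("Revenue by region ...\n\nClassification: Company Proprietary\n",
                       filename="q3-figures.txt")
    msg.add_attachment("Press release draft ...\n\nClassification: Public\n",
                       filename="press.txt")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="deck.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    found = scan_message(build_sample())
    print(found)
    print("violations:", policy_violations(found))
```

Keyword scanning of this kind only sees the label text, so it is blind to binary formats without a text extractor and to anything sent over TLS to an external mail provider; it belongs on the mail server or gateway where the message is still in the clear.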

Exam Code: GCED
Exam Name: GIAC Certified Enterprise Defender
Last Update: Sep 15, 2025
Questions: 88