GIAC Certified Enterprise Defender Certification Exam GCED Dumps Questions

Candidates who hold the GIAC Certified Enterprise Defender (GCED) certification can prove that they have validated knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling and malware removal. GIAC Certified Enterprise Defender Certification Exam GCED Dumps Questions are released to help you prepare for the GCED certification exam smoothly. Real GCED dumps questions come with a 100% passing guarantee, making them a great study resource for the GIAC Certified Enterprise Defender certification exam.

Real GCED Free Dumps Online, You Are Highly Recommended To Read First

1. When an IDS system looks for a pattern indicating a known worm, what type of detection method is it using?

2. Why would an incident handler acquire memory on a system being investigated?

3. Which could be described as a Threat Vector?

4. A security device processes the first packet from 10.62.34.12 destined to 10.23.10.7 and recognizes a malicious anomaly. The first packet makes it to 10.23.10.7 before the security device sends a TCP RST to 10.62.34.12.

What type of security device is this?

5. Which tool uses a Snort rules file for input and by design triggers Snort alerts?

6. Network administrators are often hesitant to patch the operating systems on Cisco routers and switches, due to the possibility of causing network instability, mainly because of which of the following?

7. A company estimates a loss of $2,374 per hour in sales if their website goes down. Their webserver hosting site’s documented downtime was 7 hours each quarter over the last two years. Using the information, what can the analyst determine?

8. To detect worms and viruses buried deep within a network packet payload, gigabytes' worth of traffic content entering and exiting a network must be checked with which of the following technologies?

9. When identifying malware, what is a key difference between a Worm and a Bot?

10. Monitoring the transmission of data across the network using a man-in-the-middle attack presents a threat against which type of data?

11. Which type of media should the IR team be handling as they seek to understand the root cause of an incident?

12. An incident response team is handling a worm infection among their user workstations. They created an IPS signature to detect and block worm activity on the border IPS, then removed the worm's artifacts on workstations triggering the rule. Despite this action, worm activity continued for days after. Where did the incident response team fail?

13. A legacy server on the network was breached through an OS vulnerability with no patch available. The server is used only rarely by employees across several business units. The theft of information from the server goes unnoticed until the company is notified by a third party that sensitive information has been posted on the Internet.

Which control was the first to fail?

14. Analyze the screenshot below.

Which of the following attacks can be mitigated by these configuration settings?

15. Of the following pieces of digital evidence, which would be collected FIRST from a live system involved in an incident?

16. Which of the following attacks would use “..” notation as part of a web request to access restricted files and directories, and possibly execute code on the web server?

17. At the start of an investigation on a Windows system, the lead handler executes the following command after inserting a USB drive.

C:\>dir /s /a dhsra d: > a:IRCD.txt

What is the purpose of this command?

18. Why might an administrator not be able to delete a file using the Windows del command without specifying additional command line switches?

19. Why would the pass action be used in a Snort configuration file?

20. On which layer of the OSI Reference Model does the FWSnort utility function?

21. Which command tool can be used to change the read-only or hidden setting of the file in the screenshot?

22. Which Unix administration tool is designed to monitor configuration changes to Cisco, Extreme and Foundry infrastructure devices?

23. If a Cisco router is configured with the “service config” configuration statement, which of the following tools could be used by an attacker to apply a new router configuration?

24. Who is ultimately responsible for approving methods and controls that will reduce any potential risk to an organization?

25. An internal host at IP address 10.10.50.100 is suspected to be communicating with a command and control server whenever a user launches a browser window.

What features and settings of Wireshark should be used to isolate and analyze this network traffic?

26. Michael, a software engineer, added a module to a banking customer’s code. The new module deposits small amounts of money into his personal bank account. Michael has access to edit the code, but only code reviewers have the ability to commit modules to production. The code reviewers have a backlog of work, and are often willing to trust the software developers’ testing and confidence in the code.

Which technique is Michael most likely to use to implement the malicious code?

27. A company wants to allow only company-issued devices to attach to the wired and wireless networks. Additionally, devices that are not up-to-date with OS patches need to be isolated from the rest of the network until they are updated.

Which technology standards or protocols would meet these requirements?

28. When attempting to collect data from a suspected system compromise, which of the following should generally be collected first?

29. Before re-assigning a computer to a new employee, what data security technique does the IT department use to make sure no data is left behind by the previous user?

30. What feature of Wireshark allows the analysis of one HTTP conversation?
