
GIAC GSEC Sample Questions & Practice Test

Try 12 GIAC Security Essentials (GSEC) sample questions and practice-test preview prompts on defense-in-depth, access control, network security, cryptography, vulnerability management, incident response, and practical risk decisions.

GIAC Security Essentials (GSEC) is a security-foundations route for candidates who need practical judgment across defense-in-depth, access control, network security, cryptography, vulnerability management, operations, and incident response.

Use this page to preview the kind of security decisions a GSEC practice route should test. The questions below are original IT Mastery sample questions, not official GIAC exam questions.

What this route should test

  • recognizing practical security controls and when they reduce risk
  • connecting identity, network, endpoint, data, and logging controls into layered defense
  • choosing evidence-based incident and vulnerability responses
  • avoiding single-control answers when a scenario needs process, monitoring, and verification

Sample Exam Questions

Question 1

Topic: defense-in-depth

A company relies on perimeter firewall rules but has weak endpoint hardening and little monitoring. Which improvement best reflects defense-in-depth?

  • A. Remove endpoint controls because the firewall already blocks threats
  • B. Add layered controls such as endpoint hardening, authentication policy, logging, monitoring, and tested response procedures
  • C. Allow all internal traffic because it is already inside the network
  • D. Replace all policies with an annual awareness email only

Best answer: B

Explanation: Defense-in-depth uses multiple preventive, detective, and response controls. A perimeter firewall is useful, but it is not enough by itself.


Question 2

Topic: least privilege

A service account runs one scheduled backup task but has domain administrator rights. What is the best correction?

  • A. Share the account password with the operations team
  • B. Disable logging because the account is trusted
  • C. Keep the rights because the task is important
  • D. Reduce permissions to the minimum rights needed for the backup task and monitor use

Best answer: D

Explanation: Least privilege limits blast radius. Service accounts should have scoped rights, strong credential controls, and monitoring.


Question 3

Topic: log review

An analyst sees repeated failed VPN logins from many countries against one account. What is the best first action?

  • A. Treat the pattern as a possible credential attack, preserve evidence, protect the account, and check related activity
  • B. Ignore it because failed logins prove access was denied
  • C. Delete the logs to reduce storage use
  • D. Disable VPN for all users permanently

Best answer: A

Explanation: Repeated failures against one account from many source countries suggest a distributed brute-force or targeted attack on that account; the same number of failures spread across many accounts from one source is more typical of password spraying or credential stuffing. In either case the right first response protects the account (lock or reset per procedure, and look for any successful login after the failures) while preserving the logs as evidence.
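The triage described in this answer, as an added example (not part of the original page or of any GIAC material): it parses a few constructed VPN authentication log lines, flags an account that fails from several countries, flags a source that fails against many accounts (the spraying pattern), and records whether a success followed the failures. The log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example; the format is assumed, not a
# real VPN product's output. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-05-18T09:12:01Z vpn-gw auth: result=FAIL user=jsmith src=203.0.113.10 geo=BR
2026-05-18T09:12:07Z vpn-gw auth: result=FAIL user=jsmith src=198.51.100.23 geo=NG
2026-05-18T09:12:15Z vpn-gw auth: result=FAIL user=jsmith src=192.0.2.77 geo=RU
2026-05-18T09:12:22Z vpn-gw auth: result=FAIL user=jsmith src=203.0.113.44 geo=VN
2026-05-18T09:12:30Z vpn-gw auth: result=FAIL user=jsmith src=198.51.100.9 geo=ID
2026-05-18T09:12:41Z vpn-gw auth: result=OK user=jsmith src=192.0.2.200 geo=US
2026-05-18T09:13:02Z vpn-gw auth: result=FAIL user=akumar src=203.0.113.99 geo=CN
2026-05-18T09:13:03Z vpn-gw auth: result=FAIL user=bwong src=203.0.113.99 geo=CN
2026-05-18T09:13:04Z vpn-gw auth: result=FAIL user=cdiaz src=203.0.113.99 geo=CN
2026-05-18T09:13:05Z vpn-gw auth: result=FAIL user=dlee src=203.0.113.99 geo=CN
2026-05-18T09:13:06Z vpn-gw auth: result=FAIL user=efox src=203.0.113.99 geo=CN
2026-05-18T09:14:10Z vpn-gw auth: result=FAIL user=mkhan src=192.0.2.50 geo=US
2026-05-18T09:14:40Z vpn-gw auth: result=OK user=mkhan src=192.0.2.50 geo=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)


def parse_log(text):
    """Return one dict per line that matches the assumed auth-log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events, min_failures=5, min_countries=3, min_spray_accounts=5):
    """Flag two patterns: one account failing from many countries (targeted or
    distributed brute force) and one source failing against many accounts
    (password spraying / credential stuffing). Thresholds are illustrative."""
    per_user = defaultdict(lambda: {"fail": 0, "geos": set(), "success_after_fail": False})
    per_src = defaultdict(set)
    for e in events:  # lines are assumed to be in time order
        u = per_user[e["user"]]
        if e["result"] == "FAIL":
            u["fail"] += 1
            u["geos"].add(e["geo"])
            per_src[e["src"]].add(e["user"])
        elif u["fail"] > 0:
            # A success after a burst of failures is the signal that turns
            # "attempted" into "possibly compromised": check that session next.
            u["success_after_fail"] = True

    findings = []
    for user, u in per_user.items():
        if u["fail"] >= min_failures and len(u["geos"]) >= min_countries:
            findings.append({
                "type": "targeted_account",
                "user": user,
                "failures": u["fail"],
                "countries": sorted(u["geos"]),
                "success_after_fail": u["success_after_fail"],
            })
    for src, users in per_src.items():
        if len(users) >= min_spray_accounts:
            findings.append({
                "type": "password_spray_source",
                "src": src,
                "accounts": sorted(users),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```

The single failure followed by a success for `mkhan` is not flagged: a typo is normal. The account `jsmith` is flagged with a success after five failures from five countries, which is the case to escalate first; the source `203.0.113.99` is flagged separately because one failure per account from one address is what spraying looks like when you only count failures per user.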


Question 4

Topic: cryptography

A developer proposes storing passwords with reversible encryption so support staff can read them back to users. What is the better design?

  • A. Store passwords in plaintext and restrict file access
  • B. Email passwords only to managers
  • C. Store salted password hashes and use reset flows instead of recovering passwords
  • D. Use the same encryption key for every environment

Best answer: C

Explanation: Passwords should never be recoverable, by support staff or anyone else. Store only a per-user salted hash produced by a deliberately slow password-hashing function (for example PBKDF2, bcrypt, scrypt, or Argon2), verify a login by recomputing the hash, and handle forgotten passwords with a time-limited, single-use reset flow. If the store is compromised, the attacker gets hashes that must be cracked one at a time rather than every password in the clear.
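The design this answer prefers, as an added example (not code from the original page): per-user random salts with PBKDF2-HMAC-SHA256 from the standard library, constant-time verification, and a reset flow that stores only a hash of a single-use, expiring token so the database never holds anything that gives a password back. The iteration count, record format, and TTL are assumptions for illustration; the `UserStore` class is a stand-in for a real user database.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 600_000      # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware
RESET_TTL_SECONDS = 900   # assumed lifetime of a reset token


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt per user means equal passwords give different records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. The stored iteration count lets old records be upgraded later."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


# Hashed once at import so an unknown username costs the same work as a bad password.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


class UserStore:
    """Hypothetical in-memory user database for this example."""

    def __init__(self):
        self.users = {}    # username -> password record (never the password)
        self.resets = {}   # sha256(token) -> (username, expiry timestamp)

    def create(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        record = self.users.get(username, _DUMMY_RECORD)
        ok = verify_password(password, record)
        return ok and username in self.users

    def start_reset(self, username, now=None):
        """Issue a reset token to deliver out of band; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self.resets[key] = (username, (now or time.time()) + RESET_TTL_SECONDS)
        return token

    def finish_reset(self, token, new_password, now=None):
        """Consume the token (single use), reject it if expired, then re-hash."""
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self.resets.pop(key, None)
        if entry is None:
            return False
        username, expires = entry
        if (now or time.time()) > expires:
            return False
        self.users[username] = hash_password(new_password)
        return True
```

Support staff can trigger `start_reset` and hand the user the token through a verified channel, but nothing in `users` or `resets` can be turned back into a password, which is the property the reversible-encryption proposal lacks.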


Question 5

Topic: vulnerability management

A scanner reports a critical internet-facing vulnerability on a production system. What should the team do first?

  • A. Wait for the next annual maintenance window
  • B. Confirm exposure, asset criticality, exploitability, compensating controls, and remediation or mitigation priority
  • C. Patch every low-risk internal system first
  • D. Turn off all scanning tools

Best answer: B

Explanation: Vulnerability response should be risk-based. Internet exposure, exploitability, asset value, and compensating controls determine urgency.


Question 6

Topic: secure configuration

An administrator deploys a new server with default credentials, unused services, and no baseline hardening. What should happen before production use?

  • A. Publish the default credentials in a runbook
  • B. Open all ports to simplify testing
  • C. Skip hardening because the server is new
  • D. Apply a secure baseline, remove or disable unnecessary services, change defaults, and verify logging

Best answer: D

Explanation: New systems should be hardened before production. Default credentials and unnecessary services create preventable attack paths.


Question 7

Topic: segmentation

Payment systems and general office workstations currently share one flat network. What is the most useful control direction?

  • A. Segment sensitive systems, restrict allowed flows, and monitor cross-segment access
  • B. Put all systems in the same subnet for convenience
  • C. Disable authentication between systems
  • D. Allow workstation-to-payment-system access by default

Best answer: A

Explanation: Segmentation reduces lateral movement and limits exposure. Sensitive systems should have restricted, monitored access paths.


Question 8

Topic: phishing response

A user reports entering credentials into a suspicious login page. What should happen next?

  • A. Congratulate the user and close the ticket
  • B. Delete the report because the user made a mistake
  • C. Reset or revoke credentials, review sign-in activity, preserve indicators, and check for similar reports
  • D. Tell everyone to stop using email permanently

Best answer: C

Explanation: Phishing response should protect the account, preserve evidence, and assess scope. Blaming the user does not reduce risk.


Question 9

Topic: incident escalation

A workstation shows suspicious PowerShell execution, outbound connections, and credential-access alerts. What is the best escalation posture?

  • A. Treat it as normal user behavior until month-end
  • B. Escalate as a potential incident, isolate if approved by procedure, and preserve evidence
  • C. Reimage immediately without recording evidence
  • D. Disable all monitoring tools

Best answer: B

Explanation: Multiple suspicious indicators justify incident escalation. Response should follow procedure and preserve evidence for scope analysis.


Question 10

Topic: backups

Ransomware encrypted a file server and the backup share because it was writable from the same compromised account. What control would have reduced impact?

  • A. Larger disks on the file server
  • B. A longer hostname
  • C. No backup testing
  • D. Isolated, immutable, or access-controlled backups with restore testing

Best answer: D

Explanation: Backups must be protected from the same compromise path as production data. Restore testing proves recovery is possible.


Question 11

Topic: authentication

A remote-access portal still accepts password-only login for privileged administrators. What control is most appropriate?

  • A. Require strong multi-factor authentication and restrict privileged access paths
  • B. Increase the password length but keep password-only access forever
  • C. Disable logging for administrators
  • D. Allow a shared administrator account

Best answer: A

Explanation: Privileged remote access should require stronger authentication and careful access control. Shared or password-only admin access creates high risk.


Question 12

Topic: risk prioritization

Two findings compete for remediation: a low-severity internal issue and a critical unauthenticated vulnerability on an internet-facing server. Which should usually be prioritized?

  • A. The low-severity issue because it is easier
  • B. Neither, because vulnerabilities are only theoretical
  • C. The critical internet-facing exposure, while tracking the internal issue
  • D. Whichever system owner replies first

Best answer: C

Explanation: Prioritization should consider severity, exposure, exploitability, and business impact. Internet-facing critical issues usually warrant faster action.
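A worked version of the risk-based prioritization that Question 5 and Question 12 both describe, as an added example (not from the original page and not an official scoring model): each finding is scored from severity, exposure, authentication requirement, exploit availability, asset criticality, and any compensating controls, then mapped to a priority tier with a remediation window. The weights, tiers, and SLA days are an assumed illustrative rubric; the sample findings are constructed.

```python
# Illustrative weights (assumptions for this example, not a published standard).
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.6}
# A compensating control only discounts urgency; it never removes the finding.
MITIGATION_FACTOR = {"waf_rule": 0.7, "network_acl": 0.5, "not_reachable": 0.2}

# Constructed sample findings.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "exposure": "internet", "auth_required": False,
     "exploit_available": True, "asset_criticality": "high", "compensating_controls": []},
    {"id": "F-2", "severity": "low", "exposure": "internal", "auth_required": True,
     "exploit_available": False, "asset_criticality": "medium", "compensating_controls": []},
    {"id": "F-3", "severity": "critical", "exposure": "internet", "auth_required": False,
     "exploit_available": True, "asset_criticality": "high",
     "compensating_controls": ["not_reachable"]},   # scanner says critical, ACL confirms unreachable
    {"id": "F-4", "severity": "high", "exposure": "internet", "auth_required": True,
     "exploit_available": False, "asset_criticality": "medium", "compensating_controls": []},
]


def score(finding):
    """Multiply the base severity by exposure, exploitability and asset factors,
    then discount for verified compensating controls."""
    s = SEVERITY_WEIGHT[finding["severity"]]
    s *= 2.0 if finding["exposure"] == "internet" else 1.0
    s *= 1.5 if not finding["auth_required"] else 1.0
    s *= 1.5 if finding["exploit_available"] else 1.0
    s *= CRITICALITY_WEIGHT[finding["asset_criticality"]]
    for control in finding.get("compensating_controls", []):
        s *= MITIGATION_FACTOR.get(control, 1.0)
    return round(s, 2)


def tier(s):
    """Map a score to (priority, assumed SLA in days)."""
    if s >= 30:
        return ("P1", 1)
    if s >= 15:
        return ("P2", 7)
    if s >= 5:
        return ("P3", 30)
    return ("P4", 90)


def prioritize(findings):
    """Return findings annotated with score/tier/sla_days, highest risk first.
    Nothing is dropped: low-priority items stay on the list for tracking."""
    ranked = []
    for f in findings:
        s = score(f)
        priority, days = tier(s)
        ranked.append({**f, "score": s, "tier": priority, "sla_days": days})
    return sorted(ranked, key=lambda r: (-r["score"], r["id"]))


if __name__ == "__main__":
    for r in prioritize(FINDINGS):
        print(r["id"], r["tier"], r["score"], "days:", r["sla_days"])
```

F-1 and F-3 carry the same scanner rating; only the verified "not reachable" control separates a same-day fix from a tracked item, which is why the answer to Question 5 starts with confirming exposure rather than with the scanner's severity label.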

Quick readiness checklist

If you miss...                                      Drill this next
questions about one control solving everything      layered security and compensating controls
identity and account questions                      least privilege, service accounts, MFA, and monitoring
incident questions                                  triage, containment, evidence, and escalation
vulnerability questions                             exposure, exploitability, asset criticality, and remediation priority
Revised on Monday, May 18, 2026