Free GSEC Practice Questions

10 free, exam-style GIAC Security Essentials (GSEC) practice questions with answers and explanations. No signup required. Work through them below, then take the full free GSEC practice test to study every exam domain.

Question 1

A security analyst is reviewing a pcap file and notices a series of TCP SYN packets sent to a single host on ports 21, 22, 23, 25, 80, 110, 143, 443, 993, and 3389 in rapid succession. Each SYN receives either a SYN-ACK or RST response. What activity does this MOST likely represent?

  A. A brute force login attack targeting multiple services
  B. A TCP port scan to identify open services
  C. Normal web browsing activity
  D. A denial-of-service attack against the target host

Correct answer: B - A TCP port scan to identify open services

Question 2

An MFA push notification is sent to an employee's phone, but the employee did not initiate a login attempt. Someone repeatedly sends push notifications hoping the user will approve one by accident. What is this attack called?

  A. Credential stuffing
  B. Password spraying
  C. MFA fatigue / push bombing
  D. Brute force attack

Correct answer: C - MFA fatigue / push bombing

Question 3

A user is logged into their bank's website. They then visit a malicious page that contains a hidden form that automatically submits a fund transfer request to the bank using the user's authenticated session. What type of attack is this?

  A. Cross-Site Scripting (XSS) with session hijacking
  B. Session hijacking through cookie manipulation
  C. Cross-Site Request Forgery (CSRF)
  D. Clickjacking with iframe overlay techniques

Correct answer: C - Cross-Site Request Forgery (CSRF)

Question 4

A SIEM correlation rule detects that a user account logged in from New York at 9:00 AM and then from London at 9:15 AM. What type of detection is this?

  A. Brute force attack pattern detection
  B. Impossible travel / geographic anomaly detection
  C. Unauthorized privilege escalation detection
  D. Suspicious data exfiltration detection

Correct answer: B - Impossible travel / geographic anomaly detection

Question 5

In practice, most encrypted communications use a hybrid approach. How does hybrid encryption work?

  A. Two symmetric keys are used simultaneously
  B. Asymmetric encryption exchanges symmetric keys for data encryption
  C. Only hashing is used for encryption and authentication
  D. Symmetric encryption handles key exchange, asymmetric handles data

Correct answer: B - Asymmetric encryption exchanges symmetric keys for data encryption

Question 6

A shared folder has Share permissions set to Read for a user, but NTFS permissions grant Modify. When the user accesses the folder over the network, what is their effective permission?

  A. Modify permissions apply
  B. Read permissions apply
  C. Full Control permissions apply
  D. No access permissions apply

Correct answer: B - Read permissions apply

Question 7

A security analyst sees 500 Event ID 4625 entries (failed logons) from the same source IP within 10 minutes in the Security log, followed by a single Event ID 4624 (successful logon). What does this sequence MOST likely indicate?

  A. Normal user activity with a forgotten password
  B. A successful brute force attack
  C. A scheduled task running with incorrect credentials
  D. A firewall misconfiguration causing authentication errors

Correct answer: B - A successful brute force attack

Question 8

A Windows server's Security log shows Event ID 4720 (user account created) at 3:00 AM by the local Administrator account, followed by Event ID 4732 (member added to Administrators group) for the newly created account. No authorized changes were scheduled. What does this suggest?

  A. Normal automated account provisioning
  B. An attacker created a backdoor account
  C. A scheduled Windows Update process
  D. Active Directory replication activity

Correct answer: B - An attacker created a backdoor account

Question 9

An attacker gains shell access as the 'www-data' user (web server account). They find a SUID binary '/usr/local/bin/backup' owned by root with a known buffer overflow vulnerability. What can the attacker potentially achieve?

  A. Nothing - web users cannot execute binaries
  B. Privilege escalation to root
  C. Only reading backup files
  D. Automatic account lockout

Correct answer: B - Privilege escalation to root

Question 10

Running a Docker container as root (--privileged or user root inside the container) is a security risk because:

  A. Root containers consume excessive system resources
  B. Container compromise can lead to host system privilege escalation
  C. Root containers lose network connectivity capabilities
  D. Root containers expose sensitive data to other processes

Correct answer: B - Container compromise can lead to host system privilege escalation
