GDSA Practice Questions: Fundamental Security Architecture Concepts Domain
Test your GDSA knowledge with 10 practice questions from the Fundamental Security Architecture Concepts domain. Includes detailed explanations and answers.
GDSA Practice Questions
Master the Fundamental Security Architecture Concepts Domain
Test your knowledge in the Fundamental Security Architecture Concepts domain with these 10 practice questions. Each question is designed to help you prepare for the GDSA certification exam with detailed explanations to reinforce your learning.
Question 1
A healthcare enterprise cannot redesign its entire environment this year. The architect must choose where limited funding will produce the largest immediate reduction in enterprise risk. One option protects general employee workstations uniformly. Another option hardens and tightly controls the administrative path used to manage the electronic health record platform and its supporting servers. Which choice is best?
Correct Answer: A
Correct answer (A): When resources are constrained, defensible architecture should prioritize the paths and systems whose compromise would create the greatest impact. Securing the administrative path to high-value clinical systems yields more immediate enterprise risk reduction than spreading the same controls evenly across lower-value assets. This reflects asset criticality, trust-boundary awareness, and risk-based prioritization.
Why the other options are wrong:
- Option B: Uniform treatment may appear consistent, but it ignores asset criticality and the outsized risk of privileged paths into the most sensitive environment.
- Option C: Waiting for perfect uniformity delays risk reduction on the most important systems and is inconsistent with constrained, risk-based architecture planning.
- Option D: Guest networks can matter, but the scenario makes clear that the administrative path to the electronic health record platform is the more consequential target.
Question 2
An enterprise can fund only one of the following improvements this quarter. The current environment already has reasonable blocking controls, but investigations are slow because defenders lack useful telemetry when attackers use approved tools and valid credentials. Which investment best improves the architecture based on that gap?
Correct Answer: A
Correct answer (A): The scenario identifies a detection and investigation weakness, not a primary prevention gap. In a defensible architecture, prevention, detection, and response must be balanced. Adding telemetry at key control points helps validate existing controls, reveals abuse of trusted channels or approved tools, and improves investigation and response when attackers bypass blocking controls or use legitimate credentials.
Why the other options are wrong:
- Option B: Another blocking layer may be helpful in a different scenario, but it does not address the stated problem: poor visibility and slow investigations after suspicious activity occurs.
- Option C: Periodic testing is useful, but it does not provide the ongoing telemetry needed to detect and investigate real attacks in daily operations.
- Option D: Password improvements can reduce some risk, but the scenario already states that attackers may use valid credentials, making visibility and response capability more important here.
Question 3
A leadership team plans to buy a new MFA-enabled remote access gateway and announce that the organization has "completed Zero Trust." The environment includes remote users, internal applications, and cloud-hosted workloads with different sensitivity levels. Which response from the security architect is best?
Correct Answer: B
Correct answer (B): Zero Trust is an architectural model, not a single product purchase or a gateway upgrade. MFA is valuable, but it only strengthens one part of the access process. In an environment with remote users, internal applications, and cloud workloads, defensibility still requires explicit access decisions close to resources, continuous verification, and reduced implicit trust after initial login. The architect should correct the leadership assumption that gateway MFA alone means the organization has finished Zero Trust.
Why the other options are wrong:
- Option A: This reflects a perimeter-era assumption that once a user passes one check, the rest of the environment can be broadly trusted. That is the opposite of the architectural idea being tested.
- Option C: Stronger authentication helps, but Zero Trust is not completed by edge authentication alone. It also requires access policy, trust reduction, and verification throughout the environment.
- Option D: Endpoint and perimeter controls are useful, but they do not eliminate the need for architectural trust decisions across users, workloads, and data.
Question 4
A healthcare provider wants to deploy network segmentation and data loss controls around medication, imaging, and billing systems. During planning, application owners cannot clearly identify which devices communicate with those systems or which shared services they depend on. What should the security architect prioritize first to reduce the risk of a failed rollout?
Correct Answer: B
Correct answer (B): Segmentation and data-centric controls fail when architects do not understand what systems exist, how they communicate, and which dependencies are critical to operations. Establishing asset inventory, business criticality, trust boundaries, and traffic flows is the defensible prerequisite because it reduces outage risk and improves later control placement.
Why the other options are wrong:
- Option A: Learning through outages is risky and especially poor practice in healthcare environments with sensitive operational dependencies.
- Option C: DLP alerts can supplement understanding, but they are not a substitute for foundational asset and dependency mapping.
- Option D: Perimeter sensors do not solve the internal planning problem for segmentation and data protection.
Question 5
An enterprise has invested heavily in preventive controls such as firewalls, web filtering, and malware blocking. During a recent incident, responders could not determine whether a suspicious login had led to internal misuse because authentication logs were incomplete, endpoint telemetry was inconsistent, and flow records were missing from key segments. The CISO wants the next investment to make the architecture more defensible without replacing existing prevention controls. What should the security architect prioritize?
Correct Answer: B
Correct answer (B): Prevention-only architectures are brittle because some attacks will bypass preventive controls. The failure described here is a visibility and response problem: responders lacked the evidence needed to determine what happened after suspicious access occurred. The most defensible next step is to improve complementary telemetry across identity, endpoints, applications, and network flows, then connect that data to investigation and response workflows. That adds detection depth without discarding existing preventive investments.
Why the other options are wrong:
- Option A: More prevention at the edge does not solve the problem described in the incident, which was the inability to determine what happened after suspicious access occurred.
- Option C: Outbound filtering can help in some cases, but it does not address the architectural problem of incomplete evidence across identity, endpoint, and internal traffic sources.
- Option D: A single control point is not the goal of defensible architecture. The scenario specifically shows the need for broader, layered telemetry rather than concentrating everything in one place.
Question 6
A manufacturer has strong perimeter firewalls and web filtering, but its internal user network is largely flat. After a help desk laptop was compromised, the attacker used normal internal access to reach a finance file server. The security architect is asked to reduce blast radius for finance systems this quarter without redesigning the entire enterprise. Which change is the most defensible first step?
Correct Answer: A
Correct answer (A): The main problem is not internet ingress but post-compromise lateral movement inside a flat network. Segmenting finance systems creates a meaningful internal trust boundary, restricts reachable paths, and adds visibility where the attack actually occurred. That is a defensible first-phase improvement because it reduces blast radius without requiring a full redesign and balances prevention with monitoring.
Why the other options are wrong:
- Option B: A newer perimeter firewall mainly improves north-south control. It does little to stop a compromised internal endpoint from reaching finance systems.
- Option C: Stronger passwords may help in some cases, but they do not fix the architectural issue of broad internal reachability from user devices.
- Option D: A WAF protects public web applications, not internal file-server access from a compromised workstation.
Question 7
An enterprise wants to redesign internal segmentation and improve monitoring, but the security team cannot clearly identify which systems store regulated data or which application flows are business-critical. Before selecting major control changes, what is the most defensible next step?
Correct Answer: A
Correct answer (A): Architects cannot rationally segment, monitor, or prioritize protection without understanding what the important assets are and how they communicate. Asset and data-flow mapping is the foundational step that lets the organization define trust boundaries, identify crown jewels, choose sensible enforcement points, and avoid breaking business-critical dependencies. Trying to infer importance from alerts or buying controls first reverses the design sequence and increases the chance of poor placement.
Why the other options are wrong:
- Option B: More sensors may add visibility, but they are not a substitute for understanding business-critical assets and dependencies before redesigning segmentation.
- Option C: A default-deny posture can be useful when carefully engineered, but applying it blindly without dependency mapping is operationally risky and not the best first step here.
- Option D: Buying a platform before identifying assets and flows reverses the logical design sequence and risks poor control placement.
Question 8
A phishing attack led to the compromise of a finance user's credentials. The attacker used allowed internal connections to reach a shared application tier and then attempted to access payroll systems. The current design has VLAN-based segmentation, but access decisions within those segments are broad and monitoring at internal boundaries is limited. The architect must recommend the best change to reduce similar future lateral movement. What is the best recommendation?
Correct Answer: A
Correct answer (A): The lesson from the incident is not simply that phishing occurred; it is that a compromised identity could traverse permissive internal pathways toward a sensitive system. VLANs alone do not provide strong defensibility when policy inside those segments is broad and poorly monitored. The best architectural improvement is to place payroll systems and their administrative paths behind tighter access controls and add authentication and traffic monitoring at those boundaries. That combination reduces blast radius and improves the chance of detecting misuse of allowed paths.
Why the other options are wrong:
- Option B: Better email filtering may reduce some initial compromises, but it does not address the observed internal movement once credentials are stolen.
- Option C: A separate IP range without meaningful policy improvement preserves the same broad trust problem and does not materially improve detection.
- Option D: Password rotation alone does not correct weak internal trust boundaries or improve the organization's ability to detect misuse of allowed pathways.
Question 9
A CIO says the company already has defense-in-depth because it owns a firewall, web filter, endpoint tool, and DLP product. A security architect reviewing recent incidents finds that these tools operate independently, cover different asset scopes inconsistently, and do not support each other when one fails. Which response best reflects sound architecture judgment?
Correct Answer: A
Correct answer (A): Defense-in-depth is not the mere presence of multiple products. It is the intentional placement of complementary controls across layers so that failure or bypass of one control does not create total compromise. The right architectural response is to redesign coverage around important assets, access paths, and supporting telemetry so the layers reinforce each other.
Why the other options are wrong:
- Option B: Owning multiple tools does not guarantee layered defense if the tools are misaligned, inconsistently deployed, or unable to support detection and response when bypassed.
- Option C: An integrated platform may simplify operations, but it does not automatically create defensible architecture and may even increase single-point dependency if used as the only answer.
- Option D: Perimeter centralization can be useful, but relying mainly on the edge contradicts the need to protect assets internally and assume compromise is possible.
Question 10
An organization has begun encrypting most east-west application traffic. Security leadership now worries that the team will lose visibility into unusual internal movement toward a high-value HR system. The architect wants the best monitoring improvement for this environment without decrypting every internal session. What should be prioritized?
Correct Answer: B
Correct answer (B): Encryption changes what can be inspected, but it does not remove the need for strong visibility planning. In encrypted east-west environments, architects should rely on complementary telemetry rather than expecting payload inspection to answer everything. Flow data can show unusual paths and connection patterns, authentication logs can reveal abnormal account use, and endpoint telemetry can expose suspicious host behavior. Together, those sources provide useful monitoring around a high-value system even without decrypting every internal session.
Why the other options are wrong:
- Option A: Payload inspection remains useful where possible, but relying mainly on it leaves major blind spots in an environment where east-west traffic is increasingly encrypted.
- Option C: Vulnerability scans help identify exposures, but they are not a primary monitoring source for detecting live internal misuse or movement.
- Option D: DNS logs can support investigations, but they do not provide sufficient coverage for internal movement toward a specific HR system, especially if the movement stays inside trusted networks.
Ready to Accelerate Your GDSA Preparation?
Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.
- ✓ Unlimited practice questions across all GDSA domains
- ✓ Full-length exam simulations with real-time scoring
- ✓ AI-powered performance tracking and weak area identification
- ✓ Personalized study plans with adaptive learning
- ✓ Mobile-friendly platform for studying anywhere, anytime
- ✓ Expert explanations and study resources
About GDSA Certification
The GDSA certification validates your expertise in fundamental security architecture concepts and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.