GDSA Practice Questions: Zero Trust Endpoints and Host Hardening Domain

Correct answer (A): Host-based firewalls are especially valuable when network segmentation is incomplete or can be bypassed. In this case, the attacker moved laterally across peer workstations within the same internal segment, so blocking unnecessary inbound east-west traffic at the endpoint is the most direct and effective containment measure available now.

Why the other options are wrong:
- Option B: Perimeter filtering mainly affects north-south traffic and does not address peer-to-peer movement inside the same internal VLAN.
- Option C: Antivirus can help with initial malware detection, but it does not directly limit the lateral movement channels described in the scenario.
- Option D: Additional authentication at unlock may improve user assurance, but it does not block unwanted inbound workstation-to-workstation traffic.

Correct answer (B): The best design is automated, policy-driven patch deployment that still works for remote or intermittently connected devices. The scenario explicitly identifies missed maintenance cycles as the main weakness, so the architecture must reach roaming endpoints directly, measure compliance, and catch them up when they reconnect. That reduces exploit exposure more effectively than manual or VPN-dependent processes.

Why the other options are wrong:
- Option A: Requiring VPN first keeps patching dependent on user behavior and tunnel availability, which is the problem the organization is already facing.
- Option C: Detection can help after exploitation, but it does not reduce the known exposure window created by delayed patching.
- Option D: Manual verification and ticketing do not scale well and are less defensible than enforceable, policy-driven patching across the fleet.

Correct answer (B): Zero Trust endpoint strategy does not treat VPN connectivity or internal network presence as proof that a device should be trusted. The better design evaluates both identity and device posture and continuously revalidates access decisions. That directly addresses the risk shown here: a real user credential was used from an endpoint that should not have been granted broad trust.

Why the other options are wrong:
- Option A: Stronger passwords do not address the core architectural flaw of granting broad trust based on VPN presence rather than device posture and continuous verification.
- Option C: Reauthenticating the tunnel more often still leaves the organization relying on VPN presence as the trust boundary.
- Option D: Using corporate DNS does not provide meaningful assurance that the endpoint is appropriately patched or otherwise trustworthy.

Correct answer (A): Zero Trust endpoint decisions should include both identity and device security posture. Managed devices provide greater confidence in patching, configuration, logging, and incident response support, so they can appropriately receive broader access. Unmanaged devices should not receive equivalent trust simply because the user authenticated successfully or came from an expected location.

Why the other options are wrong:
- Option B: VPN and MFA strengthen authentication and transport, but they do not establish equal device trust between managed and unmanaged endpoints.
- Option C: Awareness training does not provide assurance of patch status, configuration, logging coverage, or response capability on personal devices.
- Option D: Source location is not a reliable basis for endpoint trust and conflicts with Zero Trust principles described in the scenario.

Correct answer (A): The best design is the one that combines host-based protection with centralized telemetry. HIDS/HIPS-style controls can prevent or detect suspicious behavior on the endpoint, but without enterprise collection and analysis of those events, the organization cannot effectively build detections, hunt across systems, or scope incidents at scale. Centralized endpoint visibility is not interchangeable with network telemetry because host data exposes process execution, privilege escalation, persistence, and user context that network tools often cannot see directly.

Why the other options are wrong:
- Option B: Network data is valuable, but it does not replace the host context needed for process execution, persistence, and local privilege abuse analysis.
- Option C: Monthly reviews are too slow and too indirect for detection engineering or incident scoping. They do not provide timely operational telemetry.
- Option D: Per-device review does not scale to 20,000 endpoints and would significantly hinder detection, triage, and organization-wide scoping.

Correct answer (A): Removing unnecessary local administrator rights is the best answer because it directly limits the ability of malware or users to install software, tamper with security settings, and establish durable persistence. In this scenario, the attack succeeded because excessive privileges allowed endpoint changes after compromise. A defensible endpoint architecture reduces default privilege and uses controlled elevation or approved software deployment for legitimate exceptions rather than trusting users to act safely.

Why the other options are wrong:
- Option B: MFA strengthens authentication, but it does not stop malware from abusing existing local administrator rights after the user is already logged in.
- Option C: Network vulnerability scanning may improve awareness, but it does not remove the endpoint privilege that enabled the malware to make local changes.
- Option D: Alerting on software installation is useful for detection, but it is weaker than preventing broad admin access in the first place.

Correct answer (B): HIDS/HIPS improves host-level prevention and visibility, but its value drops sharply at enterprise scale when alerts remain only on local systems. Centralized endpoint telemetry with retention and alerting gives analysts the ability to detect privilege abuse, suspicious processes, persistence, and post-compromise behavior across the environment. That is the specific gap described in the incident review.

Why the other options are wrong:
- Option A: Hardening is useful, but removing or ignoring centralized host visibility makes investigations and response weaker, not stronger.
- Option C: Manual weekly review is too slow and incomplete for active intrusions and does not solve the problem of fragmented, short-lived endpoint evidence.
- Option D: Network IDS can miss critical host events such as privilege abuse, process execution, and persistence that endpoint telemetry is designed to capture.

Correct answer (B): Remote endpoints often bypass internal monitoring, so network-only visibility is insufficient for defensible architecture. Host-based telemetry with centralized endpoint log collection provides direct evidence of process execution, authentication events, configuration changes, and persistence activity regardless of user location. This improves both detection and investigation quality and makes the environment more response-ready.

Why the other options are wrong:
- Option A: Tuning internal IDS may help some VPN traffic, but it still misses host events that occur off-network or are invisible to network-only monitoring.
- Option C: Forcing periodic office connectivity is not a scalable security architecture and does not provide continuous visibility.
- Option D: Asset inventory is useful, but it does not provide the event-level detection and investigation data needed for suspicious endpoint changes.

Correct answer (A): Host firewalls provide local traffic enforcement wherever the device operates, including home, hotel, and other untrusted networks. They also help control east-west communication that may bypass traditional perimeter controls. In a hybrid workforce, centrally enforced host firewall policy is a direct answer to the problem of laptops accepting unnecessary connections outside corporate network boundaries.

Why the other options are wrong:
- Option B: VPN may route some corporate traffic, but it does not inherently block unnecessary local inbound traffic when the laptop is on untrusted networks.
- Option C: More perimeter firewalls help only when traffic crosses headquarters boundaries; they do not protect laptops operating away from the office.
- Option D: Scanning can identify weaknesses, but it does not provide the local traffic enforcement needed to reduce the current exposure.

Correct answer (A): Broad local administrator rights make it much easier for attackers to disable controls, dump credentials, install persistence, and move laterally after initial compromise. In this scenario, the best architectural improvement is to remove that broad privilege while preserving narrowly scoped elevation for the small number of real business exceptions. That reduces attacker capability without requiring the organization to wait for full application replacement.

Why the other options are wrong:
- Option B: MFA strengthens authentication, but it does not prevent malicious code on a compromised endpoint from abusing local administrator rights or disabling controls.
- Option C: Signature updates and scans are useful, but they do not address the core problem that excessive privilege allows attackers to tamper with defenses and escalate impact.
- Option D: A stricter VPN segment may reduce some exposure when devices are connected, but it does not solve the local privilege problem that enabled control tampering and credential theft.