Free GDSA Quick Practice Test — 10 Questions Across All 8 Domains
This free GDSA quick-start practice test includes 10 mixed-domain questions sampled from the FlashGenius GDSA question bank. Perfect for a fast readiness check before committing to full-length mock exams.
What's on This GDSA Quick Test?
10 Free GDSA Quick Start Practice Questions
Each question below includes 4 answer options, the correct answer, and a detailed explanation drawn directly from the FlashGenius GDSA question bank.
Sample Question 1 — Cloud-Based and Hybrid Security Architecture
A retailer lifted a claims-processing application from on-premises virtual machines into an IaaS environment. A review found the cloud instances are still unpatched, security rules are overly broad, and workload logs are not being collected. Operations argues that because the application is now in the cloud, the provider owns server security. The application cannot be rewritten this quarter. What is the best architecture decision to close the most important gap?
- A. Rely on provider-managed infrastructure controls and focus on application fixes and user training.
- B. Add a perimeter firewall to the cloud subnet and defer host, identity, and logging work.
- C. Establish customer-managed patching, network controls, IAM, and centralized logging for the IaaS instances. (Correct answer)
- D. Plan a future move to SaaS so the provider will own server security and monitoring immediately.
Correct answer: C
Explanation: Correct answer (C): In IaaS, the provider secures the underlying infrastructure, but the customer still owns major responsibilities including guest OS patching, workload configuration, network controls, identity, and logging. The current gap is not the cloud platform itself but the missing customer-managed security baseline. Establishing patching, tighter access control, and centralized logging improves both prevention and detection without requiring application refactoring.
Why the other options are wrong:
- Option A: This repeats the shared-responsibility mistake in the stem. Provider-managed infrastructure does not remove customer responsibility for instance hardening, access control, and telemetry in IaaS.
- Option B: A subnet firewall may help with some north-south filtering, but it does not solve the unpatched hosts, broad trust relationships, or missing workload logs. It is too narrow for the stated problem.
- Option D: A future SaaS move may change responsibility boundaries later, but it does nothing to reduce the present risk in the current IaaS deployment.
Sample Question 2 — Cloud-Based and Hybrid Security Architecture
A manufacturer migrated a three-tier legacy application into cloud IaaS and connected it to on-premises shared services. To speed migration, the team preserved broad allow rules across peered cloud networks and the data center. The application cannot be refactored this year, but leadership wants to reduce lateral movement if one workload is compromised. Which architecture change is best?
- A. Require MFA for application users and keep the current east-west trust model.
- B. Implement workload-based segmentation between tiers and limit peering, routes, and security rules to required flows. (Correct answer)
- C. Deploy a larger internet-edge firewall and keep internal cloud networks broadly reachable.
- D. Mirror all traffic to monitoring tools and postpone segmentation until refactoring is complete.
Correct answer: B
Explanation: Correct answer (B): The primary weakness is preserved east-west trust across hybrid networks, not user authentication or internet-edge filtering. In hybrid lift-and-shift environments, broad peering, routes, and security rules can allow a compromised workload to pivot widely. Workload-based segmentation that allows only required flows is the best architectural control because it reduces attack paths now, even when the legacy application cannot yet be redesigned.
Why the other options are wrong:
- Option A: MFA for users is useful, but it does not contain workload-to-workload movement after a server compromise. The stated goal is lateral movement reduction inside the hybrid estate.
- Option C: A bigger edge firewall mainly addresses north-south exposure. It does not fix the broad internal trust relationships that are enabling hybrid lateral movement.
- Option D: Additional monitoring helps detection, but leaving segmentation unchanged preserves the attack path. The question asks for the best architecture change to reduce movement, not only observe it.
Sample Question 3 — Data Discovery, Governance, Mobility, and Data-Centric Security
A manufacturer has had several recent data leaks through email attachments and USB copies. Leadership wants the security team to deploy broad DLP controls immediately, but the team does not yet know which files contain sensitive data, where those files reside, or which business processes move them. What is the best first architectural step?
- A. Conduct data discovery and flow mapping, classify sensitive data, and then tune channel-specific DLP policies (Correct answer)
- B. Deploy network egress DLP immediately and block large outbound transfers until classifications mature
- C. Encrypt all file shares immediately and defer formal classification until incident volume decreases
- D. Add a reverse proxy for collaboration tools and tune upload alerts before labeling the data
Correct answer: A
Explanation: Correct answer (A): DLP policy quality depends on knowing which data is sensitive, where it resides, and how it moves. The most defensible first step is to discover and classify the data, map its flows, and then apply DLP policies by channel. That sequencing improves detection accuracy, aligns controls to real business workflows, and reduces disruption from poorly targeted blocking.
Why the other options are wrong:
- Option B: Network egress DLP can help, but deploying it before classification usually creates noisy or incomplete policies and misses non-network channels such as endpoint actions.
- Option C: Encryption is useful for confidentiality, but it does not identify sensitive content, define business rules, or replace classification and DLP policy design.
- Option D: A reverse proxy may improve visibility for one channel, but it does not solve the broader problem of unknown data locations, unknown sensitivity, and multiple leakage paths.
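The sequencing in option A (discover, classify, then tune DLP by channel) is easier to judge once you see what a discovery pass actually decides. The Python below is an added example written for this page; it is not code from the original practice test or the FlashGenius question bank. It scans a few constructed sample files for SSN, payment card and e-mail patterns, validates card-number candidates with the Luhn check so arbitrary digit runs do not become false positives, assigns each file a classification tier, and reports which business areas hold restricted data and therefore need channel-specific DLP policy first. The file paths, contents, tier names and the assumption that the top-level directory identifies the owning business area are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample corpus (path -> content); these are not real records.
SAMPLE_FILES = {
    "finance/q3_payments.csv": "cardholder,pan\nA. Smith,4111111111111111\nB. Jones,5500000000000004\n",
    "hr/onboarding.txt": "New hire SSN 123-45-6789, contact jane@example.com",
    "eng/notes.md": "Ticket 4111 1111 1111 1112 looks like a card number but fails Luhn.",
    "marketing/draft.txt": "Launch copy for the spring campaign.",
}

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-19 digits with optional space/dash separators; only a Luhn-valid run counts as a PAN
    "pan": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_content(text: str) -> dict:
    """Count validated findings per data type in one document."""
    found = Counter()
    found["ssn"] += len(PATTERNS["ssn"].findall(text))
    found["email"] += len(PATTERNS["email"].findall(text))
    for m in PATTERNS["pan"].finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["pan"] += 1
    return {k: v for k, v in found.items() if v}


def classify(findings: dict) -> str:
    """Map findings to a tier (assumed for the example): regulated identifiers are
    restricted, contact data is internal, everything else is public."""
    if findings.get("pan") or findings.get("ssn"):
        return "restricted"
    if findings.get("email"):
        return "internal"
    return "public"


def discover(files: dict) -> dict:
    """Discovery pass: where sensitive data lives and how each file should be labelled."""
    report = {}
    for path, content in files.items():
        findings = scan_content(content)
        report[path] = {"findings": findings, "classification": classify(findings)}
    return report


def restricted_owners(report: dict) -> set:
    """Business areas (top-level directory, an assumption for the example) holding restricted data."""
    return {path.split("/")[0] for path, r in report.items() if r["classification"] == "restricted"}


if __name__ == "__main__":
    rep = discover(SAMPLE_FILES)
    for path, r in rep.items():
        print(f"{path:28} {r['classification']:10} {r['findings']}")
    print("Tune DLP for these areas first:", sorted(restricted_owners(rep)))
```

The Luhn step is the part worth copying: without it, the note in `eng/notes.md` would be flagged as a card number and the DLP policy built on the scan would block engineering traffic for nothing, which is exactly the "noisy or incomplete policies" problem option B runs into.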
Sample Question 4 — Data Discovery, Governance, Mobility, and Data-Centric Security
A healthcare organization stores regulated records in on-premises databases accessed by both application service accounts and database administrators. The security team needs better visibility into queries, privileged actions, and unusual access patterns for investigations, but the database owners do not want a new inline control that could affect availability. Which control is the best fit?
- A. Implement database activity monitoring to log queries, privileged actions, and anomalous access patterns (Correct answer)
- B. Implement a database firewall to block unexpected database commands before they reach the server
- C. Implement email DLP to inspect attachments leaving the user mail system for regulated content
- D. Implement a reverse proxy to mediate user access to the web application before login
Correct answer: A
Explanation: Correct answer (A): Database activity monitoring is designed to provide visibility into database queries, access patterns, privileged actions, and anomalous behavior. It supports detection and investigation without making inline enforcement the primary architectural goal. That aligns with the requirement for visibility and forensic value while minimizing operational risk to database availability.
Why the other options are wrong:
- Option B: A database firewall is focused on policy enforcement for database traffic and query behavior. It may be valuable in other cases, but it is not the best match when the primary goal is visibility without adding inline dependency.
- Option C: Email DLP addresses one exfiltration channel, not direct visibility into database queries, privileged behavior, or application-driven access.
- Option D: A reverse proxy can help with web application access patterns, but it does not provide the database-level visibility requested in the scenario.
Sample Question 5 — Fundamental Security Architecture Concepts
A manufacturing company has strong internet perimeter filtering, but once an attacker phished one employee, the attacker could reach file servers, engineering workstations, and IT management systems over the internal network. Leadership wants the single best architectural change to make a similar compromise less damaging without assuming the perimeter will always hold. What should the security architect recommend first?
- A. Segment critical systems from user networks and enforce access rules with monitoring between the segments (Correct answer)
- B. Increase perimeter firewall strictness and block more outbound traffic from the internet edge
- C. Replace user antivirus with a newer endpoint tool and keep the internal network largely unchanged
- D. Require longer employee passwords and keep broad internal network reachability for productivity
Correct answer: A
Explanation: Correct answer (A): Flat internal networks increase blast radius after a single host is compromised. The most defensible first architectural improvement is to separate critical systems from general user networks and apply explicit enforcement plus monitoring between them. That recommendation assumes compromise is possible, directly limits lateral movement, and makes it possible to verify that segmentation is actually enforced instead of relying only on the perimeter.
Why the other options are wrong:
- Option B: A stronger perimeter may reduce some external attack paths, but it does little once an attacker already has a foothold on the internal network. The scenario specifically shows perimeter-only security was insufficient.
- Option C: Improving endpoint protection can help, but leaving the network flat means a successful bypass still gives an attacker broad access. The question asks for the best architectural change to reduce damage after compromise.
- Option D: Better passwords may reduce some account abuse, but they do not address the main architectural weakness: broad internal reachability after a single workstation is compromised.
Sample Question 6 — Fundamental Security Architecture Concepts
A security architect is given budget to improve internal security after several near-miss incidents. Different teams want microsegmentation, new endpoint tools, and a larger SIEM, but the company has no shared map of critical assets, trust boundaries, or major application flows. What is the best first architectural step?
- A. Perform threat modeling to identify critical assets, trust boundaries, key flows, and likely attack paths (Correct answer)
- B. Purchase the broadest platform and rely on default policies to discover misuse over time
- C. Deploy controls uniformly to all systems first and refine the design after user complaints
- D. Expand internet-edge filtering first because most attacks begin outside the organization
Correct answer: A
Explanation: Correct answer (A): Threat modeling should come before major control-selection decisions. Without understanding asset criticality, trust boundaries, important flows, and realistic attack paths, the organization risks spending budget on controls that are poorly placed or low value. A defensible architecture begins by identifying what matters most and how an attacker could reach or abuse it, then selecting controls based on that analysis.
Why the other options are wrong:
- Option B: Tool-first decisions often create coverage gaps or wasted spend when the organization has not identified what needs protection and how attackers are likely to move.
- Option C: Uniform deployment may look fair, but architectural prioritization should account for asset criticality and the most important attack paths rather than treating all systems identically.
- Option D: Edge filtering may help some external threats, but the scenario lacks the foundational analysis needed to decide whether that is the highest-value investment.
Sample Question 7 — IPv6 and Modern Network Risks
A financial firm says it does not use IPv6, but endpoint scans show dual-stack workstations with active IPv6 services and successful host-to-host connectivity over IPv6. Firewall reviews, ACL baselines, and segmentation standards currently cover only IPv4. The firm cannot risk breaking modern operating system functionality with an unvalidated enterprise-wide shutdown. What is the best first architecture action?
- A. Create explicit IPv6 ingress, egress, and east-west policy with logging and enforcement parity to the existing IPv4 design (Correct answer)
- B. Keep the current IPv4 deny rules because applications were validated only over IPv4 and should follow the same path
- C. Move all user systems into separate VLANs and postpone IPv6 policy work until the business requests formal IPv6 deployment
- D. Disable all IPv6 functions across the enterprise immediately and address application failures through exception requests afterward
Correct answer: A
Explanation: Correct answer (A): Dual-stack hosts create a second communication path even when the organization thinks it is IPv4-only. Because IPv4 controls do not automatically apply to IPv6, the first defensible step is to build explicit IPv6 policy parity for ingress, egress, and east-west traffic and include logging so the existing security design intent covers both protocol families. This reduces attack surface without taking the operational risk of an unvalidated enterprise-wide IPv6 shutdown.
Why the other options are wrong:
- Option B: Incorrect. Application validation over IPv4 does not constrain IPv6 behavior, and IPv4 deny rules do not automatically govern IPv6 traffic.
- Option C: Incorrect. VLAN changes alone do not provide IPv6 policy enforcement, routing control, or logging parity. Hosts may still communicate over unmanaged IPv6 paths.
- Option D: Incorrect. The stem explicitly says an unvalidated shutdown is too risky. Disabling core IPv6 everywhere without validation can break modern operating systems and services.
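"Policy parity" in option A is a concrete, checkable property: every intent expressed in the IPv4 ruleset (direction, source zone, destination zone, service, action, logging) should have an IPv6 counterpart, and the IPv6 default policy should not fall through to accept. The matter is urgent on dual-stack hosts because modern operating systems prefer a usable IPv6 destination over IPv4 (RFC 6724 address selection), so the unmanaged path is the one that gets used. The Python below is an added example for this page, not code from the original practice test; it models a small ruleset (constructed, using nftables' `ip`/`ip6` family names and zone names invented for the example) and reports the IPv6 rules that are missing, the IPv6 rules that lack the logging their IPv4 twins have, and whether IPv6 is effectively wide open.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    family: str      # "ip" for IPv4 or "ip6" for IPv6, following nftables naming
    direction: str   # "ingress", "egress" or "east-west"
    src: str         # zone name or "any"
    dst: str
    service: str     # e.g. "tcp/443" or "any"
    action: str      # "accept" or "drop"
    log: bool = False

    def intent(self) -> tuple:
        """The protocol-independent design intent this rule expresses."""
        return (self.direction, self.src, self.dst, self.service, self.action)

    def render(self) -> str:
        return (f"{self.family:3} {self.direction:9} {self.src} -> {self.dst} "
                f"{self.service} {self.action}{' log' if self.log else ''}")


# Constructed ruleset mirroring the stem: a mature IPv4 design and one stray IPv6 rule.
RULES = [
    Rule("ip", "ingress", "internet", "dmz-web", "tcp/443", "accept", log=True),
    Rule("ip", "ingress", "internet", "any", "any", "drop", log=True),
    Rule("ip", "egress", "users", "internet", "tcp/443", "accept", log=True),
    Rule("ip", "egress", "any", "internet", "any", "drop", log=True),
    Rule("ip", "east-west", "users", "file-servers", "tcp/445", "accept", log=True),
    Rule("ip", "east-west", "users", "servers", "any", "drop", log=True),
    Rule("ip6", "ingress", "internet", "dmz-web", "tcp/443", "accept", log=False),
]
# Per-family default policy; an IPv6 chain that falls through to accept is the classic gap.
DEFAULT_POLICY = {"ip": "drop", "ip6": "accept"}


def parity_gaps(rules):
    """Return (missing_ipv6_rules, ipv6_rules_without_logging) relative to the IPv4 design."""
    v4 = {r.intent(): r for r in rules if r.family == "ip"}
    v6 = {r.intent(): r for r in rules if r.family == "ip6"}
    missing, unlogged = [], []
    for intent, rule4 in v4.items():
        rule6 = v6.get(intent)
        if rule6 is None:
            # Propose the IPv6 twin with the same logging posture as the IPv4 rule.
            missing.append(Rule("ip6", *intent, log=rule4.log))
        elif rule4.log and not rule6.log:
            unlogged.append(rule6)
    return missing, unlogged


def permissive_defaults(policy: dict) -> list:
    """Address families whose default policy is not drop."""
    return sorted(f for f, action in policy.items() if action != "drop")


def ipv6_wide_open(rules, policy: dict) -> bool:
    """True when IPv6 has no drop rule at all and a non-drop default: everything passes."""
    has_drop = any(r.family == "ip6" and r.action == "drop" for r in rules)
    return not has_drop and policy.get("ip6") != "drop"


if __name__ == "__main__":
    missing, unlogged = parity_gaps(RULES)
    print("IPv6 effectively wide open:", ipv6_wide_open(RULES, DEFAULT_POLICY))
    print("Families with permissive defaults:", permissive_defaults(DEFAULT_POLICY))
    print("IPv6 rules to add:")
    for r in missing:
        print("  " + r.render())
    print("IPv6 rules missing logging parity:")
    for r in unlogged:
        print("  " + r.render())
```

Running this against a real firewall export means writing one adapter that turns each vendor rule into a `Rule`; the parity logic itself does not change. The logging check matters as much as the missing rules: an IPv6 rule that accepts without logging leaves the SOC blind on exactly the path the IPv4 design made visible.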
Sample Question 8 — IPv6 and Modern Network Risks
A remote-work environment uses IPv4 web proxies and IPv4 egress filtering as primary outbound controls. During an investigation, analysts find several laptops reaching external IPv6 destinations through Teredo, with little corresponding visibility in the existing proxy stack. Business applications do not require transition tunneling. What is the best architectural response?
- A. Disable unused transition mechanisms such as Teredo, 6to4, and ISATAP, and add monitoring for any remaining IPv6 transport paths (Correct answer)
- B. Keep transition mechanisms enabled but increase IPv4 proxy inspection depth for all remote user web sessions
- C. Disable all IPv6 features on every endpoint immediately and postpone review of application dependencies until later
- D. Accept the tunnel behavior for now and focus on additional malware analysis for files downloaded over the web
Correct answer: A
Explanation: Correct answer (A): The key issue is not generic web risk but unmanaged IPv6 transition tunneling bypassing IPv4-centric controls. When the business does not need Teredo, 6to4, or ISATAP, disabling those mechanisms is the best attack-surface reduction step. Adding monitoring for remaining IPv6 paths supports detection and response, which is important because simply strengthening IPv4 proxy inspection does not address the bypass channel.
Why the other options are wrong:
- Option B: Incorrect. Better IPv4 proxy inspection still leaves the actual problem in place because tunneled IPv6 traffic can bypass IPv4-only proxy assumptions.
- Option C: Incorrect. Blanket disablement of all IPv6 is broader than necessary and risks breaking systems or services without validation.
- Option D: Incorrect. Malware analysis may help with specific payloads, but it does not fix the architectural control bypass created by unmanaged transition tunnels.
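The transition mechanisms named in option A each leave a recognisable fingerprint that an IPv4-centric proxy never sees: Teredo runs over UDP, port 3544 by default, and hands out addresses under 2001:0000::/32 (RFC 4380); 6to4 encapsulates IPv6 in IPv4 as IP protocol 41 and uses the 2002::/16 prefix, historically via the 192.88.99.1 relay anycast (RFC 3068, deprecated by RFC 7526); ISATAP also uses protocol 41 and embeds the IPv4 address in an interface identifier of the form ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z (RFC 5214). The Python below is an added example for this page, not code from the original practice test or its question bank: it runs that detection logic over a handful of constructed flow records (RFC 5737 and RFC 3849 documentation addresses, invented flow ids) and also lists the native IPv6 flows that carry no tunnel indicator, which are the "remaining IPv6 transport paths" the option says still need monitoring.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")            # 2001:0000::/32, RFC 4380
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")            # RFC 3056
SIXTO4_RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")   # RFC 3068, deprecated by RFC 7526
TEREDO_UDP_PORT = 3544                                       # default Teredo server/relay port
PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41                                      # used by 6to4, ISATAP and 6in4

# Constructed flow records (src, dst, IP protocol number, destination port where relevant).
FLOWS = [
    {"id": "f1", "src": "10.0.5.23", "dst": "203.0.113.10", "proto": 17, "dport": 3544},
    {"id": "f2", "src": "10.0.5.23", "dst": "192.88.99.1", "proto": 41},
    {"id": "f3", "src": "2001:0:4136:e378:8000:63bf:3fff:fdd2", "dst": "2001:db8::1",
     "proto": 6, "dport": 443},
    # fe80::5efe:a00:501 is the ISATAP link-local form of 10.0.5.1 (0a00:0501)
    {"id": "f4", "src": "fe80::5efe:a00:501", "dst": "fe80::5efe:a00:517", "proto": 6, "dport": 445},
    {"id": "f5", "src": "10.0.5.23", "dst": "203.0.113.50", "proto": 6, "dport": 443},
    {"id": "f6", "src": "2001:db8:1::10", "dst": "2001:db8:2::20", "proto": 6, "dport": 443},
]


def is_isatap(addr) -> bool:
    """ISATAP interface IDs are ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z (RFC 5214)."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    if addr.version != 6:
        return False
    iid = int(addr) & ((1 << 64) - 1)          # low 64 bits = interface identifier
    return (iid >> 32) in (0x00005EFE, 0x02005EFE)


def tunnel_indicators(flow: dict) -> set:
    """Transition-mechanism indicators present in one flow record."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    tags = set()
    if src.version == 4:
        if flow["proto"] == PROTO_UDP and flow.get("dport") == TEREDO_UDP_PORT:
            tags.add("teredo")
        if flow["proto"] == PROTO_IPV6_IN_IPV4:
            tags.add("6to4" if dst == SIXTO4_RELAY_ANYCAST else "ipv6-in-ipv4")
    for addr in (src, dst):
        if addr.version == 6:
            if addr in TEREDO_PREFIX:
                tags.add("teredo")
            if addr in SIXTO4_PREFIX:
                tags.add("6to4")
            if is_isatap(addr):
                tags.add("isatap")
    return tags


def detect_transition_tunnels(flows: list) -> dict:
    """Flow id -> sorted indicator list, for flows that show transition tunneling."""
    result = {}
    for flow in flows:
        tags = tunnel_indicators(flow)
        if tags:
            result[flow["id"]] = sorted(tags)
    return result


def native_ipv6_flows(flows: list) -> list:
    """IPv6 flows with no tunnel indicator: the remaining paths that still need monitoring."""
    return [f["id"] for f in flows
            if ipaddress.ip_address(f["src"]).version == 6 and not tunnel_indicators(f)]


if __name__ == "__main__":
    for fid, tags in detect_transition_tunnels(FLOWS).items():
        print(f"{fid}: transition tunneling via {', '.join(tags)}")
    print("native IPv6 flows to keep monitoring:", native_ipv6_flows(FLOWS))
```

The same two signals (UDP/3544 and IP protocol 41 leaving the estate) are also what an egress filter can block once the endpoints have been cleaned up, which gives you a network-side backstop in case an endpoint re-enables a mechanism. A generic `ipv6-in-ipv4` hit to a non-anycast destination deserves a look on its own: it may be ISATAP talking to an ISATAP router, a manually configured 6in4 tunnel, or something nobody sanctioned.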
Sample Question 9 — Layer 1, Layer 2, and Layer 3 Defense
A company has many open office network jacks in shared workspaces. During a red-team exercise, a tester plugged a laptop into an unused cubicle port and immediately reached the internal user network. The company also has printers and badge readers that cannot run a supplicant. The security architect wants the best architecture change to reduce unauthorized network attachment without breaking those devices. What should the architect recommend?
- A. Deploy 802.1X on access ports and place non-supplicant devices into tightly restricted roles or segments (Correct answer)
- B. Increase perimeter firewall inspection for inbound and outbound traffic at the Internet edge
- C. Move all office systems into a larger shared VLAN so routing policy becomes easier to manage
- D. Rely on quarterly switch configuration audits to identify unauthorized endpoint connections
Correct answer: A
Explanation: Correct answer (A): 802.1X is the best architecture change because the failure occurred at the wired access layer: an attacker gained access simply by plugging into an open port. Port-based access control directly addresses that problem. In a defensible design, devices that cannot run a supplicant, such as printers and badge readers, are not left on open access ports; they are placed into tightly restricted roles or segments based on their function. Such devices are commonly admitted with MAC Authentication Bypass (MAB), and because a MAC address is trivially spoofed, the restricted role they land in, not the MAB check itself, is the real control. This improves prevention at the point of attachment rather than relying on downstream controls.
Why the other options are wrong:
- Option B: Perimeter firewall inspection does not stop a device that is already plugged into an internal access port. This is a perimeter-only response to an access-layer problem.
- Option C: A larger shared VLAN increases blast radius and does not add attachment control. It makes the unauthorized access problem worse, not better.
- Option D: Audits can validate hardening, but they do not enforce access decisions at the port and do not prevent unauthorized attachment in real time.
Sample Question 10 — Layer 1, Layer 2, and Layer 3 Defense
An enterprise campus still uses a large flat internal address space where user workstations, application servers, management systems, and several critical services can all route to each other by default. After a phishing incident, attackers moved from a user subnet to a sensitive server network in minutes. The architect's main goal is to reduce east-west movement between trust zones. Which change is the most defensible?
- A. Separate departments into additional VLANs but keep broad inter-VLAN routing open across the campus
- B. Create routed trust zones for users, servers, management, and critical services with explicit allowed paths (Correct answer)
- C. Add more Internet egress filtering while leaving internal routing reachability unchanged
- D. Increase host logging across all endpoints while leaving network paths and trust boundaries unchanged
Correct answer: B
Explanation: Correct answer (B): The attack succeeded because broad internal routing allowed a compromised user system to reach sensitive networks with little resistance. The most defensible containment change is to create routed trust zones with explicit allowed paths between users, servers, management networks, and critical services. That creates enforceable Layer 3 boundaries. More VLANs without routing restrictions only reorganize traffic, while logging or Internet egress controls do not remove the east-west attack path.
Why the other options are wrong:
- Option A: Additional VLANs may organize traffic, but VLAN membership alone is not strong trust separation if inter-VLAN routing remains broadly open.
- Option C: Internet egress filtering may help other risks, but it does not materially reduce internal lateral movement after compromise.
- Option D: More logging improves visibility, but the question asks for the best architecture change to reduce movement. Detection alone leaves the path open.
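Questions 2, 5 and 10 all turn on the same idea: how far a single compromised host can pivot is a property of the allowed flows between zones, and it can be computed rather than argued about. The Python below is an added example for this page, not code from the original practice test or its question bank. It models a flat campus (every zone routes to every other) beside a routed-trust-zone policy with explicit allowed paths, then computes the zones reachable from a compromised zone and enumerates the pivot paths to a target. The zone names, services and the allowed-flow list are constructed for the example, and the model assumes the worst case that any allowed flow can be abused for lateral movement.

```python
from collections import deque

ZONES = ["users", "servers", "management", "critical"]


def flat_policy(zones):
    """Default-route-everything campus: every zone reaches every other zone on any service."""
    return {(s, d, "any") for s in zones for d in zones if s != d}


# Constructed explicit-path policy for the routed trust zones in option B:
# (source zone, destination zone, allowed service).
ZONED_POLICY = {
    ("users", "servers", "tcp/443"),
    ("servers", "critical", "tcp/1433"),
    ("management", "users", "tcp/3389"),
    ("management", "servers", "tcp/22"),
    ("management", "critical", "tcp/22"),
}


def reachable(policy, start):
    """Zone -> hop count for every zone an attacker in `start` can pivot to,
    assuming every allowed flow can be abused for lateral movement."""
    edges = {}
    for src, dst, _service in policy:
        edges.setdefault(src, set()).add(dst)
    hops, queue = {start: 0}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in edges.get(zone, ()):
            if nxt not in hops:
                hops[nxt] = hops[zone] + 1
                queue.append(nxt)
    del hops[start]
    return hops


def pivot_paths(policy, start, target, max_hops=4):
    """All simple paths from `start` to `target`, rendered with the service used per hop."""
    paths = []

    def walk(zone, path, visited):
        if zone == target:
            paths.append(" ".join(path))
            return
        if len(visited) > max_hops:
            return
        for src, dst, service in sorted(policy):
            if src == zone and dst not in visited:
                walk(dst, path + [f"-{service}->", dst], visited | {dst})

    walk(start, [start], {start})
    return paths


def blast_radius_report(policy, zones):
    """Number of zones reachable from each zone: a quick before/after comparison."""
    return {z: len(reachable(policy, z)) for z in zones}


if __name__ == "__main__":
    for name, policy in (("flat campus", flat_policy(ZONES)), ("routed trust zones", ZONED_POLICY)):
        print(f"{name}: zones reachable from each zone {blast_radius_report(policy, ZONES)}")
        print(f"  from users: {reachable(policy, 'users')}")
        for p in pivot_paths(policy, "users", "critical"):
            print(f"  pivot path: {p}")
```

Two things the output makes visible that the prose only asserts. First, the zoned policy does not make `critical` unreachable from `users`; it leaves exactly one two-hop path through `servers` on a named service, which is what you would then instrument and alert on. Second, the management zone reaches everything in one hop under the zoned policy, so its own admission controls (jump hosts, MFA, restricted sources) carry the design; if that is uncomfortable, the model is telling you where the next segmentation decision belongs.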
How Should I Use This GDSA Quick Test?
Use it as a fast diagnostic. If you score 63% or higher (the GDSA pass mark), you're close to exam-ready and should drill weak domains. If you score below 63%, build foundations with the SANS SEC530 course and hands-on lab work before attempting more practice tests.