10 Endpoint Security
Mini Quiz Answers

Question 1: A hospital's IT department discovers that medical workstations deployed six months ago now have inconsistent security settings, with some having disabled firewalls and others running unauthorized software. The team needs to ensure all new deployments start from a standardized, secure state and prevent future deviations. What solution should they implement to establish consistent security configurations across all endpoints and prevent configuration drift?

Hardened system images based on CIS benchmarks

Manual configuration checklists applied by technicians during setup

Individual system hardening performed after each device is deployed

Automated scripts that only check compliance without enforcing standards

Question 1 Explanation: Hardened system images based on CIS benchmarks provide standardized configurations that ensure all new OS deployments begin from an approved security state.

Manual configuration checklists introduce human error and inconsistency between deployments, and they are time-consuming.

Individual system hardening performed after each device is deployed is time-consuming and results in configuration inconsistencies.

Automated scripts can check compliance but do not enforce the same configuration on every device.

Question 2: A financial analyst's laptop containing sensitive customer data is stolen from their vehicle during a business trip. The organization needs to ensure that even if the hard drive is removed and accessed externally, the data remains inaccessible to unauthorized users. Which security control should have been implemented?

Full Disk Encryption

File-level encryption for documents marked as confidential

BIOS passwords to prevent unauthorized booting of the system

Remote wipe capabilities

Question 2 Explanation: Full Disk Encryption protects data at rest by encrypting the entire drive, ensuring that even if the hard drive is removed and accessed, the data remains inaccessible to unauthorized users without the decryption key.

File-level encryption for documents marked as confidential only protects specific files, leaving other sensitive data unencrypted and vulnerable.

BIOS passwords prevent unauthorized booting of the system but do not protect the data if the hard drive is physically removed.

Remote wipe capabilities require the device to connect to the internet and do not protect data if the drive is removed.

Question 3: A manufacturing company's workstations are running outdated operating system versions with known vulnerabilities, but the IT team is hesitant to deploy updates during operational hours due to fear of disrupting critical processes. They need a systematic approach to handle updates that minimizes risk. What strategy should they implement to manage OS and application updates effectively?

Update once a year and apply all accumulated updates at once

Manual patching only

Immediately deploy all available updates to production systems without testing

Automated patch deployment with testing environments and scheduled maintenance windows

Question 3 Explanation: Updating once a year and applying all accumulated updates leaves systems vulnerable to known exploits for extended periods.

Manual patching is inconsistent and results in outdated systems with known vulnerabilities remaining unpatched for extended periods.

Immediately deploying all available updates without testing risks introducing instability and compatibility issues.

Automated patch deployment with testing environments and scheduled maintenance windows provides a systematic approach that minimizes risk.

Question 4: During a security audit of a corporate accounting department, assessors discover multiple unauthorized gaming applications, legacy browsers, and administrative tools installed on workstations. These applications have known vulnerabilities and create potential entry points for attackers. Which hardening practice should the organization enforce to minimize these risks?

Removal of unnecessary software

Installing additional antivirus software to monitor the unauthorized applications

Creating network segmentation rules that block traffic from these specific applications

Requiring users to sign policies to agree not to install software

Question 4 Explanation: Removal of unnecessary software directly reduces the attack surface, and is a standard security practice.

Installing additional antivirus software does not eliminate the vulnerabilities present in the software and still allows potential exploitation of these applications before detection occurs.

Creating network segmentation rules does not remove the software from the endpoints and may not prevent all attack vectors.

Requiring users to sign policies is an administrative control that does not technically prevent installation or remove existing unauthorized software, and fails to address the technical vulnerabilities present.

Question 5: A company's traditional signature-based antivirus solution failed to detect a sophisticated ransomware attack that encrypted files across multiple endpoints. The security team needs a solution that detects threats in real-time. Which technology should they deploy to replace their legacy antivirus and provide automated response capabilities?

EDR

IDS

DLP

Manual incident response procedures requiring administrator intervention

Question 5 Explanation: EDR (Endpoint Detection & Response) provides real-time monitoring and automated response, which meets the requirements of the question.

IDS (Intrusion Detection System) does not respond to threats, which does not meet the requirements of the question.

DLP (Data Loss Prevention) focuses on preventing data exfiltration and unauthorized data movement, rather than detecting and responding to malware infections like ransomware in real time.

Manual incident response procedures requiring administrator intervention are too slow to prevent the rapid encryption and spread of modern ransomware.

Question 6: An organization notices that its staff continue to download and install a popular game at work. Administrators block the web address where the game is available for download, but the company that produces the game changes the URL regularly. What is the BEST approach to prevent installation of this game?

A firewall rule blocking all inbound traffic on port 443

A content filter rule banning the download URL

Application deny listing

Application allow listing

Question 6 Explanation: A firewall rule blocking all inbound traffic on port 443 would prevent legitimate HTTPS traffic and business operations, so it is unsuitable.

A content filter rule banning the download URL fails, because the game company changes the URL regularly, allowing downloads to continue through new addresses not yet blocked by the filter.

Application deny listing requires maintaining an updated list of known bad applications and signatures, which is difficult when the application vendor frequently changes distribution methods and may not block modified versions.

Application allow listing is the industry standard approach, which implements a default deny posture where only explicitly approved applications can execute, regardless of how frequently the download source changes URLs.

Question 7: A cybersecurity team for a technology company specializes in developing mobile applications for various industries. The team is working on a new app that utilizes location services to provide users with real-time updates on nearby events and activities, based on their location. However, the project stakeholders have expressed concerns about certain aspects of location services. What is the PRIMARY concern surrounding location services in mobile devices?

Battery consumption

Lack of accuracy

Privacy

Limited availability

Question 7 Explanation: Battery consumption is not a primary security risk.

Lack of accuracy affects functionality but does not constitute a fundamental risk to users or organizations.

Privacy is the primary concern surrounding location services in mobile devices, because continuous tracking of user location creates significant risks regarding surveillance data collection.

Limited availability is a technical constraint in certain environments, but does not represent the core security or ethical concern regarding location services.

Question 8: A contractor's compromised credentials are used to access sensitive databases at 3 AM from an unusual geographic location, downloading large amounts of data in patterns that differ significantly from the user's normal baseline. Traditional security tools show successful authentication and authorized access. Which technology would best identify this anomalous activity?

UEBA

RBAC

DLP

Geographic IP blocking

Question 8 Explanation: UEBA (User & Entity Behavioral Analytics) uses machine learning to establish behavioral baselines for users, detecting anomalies such as impossible travel, out-of-hours access, and unusual data download patterns that differ significantly from normal behavior.

RBAC (Role Based Access Control) limits permissions based on job functions but does not detect anomalous usage patterns.

DLP focuses on preventing data loss by blocking or monitoring data movement, but does not inherently detect behavioral anomalies.

Geographic IP blocking restricts access based on location, but can be bypassed using VPNs and does not detect anomalous behavior within allowed geographic areas.

Question 9: A Windows enterprise environment needs to enforce strict security requirements including complex password policies, disabling USB storage devices, preventing installation of unauthorized software, and standardizing registry settings across thousands of domain-joined workstations. Which technology provides this centralized management and policy enforcement capability?

SELinux security policies applied to each workstation

GPO deployed through AD

Local security policies configured individually on each machine

Manual registry edits distributed via batch scripts or PowerShell

Question 9 Explanation: SELinux security policies provide Mandatory Access Control for Linux systems but are not applicable to Windows environments, so they do not address this scenario.

GPO (Group Policy Objects) deployed through AD (Active Directory) enables centralized management and enforcement of security requirements, like password policies, USB restrictions, software installation restrictions, and registry settings, across thousands of domain-joined workstations from a single administrative interface.

Local security policies configured individually on each machine require administrative access to every workstation, are time-consuming, and result in configuration inconsistencies across the enterprise environment.

Manual registry edits distributed via batch scripts or PowerShell lack centralized enforcement and are difficult to maintain consistently across thousands of systems.

Question 10: A company wants to provide mobile devices to sales representatives who need to install personal applications for travel and entertainment, while ensuring IT can enforce encryption, remotely wipe only corporate data if the device is lost, and prevent backups to personal cloud accounts. Which deployment model and solution combination supports these requirements?

COPE devices managed through MDM with containerization

BYOD devices with full device wipe capabilities

COBO devices restricting all personal application installation

BYOD without MDM

Question 10 Explanation: COPE (Corporate Owned, Personally Enabled) devices managed through MDM (Mobile Device Management) with containerization meet all of these requirements: the organization provides corporate-owned devices while permitting personal application installation, and container separation lets IT remotely wipe only the corporate data.

BYOD (Bring Your Own Device) devices with full device wipe capabilities would allow wiping personal data along with corporate data, violating user privacy and potentially creating legal issues.

COBO (Corporate Owned, Business Only) devices would prevent sales representatives from installing personal applications for travel and entertainment, failing to meet the business requirement for personal use.

BYOD without MDM lacks the centralized control necessary to enforce encryption, remotely wipe corporate data, or prevent backups to personal cloud accounts, leaving corporate data unprotected on personally owned devices.