Employees of a large financial company are continuously being infected by strands of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?
Employees are being infected with malware that evades EDR tools, and this occurs while they are at client sites. The best solution to mitigate this risk is to use a Virtual Desktop Infrastructure (VDI) environment. A VDI allows employees to access their desktops remotely within a secure and controlled environment that is centralized. This isolation ensures that any potential infections do not impact the endpoint systems directly, as the interaction with the desktop is virtualized. Consequently, even if the client's network has compromised endpoints or files, the central server hosting the VDI can be more robustly defended and monitored, significantly reducing the corporate risk of malware spreading.
C found in older guide
Confirmed also with chatGPT - selected also F. Explanation: Network segmentation involves dividing a network into separate segments or subnetworks to isolate different types of users, systems, or applications. By implementing network segmentation, the financial company can create separate network zones or segments for employees who frequently exchange files at client sites. Benefits of network segmentation include: Containment of malware: By isolating the segment where employees exchange files, any malware infections or threats introduced in that segment would be limited to that specific network zone. Enhanced visibility and control: Network segmentation allows for improved visibility and control over network traffic. Reduced lateral movement: Segmented networks limit the ability of malware to move laterally across the network.
This points out the biggest issue with ChatGPT: I ran the question through 5 times, and it flip-flopped it's answer between C and F every time. Since we are talking about client sites, I have to go with C, since we wouldn't be allowed to segment someone else's network.
You are not segmenting their network - you are adding your salesmen group to a segment in your network.
I'm not sure if network segmentation would help in this scenario because they are talking about employees exchanging files in the client sites. Same logic applies for network access control (NAC) that only applies when someone attempts to connect to a corporate network in specific but how would be that possible if the employees are visiting several clients? (assuming there are a lot). I think C is the most logical answer (discarding encryption, MFA, and firewall host-based rules).
Reference: https://www.vmware.com/topics/glossary/content/virtual-desktop-infrastructure-security.html
thanks for the reference
Agreed. I had to read this question a couple times, but you are correct. VDI is the best solution if employees are onsite with a client and need to be protected while also sharing files.
They can still share files using protocols such as SFTP if the networks are segmented.
The BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites in the scenario described is option C, VDI environment. A VDI (Virtual Desktop Infrastructure) environment is a virtualized desktop environment that runs on centralized servers and is accessed remotely by end-users. A VDI environment can help to reduce the risk of malware infections by isolating the end-user environment from the underlying operating system and by using virtualization technologies to provide a secure and controlled environment for end-users to work in.
C. VDI environment (Virtual Desktop Infrastructure). This allows employees to access a secure, controlled desktop environment remotely, which can help prevent malware infections from spreading to the corporate network. It also facilitates secure file exchange at client sites.
The one that makes more sense
A Virtual Desktop Infrastructure (VDI) could be very effective in this case. In a VDI setup, the operating system and applications run inside a virtual machine on a centralized server. This makes it easier to manage and secure the environment. If an infection occurs, it's easier to revert to a clean snapshot, reducing the impact.
Implementing a VDI environment would provide a layer of isolation between the client site and the company's network, thus reducing the risk of malware spreading. It would also make it easier to manage and rollback changes if an infection occurs.
The question said "while allowing employees to exchange files at client sites". Only vdi environment allows to give answers to the two options raised in the question (reduce corporate risk and exchange files at client sites)
I would go for Network Segmentation (F) because they are asking for a Security Control. VDI is not a security control per se.
C, VDI - the issue is the EDR tools are not finding the malware - a problem with their endpoints. Using VDI will have more robust detection on the endpoints, presumably.
F. is correct
The best security control to implement to reduce corporate risk while allowing employees to exchange files at client sites is Network Segmentation (F). By separating the financial company's network into smaller segments, the risk of malware infections can be reduced by limiting the spread of an infection if it does occur. Additionally, using network access control (E) can help ensure that only authorized devices are able to access the network and reduce the risk of malware infections. Implementing hard drive encryption (D) can also help secure sensitive data on the employees' devices, but it alone may not prevent malware infections.
How is network segmentation going to help "reduce corporate risk while allowing employees to exchange files at client sites?" You gonna segment the client sites?
First priority is limiting the spread of the malware that edr isn't catching.
The issue here is that you can segment the financial company's network, but the question asks to protect reduce corporate risk and allow employees to share files while at CLIENT sites. VDI will do both of these things.