Exam CS0-002 topic 1 question 266 discussion

C. VDI environment (Virtual Desktop Infrastructure). This allows employees to access a secure, controlled desktop environment remotely, which can help prevent malware infections from spreading to the corporate network. It also facilitates secure file exchange at client sites.

The one that makes more sense

Implementing a VDI environment would provide a layer of isolation between the client site and the company's network, thus reducing the risk of malware spreading. It would also make it easier to manage and rollback changes if an infection occurs.

A Virtual Desktop Infrastructure (VDI) could be very effective in this case. In a VDI setup, the operating system and applications run inside a virtual machine on a centralized server. This makes it easier to manage and secure the environment. If an infection occurs, it's easier to revert to a clean snapshot, reducing the impact.

The question said "while allowing employees to exchange files at client sites". Only vdi environment allows to give answers to the two options raised in the question (reduce corporate risk and exchange files at client sites)

C found in older guide

Confirmed also with chatGPT - selected also F. Explanation: Network segmentation involves dividing a network into separate segments or subnetworks to isolate different types of users, systems, or applications. By implementing network segmentation, the financial company can create separate network zones or segments for employees who frequently exchange files at client sites. Benefits of network segmentation include: Containment of malware: By isolating the segment where employees exchange files, any malware infections or threats introduced in that segment would be limited to that specific network zone. Enhanced visibility and control: Network segmentation allows for improved visibility and control over network traffic. Reduced lateral movement: Segmented networks limit the ability of malware to move laterally across the network.

I would go for Network Segmentation (F) because they are asking for a Security Control. VDI is not a security control per se.

C, VDI - the issue is the EDR tools are not finding the malware - a problem with their endpoints. Using VDI will have more robust detection on the endpoints, presumably.

I'm not sure if network segmentation would help in this scenario because they are talking about employees exchanging files in the client sites. Same logic applies for network access control (NAC) that only applies when someone attempts to connect to a corporate network in specific but how would be that possible if the employees are visiting several clients? (assuming there are a lot). I think C is the most logical answer (discarding encryption, MFA, and firewall host-based rules).

The BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites in the scenario described is option C, VDI environment. A VDI (Virtual Desktop Infrastructure) environment is a virtualized desktop environment that runs on centralized servers and is accessed remotely by end-users. A VDI environment can help to reduce the risk of malware infections by isolating the end-user environment from the underlying operating system and by using virtualization technologies to provide a secure and controlled environment for end-users to work in.

F. is correct

The best security control to implement to reduce corporate risk while allowing employees to exchange files at client sites is Network Segmentation (F). By separating the financial company's network into smaller segments, the risk of malware infections can be reduced by limiting the spread of an infection if it does occur. Additionally, using network access control (E) can help ensure that only authorized devices are able to access the network and reduce the risk of malware infections. Implementing hard drive encryption (D) can also help secure sensitive data on the employees' devices, but it alone may not prevent malware infections.