ECCouncil Updated 312-50v13 Exam Questions and Answers by gianna

This scenario is a classic vishing (voice phishing) attempt: the attacker calls employees, impersonates a vendor, and tries to persuade them to disclose sensitive payment information. The most direct, practical countermeasure that employees can apply in every interaction is verifying the requester’s identity before sharing any information. That means using a trusted verification method—such as calling back using an official number from an internal directory/vendor contract, confirming through a known manager or procurement channel, or following an established verification workflow—rather than trusting the caller ID, the caller’s confidence, or claimed affiliation.

Option B is the best answer because it directly breaks the social engineering tactic being used: pretexting (posing as a vendor) relies on getting the victim to accept identity and urgency without validation. If employees consistently verify identity through independent channels, the attacker’s pretext collapses and the request is denied or escalated. This is the most immediate control at the human decision point, where the data disclosure risk occurs.

Why the other choices are less direct:

Security awareness programs (A) are important, but the question asks for the practical step employees must apply in each interaction. Training supports the behavior; it is not the specific action that stops the call from succeeding.

Policies and procedures (C) provide governance and guidance, but the direct operational control during a phone call is still identity verification.

Two-factor authentication (D) protects login processes but does not prevent an employee from verbally disclosing payment details over the phone.

Therefore, the prioritized countermeasure is B. Employees must verify the identity of individuals requesting information.

The best answer is Remediation because the workflow centers on fixing confirmed vulnerabilities through an organized, prioritized plan and coordinating corrective actions with operations teams. In CEH-aligned vulnerability management, the lifecycle typically moves from asset identification and risk context, to scanning and validation, to analysis and prioritization, and then into remediation where weaknesses are actually reduced or eliminated. The question explicitly states that after vulnerabilities are detected and validated, Priya’s team “develop a structured timeline to address the confirmed vulnerabilities” and prioritize “high-risk findings affecting mission-critical systems.” Creating the remediation plan, assigning owners, scheduling patch windows, implementing configuration hardening, disabling unnecessary services, updating vulnerable software, and applying compensating controls are all core remediation activities.

Although the final step mentions rescanning to confirm resolution and producing a compliance report, that verification step occurs after remediation work has been performed. Verification is an important follow-on phase, but it is not the main phase being executed throughout the described workflow. Vulnerability analysis refers more to interpreting scan results, validating false positives, mapping weaknesses to impact, and determining exploitability. Risk assessment focuses on evaluating business impact and likelihood to prioritize work. Here, those phases are present, but the primary emphasis is on coordinating and executing fixes and driving them to closure, which is remediation.

In short, Priya is in the remediation phase, with verification used afterward to confirm the remediation was effective.

This scenario describes a Slowloris attack, a classic application-layer DoS attack covered in CEH v13 Network and Perimeter Hacking. Slowloris works by opening many HTTP connections and sending data very slowly, preventing the server from closing the connections.

Because the connections appear legitimate, the server keeps them open, eventually exhausting its connection pool. This causes legitimate users to experience timeouts and service unavailability—exactly as described.

ICMP and UDP floods consume bandwidth, which was ruled out. Fragmentation attacks target packet handling, not application-layer sessions.

CEH v13 highlights Slowloris as particularly dangerous because it requires minimal bandwidth and bypasses many traditional DoS defenses. Therefore, Option A is correct.

CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system—such as kernel modules, drivers, or system processes—to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than conceals operations. The defining characteristics in this scenario—cloaking activity, providing admin-level control, persisting undetected—are directly aligned with rootkit behavior as described in CEH training material.