ECCouncil Updated 312-50v13 Exam Questions and Answers by demi

https://www.infocyte.com/blog/2019/02/16/cybersecurity-101-what-you-need-to-know-about-false-positives-and-false-negatives/

False positives are mislabeled security alerts, indicating there is a threat when in actuality, there isn’t. These false/non-malicious alerts (SIEM events) increase noise for already over-worked security teams and can include software bugs, poorly written software, or unrecognized network traffic.

False negatives are uncaught cyber threats — overlooked by security tooling because they’re dormant, highly sophisticated (i.e. file-less or capable of lateral movement) or the security infrastructure in place lacks the technological ability to detect these attacks.

ARP (Address Resolution Protocol) spoofing/poisoning is a common attack in which an attacker sends falsified ARP messages to associate their MAC address with the IP address of another host. To defend against ARP spoofing:

A. Port Security: Limits the number of MAC addresses per port; prevents MAC flooding and spoofing.

B. ARPwatch: Monitors ARP traffic and alerts on unusual changes.

D. Static ARP Entries: Prevent ARP responses from overwriting MAC-IP mappings, effective in small networks.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

Module 20: Network Security

Incorrect Options:

C: Firewalls operate at Layer 3+; ARP is a Layer 2 protocol, so firewalls don’t prevent ARP spoofing.

E: Static IP addresses do not prevent ARP poisoning.

Promiscuous mode is a configuration for a network interface card (NIC) that allows it to pass all network traffic to the CPU for processing, not just the traffic addressed to that NIC. It is commonly used in:

Network sniffing and monitoring

Packet analysis tools like Wireshark

IDS/IPS systems

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“Promiscuous mode allows a NIC to capture all packets on the network segment, regardless of the destination MAC address.”

Incorrect Options:

A. Multicast mode handles group address traffic, not all frames

C. WEM is not a valid network mode term

D. Port forwarding redirects traffic to specific internal IPs

=

CEH v13 identifies Man-in-the-Browser (MitB) attacks as one of the most dangerous and difficult-to-detect session hijacking techniques, especially in online banking environments. In MitB attacks, malware operates inside the user’s browser, intercepting and manipulating transactions in real time.

Unlike XSS or session fixation attacks, MitB bypasses server-side security controls entirely. Even strong encryption, multi-factor authentication, and secure cookies are ineffective because the attack occurs after authentication, within a trusted session.

Passive sniffing is limited by encryption, and session fixation relies on poor session management. Covert XSS requires injection points and is more easily mitigated.

CEH v13 emphasizes that MitB attacks can modify transaction details without user awareness, making detection extremely difficult. Therefore, Option B is correct.