ECCouncil Updated 312-50v13 Exam Questions and Answers by ernie

Insufficient logging and monitoring is the most direct threat highlighted by the scenario. In CEH-aligned cloud security concepts, visibility is foundational: without adequate telemetry, security teams cannot detect, investigate, or respond to malicious activity in time. The question explicitly states attackers “remained undetected” because the organization lacked mechanisms to track function-level activity and capture anomalous events. In a serverless architecture, this visibility gap can be especially damaging because there are no traditional servers for defenders to log into, and many security signals must be collected from cloud-native sources such as function invocation logs, API gateway logs, identity events, and centralized monitoring pipelines.

While privilege escalation is a common cloud threat, the question’s root cause is not described as excessive permissions or role abuse; it is the lack of detection capability. Loss of governance refers to weak policies, mismanaged accounts, and lack of control over cloud resources, which may contribute indirectly but is not the immediate failure described. Side-channel attacks are specialized and do not match the evidence of missed alerts and absent operational telemetry.

CEH guidance emphasizes implementing centralized logging, continuous monitoring, alerting, and anomaly detection as core controls. For serverless, this includes capturing detailed function execution logs, tracing, identity and access events, and integrating them into a SIEM/SOAR workflow. Effective monitoring enables rapid detection of abnormal invocation patterns, suspicious API calls, unusual data access, and persistence attempts—reducing dwell time and preventing small compromises from becoming major outages.

The correct answer is A. Confidentiality because the scenario describes sensitive information being transmitted in clear text, meaning the contents can be read by any unauthorized party who is able to intercept the traffic. In information security, confidentiality is the principle that ensures information is accessible only to authorized individuals, entities, or processes. When communications are sent without adequate protection—such as encryption—attackers performing network interception (for example, through man-in-the-middle positioning, packet sniffing on compromised routers, malicious Wi-Fi, or upstream monitoring) can directly view the document contents. That is a direct failure of confidentiality controls.

The prompt’s key phrase is that “anyone intercepting the traffic can read the contents.” This is not describing altered messages or forged emails; it is describing unauthorized disclosure. Confidentiality is typically protected using mechanisms such as encryption in transit (e.g., TLS for SMTP submission and server-to-server transport where possible, S/MIME, PGP), secure key management, and policy enforcement at email gateways. In legal environments, confidentiality is particularly critical because client communications and legal documents often contain privileged or regulated information. Clear-text transmission exposes the firm to compliance violations, reputational harm, and potential legal consequences.

Why the other options are not correct: Integrity concerns whether the message or document is altered in transit (tampering, modification, insertion). The scenario does not mention changes—only unauthorized reading. Non-repudiation ensures parties cannot deny sending or receiving a message (often supported by digital signatures and logging). The issue here is not proof-of-origin but exposure. Availability relates to whether systems and data remain accessible when needed (uptime, resilience, DoS). Nothing indicates service disruption.

Therefore, transmitting sensitive legal documents in clear text violates the fundamental security principle of confidentiality.

An Evil Twin access point is a malicious wireless access point that impersonates a legitimate Wi-Fi network by copying its SSID and often mimicking other observable characteristics such as security settings and signal behavior. In CEH-aligned wireless attack coverage, the goal is to trick users into connecting to the attacker-controlled AP instead of the real one. Once a victim device associates, the attacker can perform man in the middle interception, capture credentials, observe sensitive traffic, and potentially downgrade protections if the victim is not properly validating the network.

This scenario strongly matches an Evil Twin because the tablet connects to an access point “broadcasting a name and signal similar to the hospital’s secure Wi-Fi,” and Sarah finds an unauthorized device capturing sensitive traffic from connected systems. That combination indicates active impersonation and client deception, not merely an accidental device. A rogue AP is typically an unauthorized access point connected to the internal network, often deployed by employees for convenience, and may not be designed to impersonate the official SSID to lure clients. A misconfigured AP refers to an access point with weak settings or improper security controls, not an attacker-created clone. A honeypot AP is a deliberate decoy set up by defenders to attract attackers, which is the opposite of what is described.

Mitigations emphasized in CEH best practices include using WPA2 Enterprise or WPA3 Enterprise with certificate validation, enabling protected management frames where supported, deploying wireless intrusion detection and prevention to identify spoofed SSIDs and BSSID anomalies, disabling auto-join where possible, and training users to report suspicious network prompts or unexpected reconnect behavior.

The Certified Ethical Hacker (CEH) Web Application Hacking and DoS/DDoS module identifies Slowloris as an application-layer denial-of-service attack that targets web servers by maintaining a large number of half-open HTTP connections.

Slowloris works by sending partial HTTP requests very slowly, preventing the server from closing the connections. CEH documentation highlights that this attack does not rely on high bandwidth, making it difficult to detect using traditional network-based defenses.

Option C accurately matches the described symptoms and CEH’s definition.

Options A and B are network-layer flooding attacks, which were explicitly ruled out.

Option D is a packet fragmentation attack, not an application-layer DoS technique.

CEH stresses tuning connection timeouts and using reverse proxies as mitigations.