ECCouncil Updated 312-50v13 Exam Questions and Answers by rafi

The scenario best illustrates loss of governance because the core problem is not a specific technical exploit but a failure in management oversight, accountability, and control assignment for cloud/serverless security responsibilities. The question describes “lack of defined responsibilities for monitoring, auditing, and securing serverless services,” resulting in critical functions being “unmanaged,” which led to downtime and delayed alerts. That is a governance failure: the organization did not establish clear ownership, policies, and operational processes to ensure cloud workloads—specifically serverless functions—were properly monitored, audited, and secured.

In cloud environments, governance includes defining roles and responsibilities (shared responsibility model understanding), establishing security baselines, ensuring logging/monitoring coverage, enforcing configuration management, and maintaining compliance oversight. When governance is weak, services may be deployed without consistent security controls, alerts may be misconfigured or ignored, and incident response can be delayed because no team is clearly accountable. Serverless increases this risk because it can be rapidly adopted by developers, spun up quickly, and overlooked by traditional infrastructure processes if the organization’s governance framework doesn’t explicitly include it.

While “insufficient logging and monitoring” (A) is closely related, the scenario frames the root cause as management’s lack of defined responsibilities, which is broader than missing logs. It’s about the absence of governance structures that ensure logging/monitoring are implemented and owned. Privilege escalation and side-channel attacks are technical attack categories not suggested by the description.

Therefore, the cloud threat illustrated is B. Loss of governance.

This scenario describes Linear Cryptanalysis, a technique detailed in CEH v13 Cryptography. Linear cryptanalysis involves finding linear approximations that relate plaintext bits, ciphertext bits, and key bits using XOR operations. By analyzing a large number of known plaintext–ciphertext pairs, attackers can identify statistical biases that reveal information about the secret key.

CEH v13 explains that linear cryptanalysis differs from differential cryptanalysis in its approach. While differential cryptanalysis studies how differences in plaintext affect differences in ciphertext, linear cryptanalysis focuses on linear relationships and probability distributions.

The mention of XOR combinations and statistical analysis of plaintext–ciphertext pairs directly aligns with linear cryptanalysis. Brute-force attacks attempt all keys without analysis. Differential cryptanalysis focuses on input differences, not linear equations. Side-channel attacks exploit physical characteristics such as power consumption or timing.

Modern block ciphers like AES are designed to resist linear cryptanalysis by ensuring that linear approximations occur with probabilities close to random. CEH v13 highlights linear cryptanalysis as a foundational attack method used to evaluate cipher strength.

Therefore, Option C is correct.

The correct answer is B. BitLocker Drive Encryption because the requirements describe native Windows full-disk encryption that integrates tightly with enterprise Windows security features and centralized management. BitLocker is Microsoft’s built-in disk encryption technology designed to provide transparent encryption for the operating system volume and additional fixed/removable drives. It supports hardware-backed startup protection through integration with the Trusted Platform Module (TPM), which can help protect encryption keys and validate boot integrity before unlocking the OS volume. This matches the prompt’s requirement for “hardware-backed startup protection.”

The scenario also emphasizes “centralized key escrow via Active Directory/management policies.” In enterprise deployments, BitLocker recovery information can be backed up to Active Directory and managed through Group Policy / MDM controls, enabling standardized enforcement (encryption settings, recovery key handling, compliance reporting) across servers and endpoints. This is a core operational advantage in regulated environments like healthcare: it enables rapid response (recoverability), consistent policy application, and audit-friendly control of encryption keys—without requiring third-party key management tooling for basic escrow needs.

Additionally, the prompt calls for securing the “system partition and attached data volumes” in a way that is compatible with Windows platform behavior and minimizes disruption. BitLocker supports encrypting both the OS volume and data volumes, and it is designed for transparent operation once enabled, so normal server use and domain authentication continue as expected.

Why the other options are not correct: FileVault is Apple’s full-disk encryption for macOS, not Windows. VeraCrypt and Rohos Disk Encryption are third-party solutions that can provide disk encryption, but they do not match the stated preference for deep Windows enterprise integration with TPM-based startup protection and Active Directory–based recovery key escrow through standard Microsoft management policies.

Therefore, the best solution for this Windows enterprise requirement is BitLocker Drive Encryption.

CEH v13 highlights behavioral analytics as one of the most effective techniques for identifying ambiguous or stealthy threats such as data exfiltration, command-and-control traffic, and insider abuse. When interactions appear suspicious but not definitively malicious, behavioral profiling provides the most direct visibility.

Behavioral analytics tools establish a baseline of normal system and network behavior, including typical communication patterns, data transfer volumes, destinations, and timing. Deviations from this baseline trigger alerts, allowing analysts to detect previously unknown threats without relying on signatures.

Option C is the most appropriate because it both identifies anomalies and supports continuous mitigation. A full zero-trust shutdown (Option A) is disruptive. Forensics (Option B) is reactive and better suited after confirmation of compromise. Training (Option D) does not address system-level interactions.

CEH v13 emphasizes that modern attacks often blend into normal traffic, making behavioral analysis essential. Therefore, Option C is the correct answer.