Download Full Version 312-50v13 ECCouncil Exam

Blowfish is the only option that matches all the technical characteristics described. In CEH cryptography concepts, symmetric algorithms are commonly distinguished by their structure (block cipher versus stream cipher), block size, and supported key lengths. The question states the algorithm encrypts data in 64-bit blocks and supports a variable key size ranging from 32 bits up to 448 bits, and it was introduced as a replacement for DES. Blowfish fits precisely: it is a symmetric block cipher with a 64-bit block size and a configurable key length from 32 to 448 bits, designed to be fast in software and positioned historically as an alternative to older ciphers such as DES.

The other choices do not align with these identifying properties. RC4 is a stream cipher and does not operate on fixed-size blocks, so it cannot match the 64-bit block requirement. AES is a block cipher but uses a 128-bit block size with fixed key sizes of 128, 192, or 256 bits, not 32 to 448 bits. Twofish, while related historically as a successor-era design, also uses a 128-bit block size and fixed key sizes up to 256 bits, so it does not match either.

From a CEH perspective, the mention of variable key sizes also hints at risk evaluation: shorter keys in any cipher can be brute-forced, so secure deployments require strong key length selection and proper key management. Additionally, Blowfish’s 64-bit block size can be a concern in large-volume encryption scenarios due to block collision risks, which is why modern systems often prefer 128-bit block ciphers for new designs.

CEH v13 explains that LDAP enumeration is often restricted by Access Control Lists (ACLs). Sensitive directory objects and attributes are frequently protected to prevent unauthorized disclosure.

Even when LDAP is accessible, ACLs can limit the visibility of users, groups, and configuration data.

CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking façade combined with hidden malicious intent, which matches the scenario perfectly. Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software. Worms (Option C) self-replicate across networks, which is not described here. Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.

Insufficient logging and monitoring is the most direct threat highlighted by the scenario. In CEH-aligned cloud security concepts, visibility is foundational: without adequate telemetry, security teams cannot detect, investigate, or respond to malicious activity in time. The question explicitly states attackers “remained undetected” because the organization lacked mechanisms to track function-level activity and capture anomalous events. In a serverless architecture, this visibility gap can be especially damaging because there are no traditional servers for defenders to log into, and many security signals must be collected from cloud-native sources such as function invocation logs, API gateway logs, identity events, and centralized monitoring pipelines.

While privilege escalation is a common cloud threat, the question’s root cause is not described as excessive permissions or role abuse; it is the lack of detection capability. Loss of governance refers to weak policies, mismanaged accounts, and lack of control over cloud resources, which may contribute indirectly but is not the immediate failure described. Side-channel attacks are specialized and do not match the evidence of missed alerts and absent operational telemetry.

CEH guidance emphasizes implementing centralized logging, continuous monitoring, alerting, and anomaly detection as core controls. For serverless, this includes capturing detailed function execution logs, tracing, identity and access events, and integrating them into a SIEM/SOAR workflow. Effective monitoring enables rapid detection of abnormal invocation patterns, suspicious API calls, unusual data access, and persistence attempts—reducing dwell time and preventing small compromises from becoming major outages.