Exactprep 312-50v13 Questions

The correct answer is A. Firmware update attack because the scenario describes an attacker delivering an unauthenticated, non-cryptographically verified update/package to a controller and successfully altering its operational logic. In IoT/OT environments, controllers (PLCs, RTUs, PACs, and embedded industrial devices) often support updating firmware or logic over the network for maintenance. If the device does not verify the source, integrity, and authenticity of update packages—typically through signed firmware, certificates, and secure update channels—an attacker can replace legitimate code with a maliciously modified version.

Sameer’s demonstration maps directly to a firmware/logic update compromise: he uploads “altered instructions” and changes how the controller processes commands during operations. This is exactly the type of risk highlighted in OT security: unauthorized modification of controller logic can cause unsafe states, disrupt production, damage equipment, or create stealthy manipulation that is difficult to detect. The explicit mention of “without checking the origin or cryptographic validity” indicates missing controls like digital signatures, hash verification, and trusted update mechanisms, which are central to firmware update security.

Why the other options are less accurate: Forged malicious device usually refers to introducing a rogue or cloned device into the environment to impersonate legitimate equipment. Remote access using backdoor implies an existing hidden access mechanism rather than abuse of the update mechanism itself. Exploit kits are typically collections of exploits used to compromise systems, commonly discussed more in endpoint/web contexts; they don’t specifically describe the act of pushing an altered firmware/logic package that the controller accepts due to missing validation.

Therefore, the technique is best categorized as a firmware update attack, leveraging weak or absent authenticity/integrity checks on update packages to modify OT controller behavior.

The correct answer is Search Engine Phishing. CEH social engineering material explains that search engine phishing involves creating fraudulent websites and manipulating search visibility so that victims discover and visit the malicious site through search results rather than through a direct email or message lure. In this scenario, patients searching for the clinic’s appointment system are led to a fake portal that closely resembles the official one and is positioned prominently in search engine results. That is the defining pattern of search engine phishing. Pharming would involve silently redirecting users to a fraudulent site through DNS or host-resolution manipulation, but the question specifically states that internal DNS servers were not altered and that users voluntarily navigated there through search results. Spear phishing would require targeted communications sent directly to victims, and whaling is aimed at high-profile executives. CEH guidance emphasizes that search engine phishing can be especially effective because users believe they are independently finding the legitimate service. Since the attacker relied on a cloned portal and manipulated search visibility rather than direct messaging or DNS tampering, Search Engine Phishing is the best answer.

The correct answer is B, Residual risk. In CEH risk-management terminology, residual risk is the amount of risk that remains after security controls, safeguards, countermeasures, or mitigation strategies have been applied. A penetration test identifies vulnerabilities, threats, and weaknesses that may expose an organization to risk. After the tester recommends controls such as patching, access control improvements, network segmentation, monitoring, hardening, or user awareness training, those controls reduce the likelihood or impact of exploitation. However, security controls rarely remove all risk completely. The remaining exposure is known as residual risk, and management must decide whether to accept, transfer, avoid, or further mitigate it. Inherent risk is the original level of risk before any controls are applied. Gap analysis is a comparison between the current security state and the desired or required state. Total risk usually refers to the overall risk before accounting for implemented safeguards. Therefore, the best term for risk remaining after controls is residual risk.

When partial root access exists, preventing further privilege abuse is the immediate priority. CEH v13 explains that Mobile Application Management (MAM) enforces granular access control, application isolation, and permission enforcement—even on compromised devices.

Secure coding (Option A) and testing (Option C) are preventative measures but do not contain an active compromise. Certificate pinning (Option B) protects communications, not application control.

MAM solutions allow administrators to revoke access, enforce policies, and isolate apps, limiting attacker capabilities post-compromise. Therefore, Option D is correct.