Passed Exam Today 312-50v13

The requirement that each device authenticate through a centralized server using unique usernames and passwords aligns directly with 802.1X authentication, which CEH materials describe as port-based Network Access Control used in enterprise wired and wireless environments. In Wi-Fi, 802.1X is typically implemented as WPA2-Enterprise or WPA3-Enterprise and relies on EAP methods with a backend AAA server, most commonly RADIUS. The access point acts as the authenticator, forwarding the client’s authentication exchange to the RADIUS server, which validates the user or device identity and returns an accept or reject decision along with session keys and policy attributes. This provides strong control and auditing because access can be tied to individual identities, supports account disablement, and can enforce different access levels.

The other options do not match the “centralized server with unique credentials” description. Disabling TKIP improves security by removing an outdated encryption protocol, but it does not provide per-user authentication. MAC address filtering is weak because MAC addresses are easily discovered and spoofed, and it does not use centralized identity validation. Upgrading to WPA3 improves cryptographic strength, and WPA3-Enterprise can work with 802.1X, but WPA3 alone does not guarantee centralized username and password authentication unless the enterprise mode with 802.1X is specifically deployed. Therefore, the correct countermeasure that fits the described design is to use 802.1X authentication with a centralized authentication server, enabling strong access control, accountability, and improved resistance to unauthorized device connections.

The correct answer is B. Distributed Reflection Denial-of-Service (DRDoS) because the scenario describes the two defining elements of DRDoS: reflection and amplification at scale using third-party systems. Maria “forges requests” (i.e., spoofs the victim’s IP address as the source) to “multiple open services across the internet.” Those services then send their replies to the spoofed source—the victim—so the victim receives a large volume of unsolicited responses. This is reflection: the attacker does not attack the victim directly; instead, the attacker reflects traffic off other servers. The “multiplying the amount of traffic” indicates amplification: many protocols/services respond with packets significantly larger than the request, so the attacker’s small outbound traffic results in a much larger inbound flood against the target.

The mention of “multiple open services” and being overwhelmed by a “flood of responses” is classic DRDoS behavior. From a defender’s perspective, DRDoS attacks are difficult because the traffic often appears to come from legitimate servers, and the victim is receiving replies to requests it never sent. Mitigations include source address validation (BCP 38 anti-spoofing), rate limiting, filtering/ACLs for abused UDP services, and upstream scrubbing/CDN or DDoS protection.

Why the other options are less accurate: Smurf is a specific reflection/amplification attack using ICMP to a broadcast address (now largely mitigated by disabling directed broadcasts). Botnet describes the attacker’s infrastructure (many compromised machines) but not the reflection/amplification mechanism; a botnet can be used to launch many types of DDoS attacks. NTP amplification is one specific DRDoS variant using misconfigured NTP servers (UDP/123). The question describes the broader technique across “multiple open services” rather than naming NTP specifically, so the best match is the general category DRDoS.

Therefore, Maria is demonstrating a Distributed Reflection Denial-of-Service (DRDoS) attack.

The Certified Ethical Hacker (CEH) Incident Response lifecycle begins with Identification, followed by containment, eradication, recovery, and lessons learned. CEH documentation stresses that understanding the scope and nature of an incident is critical before taking disruptive action.

Option A is the correct initial response because it focuses on real-time monitoring and log analysis, which are essential during the identification phase. CEH materials emphasize analyzing logs, authentication failures, and traffic anomalies to confirm whether an incident has occurred and determine the attacker’s techniques, persistence level, and impact.

Option B, while valuable, is more appropriate after initial identification. Conducting deep outbound traffic audits without first understanding the attack vector can delay containment decisions.

Option C is premature. CEH warns that changing credentials too early may alert the attacker and cause them to escalate or destroy evidence.

Option D represents a containment strategy, not an initial response. CEH guidelines advise against immediately disconnecting systems unless there is confirmed active data exfiltration that cannot be otherwise controlled, as this may disrupt business operations and erase volatile forensic evidence.

Therefore, the CEH-approved approach is to monitor, analyze, and identify the incident before moving to containment and eradication.

According to CEH v13 Cloud Computing, improper identity and access management (IAM) is one of the most common causes of cloud security incidents. When former employees retain access to cloud resources, it represents a failure in user lifecycle management, specifically in the de-provisioning phase.

Timely user de-provisioning ensures that when an employee leaves the organization or changes roles, all associated access rights—API keys, IAM roles, credentials, tokens, and permissions—are immediately revoked. CEH v13 emphasizes that cloud environments magnify this risk because access is often centralized and remote, meaning former employees can access systems from anywhere.

Options A, B, and C are supportive security practices but do not directly address the root cause. Multi-cloud models do not prevent unauthorized access. Traffic analysis may detect misuse after the fact but does not prevent it. Penetration testing identifies vulnerabilities but does not manage user access.

CEH v13 explicitly identifies timely de-provisioning as a critical cloud security control to prevent insider threats, privilege abuse, and compliance violations. Therefore, Option D is the correct answer.