During a penetration test at Cascade Financial in Raleigh, ethical hacker Ethan Brooks evaluates the security of the company's authentication system. He observes that the application accepts a high volume of repeated credential submissions without introducing any additional challenge, allowing automated scripts to cycle rapidly through large password lists. Ethan advises the IT team to deploy a control that forces interaction steps designed to disrupt automation. Which countermeasure should the IT team adopt in this scenario?
Correct Answer: C
The scenario describes an authentication endpoint that allows a high volume of repeated login attempts with no additional friction, enabling automated scripts to rapidly try large password lists. This is typical of online password guessing and credential stuffing/brute-force style automation. The countermeasure being requested is explicitly one that "forces interaction steps designed to disrupt automation," which best matches CAPTCHA. CAPTCHA mechanisms introduce a challenge-response test intended to distinguish humans from automated bots, thereby reducing the effectiveness of scripted, high-rate credential attempts.

CAPTCHA is commonly deployed on login and registration pages (and sometimes on password reset flows) to slow down or block automated abuse. When triggered (often after a threshold of failed attempts or suspicious behavior), it forces the requester to complete an interactive step (image selection, puzzle, checkbox with behavioral analysis, etc.). This breaks fully automated attack loops and increases the attacker's cost, especially when combined with additional controls such as account lockout thresholds, IP reputation, device fingerprinting, and rate limiting.

Why the other options are less aligned to the "disrupt automation" requirement:

- Strong hashing algorithms (A) protect stored passwords at rest (e.g., if a database is compromised). They do not directly stop online automated login attempts.
- 2FA/MFA (B) is excellent for reducing account takeover impact, but it does not inherently prevent high-volume credential submissions; it adds a second factor after correct credentials are provided. Also, the question's wording strongly points to a bot-disruption interaction step.
- Forced periodic password changes (D) is not a primary control for stopping automated login attempts and can introduce usability issues; it does not directly add friction to repeated submissions.

Therefore, the most appropriate countermeasure described is C. Use CAPTCHA challenges on login and registration pages.
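The threshold-triggered challenge described in the explanation above can be sketched as follows. This is an added example, not part of the exam material; the class name, the threshold of 5 failures in 300 seconds, and the sample traffic are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LoginChallengeGate:
    """Require a CAPTCHA once recent failures for an account or source IP hit a threshold."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # (kind, value) -> failure timestamps

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return len(q)

    def requires_challenge(self, user, ip, now):
        # Per-account counter catches many IPs guessing one account;
        # per-IP counter catches one client cycling through many accounts.
        return (self._recent(("user", user.lower()), now) >= self.max_failures
                or self._recent(("ip", ip), now) >= self.max_failures)

    def record_failure(self, user, ip, now):
        self._failures[("user", user.lower())].append(now)
        self._failures[("ip", ip)].append(now)

    def record_success(self, user):
        self._failures.pop(("user", user.lower()), None)  # IP counter just ages out

def simulate(gate, attempts):
    """Replay (time, user, ip, password_ok, captcha_solved) tuples; return decisions."""
    decisions = []
    for now, user, ip, password_ok, captcha_solved in attempts:
        if gate.requires_challenge(user, ip, now) and not captcha_solved:
            decisions.append("challenge")  # credentials are not even evaluated
        elif password_ok:
            gate.record_success(user)
            decisions.append("allow")
        else:
            gate.record_failure(user, ip, now)
            decisions.append("deny")
    return decisions

# Constructed traffic: a script guessing alice's password, then legitimate users.
SAMPLE = [(t, "alice", "203.0.113.7", False, False) for t in range(7)] + [
    (10, "bob", "198.51.100.4", True, False),     # unrelated user, unaffected
    (20, "alice", "198.51.100.9", True, False),   # real alice must solve the challenge
    (25, "alice", "198.51.100.9", True, True),    # solved: login proceeds
    (400, "carol", "203.0.113.7", False, False),  # window expired for the old IP
]
```

Replaying `SAMPLE` shows the script stopped at the sixth attempt while an unrelated user is never challenged.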
312-50v13 Exam Question 142
While simulating a reconnaissance phase against a cloud-hosted retail application, your team attempts to gather DNS records to map the infrastructure. You avoid brute-forcing subdomains and instead aim to collect specific details such as the domain's mail server, authoritative name servers, and potential administrative information like serial number and refresh interval. Given these goals, which DNS record type should you query to extract both administrative and technical metadata about the target zone?
Correct Answer: B
The correct choice is the SOA record because it uniquely provides authoritative administrative and operational metadata about a DNS zone. In CEH reconnaissance techniques, DNS enumeration is a high-value passive and semi-passive method to learn about an organization's infrastructure without actively attacking hosts. The Start of Authority record defines core parameters of the zone and identifies the primary authoritative name server for that domain. Most importantly for this question, the SOA record contains fields that directly match "serial number and refresh interval," which are classic SOA elements used for zone replication and synchronization behavior between primary and secondary DNS servers.

An SOA record typically includes the primary name server, the responsible party field often formatted like an email address for the zone administrator, the zone serial number, and timing values such as refresh, retry, expire, and minimum TTL. These details can reveal change frequency, operational practices, and sometimes administrative contact clues, all of which are relevant in reconnaissance and reporting.

The other record types do not meet the requirement. MX records identify mail exchangers for the domain but do not include serial or refresh parameters. NS records list authoritative name servers but lack administrative timing metadata. TXT records store arbitrary text such as SPF, DKIM, DMARC, or verification strings and are useful for email security posture analysis, but they do not provide the zone control fields the question references. Since the question explicitly calls out serial and refresh interval, the SOA record is the only option that fits completely.
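To see what the SOA fields listed above disclose about a zone you administer, the following added example (not part of the exam material) parses an SOA record in presentation format and reports the contact mailbox, a date-style serial, and two timer sanity checks. The sample record and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed record in dig / zone-file presentation format (not a real zone).
SAMPLE_SOA = r"""shop.example. 3600 IN SOA ns1.shop.example. dns\.admin.shop.example. (
        2024051503 ; serial
        7200 900 1209600 300 )"""

def rname_to_mailbox(rname):
    """The first unescaped dot in RNAME stands for the '@' of the mailbox."""
    m = re.match(r"((?:\\.|[^.\\])+)\.(.+?)\.?$", rname)
    if not m:
        raise ValueError("not a mailbox-style RNAME: " + rname)
    return re.sub(r"\\(.)", r"\1", m.group(1)) + "@" + m.group(2)

def parse_soa(text):
    """Parse one SOA record, tolerating the multi-line form with comments."""
    flat = re.sub(r";[^\n]*", "", text).replace("(", " ").replace(")", " ")
    f = flat.split()
    i = f.index("SOA")
    if len(f) < i + 8:
        raise ValueError("truncated SOA record")
    names = ("serial", "refresh", "retry", "expire", "minimum")
    soa = dict(zip(names, (int(x) for x in f[i + 3:i + 8])))
    soa.update(zone=f[0], mname=f[i + 1], contact=rname_to_mailbox(f[i + 2]))
    return soa

def serial_as_date(serial):
    """Return (ISO date, revision) if the serial follows YYYYMMDDnn, else None."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return datetime.strptime(s[:8], "%Y%m%d").date().isoformat(), int(s[8:])
    except ValueError:
        return None

def review(soa):
    """List what the record tells an outside observer, plus timer sanity checks."""
    notes = ["contact mailbox published: " + soa["contact"]]
    dated = serial_as_date(soa["serial"])
    if dated:
        notes.append("serial reveals last change on %s (revision %d)" % dated)
    if soa["retry"] >= soa["refresh"]:
        notes.append("retry is not shorter than refresh")
    if soa["expire"] <= soa["refresh"]:
        notes.append("expire is not longer than refresh")
    return notes
```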
312-50v13 Exam Question 143
At a Los Angeles-based online gaming company, penetration tester John investigates a recent cloud breach that caused downtime and delayed alerts. He finds that the root issue was management's lack of defined responsibilities for monitoring, auditing, and securing serverless services, which left critical functions unmanaged. Which cloud computing threat does this scenario best illustrate?
Correct Answer: B
The scenario best illustrates loss of governance because the core problem is not a specific technical exploit but a failure in management oversight, accountability, and control assignment for cloud/serverless security responsibilities. The question describes "lack of defined responsibilities for monitoring, auditing, and securing serverless services," resulting in critical functions being "unmanaged," which led to downtime and delayed alerts. That is a governance failure: the organization did not establish clear ownership, policies, and operational processes to ensure cloud workloads (specifically serverless functions) were properly monitored, audited, and secured.

In cloud environments, governance includes defining roles and responsibilities (shared responsibility model understanding), establishing security baselines, ensuring logging/monitoring coverage, enforcing configuration management, and maintaining compliance oversight. When governance is weak, services may be deployed without consistent security controls, alerts may be misconfigured or ignored, and incident response can be delayed because no team is clearly accountable. Serverless increases this risk because it can be rapidly adopted by developers, spun up quickly, and overlooked by traditional infrastructure processes if the organization's governance framework doesn't explicitly include it.

While "insufficient logging and monitoring" (A) is closely related, the scenario frames the root cause as management's lack of defined responsibilities, which is broader than missing logs. It's about the absence of governance structures that ensure logging/monitoring are implemented and owned. Privilege escalation and side-channel attacks are technical attack categories not suggested by the description. Therefore, the cloud threat illustrated is B. Loss of governance.
312-50v13 Exam Question 144
During a penetration test, you perform extensive DNS interrogation to gather intelligence about a target organization. Considering the inherent limitations of DNS-based reconnaissance, which of the following pieces of information cannot be directly obtained through DNS interrogation?
Correct Answer: A
The CEH Footprinting and Reconnaissance module describes DNS interrogation as a valuable technique for extracting publicly available infrastructure information such as A records, MX records, NS records, and subdomains. DNS can reveal:

- Subdomains (via zone transfers, brute forcing, or enumeration)
- Mail server IP addresses (MX records)
- Server locations inferred from IP geolocation

However, DNS does not store authentication credentials. Usernames and passwords are protected within authentication systems and directories, not DNS records. Therefore, option A is correct. CEH clearly states that DNS reconnaissance is limited to infrastructure metadata, not sensitive user credentials.
312-50v13 Exam Question 145
In the neon-lit sprawl of Las Vegas, Nevada, a luxury hotel's smart room control system suffered a breach, allowing an intruder to manipulate guest room settings. The incident investigation revealed that the IoT devices lacked any mechanism to verify the integrity or authenticity of software prior to execution, allowing tampered instructions to run unchecked. As Emna Ruza, a cybersecurity consultant brought in to assess the breach, you recommend a solution that ensures only authorized, validated code is executed on the devices. Which secure development practice are you advising the hotel to implement?
Correct Answer: A
The core weakness described is that the IoT devices "lack any mechanism to verify the integrity or authenticity of software prior to execution," which directly maps to the need for code signing. In CEH-aligned IoT security guidance, code signing ensures that firmware and software images are cryptographically signed by a trusted authority and verified on the device before they are installed or executed. This verification confirms two critical properties: integrity, meaning the code has not been altered or tampered with, and authenticity, meaning the code genuinely originated from an authorized publisher. If an attacker attempts to introduce modified binaries or malicious instructions, signature verification fails and the device can reject execution, preventing unauthorized code from running.

While secure boot is closely related, it is specifically a boot-time chain-of-trust mechanism that verifies the bootloader and early-stage firmware during startup. The question, however, emphasizes a general lack of verification "prior to execution," which is broader than boot only and is most directly addressed by code signing as a secure development and release practice. Secure firmware or software updates is also important, but secure updates typically rely on code signing as the fundamental control that makes updates trustworthy. Secure communication protocols protect data in transit, but they do not stop tampered code already on the device from executing.

Therefore, the most appropriate secure development practice to ensure only authorized, validated code runs on the devices is to implement code signing with mandatory signature verification.
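The sign-at-release, verify-before-execution flow described above is shown in this added example, which is not part of the exam material. It uses textbook RSA over a SHA-256 digest with a constructed and deliberately weak key, so that it runs with the standard library only; a real device would use a vetted library scheme such as RSA-PSS or Ed25519, and all names here are hypothetical.

```python
import hashlib

# Constructed, deliberately weak demo key: both primes are Mersenne primes, so the
# modulus is trivially factorable. It stands in for a vendor signing key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus, provisioned on the device
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept on the build server

FIRMWARE = b"constructed firmware image v1.0: set_thermostat(); lock_door();"

def _digest_int(image):
    """SHA-256 digest of the image as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign_image(image):
    """Release-side step: sign the digest with the private exponent."""
    return pow(_digest_int(image), D, N)

def verify_image(image, signature, n=N, e=E):
    """Device-side step: needs only the public key (n, e)."""
    if not 0 < signature < n:
        return False
    # Integrity and authenticity: the signature must open to this image's digest.
    return pow(signature, e, n) == _digest_int(image)

def load_and_run(image, signature, run):
    """Refuse to execute any image whose signature does not verify."""
    if not verify_image(image, signature):
        return "rejected"
    run(image)
    return "executed"
```

A single changed byte in the image, or a signature made with any other key, makes `verify_image` return `False`, so `load_and_run` never calls `run`.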