During a routine security audit, administrators discover that cloud storage backups were illegally accessed and modified. Which countermeasure would most directly mitigate such incidents in the future?
Correct Answer: D
The Certified Ethical Hacker (CEH) Cloud Computing and Data Protection module emphasizes the importance of resilient backup strategies to protect against data tampering, ransomware, and unauthorized modification. The 3-2-1 backup model is a widely recommended best practice referenced in CEH materials. It requires maintaining:
* 3 copies of data
* Stored on 2 different media types
* With 1 copy stored offsite
This approach ensures that even if cloud backups are compromised or altered, clean and uncompromised versions remain available. CEH documentation highlights this model as a core defense against data integrity attacks in cloud environments. Option D directly mitigates the risk of backup tampering. Options A, B, and C address unrelated security concerns and do not protect backup integrity.
312-50v13 Exam Question 72
During a penetration test at Triangle FinTech in Raleigh, North Carolina, ethical hacker Ethan attempts to bypass the company's perimeter firewall. Instead of sending obvious malicious payloads, he encapsulates his traffic inside standard web requests on port 80, blending in with normal browsing activity. This method allows his packets to slip past perimeter defenses that are not performing deep application inspection. Which firewall evasion technique is Ethan most likely using?
Correct Answer: A
The described technique is HTTP tunneling because Ethan is encapsulating his traffic inside standard web requests on port 80 to blend with normal browsing activity and bypass perimeter defenses that only perform basic port/protocol filtering. HTTP tunneling leverages the fact that many organizations allow outbound (and sometimes inbound) HTTP/HTTPS traffic through firewalls for business needs. If a firewall is not doing deep inspection (such as application-layer proxying, WAF inspection, or strict egress controls), encapsulated traffic can traverse allowed ports while carrying non-HTTP payloads inside the HTTP structure. The scenario's core clues are: (1) "encapsulates his traffic inside standard web requests," (2) uses port 80, and (3) success depends on the firewall "not performing deep application inspection." These are exactly the conditions where HTTP tunneling is effective: the traffic appears as ordinary HTTP sessions, so the firewall treats it as permitted web traffic even though the content is being used as a carrier for another protocol or command channel. Why the other options don't fit: DNS tunneling (D) also encapsulates traffic, but it uses DNS queries/responses (typically UDP/TCP 53), not HTTP requests on port 80. Tiny fragments (C) is an evasion method that breaks packets into very small fragments to confuse filtering/IDS reassembly; the scenario is about encapsulation in web requests, not fragmentation. Source routing (B) attempts to influence the packet path using IP options; it is not described here and is commonly blocked or ignored in modern networks. Therefore, the firewall evasion technique is A. HTTP Tunneling.
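The explanation turns on the difference between port-based filtering and application-layer inspection. The following added example (not from the CEH materials or this question set) shows the minimal checks a port-80 inspector would apply to the first bytes of a stream; the sample payloads are constructed, and the rules are deliberately simple to illustrate why "open port 80" and "valid HTTP" are not the same thing.

```python
import re

# Constructed sample payloads as they might appear on TCP/80 (not real captures).
SAMPLES = {
    "browser_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n",
    # A non-HTTP protocol simply pointed at port 80: port filtering alone lets it through.
    "ssh_on_80": b"SSH-2.0-OpenSSH_9.6\r\n",
    # Syntactically valid HTTP carrying an undeclared binary body (a tunnelling pattern).
    "post_binary": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Content-Length: 4\r\n\r\n\x00\x01\x02\x03",
    "post_form": b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 9\r\n\r\nuser=john",
}

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^ \r\n]+ HTTP/1\.[01]$")

def inspect_port80(payload: bytes) -> str:
    """Return 'allow' or 'alert:<reason>' for the opening bytes of a port-80 stream.
    A port-only firewall would return 'allow' for every sample above."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return "alert:non-http-request-line"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return "alert:missing-host-header"
    if body:
        ctype = headers.get(b"content-type")
        if ctype is None:
            return "alert:body-without-content-type"
        # Crude content check: control bytes inside a body declared as text/form data.
        if ctype.startswith((b"text/", b"application/x-www-form-urlencoded")) \
                and any(b < 0x09 for b in body):
            return "alert:binary-in-text-body"
    return "allow"

def inspect_all() -> dict:
    """Run the inspector over every constructed sample."""
    return {name: inspect_port80(data) for name, data in SAMPLES.items()}
```

A production inspector would additionally enforce header limits, validate `Content-Length` against the body, and examine HTTPS after TLS termination; this block only shows the principle.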
312-50v13 Exam Question 73
A regional e-commerce company in Dallas, Texas operates an Apache-based web server to manage product catalogs and promotional campaigns. During an authorized assessment, a security consultant analyzes how the platform processes a referral parameter embedded in product-sharing links. While reviewing responses through an intercepting proxy, he observes that values supplied in the referral parameter are incorporated into metadata returned to the browser. By introducing carefully crafted delimiter characters into the parameter, he notices that the structure of the server's outbound response changes in an unexpected manner. Further testing shows that the manipulated input causes the server to generate multiple logically distinct response segments within what should have been a single transaction. When the crafted link is accessed through a standard browser, the client interprets the injected portion as a separate directive, resulting in redirection behavior influenced by the attacker-controlled input. Identify the web server attack technique being demonstrated in this scenario.
Correct Answer: C
The correct answer is HTTP Response-Splitting Attack. CEH web server coverage explains that HTTP response splitting occurs when attacker-controlled input is inserted into HTTP headers or response metadata in a way that allows the server to split one intended response into two separate responses or response segments. The question specifically describes crafted delimiter characters changing the structure of the outbound response and causing the browser to interpret the injected content as a separate directive, including attacker-influenced redirection. That is the classic behavior of response splitting. Directory traversal would involve unauthorized path navigation to restricted files or directories. Web cache poisoning focuses on corrupting cached responses so later users receive malicious or altered content, which is related conceptually but not the direct mechanism described here. CEH materials present HTTP response splitting as a means to an end, often used to trigger redirect behavior or facilitate secondary attacks by controlling the second response or header content. Because the attacker manipulates server output into multiple response components within a single transaction, HTTP Response-Splitting is the most precise answer.
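To make the mechanism concrete, here is an added example (not code from the question set or from any real product) of a redirect handler that copies a referral parameter into a `Location` header. The vulnerable builder concatenates the raw value; the hardened builder rejects CR/LF and percent-encodes the value. The referral values are constructed test inputs.

```python
from urllib.parse import urlencode

def build_redirect_vulnerable(ref: str) -> bytes:
    """Naive concatenation: any CR/LF inside ref lands directly in the header block,
    so a client can parse the remainder as a second, attacker-authored response."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /share?ref={ref}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")

def build_redirect_hardened(ref: str) -> bytes:
    """Reject CR/LF outright, then percent-encode the value so no header-delimiting
    byte can reach the response. Encode once and never decode the value again later."""
    if "\r" in ref or "\n" in ref:
        raise ValueError("CR/LF not allowed in header values")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /share?{urlencode({'ref': ref})}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")

def status_lines(raw: bytes) -> list:
    """Status lines a naive client could parse from the byte stream; more than one
    means the single intended response was split into several segments."""
    return [ln for ln in raw.split(b"\r\n") if ln.startswith(b"HTTP/1.1 ")]

# Constructed test inputs: one referral value carrying CRLF delimiters followed by a
# second status line (the pattern described in the scenario), and one benign value.
CRLF_REF = "promo\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>injected</h1>"
CLEAN_REF = "promo 42"

def check(ref: str) -> dict:
    """Compare both builders on one input: how many responses the vulnerable
    output contains, and what the hardened builder produces or why it refused."""
    result = {"vulnerable_responses": len(status_lines(build_redirect_vulnerable(ref)))}
    try:
        result["hardened"] = build_redirect_hardened(ref).decode("latin-1")
    except ValueError as exc:
        result["hardened"] = f"rejected: {exc}"
    return result
```

Most modern frameworks already refuse CR/LF in header values; the remaining risk is usually custom code that writes headers by hand or decodes a percent-encoded value a second time before emitting it.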
312-50v13 Exam Question 74
As part of a quarterly security review at EvoTrans Logistics, a global freight optimization firm, you have been brought in as a senior cybersecurity analyst to audit perimeter firewall configurations across cloud-hosted application clusters. During your investigation, you notice that TCP port 1433 is open on a virtual machine tagged as svc-node-east-14, which was provisioned by a now-defunct third-party vendor. The node is not referenced in any current infrastructure diagrams, yet live traffic logs suggest it is still handling requests during peak hours. No documentation exists regarding its service role, but you are tasked with flagging misconfigurations that may violate policy or expose critical services unnecessarily. Based on your understanding of standard port assignments, you must determine what service this port likely represents and whether its exposure warrants escalation. Which of the following services is most likely running on this port and requires immediate review?
Correct Answer: C
TCP port 1433 is the well-known default port for Microsoft SQL Server, formally registered as ms-sql-s. In CEH network and perimeter security coverage, identifying services by their default port assignments is a critical reconnaissance and defensive skill. When reviewing firewall rules and exposed services, analysts correlate open ports with their associated protocols to determine risk exposure. Port 1433 is widely recognized as the primary listening port for Microsoft SQL Server instances configured with default settings. The presence of an undocumented virtual machine actively handling traffic on port 1433 is particularly concerning because database services often store sensitive operational or customer data. If exposed unnecessarily, SQL Server can be targeted for brute-force authentication attacks, SQL injection exploitation, misconfiguration abuse, or exploitation of unpatched vulnerabilities. CEH materials emphasize that database services should not be directly exposed to the internet unless absolutely necessary and must be protected by strict access controls, segmentation, encryption, and monitoring. Option B, SqlNet, typically refers to Oracle database communication over port 1521. Option D, ms-sql-m, is associated with SQL Server Browser service over UDP 1434, not TCP 1433. Option A, sqlsrv, is not the formal IANA-registered service name for port 1433. Because ms-sql-s is the standard designation for Microsoft SQL Server on TCP port 1433, and given the risk of exposing database services, this finding warrants immediate escalation and review.
312-50v13 Exam Question 75
In Miami, Florida, a luxury resort deploys smart climate control units in guest rooms. During a red team engagement, ethical hacker Sophia Bennett discovers that once a compromised device is restarted, it continues running altered instructions without any integrity check before the operating system loads. This allows tampered firmware to run as if it were legitimate. Which secure development practice would most directly prevent this weakness?
Correct Answer: D
The weakness described is that a device can reboot and still execute tampered firmware or pre-boot code "without any integrity check before the operating system loads." The secure development practice that most directly prevents this is Secure Boot. Secure boot establishes a chain of trust starting at power-on, where each stage of the boot process verifies the integrity and authenticity of the next stage (bootloader, kernel, firmware components) before execution. If the verification fails (because firmware was modified, unsigned, or improperly signed), the device can halt, fall back to a known-good image, or enter a recovery mode, preventing malicious pre-OS code from running as if it were legitimate. This matters especially for IoT devices such as smart climate control units, where attackers may attempt to persist by modifying firmware so that malware survives reboots. Without pre-boot integrity verification, a compromised device can continually load attacker-controlled instructions, making detection and remediation difficult. Why the other options are less direct: Code signing (A) is important, but by itself it does not guarantee the device will verify signatures at boot time. Secure boot is the enforcement mechanism that validates signed boot components before they run. Secure firmware/software updates (B) reduce the chance of malicious updates being installed (e.g., signed OTA updates, authenticated update channels), but they do not necessarily prevent execution of already-tampered firmware at startup if boot-time verification is missing. Secure communication protocols (C) protect data in transit and device communications, but they do not address firmware integrity during the boot process. Therefore, the most direct preventive practice for this pre-OS integrity gap is D. Ensure secure boot.
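The chain-of-trust idea can be shown in a few lines. This added example (not from the CEH materials) simulates a two-stage boot in which an immutable root-of-trust digest pins the bootloader and the bootloader image pins the kernel; real secure boot verifies vendor signatures over each image rather than bare SHA-256 digests, so the hash chain here is a simplification, and the images are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Stage:
    name: str
    image: bytes        # constructed placeholder for the stage's code
    next_digest: bytes  # SHA-256 of the image this stage may launch next (b"" if last)

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class BootFailure(Exception):
    pass

def build_chain() -> tuple:
    """Build a two-stage chain. The bootloader image embeds the kernel digest, and
    the digest of the bootloader plays the role of the root of trust burned into ROM."""
    kernel = Stage("kernel", b"KERNEL v1 (constructed image)", b"")
    bl_image = b"BOOTLOADER v1 (constructed image)" + digest(kernel.image)
    bootloader = Stage("bootloader", bl_image, digest(kernel.image))
    root_of_trust = digest(bootloader.image)   # immutable on a real device
    return root_of_trust, [bootloader, kernel]

def verified_boot(root_of_trust: bytes, stages: list) -> list:
    """Secure-boot behaviour: hash each stage and compare it with the digest pinned by
    the previously verified stage (or the root of trust) before letting it run."""
    expected, executed = root_of_trust, []
    for stage in stages:
        if digest(stage.image) != expected:
            raise BootFailure(f"integrity check failed at {stage.name}")
        executed.append(stage.name)      # stage is allowed to execute
        expected = stage.next_digest     # trusted stage vouches for the next one
    return executed

def legacy_boot(stages: list) -> list:
    """The weakness in the scenario: every stage runs with no pre-execution check."""
    return [stage.name for stage in stages]

def simulate(secure_boot: bool, tamper_kernel: bool) -> str:
    """Boot the constructed device, optionally with a modified kernel image."""
    root, stages = build_chain()
    if tamper_kernel:
        k = stages[1]   # attacker-modified image (constructed)
        stages[1] = Stage(k.name, k.image + b" + persistence", k.next_digest)
    try:
        ran = verified_boot(root, stages) if secure_boot else legacy_boot(stages)
        return "booted: " + ",".join(ran)
    except BootFailure as exc:
        return "halted: " + str(exc)
```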