CEH v13 identifies misconfigured cloud security groups as the leading cause of cloud data exposure. Open ports, public storage buckets, and overly permissive firewall rules frequently expose sensitive data.

Brute force and DoS do not directly expose stored data, and side-channel attacks are rare and advanced.

CEH v13 emphasizes that well-secured applications use HTTPS, secure cookies, and session regeneration to defend against common session hijacking techniques. In such hardened environments, traditional attacks like session fixation or simple XSS-based token theft often fail because session IDs change at login and secure flags prevent exposure. The remaining viable approach is session token prediction, an advanced attack that analyzes statistical patterns, entropy weaknesses, or timing issues in session ID generation algorithms. CEH discusses that weak pseudorandom number generators (PRNGs) or predictable sequences can allow attackers to compute a valid session ID without intercepting traffic. This method bypasses cookie security and does not rely on manipulating user input, making it suitable for environments with strong defenses. MITM attacks (Option A) require certificate compromise, which is impractical. Session fixation (Option B) fails because the application regenerates tokens. XSS (Option D) is ineffective when secure flags prevent JavaScript access to cookies. Thus, token prediction is the correct answer.

The correct answer is B. BitLocker Drive Encryption because the requirements describe native Windows full-disk encryption that integrates tightly with enterprise Windows security features and centralized management. BitLocker is Microsoft’s built-in disk encryption technology designed to provide transparent encryption for the operating system volume and additional fixed/removable drives. It supports hardware-backed startup protection through integration with the Trusted Platform Module (TPM), which can help protect encryption keys and validate boot integrity before unlocking the OS volume. This matches the prompt’s requirement for “hardware-backed startup protection.”

The scenario also emphasizes “centralized key escrow via Active Directory/management policies.” In enterprise deployments, BitLocker recovery information can be backed up to Active Directory and managed through Group Policy / MDM controls, enabling standardized enforcement (encryption settings, recovery key handling, compliance reporting) across servers and endpoints. This is a core operational advantage in regulated environments like healthcare: it enables rapid response (recoverability), consistent policy application, and audit-friendly control of encryption keys—without requiring third-party key management tooling for basic escrow needs.

Additionally, the prompt calls for securing the “system partition and attached data volumes” in a way that is compatible with Windows platform behavior and minimizes disruption. BitLocker supports encrypting both the OS volume and data volumes, and it is designed for transparent operation once enabled, so normal server use and domain authentication continue as expected.

Why the other options are not correct: FileVault is Apple’s full-disk encryption for macOS, not Windows. VeraCrypt and Rohos Disk Encryption are third-party solutions that can provide disk encryption, but they do not match the stated preference for deep Windows enterprise integration with TPM-based startup protection and Active Directory–based recovery key escrow through standard Microsoft management policies.

Therefore, the best solution for this Windows enterprise requirement is BitLocker Drive Encryption.

This scenario describes a Slowloris attack, a classic application-layer DoS attack covered in CEH v13 Network and Perimeter Hacking. Slowloris works by opening many HTTP connections and sending data very slowly, preventing the server from closing the connections.

Because the connections appear legitimate, the server keeps them open, eventually exhausting its connection pool. This causes legitimate users to experience timeouts and service unavailability—exactly as described.

ICMP and UDP floods consume bandwidth, which was ruled out. Fragmentation attacks target packet handling, not application-layer sessions.

CEH v13 highlights Slowloris as particularly dangerous because it requires minimal bandwidth and bypasses many traditional DoS defenses. Therefore, Option A is correct.

A FIN scan is a classic “stealth” TCP scan technique discussed in CEH network scanning methodology. Unlike a TCP Connect scan, which completes the full three-way handshake and is highly visible in logs, a FIN scan sends a TCP packet with only the FIN flag set to a target port. The scan then interprets the target’s response to infer whether the port is open or closed, without establishing a normal TCP session. This matches the scenario’s requirement to “infer port states without completing a full connection” and to keep visibility low.

The logic relies on expected TCP behavior defined for many TCP/IP stacks. For a closed port, the target typically responds with an RST packet, indicating there is no service listening. For an open port, many systems do not respond at all to an unexpected FIN packet (because it does not correspond to an existing connection). That “no response” behavior becomes the signal the tester uses to suspect the port may be open or filtered. CEH emphasizes that because FIN scans do not perform a handshake, they can be less likely to trigger certain basic connection-based logging, and they generate fewer obvious connection events than TCP Connect scans.

Option D, NULL scan, is also a stealth method, but it uses a packet with no flags set. The question specifically highlights leveraging TCP flags and is commonly mapped in CEH-style questions to FIN scanning as the representative “TCP flag stealth scan.” Option B is too generic, and option A is the most detectable. Therefore, FIN scan best aligns with the described stealth reconnaissance strategy.

The CEH Footprinting and Reconnaissance module describes DNS interrogation as a valuable technique for extracting publicly available infrastructure information such as A records, MX records, NS records, and subdomains.

DNS can reveal:

Subdomains (via zone transfers, brute forcing, or enumeration)

Mail server IP addresses (MX records)

Server locations inferred from IP geolocation

However, DNS does not store authentication credentials. Usernames and passwords are protected within authentication systems and directories, not DNS records.

Therefore, option A is correct.

CEH clearly states that DNS reconnaissance is limited to infrastructure metadata, not sensitive user credentials.

Ping of Death is a classic Denial-of-Service technique in which an attacker sends oversized or malformed IP packets that exceed the maximum allowed size when reassembled. In IP networks, the maximum packet size is 65,535 bytes. Historically, attackers exploited fragmentation by sending a series of IP fragments that, when reassembled by the target, resulted in a packet larger than the permitted limit or produced an invalid buffer condition. Vulnerable systems could crash, reboot, or become unstable because the network stack mishandled the reassembly process or failed to properly validate packet length and structure.

The scenario matches this behavior precisely: Sofia transmits “oversized, malformed packets” and the server “crashes intermittently due to processing failures.” That symptom is more consistent with a malformed-packet handling flaw than with pure traffic volume. An ICMP flood and an ACK flood are volumetric or resource-exhaustion attacks that overwhelm bandwidth or connection-handling capacity, typically degrading performance rather than directly causing crashes from malformed packet parsing. A Smurf attack is an amplification-based ICMP attack using broadcast addresses to multiply traffic toward a victim; again, it is about volume, not crafted malformed packets that trigger parsing failures.

CEH guidance highlights that PoD-style attacks exploit improper packet validation and reassembly logic. Modern systems are generally patched, but poorly maintained devices, legacy OS stacks, and some embedded implementations can still exhibit instability when exposed to malformed fragmentation and reassembly edge cases.

Creating scheduled tasks is the most likely persistence technique because it can be configured to execute automatically at system startup or on reboot without requiring a user to log in or manually launch anything. In CEH-aligned post-exploitation and persistence concepts, attackers commonly use operating system native mechanisms that blend into normal administrative activity. A scheduled task fits this goal well because it can be named to look legitimate, set to run under a specific account, and triggered by events such as system boot, user logon, or a timed schedule. The scenario explicitly states the payload launches on every reboot without user interaction, which aligns with a boot-triggered scheduled task.

Injecting into the startup folder usually triggers execution when a user logs on, not strictly on system reboot, and it depends on an interactive user session. That contradicts the requirement of no user interaction. Modifying file attributes, such as setting hidden or system attributes, improves stealth and makes a file less noticeable, but it does not create an automatic execution mechanism by itself. Installing a keylogger is a capability for capturing keystrokes, not a persistence method, and it does not inherently guarantee execution after reboot unless paired with an auto-start mechanism.

Therefore, the action that directly ensures the binary runs after each reboot in a controlled and reliable way is creating scheduled tasks, which is a classic persistence method emphasized in ethical hacking workflows for demonstrating real-world attacker behavior and improving defensive detection and hardening.

The finding most directly demonstrates insecure data transfer and storage. The scenario includes two explicit problems: (1) sensitive business records are transmitted “across the network without encryption,” and (2) the same records are “stored in a retrievable format” in the cloud platform. Those two conditions map exactly to data-in-transit and data-at-rest weaknesses. When IoT devices transmit sensitive data without encryption (e.g., plain HTTP, unprotected MQTT, insecure proprietary protocols), attackers who gain network visibility can intercept, read, and potentially modify that data. Similarly, when cloud-stored data is kept in an easily retrievable or improperly protected form (e.g., weak access controls, lack of encryption at rest, overly permissive storage buckets, exposed APIs), attackers can access business records long after transmission.

In IoT ecosystems, data typically flows from sensors to gateways, then to cloud dashboards and analytics services. If encryption and strong access control are not consistently applied across these hops, confidentiality and integrity are at risk. This can lead to competitive harm (exposed inventory/business records), privacy impact (if customer data is included), and operational disruption (tampered records leading to wrong decisions). The scenario is not about the IoT device exposing services like Telnet/FTP (network services), nor about default passwords; it is specifically about how data is transported and stored.

Why the other options are less accurate:

Insecure ecosystem interfaces (A) focuses on APIs, web/mobile apps, and cloud interfaces; while cloud storage access might involve interfaces, the core weakness described is lack of encryption and retrievable storage, which is more directly the data transfer/storage category.

Insecure network services (C) refers to exposed services/ports on IoT devices, not data confidentiality across the pipeline.

Insecure default settings (D) relates to factory defaults (passwords, open ports, insecure configs), not specifically unencrypted transport and weak storage protection.

Therefore, the correct answer is B. Insecure data transfer and storage.

Port scanning is the CEH-aligned technique used to identify available access points into systems, where “access points” refers to open TCP and UDP ports and the services listening on them. In the reconnaissance and scanning phases described in CEH methodology, testers first enumerate live hosts and then perform port scanning to discover which network services are reachable, such as HTTP on 80 or 443, SSH on 22, RDP on 3389, DNS on 53, and many others. This information directly guides the next steps of analysis by revealing the attack surface: what services are exposed, which systems are running them, and which ports may permit remote interaction.

Vulnerability scanning is different because it attempts to identify known weaknesses or misconfigurations and typically requires service detection, versioning, and signature or configuration checks. It is usually performed after ports and services are discovered, not as the first method for finding “available access points.” Topology mapping focuses on understanding how the network is structured, including routing paths, device relationships, and segmentation boundaries. Network scanning is a broader term that can include host discovery and other probes, but it is less precise than port scanning for identifying the specific entry points that an attacker could use to connect.

Under ethical guidelines, port scanning is conducted with proper authorization, scoped targets, controlled timing to avoid disruption, and clear reporting of open ports, detected services, and risk implications so defenders can reduce exposure by closing unnecessary ports and hardening required services.