The Certified Ethical Hacker (CEH) Network and Perimeter Hacking module describes MAC flooding as an attack targeting switch CAM (Content Addressable Memory) tables. The attacker overwhelms the switch by sending frames with spoofed MAC addresses, forcing the switch to broadcast traffic like a hub.

Option D is the correct indicator because MAC flooding results in many different MAC addresses being learned on a single switch port, which is abnormal behavior. CEH documentation identifies this as the primary forensic sign of a MAC flooding attack.

Option A relates more closely to ARP poisoning rather than MAC flooding.

Option B can occur in network misconfigurations but is not a primary MAC flooding indicator.

Option C is common in NAT environments and is not malicious by itself.

CEH emphasizes monitoring CAM table behavior and port security violations to detect MAC flooding attacks effectively.

The requirements map most directly to WPA3, because WPA3-Personal replaces the legacy WPA2-PSK handshake with SAE (Simultaneous Authentication of Equals). SAE is designed to resist offline dictionary attacks: even if an attacker captures the handshake, they cannot simply take it offline and test password guesses at high speed the way they can with WPA2-PSK handshakes. This directly addresses management’s concern that a captured handshake plus a weak passphrase could enable offline cracking and eventual session key recovery.

WPA3 also strengthens per-session protection by improving how keys are established and by supporting stronger cryptographic defaults. In enterprise contexts, WPA3 aligns with stronger authentication and encryption suites, and in IoT scenarios it supports modern onboarding and improved security posture compared to older WPA2/TKIP-era configurations. The “per-session encryption” and “stronger protection” goals are consistent with WPA3’s modern design focus.

Why the other options are less suitable:

MAC address filtering (A) is not a security control against credential capture or offline attacks; MACs are easily spoofed and do not provide cryptographic protection.

802.1X authentication (B) (WPA2/WPA3-Enterprise) is very strong and removes reliance on a single shared PSK by using per-user/device credentials and dynamic keys. However, the question’s key requirement explicitly calls out preventing offline dictionary attacks even if a handshake is captured—this is most directly the hallmark improvement of WPA3-Personal (SAE). (In practice, WPA3-Enterprise with 802.1X is also excellent, but “upgrade to WPA3” is the single best match to the stated offline dictionary concern.)

Disabling TKIP (D) is good hygiene (prefer AES/CCMP), but it does not prevent WPA2-PSK handshake capture and offline cracking if PSK is used.

Therefore, the best measure to meet the stated modernization goals is C. Upgrade to WPA3.

Cloud-based DDoS mitigation services provide upstream traffic scrubbing, detecting and filtering high-volume attacks such as DNS amplification and HTTP floods before the traffic reaches the victim’s network. These services use distributed infrastructures capable of handling multi-vector attacks that surpass the capacity of traditional on-premises firewalls and IDS. Traffic scrubbing centers distinguish legitimate traffic from malicious traffic, allowing normal operations to continue without service disruption.

CEH documentation explains that WPA-TKIP was a transitional security protocol and does not use AES encryption, relying instead on RC4-based mechanisms.

The lack of AES-based encryption makes WPA-TKIP vulnerable to injection and replay attacks.

Option C is correct.

Options A applies to WEP.

Option B affects authentication, not TKIP weakness.

Option D is not the primary TKIP flaw.

CEH recommends WPA2/WPA3 with AES.

The Spearphone attack, covered in CEH v13 Mobile Platform Hacking, exploits smartphone accelerometers to infer speech vibrations from loudspeakers—without microphone permissions.

This attack demonstrates how built-in sensors can be abused for covert surveillance, making it ideal for assessing privacy risks.

Other options involve different attack vectors not related to sensor-based eavesdropping.

Thus, Option C is correct.

Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker ' s code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

Hacktivists are the most likely category because the scenario is driven by an ideological or political motive rather than direct financial gain. The attackers selectively accessed internal systems and leaked communications, then paired the leak with a manifesto accusing the agency of biased reporting. They also publicly claimed responsibility on social media and framed the intrusion as a fight against misinformation. In CEH-aligned terminology, hacktivism commonly involves unauthorized access, defacement, doxxing, or data leakage intended to influence public opinion, embarrass a target, or push a political or social agenda. The public messaging and justification are key indicators of hacktivist intent.

The other options do not fit as well. Script kiddies typically use ready-made tools with limited sophistication and usually do not produce coordinated ideological messaging or targeted, narrative-driven leaks. Black hat hackers are defined by malicious intent, but they are most commonly associated with theft for profit, extortion, fraud, or ransomware. This incident explicitly notes there was no ransomware and no financial tampering, reducing the likelihood that profit was the primary objective. White hat hackers operate with authorization and documented scope, and they do not leak sensitive whistleblower communications or publish manifestos.

Therefore, the combination of unauthorized access, selective exposure of sensitive information, and public ideological justification aligns most strongly with hacktivists.

TCP port 102 is strongly associated with Siemens S7 communications, commonly referred to as S7comm, which is used by Siemens SIMATIC S7 PLC families and related engineering and HMI components in OT environments. In CEH coverage of ICS and SCADA reconnaissance, identifying industrial protocols by their well-known ports is a standard first step because it quickly narrows down device type, vendor ecosystem, and likely attack surface. When Ethan targets TCP 102 and the scan reveals PLC models used in the automation process, that aligns directly with enumerating Siemens SIMATIC S7 PLCs, since S7comm typically operates over ISO-on-TCP on port 102.

The other options do not match the port-protocol pairing described. Modbus TCP most commonly uses TCP port 502, so “scanning Modbus devices” would be associated with 502 rather than 102. “Capturing Modbus TCP traffic using Wireshark” is passive sniffing and also would focus on Modbus traffic patterns on 502, not an active Nmap sweep on 102. Omron PLCs may use different protocols and ports depending on model and configuration, but TCP 102 is the canonical indicator for Siemens S7 in most defensive and offensive playbooks taught for OT discovery.

From a defensive perspective, CEH-aligned best practices emphasize segmenting OT networks, restricting access to engineering ports like 102, monitoring for scanning behavior, and enforcing allowlisted communications between SCADA, HMIs, and PLCs to reduce the risk of unauthorized enumeration and follow-on manipulation.

The requirement is specifically for a framework that explains how to identify, assess, and treat information security risks within the context of an Information Security Management System (ISMS). The ISO standard dedicated to information security risk management is ISO/IEC 27005. It provides guidance on establishing a risk management process aligned with the ISO/IEC 27000 family and supports the ISMS by describing risk context, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, and ongoing risk communication and monitoring.

This focus on the “how” of risk management is what distinguishes ISO/IEC 27005 from the other options. ISO/IEC 27001:2022 is the standard that specifies the requirements to establish, implement, maintain, and continually improve an ISMS. It requires that risk assessment and treatment be performed, but it is not primarily a detailed methodology standard for conducting those activities. ISO/IEC 27002:2022 is a code of practice that provides a catalog of security controls (the “what” controls you can select), rather than a risk assessment/treatment methodology. ISO/IEC 27701:2019 extends ISO/IEC 27001/27002 to privacy information management (PIMS) and focuses on privacy controls and requirements—not the general information security risk management lifecycle.

Because the question asks for a standard that addresses identification, assessment, and treatment of information security risks as part of an ISMS, ISO/IEC 27005 is the best match. It complements ISO/IEC 27001 by giving organizations practical guidance for building and running the risk management process that ISO/IEC 27001 requires, ensuring risk decisions are systematic, repeatable, and suitable for governance and continual improvement.

The indicators described align most strongly with the Search and Exfiltration phase of the APT lifecycle. In CEH-aligned APT models, attackers typically progress from initial access to establishing footholds, expanding access through internal reconnaissance and lateral movement, then locating valuable data and exfiltrating it. While spear-phishing is a common Initial Intrusion technique, the scenario explicitly includes multiple signals that the attackers are already deep inside the environment and actively handling sensitive information.

The key evidence is the “unusually large data transfers during non-business hours” tied to the R & D department and “unexpected outbound traffic to unfamiliar IP addresses.” Those are classic signs of staging and exfiltration, where collected data is aggregated internally and then sent out to attacker-controlled infrastructure, often at times chosen to reduce detection. The observation that attackers have “intimate knowledge of the organization’s internal data structure” further supports that they have already performed internal discovery and are now targeting specific high-value repositories.

Unauthorized firmware on printers and routers suggests the attackers may have created durable internal collection points or covert channels, but that activity supports and enables the data-theft mission rather than being the primary phase indicated by the full pattern of events. Therefore, the combination of targeted access to R & D resources, anomalous outbound connections, and large off-hours transfers most closely matches the Search and Exfiltration phase in CEH APT lifecycle coverage.

The described behavior matches DNS Zone Transfer Enumeration. In CEH reconnaissance, DNS enumeration aims to discover hosts and services by querying DNS records. A zone transfer is a special DNS operation intended for legitimate replication between an authoritative primary DNS server and its secondary DNS servers. When misconfigured, a DNS server may allow an unauthorized requester to perform a zone transfer, returning the entire DNS zone database. This can reveal extensive internal naming information such as subdomains, hostnames, mail exchangers, service records, and aliases, exactly like the “full list of internal mappings, including subdomains, mail hosts, and system aliases” described in the question. The clue “secondary system responds unusually” is especially telling, because secondary DNS servers are commonly the ones configured for replication and may be mistakenly left open to transfers from any host.

The other options do not fit the output. LDAP enumeration targets directory services and would not yield DNS-style mappings unless you already had directory access and queries. NTP enumeration relates to time synchronization services and can reveal time/server details, not comprehensive host/subdomain lists. NetBIOS enumeration focuses on Windows networking (names, shares, workgroups) typically on internal networks and would not produce a DNS zone’s record set.

CEH-recommended mitigations include restricting zone transfers to authorized secondary server IPs only, using TSIG keys for authenticated transfers, minimizing publicly exposed DNS data, splitting internal and external DNS (split-horizon), and continuously auditing DNS configurations to prevent inadvertent information leakage.

Operational Technology and ICS environments often suffer from misconfigurations such as unchanged factory-default passwords. CEH identifies exploiting default credentials as a direct and effective method because ICS devices frequently lack strong authentication controls. Using these built-in credentials grants immediate unauthorized access to supervisory controls, enabling adversaries to manipulate configurations, disrupt processes, or escalate attacks across critical systems.

CEH v13 explains that a keylogger is a type of spyware designed to capture user input covertly, often storing or transmitting captured data—such as passwords, emails, chat messages, and financial information—to an attacker. Keyloggers can be implemented as software, firmware, or hardware, and they operate silently in the background without affecting system performance, making them ideal for credential theft. CEH categorizes keyloggers under spying and monitoring malware frequently used in the System Hacking phase to escalate privileges or move laterally once credentials are harvested. Unlike rootkits, which hide processes, or ransomware, which encrypts files, a keylogger’s main purpose is passive surveillance. CEH emphasizes how attackers deploy keyloggers post-compromise or use phishing/social engineering to trick victims into installing them. Their covert nature and ability to bypass traditional AV solutions by masquerading as legitimate processes make identifying them crucial during forensics and incident response activities.

SHA-256 is a cryptographic hash function, and CEH v13 clearly states that hash functions alone provide data integrity, but not authenticity or non-repudiation. If attackers can modify data and recompute the hash, integrity checks will still pass.

The issue arises because SHA-256 does not prove who created or modified the data. To address this weakness, CEH v13 recommends using digital signatures, which combine hashing with asymmetric cryptography. A digital signature ensures:

Integrity (data has not changed)

Authentication (data was signed by a known entity)

Non-repudiation (the signer cannot deny the action)

Digital signatures work by hashing the data and encrypting the hash with the sender’s private key. Any modification to the data invalidates the signature.

Encryption alone (Options A and C) protects confidentiality, not integrity or authenticity. SSL/TLS (Option B) secures data in transit but does not protect stored data from tampering.

CEH v13 explicitly identifies digital signatures as the correct cryptographic control when integrity mechanisms alone are insufficient. Therefore, Option D is correct.