The most likely missing BYOD guideline is reviewing application permissions before installation. In CEH mobile security guidance, a major risk in BYOD environments is the introduction of untrusted or malicious applications that abuse the mobile permission model to access corporate data, intercept authentication tokens, read storage, capture keystrokes via accessibility services, or communicate externally. When users install apps without scrutinizing requested permissions, they may unknowingly grant excessive privileges that enable data theft or access-control bypass, especially if the app leverages OS weaknesses or misconfigurations.

The scenario states Javier “installs a malicious app that bypasses access controls” and gains access to sensitive financial data because devices “lack a specific security measure to restrict app access.” This maps directly to a policy gap around controlling and validating apps and their permission requests. CEH emphasizes that organizations should reduce attack surface by limiting app privileges, avoiding sideloading from untrusted sources, and enforcing least privilege through user awareness and enterprise controls such as MDM application allowlisting and permission governance. Reviewing permissions is the user-facing guideline that prevents employees from granting dangerous access (for example, SMS, storage, contacts, accessibility, device admin, or VPN configuration permissions) that can enable credential theft or unauthorized data access.

Option B adds an extra layer for local access but does not stop a malicious app with granted permissions from accessing corporate data. Option C helps if a device is physically stolen, but it does not prevent malicious apps already running under the user context. Option D protects data at rest, yet a malicious app can still exfiltrate data once it is decrypted and accessed by the user session. Therefore, permission review is the most directly relevant missing BYOD guideline.

The described behavior aligns precisely with ARP spoofing, also known as ARP poisoning, a common man-in-the-middle attack technique covered extensively in CEH materials. ARP operates at Layer 2 of the OSI model and is responsible for mapping IP addresses to MAC addresses within a local network. Because ARP lacks authentication mechanisms, any host can send forged ARP replies to other devices on the LAN.

In this scenario, Marcus injects crafted messages that alter how two hosts identify each other. This strongly indicates forged ARP replies were sent to both the payroll workstation and the authentication server. By telling each system that his machine’s MAC address corresponds to the other party’s IP address, Marcus positions himself logically between the two endpoints. As a result, traffic is transparently routed through his system without requiring changes to switch configurations, proxies, or VPN tunnels.

This technique enables interception and potential modification of credentials in transit. DNS spoofing affects domain name resolution rather than direct Layer 2 host identification. MAC flooding overflows the switch CAM table to force broadcast behavior but does not specifically manipulate IP-to-MAC mappings between two targeted hosts. Switch port stealing targets MAC table entries but does not rely on altering host identity mappings in the same way ARP poisoning does.

Therefore, ARP spoofing is the most accurate technique described in this scenario.

The most accurate classification is Design Flaws. CEH web application guidance explains that some vulnerabilities exist not because of a coding typo or a missing patch, but because the underlying workflow, trust model, or business process is architected insecurely. In this scenario, the application relies on sequential client-driven steps for identity verification, yet the server does not independently enforce that each stage is truly completed before granting access. That means the weakness lies in the way the authentication flow was designed, specifically in trusting the client-side sequence more than it should. Poor patch management would relate to unpatched software components. Misconfigurations or weak configurations usually involve deployment or server settings. Application flaws is broader, but the question asks for the best classification, and the bypass of a security workflow due to inadequate stage enforcement is best understood as a design-level weakness. CEH references often connect such issues with business logic flaws, where attackers tamper with parameters or transaction flow to violate expected process integrity. Because the core problem is the insecure design of the multi-step validation sequence, Design Flaws is the best answer.

AES is the industry-standard symmetric encryption algorithm endorsed by CEH v13. It provides strong confidentiality and resists traffic analysis when used with proper modes (e.g., CBC, GCM).

DES is obsolete, HMAC ensures integrity not encryption, PSA is not a standard encryption algorithm.

Thus, Option B is correct.

The correct choice is C because Nessus Essentials is fundamentally a vulnerability assessment scanner. Its core purpose is to identify security weaknesses by checking systems and services against a large vulnerability knowledge base, which includes detecting outdated or vulnerable versions of operating systems, server software, databases, web servers, and common network services. In practical scanning, Nessus performs remote checks such as banner/version identification, configuration and patch-level assessment (where possible), and vulnerability plugin checks to flag software releases that are known to be insecure or end-of-life. This directly matches the scenario emphasis: supporting “diverse technologies including operating systems, databases, web servers, and virtual environments,” and asking for a capability it provides “as part of its scanning process.”

Why the other options are incorrect:

A (Patch management) is not what Nessus Essentials is designed to do. Nessus identifies missing patches and vulnerabilities, but it does not serve as an operating system and third-party application patch deployment platform.

B (High-speed asset discovery) is more characteristic of dedicated asset discovery/attack surface tools or broader platform features; while Nessus can discover hosts during scans, “high-speed asset discovery” is not the defining, primary capability being tested here.

D (Agent-based detection) refers to endpoint agents running locally for continuous monitoring. Nessus Essentials is primarily used for scanner-driven vulnerability assessment; agent-based functionality is a separate approach/tooling concept and not the main Essentials scanning capability being targeted in this question.

Therefore, the best answer is C: Nessus Essentials is designed to scan and identify vulnerabilities, including detecting outdated/vulnerable versions across many server and service technologies.

The correct answer is RSA. CEH cryptography coverage describes RSA as a widely used asymmetric algorithm that supports encryption and digital signatures and is commonly deployed in public-key infrastructures. The question states that the transaction data is hashed, the hash is signed with the sender’s private key, and the recipient verifies the signature with the matching public key. That is the classic RSA signature model presented in CEH materials. The additional clue is that the same algorithm is said to support encryption, digital signatures, and secure communications use cases. Diffie-Hellman is mainly a key exchange mechanism and is not used for digital signatures in the way described here. DSA is designed for digital signatures, but not for general encryption. ElGamal can support encryption and signatures, but CEH exam framing most strongly associates this full combination of encryption plus digital-signature verification with RSA. CEH references repeatedly emphasize RSA as the standard asymmetric cryptosystem for confidentiality, authentication, integrity, and nonrepudiation in enterprise communications. Because the described implementation combines hashing, private-key signing, and public-key verification within a broad asymmetric framework, RSA is the most accurate answer.

The firewall described is doing more than simple header checks: it is validating session state and also performing some application-level analysis. That combination is characteristic of a Stateful Multilayer Inspection Firewall. This firewall type expands beyond traditional packet filtering by tracking the state of network connections (e.g., TCP handshake progression, established sessions, expected flags and sequence behavior) and applying inspection across multiple OSI layers. Because it understands whether traffic belongs to a legitimate, established session, it can block many spoofed or out-of-context packets that might pass a stateless filter.

The mention of being harder to bypass with fragmentation or tunneling attacks further supports this. Stateless packet-filtering firewalls mainly rely on source/destination IP, port, and protocol fields. Attackers may attempt fragmentation to split payloads across packets and evade simplistic inspection, or use tunneling to encapsulate traffic to hide prohibited content. A stateful multilayer firewall, by maintaining connection tables and reassembling or correlating traffic with session context, is better equipped to detect anomalies that do not align with valid session behavior and to apply deeper inspection policies.

Why the other choices are less fitting:

A Packet Filtering Firewall (A) focuses on basic header fields and is typically stateless, matching the opposite of what Mia observed.

An Application-Level Firewall (C) (proxy firewall) can do deep application inspection, but the scenario emphasizes a multilayer approach combining state tracking with application-level checks—more aligned with stateful multilayer inspection than a pure application proxy model.

A Circuit-Level Gateway Firewall (D) validates session establishment (e.g., TCP handshakes) and creates virtual circuits, but it generally does not perform meaningful application-level analysis of the content.

Therefore, the best match is B. Stateful Multilayer Inspection Firewall.

Passive reconnaissance involves gathering information without directly interacting with the target. WHOIS, search engines, and social media are all passive techniques highlighted in CEH v13 Reconnaissance.

Nmap scanning, however, actively probes target systems and generates traffic that can be logged and detected. This makes it an active reconnaissance technique.

Therefore, Option D is least useful in a passive phase.

The correct answer is B. Password Spraying because the pattern described is the defining behavior of a spraying attack: the attacker tries a small set of common or likely passwords (for example, seasonal passwords, default patterns, or organization-themed guesses) across many different user accounts, using only a few attempts per account to avoid account lockout thresholds. The scenario explicitly states that “many accounts each receive only a few login attempts,” the attacker “reuses a very small set of likely credentials across a large number of accounts,” and the activity is “spread out over several days and IP ranges to avoid triggering automated lockouts.” These are the exact operational traits that distinguish password spraying from traditional brute force.

In CEH-aligned credential attack concepts, brute force is typically characterized by repeated attempts against a single account (or a small set of accounts), often cycling through many password candidates until the correct one is found. That approach is noisy and quickly triggers lockouts and detection. Password spraying flips the strategy: it keeps the per-account attempt count low and distributes attempts widely and slowly, which reduces alerting and lockout events. This is why the attacker was able to successfully access “several low-privilege accounts” before the pattern was noticed—spraying often compromises accounts with weak or reused passwords while staying below detection thresholds.

Why the other options are incorrect: Session hijacking involves stealing or replaying session tokens/cookies after authentication, not repeated login attempts across accounts. CSRF forces a logged-in user’s browser to perform unintended actions; it does not produce distributed authentication failures in logs. Brute force is related, but the avoidance of lockouts through minimal attempts per account and broad targeting is the signature of password spraying.

Therefore, the observed behavior most clearly indicates a password spraying attack.

The most clearly demonstrated vulnerability is Lack of authentication. In CEH-aligned network device security principles, authentication is the fundamental control that verifies a user or device is permitted to access administrative functions or participate in trusted communications. The scenario states that the router allows external administrative access without requiring a password. That directly indicates that authentication is not being enforced for management access, meaning an unauthorized user could potentially gain administrative control simply by reaching the management interface.

The second observation reinforces the same core weakness in a different context: the router uses a protocol that provides neither encryption nor validation. In CEH terms, “validation” in routing and management protocols commonly refers to authentication and integrity checks, ensuring that updates or communications are sent by trusted peers and not altered in transit. When a protocol lacks validation, an attacker may be able to inject rogue updates, impersonate a trusted neighbor, or manipulate routing behavior, depending on the protocol and topology. While this could also be described as “insecure routing protocols,” the question asks what vulnerability is most clearly present based on both observations together. The common denominator is the absence of authentication controls: no password for admin access and no validation for device-to-device protocol exchanges.

“Lack of password protection” addresses only the first issue and is narrower. “Firewall vulnerabilities” is not evidenced. Therefore, the clearest and most comprehensive vulnerability indicated by the observations is Lack of authentication.

According to CEH v13 Cloud Computing, backup integrity and resilience are critical components of cloud security. The 3-2-1 backup model is a widely recommended best practice to mitigate unauthorized access, data corruption, and ransomware-related incidents.

The 3-2-1 rule dictates that organizations should maintain:

3 copies of critical data

Stored on 2 different media types

With 1 copy stored offsite or offline

This approach ensures that even if one backup is compromised, altered, or deleted—as described in the scenario—clean and trusted versions of the data remain available for restoration. CEH v13 emphasizes that offline or immutable backups significantly reduce the impact of malicious modification.

Option A focuses on physical security, which does not protect cloud backups. Option B addresses availability, not integrity. Option C is relevant to web application security, not backup protection.

CEH v13 explicitly highlights backup segregation and redundancy as key countermeasures against cloud data compromise. Therefore, Option D is the most direct and effective mitigation strategy.

Insecure Deserialization is the best match because the scenario explicitly describes user-supplied data being processed during object reconstruction. In CEH-aligned web application security concepts, deserialization is the process of taking serialized data, such as JSON, XML, YAML, or binary objects, and converting it back into in-memory objects the application can use. When an application accepts serialized objects from an untrusted source and reconstructs them without strong validation, integrity checks, and safe type constraints, an attacker can tamper with the serialized content to alter object fields, inject unexpected object types, or trigger unsafe behaviors during reconstruction.

The key clue is that Sophia uploads a crafted template file and gains administrative access and access to restricted dashboards. That outcome commonly occurs when a deserialized object contains role, permission, or account attributes that the server trusts, or when deserialization triggers privileged logic through gadget chains or unsafe callbacks. The prompt also rules out database queries, client-side code execution, and session manipulation, which eliminates common alternatives like SQL injection, XSS, and session hijacking. Local file inclusion would involve forcing the server to include local files using path manipulation, which is not described here. Verbose error messages can leak information but do not directly grant admin access.

Mitigations emphasized in ethical hacking guidance include never deserializing untrusted data when avoidable, enforcing strict allowlists of types, applying cryptographic signing or HMAC integrity validation to serialized data, using safer data formats with explicit schemas, regenerating authorization decisions server-side rather than trusting client-provided object attributes, and logging and blocking anomalous deserialization attempts.

The central failure in the scenario is that a lost smartphone remained capable of accessing sensitive data, which means the organization lacked an effective lost device response control. In CEH-aligned mobile security guidance, one of the most important protections for lost or stolen devices is the ability to remotely secure the endpoint by locking it and wiping corporate data. This is typically implemented through Mobile Device Management tools and enterprise mobility controls. Registering devices with a remote locate and wipe facility ensures the security team can immediately take action once a device is reported missing, reducing the window in which an attacker can use stored sessions, cached credentials, saved tokens, or application access to reach protected resources such as patient records.

Option C is the best answer because it addresses both key needs implied by the incident: location capability to aid recovery and remote wipe to eliminate data exposure if recovery is uncertain. In healthcare environments, where protected health information is highly sensitive, CEH documentation emphasizes compensating controls that protect confidentiality when physical control of the device is lost. Remote wipe supports incident containment by preventing further access and limiting data disclosure.

Option B only provides tracking and does not guarantee data protection if the device cannot be recovered quickly. Option A helps protect data in transit on untrusted networks, but it does not solve the risk of a stolen device already authenticated to internal systems. Option D can help overall hygiene, but antivirus and DLP do not reliably stop misuse of a legitimately authenticated, lost device. Remote locate and wipe is the most direct mitigation for this exact gap.

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

CEH methodology stresses prioritization based on risk, exploitability, and business impact. High-severity vulnerabilities—especially those related to outdated or unsupported server software—are frequently associated with known, publicly documented exploits. The proper next step after identifying such vulnerabilities is to confirm exploitability safely, typically by researching available exploit code, validating version-specific weaknesses, and determining whether the vulnerability can be successfully leveraged under the defined scope of engagement. CEH highlights that exploitation attempts must be evidence-driven, not arbitrary, and focusing on high-risk vulnerabilities allows testers to demonstrate meaningful security impacts. Brute-forcing (Option A) is unnecessary and high-noise. Ignoring or deprioritizing the high-risk finding (Options B and C) contradicts CEH risk-based assessment principles. Therefore, verifying exploitability of the high-risk vulnerability is the correct step.