Certified Ethical Hacker (CEH) Practice Test

Due care is the establishment of prudent, high-level security measures such as policies, user notices, or insurance to show management's intent to protect assets. Due diligence is the continuing, hands-on effort to verify that those measures are actually implemented and effective. Running regular vulnerability scans to confirm that multifactor authentication is enforced exemplifies due diligence because it actively tests and monitors the control's operation. The other options represent largely administrative or one-time actions, which fall under due care but do not provide the continuous technical validation required for due diligence.

Security controls are commonly grouped by the function they perform.

• Preventive controls are designed to stop an unwanted event from occurring. An access control list (ACL) blocks unauthorized users from opening protected files, so it is preventive.
• Detective controls identify or record events after they have begun. An intrusion detection system (IDS) monitors traffic and generates alerts, making it detective.
• Corrective controls help restore normal operations after an incident. Off-site backups are used to recover data following loss or corruption, so they are corrective.

Therefore, the correct classification, in the order ACL, IDS, off-site backups, is Preventive, Detective, Corrective. The other sequences mix up these established definitions and are incorrect.

The aircrack-ng component responsible for actively injecting frames is aireplay-ng. Its deauth option (-- deauth) sends IEEE 802.11 management frames that disassociate or deauthenticate a client, causing the client to reauthenticate and generate a fresh four-way handshake that can be captured by airodump-ng for offline cracking with aircrack-ng.

• airdecap-ng is only for decrypting previously captured traffic; it does not transmit frames.
• airbase-ng sets up rogue access points or performs KARMA-style attacks but is not used for deauthentication injection.
• packetforge-ng creates custom packets (e.g., ARP requests) for WEP injection attacks and likewise does not handle deauthentication.

Therefore, aireplay-ng is the correct choice for forcing reconnections during WPA/WPA2 handshake harvesting.

The injected WAITFOR DELAY statement instructs Microsoft SQL Server to pause execution for a specific period. Because the tester must judge success solely by the presence or absence of the delay-without any returned data or visible error-the technique falls under time-based blind SQL injection. Error-based injection relies on verbose database errors, union-based injection appends a UNION SELECT to return data directly, and boolean-based blind injection infers information from true or false conditions without timing side channels.

The Rules of Engagement (ROE) document spells out the agreed-upon scope, limitations, notification procedures, and stop-test conditions for an assessment. Having the ROE signed before any hands-on activity protects the tester from accusations of unauthorized access and gives the client confidence that business-critical assets will not be affected. An NDA only covers confidentiality, an SLA defines service performance metrics, and a project closure report is produced after the engagement, so none of them establish legal testing boundaries up front.

Because the attacker has obtained a legitimate pipeline trigger token, they can craft and launch a malicious pipeline that contains arbitrary shell commands. If a shared GitLab runner is mistakenly configured to run in privileged or root context, those commands execute on the runner's host, granting the attacker remote code execution and a foothold for further lateral movement. The other options are not realistic: the endpoint does not build SQL queries (ruling out SQL injection), it does not perform redirects, and directory traversal requires a different class of vulnerability.

The General Data Protection Regulation (GDPR) is the EU-wide privacy law that governs the processing of personal data of EU residents. Article 33 mandates that a data controller must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it. Article 83 authorizes administrative fines of up to 20 million EUR or 4 percent of the organization's total worldwide annual turnover, whichever is higher. PCI DSS is an industry security standard, not a law, and it does not impose a statutory breach-notification window or percentage-of-turnover fines. HIPAA applies only to protected health information in the United States, and the Gramm-Leach-Bliley Act focuses on U.S. financial institutions; neither matches the described 72-hour requirement or fine structure. Therefore, GDPR is the only option that fulfills both conditions in the scenario.

Audit logging does not block an action; instead, it observes activity and raises an alert so that a potential incident can be investigated. Because the function is implemented in software on the SaaS platform rather than through policies or physical barriers, it is considered a technical (logical) control. Controls that observe and report rather than prevent or repair are detective in nature. By contrast, preventive controls attempt to stop an event from occurring, corrective controls aim to restore conditions after an incident, and physical deterrent controls involve hardware or environmental mechanisms such as locks or lighting.

The tester is using pivoting. By turning the compromised web server into an intermediary, all traffic to the database appears to originate from a trusted host in VLAN 10, allowing the attacker to move deeper into the environment. This is not privilege escalation (which raises permission levels on the same host), banner grabbing (which only collects service information), nor session fixation (which targets web authentication tokens). Pivoting is the concept of leveraging control over one system to attack additional internal assets that were previously inaccessible.

Separation of duties divides a critical business process into distinct tasks that must be performed by different people. Because no single insider can execute every step, an attacker would need to recruit at least one accomplice, significantly raising the difficulty of fraudulent transfers. Job rotation swaps roles over time but does not split a single transaction, least-privilege limits system permissions but still lets one authorized user complete the workflow, and security awareness training raises knowledge but does not add a procedural gate.

Collecting data exclusively from publicly available sources-without interacting with the target's systems-is known as passive reconnaissance (often called footprinting). Because no traffic is sent to the victim network, the activity is unlikely to trigger intrusion-detection alarms or violate scope limitations, making it a safe first step for understanding the environment. Active scanning, enumeration, or exploitation would require direct contact with the target and are normally conducted only after passive information gathering is complete, while covering tracks happens after attacks have been executed.

A TCP ACK scan (-sA) sends packets with only the ACK flag set, making them appear to belong to an established connection. Because most stateful firewalls create state entries only when they see a SYN flag, an unsolicited ACK often slips through the rule set. If the packet reaches the target, the host replies with RST, showing that the port is unfiltered. If no response arrives, the firewall likely blocked the probe, so the port is marked filtered. Other scans such as SYN half-open (-sS), NULL (-sN), and FIN (-sF) are designed to determine a port's open/closed state on the host, not to map firewall rules, and therefore do not provide the same information about which ports the firewall passes.

In information security, risk is typically expressed as the combination of the likelihood that a threat will exploit a vulnerability and the magnitude of the resulting impact on the business. A vulnerability, by contrast, is simply a weakness that could be exploited; a threat is the potential cause of harm; and a safeguard or countermeasure is a control implemented to lower either the likelihood of exploitation or the severity of impact. Consequently, the definition that explicitly includes both likelihood (probability) and potential business damage most accurately captures the concept of risk.

In serverless environments, the cost model is based on the number of invocations and execution time. Flooding an unauthenticated function with automated requests drives up compute usage and charges, exhausting the organization's budget rather than system resources. This threat is referred to as a Denial of Wallet attack. It differs from a traditional Denial of Service, which aims to exhaust capacity; cold-start abuse relates to latency, and container escape targets the sandbox rather than financial impact.

Security controls are often grouped by functional type (preventive, detective, corrective, deterrent) and by implementation type (physical, technical, administrative). CCTV is a physical mechanism because it involves tangible hardware installed in the environment. Its primary purpose is to record and alert staff after suspicious activity occurs, allowing them to discover and investigate incidents. That makes it a detective control. It does not automatically stop or block access (preventive), does not restore normal operations after an event (corrective), and is not primarily intended to discourage actions through psychological means (deterrent). Therefore, CCTV used for post-incident review is best categorized as a detective physical control.

The rules of engagement (RoE) document is prepared before testing begins and spells out operational boundaries: which systems may be touched, the hours testing may occur, techniques that are off-limits, and points of contact. By defining scope and constraints in writing, the RoE protects both the client and the tester from accidental law or policy violations. A statement of work may outline deliverables and cost but usually lacks detailed technical restrictions. A non-disclosure agreement focuses only on confidentiality, while a master services agreement governs overall business terms; neither establishes day-to-day testing limits. Therefore, the RoE is the correct choice.

Disabling USB ports and using data-loss-prevention software stop an unwanted action from occurring in the first place; they do not merely detect or correct it after the fact. Therefore, they are classified as preventive controls. Detective controls (such as log monitoring) alert when an event occurs, corrective controls (such as patching) fix a condition after detection, and deterrent controls (like warning banners) only discourage misconduct without technically blocking it.

A data classification policy is a written directive created and enforced by management. Policies, standards, and procedures that influence how people act fall under administrative (sometimes called managerial) controls. Technical controls rely on technology (firewalls, encryption), physical controls protect the environment (locks, guards), and corrective controls attempt to restore systems after an incident. Because the recommendation concerns governance rather than technology or physical safeguards, it is an administrative control.

The extra latency for valid usernames indicates the server performs additional work-such as password hashing-only when the account exists. By scripting repeated login attempts and measuring response times, an attacker can distinguish existing usernames from nonexistent ones without guessing passwords, evading lockout thresholds. Password spraying and credential stuffing rely on knowing usernames first, while NULL-byte poisoning or HTTP verb tricks do not exploit timing discrepancies.

The document described is the Rules of Engagement (RoE). In an ethical hacking or penetration-testing engagement, the RoE clearly defines the scope, constraints, timeline, and escalation procedures, and it provides explicit written authorization so that the test remains legal and aligned with the client's expectations. A Statement of Work focuses on commercial terms, a Service Level Agreement defines operational performance metrics, and a Non-Disclosure Agreement governs confidentiality; none of these substitute for the RoE's role of granting consent and setting detailed testing boundaries.