CCNA Wireless, IoT and Cloud Security Questions

24 questions · Wireless, IoT and Cloud Security · All types, answers revealed

1
Matchingmedium

Match each footprinting technique to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Query domain registration details

Gathering DNS records and subdomains

Using advanced search operators to find sensitive info

Manipulating people to reveal information

Search engine for internet-connected devices

Why these pairings

These techniques are used in the reconnaissance phase of ethical hacking.

2
MCQhard

During a penetration test, an ethical hacker captures a WPA2 handshake and successfully cracks the PSK. Which additional action must be taken to decrypt previously captured traffic?

A.Compute the Pairwise Master Key Identifier (PMKID) from the PSK and AP MAC.
B.Capture the nonce values from the access point.
C.Use the PSK directly to compute the Michael Integrity Check (MIC).
D.Obtain the Group Temporal Key (GTK) from the access point.
AnswerA

The PMKID is used to derive the PTK, enabling decryption.

Why this answer

Option A is correct because after cracking the WPA2 Pre-Shared Key (PSK), the Pairwise Master Key (PMK) is derived from the PSK, SSID, and hashing iterations (PBKDF2). To decrypt previously captured traffic, you need the Pairwise Transient Key (PTK), which is computed from the PMK, the client nonce (SNonce), the AP nonce (ANonce), and both MAC addresses. However, the nonces are exchanged during the 4-way handshake and are present in the captured handshake; the missing piece is the PMKID, which is derived from the PMK, AP MAC, and STA MAC.

Computing the PMKID from the cracked PSK and AP MAC allows tools like aircrack-ng to verify the correct PMK and then derive the PTK to decrypt the traffic.

Exam trap

The trap here is that candidates often think the PSK alone is sufficient to decrypt traffic, but the PSK only gives the PMK; the PTK requires the nonces and MACs from the handshake, and the PMKID is the verification step that ensures the correct PMK is used for decryption.

How to eliminate wrong answers

Option B is wrong because the nonce values (ANonce and SNonce) are already captured as part of the WPA2 4-way handshake; capturing them again is unnecessary and does not enable decryption without the PMK. Option C is wrong because the Michael Integrity Check (MIC) is a field in the handshake messages used to verify integrity, not to derive encryption keys; using the PSK directly to compute the MIC is meaningless and does not yield the PTK needed for decryption. Option D is wrong because the Group Temporal Key (GTK) is used for broadcast/multicast traffic and is encrypted in the handshake using the PTK; obtaining the GTK from the AP is not possible without first having the PTK, and the GTK alone cannot decrypt unicast traffic.

3
MCQhard

During a penetration test of a corporate wireless network, you capture a WPA2 handshake and successfully recover the PSK. Later, you notice that some clients are using WPA3-Personal. Which attack could be used to downgrade a WPA3 client to WPA2 and capture its handshake?

A.Perform a PMKID attack on the WPA3 client to capture the handshake.
B.Use a WPS PIN brute-force attack against the WPA3 client.
C.Send deauthentication packets to the WPA3 client and capture the reconnection handshake.
D.Set up a rogue access point broadcasting a WPA2 network with the same SSID, forcing the client to reconnect using WPA2.
AnswerD

Rogue AP can entice client to downgrade.

Why this answer

Option D is correct because WPA3 clients are designed to fall back to WPA2 when the access point only supports WPA2. By setting up a rogue AP with the same SSID but configured for WPA2, the client will attempt to connect using WPA2, allowing you to capture the 4-way handshake and potentially recover the PSK if the same password is used for both security modes.

Exam trap

EC-Council often tests the misconception that deauthentication alone can force a protocol downgrade, but in WPA3, deauthentication only triggers a reconnection using the same security protocol unless the AP changes its capabilities.

How to eliminate wrong answers

Option A is wrong because a PMKID attack targets WPA2/3 access points that expose the PMKID in the first EAPOL frame, but it does not downgrade a WPA3 client; it is used to recover the PSK without a full handshake, not to capture a handshake from a downgraded client. Option B is wrong because WPS PIN brute-force attacks target WPS-enabled access points, not clients, and WPA3-Personal does not use WPS; this attack is irrelevant for downgrading a WPA3 client. Option C is wrong because sending deauthentication packets to a WPA3 client will only cause it to reconnect using WPA3 (if the AP supports it), not downgrade to WPA2; the client will re-authenticate with its current security protocol, not fall back automatically.

4
MCQmedium

A security analyst reviews the iptables firewall configuration on a Linux server acting as a gateway for a small office. The server has two interfaces: eth0 (external) and eth1 (internal, 192.168.1.0/24). Based on the exhibit, which of the following is a valid security concern?

A.All traffic to the loopback interface is accepted, which could allow local attacks to bypass firewall rules.
B.The OUTPUT chain policy is set to ACCEPT, which allows any outbound traffic.
C.The FORWARD chain only allows traffic from 192.168.1.0/24 to any destination, which is too permissive.
D.UDP port 53 is allowed, which could permit DNS tunneling attacks.
AnswerA

Loopback acceptance can be exploited if local services are vulnerable.

Why this answer

Option A is correct because the iptables rules show that all traffic to the loopback interface (lo) is accepted in the INPUT chain. This means any process on the local host can send packets to 127.0.0.1 without being filtered, potentially allowing local privilege escalation or local attacks to bypass firewall restrictions. In a gateway configuration, this can be exploited if an attacker gains local access and uses the loopback to communicate with services that should be protected.

Exam trap

The trap here is that candidates often overlook the loopback interface rules and focus on external-facing chains, assuming that only external interfaces matter for security, while the question specifically tests awareness of local attack vectors through the loopback interface.

How to eliminate wrong answers

Option B is wrong because the OUTPUT chain policy being set to ACCEPT is not inherently a security concern; it is a common default that allows the gateway itself to initiate outbound connections, which is expected for normal operation. Option C is wrong because the FORWARD chain rule only allowing traffic from 192.168.1.0/24 to any destination is a typical and correct configuration for a gateway that forwards internal traffic to the internet; it is not 'too permissive' as it restricts forwarding to the internal subnet only. Option D is wrong because allowing UDP port 53 (DNS) is necessary for name resolution and does not inherently permit DNS tunneling; tunneling requires additional exploitation and is not a direct consequence of allowing standard DNS traffic.

5
MCQeasy

Refer to the exhibit. A security analyst reviews a CloudTrail log entry. What is the primary security concern indicated by this log?

A.The action was performed by the AWS root account, which should be avoided for routine tasks.
B.The AMI ID (ami-0abcdef1234567890) is from a trusted source.
C.The source IP address (203.0.113.5) is suspicious.
D.The instance type is t2.micro, which may be vulnerable.
AnswerA

Root should only be used for specific tasks.

Why this answer

The log entry shows that the action was performed by the AWS root account (userIdentity.type: Root). AWS best practices mandate that the root account be used only for tasks that require it, such as changing account settings or closing the account. Routine operations like launching an EC2 instance should be performed using IAM roles or users with least-privilege permissions.

Using the root account for everyday actions increases the risk of credential compromise and violates the principle of least privilege.

Exam trap

EC-Council often tests the concept that the root account should never be used for routine tasks, and candidates may mistakenly focus on the AMI ID, source IP, or instance type as potential threats, overlooking the critical security violation of root account usage.

How to eliminate wrong answers

Option B is wrong because the AMI ID (ami-0abcdef1234567890) being from a trusted source does not indicate a security concern; the log entry does not provide any evidence of compromise or malicious activity related to the AMI. Option C is wrong because the source IP address (203.0.113.5) is a public IP from a TEST-NET-3 range (RFC 5737), which is reserved for documentation and not a real, routable IP, so it cannot be considered suspicious in a real-world context. Option D is wrong because the instance type t2.micro is a standard, low-cost instance type and is not inherently vulnerable; security vulnerabilities depend on the OS, applications, and configurations, not the instance type itself.

6
Multi-Selectmedium

Which THREE of the following are best practices for securing IoT devices in a home automation network?

Select 3 answers
A.Enable Universal Plug and Play (UPnP) for easy integration.
B.Segment IoT devices on a separate VLAN or subnet.
C.Change default usernames and passwords.
D.Disable unnecessary features and services.
E.Ensure all devices are connected directly to the internet for remote access.
AnswersB, C, D

Limits lateral movement.

Why this answer

Segmenting IoT devices on a separate VLAN or subnet (Option B) is a best practice because it isolates potentially insecure IoT devices from the main trusted network. If an IoT device is compromised, the attacker cannot easily pivot to other devices on the primary LAN. This leverages Layer 2 or Layer 3 segmentation to enforce network access controls, reducing the attack surface in a home automation environment.

Exam trap

EC-Council often tests the misconception that UPnP simplifies integration and is safe, when in fact it is a well-known security risk due to its lack of authentication and automatic port forwarding.

7
MCQmedium

A cloud security engineer notices that an S3 bucket containing sensitive customer data is configured with a bucket policy that allows 'Principal': '*' and 'Action': 's3:GetObject'. The bucket is not publicly accessible via the AWS Management Console, but the engineer is concerned about data exposure. What is the most likely risk?

A.Anyone on the internet can read objects in the bucket if they know the object URL.
B.The data is encrypted at rest, so no exposure risk exists.
C.The bucket policy is misconfigured but only affects objects with server-side encryption.
D.Only authenticated AWS users can access the bucket, so the risk is limited.
AnswerA

Public read access is granted to all objects.

Why this answer

The bucket policy allows 'Principal': '*' with 'Action': 's3:GetObject', which grants anonymous read access to any object in the bucket. Even if the bucket is not publicly listed in the AWS Management Console, anyone on the internet who knows or guesses the object URL can retrieve the object directly via HTTP/HTTPS. This is a classic data exposure risk because the policy overrides any console-level restrictions.

Exam trap

The trap here is that candidates confuse 'not publicly accessible via the AWS Management Console' with 'not publicly accessible via direct object URLs,' but S3 bucket policies control access at the API level, not just the console UI.

How to eliminate wrong answers

Option B is wrong because encryption at rest protects data only if it is accessed without proper decryption keys, but the policy allows direct object retrieval without authentication, so encryption does not prevent exposure. Option C is wrong because the bucket policy applies to all objects regardless of server-side encryption status; the misconfiguration affects all objects, not just encrypted ones. Option D is wrong because 'Principal': '*' means any unauthenticated user (not just authenticated AWS users) can access the bucket; the policy does not require AWS authentication.

8
Multi-Selectmedium

Which TWO of the following are common security risks associated with bring-your-own-device (BYOD) policies in a corporate environment?

Select 2 answers
A.Lack of visibility into device security posture
B.Data leakage through personal apps
C.Enhanced network segmentation
D.Stronger encryption of corporate data
E.Increased control over device configurations
AnswersA, B

IT may not know if devices are compromised.

Why this answer

Option A is correct because BYOD devices are personally owned and not under direct corporate management, leading to a lack of visibility into their security posture. Without a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution, the organization cannot assess patch levels, antivirus status, or jailbreak/root status, leaving the network exposed to compromised devices.

Exam trap

EC-Council often tests the distinction between risks and controls; the trap here is that candidates confuse security mitigations (like segmentation or encryption) with inherent risks, leading them to select options C, D, or E instead of recognizing them as countermeasures.

9
MCQeasy

A security analyst discovers that an IoT device in a smart building is periodically sending small DNS queries to an external domain known for command-and-control activity. Which security control should be implemented to detect and block such traffic without disrupting legitimate operations?

A.Install a host-based firewall on the IoT device to restrict outbound traffic.
B.Deploy an intrusion detection system (IDS) on the network to alert on suspicious DNS queries.
C.Configure egress filtering on the firewall to block outbound connections to known malicious domains.
D.Disable DNS resolution on the IoT device to prevent any external communication.
AnswerC

Egress filtering prevents malicious outbound traffic.

Why this answer

Option C is correct because egress filtering on the firewall can block outbound DNS queries to known malicious domains by using a blocklist or threat intelligence feed, preventing command-and-control (C2) communication without affecting legitimate traffic to other domains. This control operates at the network perimeter, inspecting DNS requests against a reputation database and dropping matches, which is the most effective way to stop C2 traffic while allowing normal operations.

Exam trap

The trap here is that candidates confuse detection (IDS) with prevention (firewall filtering), assuming an alert is sufficient to stop the threat, but CEH emphasizes that blocking at the perimeter is required for active defense against C2 traffic.

How to eliminate wrong answers

Option A is wrong because host-based firewalls on IoT devices are often impractical due to resource constraints, lack of centralized management, and the device's limited ability to maintain dynamic blocklists; they also cannot block DNS queries if the device itself is compromised. Option B is wrong because an IDS only alerts on suspicious traffic but does not block it, so the C2 communication would still succeed, leaving the network exposed until manual intervention occurs. Option D is wrong because disabling DNS resolution entirely would break all legitimate external communications (e.g., firmware updates, time synchronization), causing operational disruption and potentially rendering the IoT device non-functional.

10
MCQeasy

You are a security consultant for a mid-sized company that recently migrated its customer relationship management (CRM) system to a public cloud provider (AWS). The CRM is a web application behind an Application Load Balancer (ALB) with WAF enabled. The application stores sensitive customer data in an RDS MySQL database. The security team has configured security groups to allow only HTTPS (443) from the internet to the ALB, and from the ALB to the application servers on port 8080. The application servers can connect to the database on port 3306. During a routine vulnerability scan, you discover that the database is publicly accessible from the internet on port 3306, which contradicts the intended design. You verify that the security group for the database allows inbound traffic from 0.0.0.0/0 on port 3306. The database contains unencrypted personal identifiable information (PII). What is the most effective immediate action to remediate this vulnerability?

A.Modify the database security group to remove the 0.0.0.0/0 inbound rule and add a rule allowing only the application servers' security group on port 3306.
B.Enable RDS Enhanced Monitoring and log all connections to the database for forensic analysis.
C.Enable deletion protection on the RDS instance to prevent accidental removal.
D.Enable encryption at rest for the RDS instance using AWS KMS.
AnswerA

This restricts access to only authorized sources, closing the exposure.

Why this answer

The most effective immediate action is to restrict the database security group to allow inbound traffic only from the application servers' security group on port 3306. This directly removes the public exposure (0.0.0.0/0) and enforces the principle of least privilege, ensuring only the intended application tier can communicate with the database. Since the database contains unencrypted PII, closing the public access is the highest priority remediation to prevent data exfiltration.

Exam trap

The trap here is that candidates may focus on encryption or logging as a quick fix, but the most critical and immediate action is to close the direct public network access to the database, as encryption and logging do not prevent an active attacker from connecting and stealing data.

How to eliminate wrong answers

Option B is wrong because enabling Enhanced Monitoring and logging does not remediate the public exposure; it only provides visibility into connections, which is a detective control, not a preventive one. Option C is wrong because enabling deletion protection prevents accidental deletion of the RDS instance but does not address the inbound security group rule allowing public access on port 3306. Option D is wrong because enabling encryption at rest protects data stored on disk but does not prevent an attacker from connecting to the database over the network and exfiltrating unencrypted data in transit.

11
MCQeasy

A company uses a cloud-based identity provider (IdP) for single sign-on (SSO). Which security control is most effective in preventing account takeover due to credential stuffing?

A.Enforce complex password policies.
B.Enable multi-factor authentication (MFA) for all users.
C.Implement CAPTCHA on the login page.
D.Enable account lockout after 3 failed attempts.
AnswerB

MFA prevents credential stuffing.

Why this answer

Multi-factor authentication (MFA) is the most effective control against credential stuffing because it requires an additional verification factor beyond the password. Even if an attacker obtains valid credentials through a previous breach, they cannot complete authentication without the second factor (e.g., a one-time passcode from an authenticator app or a hardware token). This directly neutralizes the core attack vector of credential stuffing, which relies solely on reused passwords.

Exam trap

The trap here is that candidates often choose account lockout (Option D) thinking it stops brute-force attacks, but credential stuffing uses valid passwords from breaches, so lockout is ineffective and can be easily evaded with distributed IPs.

How to eliminate wrong answers

Option A is wrong because complex password policies do not prevent credential stuffing; they only make it harder to guess or crack a single password, but attackers use already compromised credentials from other breaches, not brute force. Option C is wrong because CAPTCHA only slows down automated login attempts but does not stop an attacker who has valid credentials from manually logging in or using sophisticated bots that can solve CAPTCHAs. Option D is wrong because account lockout after 3 failed attempts can be bypassed by attackers using distributed credential stuffing attacks from many different IP addresses, and it also creates a denial-of-service risk for legitimate users.

12
MCQeasy

A company deploys IoT sensors in a remote facility with limited bandwidth. The sensors send small data packets every few seconds. Which wireless technology is most appropriate for this application?

A.4G LTE
B.Wi-Fi 6
C.Bluetooth 5
D.LoRaWAN
AnswerD

Optimized for low-power, long-range IoT.

Why this answer

LoRaWAN is designed for low-power, long-range communication with small data payloads, making it ideal for IoT sensors in remote facilities with limited bandwidth. It operates in sub-GHz ISM bands (e.g., 868 MHz or 915 MHz) and supports data rates from 0.3 kbps to 50 kbps, perfectly matching the requirement of sending small packets every few seconds over kilometers.

Exam trap

The trap here is that candidates often confuse 'low power' and 'short range' technologies like Bluetooth 5 with the specific requirements of remote, long-range IoT, failing to recognize that LoRaWAN is the only option explicitly designed for low-power wide-area networks (LPWAN) with kilometer-scale range.

How to eliminate wrong answers

Option A is wrong because 4G LTE is a cellular technology optimized for high-bandwidth, low-latency applications (e.g., video streaming) and consumes significantly more power, making it unsuitable for battery-powered IoT sensors in remote areas with limited bandwidth. Option B is wrong because Wi-Fi 6 (802.11ax) is designed for high-density, high-throughput local area networks with a typical range of tens of meters, not for long-range, low-power IoT deployments in remote facilities. Option C is wrong because Bluetooth 5, while offering low power and mesh capabilities, has a maximum range of approximately 200-400 meters in ideal conditions, which is insufficient for remote facilities spanning kilometers, and its data rate (up to 2 Mbps) is overkill for small packets sent every few seconds.

13
Drag & Dropmedium

Drag and drop the steps to perform a SQL injection attack manually into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Identify vulnerability, test, find columns, use UNION, extract data.

14
Multi-Selecthard

Which THREE of the following are common security risks associated with cloud computing?

Select 3 answers
A.Physical theft of servers from the data center.
B.Misconfigured cloud storage leading to data exposure.
C.Shared technology vulnerabilities in multi-tenant environments.
D.Insecure application programming interfaces (APIs).
E.Hypervisor compromise due to unpatched vulnerabilities.
AnswersB, C, D

Common misconfiguration.

Why this answer

Option B is correct because misconfigured cloud storage, such as an Amazon S3 bucket with overly permissive ACLs or a publicly accessible Azure Blob container, is one of the most common cloud security risks. This misconfiguration can expose sensitive data to the internet without authentication, leading to data breaches. The Cloud Security Alliance (CSA) consistently lists misconfiguration as a top cloud threat.

Exam trap

The trap here is that candidates often confuse 'hypervisor compromise' (Option E) as a common risk, but the CEH exam emphasizes that misconfiguration, shared technology vulnerabilities, and insecure APIs are the three most prevalent cloud security risks according to the CSA and NIST guidelines.

15
MCQmedium

A security analyst notices unusual traffic from a smart thermostat to an external IP address. The thermostat is on a separate IoT VLAN. Which action should the analyst take to investigate and mitigate the threat?

A.Disconnect the thermostat from the network.
B.Block all outbound traffic from the IoT VLAN.
C.Uninstall the companion app from the user's smartphone.
D.Create a firewall rule to block traffic from the thermostat's MAC address to the external IP.
AnswerD

This precisely blocks the suspicious traffic without affecting other devices.

Why this answer

Option D is correct because creating a firewall rule to block traffic from the thermostat's MAC address to the specific external IP is a targeted, least-disruptive mitigation. It preserves the IoT VLAN's functionality for other devices while stopping the suspicious communication. This approach allows the analyst to investigate further without losing visibility into the threat, as the thermostat remains on the network for forensic analysis.

Exam trap

The trap here is that candidates often choose Option A (disconnect) because it seems like an immediate containment step, but CEH emphasizes that disconnecting destroys forensic evidence and prevents further analysis, whereas a targeted firewall rule allows both mitigation and investigation.

How to eliminate wrong answers

Option A is wrong because disconnecting the thermostat removes the device from the network, preventing further monitoring and forensic analysis of the suspicious traffic; it also disrupts legitimate functionality without confirming the threat. Option B is wrong because blocking all outbound traffic from the IoT VLAN is overly broad and would break legitimate IoT services (e.g., firmware updates, cloud connectivity) for all devices on that VLAN, causing unnecessary operational impact. Option C is wrong because uninstalling the companion app from the user's smartphone does not address the network-level traffic from the thermostat itself; the thermostat communicates directly with the external IP, independent of the app, and the app may be unrelated to the malicious activity.

16
Multi-Selecteasy

Which TWO of the following are characteristics of a Bluetooth Low Energy (BLE) IoT device that make it suitable for a battery-powered sensor?

Select 2 answers
A.High data throughput.
B.Long range (up to 1 km).
C.Low energy consumption.
D.Low data transfer rates.
E.Operates in unlicensed spectrum like Wi-Fi.
AnswersC, D

BLE is optimized for low power.

Why this answer

Option C is correct because BLE is specifically designed for ultra-low power consumption, enabling battery-powered sensors to operate for months or years on a coin cell battery. BLE achieves this by using short bursts of data transmission and then entering a deep sleep mode, drastically reducing energy usage compared to classic Bluetooth or Wi-Fi.

Exam trap

EC-Council often tests the misconception that 'low energy' means low data rate, but the trap here is that candidates might incorrectly select 'High data throughput' (A) or 'Long range' (B) because they confuse BLE with classic Bluetooth or other IoT protocols, overlooking BLE's explicit design trade-off for power efficiency over speed and distance.

17
Multi-Selectmedium

Which TWO of the following are effective countermeasures against rogue access point attacks on a corporate wireless network?

Select 2 answers
A.Deploy a Wireless Intrusion Prevention System (WIPS).
B.Use WPA2-PSK with a strong passphrase.
C.Implement MAC address filtering on the access points.
D.Use 802.1X authentication with a RADIUS server.
E.Disable SSID broadcast on the corporate network.
AnswersA, D

WIPS detects and blocks rogues.

Why this answer

A Wireless Intrusion Prevention System (WIPS) continuously monitors the radio frequency spectrum to detect, locate, and block rogue access points. It can automatically classify devices based on their behavior and signatures, and when a rogue AP is identified, the WIPS can launch a de-authentication attack against the rogue device or its clients, effectively neutralizing the threat. This makes WIPS the most direct and proactive countermeasure against rogue APs.

Exam trap

EC-Council often tests the misconception that encryption or authentication methods (like WPA2-PSK or 802.1X) alone can prevent rogue APs, when in fact they only secure the legitimate network and do not address the rogue device's ability to operate on the same frequency.

18
MCQeasy

A cloud security engineer wants to ensure that only authorized users can access an S3 bucket containing sensitive data. Which AWS service should be used to enforce fine-grained access control?

A.AWS Key Management Service (KMS)
B.AWS CloudTrail
C.AWS CloudFront
D.AWS Identity and Access Management (IAM)
AnswerD

IAM policies define permissions for users and roles.

Why this answer

AWS Identity and Access Management (IAM) is the correct service because it allows the cloud security engineer to define fine-grained permissions using IAM policies that specify which users, groups, or roles can perform specific actions (e.g., s3:GetObject, s3:PutObject) on the S3 bucket. IAM integrates directly with S3 to enforce access control based on the principle of least privilege, ensuring only authorized users can access sensitive data.

Exam trap

The trap here is that candidates often confuse encryption services (KMS) or logging services (CloudTrail) with access control, but only IAM provides the fine-grained authorization policies needed to control user actions on S3 resources.

How to eliminate wrong answers

Option A is wrong because AWS Key Management Service (KMS) is used for encryption key management, not for enforcing access control policies; it protects data at rest but does not define who can access the bucket. Option B is wrong because AWS CloudTrail is a logging and monitoring service that records API calls for auditing, not a mechanism to enforce access control decisions. Option C is wrong because AWS CloudFront is a content delivery network (CDN) that can be used to distribute content with signed URLs or cookies, but it does not provide native fine-grained access control to the S3 bucket itself; it is a separate service for caching and delivery, not for authorization management.

19
MCQmedium

A security analyst detects multiple failed authentication attempts on a cloud-based SSH server from a single IP address. The analyst implements a rule to block that IP. However, the attacks continue from different IPs. Which additional control should be implemented to reduce the attack surface?

A.Disable password authentication and use SSH key-based authentication.
B.Install fail2ban to automatically block IPs after failures.
C.Implement rate-limiting on SSH connections per IP.
D.Change the SSH port to a non-standard port.
AnswerA

Keys are resistant to brute-force.

Why this answer

Disabling password authentication and enforcing SSH key-based authentication eliminates the attack vector of brute-forcing passwords entirely. Since the attacker is using multiple IPs to perform credential stuffing, blocking individual IPs (as done initially) or using tools like fail2ban only treats the symptom, not the root cause. Key-based authentication uses asymmetric cryptography (RSA/ECDSA/Ed25519) and is not susceptible to online guessing attacks, thus permanently reducing the attack surface.

Exam trap

The trap here is that candidates focus on reactive IP-blocking solutions (fail2ban, rate-limiting) or obscurity (port changing) instead of recognizing that the fundamental vulnerability is the use of passwords, which must be eliminated at the protocol level.

How to eliminate wrong answers

Option B (fail2ban) is wrong because it only blocks IPs after repeated failures, but the attacker is rotating through many IPs, so each new IP can still attempt logins before being blocked. Option C (rate-limiting per IP) is wrong because it similarly assumes a single source; with distributed IPs, each IP stays under the rate limit, allowing the attack to continue. Option D (changing the SSH port) is wrong because it only obscures the service via security through obscurity; an attacker scanning all ports will quickly discover the new port, and the password-based authentication remains vulnerable.

20
MCQhard

During a wireless penetration test, you discover that the target network uses WPA2-Enterprise with PEAP-MSCHAPv2. You capture the authentication traffic of a legitimate user. Which attack can you perform to recover the user's domain credentials?

A.Decrypt the traffic using the captured handshake to get the credentials.
B.WPS PIN brute-force to recover the PSK.
C.PMKID attack to crack the pre-shared key.
D.Set up a rogue RADIUS server to capture the challenge-response and perform an offline brute-force attack.
AnswerD

Rogue RADIUS can capture hashes for cracking.

Why this answer

In WPA2-Enterprise with PEAP-MSCHAPv2, the authentication is based on a challenge-response mechanism between the client and a RADIUS server. By setting up a rogue RADIUS server, you can capture the challenge and the client's encrypted response, then perform an offline brute-force attack against the MSCHAPv2 hash to recover the user's domain credentials. This works because the MSCHAPv2 response is derived from the user's password and can be cracked offline.

Exam trap

The trap here is that candidates confuse WPA2-Enterprise with WPA2-Personal and incorrectly apply attacks like PMKID or handshake decryption, not realizing that enterprise mode relies on RADIUS-based authentication and is vulnerable to rogue server attacks rather than PSK cracking.

How to eliminate wrong answers

Option A is wrong because WPA2-Enterprise traffic is encrypted with per-session keys derived from the EAP exchange, and the captured handshake does not contain the user's credentials in a decryptable form; the handshake is used for key derivation, not for revealing plaintext credentials. Option B is wrong because WPS PIN brute-force targets WPA/WPA2-Personal networks using a PIN to recover the PSK, but WPA2-Enterprise does not use a pre-shared key or WPS, so this attack is irrelevant. Option C is wrong because the PMKID attack is used against WPA/WPA2-Personal networks to crack the PSK from the PMKID field in the beacon frame, but WPA2-Enterprise uses 802.1X authentication and does not have a PMKID derived from a PSK.

21
Multi-Selecthard

A penetration tester is assessing the security of a smart building's IoT infrastructure. The building uses Zigbee sensors for temperature and motion detection, and some devices communicate using MQTT over Wi-Fi. During the assessment, the tester captures traffic and notices that some Zigbee devices are sending unencrypted frames containing sensor IDs and values. Which TWO actions should the tester recommend to mitigate the identified vulnerabilities? (Choose two.)

Select 2 answers
A.Enable Zigbee security suite (AES-128 encryption) on all sensor devices.
B.Configure MQTT to use TLS 1.2 with mutual authentication between brokers and clients.
C.Disable encryption on MQTT to reduce latency and improve performance.
D.Implement device authentication using pre-shared keys only for Zigbee devices.
E.Segment the IoT devices into a separate VLAN and restrict access with ACLs.
AnswersA, B

Zigbee supports encryption; enabling it protects data in transit.

Why this answer

Option A is correct because Zigbee's security suite uses AES-128 encryption to protect over-the-air frames, preventing eavesdropping on sensor IDs and values. Enabling this suite ensures that captured unencrypted frames are no longer readable, directly mitigating the observed vulnerability. Option B is correct because MQTT over Wi-Fi without TLS exposes all communication in plaintext; configuring TLS 1.2 with mutual authentication encrypts the payload and verifies both broker and client identities, preventing man-in-the-middle attacks.

Exam trap

The trap here is that candidates often confuse network segmentation (VLANs) with data encryption, thinking that isolating IoT devices on a separate VLAN alone protects the confidentiality of unencrypted wireless frames.

22
MCQhard

You are the security lead for a multinational corporation that uses a hybrid cloud architecture with AWS and on-premises data centers. The company recently deployed a fleet of IoT sensors in a remote factory to monitor equipment. These sensors communicate via MQTT to an AWS IoT Core endpoint, which forwards data to an S3 bucket and a DynamoDB table. The factory network is isolated but has a site-to-site VPN to the corporate HQ. Over the past week, the S3 bucket has experienced an unusual number of PUT requests from an IP address that resolves to a known malicious host. The DynamoDB table shows write spikes at odd hours. The MQTT broker logs indicate that some sensors are publishing data with invalid client IDs. Meanwhile, the VPN logs show no anomalies. You need to identify the likely attack vector and recommend a course of action. Which of the following is the BEST course of action?

A.Disable the site-to-site VPN and require all traffic to go through a bastion host.
B.Implement client certificate authentication on AWS IoT Core and revoke any unregistered client IDs.
C.Move the S3 bucket and DynamoDB table to the on-premises data center to reduce cloud exposure.
D.Replace all IoT sensors with new ones that have firmware-level encryption.
AnswerB

This ensures only authenticated sensors can publish, blocking the malicious PUT requests.

Why this answer

Option B is correct because the attack exploits weak authentication on MQTT connections to AWS IoT Core. By implementing client certificate authentication, you ensure only registered devices with valid X.509 certificates can publish data, directly blocking the malicious PUT requests and write spikes. Revoking unregistered client IDs eliminates the invalid client IDs observed in the MQTT broker logs, closing the primary attack vector without disrupting legitimate sensor traffic.

Exam trap

The trap here is that candidates focus on network-level controls (VPN, bastion hosts) or data relocation, missing that the attack exploits weak IoT device authentication at the application layer, which requires identity-based controls like client certificates.

How to eliminate wrong answers

Option A is wrong because disabling the site-to-site VPN would break legitimate corporate connectivity and does not address the MQTT-based attack; the VPN logs show no anomalies, indicating the attack is not traversing the VPN. Option C is wrong because moving S3 and DynamoDB on-premises defeats the purpose of a hybrid cloud architecture and does not fix the root cause—weak IoT device authentication—while increasing latency and operational complexity. Option D is wrong because replacing all sensors with firmware-level encryption is costly, time-consuming, and does not solve the immediate authentication gap; encryption protects data in transit but does not prevent unauthorized devices from connecting to the MQTT broker.

23
MCQhard

Refer to the exhibit. During a wireless audit, you capture a beacon frame from a corporate access point. What is the most significant security concern based on this information?

A.The pairwise cipher is CCMP, which is outdated.
B.The network uses WPA2-PSK, which is easily cracked.
C.The beacon frame reveals the BSSID, which is a security risk.
D.The group cipher is TKIP, which is deprecated and vulnerable.
AnswerD

TKIP should not be used.

Why this answer

Option D is correct because TKIP (Temporal Key Integrity Protocol) is a deprecated encryption protocol that was part of the original WPA standard. It is vulnerable to several attacks, including the Michael attack and the Beck-Tews attack, which can allow an attacker to decrypt traffic or inject packets. In a modern WPA2 network, TKIP should never be used as the group cipher; only CCMP (AES) is considered secure.

Exam trap

The trap here is that candidates often assume WPA2-PSK is inherently insecure (Option B) or that revealing the BSSID is a risk (Option C), but the real security flaw in this scenario is the use of TKIP as the group cipher, which is deprecated and known to be broken.

How to eliminate wrong answers

Option A is wrong because CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) is the most secure cipher available for WPA2, based on AES, and is not outdated. Option B is wrong because while WPA2-PSK can be cracked if a weak passphrase is used, the protocol itself is not 'easily cracked' — the vulnerability lies in the passphrase strength, not the protocol. Option C is wrong because the BSSID (Basic Service Set Identifier) is the MAC address of the access point and is always transmitted in beacon frames; revealing it is not a security risk as it is necessary for client devices to identify and connect to the network.

24
MCQmedium

An organization deploys a fleet of IoT cameras that communicate with a central server over the internet. The cameras use HTTP to send video streams. What is the most critical security improvement to protect the video data in transit?

A.Require strong passwords on the camera web interface.
B.Use a site-to-site VPN between the cameras and the server.
C.Use certificate pinning to prevent man-in-the-middle attacks.
D.Implement TLS/SSL encryption for all camera communications.
AnswerD

Encrypts video streams.

Why this answer

The most critical security improvement is to implement TLS/SSL encryption (HTTPS) for all camera communications. HTTP transmits video data in plaintext, allowing any attacker on the network path to capture and view the video stream. TLS/SSL provides encryption, integrity, and authentication, directly protecting the confidentiality of the video data in transit.

Exam trap

EC-Council often tests the distinction between authentication/access controls (passwords, certificate pinning) and encryption (TLS/SSL), leading candidates to choose a security measure that does not actually protect data in transit.

How to eliminate wrong answers

Option A is wrong because strong passwords protect only the authentication to the camera's web interface, not the video data itself during transmission; an attacker can still intercept unencrypted HTTP streams. Option B is wrong because a site-to-site VPN would encrypt traffic between two network gateways, but if the cameras connect directly over the internet without a VPN client, the traffic remains unencrypted; VPNs also add complexity and latency not required for this specific threat. Option C is wrong because certificate pinning is a defense against man-in-the-middle attacks that validates a specific certificate, but it does not encrypt the data; without TLS/SSL, the video stream is still sent in plaintext and can be intercepted regardless of pinning.

Ready to test yourself?

Try a timed practice session using only Wireless, IoT and Cloud Security questions.