EC-COUNCIL 212-89 Online Practice Questions and Exam Preparation

EC-COUNCIL 212-89 Online Questions & Answers

• Question 91:

  Which of the following is defined as the identification of the boundaries of an IT system along with the resources and information that constitute the system?

  A. System characterization
  B. Vulnerability identification
  C. Threat ioenLificalion
  D. Control analysis
  A. System characterization

  ---

  System characterization is the process of defining the boundaries of an IT system, which includes identifying the resources, information, and functionality that constitute the system. This process is crucial for understanding the scope of the system, the data it processes, and the technology it employs. By characterizing a system, incident handlers can better understand the system's normal operations and behaviors, which is essential for identifying anomalies that may indicate a security incident. System characterization involves documenting the hardware, software, network configuration, data flows, and other critical elements of the IT environment. This foundational knowledge supports effective incident handling by providing a baseline against which suspicious activities can be compared.

  References: EC-Council's Certified Incident Handler (ECIH v3) courses and study guides emphasize the importance of system characterization in the incident handling and response process. It serves as a prerequisite for subsequent steps such as threat identification, vulnerability identification, and the implementation of appropriate controls.

• Question 92:

  Rica works as an incident handler for an international company. As part of her role, she must review the present security policy implemented. Upon inspection, Rica finds that the policy is wide open, and only known dangerous services/attacks or behaviors are blocked. Which of the following is the current policy that Rica identified?

  A. Prudent policy
  B. Paranoic policy
  C. Permissive policy
  D. Promiscuous policy
  C. Permissive policy

  ---

  A permissive security policy is characterized by allowing all activities except those that are explicitly blocked. This approach starts with a default state of allowing access and functionality, with restrictions applied only to known dangerous services, attacks, or behaviors. Such a policy can lead to a wider attack surface because it assumes services and behaviors are safe unless proven otherwise.

  A prudent policy would typically involve more conservative security measures, applying necessary restrictions to protect against identified and potential threats.

  A paranoic policy would be at the extreme end of security measures, possibly blocking more than necessary to ensure the highest level of security, often at the expense of usability or functionality.

  A promiscuous policy, in contrast, would be even more open than a permissive policy, essentially allowing nearly all traffic or actions with minimal restrictions, which is not what Rica observed.

  References: In the context of the ECIH v3 course by EC-Council, reviewing and understanding the implications of security policies, like the permissive policy identified by Rica, is crucial for incident handlers to assess and improve organizational security postures.

• Question 93:

  An organization faced an information security incident where a disgruntled employee passed sensitive access control information to a competitor. The organization's incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such information security incident?

  A. High level incident
  B. Middle level incident
  C. Ultra-High level incident
  D. Low level incident
  B. Middle level incident

  ---

  Explanation

• Question 94:

  Francis received a spoof email asking for his bank information. He decided to use a tool to analyze the email headers. Which of the following should he use?

  A. EventLog Analyzer
  B. MxTooIbox
  C. Email Checker
  D. PoliteMail
  B. MxTooIbox

  ---

  Explanation

  MxToolbox is a comprehensive tool designed for analyzing email headers and diagnosing various email delivery issues. When Francis received a spoofed email asking for his bank information, using MxToolbox to analyze the email headers would be appropriate. This tool helps in examining the source of the email, tracking the email's path across the internet from the sender to the receiver, and identifying any signs of email spoofing or malicious activity. It provides detailed information about the email servers encountered along the way and can help in verifying the authenticity of the email sender. Other options like EventLog Analyzer, Email Checker, and PoliteMail are tools used for different purposes such as analyzing system event logs, checking email address validity, and managing email communications, respectively, and do not specifically focus on analyzing email headers to the extent required for investigating a spoofed email incident.

  References: The use of MxToolbox in incident handling and email security analysis is commonly recommended in Incident Handler (ECIH v3) study materials as a practical tool for email header analysis and spoofing investigation.

• Question 95:

  Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?

  A. Links the appropriate technology to the incident to ensure that the foundation's offices are returned to normal operations as quickly as possible
  B. Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management
  C. Applies the appropriate technology and tries to eradicate and recover from the incident
  D. Focuses on the incident and handles it from management and technical point of view
  B. Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management

  ---

  Explanation

• Question 96:

  A malicious, security-breaking program is disguised as a useful program. Such executable programs, which are installed when a file is opened, allow others to control a user's system. What is this type of program called?

  A. Trojan
  B. Worm
  C. Virus
  D. Spyware
  A. Trojan

  ---

  A Trojan, short for Trojan horse, is a type of malicious software that misleads users of its true intent. It disguises itself as a legitimate and useful program, but once executed, it allows unauthorized access to the user's system. Unlike viruses and worms, Trojans do not replicate themselves but can be just as destructive. They are often used to create a backdoor to a computer system, allowing an attacker to gain access to the system or to deliver other malware. Trojans can be used for a variety of purposes, including stealing information, downloading or uploading files, monitoring the user's screen and keyboard, and more. The term "Trojan" comes from the Greek story of the wooden horse that was used to sneak soldiers into the city of Troy, which is analogous to the deceptive nature of this type of malware in cyber security.

  References: The EC-Council's Certified Incident Handler (ECIH v3) program covers various types of malware, including Trojans, in detail, explaining their mechanisms, how they can be identified, and the steps to take in response to such threats.

• Question 97:

  A computer virus hoax is a message warning the recipient of non-existent computer virus. The message is usually a chain e-mail that tells the recipient to forward it to every one they know. Which of the following is NOT a symptom of virus hoax message?

  A. The message prompts the end user to forward it to his / her e-mail contact list and gain monetary benefits in doing so
  B. The message from a known email id is caught by SPAM filters due to change of filter settings
  C. The message warns to delete certain files if the user does not take appropriate action
  D. The message prompts the user to install Anti-Virus
  A. The message prompts the end user to forward it to his / her e-mail contact list and gain monetary benefits in doing so

  ---

  Explanation

• Question 98:

  Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack occurred in the client company. He acquired the evidence data, preserved it, and started performing analysis on acquired evidentiary data to identify the source of the crime and the culprit behind the incident. Identify the forensic investigation phase in which Bob is currently in.

  A. Vulnerability assessment phase
  B. Post-investigation phase
  C. Pre-investigation phase
  D. Investigation phase
  D. Investigation phase

  ---

  Bob is in the Investigation phase of the forensic investigation process. This phase involves the detailed examination and analysis of the collected evidence to identify the source of the crime and the perpetrator behind the incident. It is a crucial step that follows the acquisition and preservation of evidence, where the incident responder applies various techniques and methodologies to analyze the evidentiary data. This analysis aims to uncover how the cybercrime was committed, trace the activities of the culprit, and gather actionable intelligence to support legal actions and prevent future incidents.

  References: The ECIH v3 certification materials discuss the stages of a forensic investigation, emphasizing the investigation phase as the point at which the incident responder analyzes evidence to draw conclusions about the incident's specifics.

• Question 99:

  Smith employs various malware detection techniques to thoroughly examine the network and its systems for suspicious and malicious malware files. Among all techniques, which one involves analyzing the memory dumps or binary codes for the traces of malware?

  A. Live system
  B. Dynamic analysis
  C. Intrusion analysis
  D. Static analysis
  D. Static analysis

  ---

  Static analysis involves examining the malware's memory dumps or binary codes without executing the code. This technique is used to find traces of malware by analyzing the code to understand its purpose, functionality, and potential impact. Static analysis allows for the identification of malicious signatures, strings, or other indicators of compromise within the malware's code. This method is contrasted with dynamic analysis, which studies the malware's behavior during execution, live system analysis, which examines running systems, and intrusion analysis, which focuses on detecting and analyzing breaches.

  References: The ECIH v3 certification program includes malware analysis techniques, highlighting static analysis as a key method for investigating malware without the risk of executing it on a live system.

• Question 100:

  To whom should an information security incident be reported?

  A. It should not be reported at all and it is better to resolve it internally
  B. Human resources and Legal Department
  C. It should be reported according to the incident reporting and handling policy
  D. Chief Information Security Officer
  C. It should be reported according to the incident reporting and handling policy

  ---

  Explanation