EC-COUNCIL 212-89 Online Practice Questions and Exam Preparation

EC-COUNCIL 212-89 Online Questions & Answers

• Question 101:

  An incident responder captures network traffic in real time without sending packets to the target systems. Which assessment approach is being used?

  A. Active assessment
  B. External assessment
  C. Passive assessment
  D. Internal assessment
  C. Passive assessment

  ---

  Passive assessment involves monitoring and analyzing network traffic without actively probing or interacting with target systems. This approach minimizes disruption while still allowing identification of suspicious activity.

• Question 102:

  Which of the following is a term that describes the combination of strategies and services intended to restore data, applications, and other resources to the public cloud or dedicated service providers?

  A. Mitigation
  B. Analysis
  C. Eradication
  D. Cloud recovery
  D. Cloud recovery

  ---

  The term that describes the combination of strategies and services intended to restore data, applications, and other resources to the public cloud or dedicated service providers is "Cloud recovery." This term encompasses disaster recovery efforts focused on ensuring that an organization's digital assets can be quickly and effectively restored or moved to cloud environments in the event of data loss, system failure, or a disaster. Cloud recovery strategies are part of a broader disaster recovery and business continuity planning, ensuring minimal downtime and data loss by leveraging cloud computing's scalability and flexibility. Mitigation, analysis, and eradication are terms associated with other aspects of incident response and risk management, not specifically with the restoration of resources to cloud environments.

  References: The Incident Handler (ECIH v3) curriculum includes discussions on disaster recovery and business continuity planning, highlighting cloud recovery as a vital component of ensuring organizational resilience against disruptions.

• Question 103:

  According to NITS, what are the 5 main actors in cloud computing?

  A. Provider, carrier, auditor, broker, and seller
  B. Consumer, provider, carrier, auditor, ano broker
  C. Buyer, consumer, carrier, auditor, and broker
  D. None of these
  B. Consumer, provider, carrier, auditor, ano broker

  ---

  According to the National Institute of Standards and Technology (NIST), which is a primary source for cloud computing standards and guidelines, the five main actors in cloud computing are Consumer, Provider, Carrier, Auditor, and Broker. These roles are defined as follows:

  Consumer: The person or organization that uses cloud computing services.

  Provider: The entity that provides the cloud services to consumers.

  Carrier: The organization that offers connectivity and transport services to cloud providers and consumers.

  Auditor: An independent party that assesses and verifies the cloud services, security controls, and operations.

  Broker: An entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between cloud providers and consumers.

  These actors play critical roles in the ecosystem of cloud computing, ensuring the services are delivered and used securely, efficiently, and effectively.

  References: NIST's documentation on cloud computing, including the NIST Cloud Computing Standards Roadmap and the NIST Cloud Computing Reference Architecture, detail these roles and their importance in cloud computing frameworks.

• Question 104:

  Your company sells SaaS, and your company itself is hosted in the cloud (using it as a PaaS). In case of a malware incident in your customer's database, who is responsible for eradicating the malicious software?

  A. Your company
  B. Building management
  C. The PaaS provider
  D. The customer
  A. Your company

  ---

  In the scenario where your company sells Software as a Service (SaaS) and is hosted on the cloud using it as a Platform as a Service (PaaS), your company is responsible for eradicating malware in your customer's database. This is because, as the SaaS provider, your company manages the software and is responsible for its security and maintenance, including the databases that store customer data. While the PaaS provider is responsible for the underlying infrastructure, platform, and possibly some middleware security aspects, the application layer security, including data and application management, falls to the SaaS provider. Building management would not be involved in digital security matters, and while customers are responsible for their data, the actual software maintenance and security in a SaaS model are the provider's responsibility.

  References: Incident Handler (ECIH v3) certification materials often discuss cloud service models (IaaS, PaaS, SaaS) and their associated security responsibilities, highlighting the importance of understanding who is responsible for what in cloud environments.

• Question 105:

  An attacker traced out and found the kind of websites a target company/individual is frequently surfing and tested those particular websites to identify any possible vulnerabilities. When the attacker detected vulnerabilities in the website, the attacker started injecting malicious script/code into the web application that can redirect the webpage and download the malware onto the victim's machine. After infecting the vulnerable web application, the attacker waited for the victim to access the infected web application.

  Identify the type of attack performed by the attacker.

  A. Watering hole
  B. Obfuscation application
  C. Directory traversal
  D. Cookie/Session poisoning
  A. Watering hole

  ---

  The described attack is a "Watering hole" attack. This type of attack targets specific groups of users by infecting websites they are known to frequently visit. The attacker first identifies websites that are popular with the target group, then finds vulnerabilities in those websites to inject malicious code. When the victims visit the compromised site, the code redirects them to other sites or automatically downloads malware onto their machines. This attack leverages the trust users have in regularly visited sites to distribute malware. Unlike obfuscation application, directory traversal, or cookie/session poisoning attacks, watering hole attacks specifically aim to compromise a commonly used and trusted website to target its users.

  References: The ECIH v3 certification materials discuss various cyber attack strategies, including watering hole attacks, and provide insights into how attackers exploit trusted relationships between websites and their users.

• Question 106:

  Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To acccomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources (processor cache) to steal data (cryptographic key/plain text secrets) from the victim machine. Identify the type of attack Alice is performing in the above scenario.

  A. Side channel attack
  B. Service hijacking
  C. SQL injection attack
  D. Man-in-the-cloud attack
  A. Side channel attack

  ---

  A side channel attack, as described in the scenario, involves an attacker using indirect methods to gather information from a system. In this case, Alice is exploiting the shared physical resources, specifically the processor cache, of a virtual machine host to steal data from another virtual machine on the same host. This type of attack does not directly breach the system through conventional means like breaking encryption but instead takes advantage of the information leaked by the physical implementation of the system, such as timing information, power consumption, electromagnetic leaks, or, as in this case, shared resource utilization, to infer the secret data.

  References: The EC-Council's Certified Incident Handler (ECIH v3) program covers various types of cyber attacks, including advanced techniques like side channel attacks, highlighting the need for comprehensive security strategies that consider both direct and indirect attack vectors.

• Question 107:

  In which of the following stages of incident handling and response (IHandR) process do the incident handlers try to find out the root cause of the incident along with the threat actors behind the incidents, threat vectors, etc.?

  A. Post-incident activities
  B. Incident triage
  C. Evidence gathering and forensics analysis
  D. Incident recording and assignment
  C. Evidence gathering and forensics analysis

  ---

  During the incident handling and response (IHandR) process, the stage of "Evidence gathering and forensics analysis" involves the collection of evidence, forensic analysis, and detailed investigation to uncover the root cause of the incident. This stage is crucial for understanding how the incident occurred, identifying the threat actors involved, the methods they used (threat vectors), and the extent of the impact. By analyzing evidence, incident responders can reconstruct the sequence of events, identify the vulnerabilities exploited, and determine the scope of the incident. This information is vital for resolving the incident effectively and taking steps to prevent future occurrences.

  References: The importance of evidence gathering and forensic analysis in the incident handling and response process is emphasized in ECIH v3 courses and study materials. These resources provide guidance on how to conduct thorough investigations to understand the nature of security incidents fully and develop effective mitigation strategies.

• Question 108:

  Which of the following is a characteristic of adware?

  A. Gathering information
  B. Displaying popups
  C. Intimidating users
  D. Replicating
  B. Displaying popups

  ---

  Explanation

• Question 109:

  Alice is an incident handler and she has been informed by her lead that the data on affected systems must be backed up so that it can be retrieved if it is damaged during the incident response process. She was also told that the system backup can also be used for further investigation of the incident. In which of the following stages of the incident handling and response (IHandR) process does Alice need to do a complete backup of the infected system?

  A. Containment
  B. Incident recording
  C. Incident triage
  D. Eradication
  A. Containment

  ---

  In the incident handling and response (IHandR) process, backing up the data on affected systems is a critical step that usually falls under the Containment phase. The Containment phase is crucial for limiting the scope and severity of an incident, ensuring that it does not spread further or affect additional systems. Backing up affected systems during containment is essential for several reasons: it preserves a snapshot of the system in its current state for forensic analysis, ensures that data is not lost if the

  system needs to be wiped or altered during the response process, and helps in the recovery process if data is corrupted or lost.

  By performing a complete backup of the infected system during the Containment phase, Alice ensures that there is a reliable copy of all data and system states before any major actions, such as eradication or deeper forensic analysis, are taken. This step is also preparatory for the potential use of the backup in analyzing how the incident occurred and in restoring system functionality after the incident is resolved.

  References: EC-Council's Certified Incident Handler (ECIH v3) courses and study guides highlight the importance of the Containment phase in the IHandR process, including the practice of backing up affected systems to prevent data loss and to aid in the investigation and recovery processes.

• Question 110:

  Which log source is MOST useful for identifying repeated failed login attempts across multiple systems?

  A. Application logs
  B. Network traffic captures
  C. Authentication logs
  D. Database transaction logs
  C. Authentication logs

  ---

  Authentication logs record login successes and failures and are critical for detecting brute-force attempts, credential stuffing, and unauthorized access patterns.