EC-COUNCIL 212-89 Online Practice Questions and Exam Preparation

EC-COUNCIL 212-89 Online Questions & Answers

• Question 121:

  Khai was tasked with examining the logs from a Linux email server. The server uses Sendmail to execute the command to send emailsand Syslog to maintain logs. To validate the data within email headers, which of the following directories should Khai check for information such as source and destination IP addresses, dates, and timestamps?

  A. /Var/log/mailog
  B. /#ar/log/sendmail
  C. /va r/log/mai11og
  D. /va r/log/sendmail/mailog
  A. /Var/log/mailog

  ---

  In a Linux environment, email servers such as Sendmail log events, including details about sent and received emails, in a specific log file. The correct directory and file for examining email logs, particularly for Sendmail and using Syslog for logging, is /Var/log/maillog. This file contains vital information for forensic and incident response purposes, including source and destination IP addresses, email addresses, timestamps, and other data relevant to the email traffic handled by the server. By analyzing this log, incident responders can gather evidence related to email-based incidents, trace the source of malicious emails, and understand the scope of an incident. It's crucial for individuals like Khai, who are tasked with examining logs, to know the correct log file locations and their contents to effectively validate and analyze email header information and other relevant data.

  References: Incident Handler (ECIH v3) study materials often cover the logging mechanisms of common services and applications on Linux systems, including email servers like Sendmail, and the importance of log files like /var/log/maillog in incident investigation and response activities.

• Question 122:

  Which document formally defines roles, responsibilities, communication flow, and escalation paths during a security incident?

  A. Business continuity plan
  B. Disaster recovery plan
  C. Incident response plan
  D. Risk assessment report
  C. Incident response plan

  ---

  An incident response plan provides structured guidance on how incidents are handled, including roles, responsibilities, communication procedures, and escalation paths. It ensures coordinated and effective incident management.

• Question 123:

  Who is mainly responsible for providing proper network services and handling network-related incidents in all the cloud service models?

  A. Cloud consumer
  B. Cloud auditor
  C. Cloud brokers
  D. Cloud service provide
  D. Cloud service provide

  ---

  In cloud computing environments, the responsibility for providing and managing network services, as well as handling incidents related to these services, primarily falls on the cloud service provider. This includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) models. The cloud service provider is tasked with ensuring the availability, integrity, and security of the network services they offer. This responsibility includes managing and responding to incidents that may affect these services, ranging from security breaches to performance issues. The cloud service provider employs a variety of tools and techniques to monitor the network, identify potential threats, and implement corrective actions to mitigate any impact on the services and their users.

  References: Incident Handler (ECIH v3) courses and study guides focus on the roles and responsibilities in cloud computing, where the distinction of responsibilities between cloud service providers and cloud consumers is emphasized. Specifically, the management of network services and incident handling in the cloud environment is highlighted as a key responsibility of the service provider.

• Question 124:

  BadGuy Bob hid files in the slack space, changed the file headers, hid suspicious files in executables, and changed the metadata for all types of files on his hacker laptop. What has he committed?

  A. Anti-forensics
  B. Adversarial mechanics
  C. Felony
  D. Legal hostility
  A. Anti-forensics

  ---

  Anti-forensics refers to techniques used to hinder the forensic analysis of a computer system. By hiding files in slack space, changing file headers, embedding suspicious files in executables, and altering metadata, BadGuy Bob is attempting to make it difficult for forensic analysts to find, analyze, and attribute the malicious activities and data on his laptop. These actions are designed to conceal evidence, manipulate digital artifacts, and obstruct investigations, making them clear examples of anti-forensic techniques. While such actions could be part of broader criminal activities, constituting a felony, and could be seen as adversarial mechanics or legal hostility in specific contexts, the most accurate classification of these techniques is anti- forensics.

  References: The ECIH v3 certification program includes discussions on forensic analysis and the challenges posed by anti-forensic techniques, teaching incident handlers how to recognize and counteract attempts to obstruct investigations.

• Question 125:

  Which of the following techniques helps incident handlers to detect man-in-the-middle attack by finding the new APs and trying to connect an already established channel, even if the spoofed AP consists similar IP and MAC addresses as of the original AP?

  A. Wireless client monitoring
  B. Network traffic monitoring
  C. General wireless traffic monitoring
  D. Access point monitoring
  D. Access point monitoring

  ---

  Access point monitoring is the technique that helps incident handlers to detect man-in-the-middle (MitM) attacks by continuously observing and managing the wireless access points (APs) within a network. This includes identifying unauthorized or new APs attempting to connect to the network or mimic existing APs, even if they present similar IP and MAC addresses to legitimate access points. Through access point monitoring, incident handlers can quickly identify and mitigate spoofed APs, thus preventing MitM attacks that exploit wireless networks by intercepting and manipulating communications.

  References: Incident Handler (ECIH v3) courses and study materials discuss network security monitoring strategies, including the importance of monitoring access points to detect and prevent MitM attacks and other threats to wireless networks.

• Question 126:

  Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification activation, recovery and reconstitution and plan appendices. What is the main purpose of the reconstitution plan?

  A. To restore the original site, tests systems to prevent the incident and terminates operations
  B. To define the notification procedures, damage assessments and offers the plan activation
  C. To provide the introduction and detailed concept of the contingency plan
  D. To provide a sequence of recovery activities with the help of recovery procedures
  A. To restore the original site, tests systems to prevent the incident and terminates operations

  ---

  Explanation

• Question 127:

  Which of the following has been used to evade IDS and IPS?

  A. Fragmentation
  B. TNP
  C. HTTP
  D. SNMP
  A. Fragmentation

  ---

  Fragmentation is a technique used by attackers to evade detection by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). By breaking down packets into smaller fragments, attackers can make it more difficult for these security systems to detect malicious payloads or signature-based patterns associated with known attacks. This method exploits the fact that some IDS/IPS solutions may not properly reassemble packet fragments for analysis, thereby allowing malicious fragments to pass through undetected.

  References: In its coverage of network security mechanisms and evasion techniques, the ECIH v3 certification details how attackers exploit vulnerabilities in the implementation of IDS and IPS systems, including the use of packet fragmentation.

• Question 128:

  An attacker after performing an attack decided to wipe evidences using artifact wiping techniques to evade forensic investigation. He applied magnetic field to the digital media device, resulting in an entirely clean device of any previously stored data.

  Identify the artifact wiping technique used by the attacker.

  A. File wiping utilities
  B. Disk degaussing/destruction
  C. Disk cleaning utilities
  D. Syscall proxying
  B. Disk degaussing/destruction

  ---

  The technique described, where an attacker applies a magnetic field to a digital media device to clean it of any previously stored data, is known as disk degaussing. Degaussing is a method used to erase a disk or tape by exposing it to a strong magnetic field, destroying the magnetic data storage mechanism and leaving the device clean of any data. This process is effectively used for wiping digital evidence in a way that makes recovery impossible, serving as a method of anti-forensics. Unlike file wiping utilities or disk cleaning utilities, which overwrite or delete data (potentially leaving traces that can be recovered), degaussing physically alters the storage medium itself, making data recovery unfeasible.

  References: The ECIH v3 certification program discusses various artifact wiping techniques, including degaussing, as part of understanding anti-forensic methods that attackers use to evade detection and investigation.

• Question 129:

  Which of the following does NOT reduce the success rate of SQL injection?

  A. Close unnecessary application services and ports on the server.
  B. Automatically lock a user account after a predefined number of invalid login attempts within a predefined interval.
  C. Constrain legitimate characters to exclude special characters.
  D. Limit the length of the input field.
  A. Close unnecessary application services and ports on the server.

  ---

  Reducing the success rate of SQL injection attacks is focused on minimizing vulnerabilities within the application's database interactions, rather than the broader server or network services. SQL injection prevention techniques typically involve input validation, parameterized queries, and the use of stored procedures, rather than changes to the network or server configuration.

  A) Closing unnecessary application services and ports on the server is a general security best practice to reduce the attack surface but does not directly impact the success rate of SQL injection attacks. This action limits access to potential vulnerabilities across the network and server but doesn't address the specific ways SQL injection exploits input handling within web applications.

  B) Automatically locking a user account after a predefined number of invalid login attempts within a predefined interval can help mitigate brute force attacks but has no direct effect on preventing SQL injection, which exploits code vulnerabilities to manipulate database queries.

  C) Constraining legitimate characters to exclude special characters and D) Limiting the length of the input field are both direct methods to reduce the risk of SQL injection. They focus on controlling user input, which is the vector through which SQL injection attacks are launched. By restricting special characters that could be used in SQL commands and limiting input lengths, an application can reduce the potential for malicious input to form a part of SQL queries executed by the backend database.

  References: EC-Council's Certified Incident Handler (ECIH v3) program includes strategies for preventing various types of cyber attacks, including SQL injection, by emphasizing secure coding practices and application design.

• Question 130:

  Malicious downloads that result from malicious office documents being manipulated are caused by which of the following?

  A. Clickjacking
  B. Impersonation
  C. Registry key manipulation
  D. Macro abuse
  D. Macro abuse

  ---

  Malicious downloads initiated through manipulated office documents typically involve macro abuse. Macros are scripts that can automate tasks within documents and are embedded within Office documents like Word, Excel, and PowerPoint files. While macros can be used for legitimate purposes, they can also be abused by attackers to execute malicious code. When an office document with a malicious macro is opened, and macros are enabled, the macro can run arbitrary code that leads to malicious

  downloads, installing malware or performing other unauthorized actions on the victim's system.

  Macro abuse has become a common vector for cyber attacks, as it exploits the functionality of widely used office applications. Attackers often craft phishing emails with attachments or links to documents that contain malicious macros, tricking users into enabling macros to execute the malicious code. This method is effective for bypassing some security measures since it relies on user interaction and exploitation of legitimate features.

  References: In the ECIH v3 course by EC-Council, there is a focus on various methods used by attackers to compromise systems, including macro abuse in office documents. The curriculum stresses the importance of understanding these attack vectors for effective incident handling and response strategies.