EC-COUNCIL 212-89 Online Practice Questions and Exam Preparation

EC-COUNCIL 212-89 Online Questions & Answers

• Question 141:

  Which stage of the incident response and handling process involves auditing the system and network log files?

  A. Containment
  B. Incident triage
  C. Incident disclosure
  D. Incident eradication
  B. Incident triage

  ---

  Auditing the system and network log files is a crucial step in the incident triage phase of the incident response and handling process. During incident triage, incident handlers assess and prioritize incidents based on their severity, impact, and the urgency of the response required. Part of this assessment involves reviewing log files to understand the nature of the incident, its scope, and the systems or networks affected. This information helps in categorizing the incident and deciding on the appropriate response actions. Unlike containment, which aims to limit the damage, incident disclosure, which involves communicating about the incident, or incident eradication, which focuses on removing the threat, incident triage is about evaluating and prioritizing the incident based on detailed log analysis among other factors.

  References: The Incident Handler (ECIH v3) courses and study guides emphasize the role of incident triage in the early stages of the incident response process, highlighting the importance of log file analysis in assessing and prioritizing incidents.

• Question 142:

  Matt is an incident handler working for one of the largest social network companies, which was affected by malware. According to the company's reporting timeframe guidelines, a malware incident should be reported within 1 h of discovery/detection after its spread across the company. Which category does this incident belong to?

  A. CAT 1
  B. CAT 4
  C. CAT 2
  D. CAT 3
  A. CAT 1

  ---

  In incident response protocols, incidents are categorized based on their severity, impact, and the urgency of the response required. The categorization helps in prioritizing incident response activities and allocating resources accordingly. A CAT 1 (Category 1) incident is typically considered the highest priority, involving significant threats that require immediate response. Given the scenario where a malware incident in one of the largest social network companies must be reported within 1 hour of discovery/ detection, this indicates a high- priority incident due to the potential widespread impact and the need for a rapid response to contain and mitigate the malware's spread. The urgency of the reporting timeframe suggests that the incident is considered critical, aligning with the characteristics of a CAT 1 incident, which necessitates immediate action to prevent significant damage or disruption to the company's operations and services.

  References: The Incident Handler (ECIH v3) curriculum emphasizes the importance of incident categorization and the establishment of clear reporting and response protocols based on the severity and urgency of incidents. This framework enables organizations to respond effectively to incidents like malware attacks by ensuring that high-priority threats are quickly identified and addressed.

• Question 143:

  An organization's customers are experiencing either slower network communication or unavailability of services. In addition, network administrators are receiving alerts from security tools such as IDS/IPS and firewalls about a possible DoS/DDoS attack. In result, the organization requests the incident handling and response (IHandR) team further investigates the incident. The IHandR team decides to use manual techniques to detect DoS/DDoS attack. Which of the following commands helps the IHandR team to manually detect DoS/DDoS attack?

  A. netstat -r
  B. nbtstat /c
  C. netstat an
  D. nbtstat/S
  C. netstat an

  ---

  The netstat -an command is used to display network connections, routing tables, and a number of network interface statistics. It is particularly useful for identifying unusual volumes of traffic to and from a system, which can be indicative of a DoS/DDoS attack. The option shows all active connections and the TCP and -a UDP ports on which the computer is listening, and -n displays addresses and port numbers in numerical form. This can help the incident handling and response (IHandR) team to identify

  suspicious patterns, such as a large number of connections from a single source or to a specific port, which are common during DoS/DDoS attacks.

  References: The Certified Incident Handler (ECIH v3) program from EC-Council teaches incident handlers about various manual and automated techniques to detect and respond to incidents, including the use of system and network commands like netstat -an for identifying signs of DoS/DDoS attacks.

• Question 144:

  Farheen is an incident responder at reputed IT Firm based in Florida. Farheen was asked to investigate a recent cybercrime faced by the organization. As part of this process, she collected static data from a victim system. She used DD tool command to perform forensic duplication to obtain an NTFS image of the original disk. She created a sector-by-sector mirror imaging of the disk and saved the output image file as image.dd. Identify the static data collection process step performed by Farheen while collecting static data.

  A. Comparison
  B. Administrative consideration
  C. System preservation
  D. Physical presentatio
  C. System preservation

  ---

  Farheen's activity of using the DD tool to create a sector-by-sector mirror image of the original disk is an example of system preservation. This process is crucial in digital forensics for creating an exact copy of a storage device to ensure that the original data remains unchanged during the investigation. By making a forensic duplication, or image, of the disk, Farheen ensures that the static data on the disk is preserved in its current state for thorough analysis, without altering the original evidence. This step allows investigators to work with a precise replica of the data, protecting the integrity of the original evidence.

  References: The Incident Handler (ECIH v3) certification materials discuss various methods and tools for data acquisition and preservation, highlighting the importance of system preservation in the initial stages of forensic analysis.

• Question 145:

  Eric works as a system administrator in ABC organization. He granted privileged users with unlimited permissions to access the systems. These privileged users can misuse their rights unintentionally or maliciously or attackers can trick them to perform malicious activities. Which of the following guidelines helps incident handlers to eradicate insider attacks by privileged users?

  A. Do not use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information
  B. Do not control the access to administrators and privileged users
  C. Do not enable the default administrative accounts to ensure accountability
  D. Do not allow administrators to use unique accounts during the installation process
  C. Do not enable the default administrative accounts to ensure accountability

  ---

  The guideline that helps incident handlers to eradicate insider attacks by privileged users is to ensure accountability by not enabling default administrative accounts. Instead, organizations should require administrators and privileged users to use individual accounts that can be audited and traced back to specific actions and users. This practice enhances security by ensuring that all actions taken on the system can be attributed to individual users, reducing the risk of misuse of privileges and making it easier to identify the source of malicious activities or policy violations. The other options listed either present insecure practices or misunderstandings of security protocols that would not help in eradicating insider attacks.

  References: The ECIH v3 certification materials discuss strategies for managing and mitigating the risks associated with privileged users, including the importance of accountability and the controlled use of administrative privileges to prevent insider threats.

• Question 146:

  A colleague wants to minimize their security responsibility because they are in a small organization. They are evaluating a new application that is offered in different forms. Which form would result in the least amount of responsibility for the colleague?

  A. On-prom installation
  B. saaS
  C. laaS
  D. PaaS
  B. saaS

  ---

  Software as a Service (SaaS) offers the least amount of security responsibility for the end-user or organization, as the service provider manages the underlying infrastructure, software maintenance, security patching, and updates. Choosing a SaaS application means the colleague's organization would not be responsible for the physical servers, operating systems, or the application's security configurations, making it the best option for minimizing their security responsibilities.

  References: In the Certified Incident Handler (ECIH v3) course materials, the various cloud service models (IaaS, PaaS, SaaS) are discussed with a focus on their implications for security responsibilities and management.

• Question 147:

  XYZ Inc. was affected by a malware attack and James, being the incident handling and response (IHandR) team personnel handling the incident, found out that the root cause of the incident is a backdoor that has bypassed the security perimeter due to an existing vulnerability in the deployed firewall. James had contained the spread of the infection and removed the malware completely. Now the organization asked him to perform incident impact assessment to identify the impact of the incident over the organization and he was also asked to prepare a detailed report of the incident.

  Which of the following stages in IHandR process is James working on?

  A. Notification
  B. Evidence gathering and forensics analysis
  C. Post-incident activities
  D. Eradication
  C. Post-incident activities

  ---

  James is working on the post-incident activities stage of the Incident Handling and Response (IHandR) process. After containing the spread of the infection and removing the malware, the focus shifts to assessing the impact of the incident on the organization and preparing a detailed report. This phase involves analyzing the extent of the damage, determining the cost of the attack, evaluating how well the incident was managed, and identifying lessons learned to improve future response efforts. The objective is to restore systems to normal operation, ensure no remnants of the threat remain, and implement measures to prevent recurrence.

  References: Incident Handler (ECIH v3) courses and study guides outline the IHandR process, emphasizing the importance of post-incident activities for organizational recovery and improvement of future security measures.

• Question 148:

  Which one of the following is the correct flow of the stages in an incident handling and response (IHandR) process?

  A. Preparation -* Incident recording -> Incident triage -* Containment -*# Eradication -?Recovery -* Post-incident activities
  B. Containment -* Incident recording -* Incident triage -> Preparation -* Recovery -> Eradication -* Post-incident activities
  C. Incident recording -> Preparation -> Containment * Incident triage -> Recovery > Eradication -?Post- incident activities
  D. Incident triage -?Eradication -# Containment -* Incident recording -* Preparation -* Recovery -* Post-incident activities
  A. Preparation -* Incident recording -> Incident triage -* Containment -*# Eradication -?Recovery -* Post-incident activities

  ---

  The correct flow of stages in an Incident Handling and Response (IHandR) process as outlined in the Incident Handler (ECIH v3) by EC-Council begins with Preparation. This phase involves getting ready for potential incidents by developing plans, policies, and procedures, and ensuring that tools and team training are up to date. Incident Recording is the next stage, where incidents are documented and reported. Incident Triage follows, prioritizing incidents based on their impact and urgency. Containment is next, aiming to limit the damage of the incident and prevent further spread. Eradication comes after containment, where the root cause of the incident is removed. Recovery is the stage where affected systems are restored to their operational status. Post-Incident Activities conclude the process, reviewing and learning from the incident to improve future response efforts.

  References: This structured approach is foundational in the ECIH v3 program, ensuring that incident handlers are prepared to systematically address and manage cybersecurity incidents efficiently.

• Question 149:

  In which of the following phases of the incident handling and response (IHandR) process is the identified security incidents analyzed, validated, categorized, and prioritized?

  A. Incident triage
  B. Incident recording and assignment
  C. Containment
  D. Notification
  A. Incident triage

  ---

  Incident triage is the phase in the Incident Handling and Response (IHandR) process where identified security incidents are analyzed, validated, categorized, and prioritized. This step is crucial for determining the severity of incidents and deciding on the order in which they should be addressed. During triage, incident handlers assess the impact, urgency, and potential harm of an incident to prioritize their response efforts effectively. This ensures that resources are allocated efficiently, and the most critical incidents are handled first. Incident recording and assignment involve logging incidents and assigning them to handlers, containment focuses on limiting the extent of damage, and notification involves informing stakeholders about the incident.

  References: The Incident Handler (ECIH v3) courses and study guides detail the IHandR process, emphasizing the importance of triage in managing and responding to security incidents effectively.

• Question 150:

  Which of the following email security tools can be used by an incident handler to prevent the organization against evolving email threats?

  A. Email Header Analyzer
  B. G Suite Toolbox
  C. MxToolbox
  D. Gpg4win
  C. MxToolbox

  ---

  Explanation

  MxToolbox is an online tool that provides various network diagnostics and email security checks, including looking up DNS and MX records, SPF records, and more. It can be used by incident handlers to prevent the organization against evolving email threats by analyzing domain health, checking blacklists, verifying email delivery issues, and more. While Email Header Analyzer is useful for analyzing specific emails for traces of phishing or spoofing, G Suite Toolbox might be specific to Google's services, and Gpg4win is more focused on email encryption. MxToolbox provides a broader set of functionalities for monitoring and troubleshooting email delivery issues and security threats, making it a versatile tool for incident handlers.

  References: Incident Handler (ECIH v3) courses and study guides often include sections on email security and the tools used to maintain it, among which MxToolbox is commonly recommended for its comprehensive features.