EC-COUNCIL 212-89 Online Practice Questions and Exam Preparation

EC-COUNCIL 212-89 Online Questions & Answers

• Question 161:

  A Host is infected by worms that propagates through a vulnerable service; the sign(s) of the presence of the worm include:

  A. Decrease in network usage
  B. Established connection attempts targeted at the vulnerable services
  C. System becomes instable or crashes
  D. All the above
  C. System becomes instable or crashes

  ---

  Explanation

• Question 162:

  Which of the following is an attack that occurs when a malicious program causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated?

  A. Cross-site scripting
  B. Insecure direct object references
  C. Cross-site request forgery
  D. SQL injection
  C. Cross-site request forgery

  ---

  Cross-site request forgery (CSRF or XSRF) is an attack that tricks the victim's browser into executing unauthorized actions on a website where they are currently authenticated. In this scenario, the attacker exploits the trust that a site has in the user's browser, effectively forcing the browser to perform actions without the user's knowledge or consent. For example, if the user is logged into their bank's website, an attacker could craft a malicious request to transfer funds without the user's direct interaction. CSRF attacks rely on authenticated sessions and typically target state-changing requests to compromise user or application data.

  References: The Certified Incident Handler (ECIH v3) curriculum by EC-Council discusses various web-based attacks, including CSRF, detailing their mechanisms, implications, and preventive measures to safeguard against such threats.

• Question 163:

  Shiela is working at night as an incident handler. During a shift, servers were affected by a massive cyberattack. After she classified and prioritized the incident, she must report the incident, obtain necessary permissions, and perform other incident response functions. What list should she check to notify other responsible personnel?

  A. HR log book
  B. Point of contact
  C. Email list
  D. Phone number list
  B. Point of contact

  ---

  In the context of incident handling, the "point of contact" list is essential for ensuring that Sheila, the incident handler working at night, can quickly notify the responsible personnel within the organization about the cyberattack. This list typically includes the contact information of key stakeholders and decision-makers who need to be informed about security incidents, allowing for timely communication, decision-making, and response coordination.

  References: Incident Handler (ECIH v3) courses and study guides stress the importance of having a well- maintained point of contact list as part of an organization's incident response plan to facilitate efficient and effective communication during and after cybersecurity incidents.

• Question 164:

  Which of the following is the ECIH phase that involves removing or eliminating the root cause of an incident and closing all attack vectors to prevent similar incidents in the future?

  A. Recovery
  B. Containment
  C. Eradication
  D. Vulnerability management phase
  C. Eradication

  ---

  Eradication is the phase in the incident response process where the root cause of an incident is removed or eliminated, and all attack vectors are closed to prevent similar incidents in the future. This step follows the containment phase, where the immediate threat is isolated to prevent further damage, and precedes the recovery phase, where normal operations are restored. Eradication involves thoroughly removing malware, unauthorized access mechanisms, or any other elements used in the attack, and securing any vulnerabilities that were exploited. The goal is to ensure that the threat cannot re-emerge and that the systems are secure before they are returned to operational status.

  References: The EC-Council's Incident Handler (ECIH v3) certification guide outlines the incident response process, including the specific tasks involved in the eradication phase, to ensure that incident handlers are prepared to effectively remove threats from an organization's environment.

• Question 165:

  Which of the following information security personnel handles incidents from management and technical point of view?

  A. Network administrators
  B. Incident manager (IM)
  C. Threat researchers
  D. Forensic investigators
  B. Incident manager (IM)

  ---

  In the context of information security, the Incident Manager (IM) plays a crucial role in handling incidents from both a management and technical perspective. The Incident Manager is responsible for overseeing the entire incident response process, coordinating with relevant stakeholders, ensuring that incidents are analyzed, contained, and eradicated efficiently, and that recovery processes are initiated promptly. They are pivotal in ensuring communication flows smoothly between technical teams and upper management and that all actions taken are aligned with the organization's broader security policies and objectives. Unlike network administrators, threat researchers, or forensic investigators who may play more specialized roles within the incident response process, the Incident Manager has a broad oversight role that encompasses both technical and managerial aspects to ensure a comprehensive and coordinated response to security incidents.

  References: Incident Handler (ECIH v3) courses and study guides emphasize the role of the Incident Manager as integral to the incident handling process, underscoring their importance in bridging the gap between technical response actions and strategic management decisions.

• Question 166:

  Tibson works as an incident responder for MNC based in Singapore. He is investigating a web application security incident recently faced by the company. The attack is performed on a MS SQL Server hosted by the company. In the detection and analysis phase, he used regular expressions to analyze and detect SQL meta-characters that led to SQL injection attack. Identify the regular expression used by Tibson to detect SQL injection attack on MS SQL Server.

  A. /exec(\s|\+)+(s|x)p\w+/ix
  B. ((\.\.\\)|(\.\.\/))
  C. ((\.|%2E)(\.|%2E)(\/|%2F|\\|%5C))
  D. ((\%3C)|)
  A. /exec(\s|\+)+(s|x)p\w+/ix

  ---

  The regular expression /exec(\s|\+)+(s|x)p\w+/ix is designed to match patterns that resemble SQL injection attempts, specifically targeting MS SQL Server. This expression looks for the use of the exec command followed by one or more spaces or plus signs, and then patterns that start with sp xp or , which are prefixes commonly used in SQL Server stored procedures and extended stored procedures. These are often targeted in SQL injection attacks to execute malicious SQL statements. The regular expression provided is a tool used by incident responders like Tibson to identify and analyze potential SQL injection attempts by looking for suspicious patterns in SQL queries.

• Question 167:

  Dan is a newly appointed information security professional in a renowned organization. He is supposed to follow multiple security strategies to eradicate malware incidents. Which of the following is not considered as a good practice for maintaining information security and eradicating malware incidents?

  A. Do not download or execute applications from third-party sources
  B. Do not click on web browser pop-up windows
  C. Do not open files with file extensions such as .bat, .com, ,exe, .pif, .vbs, and so on
  D. Do not download or execute applications from trusted sources
  D. Do not download or execute applications from trusted sources

  ---

  The statement "Do not download or execute applications from trusted sources" is incorrect and not considered a good practice for maintaining information security and eradicating malware incidents. In contrast, downloading or executing applications from trusted sources is a fundamental security best practice. Trusted sources are vetted and are generally considered safe for downloading software, updates, and applications. This practice helps to minimize the risk of introducing malware into the organizational environment. The other options (A, B, C) represent good practices that help in reducing the likelihood of malware infections by avoiding potentially harmful actions.

  References: The ECIH v3 materials from EC-Council provide guidance on best practices for malware prevention and response, underscoring the importance of relying on trusted sources for software and application downloads as part of a robust information security strategy.

• Question 168:

  Sam received an alert through an email monitoring tool indicating that their company was targeted by a phishing attack. After analyzing the incident, Sam identified that most of the targets of the attack are high- profile executives of the company. What type of phishing attack is this?

  A. Pharming
  B. Whaling
  C. Puddle phishing
  D. Spear phishing
  B. Whaling

  ---

  Whaling is a specific type of phishing attack that targets high-profile executives or individuals within an organization, often with the intent to steal sensitive information or gain access to their accounts for financial fraud. The term "whaling" is used because it targets the "big fish" of an organization. Given that Sam identified the targets of the attack as high-profile executives, the described scenario is indicative of a whaling attack.

  References: The ECIH v3 curriculum includes a section on different types of phishing attacks, including whaling, emphasizing the strategies attackers use to target individuals based on their roles within an organization.

• Question 169:

  Rose is an incident-handling person and she is responsible for detecting and eliminating any kind of scanning attempts over the network by any malicious threat actors. Rose uses Wireshark tool to sniff the network and detect any malicious activities going on. Which of the following Wireshark filters can be used by her to detect TCP Xmas scan attempt by the attacker?

  A. tcp.dstport==7
  B. tcp.flags==0X000
  C. tcp.flags.reset==1
  D. tcp.flags==0X029
  D. tcp.flags==0X029

  ---

  A TCP Xmas scan is a type of network scanning technique used by attackers to identify open ports on a target machine. The name "Xmas" comes from the set of flags that are turned on within the packet, making it 'lit up like a Christmas tree'. Specifically, the FIN, PSH, and URG flags are set, which corresponds to the hexadecimal value 0X029 in the TCP header's flags field. Wireshark, a popular network protocol analyzer, allows users to create custom filters to detect specific types of network traffic, including malicious scanning attempts. By using the filter tcp.flags==0X029 , Rose can detect packets that have these specific flags set, indicating a potential TCP Xmas scan attempt.

  References: The technique of using Wireshark to detect specific types of scans, including the TCP Xmas scan, is covered in cybersecurity training materials and documentation related to network analysis and incident handling, such as those associated with the ECIH certification.

• Question 170:

  A payroll system has a vulnerability that cannot be exploited by current technology. Which of the following is correct about this scenario:

  A. The risk must be urgently mitigated
  B. The risk must be transferred immediately
  C. The risk is not present at this time
  D. The risk is accepted
  C. The risk is not present at this time

  ---

  Explanation