New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

212-89 EC Council Certified Incident Handler (ECIH v3) Questions and Answers

Questions 4

Which of the following is a common tool used to help detect malicious internal or compromised actors?

Options:

A.

User behavior analytics

B.

SOC2 compliance report

C.

Log forward ng

D.

Syslog configuration

Buy Now
Questions 5

Rica works as an incident handler for an international company. As part of her role, she must review the present security policy implemented. Upon inspection, Rica finds that the policy is wide open, and only known dangerous services/attacks or behaviors are blocked. Which of the following is the current policy that Rica identified?

Options:

A.

Prudent policy

B.

Paranoic policy

C.

Permissive policy

D.

Promiscuous policy

Buy Now
Questions 6

Richard is analyzing a corporate network. After an alert in the network’s IPS. he identified that allthe servers are sending huge amounts of traffic to the website abc.xyz. What type of information security attack vectors have affected the network?

Options:

A.

Botnet

B.

Advance persistent three Is

C.

Ransomware

D.

IOT threats

Buy Now
Questions 7

Bran is an incident handler who is assessing the network of the organization. He wants to detect ping sweep attempts on the network using Wireshark. Which of the following Wireshark filters would Bran use to accomplish this task?

Options:

A.

icmp.scq

B.

icmp.lype==8

C.

icmp.ident

D.

icmp.redir_gw

Buy Now
Questions 8

Which of the following GPG18 and Forensic readiness planning (SPF) principles states

that “organizations should adopt a scenario based Forensic Readiness Planning

approach that learns from experience gained within the business”?

Options:

A.

Principle 3

B.

Principle 2

C.

Principle 5

D.

Principle 7

Buy Now
Questions 9

Smith employs various malware detection techniques to thoroughly examine the

network and its systems for suspicious and malicious malware files. Among all

techniques, which one involves analyzing the memory dumps or binary codes for the

traces of malware?

Options:

A.

Live system

B.

Dynamic analysis

C.

Intrusion analysis

D.

Static analysis

Buy Now
Questions 10

Stenley is an incident handler working for Texa Corp. located in the United States. With the growing concern of increasing emails from outside the organization, Stenley was

asked to take appropriate actions to keep the security of the organization intact. In the process of detecting and containing malicious emails, Stenley was asked to check the

validity of the emails received by employees.

Identify the tools he can use to accomplish the given task.

Options:

A.

PointofMail

B.

Email Dossier

C.

PoliteMail

D.

EventLog Analyzer

Buy Now
Questions 11

Marley was asked by his incident handling and response (IH&R) team lead to collect volatile datasuch as system information and network information present in the

registries, cache, and RAM of victim’s system.

Identify the data acquisition method Marley must employ to collect volatile data.

Options:

A.

Validate data acquisition

B.

Static data acquisition

C.

Live data acquisition

D.

Remote data acquisition

Buy Now
Questions 12

John is performing memory dump analysis in order to find out the traces of malware.

He has employed volatility tool in order to achieve his objective.

Which of the following volatility framework commands he will use in order to analyze running process from the memory dump?

Options:

A.

python vol.py svcscan --profile=Win2008SP1x86 –f /root/Desktop/memdump.mem | more

B.

python vol.py pslist --profile=Win2008SP1x86 –f /root/Desktop/memdump.mem

C.

python vol.py hivelist --profile=Win2008SP1x86 –f /root/Desktop/memdump.mem

D.

python vol.py imageinfo -f /root/Desktop/memdump.mem

Buy Now
Questions 13

Which of the following is not a countermeasure to eradicate cloud security incidents?

Options:

A.

Patch the database vulnerabilities and improve the isolation mechanism

B.

Remove the malware files and traces from the affected components

C.

Check for data protection at both design and runtime

D.

Disable security options such as two factor authentication and CAPTCHA

Buy Now
Questions 14

Tibson works as an incident responder for MNC based in Singapore. He is investigating

a web application security incident recently faced by the company. The attack is

performed on a MS SQL Server hosted by the company. In the detection and analysis

phase, he used regular expressions to analyze and detect SQL meta-characters that led

to SQL injection attack.

Identify the regular expression used by Tibson to detect SQL injection attack on MS

SQL Server.

Options:

A.

/exec(\s|\+)+(s|x)p\w+/ix

B.

((\.\.\\)|(\.\.\/))

C.

((\.|%2E)(\.|%2E)(\/|%2F|\\|%5C))

D.

((\%3C)|<)((\%2F)|\/)*(script)((\%3E)|>)

Buy Now
Questions 15

Clark, a professional hacker, exploited the web application of a target organization by

tampering the form and parameter values. He successfully exploited the web

application and gained access to the information assets of the organization.

Identify the vulnerability in the web application exploited by the attacker.

Options:

A.

Broken access control

B.

Security misconfiguration

C.

SQL injection

D.

Sensitive data exposure

Buy Now
Questions 16

Employee monitoring tools are mostly used by employers to find which of the following?

Options:

A.

Lost registry keys

B.

Conspiracies

C.

Malicious insider threats

D.

Stolen credentials

Buy Now
Questions 17

Miko was hired as an incident handler in XYZ company. His first task was to identify the PING sweep attempts inside the network. For this purpose, he used Wireshark to analyze the traffic. Whatfilter did he use to identify ICMP ping sweep attempts?

Options:

A.

tcp.typc == icmp

B.

icrrip.lype == icmp

C.

icmp.type == 8 or icmp.type ==0

D.

udp.lype — 7

Buy Now
Questions 18

Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack occurred in the client company. He acquired the evidence data, preserved it, and started

performing analysis on acquired evidentiary data to identify the source of the crime and the culprit behind the incident.

Identify the forensic investigation phase in which Bob is currently in.

Options:

A.

Vulnerability assessment phase

B.

Post-investigation phase

C.

Pre-investigation phase

D.

Investigation phas

Buy Now
Questions 19

BadGuy Bob hid files in the slack space, changed the file headers, hid suspicious files in executables, and changed the metadata for all types of files on his hacker laptop. What has he committed?

Options:

A.

Anti-forensics

B.

Adversarial mechanics

C.

Felony

D.

Legal hostility

Buy Now
Questions 20

Which of the following email security tools can be used by an incident handler to

prevent the organization against evolving email threats?

Options:

A.

Email Header Analyzer

B.

G Suite Toolbox

C.

MxToolbox

D.

Gpg4win

Buy Now
Questions 21

Which of the following has been used to evade IDS and IPS?

Options:

A.

Fragmentation

B.

TNP

C.

HTTP

D.

SNMP

Buy Now
Questions 22

Which of the following is the ECIH phase that involves removing or eliminating the root cause of an incident and closing all attack vectors to prevent similar incidents in the future?

Options:

A.

Recovery

B.

Containment

C.

Eradication

D.

Vulnerability management phase

Buy Now
Questions 23

Bran is an incident handler who is assessing the network of the organization. In the

process, he wants to detect ping sweep attempts on the network using Wireshark tool.

Which of the following Wireshark filter he must use to accomplish this task?

Options:

A.

icmp.seq

B.

icmp.redir_gw

C.

icmp.type==8

D.

icmp.ident

Buy Now
Questions 24

Eric works as a system administrator at ABC organization and previously granted several users with access privileges to the organizations systems with unlimited permissions. These privileged users could prospectively misuse their rights unintentionally, maliciously, or could be deceived by attackers that could trick them to perform malicious activities. Which of the following guidelines would help incident handlers eradicate insider attacks by privileged users?

Options:

A.

Do not allow administrators to use unique accounts during the installation process

B.

Do not enable default administrative accounts to ensure accountability

C.

Do not control the access to administrator ano privileged users

D.

Do not use encryption methods to prevent, administrators and privileged users from accessing backup tapes and sensitive information

Buy Now
Questions 25

Which of the following is a standard framework that provides recommendations for implementing information security controls for organizations that initiate, implement, or maintain information security management systems (ISMSs)?

Options:

A.

ISO/IEC 27002

B.

ISO/IEC 27035

C.

PCI DSS

D.

RFC 219G

Buy Now
Questions 26

Which of the following is not called volatile data?

Options:

A.

Open sockets er open ports

B.

The dale a no Lime of the system

C.

Creation dates of files

D.

State of the network interface

Buy Now
Questions 27

QualTech Solutions is a leading security services enterprise. Dickson, who works as an incident responder with this firm, is performing a vulnerability assessment to identify the security problems in the network by using automated tools for identifying the hosts, services, and vulnerabilities in the enterprise network. In the above scenario, which of the following types of vulnerability assessment is Dickson performing?

Options:

A.

Active assessment

B.

External assessment

C.

Internal assessment

D.

Passive assessment

Buy Now
Questions 28

Which of the following details are included in the evidence bags?

Options:

A.

Error messages that contain sensitive information and files containing passworos

B.

Software version information and web application source code

C.

Sensitive cirectories, personal, and organizational email adcress

D.

Date and time of seizure, exhibit number, anc name of incident responder

Buy Now
Questions 29

During the process of detecting and containing malicious emails, incident responders

should examine the originating IP address of the emails.

The steps to examine the originating IP address are as follow:

1. Search for the IP in the WHOIS database

2. Open the email to trace and find its header

3. Collect the IP address of the sender from the header of the received mail

4. Look for the geographic address of the sender in the WHOIS database

Identify the correct sequence of steps to be performed by the incident responders to

examine originating IP address of the emails.

Options:

A.

4-->1-->2-->3

B.

2-->1-->4-->3

C.

1-->3-->2-->4

D.

2-->3-->1-->4

Buy Now
Questions 30

Which of the following terms refers to an organization’s ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs?

Options:

A.

Threat assessment

B.

Data analysis

C.

Risk assessment

D.

Forensic readiness

Buy Now
Questions 31

During the vulnerability assessment phase, the incident responders perform various

steps as below:

1. Run vulnerability scans using tools

2. Identify and prioritize vulnerabilities

3. Examine and evaluate physical security

4. Perform OSINT information gathering to validate the vulnerabilities

5. Apply business and technology context to scanner results

6. Check for misconfigurations and human errors

7. Create a vulnerability scan report

Identify the correct sequence of vulnerability assessment steps performed by the

incident responders.

Options:

A.

3-->6-->1-->2-->5-->4-->7

B.

1-->3-->2-->4-->5-->6-->7

C.

4-->1-->2-->3-->6-->5-->7

D.

2-->1-->4-->7-->5-->6-->3

Buy Now
Questions 32

Identify Sarbanes–Oxley Act (SOX) Title, which consists of only one section, that includes measures designed to help restore investor confidence in the reporting of

securities analysts.

Options:

A.

Title VIII: Corporate and Criminal Fraud Accountability

B.

Title V: Analyst Conflicts of Interest

C.

Title VII: Studies and Reports

D.

Title IX: White-Collar-Crime Penalty Enhancement

Buy Now
Questions 33

Which of the following terms refers to vulnerable account management functions, including account update, recovery of forgotten or lost passwords, and password reset, that might weaken valid authentication schemes?

Options:

A.

SQL injection

B.

Broken account management

C.

Directory traversal

D.

Cross-site scripting

Buy Now
Questions 34

Matt is an incident handler working for one of the largest social network companies, which was affected by malware. According to the company’s reporting timeframe guidelines, a malware incident should be reported within 1 h of discovery/detection after its spread across the company. Which category does this incident belong to?

Options:

A.

CAT 1

B.

CAT 4

C.

CAT 2

D.

CAT 3

Buy Now
Questions 35

Robert is an incident handler working for Xsecurity Inc. One day, his organization

faced a massive cyberattack and all the websites related to the organization went

offline. Robert was on duty during the incident and he was responsible to handle the

incident and maintain business continuity. He immediately restored the web application

service with the help of the existing backups.

According to the scenario, which of the following stages of incident handling and

response (IH&R) process does Robert performed?

Options:

A.

Evidence gathering and forensics analysis

B.

Eradication

C.

Notification

D.

Recovery

Buy Now
Questions 36

James is a professional hacker and is employed by an organization to exploit their cloud services. In order to achieve this, James created anonymous access to the cloud services to carry out various attacks such as password and key cracking, hosting malicious data, and DDoS attacks. Which of the following threats is he posing to the cloud platform?

Options:

A.

Insecure interface and APIs

B.

Data breach/loss

C.

Insufficient duo diligence

D.

Abuse end nefarious use of cloud services

Buy Now
Questions 37

Which of the following is a type of malicious code or software that appears legitimate but can take control of your computer?

Options:

A.

Phishing attack

B.

DDoS

C.

Trojan attack

D.

Password attack

Buy Now
Questions 38

An insider threat response plan helps an organization minimize the damage caused by malicious insiders. One of the approaches to mitigate these threats is setting up controls from the human resources department. Which of the following guidelines can the human resources department use?

Options:

A.

Access granted to users should be documented and vetted by a supervisor.

B.

Disable the default administrative account to ensure accountability.

C.

Implement a person-to-person rule to secure the backup process and physical media.

D.

Monitor and secure the organization's physical environment.

Buy Now
Questions 39

Attackers or insiders create a backdoor into a trusted network by installing an unsecured access point inside a firewall. They then use any software or hardware access point to perform an attack. Which of the following is this type of attack?

Options:

A.

Rogue- access point attack

B.

Password-based attack

C.

Malware attack

D.

Email infection

Buy Now
Questions 40

Darwin is an attacker residing within the organization and is performing network

sniffing by running his system in promiscuous mode. He is capturing and viewing all

the network packets transmitted within the organization. Edwin is an incident handler

in the same organization.

In the above situation, which of the following Nmap commands Edwin must use to

detect Darwin’s system that is running in promiscuous mode?

Options:

A.

nmap -sV -T4 -O -F –version-light

B.

nmap –sU –p 500

C.

nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]

D.

nmap --script hostmap

Buy Now
Questions 41

Dash wants to perform a DoS attack over 256 target URLs simultaneously.

Which of the following tools can Dash employ to achieve his objective?

Options:

A.

HOIC

B.

IDAPro

C.

Ollydbg

D.

OpenVAS

Buy Now
Questions 42

Clark is investigating a cybercrime at TechSoft Solutions. While investigating the case,

he needs to collect volatile information such as running services, their process IDs,

startmode, state, and status.

Which of the following commands will help Clark to collect such information from

running services?

Options:

A.

Openfiles

B.

netstat –ab

C.

wmic

D.

net file

Buy Now
Questions 43

Which stage of the incident response and handling process involves auditing the system and network log files?

Options:

A.

Containment

B.

Incident triage

C.

Incident disclosure

D.

Incident eradication

Buy Now
Questions 44

In which of the following confidentiality attacks attackers try to lure users by posing themselves as authorized AP by beaconing the WLAN's SSID?

Options:

A.

Evil twin AP

B.

Session hijacking

C.

Honeypot AP

D.

Masqueradin

Buy Now
Questions 45

Alexis is working as an incident responder in XYZ organization. She was asked to identify and attribute the actors behind an attack that took place recently. In order to do so, she is performing threat attribution that deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target. Which of the following types of threat attributions Alexis performed?

Options:

A.

Nation-state attribution

B.

Intrusion-set attribution

C.

True attribution

D.

Campaign attributio

Buy Now
Questions 46

If the browser does not expire the session when the user fails to logout properly, which of the following OWASP Top 10 web vulnerabilities is caused?

Options:

A.

A7: Cross-site scripting

B.

A3: Sensitive- data exposure

C.

A2: Broken authentication

D.

A5: Broken access control

Buy Now
Questions 47

John, a professional hacker, is attacking an organization, where he is trying to destroy the connectivity between an AP and client to make the target unavailable to other

wireless devices.

Which of the following attacks is John performing in this case?

Options:

A.

Routing attack

B.

EAP failure

C.

Disassociation attack

D.

Denial-of-service

Buy Now
Questions 48

Sam received an alert through an email monitoring tool indicating that their company was targeted by a phishing attack. After analyzing the incident, Sam identified that most of the targets of the attack are high-profile executives of the company. What type of phishing attack is this?

Options:

A.

Pharming

B.

Whaling

C.

Puddle phishing

D.

Spear phishing

Buy Now
Questions 49

Which of the following is a term that describes the combination of strategies and services intended to restore data, applications, and other resources to the public cloud or dedicated service providers?

Options:

A.

Mitigation

B.

Analysis

C.

Eradication

D.

Cloud recovery

Buy Now
Questions 50

Ross is an incident manager (IM) at an organization, and his team provides support to all users in the organization who are affected by threats or attacks. David, who is the organization's internal auditor, is also part of Ross's incident response team. Which of the following is David's responsibility?

Options:

A.

Configure information security controls.

B.

Identify and report security loopholes to the management for necessary action.

C.

Coordinate incicent containment activities with the information security officer (ISO).

D.

Perform the- necessary action to block the network traffic from the suspectoc intruder.

Buy Now
Exam Code: 212-89
Exam Name: EC Council Certified Incident Handler (ECIH v3)
Last Update: Dec 26, 2024
Questions: 168
212-89 pdf

212-89 PDF

$25.5  $84.99
212-89 Engine

212-89 Testing Engine

$30  $99.99
212-89 PDF + Engine

212-89 PDF + Testing Engine

$40.5  $134.99