New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

ECCouncil 212-89 EC Council Certified Incident Handler (ECIH v3) Exam Practice Test

Demo: 50 questions
Total 168 questions

EC Council Certified Incident Handler (ECIH v3) Questions and Answers

Question 1

Your company sells SaaS, and your company itself is hosted in the cloud (using it as a PaaS). In case of a malware incident in your customer's database, who is responsible for eradicating the malicious software?

Options:

A.

Your company

B.

Building management

C.

The PaaS provider

D.

The customer

Question 2

An incident handler is analyzing email headers to find out suspicious emails.

Which of the following tools he/she must use in order to accomplish the task?

Options:

A.

Barracuda Email Security Gateway

B.

Gophish

C.

SPAMfighter

Question 3

Which of the following is an attack that occurs when a malicious program causes a user’s browser to perform an unwanted action on a trusted site for which the user is currently authenticated?

Options:

A.

Cross-site scripting

B.

Insecure direct object references

C.

Cross-site request forgery

D.

SQL injection

Question 4

Smith employs various malware detection techniques to thoroughly examine the

network and its systems for suspicious and malicious malware files. Among all

techniques, which one involves analyzing the memory dumps or binary codes for the

traces of malware?

Options:

A.

Live system

B.

Dynamic analysis

C.

Intrusion analysis

D.

Static analysis

Question 5

John is a professional hacker who is performing an attack on the target organization where he tries to redirect the connection between the IP address and its target server such that when the users type in the Internet address, it redirects them to a rogue website that resembles the original website. He tries this attack using cache poisoning technique. Identify the type of attack John is performing on the target organization.

Options:

A.

War driving

B.

Pharming

C.

Skimming

D.

Pretexting

Question 6

You are talking to a colleague who Is deciding what information they should include in their organization’s logs to help with security auditing. Which of the following items should you tell them to NOT log?

Options:

A.

Timestamp

B.

Session ID

C.

Source IP eddross

D.

userid

Question 7

Your company holds a large amount of customer PH. and you want to protect those data from theft or unauthorized modification. Among other actions, you classify and encrypt the data. In this process, which of the following OWASP security risks are you guarding against?

Options:

A.

Insecure deserialization

B.

Security misconfiguration

C.

Broken authentication

D.

Sensitive data exposure

Question 8

Ikeo Corp, hired an incident response team to assess the enterprise security. As part of the incident handling and response process, the IR team is reviewing the current security policies implemented by the enterprise. The IR team finds that employees of the organization do not have any restrictions on Internet access: they are allowed to visit any site, download any application, and access a computer or network from a remote location. Considering this as the main security threat, the IR team plans to change this policy as it can be easily exploited by attackers. Which of the following security policies is the IR team planning to modify?

Options:

A.

Paranoic policy

B.

Prudent policy

C.

Promiscuous policy

D.

Permissive policy

Question 9

Which of the following is NOT a network forensic tool?

Options:

A.

Capsa Network Analyzer

B.

Tcpdurnp

C.

Advancec NTFS Journaling Parser

D.

Wireshark

Question 10

Which of the following details are included in the evidence bags?

Options:

A.

Error messages that contain sensitive information and files containing passworos

B.

Software version information and web application source code

C.

Sensitive cirectories, personal, and organizational email adcress

D.

Date and time of seizure, exhibit number, anc name of incident responder

Question 11

Marley was asked by his incident handling and response (IH&R) team lead to collect volatile datasuch as system information and network information present in the

registries, cache, and RAM of victim’s system.

Identify the data acquisition method Marley must employ to collect volatile data.

Options:

A.

Validate data acquisition

B.

Static data acquisition

C.

Live data acquisition

D.

Remote data acquisition

Question 12

A malicious, security-breaking program is disguised as a useful program. Such executable programs, which are installed when a file is opened, allow others to control a user's system. What is this type of program called?

Options:

A.

Trojan

B.

Worm

C.

Virus

D.

Spyware

Question 13

What is the most recent NIST standard for incident response?

Options:

A.

800-61r2

B.

800-61r3

C.

800-53r3

D.

800-171r2

Question 14

Otis is an incident handler working in an organization called Delmont. Recently, the organization faced several setbacks in business, whereby its revenues are decreasing. Otis was asked to take charge and look into the matter. While auditing the enterprise security, he found traces of an attack through which proprietary information was stolen from the enterprise network and passed onto their competitors. Which of the following information security incidents did Delmont face?

Options:

A.

Network and resource abuses

B.

Espionage

C.

Email-based abuse

D.

Unauthorized access

Question 15

Which of the following is a technique used by attackers to make a message difficult to understand through the use of ambiguous language?

Options:

A.

Steganography

B.

Spoofing

C.

Encryption

D.

Obfuscation

Question 16

Which of the following is not a best practice to eliminate the possibility of insider attacks?

Options:

A.

Disable the users from installing unauthorized software or accessing malicious websites using the corporate network

B.

Monitor employee behaviors and the computer systems used by employees

C.

Implement secure backup and disaster recovery processes for business continuity

D.

Always leave business details over voicemail or email broadcast message

Question 17

Ren is assigned to handle a security incident of an organization. He is tasked with forensics investigation to find the evidence needed by the management. Which of the following steps falls under the investigation phase of the computer forensics investigation process?

Options:

A.

Secure the evidence

B.

Risk assessment

C.

Setup a computer forensics lab

D.

Evidence assessment

Question 18

Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To acccomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources (processor cache) to steal data (cryptographic key/plain text secrets) from the victim machine. Identify the type of attack Alice is performing in the above scenario.

Options:

A.

Side channel attack

B.

Service hijacking

C.

SQL injection attack

D.

Man-in-the-cloud attack

Question 19

Patrick is doing a cyber forensic investigation. He is in the process of collecting physical

evidence at the crime scene.

Which of the following elements he must consider while collecting physical evidence?

Options:

A.

Open ports, services, and operating system (OS) vulnerabilities

B.

DNS information including domain and subdomains

C.

Published name servers and web application source code

D.

Removable media, cable, and publications

Question 20

Mr. Smith is a lead incident responder of a small financial enterprise having few

branches in Australia. Recently, the company suffered a massive attack losing USD 5

million through an inter-banking system. After in-depth investigation on the case, it was

found out that the incident occurred because 6 months ago the attackers penetrated the

network through a minor vulnerability and maintained the access without any user

being aware of it. Then, he tried to delete users’ fingerprints and performed a lateral

movement to the computer of a person with privileges in the inter-banking system.

Finally, the attacker gained access and did fraudulent transactions.

Based on the above scenario, identify the most accurate kind of attack.

Options:

A.

Ransomware attack

B.

Denial-of-service attack

C.

APT attack

D.

Phishing

Question 21

Chandler is a professional hacker who is targeting Technote organization. He wants to obtain important organizational information that is being transmitted between

different hierarchies. In the process, he is sniffing the data packets transmitted through the network and then analyzing them to gather packet details such as network, ports,

protocols, devices, issues in network transmission, and other network specifications. Which of the following tools Chandler must employ to perform packet analysis?

Options:

A.

BeEf

B.

IDAPro

C.

Omnipeek

D.

shARP

Question 22

Robert is an incident handler working for Xsecurity Inc. One day, his organization

faced a massive cyberattack and all the websites related to the organization went

offline. Robert was on duty during the incident and he was responsible to handle the

incident and maintain business continuity. He immediately restored the web application

service with the help of the existing backups.

According to the scenario, which of the following stages of incident handling and

response (IH&R) process does Robert performed?

Options:

A.

Evidence gathering and forensics analysis

B.

Eradication

C.

Notification

D.

Recovery

Question 23

Bran is an incident handler who is assessing the network of the organization. In the

process, he wants to detect ping sweep attempts on the network using Wireshark tool.

Which of the following Wireshark filter he must use to accomplish this task?

Options:

A.

icmp.seq

B.

icmp.redir_gw

C.

icmp.type==8

D.

icmp.ident

Question 24

Eric works as a system administrator in ABC organization. He granted privileged users with unlimited permissions to access the systems. These privileged users can misuse

their rights unintentionally or maliciously or attackers can trick them to perform malicious activities.

Which of the following guidelines helps incident handlers to eradicate insider attacks by privileged users?

Options:

A.

Do not use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information

B.

Do not control the access to administrators and privileged users

C.

Do not enable the default administrative accounts to ensure accountability

D.

Do not allow administrators to use unique accounts during the installation process

Question 25

Raven is a part of an IH&R team and was informed by her manager to handle and lead the removal of the root cause for an incident and to close all attack vectors to prevent similar incidents in the future. Raven notifies the service providers and developers of affected resources. Which of the following steps of the incident handling and response process does Raven need to implement to remove the root cause of the incident?

Options:

A.

Evidence gathering and forensic analysis

B.

Eracicotion

C.

Containment

D.

Incident triage

Question 26

QualTech Solutions is a leading security services enterprise. Dickson works as an incident responder with this firm. He is performing vulnerability assessment to identify

the security problems in the network, using automated tools to identify the hosts, services, and vulnerabilities present in the enterprise network.

Based on the above scenario, identify the type of vulnerability assessment performed by Dickson.

Options:

A.

Internal assessment

B.

Active assessment

C.

Passive assessment

D.

External assessmen

Question 27

Richard is analyzing a corporate network. After an alert in the network’s IPS. he identified that allthe servers are sending huge amounts of traffic to the website abc.xyz. What type of information security attack vectors have affected the network?

Options:

A.

Botnet

B.

Advance persistent three Is

C.

Ransomware

D.

IOT threats

Question 28

Adam is an incident handler who intends to use DBCC LOG command to analyze a database and retrieve the active transaction log files for the specified database. The syntax of DBCC LOG command is DBCC LOG(, ), where the output parameter specifies the level of information an incident handler wants to retrieve. If Adam wants to retrieve the full information on each operation along with the hex dump of a current transaction row, which of the following output parameters should Adam use?

Options:

A.

2

B.

3

C.

4

D.

1

Question 29

Sam. an employee of a multinational company, sends emails to third-party organizations with a spoofed email address of his organization. How can you categorize this type of incident?

Options:

A.

Network intrusion incident

B.

Inappropriate usage incident

C.

Unauthorized access incident.

D.

Denial-of-service incicent

Question 30

Which of the following is a common tool used to help detect malicious internal or compromised actors?

Options:

A.

User behavior analytics

B.

SOC2 compliance report

C.

Log forward ng

D.

Syslog configuration

Question 31

Auser downloaded what appears to be genuine software. Unknown to her, when she installed the application, it executed code that provided an unauthorized remote attacker access to her computer. What type of malicious threat displays this characteristic?

Options:

A.

Backdoor

B.

Trojan

C.

Spyware

D.

Virus

Question 32

Which of the following options describes common characteristics of phishing emails?

Options:

A.

Written in French

B.

Sent from friends or colleagues

C.

Urgency, threatening, or promising subject lines

D.

No BCC fields

Question 33

Ross is an incident manager (IM) at an organization, and his team provides support to all users in the organization who are affected by threats or attacks. David, who is the organization's internal auditor, is also part of Ross's incident response team. Which of the following is David's responsibility?

Options:

A.

Configure information security controls.

B.

Identify and report security loopholes to the management for necessary action.

C.

Coordinate incicent containment activities with the information security officer (ISO).

D.

Perform the- necessary action to block the network traffic from the suspectoc intruder.

Question 34

Matt is an incident handler working for one of the largest social network companies, which was affected by malware. According to the company’s reporting timeframe guidelines, a malware incident should be reported within 1 h of discovery/detection after its spread across the company. Which category does this incident belong to?

Options:

A.

CAT 1

B.

CAT 4

C.

CAT 2

D.

CAT 3

Question 35

John, a professional hacker, is attacking an organization, where he is trying to destroy the connectivity between an AP and client to make the target unavailable to other

wireless devices.

Which of the following attacks is John performing in this case?

Options:

A.

Routing attack

B.

EAP failure

C.

Disassociation attack

D.

Denial-of-service

Question 36

Eric works as a system administrator at ABC organization and previously granted several users with access privileges to the organizations systems with unlimited permissions. These privileged users could prospectively misuse their rights unintentionally, maliciously, or could be deceived by attackers that could trick them to perform malicious activities. Which of the following guidelines would help incident handlers eradicate insider attacks by privileged users?

Options:

A.

Do not allow administrators to use unique accounts during the installation process

B.

Do not enable default administrative accounts to ensure accountability

C.

Do not control the access to administrator ano privileged users

D.

Do not use encryption methods to prevent, administrators and privileged users from accessing backup tapes and sensitive information

Question 37

Adam is an attacker who along with his team launched multiple attacks on target organization for financial benefits. Worried about getting caught, he decided to forge

his identity. To do so, he created a new identity by obtaining information from different victims.

Identify the type of identity theft Adam has performed.

Options:

A.

Medical identity theft

B.

Tax identity theft

C.

Synthetic identity theft

D.

Social identity theft

Question 38

If the browser does not expire the session when the user fails to logout properly, which of the following OWASP Top 10 web vulnerabilities is caused?

Options:

A.

A7: Cross-site scripting

B.

A3: Sensitive- data exposure

C.

A2: Broken authentication

D.

A5: Broken access control

Question 39

Zaimasoft, a prominent IT organization, was attacked by perpetrators who directly targeted the hardware and caused irreversible damage to the hardware. In result, replacing or reinstalling the hardware was the only solution.

Identify the type of denial-of-service attack performed on Zaimasoft.

Options:

A.

ddos

B.

DoS

C.

PDoS

D.

DRDoS

Question 40

Which of the following types of digital evidence is temporarily stored in a digital device that requires constant power supply and is deleted if the power supply is interrupted?

Options:

A.

Slack space

B.

Process memory

C.

Event logs

D.

Swap file

Question 41

Rica works as an incident handler for an international company. As part of her role, she must review the present security policy implemented. Upon inspection, Rica finds that the policy is wide open, and only known dangerous services/attacks or behaviors are blocked. Which of the following is the current policy that Rica identified?

Options:

A.

Prudent policy

B.

Paranoic policy

C.

Permissive policy

D.

Promiscuous policy

Question 42

In which of the following stages of incident handling and response (IH&R) process do

the incident handlers try to find out the root cause of the incident along with the threat

actors behind the incidents, threat vectors, etc.?

Options:

A.

Post-incident activities

B.

Incident triage

C.

Evidence gathering and forensics analysis

D.

Incident recording and assignment

Question 43

Stenley is an incident handler working for Texa Corp. located in the United States. With the growing concern of increasing emails from outside the organization, Stenley was

asked to take appropriate actions to keep the security of the organization intact. In the process of detecting and containing malicious emails, Stenley was asked to check the

validity of the emails received by employees.

Identify the tools he can use to accomplish the given task.

Options:

A.

PointofMail

B.

Email Dossier

C.

PoliteMail

D.

EventLog Analyzer

Question 44

You are a systems administrator for a company. You are accessing your file server remotely for maintenance. Suddenly, you are unable to access the server. After contacting others in your department, you find out that they cannot access the file server either. You can ping the file serverbut not connect to it via RDP. You check the Active Directory Server, and all is well. You check the email server and find that emails are sent and received normally. What is the most likely issue?

Options:

A.

An e-mail service issue

B.

The file server has shut down

C.

A denial-of-service issue

D.

An admin account issue

Question 45

In which of the following types of insider threats an insider who is uneducated on

potential security threats or simply bypasses general security procedures to meet

workplace efficiency?

Options:

A.

Compromised insider

B.

Negligent insider

C.

Professional insider

D.

Malicious insider

Question 46

Joseph is an incident handling and response (IH&R) team lead in Toro Network Solutions Company. As a part of IH&R process, Joseph alerted the service providers,

developers, and manufacturers about the affected resources.

Identify the stage of IH&R process Joseph is currently in.

Options:

A.

Eradication

B.

Containment

C.

Incident triage

D.

Recovery

Question 47

Elizabeth, who works for OBC organization as an incident responder, is assessing the risks to the organizational security. As part of the assessment process, she is calculating the probability of a threat source exploiting an existing system vulnerability. Which of the following risk assessment steps is Elizabeth currently in?

Options:

A.

Vulnerability identification

B.

Impact analysis

C.

Likelihood analysis

D.

System characterization

Question 48

Which of the following is defined as the identification of the boundaries of an IT system along with the resources and information that constitute the system?

Options:

A.

System characterization

B.

Vulnerability identification

C.

Threat ioenLificalion

D.

Control analysis

Question 49

In which of the following phases of the incident handling and response (IH&R) process is the identified security incidents analyzed, validated, categorized, and prioritized?

Options:

A.

Incident triage

B.

Incident recording and assignment

C.

Containment

D.

Notification

Question 50

For analyzing the system, the browser data can be used to access various credentials.

Which of the following tools is used to analyze the history data files in Microsoft Edge browser?

Options:

A.

ChromeHistoryView

B.

BrowsingHistoryView

C.

MZCacheView

D.

MZHistoryView

Demo: 50 questions
Total 168 questions