EC-Council 212-89 Exam Dumps [2022] To Achieve Success In EC-Council Certified Incident Handler Certification

1. Rose is an incident-handler and is responsible for detecting and eliminating any kind of scanning attempts over the network by malicious threat actors. Rose uses Wire shark to sniff the network and detect any malicious activities going on.

Which of the following Wire shark filters can be used by her to detect TCP Xmas scan attempt by the attacker?

2. Elizabeth, working for OBC organization as an incident responder, is assessing the risks facing the organizational security. During the assessment process, she calculates the probability of a threat source exploiting an existing system vulnerability.

Identify the risk assessment step Elizabeth is currently in.

3. Which of the following methods help incident responders to reduce the false-positive alert rates and further provide benefits of focusing on top priority issues, thereby reducing potential risk and corporate liabilities?

4. Computer Forensics is the branch of forensic science in which legal evidence is found in any computer or any digital media device.

Of the following, who is responsible for examining the evidence acquired and separating the useful evidence?

5. An organization named Sam Morison Inc.decided to use cloud-based services to reduce the cost of their maintenance. They first identified various risks and threats associated with cloud service adoption and

migrating critical business data to third-party systems. Hence, the organization decided to deploy cloud-based security tools to prevent upcoming threats.

Which of the following tools would help the organization to secure cloud resources and services?

6. Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification activation, recovery and reconstitution and plan appendices.

What is the main purpose of the reconstitution plan?

7. Except for some common roles, the roles in an IRT are distinct for every organization.

Which among the following is the role played by the Incident Coordinator of an IRT?

8. A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to agency’s reporting timeframe guidelines, this incident should be reported within two (2) HOURS of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.

Which incident category of the US Federal Agency does this incident belong to?

9. When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?

10. Multiple component incidents consist of a combination of two or more attacks in a system.

Which of the following is not a multiple component incident?

11. Shally, an incident handler, is working for a company named Texas Pvt. Ltd. based in Florida. She was asked to work on an incident response plan. As part of the plan, she decided to enhance and improve the security infrastructure of the enterprise. She has incorporated a security strategy that allows security professionals to use several protection layers throughout their information system. Due to multiple layer protection, this security strategy assists in preventing direct attacks against the organization's information system as a break in one layer only leads the attacker to the next layer.

Identify the security strategy Shally has incorporated in the incident response plan.

12. The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/ services that are not required.

Which service listed below, if blocked, can help in preventing Denial of Service attack?

13. Policies are designed to protect the organizational resources on the network by establishing the set rules and procedures.

Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?

14. Identify a standard national process which establishes a set of activities, general tasks and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.

15. Organizations or incident response teams need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. EVIDENCE PROTECTION is also required to meet legal compliance issues.

Which of the following documents helps in protecting evidence from physical or logical damage:

16. Risk is defined as the probability of the occurrence of an incident.

Risk formulation generally begins with the likeliness of an event’s occurrence, the harm it may cause and is usually denoted as Risk = ∑(events)X (Probability of occurrence) X?

17. An attacker uncovered websites a target individual was frequently surfing. The attacker then tested those particular websites to identify possible vulnerabilities. After detecting vulnerabilities within a website, the attacker started injecting malicious script/code into the web application that would redirect the webpage and download the malware on to the victim's machine. After infecting the vulnerable web application, the attacker waited for the victim to access the infected web application.

Identify the type of attack performed by the attacker.

18. A distributed Denial of Service (DDoS) attack is a more common type of DoS Attack, where a single system is targeted by a large number of infected machines over the Internet.

In a DDoS attack, attackers first infect multiple systems which are known as:

19. 1.Which stage of the incident response and handling process involves auditing the system and network logfiles?

20. Which of the following is not a countermeasure to eradicate inappropriate usage incidents?

21. Which among the following CERTs is an Internet provider to higher education institutions and various other research institutions in the Netherlands and deals with all cases related to computer security incidents in which a customer is involved either as a victim or as a suspect?

22. Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To accomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources(processor cache) to steal data (cryptographic key/plaintext secrets) from the victim machine.

Identify the type of attack Alice is performing in the above scenario.

23. Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault tolerant systems, as well as a solid backup and recovery strategy.

Identify the plan which is mandatory part of a business continuity plan?

24. An audit trail policy collects all audit trails such as series of records of computer events, about an operating system, application or user activities.

Which of the following statements is NOT true for an audit trail policy:

25. Michael is an incident handler at CyberTech Solutions. He is performing detection and analysis of a cloud

security incident. He is also analyzing the filesystems, slack spaces, and metadata within the storage units to find hidden malware and evidence of malice.

Identify the cloud security incident handled by Michael:

26. The goal of incident response is to handle the incident in a way that minimizes damage and reduces recovery time and cost.

Which of the following does NOT constitute a goal of incident response?

27. A threat source does not present a risk if NO vulnerability that can be exercised for a particular threat source.

Identify the step in which different threat sources are defined:

28. An organization faced an information security incident where a disgruntled employee passed sensitive access control information to a competitor. The organization’s incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness.

How would you categorize such information security incident?

29. Identify the malicious program that is masked as a genuine harmless program and gives the attacker unrestricted access to the user’s information and system. These programs may unleash dangerous programs that may erase the unsuspecting user’s disk and send the victim’s credit card numbers and passwords to a stranger.

30. The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:

31. Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness or unexplained absenteeism.

Select the technique that helps in detecting insider threats:

32. The flow chart gives a view of different roles played by the different personnel of CSIRT.





Identify the incident response personnel denoted by A, B, C, D, E, F and G.

33. Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs?

34. In which of the steps of NIST’s risk assessment methodology are the boundary of the IT system, along with the resources and the information that constitute the system identified?

35. In the Control Analysis stage of the NIST’s risk assessment methodology, technical and none technical control methods are classified into two categories.

What are these two control categories?

36. One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure.

According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?

37. Which one of the following is the correct sequence of flow of the stages in an incident response:

38. Computer forensics is methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and or digital media that can be presented in a course of law in a coherent and meaningful format.

Which one of the following is an appropriate flow of steps in the computer forensics process?

39. The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigations of the incident.

Identify the stage of the incident response and handling process in which complete backup of the infected system is carried out?

40. Identify the network security incident where intended authorized users are prevented from using system, network, or applications by flooding the network with high volume of traffic that consumes all existing network resources.

41. Incident handling and response steps help you to detect, identify, respond and manage an incident.

Which of the following steps focus on limiting the scope and extent of an incident?

42. Which of the following information security personnel handles incidents from management and technical point of view?

43. A computer Risk Policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is NOT part of the computer risk policy?

44. John is performing a memory dump analysis in order to find traces of malware. He has employed Volatility tool in order to achieve his objective.

Which of the following volatility framework command she will use in order to analyze the running process

from the memory dump?

45. An incident is analyzed for its nature, intensity and its effects on the network and systems.

Which stage of the incident response and handling process involves auditing the system and network log files?

46. Which of the following GPG 18 and Forensic readiness planning(SPF) principles states that “organizations should adopt a scenario based Forensic Readiness Planning approach that learns from experience gained within the business"?

47. Which of the following terms may be defined as “a measure of possible inability to achieve a goal, objective, or target within a defined security, cost plan and technical limitations that adversely affects the organization’s operation and revenues?

48. James is working as an incident responder at Cyber Sol Inc. The management instructed James to investigate a cybersecurity incident that recently happened in the company. As a part of the investigation process, James started collecting volatile information from a system running on Windows operating system.

Which of the following commands helps James in determining all the executable files for running processes?

49. Which policy recommends controls for securing and tracking organizational resources:

50. An incident recovery plan is a statement of actions that should be taken before, during or after an incident.

Identify which of the following is NOT an objective of the incident recovery plan?

51. Quantitative risk is the numerical determination of the probability of an adverse event and the extent of the losses due to the event. Quantitative risk is calculated as:

52. Which of the following incident recovery testing methods works by creating a mock disaster, like fire to identify the reaction of the procedures that are implemented to handle such situations?

53. US-CERT and Federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization.

What is the timeframe required to report an incident under the CAT 4 Federal Agency category?

54. Which of the following is an appropriate flow of the incident recovery steps?

55. Identify the Sarbanes-Oxley Act (SOX) Title, which consists of only one section, that includes measures designed to help restore investor confidence in the reporting of securities analysts.

56. Risk management consists of three processes, risk assessment, mitigation and evaluation. Risk assessment determines the extent of the potential threat and the risk associated with an IT system through its SDLC.

How many primary steps does NIST’s risk assessment methodology involve?

57. A computer virus hoax is a message warning the recipient of non-existent computer virus. The message is usually a chain e-mail that tells the recipient to forward it to every one they know.

Which of the following is NOT a symptom of virus hoax message?

58. Alexis is working as an incident responder in XYZ organization. She was asked to identify and attribute the actors behind an attack that took place recently. In order to do so, she is performing threat attribution that deals with the identification of the specific person, society, or country sponsoring a well-planned and executed intrusion or attack on its target.

Which of the following types of threat attributions has Alexis performed?

59. Joseph is an incident handling and response(IH&R) team lead in Toro Network Solutions Company. As a part of the IH&R process, Joseph alerted the service providers, developers, and manufacturers about the affected resources.

Identify the stage of IH&R process Joseph is currently in.

60. In a qualitative risk analysis, risk is calculated in terms of: