Examen de incidentes certificados por EC-Convil (ECIH) Examen 212-89 Guía de estudio para el aprendizaje

Posted by: Martina Comments: 0 Post Date: junio 7, 2022

Martina2022-06-07T08:18:41+00:00

El examen 212-89 es para la certificación de incidentes certificados por EC-Convil (ECIH) para proporcionar a los profesionales una mayor aceptación de la industria como manejador de incidentes experimentado. La Guía de estudio de EC-Concil 212-89 es excelente para aprender a practicar todas las preguntas y respuestas del examen 212-89 antes de asistir al examen de incidentes certificados por EC-Council (ECIH) 212-89. La guía de estudio 212-89 apropiada de Realexam.es es un estudio de estudio en línea extremadamente efectivo. Debe obtener las preguntas y respuestas del examen EC-Council 212-89 si necesita obtener una ventaja maravillosa a su examen de certificación de controlador de incidentes certificado por EC-Council. Para más información, tenemos las preguntas de examen gratuitas EC-Consejo ECIH 212-89 a continuación para aprender primero.

Page 1 of 6

1. In a qualitative risk analysis, risk is calculated in terms of:

(Attack Success + Criticality) C(Countermeasures)

Asset criticality assessment C (Risks and Associated Risk Levels)

Probability of Loss X Loss

(Countermeasures + Magnitude of Impact) C (Reports from prior risk assessments)

2. 1.Which stage of the incident response and handling process involves auditing the system and network logfiles?

Incident triage

Incident eradication

Containment

Incident disclosure

3. Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault tolerant systems, as well as a solid backup and recovery strategy.

Identify the plan which is mandatory part of a business continuity plan?

Forensics Procedure Plan

Business Recovery Plan

Sales and Marketing plan

New business strategy plan

4. John is performing a memory dump analysis in order to find traces of malware. He has employed Volatility tool in order to achieve his objective.

Which of the following volatility framework command she will use in order to analyze the running process

from the memory dump?

python vol.py pslist--profile=Win2008SP1x86 -f/root/Desktop/memdump.mem

python vol.py imageinfo -f/root/Desktop/memdump.mem

python vol.py hivelist --prof le=Win2008SP1x86 -f/root/Desktop/mem dump.mem

python vol.py svcscan--profile=Win2008SP1x86 -f/root/Desktop/mem dump.mem | more

5. A threat source does not present a risk if NO vulnerability that can be exercised for a particular threat source.

Identify the step in which different threat sources are defined:

Identification Vulnerabilities

Control analysis

Threat identification

System characterization

6. US-CERT and Federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization.

What is the timeframe required to report an incident under the CAT 4 Federal Agency category?

Weekly

Within four (4) hours of discovery/detection if the successful attack is still ongoing and agency is unable to successfully mitigate activity

Within two (2) hours of discovery/detection

Monthly

7. Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs?

Risk assessment

Threat assessment

Data analysis

Forensic readiness

8. Which of the following GPG 18 and Forensic readiness planning(SPF) principles states that “organizations should adopt a scenario based Forensic Readiness Planning approach that learns from experience gained within the business"?

Principle 2

Principle 5

Principle 3

Principle 7

9. Shally, an incident handler, is working for a company named Texas Pvt. Ltd. based in Florida. She was asked to work on an incident response plan. As part of the plan, she decided to enhance and improve the security infrastructure of the enterprise. She has incorporated a security strategy that allows security professionals to use several protection layers throughout their information system. Due to multiple layer protection, this security strategy assists in preventing direct attacks against the organization's information system as a break in one layer only leads the attacker to the next layer.

Identify the security strategy Shally has incorporated in the incident response plan.

Exponential back off algorithm

Defense-in-depth

Three-way handshake

Covert channels

10. Identify the Sarbanes-Oxley Act (SOX) Title, which consists of only one section, that includes measures designed to help restore investor confidence in the reporting of securities analysts.

Title VI: Stud is and Reports

Title IX: White-Collar-Crime Penalty Enhancement

Title V: Analyst Conflicts of Interest

Title VIII: Corporate and Criminal Fraud Accountability

Page 2 of 6

11. An attacker uncovered websites a target individual was frequently surfing. The attacker then tested those particular websites to identify possible vulnerabilities. After detecting vulnerabilities within a website, the attacker started injecting malicious script/code into the web application that would redirect the webpage and download the malware on to the victim's machine. After infecting the vulnerable web application, the attacker waited for the victim to access the infected web application.

Identify the type of attack performed by the attacker.

Obfuscation application

Cookie/Session poisoning

Directory traversal

Watering hole

12. A distributed Denial of Service (DDoS) attack is a more common type of DoS Attack, where a single system is targeted by a large number of infected machines over the Internet.

In a DDoS attack, attackers first infect multiple systems which are known as:

Trojans

Zombies

Spyware

Worms

13. The goal of incident response is to handle the incident in a way that minimizes damage and reduces recovery time and cost.

Which of the following does NOT constitute a goal of incident response?

Dealing with human resources department and various employee conflict behaviors.

Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data.

Helping personal to recover quickly and efficiently from security incidents, minimizing loss or theft and disruption of services.

Dealing properly with legal issues that may arise during incidents.

14. Which of the following is not a countermeasure to eradicate inappropriate usage incidents?

Registering user activity logs and keep monitoring them regularly

Avoiding VPN and other secure network channels

Always storing the sensitive data in far located servers and restricting its access

Installing firewall and IDS/IPS to block services that violate the organization's policy

15. Which of the following incident recovery testing methods works by creating a mock disaster, like fire to identify the reaction of the procedures that are implemented to handle such situations?

Scenario testing

Facility testing

Live walk-through testing

Procedure testing

16. An incident recovery plan is a statement of actions that should be taken before, during or after an incident.

Identify which of the following is NOT an objective of the incident recovery plan?

Creating new business processes to maintain profitability after incident

Providing a standard for testing the recovery plan

Avoiding the legal liabilities arising due to incident

Providing assurance that systems are reliable

17. Except for some common roles, the roles in an IRT are distinct for every organization.

Which among the following is the role played by the Incident Coordinator of an IRT?

Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible

Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management

Applies the appropriate technology and tries to eradicate and recover from the incident

Focuses on the incident and handles it from management and technical point of view

18. The flow chart gives a view of different roles played by the different personnel of CSIRT.

Identify the incident response personnel denoted by A, B, C, D, E, F and G.

A-Incident Analyst, B- Incident Coordinator, C- Public Relations, D-Administrator, E- Human Resource, F-Constituency, G-Incident Manager

A- Incident Coordinator, B-Incident Analyst, C- Public Relations, D-Administrator, E- Human Resource, F-Constituency, G-Incident Manager

A- Incident Coordinator, B- Constituency, C-Administrator, D-Incident Manager, E- Human Resource, F-Incident Analyst, G-Public relations

A- Incident Manager, B-Incident Analyst, C- Public Relations, D-Administrator, E- Human Resource, F-Constituency, G-Incident Coordinator

19. An organization faced an information security incident where a disgruntled employee passed sensitive access control information to a competitor. The organization’s incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness.

How would you categorize such information security incident?

High level incident

Middle level incident

Ultra-High level incident

Low level incident

20. Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To accomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources(processor cache) to steal data (cryptographic key/plaintext secrets) from the victim machine.

Identify the type of attack Alice is performing in the above scenario.

Man-in-the-cloud attack

Service hijacking

Side channel attack

SQL injection attack

Page 3 of 6

21. Risk management consists of three processes, risk assessment, mitigation and evaluation. Risk assessment determines the extent of the potential threat and the risk associated with an IT system through its SDLC.

How many primary steps does NIST’s risk assessment methodology involve?

Twelve

Four

Six

Nine

22. Rose is an incident-handler and is responsible for detecting and eliminating any kind of scanning attempts over the network by malicious threat actors. Rose uses Wire shark to sniff the network and detect any malicious activities going on.

Which of the following Wire shark filters can be used by her to detect TCP Xmas scan attempt by the attacker?

tcp.flags==0X 000

tcp.flags==0X 029

tcp.dstport== 7

tcp.flags.reset== 1

23. The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:

If the insider’s technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant.

If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be insignificant.

If the insider’s technical literacy is high and process knowledge is low, the risk posed by the threat will be high.

If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be high.

24. Which of the following methods help incident responders to reduce the false-positive alert rates and further provide benefits of focusing on top priority issues, thereby reducing potential risk and corporate liabilities?

Threat attribution

Threat correlation

Threat contextualization

Threat profiling

25. In the Control Analysis stage of the NIST’s risk assessment methodology, technical and none technical control methods are classified into two categories.

What are these two control categories?

Preventive and Detective controls

Detective and Disguised controls

Predictive and Detective controls

Preventive and predictive controls

26. Which of the following terms may be defined as “a measure of possible inability to achieve a goal, objective, or target within a defined security, cost plan and technical limitations that adversely affects the organization’s operation and revenues?

Risk

Vulnerability

Threat

Incident Response

27. A computer Risk Policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is NOT part of the computer risk policy?

Procedure to identify security funds to hedge risk

Procedure to monitor the efficiency of security controls

Procedure for the ongoing training of employees authorized to access the system

Provisions for continuing support if there is an interruption in the system or if the system crashes

28. Computer forensics is methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and or digital media that can be presented in a course of law in a coherent and meaningful format.

Which one of the following is an appropriate flow of steps in the computer forensics process?

Examination> Analysis > Preparation > Collection > Reporting

Preparation > Analysis > Collection > Examination > Reporting

Analysis > Preparation > Collection > Reporting > Examination

Preparation > Collection > Examination > Analysis > Reporting

29. Which policy recommends controls for securing and tracking organizational resources:

Access control policy

Administrative security policy

Acceptable use policy

Asset control policy

30. An audit trail policy collects all audit trails such as series of records of computer events, about an operating system, application or user activities.

Which of the following statements is NOT true for an audit trail policy:

It helps calculating intangible losses to the organization due to incident

It helps tracking individual actions and allows users to be personally accountable for their actions

It helps in compliance to various regulatory laws, rules,and guidelines

It helps in reconstructing the events after a problem has occurred

Page 4 of 6

31. An organization named Sam Morison Inc.decided to use cloud-based services to reduce the cost of their maintenance. They first identified various risks and threats associated with cloud service adoption and

migrating critical business data to third-party systems. Hence, the organization decided to deploy cloud-based security tools to prevent upcoming threats.

Which of the following tools would help the organization to secure cloud resources and services?

Alert Logic

Wire shark

Burp Suite

Nmap

32. The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigations of the incident.

Identify the stage of the incident response and handling process in which complete backup of the infected system is carried out?

Containment

Eradication

Incident recording

Incident investigation

33. The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/ services that are not required.

Which service listed below, if blocked, can help in preventing Denial of Service attack?

SAM service

POP3 service

SMTP service

Echo service

34. An incident is analyzed for its nature, intensity and its effects on the network and systems.

Which stage of the incident response and handling process involves auditing the system and network log files?

Incident recording

Reporting

Containment

Identification

35. Which among the following CERTs is an Internet provider to higher education institutions and various other research institutions in the Netherlands and deals with all cases related to computer security incidents in which a customer is involved either as a victim or as a suspect?

NET-CERT

DFN-CERT

Funet CERT

SURFnet-CERT

36. When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?

All access rights of the employee to physical locations, networks, systems, applications and data should be disabled

The organization should enforce separation of duties

The access requests granted to an employee should be documented and vetted by the supervisor

The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information

37. Identify the network security incident where intended authorized users are prevented from using system, network, or applications by flooding the network with high volume of traffic that consumes all existing network resources.

URL Manipulation

XSS Attack

SQL Injection

Denial of Service Attack

38. A computer virus hoax is a message warning the recipient of non-existent computer virus. The message is usually a chain e-mail that tells the recipient to forward it to every one they know.

Which of the following is NOT a symptom of virus hoax message?

The message prompts the end user to forward it to his / her e-mail contact list and gain monetary benefits in doing so

The message from a known email id is caught by SPAM filters due to change of filter settings

The message warns to delete certain files if the user does not take appropriate action

The message prompts the user to install Anti-Virus

39. One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure.

According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?

Protection

Preparation

Detection

Triage

40. Which of the following is an appropriate flow of the incident recovery steps?

System Operation-System Restoration-System Validation-System Monitoring

System Validation-System Operation-System Restoration-System Monitoring

System Restoration-System Monitoring-System Validation-System Operations

System Restoration-System Validation-System Operations-System Monitoring

Page 5 of 6

41. Alexis is working as an incident responder in XYZ organization. She was asked to identify and attribute the actors behind an attack that took place recently. In order to do so, she is performing threat attribution that deals with the identification of the specific person, society, or country sponsoring a well-planned and executed intrusion or attack on its target.

Which of the following types of threat attributions has Alexis performed?

intrusion-set attribution

Campaign attribution

True attribution

Nation-state attribution

42. Michael is an incident handler at CyberTech Solutions. He is performing detection and analysis of a cloud

security incident. He is also analyzing the filesystems, slack spaces, and metadata within the storage units to find hidden malware and evidence of malice.

Identify the cloud security incident handled by Michael:

Storage-related incident

Application-related incident

Server-related incident

Network-related incident

43. Multiple component incidents consist of a combination of two or more attacks in a system.

Which of the following is not a multiple component incident?

An insider intentionally deleting files from a workstation

An attacker redirecting user to a malicious website and infects his system with Trojan

An attacker infecting a machine to launch a DDoS attack

An attacker using email with malicious code to infect internal workstation

44. Quantitative risk is the numerical determination of the probability of an adverse event and the extent of the losses due to the event. Quantitative risk is calculated as:

(Probability of Loss) X (Loss)

(Loss) / (Probability of Loss)

(Probability of Loss) / (Loss)

Significant Risks X Probability of Loss X Loss

45. Which one of the following is the correct sequence of flow of the stages in an incident response:

Containment - Identification - Preparation - Recovery - Follow-up - Eradication

Preparation - Identification - Containment - Eradication - Recovery - Follow-up

Eradication - Containment - Identification - Preparation - Recovery - Follow-up

Identification - Preparation - Containment - Recovery - Follow-up - Eradication

46. Computer Forensics is the branch of forensic science in which legal evidence is found in any computer or any digital media device.

Of the following, who is responsible for examining the evidence acquired and separating the useful evidence?

Evidence Supervisor

Evidence Documenter

Evidence Manager

Evidence Examiner/ Investigator

47. James is working as an incident responder at Cyber Sol Inc. The management instructed James to investigate a cybersecurity incident that recently happened in the company. As a part of the investigation process, James started collecting volatile information from a system running on Windows operating system.

Which of the following commands helps James in determining all the executable files for running processes?

doskey/history

date/t& time/t

netstat-ab

top

48. Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness or unexplained absenteeism.

Select the technique that helps in detecting insider threats:

Correlating known patterns of suspicious and malicious behavior

Protecting computer systems by implementing proper controls

Making is compulsory for employees to sign a none disclosure agreement

Categorizing information according to its sensitivity and access rights

49. A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to agency’s reporting timeframe guidelines, this incident should be reported within two (2) HOURS of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.

Which incident category of the US Federal Agency does this incident belong to?

CAT 5

CAT 1

CAT 2

CAT 6

50. Risk is defined as the probability of the occurrence of an incident.

Risk formulation generally begins with the likeliness of an event’s occurrence, the harm it may cause and is usually denoted as Risk = ∑(events)X (Probability of occurrence) X?

Magnitude

Probability

Consequences

Significance

Page 6 of 6

51. Which of the following information security personnel handles incidents from management and technical point of view?

Network administrators

Forensic investigators

Inc dent manager(IM)

Threat researchers

52. Organizations or incident response teams need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. EVIDENCE PROTECTION is also required to meet legal compliance issues.

Which of the following documents helps in protecting evidence from physical or logical damage:

Network and host log records

Chain-of-Custody

Forensic analysis report

Chain-of-Precedence

53. Joseph is an incident handling and response(IH&R) team lead in Toro Network Solutions Company. As a part of the IH&R process, Joseph alerted the service providers, developers, and manufacturers about the affected resources.

Identify the stage of IH&R process Joseph is currently in.

Eradication

Recovery

Containment

Incident triage

54. Policies are designed to protect the organizational resources on the network by establishing the set rules and procedures.

Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?

Access control policy

Audit trail policy

Logging policy

Documentation policy

55. Elizabeth, working for OBC organization as an incident responder, is assessing the risks facing the organizational security. During the assessment process, she calculates the probability of a threat source exploiting an existing system vulnerability.

Identify the risk assessment step Elizabeth is currently in.

System characterization

Impact analysis

Likelihood analysis

vulnerability identification

56. Incident handling and response steps help you to detect, identify, respond and manage an incident.

Which of the following steps focus on limiting the scope and extent of an incident?

Eradication

Containment

Identification

Data collection

57. Identify the malicious program that is masked as a genuine harmless program and gives the attacker unrestricted access to the user’s information and system. These programs may unleash dangerous programs that may erase the unsuspecting user’s disk and send the victim’s credit card numbers and passwords to a stranger.

Cookie tracker

Worm

Trojan

Virus

58. Identify a standard national process which establishes a set of activities, general tasks and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.

NIASAP

NIAAAP

NIPACP

NIACAP

59. In which of the steps of NIST’s risk assessment methodology are the boundary of the IT system, along with the resources and the information that constitute the system identified?

Likelihood Determination

Control recommendation

System characterization

Control analysis

60. Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification activation, recovery and reconstitution and plan appendices.

What is the main purpose of the reconstitution plan?

To restore the original site, tests systems to prevent the incident and terminates operations

To define the notification procedures, damage assessments and offers the plan activation

To provide the introduction and detailed concept of the contingency plan

To provide a sequence of recovery activities with the help of recovery procedures

Examen de incidentes certificados por EC-Convil (ECIH) Examen 212-89 Guía de estudio para el aprendizaje

Author

Deja una respuesta Cancelar la respuesta