212-89-Demo

The document contains a demo version of the 212-89 Certified Incident Handler exam questions and answers, focusing on various cybersecurity incidents and responses. It includes multiple-choice questions with explanations regarding different types of attacks, roles in incident response, and tools for analyzing security incidents. Additionally, it provides links for obtaining the full exam file and promotional offers for study materials.

Uploaded by averey.gohan

Eccouncil

212-89 Exam
Certified Incident Handler

Questions & Answers


(Demo Version - Limited Content)

Thank you for Downloading 212-89 exam PDF Demo

Get Full File:


https://www.certsland.com/212-89-dumps/

www.certsland.com
Questions & Answers PDF Page 2

Version: 10.0

Question: 1

ZYX company experienced a DoS/DDoS attack on their network. Upon investigating the incident, they
concluded that the attack is an application-layer attack. Which of the following attacks did the
attacker use?

A. Slowloris attack
B. UDP flood attack
C. SYN flood attack
D. Ping of death

Answer: A
Explanation:

The Slowloris attack is a type of application-layer attack that targets the web server by establishing
and maintaining many simultaneous HTTP connections to the target server. Unlike traditional
network-layer DoS/DDoS attacks such as UDP flood or SYN flood, Slowloris is designed to hold as
many connections to the target web server open for as long as possible. It does so by sending partial
requests, which are never completed, and periodically sending subsequent HTTP headers to keep the
connections open. This consumes the server's resources, leading to denial of service as legitimate
users cannot establish connections. The Slowloris attack is effective even against servers with a high
bandwidth because it targets the server's connection pool, not its network bandwidth.
Reference: Incident Handler (ECIH v3) courses and study guides particularly emphasize
understanding different types of attacks, including application-layer attacks like Slowloris, as part of
the incident handling and response process.

Question: 2

Ross is an incident manager (IM) at an organization, and his team provides support to all users in the
organization who are affected by threats or attacks. David, who is the organization's internal auditor,
is also part of Ross's incident response team. Which of the following is David's responsibility?

A. Configure information security controls.
B. Identify and report security loopholes to the management for necessary action.
C. Coordinate incident containment activities with the information security officer (ISO).
D. Perform the necessary action to block the network traffic from the suspected intruder.


Answer: B
Explanation:

In the context of an incident response team, the role of an internal auditor like David includes
identifying, evaluating, and reporting on information security risks and vulnerabilities within the
organization. His responsibility is to ensure that the organization's security controls are effective and
to identify any security loopholes that could be exploited by attackers. Once identified, he reports
these vulnerabilities to management so that they can take the necessary actions to mitigate the
risks. This role is critical in maintaining the organization's overall security posture and ensuring
compliance with relevant laws, regulations, and policies.
Reference: Incident Handler (ECIH v3) courses and study guides cover the roles and responsibilities of
incident response team members, highlighting the importance of internal auditors in identifying and
addressing security vulnerabilities.

Question: 3

Dash wants to perform a DoS attack over 256 target URLs simultaneously.
Which of the following tools can Dash employ to achieve his objective?

A. HOIC
B. IDA Pro
C. Ollydbg
D. OpenVAS

Answer: A
Explanation:

High Orbit Ion Cannon (HOIC) is a tool designed to perform stress testing on networks or servers. It
can launch a Distributed Denial of Service (DDoS) attack by enabling an attacker to overwhelm a
target with HTTP POST and GET requests. HOIC's distinctive feature is its ability to attack multiple
targets (up to 256 URLs simultaneously) with configurable HTTP flood attacks. This capability makes it
a preferred choice for attackers aiming to disrupt services on a large scale. Unlike tools designed for
debugging or vulnerability scanning (e.g., IDA Pro, Ollydbg, OpenVAS), HOIC is specifically crafted for
launching DoS/DDoS attacks, making it the correct answer for Dash's objective.
Reference: The Incident Handler (ECIH v3) courses and study guides delve into various cyber attack
tools, including HOIC, explaining their functionalities and potential impact as part of the
comprehensive cybersecurity threat landscape education.

Question: 4

Which of the following information security personnel handles incidents from both a management and
a technical point of view?

A. Network administrators
B. Incident manager (IM)


C. Threat researchers
D. Forensic investigators

Answer: B
Explanation:

In the context of information security, the Incident Manager (IM) plays a crucial role in handling
incidents from both a management and technical perspective. The Incident Manager is responsible
for overseeing the entire incident response process, coordinating with relevant stakeholders,
ensuring that incidents are analyzed, contained, and eradicated efficiently, and that recovery
processes are initiated promptly. They are pivotal in ensuring communication flows smoothly
between technical teams and upper management and that all actions taken are aligned with the
organization's broader security policies and objectives. Unlike network administrators, threat
researchers, or forensic investigators who may play more specialized roles within the incident
response process, the Incident Manager has a broad oversight role that encompasses both technical
and managerial aspects to ensure a comprehensive and coordinated response to security incidents.
Reference: Incident Handler (ECIH v3) courses and study guides emphasize the role of the Incident
Manager as integral to the incident handling process, underscoring their importance in bridging the
gap between technical response actions and strategic management decisions.

Question: 5

Francis received a spoof email asking for his bank information. He decided to use a tool to analyze
the email headers. Which of the following should he use?

A. EventLog Analyzer
B. MxToolbox
C. Email Checker
D. PoliteMail

Answer: B
Explanation:

MxToolbox is a comprehensive tool designed for analyzing email headers and diagnosing various
email delivery issues. When Francis received a spoofed email asking for his bank information, using
MxToolbox to analyze the email headers would be appropriate. This tool helps in examining the
source of the email, tracking the email's path across the internet from the sender to the receiver, and
identifying any signs of email spoofing or malicious activity. It provides detailed information about
the email servers encountered along the way and can help in verifying the authenticity of the email
sender. Other options like EventLog Analyzer, Email Checker, and PoliteMail are tools used for
different purposes such as analyzing system event logs, checking email address validity, and
managing email communications, respectively, and do not specifically focus on analyzing email
headers to the extent required for investigating a spoofed email incident.
Reference: The use of MxToolbox in incident handling and email security analysis is commonly
recommended in Incident Handler (ECIH v3) study materials as a practical tool for email header
analysis and spoofing investigation.


Question: 6

Zaimasoft, a prominent IT organization, was attacked by perpetrators who directly targeted the
hardware and caused irreversible damage to it. As a result, replacing or reinstalling the
hardware was the only solution.
Identify the type of denial-of-service attack performed on Zaimasoft.

A. DDoS
B. DoS
C. PDoS
D. DRDoS

Answer: C
Explanation:

A Permanent Denial-of-Service (PDoS) attack, also known as "phlashing," is a form of attack that
targets hardware, causing irreversible damage to the hardware components, thereby making the
device unusable without a replacement or significant hardware intervention. In the scenario
described with Zaimasoft, the attackers' actions leading to the damage of hardware components
align with the characteristics of a PDoS attack. Unlike Distributed Denial-of-Service (DDoS) or Denial-
of-Service (DoS) attacks, which generally aim to overwhelm a system's resources temporarily, or
DRDoS (Distributed Reflection Denial of Service), which involves amplification techniques using third-
party servers, a PDoS attack directly damages the physical hardware, necessitating its replacement or
reinstallation. This makes PDoS particularly severe due to its permanent impact on the targeted
organization's hardware infrastructure.
Reference: Incident Handler (ECIH v3) educational resources detail various types of denial-of-service
attacks, including PDoS, highlighting the distinct nature of each attack and its implications on the
affected systems, with PDoS being noted for its physical, irreparable impact on hardware
components.

Question: 7

Which of the following terms refers to the personnel that the incident handling and response (IH&R)
team must contact to report the incident and obtain the necessary permissions?

A. Civil litigation
B. Point of contact
C. Criminal referral
D. Ticketing

Answer: B
Explanation:

In the context of incident handling and response (IH&R), the term "Point of contact" refers to
individuals or departments within an organization that are designated to be contacted by the IH&R
team in case of an incident. These personnel are crucial for the reporting process and for obtaining
the necessary permissions to proceed with incident response activities. They serve as the liaison


between the incident response team and other parts of the organization, external agencies, or
partners involved in the incident response process. The point of contact is responsible for facilitating
communication, coordinating actions, and ensuring that the appropriate stakeholders are engaged in
the response to an incident. This role is pivotal in ensuring a swift and effective response to security
incidents, minimizing damage, and restoring operations.
Reference: Incident Handler (ECIH v3) courses and study guides typically emphasize the importance
of clearly defined roles and responsibilities within the incident response process, including the
designation of points of contact.

Question: 8

Khai was tasked with examining the logs from a Linux email server. The server uses Sendmail to
execute the command to send emails and Syslog to maintain logs. To validate the data within email
headers, which of the following directories should Khai check for information such as source and
destination IP addresses, dates, and timestamps?

A. /var/log/maillog
B. /var/log/sendmail
C. /var/log/mai11og
D. /var/log/sendmail/mailog

Answer: A
Explanation:

In a Linux environment, email servers such as Sendmail log events, including details about sent and
received emails, in a specific log file. The correct directory and file for examining email logs,
particularly for Sendmail and using Syslog for logging, is /var/log/maillog. This file contains vital
information for forensic and incident response purposes, including source and destination IP
addresses, email addresses, timestamps, and other data relevant to the email traffic handled by the
server. By analyzing this log, incident responders can gather evidence related to email-based
incidents, trace the source of malicious emails, and understand the scope of an incident. It's crucial
for individuals like Khai, who are tasked with examining logs, to know the correct log file locations
and their contents to effectively validate and analyze email header information and other relevant
data.
Reference: Incident Handler (ECIH v3) study materials often cover the logging mechanisms of
common services and applications on Linux systems, including email servers like Sendmail, and the
importance of log files like /var/log/maillog in incident investigation and response activities.

Question: 9

A malicious, security-breaking program is disguised as a useful program. Such executable programs,
which are installed when a file is opened, allow others to control a user's system. What is this type of
program called?

A. Trojan
B. Worm
C. Virus


D. Spyware

Answer: A
Explanation:

A Trojan, short for Trojan horse, is a type of malicious software that misleads users about its true intent.
It disguises itself as a legitimate and useful program, but once executed, it allows unauthorized
access to the user's system. Unlike viruses and worms, Trojans do not replicate themselves but can
be just as destructive. They are often used to create a backdoor to a computer system, allowing an
attacker to gain access to the system or to deliver other malware. Trojans can be used for a variety of
purposes, including stealing information, downloading or uploading files, monitoring the user's
screen and keyboard, and more. The term "Trojan" comes from the Greek story of the wooden horse
that was used to sneak soldiers into the city of Troy, which is analogous to the deceptive nature of
this type of malware in cyber security.
Reference: The EC-Council's Certified Incident Handler (ECIH v3) program covers various types of
malware, including Trojans, in detail, explaining their mechanisms, how they can be identified, and
the steps to take in response to such threats.

Question: 10

Which of the following details are included in the evidence bags?

A. Error messages that contain sensitive information and files containing passwords
B. Software version information and web application source code
C. Sensitive directories, personal, and organizational email address
D. Date and time of seizure, exhibit number, and name of incident responder

Answer: B
Explanation:

In the practice of digital forensics and incident handling, evidence bags play a crucial role in
preserving the integrity and chain of custody of physical and digital evidence. The information
typically included in the documentation on evidence bags encompasses the date and time of seizure,
which provides a timestamp for when the evidence was collected; the exhibit number, which is a
unique identifier assigned to each piece of evidence for tracking and reference purposes; and the
name of the incident responder or individual who collected the evidence, ensuring accountability
and traceability. This documentation is essential for maintaining the chain of custody, a critical
element in legal proceedings, as it helps establish the evidence's authenticity and integrity by
detailing its handling from collection to presentation in court. Options A, B, and C describe types of
digital evidence but are not directly related to the content typically documented on evidence bags.
Reference: Incident Handler (ECIH v3) courses and study guides emphasize the importance of
accurately documenting evidence bags as part of the evidence collection and preservation process in
incident handling and digital forensics.

Thank You for trying 212-89 PDF Demo

https://www.certsland.com/212-89-dumps/

Start Your 212-89 Preparation

[Limited Time Offer] Use Coupon " SAVE20 " for extra 20%
discount on the purchase of PDF file. Test your
212-89 preparation with actual exam questions
