[UPDATED 2025] EC-COUNCIL 212-89 Questions Prepare with Free Demo of PDF [Q74-Q93]


NEW 2025 Certification Sample Questions 212-89 Dumps & Practice Exam


The EC-Council Certified Incident Handler certification is recognized globally and is highly respected in the industry. It is designed to validate the skills and knowledge of individuals in incident handling and response. The EC-Council Certified Incident Handler (ECIH v3) certification exam covers a wide range of topics, including incident handling fundamentals, network security threats, incident reporting and documentation, and incident recovery.


NEW QUESTION # 74
Alice is an incident handler and she has been informed by her lead that the data on affected systems must be backed up so that it can be retrieved if it is damaged during the incident response process. She was also told that the system backup can also be used for further investigation of the incident.
In which of the following stages of the incident handling and response (IH&R) process does Alice need to do a complete backup of the infected system?

  • A. Eradication
  • B. Containment
  • C. Incident recording
  • D. Incident triage

Answer: C


NEW QUESTION # 75
James has been appointed as an incident handling and response (IH&R) team lead and he was assigned to build an IH&R plan along with his own team in the company.
Identify the IH&R process step James is currently working on.

  • A. Eradication
  • B. Preparation
  • C. Notification
  • D. Recovery

Answer: B

Explanation:
In the context of incident handling and response (IH&R), the preparation phase is the initial step where teams and resources are organized to effectively respond to potential security incidents. This phase involves building the IH&R team, developing incident response plans and policies, setting up communication channels, and ensuring that the team has the necessary tools and authority to act. James, being assigned to build an IH&R plan and organize his team, is engaging in the preparation step of the incident response process. This foundational step is crucial for ensuring a coordinated and efficient response to incidents when they occur.
References:The importance of the preparation phase in the incident response lifecycle is emphasized in various cybersecurity frameworks and guidelines, including those covered in ECIH v3 certification materials, which detail the roles, responsibilities, and planning necessary to establish an effective incident response capability.


NEW QUESTION # 76
Oscar receives an email from an unknown source containing his domain name oscar.com. Upon checking the link, he found that it contains a malicious URL that redirects to the website evilsite.org. What type of vulnerability is this?

  • A. Unvalidated redirects and forwards
  • B. Bolen
  • C. Malware
  • D. SQL injection

Answer: A

Explanation:
The scenario described, where Oscar receives an email with a link that contains a malicious URL redirecting to evilsite.org, exemplifies a vulnerability related to unvalidated redirects and forwards. This type of vulnerability occurs when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. Attackers can exploit this vulnerability by crafting a malicious URL that leads unsuspecting users to phishing sites or other malicious websites, under the guise of a legitimate domain. This is distinct from malware, which refers to malicious software; SQL injection, which involves inserting malicious SQL queries through input fields to manipulate or exploit databases; and "Bolen", which is not a term related to cybersecurity vulnerabilities.
References:The Incident Handler (ECIH v3) certification materials often cover web application vulnerabilities, including unvalidated redirects and forwards, emphasizing the need for proper validation and sanitization of user input to prevent such exploits.


NEW QUESTION # 77
Stanley works as an incident responder at a top MNC based in Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company. While investigating the incident, he collected evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of a jury so that the evidence clarifies the facts and further helps in obtaining an expert opinion on the incident to confirm the investigation process. In the above scenario, which of the following characteristics of the digital evidence did Stanley attempt to preserve?

  • A. Authenticity
  • B. Admissibility
  • C. Believability
  • D. Completeness

Answer: B

Explanation:
In the scenario described, Stanley's effort to present evidence in a clear and comprehensible manner to the members of a jury, with the intention of clarifying facts and aiding in obtaining expert opinion, aligns with the characteristic of admissibility. The admissibility of digital evidence pertains to its acceptability in a court of law, which hinges on the evidence being collected, handled, and presented in a manner that complies with legal standards and procedures. This includes ensuring the evidence is relevant, reliable, and not overly prejudicial. By preparing to present the evidence in a way that the jury can understand and use to confirm the investigation process, Stanley is focusing on ensuring that the evidence meets the criteria for admissibility in the legal proceedings. Completeness, believability, and authenticity are also important characteristics of digital evidence, but the context provided indicates that Stanley's primary focus is on meeting the legal requirements for the evidence to be considered valid in court.
References:The Incident Handler (ECIH v3) certification materials cover the legal aspects of incident response, including the importance of ensuring the admissibility of evidence in legal proceedings as a fundamental objective of the evidence collection and presentation process.


NEW QUESTION # 78
Which of the following is a common tool used to help detect malicious internal or compromised actors?

  • A. Syslog configuration
  • B. SOC2 compliance report
  • C. Log forwarding
  • D. User behavior analytics

Answer: D

Explanation:
User Behavior Analytics (UBA) is a cybersecurity process or tool that utilizes machine learning, algorithms, and statistical analyses to detect potentially harmful activities within an organization's network by comparing them against established patterns of users' behavior. It is particularly effective in identifying malicious internal actors or compromised users who may be conducting activities that deviate from their normal behavior patterns, such as accessing unauthorized data or systems, excessive file downloads, or unusual login times.
UBA tools can flag these activities for further investigation, often before traditional security tools detect a breach. In contrast, SOC2 compliance reports, log forwarding, and syslog configuration are important for maintaining and auditing security standards and for infrastructure monitoring, but they are not primarily focused on detecting malicious behavior based on deviations from established user behavior patterns.
References:The Incident Handler (ECIH v3) curriculum discusses various tools and methodologies for detecting and responding to security incidents, highlighting User Behavior Analytics as a key tool for identifying insider threats and compromised accounts through behavioral monitoring and analysis.


NEW QUESTION # 79
Alexis is working as an incident responder in XYZ organization. She was asked to identify and attribute the actors behind an attack that took place recently. In order to do so, she is performing threat attribution that deals with the identification of the specific person, society, or country sponsoring a well-planned and executed intrusion or attack over its target. Which of the following types of threat attribution did Alexis perform?

  • A. Nation-state attribution
  • B. True attribution
  • C. Intrusion-set attribution
  • D. Campaign attribution

Answer: B

Explanation:
True attribution in the context of cyber incidents involves the identification of the actual individuals, groups, or entities behind an attack. This can include pinpointing specific persons, organizations, societies, or even countries that sponsor or carry out cyber intrusions or attacks. Alexis's efforts to identify and attribute the actors behind a recent attack by distinguishing the specific origins of the threat align with the concept of true attribution, which goes beyond mere speculation to provide concrete evidence about the perpetrators.
References:Threat attribution, especially true attribution, is a complex and nuanced area within cyber incident response, dealing with the identification of attackers. This concept is covered in cybersecurity courses and certifications, such as the ECIH v3 by EC-Council, focusing on the methodologies and challenges associated with attributing cyber attacks to their true sources.


NEW QUESTION # 80
Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness or unexplained absenteeism. Select the technique that helps in detecting insider threats:

  • A. Categorizing information according to its sensitivity and access rights
  • B. Correlating known patterns of suspicious and malicious behavior
  • C. Making it compulsory for employees to sign a non-disclosure agreement
  • D. Protecting computer systems by implementing proper controls

Answer: B



NEW QUESTION # 81
Jacob is an employee at a firm called Dolphin Investment. While he was on duty, he identified that his computer was facing some problems, and he wanted to convey the issue to the concerned authority in his organization. However, this organization currently does not have a ticketing system to address such types of issues.
In the above scenario, which of the following ticketing systems can be employed by Dolphin Investment to allow Jacob to inform the concerned team about the incident?

  • A. MISP
  • B. ManageEngine ServiceDesk Plus
  • C. IBM X Force Exchange
  • D. Threat Connect

Answer: B


NEW QUESTION # 82
Darwin is an attacker residing within the organization and is performing network sniffing by running his system in promiscuous mode. He is capturing and viewing all the network packets transmitted within the organization. Edwin is an incident handler in the same organization.
In the above situation, which of the following Nmap commands must Edwin use to detect Darwin's system that is running in promiscuous mode?

  • A. nmap -sV -T4 -O -F --version-light
  • B. nmap --script hostmap
  • C. nmap -sU -p 500
  • D. nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]

Answer: D

Explanation:
The GPG18 and Forensic readiness planning (SPF) principles outline various guidelines to enhance an organization's readiness for forensic investigation and response. Principle 5, which suggests that organizations should adopt a scenario-based Forensic Readiness Planning approach that learns from experience gained within the business, emphasizes the importance of being prepared for a wide range of potential incidents by leveraging lessons learned from past experiences. This approach helps in continuously improving forensic readiness and response capabilities by adapting to the evolving threat landscape and organizational changes.
References:While specific documentation from GPG18 and SPF might detail these principles, the ECIH v3 program by EC-Council covers the concept of forensic readiness planning, including adopting scenario-based approaches and learning from past incidents as a fundamental aspect of enhancing an organization's incident response and forensic capabilities.


NEW QUESTION # 83
Rose is an incident-handling person and she is responsible for detecting and eliminating any kind of scanning attempts over the network by any malicious threat actors. Rose uses the Wireshark tool to sniff the network and detect any malicious activities going on.
Which of the following Wireshark filters can be used by her to detect a TCP Xmas scan attempt by the attacker?

  • A. tcp.dstport==7
  • B. tcp.flags==0x000
  • C. tcp.flags==0x029
  • D. tcp.flags.reset==1

Answer: C


NEW QUESTION # 84
Which of the following options describes common characteristics of phishing emails?

  • A. Sent from friends or colleagues
  • B. Urgency, threatening, or promising subject lines
  • C. No BCC fields
  • D. Written in French

Answer: B

Explanation:
Phishing emails often share common characteristics designed to manipulate the recipient into taking immediate action. One of the hallmark features is the use of urgency, threatening language, or promising subject lines in the emails. These tactics are intended to create a sense of urgency or fear, compelling the recipient to respond quickly without giving due consideration to the legitimacy of the email. Phishing emails may claim that the recipient's account has been compromised, that they need to confirm personal information immediately, or that they have won a prize. The goal is to trick the recipient into clicking on malicious links, opening attachments, or providing sensitive information.
References:The Certified Incident Handler (ECIH v3) program by EC-Council covers the identification and handling of phishing incidents, including the analysis of phishing emails and the importance of educating users on recognizing and responding to phishing attempts.


NEW QUESTION # 85
The sign(s) of the presence of malicious code on a host infected by a virus which is delivered via e-mail could be:

  • A. Increase in the number of e-mails sent and received
  • B. System files become inaccessible
  • C. All the above
  • D. Antivirus software detects the infected files

Answer: C


NEW QUESTION # 86
Which of the following is a common tool used to help detect malicious internal or compromised actors?

  • A. Syslog configuration
  • B. SOC2 compliance report
  • C. Log forwarding
  • D. User behavior analytics

Answer: D


NEW QUESTION # 87
Zaimasoft, a prominent IT organization, was attacked by perpetrators who directly targeted the hardware and caused irreversible damage to it. As a result, replacing or reinstalling the hardware was the only solution.
Identify the type of denial-of-service attack performed on Zaimasoft.

  • A. DoS
  • B. DRDoS
  • C. PDoS
  • D. DDoS

Answer: C

Explanation:
A Permanent Denial-of-Service (PDoS) attack, also known as "phlashing," is a form of attack that targets hardware, causing irreversible damage to the hardware components, thereby making the device unusable without a replacement or significant hardware intervention. In the scenario described with Zaimasoft, the attackers' actions leading to the damage of hardware components align with the characteristics of a PDoS attack. Unlike Distributed Denial-of-Service (DDoS) or Denial-of-Service (DoS) attacks, which generally aim to overwhelm a system's resources temporarily, or DRDoS (Distributed Reflection Denial of Service), which involves amplification techniques using third-party servers, a PDoS attack directly damages the physical hardware, necessitating its replacement or reinstallation. This makes PDoS particularly severe due to its permanent impact on the targeted organization's hardware infrastructure.
References:Incident Handler (ECIH v3) educational resources detail various types of denial-of-service attacks, including PDoS, highlighting the distinct nature of each attack and its implications on the affected systems, with PDoS being noted for its physical, irreparable impact on hardware components.


NEW QUESTION # 88
Your company holds a large amount of customer PII, and you want to protect that data from theft or unauthorized modification. Among other actions, you classify and encrypt the data.
In this process, which of the following OWASP security risks are you guarding against?

  • A. Insecure deserialization
  • B. Sensitive data exposure
  • C. Security misconfiguration
  • D. Broken authentication

Answer: B


NEW QUESTION # 89
The process of rebuilding and restoring the computer systems affected by an incident to normal operational stage including all the processes, policies and tools is known as:

  • A. Incident Recovery
  • B. Incident Response
  • C. Incident Handling
  • D. Incident Management

Answer: A


NEW QUESTION # 90
What command does a Digital Forensic Examiner use to display the list of all open ports and the associated IP addresses on a victim computer to identify the established connections on it?

  • A. "ifconfig" command
  • B. "dd" command
  • C. "arp" command
  • D. "netstat -an" command

Answer: D


NEW QUESTION # 91
Which of the following methods helps incident responders to reduce the false positive alert rate and further provides the benefit of focusing on top-priority issues, thereby reducing potential risk and corporate liabilities?

  • A. Threat contextualization
  • B. Threat profiling
  • C. Threat attribution
  • D. Threat correlation

Answer: D


NEW QUESTION # 92
Business Continuity provides a planning methodology that allows continuity in business operations:

  • A. During and after a disaster
  • B. Before, during and after a disaster
  • C. Before and after a disaster
  • D. Before a disaster

Answer: B


NEW QUESTION # 93
......


EC-COUNCIL 212-89, also known as the EC Council Certified Incident Handler (ECIH v2) Exam, is a certification program designed to equip individuals with fundamental knowledge and skills necessary to respond effectively to security incidents. It is focused on comprehensive incident handling and response techniques and emphasizes the importance of proper incident management procedures and methodologies.


212-89 Deluxe Study Guide with Online Test Engine: https://www.actual4cert.com/212-89-real-questions.html

212-89 Test Prep Training Practice Exam Questions Practice Tests: https://drive.google.com/open?id=1zO7Ul6JQ4lBN0sBogPx9gfaOJH9jndKe