Free ECCouncil 212-89 Practice Exam with Questions & Answers | Set: 2

This scenario reflects a suspected cloud workload compromise. The ECIH Cloud Incident Handling module stresses that responders must balance containment, evidence preservation, and service continuity.

Option D is correct because creating snapshots preserves forensic evidence while isolating instances using network ACLs or security groups immediately halts malicious communication. This approach aligns with ECIH guidance to preserve evidence before destructive actions while still containing the threat.

Option B destroys evidence and hinders investigation. Option C alters system state and may trigger attacker countermeasures. Option A delays containment.

ECIH explicitly warns against terminating or rebooting compromised cloud assets before evidence capture. Snapshot-and-isolate is therefore the most effective immediate containment step.

The statement "Do not download or execute applications from trusted sources" is incorrect and not considered a good practice for maintaining information security and eradicating malware incidents. In contrast, downloading or executing applications from trusted sources is a fundamental security best practice. Trusted sources are vetted and are generally considered safe for downloading software, updates, and applications. This practice helps to minimize the risk of introducing malware into the organizational environment. The other options (A, B, C) represent good practices that help in reducing the likelihood of malware infections by avoiding potentially harmful actions.

Avoiding VPN (Virtual Private Network) and other secure network channels is not a countermeasure to eradicate inappropriate usage incidents. On the contrary, using VPNs and secure network channels is a best practice for enhancing security, as these technologies help protect data in transit, ensuring that it is encrypted and less susceptible to interception or eavesdropping. Countermeasures for inappropriate usage typically involve enhancing security and monitoring, not reducing the security of communications.

The EC-Council Incident Handler (ECIH) curriculum defines Post-Incident Activity as the phase focused on lessons learned, root cause analysis, and process improvement. Conducting a formal retrospective with cross-functional stakeholders to reconstruct timelines, evaluate decision-making, and identify coordination gaps aligns directly with a structured postmortem analysis.

ECIH emphasizes that post-incident reviews should promote a no-blame culture to encourage transparency and honest feedback. The objective is continuous improvement of incident response playbooks, communication protocols, escalation procedures, and overall organizational readiness. Root cause analysis (RCA) is a key component, ensuring that both technical and procedural weaknesses are identified and corrected.

Option B (reclassification) is an administrative adjustment, not a comprehensive review. Option C (vendor notification) relates to external communication. Option D (checklist updates) may result from the review but does not describe the primary activity being executed.

Therefore, the organization is performing a formal postmortem to analyze root causes and operational effectiveness.

The EC-Council Incident Handler (ECIH) curriculum identifies excessive privileges as a major contributor to insider threats. In this scenario, Daniel had unrestricted access to all file servers, violating the Principle of Least Privilege (PoLP). The absence of enforcement mechanisms or alerts further indicates a lack of access governance.

Zero Trust architecture operates on the principle of “never trust, always verify.” It enforces strict identity verification, continuous authentication, micro-segmentation, and role-based access control. Under Zero Trust, users are granted access only to specific resources required for their job role, and all access attempts are logged and monitored.

User segmentation ensures that even administrators are restricted to only authorized systems and datasets. ECIH stresses the importance of monitoring privileged accounts, implementing least privilege, enabling access auditing, and enforcing real-time alerting for unauthorized data access attempts.

Option A (manual surveillance) is impractical and ineffective at scale. Option B (personal firewall rules) protects network traffic but does not restrict file server permissions. Option C (disabling removable media) addresses data exfiltration via USB devices, not unauthorized file access.

Therefore, user segmentation through Zero Trust access would have prevented Daniel from accessing irrelevant encrypted project files and aligns directly with ECIH insider threat mitigation strategies.

BrowsingHistoryView is a tool designed to collect and analyze history data from various web browsers, including Microsoft Edge. It allows users to view the browsing history stored by their browsers in one unified interface. This includes URLs visited, page titles, visit times, and the number of visits to each page. While ChromeHistoryView is specific to Google Chrome, BrowsingHistoryView supports multiple browsers, making it versatile for analyzing history data across different platforms. MZCacheView and MZHistoryView do not exist as tools recognized for this purpose in the context of Microsoft Edge or other browser history analysis.

In the scenario where Dolphin Investment needs to implement a ticketing system for employees like Jacob to report IT-related issues, ManageEngine ServiceDesk Plus is the most suitable option among the choices provided. ManageEngine ServiceDesk Plus is a comprehensive IT help desk software that facilitates issue tracking, incident management, and efficient resolution of IT-related problems and requests. It enables users to submit tickets through various channels, including email, web portal, phone, or chat, and allows IT support teams to manage these tickets through a centralized platform. This system is designed to streamline the process of reporting, tracking, and resolving IT issues and incidents, making it an ideal solution for organizations looking to establish a formalized incident reporting and resolution process. Other options like IBM X-Force Exchange, ThreatConnect, and MISP focus more on threat intelligence sharing and security incident analysis rather than functioning as an IT help desk or ticketing system.

MxToolbox is a comprehensive tool designed for analyzing email headers and diagnosing various email delivery issues. When Francis received a spoofed email asking for his bank information, using MxToolbox to analyze the email headers would be appropriate. This tool helps in examining the source of the email, tracking the email's path across the internet from the sender to the receiver, and identifying any signs of email spoofing or malicious activity. It provides detailed information about the email servers encountered along the way and can help in verifying the authenticity of the email sender. Other options like EventLog Analyzer, Email Checker, and PoliteMail are tools used for different purposes such as analyzing system event logs, checking email address validity, and managing email communications, respectively, and do not specifically focus on analyzing email headers to the extent required for investigating a spoofed email incident.

If a hacker influences an employee or a disgruntled staff member to gain access to an organization's resources or sensitive information, this is classified as an insider attack. Insider attacks are perpetrated by individuals within the organization, such as employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. The threat from insiders can be intentional, as in the case of a disgruntled employee seeking to harm the organization, or unintentional, where an employee is manipulated or coerced by external parties without realizing the implications of their actions. Phishing attacks, footprinting, and identity theft represent different types of cybersecurity threats where the attacker's method or objective differs from that of insider attacks.

The EC-Council Incident Handler (ECIH) curriculum explains that Stored Cross-Site Scripting (Stored XSS) occurs when malicious scripts are permanently stored on a web server (e.g., within blog posts, comments, or database entries). When users access the infected content, the malicious script executes in their browser.

In this scenario, the attacker posted malicious content using a valid account, and subsequent users were redirected to a phishing site containing session cookies in the URL. This indicates that malicious code was embedded and stored within the blog platform, affecting multiple visitors.

Reflected XSS (Option A) requires the victim to click a crafted link and is not persistently stored. Man-in-the-middle (Option B) involves interception of communications. Directory traversal (Option D) involves accessing restricted directories on a server.

ECIH highlights that stored XSS attacks are particularly dangerous because they impact all users who access the compromised content and can lead to session hijacking, credential theft, and redirection to phishing sites.

Therefore, the attack described is Stored XSS.