
212-89別格な問題集をダウンロードして無料で最新の(212-89テスト問題集をゲット2025年04月10日)
212-89問題集は合格保証します合格できる212-89試験問題2025年更新
質問 # 89
Which of the following is not the responsibility of first responders?
- A. Packaging and transporting the electronic evidence
- B. Identifying the crime scene
- C. Preserving temporary and fragile evidence and then shutdown or reboot the victim's computer
- D. Protecting the crime scene
正解:C
質問 # 90
Matt is an incident handler working for one of the largest social network companies, which was affected by malware. According to the company's reporting timeframe guidelines, a malware incident should be reported within 1 h of discovery/detection after its spread across the company. Which category does this incident belong to?
- A. CAT 1
- B. CAT 3
- C. CAT 2
- D. CAT 4
正解:A
解説:
In incident response protocols, incidents are categorized based on their severity, impact, and the urgency of the response required. The categorization helps in prioritizing incident response activities and allocating resources accordingly. A CAT 1 (Category 1) incident is typically considered the highest priority, involving significant threats that require immediate response. Given the scenario where a malware incident in one of the largest social network companies must be reported within 1 hour of discovery/detection, this indicates a high-priority incident due to the potential widespread impact and the need for a rapid response to contain and mitigate the malware's spread. The urgency of the reporting timeframe suggests that the incident is considered critical, aligning with the characteristics of a CAT 1 incident, which necessitates immediate action to prevent significant damage or disruption to the company's operations and services.References:The Incident Handler (ECIH v3) curriculum emphasizes the importance of incident categorization and the establishment of clear reporting and response protocols based on the severity and urgency of incidents. This framework enables organizations to respond effectively to incidents like malware attacks by ensuring that high-priority threatsare quickly identified and addressed.
質問 # 91
Auser downloaded what appears to be genuine software. Unknown to her, when she installed the application, it executed code that provided an unauthorized remote attacker access to her computer. What type of malicious threat displays this characteristic?
- A. Virus
- B. Trojan
- C. Spyware
- D. Backdoor
正解:B
解説:
The scenario described is characteristic of a Trojan. A Trojan is a type of malware that disguises itself as legitimate software but performs malicious actions once installed. Unlike viruses, which can replicate themselves, or worms, which can spread across networks on theirown, Trojans rely on the guise of legitimacy to trick users into initiating their execution. In this case, the user believed they were downloading and installing genuine software, but the reality was that the application contained a Trojan. The malicious code executed upon installation provided unauthorized remote access to the user's computer, which could be used by an attacker to control the system, steal data, install additional malware, or carry out other malicious activities.
Trojans can come in many forms and can be used to achieve a wide range of malicious objectives, making them a versatile and dangerous type of cyber threat. The deceptive nature of Trojans, exploiting the trust users have in what appears to be legitimate software, is what makes them particularly effective and widespread.
References:The ECIH v3 curriculum from EC-Council thoroughly covers different types of malware, including Trojans, and emphasizes understanding their behavior, methods of infection, and strategies for prevention and response.
質問 # 92
In which of the following stages of the incident handling and response (IH&R) process do the incident handlers try to find the root cause of the incident along with the threat actors behind the incidents, threat vectors, etc.?
- A. Incident triage
- B. Post-incident activities
- C. Incident recording and assignment
- D. Evidence gathering and forensics analysis
正解:D
質問 # 93
You are a systems administrator for a company. You are accessing your file server remotely for maintenance.
Suddenly, you are unable to access the server. After contacting others in your department, you find out that they cannot access the file server either. You can ping the file serverbut not connect to it via RDP. You check the Active Directory Server, and all is well. You check the email server and find that emails are sent and received normally. What is the most likely issue?
- A. An e-mail service issue
- B. An admin account issue
- C. The file server has shut down
- D. A denial-of-service issue
正解:D
解説:
In this scenario, the inability to access the file server via Remote Desktop Protocol (RDP), despite the server being pingable and other services functioning normally, suggests a service-specific disruption rather than a complete system shutdown or broader network issue. This pattern is indicative of a denial-of-service (DoS) attack targeted at the file server's RDP service or network congestion that specifically affects RDP connectivity. A DoS attack aims to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. The fact that other services (like email) are operational rules out broader system or admin account issues, pointing towards a specific problem with accessing the file server, most likely due to a denial-of-service condition.References:Incident Handler (ECIH v3) courses teach systems administrators and security professionals to diagnose and respond to various security incidents, including DoS attacks, by understanding symptoms and isolating issues based on the services affected.
質問 # 94
Jacob is an employee at a firm called Dolphin Investment. While he was on duty, he identified that his computer was facing some problems, and he wanted to convey the issue to the concerned authority in his organization. However, this organization currently does not have a ticketing system to address such types of issues. In the above scenario, which of the following ticketing systems can be employed by Dolphin Investment to allow Jacob to inform the concerned team about the incident?
- A. MISP
- B. ManageEngine ServiceDesk Plus
- C. ThreatConnect
- D. IBM XForco Exchange
正解:B
解説:
In the scenario where Dolphin Investment needs to implement a ticketing system for employees like Jacob to report IT-related issues, ManageEngine ServiceDesk Plus is the most suitable option among the choices provided. ManageEngine ServiceDesk Plus is a comprehensive IT help desk software that facilitates issue tracking, incident management, and efficient resolution of IT-related problems and requests. It enables users to submit tickets through various channels, including email, web portal, phone, or chat, and allows IT support teams to manage these tickets through a centralized platform. This system is designed to streamline the process of reporting, tracking, and resolving IT issues and incidents, making it an ideal solution for organizations looking to establish a formalized incident reporting and resolution process. Other options like IBM X-Force Exchange, ThreatConnect, and MISP focus more on threat intelligence sharing and security incident analysis rather than functioning as an IT help desk or ticketing system.References:Incident Handler (ECIH v3) courses and study guides often discuss the importance of having an effective incident reporting and management system in place, and ManageEngine ServiceDesk Plus is frequently cited as a practical solution for organizations seeking to implement such a system.
質問 # 95
Raven is a part of an IH&R team and was informed by her manager to handle and lead the removal of the root cause for an incident and to close all attack vectors to prevent similar incidents in the future. Raven notifies the service providers and developers of affected resources. Which of the following steps of the incident handling and response process does Raven need to implement to remove the root cause of the incident?
- A. Incident triage
- B. Evidence gathering and forensic analysis
- C. Containment
- D. Eracicotion
正解:D
解説:
Eradication is the step in the incident handling and response process where the root cause of an incident is removed, and measures are taken to close all attack vectors to prevent similar incidents in the future. After an incident has been properly contained to stop it from spreading or causing further damage, the eradication phase focuses on eliminating the source of the incident. This could involve removing malware, closing vulnerabilities, or implementing stronger security measures to address the exploitation paths used by the attacker.
In the scenario with Raven, notifying service providers and developers of affected resources is part of the actions taken to address the root cause of the incident. This ensures that any vulnerabilities or issues that contributed to the incident are fixed. By working to remove the root cause and secure the system against similar attacks, Raven is effectively implementing the eradication step of the incident handling process.
References:The EC-Council's Certified Incident Handler (ECIH v3) curriculum outlines the steps involved in handling and responding to security incidents, with a clear emphasis on the importance of eradication in resolving incidents and securing systems for the future. This step is crucial for ensuring that incidents are not only resolved in the short term but also that the underlying issues are addressed to prevent recurrence.
質問 # 96
Which of the following techniques prevent or mislead incident-handling process and may also affect the collection, preservation, and identification phases of the forensic investigation process?
- A. Footprinting
- B. Anti-forensics
- C. Enumeration
- D. Scanning
正解:B
解説:
Anti-forensics techniques are designed to prevent, mislead, or interfere with the incident handling process, affecting the collection, preservation, and identification phases of the forensic investigation process. These techniques include methods to erase, encrypt, or alter information, make data recovery difficult, hide data (e.g., steganography), or otherwise obstruct forensic analysis and investigation efforts. Anti-forensics can significantly challenge the efforts of incident responders and forensic investigators in establishing the facts of a security incident or crime.References:The Incident Handler (ECIH v3) courses and study guides discuss various challenges in digital forensics, including anti-forensics methods and their impact on the effectiveness of forensic investigations.
Top of Form
質問 # 97
Mr. Smith is a lead incident responder of a small financial enterprise having few branches in Australia. Recently, the company suffered a massive attack losing USD 5 million through an inter-banking system. After in-depth investigation on the case, it was found out that the incident occurred because 6 months ago the attackers penetrated the network through a minor vulnerability and maintained the access without any user being aware of it. Then, he tried to delete users' fingerprints and performed a lateral movement to the computer of a person with privileges in the inter-banking system.
Finally, the attacker gained access and did fraudulent transactions.
Based on the above scenario, identify the most accurate kind of attack.
- A. Ransomware attack
- B. Phishing
- C. Denial-of-service attack
- D. APT attack
正解:D
解説:
The scenario described fits the characteristics of an Advanced Persistent Threat (APT) attack. APTs are sophisticated, stealthy, and continuous computer hacking processes often orchestrated by groups targeting a specific entity. These attackers penetrate the network through vulnerabilities, maintain access without detection, and achieve their objectives, such as data exfiltration or financial theft, over an extended period. The fact that attackers exploited a minor vulnerability, maintained access for six months, and performed lateral movements to access critical systems for fraudulent transactions highlights the strategic planning and persistence typical of APT attacks.References:Incident Handler (ECIH v3) certification materials discuss APTs in detail, including their methodologies, objectives, and the importance of comprehensive security strategies to detect and mitigate such threats.
質問 # 98
Adam is an attacker who along with his team launched multiple attacks on target organization for financial benefits. Worried about getting caught, he decided to forge his identity. To do so, he created a new identity by obtaining information from different victims.
Identify the type of identity theft Adam has performed.
- A. Social identity theft
- B. Synthetic identity theft
- C. Tax identity theft
- D. Medical identity theft
正解:B
解説:
Synthetic identity theft is a type of fraud where the perpetrator combines real (often stolen) and fake information to create a new identity. This can include combining a real social security number with a fictitious name, or other variations that result in an identity that is not entirely real but has elements that can pass through verification processes. In the scenario described, Adam is creating a new identity using information from different victims,which is characteristic of synthetic identity theft. This type of fraud is particularly challenging to detect and counter because it does not directly impersonate a single real individual but creates a plausible new identity that can be used to open accounts, obtain credit, and conduct transactions that can be financially beneficial to the attacker.
References:The concept and techniques of synthetic identity theft are covered in detail in the Incident Handler (ECIH v3) curriculum, where the focus is on identifying, understanding, and mitigating various forms of identity theft, including synthetic identity theft, as part of incident response activities.
質問 # 99
Rica works as an incident handler for an international company. As part of her role, she must review the present security policy implemented. Upon inspection, Rica finds that the policy is wide open, and only known dangerous services/attacks or behaviors are blocked. Which of the following is the current policy that Rica identified?
- A. Paranoic policy
- B. Prudent policy
- C. Promiscuous policy
- D. Permissive policy
正解:D
解説:
A permissive security policy is characterized by allowing all activities except those that are explicitly blocked.
This approach starts with a default state of allowing access and functionality, with restrictions applied only to known dangerous services, attacks, or behaviors. Such a policy can lead to a wider attack surface because it assumes services and behaviors are safe unless proven otherwise.
* A prudent policy would typically involve more conservative security measures, applying necessary restrictions to protect against identified and potential threats.
* A paranoic policy would be at the extreme end of security measures, possibly blocking more than necessary to ensure the highest level of security, often at the expense of usability or functionality.
* A promiscuous policy, in contrast, would be even more open than a permissive policy, essentially allowing nearly all traffic or actions with minimal restrictions, which is not what Rica observed.
References:In the context of the ECIH v3 course by EC-Council, reviewing and understanding the implications of security policies, like the permissive policy identified by Rica, is crucial for incident handlers to assess and improve organizational security postures.
質問 # 100
Dan is a newly appointed information security professional in a renowned organization. He is supposed to follow multiple security strategies to eradicate malware incidents. Which of the following is not considered as a good practice for maintaining information security and eradicating malware incidents?
- A. Do not click on web browser pop-up windows
- B. Do not download or execute applications from third-party sources
- C. Do not open files with file extensions such as .bat, .com, ,exe, .pif, .vbs, and so on
- D. Do not download or execute applications from trusted sources
正解:D
質問 # 101
Which of the following confidentiality attacks do attackers try to lure users by posing themselves as authorized AP by beaconing the WLAN's SSID?
- A. Evil twin AP
- B. Masquerading
- C. Honeypot AP
- D. Session hijacking
正解:A
質問 # 102
One of the goals of CSIRT is to manage security problems by taking a certain approach towards the customers' security vulnerabilities and by responding effectively to potential information security incidents. Identify the incident response approach that focuses on developing the infrastructure and security processes before the occurrence or detection of an event or any incident:
- A. Proactive approach
- B. Introductive approach
- C. Qualitative approach
- D. Interactive approach
正解:A
質問 # 103
Which of the following risk management processes identifies the risks, estimates the impact, and determines sources to recommend proper mitigation measures?
- A. Risk assessment
- B. Risk mitigation
- C. Risk avoidance
- D. Risk assumption
正解:A
解説:
Risk assessment is the risk management process that involves identifying risks, estimating their impact on the organization, and determining the sources of those risks to recommend appropriate mitigation measures. The goal of a risk assessment is to understand the nature of potential threats, vulnerabilities, and the consequences of those risks materializing, allowing an organization to make informed decisions about how to address them effectively. Risk assumption involves accepting the potential impact of a risk, risk mitigation focuses on reducing the likelihood or impact of risks, and risk avoidance involves taking actions to avoid the risk entirely.References:The ECIH v3 course materials include discussions on risk management processes, outlining the importance of risk assessment in identifying and preparing for potential security threats.
質問 # 104
Which of the following is a common tool used to help detect malicious internal or compromised actors?
- A. User behavior analytics
- B. SOC2 compliance report
- C. Log forwarding
- D. Syslog configuration
正解:A
質問 # 105
Which of the following is a volatile evidence collecting tool?
- A. Netstat
- B. FTK Images
- C. Pro Discover Forensics
- D. Hash Tool
正解:A
質問 # 106
The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/
services that are not required. Which service listed below, if blocked, can help in preventing Denial of Service
attack?
- A. SMTP service
- B. SAM service
- C. Echo service
- D. POP3 service
正解:C
質問 # 107
After a recent email attack, Harry is analyzing the incident to obtain important information. While investigating the incident, he is trying to extract information such as sender identity, mail server, sender's IP address, location, etc.
Which of the following tools should Harry use to perform this task?
- A. Yes ware
- B. shARP
- C. Clamwin
- D. Logly
正解:A
質問 # 108
An organization's customers are experiencing either slower network communication or unavailability of services. In addition, network administrators are receiving alerts from security tools such as IDS/IPS and firewalls about a possible DoS/DDoS attack. In result, the organization requests the incident handling and response (IH&R) team further investigates the incident. The IH&R team decides to use manual techniques to detect DoS/DDoS attack.
Which of the following commands helps the IH&R team to manually detect DoS/DDoS attack?
- A. netstat an
- B. netstat -r
- C. nbtstat/S
- D. nbtstat /c
正解:C
質問 # 109
Your manager hands you several items of digital evidence and asks you to investigate them in the order of volatility. Which of the following is the MOST volatile?
- A. Emails
- B. Temp files
- C. Disk
- D. Cache
正解:D
解説:
In the context of digital evidence investigation, volatility refers to how quickly data can change or be lost when power is removed or systems are altered. Among the options provided, cache is the most volatile because it is temporary storage that is designed to speed up access to data and is frequently overwritten. Cache data resides in RAM and includes things like memory buffers, system and network information, and process execution data, which are lost upon reboot or power loss. This contrasts with disks, emails, and temp files, which are considered less volatile because they are stored on permanent or semi-permanent media and are less likely to be immediately lost or overwritten.References:The Incident Handler (ECIH v3) curriculum includes principles of digital evidence handling, which emphasizes the importance of collecting evidence in descending order of volatility to ensure that the most ephemeral data is preserved before it's lost.
質問 # 110
Incident management team provides support to all users in the organization that are affected by the threat or attack. The organization's internal auditor is part of the incident response team. Identify one of the responsibilities of the internal auditor as part of the incident response team:
- A. Perform necessary action to block the network traffic from suspected intruder
- B. Identify and report security loopholes to the management for necessary actions
- C. Configure information security controls
- D. Coordinate incident containment activities with the information security officer
正解:B
質問 # 111
Raven is a part of an IH&R team and was info med by her manager to handle and lead the removal of the root cause for an incident and to close all attack vectors to prevent similar incidents in the future. Raven notifies the service providers and developers of affected resources.
Which of the following steps of the incident handling and response process does Raven need to implement to remove the root cause of the incident?
- A. Incident triage
- B. Evidence gathering and forensic analysis
- C. Eradication
- D. Containment
正解:C
質問 # 112
Computer viruses are malicious software programs that infect computers and corrupt or delete the data on them. Identify the virus type that specifically infects Microsoft Word files?
- A. Macro Virus
- B. Boot Sector virus
- C. Micro Virus
- D. File Infector
正解:A
質問 # 113
......
検証済みの212-89問題集で問題と解答で合格保証試験問題集テストエンジン:https://jp.fast2test.com/212-89-premium-file.html
検証済みの212-89問題集170格別な問題:https://drive.google.com/open?id=1FHxOrD3-kdjxlb0X8szGI_uSMEU9LGO8