Eccouncil 212-89 Exam Questions Instant Access

Question 1

DeltaDynamics, a large-scale data analytics firm, found that one of its data scientists was sharing proprietary algorithms with external parties. The firm wishes to monitor its employees more closely without breaching privacy laws. What is the most effective measure it should consider?

AUse an advanced Employee Monitoring Tool that respects user privacy.

BImplement keystroke logging on all company devices.

CInstall CCTV cameras in all workstations.

DRandomly inspect employee personal devices every week.

Answer : A

The ECIH Insider Threat module stresses that insider monitoring must be lawful, proportional, and privacy-aware. Organizations must balance security with legal and ethical constraints.

Option A is correct because advanced employee monitoring tools can analyze behavior patterns, access anomalies, and data movement while respecting privacy regulations. These tools typically focus on metadata and risk indicators rather than invasive surveillance.

Options B, C, and D are intrusive, legally risky, and inconsistent with ECIH guidance. Keystroke logging and physical surveillance can violate privacy laws, while inspecting personal devices without consent is often unlawful.

ECIH recommends behavioral analytics and privacy-conscious monitoring as the most effective and defensible approach to detecting insider threats.

Question 2

Emily, a member of the cybersecurity response team, receives an alert indicating suspicious login attempts on the company's internal HR portal. Upon inspection, she finds several failed login attempts from a foreign IP address targeting administrative accounts. Further investigation reveals that one of the accounts was compromised and its privileges were escalated. What indicator most strongly suggests this is an unauthorized access incident?

ANew system process creation

BLog entries showing access to critical files

CHigh CPU utilization

DSuspicious DNS activity

Answer : B

The ECIH incident validation phase emphasizes the importance of direct evidence when confirming unauthorized access. Log entries that show access to sensitive or restricted files provide concrete proof that an attacker successfully breached controls.

Option B is correct because access logs tied to critical resources confirm both authentication success and unauthorized activity. Failed logins or system performance issues alone do not confirm compromise.

Option A, C, and D are indirect indicators that may signal suspicious behavior but cannot independently confirm unauthorized access.

Therefore, verified log evidence is the strongest indicator, aligning with ECIH incident triage and validation principles.

Question 3

Stenley is an incident handler working for Texa Corp. located in the United States. With the growing concern of increasing emails from outside the organization, Stenley was

asked to take appropriate actions to keep the security of the organization intact. In the process of detecting and containing malicious emails, Stenley was asked to check the

validity of the emails received by employees.

Identify the tools he can use to accomplish the given task.

APointofMail

BEmail Dossier

CPoliteMail

DEventLog Analyzer

Answer : B

Email Dossier is a tool designed to perform detailed investigations on email messages to verify their authenticity and trace their origin. It can analyze email headers and provide information about the route an email has taken, the servers it passed through, and potentially malicious links or origins. For an incident handler like Stenley, tasked with verifying the validity of emails and containing malicious email threats, Email Dossier serves as a practical tool for analyzing and validating emails received by employees. By using this tool, Stenley can identify fraudulent or suspicious emails, thereby helping to protect the organization from phishing attacks, malware distribution, and other email-based threats.

Question 4

Richard is analyzing a corporate network. After an alert in the network's IPS. he identified that all the servers are sending huge amounts of traffic to the website abc.xyz. What type of information security attack vectors have affected the network?

ABotnet

BAdvance persistent three Is

CRansomware

DIOT threats

Answer : A

When a corporate network's servers are sending huge amounts of traffic to a specific website, as detected by the network's Intrusion Prevention System (IPS), this behavior is indicative of a Botnet attack. A Botnet is a network of compromised computers, often referred to as 'bots,' that are controlled remotely by an attacker, typically without the knowledge of the owners of the computers. The attacker can command these bots to execute distributed denial-of-service (DDoS) attacks, send spam, or conduct other malicious activities. In this scenario, the servers behaving as bots and targeting a website with large volumes of traffic suggests that they have been co-opted into a Botnet to potentially perform a DDoS attack on the website abc.xyz.

Question 5

An organization named Sam Morison Inc. decided to use cloud-based services to reduce

the cost of maintenance. The organization identified various risks and threats

associated with cloud service adoption and migrating business-critical data to thirdparty systems. Hence, the organization decided to deploy cloud-based security tools to

prevent upcoming threats.

Which of the following tools help the organization to secure the cloud resources and

services?

ANmap

BBurp Suite

CWireshark

DAlert Logic

Answer : D

Alert Logic is a cloud-based security tool that provides Security-as-a-Service solutions including threat management, vulnerability assessment, and improved security outcomes. It is designed specifically to secure cloud resources and services, making it an ideal choice for organizations like Sam Morison Inc. that are moving their operations to the cloud and are concerned about the security of their data. Tools like Nmap, Burp Suite, and Wireshark, while valuable in certain contexts, do not offer the same cloud-focused security capabilities as Alert Logic.

Question 6

Noah, a physical security officer, reviewed entry logs after a breach was reported in the data center. Surveillance showed a contract worker accessing restricted areas using another employee's badge. The access control system lacked biometric verification. Which physical security control could have best prevented this incident?

AScheduled patch management

BDual authentication

CRole-based firewall segmentation

DEncrypted file systems

Answer : B

The EC-Council Incident Handler (ECIH) curriculum emphasizes that incident response includes both logical and physical security controls. Physical breaches can directly lead to data compromise, hardware tampering, or insider-enabled attacks. In this case, the breach occurred due to badge sharing, a common weakness in physical access control systems that rely solely on single-factor authentication.

Dual authentication (two-factor authentication) in physical security typically combines something the user has (access card or badge) with something the user is (biometric verification such as fingerprint or iris scan). The absence of biometric validation allowed the contract worker to misuse another employee's badge without detection.

ECIH highlights that effective forensic readiness includes strong access controls, surveillance integration, and identity verification mechanisms to prevent unauthorized facility access. Multi-factor authentication (MFA) for physical entry ensures accountability, prevents impersonation, and strengthens audit trails.

Option A (patch management) addresses system vulnerabilities, not physical access misuse. Option C (firewall segmentation) is a network control unrelated to physical facility entry. Option D (encrypted file systems) protects stored data but does not prevent unauthorized physical presence in restricted areas.

By implementing dual authentication with biometric verification, the organization would have significantly reduced the likelihood of badge misuse and improved accountability, aligning with ECIH's layered security and preventive control principles.

Question 7

Following a spear-phishing campaign targeting executive-level employees, a mid-sized financial firm experienced unauthorized access to internal systems, leading to widespread disruption of customer-facing applications. Although the technical issues were resolved within days, the breach triggered legal scrutiny and negative press coverage. Several major customers expressed concern about the firm's risk posture and began transitioning to competitors. Investor confidence was impacted as the stock value dipped, and senior leadership initiated a damage control campaign. Which of the following best categorizes the broader consequences experienced by the organization?

ATangible operational costs including the deployment of response infrastructure.

BRecovery complications caused by delayed asset inventory synchronization.

CIntangible business effects involving stakeholder defection and public image decline.

DMeasurable loss from hardware failure and direct asset compromise.

Answer : C

The scenario describes consequences extending beyond technical remediation into reputational, financial, and stakeholder trust impacts. According to ECIH risk assessment and post-incident analysis guidance, these outcomes are classified as intangible business effects.

Option C is correct because customer loss, investor confidence decline, and reputational damage cannot be easily quantified yet often exceed direct incident response costs. ECIH emphasizes that post-incident reviews must consider both tangible and intangible impacts to accurately assess business risk.

Options A, B, and D describe operational or technical impacts, which were resolved quickly in this scenario. The lasting damage occurred at the business and market perception level.

Understanding intangible impacts is critical for executive reporting, risk management, and long-term resilience planning, making Option C correct.

Eccouncil EC-Council Certified Incident Handler v3 212-89 Exam Questions