Eccouncil 212-89 EC-Council Certified Incident Handler v3 Exam Practice Test

Page: 1 / 14
Total 172 questions
Question 1

[Handling and Responding to Insider Threats]

If a hacker cannot find any other way to attack an organization, they can influence an employee or a disgruntled staff member. What type of threat is this?



Answer : B

If a hacker influences an employee or a disgruntled staff member to gain access to an organization's resources or sensitive information, this is classified as an insider attack. Insider attacks are perpetrated by individuals within the organization, such as employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. The threat from insiders can be intentional, as in the case of a disgruntled employee seeking to harm the organization, or unintentional, where an employee is manipulated or coerced by external parties without realizing the implications of their actions. Phishing attacks, footprinting, and identity theft represent different types of cybersecurity threats where the attacker's method or objective differs from that of insider attacks.


Question 2

[Introduction to Incident Handling and Response]

You are a systems administrator for a company. You are accessing your file server remotely for maintenance. Suddenly, you are unable to access the server. After contacting others in your department, you find out that they cannot access the file server either. You can ping the file server but not connect to it via RDP. You check the Active Directory Server, and all is well. You check the email server and find that emails are sent and received normally. What is the most likely issue?



Answer : C

In this scenario, the inability to access the file server via Remote Desktop Protocol (RDP), despite the server being pingable and other services functioning normally, suggests a service-specific disruption rather than a complete system shutdown or broader network issue. This pattern is indicative of a denial-of-service (DoS) attack targeted at the file server's RDP service or network congestion that specifically affects RDP connectivity. A DoS attack aims to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. The fact that other services (like email) are operational rules out broader system or admin account issues, pointing towards a specific problem with accessing the file server, most likely due to a denial-of-service condition.


Question 3

[Introduction to Incident Handling and Response]

Identify the malicious program that is masked as a genuine harmless program and gives the attacker unrestricted access to the user's information and system. These

programs may unleash dangerous programs that may erase the unsuspecting user's disk and send the victim's credit card numbers and passwords to a stranger.



Answer : D

A Trojan, or Trojan horse, is a type of malware that disguises itself as a legitimate, harmless program or file to trick users into downloading and installing it. Once activated, a Trojan can perform a range of malicious activities, including giving attackers unauthorized access to the infected system. This can lead to the theft of sensitive information, such as credit card numbers and passwords, and can also allow the attacker to install additional malware, potentially leading to further damage, such as the erasure of data. Unlike viruses and worms, Trojans do not replicate themselves but rely on the deception of users to spread.


Question 4

[Introduction to Incident Handling and Response]

Zaimasoft, a prominent IT organization, was attacked by perpetrators who directly targeted the hardware and caused irreversible damage to the hardware. In result, replacing or reinstalling the hardware was the only solution.

Identify the type of denial-of-service attack performed on Zaimasoft.



Answer : C

A Permanent Denial-of-Service (PDoS) attack, also known as 'phlashing,' is a form of attack that targets hardware, causing irreversible damage to the hardware components, thereby making the device unusable without a replacement or significant hardware intervention. In the scenario described with Zaimasoft, the attackers' actions leading to the damage of hardware components align with the characteristics of a PDoS attack. Unlike Distributed Denial-of-Service (DDoS) or Denial-of-Service (DoS) attacks, which generally aim to overwhelm a system's resources temporarily, or DRDoS (Distributed Reflection Denial of Service), which involves amplification techniques using third-party servers, a PDoS attack directly damages the physical hardware, necessitating its replacement or reinstallation. This makes PDoS particularly severe due to its permanent impact on the targeted organization's hardware infrastructure.


Question 5

[Introduction to Incident Handling and Response]

Shiela is working at night as an incident handler. During a shift, servers were affected by a massive cyberattack. After she classified and prioritized the incident, she must report the incident, obtain necessary permissions, and perform other incident response functions. What list should she check to notify other responsible personnel?



Answer : B

In the context of incident handling, the 'point of contact' list is essential for ensuring that Sheila, the incident handler working at night, can quickly notify the responsible personnel within the organization about the cyberattack. This list typically includes the contact information of key stakeholders and decision-makers who need to be informed about security incidents, allowing for timely communication, decision-making, and response coordination.


Question 6

[Introduction to Incident Handling and Response]

QualTech Solutions is a leading security services enterprise. Dickson, who works as an incident responder with this firm, is performing a vulnerability assessment to identify the security problems in the network by using automated tools for identifying the hosts, services, and vulnerabilities in the enterprise network. In the above scenario, which of the following types of vulnerability assessment is Dickson performing?



Answer : A

In the scenario described, Dickson is performing an active assessment. This type of vulnerability assessment involves using automated tools to actively scan and probe the network for identifying hosts, services, and vulnerabilities. Unlike passive assessments, which rely on monitoring network traffic without direct interaction with the targets, active assessments engage directly with the network infrastructure to discover vulnerabilities, misconfigurations, and other security issues by sending data to systems and analyzing the responses. This approach provides a more immediate and detailed view of the security posture but can also generate detectable traffic that might be noticed by defensive systems or affect the performance of live systems.


Question 7

[Introduction to Incident Handling and Response]

Which of the following methods help incident responders to reduce the false-positive

alert rates and further provide benefits of focusing on topmost priority issues reducing

potential risk and corporate liabilities?



Answer : C

Threat correlation is a method used by incident responders to analyze and associate various indicators of compromise (IoCs) and alerts to identify genuine threats. By correlating data from multiple sources and applying intelligence to distinguish between unrelated events and coordinated attack patterns, responders can significantly reduce the rate of false-positive alerts. This enables teams to prioritize their efforts on the most critical and likely threats, thereby reducing potential risks and corporate liabilities. Effective threat correlation involves the use of sophisticated security information and event management (SIEM) systems, threat intelligence platforms, and analytical techniques to identify relationships between seemingly disparate security events and alerts.


Page:    1 / 14   
Total 172 questions