212-89 Exam Dumps - ECCouncil ECIH Questions and Answers

The EC-Council Incident Handler (ECIH) curriculum categorizes incidents such as unauthorized software installation and policy violations under inappropriate usage incidents. In this scenario, the activity originated from a legitimate internal workstation and user account, not an external third party.

The repeated login failures outside business hours combined with installation of an unauthorized remote desktop tool indicate a breach of acceptable use policy and potentially malicious intent. However, the key factor is that the actions were performed by an internal user using valid access credentials, making this an insider-related policy violation rather than an external unauthorized access attack.

Option A implies legitimate remote work within policy boundaries, which is contradicted by the unauthorized software installation. Option B suggests a third-party compromise, but logs indicate activity from an internal user account. Option D (DoS attack) involves service disruption via traffic flooding, which is not described here.

ECIH stresses enforcing acceptable use policies, monitoring user behavior, restricting unauthorized software installation, and applying least privilege controls to mitigate insider misuse. Therefore, this scenario best fits inappropriate usage due to policy violation and unauthorized software installation.

This scenario represents a failure in the Preparation phase of the Incident Handling and Response (IH&R) lifecycle as defined by the EC-Council ECIH curriculum. Preparation focuses on establishing policies, procedures, standards, and awareness programs that define how systems and data must be used and protected. In this case, employees were sharing credentials via unauthorized channels because the organization failed to provide explicit rules governing acceptable communication practices.

Option C is correct because establishing defined protocols for approved digital channels directly addresses the root cause. ECIH emphasizes that organizations must define acceptable use policies, secure communication standards, and data handling procedures before incidents occur. These controls reduce the likelihood of human error and insider misuse by setting clear expectations and enforceable boundaries.

Option A relates to physical surveillance risks, which are unrelated to credential sharing. Option B is a recovery-focused control and does not prevent misuse. Option D is a detection mechanism that cannot compensate for missing governance controls.

By defining approved channels and educating users on their proper use, organizations significantly reduce the probability of credential leakage and insider-driven incidents, fulfilling a core ECIH preparation requirement.

James's activities, including creating anonymous access to cloud services to carry out attacks such as password and key cracking, hosting malicious data, and conducting DDoS attacks, exemplify the abuse and nefarious use of cloud services. This threat involves exploiting cloud computing resources to conduct malicious activities, which can impact the cloud service provider as well as other users of the cloud services. This abuse ranges from using the cloud platform's resources for computationally intensive tasks like cracking passwords or encryption keys to conducting DDoS attacks that can disrupt services for legitimate users.

A Trojan, or Trojan horse, is a type of malware that disguises itself as a legitimate, harmless program or file to trick users into downloading and installing it. Once activated, a Trojan can perform a range of malicious activities, including giving attackers unauthorized access to the infected system. This can lead to the theft of sensitive information, such as credit card numbers and passwords, and can also allow the attacker to install additional malware, potentially leading to further damage, such as the erasure of data. Unlike viruses and worms, Trojans do not replicate themselves but rely on the deception of users to spread.

Volatile memory contains critical artifacts such as encryption keys, running processes, and network connections. The ECIH Forensic Readiness module emphasizes that volatile evidence must be captured immediately before it is lost.

Option C is correct because capturing memory first preserves irreplaceable evidence, followed by securing the scene to prevent contamination. Powering down systems before memory capture would destroy volatile data.

Options A and D are incomplete without prioritization. Option B is incorrect due to evidence loss.

Thus, immediate memory capture followed by scene security is the correct action.

The regular expression/exec(\s|\+)+(s|x)p\w+/ixis designed to match patterns that resemble SQL injection attempts, specifically targeting MS SQL Server. This expression looks for the use of theexeccommand followed by one or more spaces or plus signs, and then patterns that start withsporxp, which are prefixes commonly used in SQL Server stored procedures and extended stored procedures. These are often targeted in SQL injection attacks to execute malicious SQL statements. The regular expression provided is a tool used by incident responders like Tibson to identify and analyze potential SQL injection attempts by looking for suspicious patterns in SQL queries.

According to the EC-Council Incident Handler (ECIH) curriculum, malware infections commonly originate from users downloading malicious executables from untrusted external sources. The scenario clearly indicates repeated access to suspicious URLs followed by the download of unsigned executable files outside business hours. ECIH classifies such behavior as high-risk web activity leading to malware compromise.

The endpoint protection system flagged the executables as malicious after execution, and outbound communication attempts suggest command-and-control (C2) beaconing behavior. ECIH explains that once malware executes, it frequently attempts outbound connections to attacker-controlled infrastructure for instructions, payload updates, or data exfiltration.

There is no evidence suggesting Wi-Fi spoofing (Option B), as logs trace activity to an internal workstation. Option C (SQL injection) relates to web application vulnerabilities, which are not described in this endpoint-based download scenario. Option D (privilege escalation) may occur after infection, but it is not presented as the initial cause.

ECIH emphasizes monitoring web proxy logs, correlating SIEM alerts, validating digital signatures, and analyzing firewall egress traffic to confirm malware incidents. Nina’s actions—log correlation, endpoint isolation, and lateral movement investigation—align precisely with recommended containment procedures.

Therefore, the most likely cause of the incident is inappropriate resource usage through malicious downloads.

Centralized logging and monitoring is a core best practice in cloud incident detection and response under ECIH. Cloud environments are distributed and dynamic, making visibility a major challenge.

Option C is correct because aggregating logs from multiple cloud platforms enables correlation, faster detection, and effective incident triage. ECIH emphasizes centralized visibility as essential for identifying cross-platform threats.

Options A and D are limited in scope. Option B does not address cloud-specific risks.

Risk assessment is the risk management process that involves identifying risks, estimating their impact on the organization, and determining the sources of those risks to recommend appropriate mitigation measures. The goal of a risk assessment is to understand the nature of potential threats, vulnerabilities, and the consequences of those risks materializing, allowing an organization to make informed decisions about how to address them effectively. Risk assumption involves accepting the potential impact of a risk, risk mitigation focuses on reducing the likelihood or impact of risks, and risk avoidance involves taking actions to avoid the risk entirely.