212-89 Exam Dumps - ECCouncil ECIH Questions and Answers

Explanation (incident response governance):

This scenario combines data theft + extortion involving highly sensitive IP and regulated participant data. The prudent course is to trigger formal legal/incident governance: engage law enforcement and appropriate cybercrime agencies (D), preserve evidence, and coordinate with legal counsel, regulators (if required), and cyber-insurance response processes. Law enforcement engagement can support intelligence sharing, preservation orders, and broader investigation into the infrastructure receiving the exfiltrated data.

(A) recalling the drug is not directly tied to the incident’s immediate technical or legal response; it’s a business decision that may be unnecessary and harmful without evidence of counterfeit risk. (B) immediate public announcement may be legally required in some jurisdictions, but it must be accurate and coordinated; doing it prematurely can worsen harm. (C) negotiation is risky and typically handled only through controlled legal and executive channels; it does not ensure data return and can incentivize further extortion.

Thus, (D) reflects best-practice escalation: treat it as a serious crime, preserve chain of custody, and coordinate response through legal and investigative authorities while technical teams contain and scope.

A permissive security policy is characterized by allowing all activities except those that are explicitly blocked. This approach starts with a default state of allowing access and functionality, with restrictions applied only to known dangerous services, attacks, or behaviors. Such a policy can lead to a wider attack surface because it assumes services and behaviors are safe unless proven otherwise.

A prudent policy would typically involve more conservative security measures, applying necessary restrictions to protect against identified and potential threats.

A paranoic policy would be at the extreme end of security measures, possibly blocking more than necessary to ensure the highest level of security, often at the expense of usability or functionality.

A promiscuous policy, in contrast, would be even more open than a permissive policy, essentially allowing nearly all traffic or actions with minimal restrictions, which is not what Rica observed.

In the context of collecting physical evidence during a cyber forensic investigation, Patrick must consider items like removable media, cables, and publications. These items can contain crucial information related to the crime, such as data storage devices (USB drives, external hard drives), cables connected to potentially relevant devices, and any printed materials that might have information or clues about the incident. Open ports, services, and OS vulnerabilities, DNS information, and published name servers and web application source code, while important in digital forensics, do not constitute physical evidence in the traditional sense.

This incident highlights a failure in endpoint and mobile device preparation, a core area in the ECIH curriculum. Mobile devices often store or provide access to sensitive enterprise data, and when lost or stolen, they represent a high-risk exposure point. ECIH emphasizes that organizations must implement centralized mobile device management (MDM/EMM) controls as part of incident readiness.

Option D is correct because configuring remote wipe functionality allows an organization to immediately remove sensitive data from a lost or stolen device, even when physical access is no longer possible. Remote wipe is a critical containment capability that prevents data leakage, credential misuse, and unauthorized access to internal systems.

Option A strengthens authentication but does not help once the device is lost. Option B secures communications but does not address local data exposure. Option C improves application-level security but does not allow device-level containment.

ECIH stresses that preparation controls must support rapid containment actions. Without remote wipe capability, the response team is effectively powerless to protect data on a lost mobile device. Therefore, Option D is the correct and most effective preparation step.

The EC-Council Incident Handler (ECIH) curriculum stresses that preparation is the most critical phase of incident response. Organizations must establish clearly defined roles, communication channels, escalation procedures, and documented response workflows before an incident occurs. The scenario highlights confusion during a resilience drill—specifically unclear stakeholder responsibilities, communication breakdowns, and uncertainty in vendor coordination and log retrieval.

ECIH emphasizes that conducting realistic simulations, tabletop exercises, and red/blue team drills strengthens organizational readiness. These exercises help validate escalation paths, clarify third-party engagement protocols, and ensure that evidence collection procedures—such as retrieving diagnostic logs—are well understood by operational teams.

Option A (automated alerts) improves detection but does not solve role ambiguity. Option B (firmware patching) addresses vulnerability management but not communication gaps. Option D (manual fallback mode) supports business continuity but does not resolve the confusion in responsibilities and escalation paths identified in the drill.

ECIH guidance clearly states that effective first response depends on documented playbooks, defined stakeholder responsibilities, vendor coordination procedures, and continuous testing of incident response plans. Simulation-based training exposes procedural weaknesses and ensures each department understands its operational and communication duties.

Therefore, conducting realistic simulations and clearly documenting responsibilities for each stakeholder is the most appropriate corrective action to close the preparedness gaps identified during the exercise.

The correct flow of stages in an Incident Handling and Response (IH&R) process as outlined in the Incident Handler (ECIH v3) by EC-Council begins with Preparation. This phase involves getting ready for potential incidents by developing plans, policies, and procedures, and ensuring that tools and team training are up to date. Incident Recording is the next stage, where incidents are documented and reported. Incident Triage follows, prioritizing incidents based on their impact and urgency. Containment is next, aiming to limit the damage of the incident and prevent further spread. Eradication comes after containment, where the root cause of the incident is removed. Recovery is the stage where affected systems are restored to their operational status. Post-Incident Activities conclude the process, reviewing and learning from the incident to improve future response efforts.

The EC-Council Incident Handler (ECIH) curriculum stresses that periodic access reviews are essential for preventing insider threats. When user roles change or projects end, permissions must be reviewed and adjusted according to the Principle of Least Privilege (PoLP).

In this case, the intern retained access privileges beyond the project duration due to lack of periodic auditing. Regular auditing of user access rights ensures that permissions remain aligned with job responsibilities and reduces the risk of privilege misuse.

Option A (data classification) helps identify sensitive data but does not ensure access rights are revoked. Option B (account lockout policies) addresses brute-force login attempts, not permission creep. Option D (surveillance cameras) concerns physical monitoring.

ECIH emphasizes implementing Role-Based Access Control (RBAC), enforcing least privilege, conducting quarterly or periodic access reviews, and maintaining strong identity governance to mitigate insider threats.

Therefore, regular auditing of user access rights would have prevented this issue.

Incident triage is the phase in the incident handling and response process where identified security incidents are analyzed, validated, categorized, and prioritized. This step is critical for determining the severity of incidents and deciding on the allocation of resources for effective response. It involves initial analysis to understand the nature of the incident, its impact, and urgency, which guides the subsequent response actions.

Yesware is a tool primarily known for its email tracking capabilities, which can be useful for sales, marketing, and customer relationship management. However, in the context of investigating email attacks and analyzing incidents to extract details such as sender identity, mail server, sender’s IP address, and location, a more appropriate tool would be one that specializes in analyzing and extracting detailed header information from emails, providing insights into the path an email took across the internet. While Yesware can provide data related to email interactions, it might not offer the depth of forensic analysis required for incident investigation. Tools like email header analyzers, which are designed specifically for dissecting and interpreting email headers, would be more fitting. In the absence of a direct match from the given options, the description might imply a broader interpretation of tools like Yesware in context but traditionally, tools specifically designed for email forensics would be sought after for this task.

The ECIH Insider Threat module stresses that insider monitoring must be lawful, proportional, and privacy-aware. Organizations must balance security with legal and ethical constraints.

Option A is correct because advanced employee monitoring tools can analyze behavior patterns, access anomalies, and data movement while respecting privacy regulations. These tools typically focus on metadata and risk indicators rather than invasive surveillance.

Options B, C, and D are intrusive, legally risky, and inconsistent with ECIH guidance. Keystroke logging and physical surveillance can violate privacy laws, while inspecting personal devices without consent is often unlawful.

ECIH recommends behavioral analytics and privacy-conscious monitoring as the most effective and defensible approach to detecting insider threats.