Certification Provider: EC-Council
Exam Name: EC Council Certified Incident Handler (ECIH v2)
Exam Code: 212-89
Official Exam Time: 180 mins
Number of questions in the Official Exam: 100 Q&As
Latest update time in our database: May 30,2023
212-89 Official Exam Topics:
  • Topic1 : Incident Response and Handling
  • Topic2 : Incident Handling / Security Policies
  • Topic3 : Process Handling / Incident Handling and Response
  • Topic4 : Security Auditing / Eradication and Recovery
  • Topic5 : Forensic Readiness and First Response / Volatile Evidence
  • Topic6 : Anti-forensics / Deceptive and Suspicious Email
  • Topic7 : Application Level Incidents / Web Application Threats & Vulnerabilities
  • Topic8 : Eradication of Web Applications / Network & Mobile Incidents
  • Topic9 : Network Attacks / Unauthorized Access
  • Topic10 : Denial-of-Service / Mobile Platform Vulnerabilities and Risks
  • Topic11 : Eradication of Mobile Incidents & Recovery / Employee Monitoring Tools
  • Topic12 : Malware Incident Triage / Security in Cloud Computing
  • Topic13 : Recovery in Cloud /

A computer virus hoax is a message warning the recipient about a non-existent computer virus. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know.

Which of the following is NOT a symptom of virus hoax message?
A . The message prompts the end user to forward it to his / her e-mail contact list and gain monetary benefits in doing so
B . The message from a known email id is caught by SPAM filters due to a change of filter settings
C . The message warns the user to delete certain files if the user does not take appropriate action
D . The message prompts the user to install Anti-Virus

Answer: B

Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification/activation, recovery, reconstitution, and plan appendices.

What is the main purpose of the reconstitution plan?
A . To restore the original site, test systems to prevent recurrence of the incident, and terminate contingency operations
B . To define the notification procedures and damage assessment, and to activate the plan
C . To provide the introduction and detailed concept of the contingency plan
D . To provide a sequence of recovery activities with the help of recovery procedures

Answer: A

Which one of the following is the correct sequence of flow of the stages in an incident response:
A . Containment – Identification – Preparation – Recovery – Follow-up – Eradication
B . Preparation – Identification – Containment – Eradication – Recovery – Follow-up
C . Eradication – Containment – Identification – Preparation – Recovery – Follow-up
D . Identification – Preparation – Containment – Recovery – Follow-up – Eradication

Answer: B

Elizabeth, working for OBC organization as an incident responder, is assessing the risks facing the organizational security. During the assessment process, she calculates the probability of a threat source exploiting an existing system vulnerability.

Identify the risk assessment step Elizabeth is currently in.
A . System characterization
B . Impact analysis
C . Likelihood analysis
D . Vulnerability identification

Answer: C

A US Federal agency network was the target of a DoS attack that prevented or impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within two (2) HOURS of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.

Which incident category of the US Federal Agency does this incident belong to?
A . CAT 5
B . CAT 1
C . CAT 2
D . CAT 6

Answer: C

The goal of incident response is to handle the incident in a way that minimizes damage and reduces recovery time and cost.

Which of the following does NOT constitute a goal of incident response?
A . Dealing with the human resources department and various employee conflict behaviors.
B . Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data.
C . Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services.
D . Dealing properly with legal issues that may arise during incidents.

Answer: A

Rose is an incident handler and is responsible for detecting and eliminating any kind of scanning attempt over the network by malicious threat actors. Rose uses Wireshark to sniff the network and detect any malicious activities going on.

Which of the following Wireshark filters can be used by her to detect a TCP Xmas scan attempt by the attacker?
A . tcp.flags==0x000
B . tcp.flags==0x029
C . tcp.dstport==7
D . tcp.flags.reset==1

Answer: B
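The flag arithmetic behind these filters, as an added example that is not part of the original page: an Xmas probe has FIN, PSH and URG set, which is 0x01 + 0x08 + 0x20 = 0x029 in Wireshark's 12-bit tcp.flags field, while 0x000 (option A) is a NULL scan. The code below builds a few constructed TCP headers (not captured traffic), classifies each by its flag value exactly as the display filters would, and reports sources that send Xmas or NULL probes to several ports. The source addresses, ports and the min_ports threshold are assumptions chosen for the example.

```python
"""Added example (not from the original page): the flag arithmetic behind the
Wireshark filters in the question above, plus a small detector that runs the
same test over constructed TCP headers."""
from collections import defaultdict

# TCP flag bits in the order they sit in the header's 13th byte; Wireshark's
# tcp.flags field is 12 bits wide (these 8 plus NS and the reserved bits).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

XMAS_FLAGS = FIN | PSH | URG   # 0x029: FIN, PSH and URG "lit up"
NULL_FLAGS = 0x000             # no flags at all

# Equivalent Wireshark display filters for each probe type.
WIRESHARK_FILTERS = {
    "xmas-scan": "tcp.flags==0x029",
    "null-scan": "tcp.flags==0x000",
    "fin-scan": "tcp.flags==0x001",
}


def wireshark_filter(kind: str) -> str:
    """Display filter that isolates one probe type in a capture."""
    return WIRESHARK_FILTERS[kind]


def classify_probe(flags: int) -> str:
    """Name the scan type implied by a segment's 12-bit flags value."""
    flags &= 0x0FFF
    if flags == NULL_FLAGS:
        return "null-scan"
    if flags == XMAS_FLAGS:
        return "xmas-scan"
    if flags == FIN:
        return "fin-scan"
    if flags == SYN:
        return "syn"           # ordinary handshake or a half-open scan
    return "other"


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header; checksum and urgent pointer left zero."""
    offset_and_flags = (5 << 12) | (flags & 0x0FFF)   # data offset = 5 words
    return b"".join([
        src_port.to_bytes(2, "big"), dst_port.to_bytes(2, "big"),
        seq.to_bytes(4, "big"), ack.to_bytes(4, "big"),
        offset_and_flags.to_bytes(2, "big"), window.to_bytes(2, "big"),
        b"\x00\x00",   # checksum (not computed here)
        b"\x00\x00",   # urgent pointer
    ])


def parse_tcp_header(tcp_header: bytes):
    """Return (dst_port, flags) from a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    dst_port = int.from_bytes(tcp_header[2:4], "big")
    flags = int.from_bytes(tcp_header[12:14], "big") & 0x0FFF
    return dst_port, flags


def detect_scanners(packets, min_ports=3):
    """Group stealth probes by source and report sources that hit at least
    min_ports distinct ports with the same probe type.

    packets: iterable of (src_ip, raw_tcp_header). The threshold is an
    assumption chosen for this example, not a standard value.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for src_ip, header in packets:
        dst_port, flags = parse_tcp_header(header)
        kind = classify_probe(flags)
        if kind in WIRESHARK_FILTERS:          # only stealth-scan flag combos
            seen[src_ip][kind].add(dst_port)
    report = {}
    for src_ip, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            report[src_ip] = hits
    return report


# Constructed traffic, not a capture: one Xmas scanner, one normal client,
# one source sending a couple of NULL probes.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_tcp_header(40001, 22, XMAS_FLAGS)),
    ("10.0.0.5", build_tcp_header(40002, 80, XMAS_FLAGS)),
    ("10.0.0.5", build_tcp_header(40003, 443, XMAS_FLAGS)),
    ("10.0.0.5", build_tcp_header(40004, 3389, XMAS_FLAGS)),
    ("10.0.0.9", build_tcp_header(50001, 80, SYN)),
    ("10.0.0.9", build_tcp_header(50001, 80, ACK)),
    ("10.0.0.9", build_tcp_header(50001, 80, PSH | ACK)),
    ("10.0.0.7", build_tcp_header(60001, 25, NULL_FLAGS)),
    ("10.0.0.7", build_tcp_header(60002, 110, NULL_FLAGS)),
]

if __name__ == "__main__":
    for src, hits in detect_scanners(SAMPLE_PACKETS).items():
        for kind, ports in hits.items():
            print(f"{src}: {kind} on ports {ports}  (filter: {wireshark_filter(kind)})")
```

With the default threshold only 10.0.0.5 is reported, because 10.0.0.7 touched just two ports; lowering min_ports to 2 surfaces the NULL probes as well. The same equality test on the full 12-bit value is why tcp.flags==0x029 is exact: a segment with FIN, PSH, URG and ACK set (0x039) is normal traffic and does not match.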

Which among the following CERTs is an Internet provider to higher education institutions and various other research institutions in the Netherlands and deals with all cases related to computer security incidents in which a customer is involved either as a victim or as a suspect?
A . NET-CERT
B . DFN-CERT
C . Funet CERT
D . SURFnet-CERT

Answer: D

When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?
A . All access rights of the employee to physical locations, networks, systems, applications and data should be disabled
B . The organization should enforce separation of duties
C . The access requests granted to an employee should be documented and vetted by the supervisor
D . The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information

Answer: A