Pass the ECCouncil ECIH 212-89 Questions and answers with CertsForce

This incident represents an application-layer DoS attack, which targets specific functions rather than bandwidth. ECIH emphasizes function-level protection in such scenarios.

Option C is correct because rate limiting restricts abusive request frequency while allowing legitimate usage. It directly addresses the exploited feature without disrupting service availability.

Option D may block legitimate users behind shared IPs. Options A and B do not mitigate the attack vector.

Rate limiting aligns with ECIH guidance for preserving availability during Layer 7 attacks.

The ECIH Network Security Incident Handling module emphasizes maintaining availability while mitigating denial-of-service attacks. The objective is not simply to stop traffic, but to distinguish malicious traffic from legitimate user requests.

Option D is correct because rate limiting and challenge-response mechanisms (such as CAPTCHA or SYN cookies) allow legitimate traffic to continue while throttling or blocking malicious requests. This approach minimizes service disruption while effectively containing the attack.

Option A may increase costs and still fail against large-scale DDoS attacks. Option B can unintentionally block legitimate users. Option C contradicts ECIH guidance by unnecessarily impacting availability.

ECIH stresses proportional and intelligent mitigation strategies that preserve business continuity. Therefore, implementing rate limiting and challenge-response mechanisms is the preferred strategy.

A permissive security policy is characterized by allowing all activities except those that are explicitly blocked. This approach starts with a default state of allowing access and functionality, with restrictions applied only to known dangerous services, attacks, or behaviors. Such a policy can lead to a wider attack surface because it assumes services and behaviors are safe unless proven otherwise.

A prudent policy would typically involve more conservative security measures, applying necessary restrictions to protect against identified and potential threats.

A paranoic policy would be at the extreme end of security measures, possibly blocking more than necessary to ensure the highest level of security, often at the expense of usability or functionality.

A promiscuous policy, in contrast, would be even more open than a permissive policy, essentially allowing nearly all traffic or actions with minimal restrictions, which is not what Rica observed.

ECIH forensic readiness guidance stresses that forensic imaging with hash verification is the gold standard for preserving evidence integrity. Option B is correct because it ensures data integrity, authenticity, and non-repudiation.

Creating a bit-by-bit forensic image preserves original evidence while allowing analysis on copies. Hash verification confirms that no alterations occur during acquisition or transport. Encrypted storage protects confidentiality, and detailed logs support chain of custody.

Options A, C, and D lack one or more critical forensic requirements such as hash validation or evidentiary isolation. ECIH explicitly warns against relying solely on physical transport or live data transfers.

Cross-site request forgery (CSRF or XSRF) is an attack that tricks the victim's browser into executing unauthorized actions on a website where they are currently authenticated. In this scenario, the attacker exploits the trust that a site has in the user's browser, effectively forcing the browser to perform actions without the user's knowledge or consent. For example, if the user is logged into their bank's website, an attacker could craft a malicious request to transfer funds without the user's direct interaction. CSRF attacks rely on authenticated sessions and typically target state-changing requests to compromise user or application data.

In a disassociation attack, the attacker sends disassociation frames to a wireless access point (AP) using a spoofed MAC address of a client or to the client pretending to be the AP. This forces the target to disconnect and often reconnect, causing a disruption in the wireless connectivity. Such attacks can be used to create a denial-of-service condition for the client, making the network resource unavailable. The primary objective of this attack is not to eavesdrop but to disrupt the normal operation of the wireless connection between the client and the AP.

In the scenario described, Stanley's effort to present evidence in a clear and comprehensible manner to the members of a jury, with the intention of clarifying facts and aiding in obtaining expert opinion, aligns with the characteristic of admissibility. The admissibility of digital evidence pertains to its acceptability in a court of law, which hinges on the evidence being collected, handled, and presented in a manner that complies with legal standards and procedures. This includes ensuring the evidence is relevant, reliable, and not overly prejudicial. By preparing to present the evidence in a way that the jury can understand and use to confirm the investigation process, Stanley is focusing on ensuring that the evidence meets the criteria for admissibility in the legal proceedings. Completeness, believability, and authenticity are also important characteristics of digital evidence, but the context provided indicates that Stanley's primary focus is on meeting the legal requirements for the evidence to be considered valid in court.

In the risk assessment process, "System characterization" is the initial step where the scope of the assessment is defined. This involves identifying and documenting the boundaries of the IT systems under review, the resources (hardware, software, data, and personnel) that constitute these systems, and any relevant information about their operation and environment. This foundational step is essential for understanding what needs to be protected and forms the basis for subsequent analysis, including identifying vulnerabilities, assessing potential threats, and determining the impact of risks to the organization.

In the scenario where your company sells Software as a Service (SaaS) and is hosted on the cloud using it as a Platform as a Service (PaaS), your company is responsible for eradicating malware in your customer's database. This is because, as the SaaS provider, your company manages the software and is responsible for its security and maintenance, including the databases that store customer data. While the PaaS provider is responsible for the underlying infrastructure, platform, and possibly some middleware security aspects, the application layer security, including data and application management, falls to the SaaS provider. Building management would not be involved in digital security matters, and while customers are responsible for their data, the actual software maintenance and security in a SaaS model are the provider's responsibility.