Pass the ECCouncil ECIH 212-89 Questions and answers with CertsForce

ISO/IEC 27002 is a standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMSs). It covers areas such as risk assessment, human resource security, operational security, and communications security, among others, providing a framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. ISO/IEC 27035 pertains to information security incident management, PCI DSS (Payment Card Industry Data Security Standard) deals with the security of cardholder data, and RFC 2196 is a guide for computer security incident response teams (CSIRTs), not a standard for implementing ISMSs.

This incident is a classic spear phishing attack, where a targeted individual is deceived into entering credentials on a fraudulent login page. The ECIH Email Security module describes spear phishing as highly targeted and often tailored to specific roles, such as executives.

Option D is correct because the CFO was targeted with a convincing fake Microsoft 365 login prompt, leading to credential theft. The use of valid credentials afterward confirms successful social engineering rather than technical exploitation.

Option A involves email flooding. Option B redirects traffic via DNS manipulation. Option C targets mobile messaging platforms.

Recognizing spear phishing is critical because it informs remediation steps such as credential resets, MFA enforcement, and executive awareness training, all emphasized in ECIH guidance.

This incident is a textbook example of whaling, a specialized form of phishing that targets senior executives or impersonates them to exploit authority and trust. According to the ECIH Email Security module, whaling attacks often focus on financial fraud, such as wire transfer requests or invoice manipulation, and are designed to bypass normal controls through urgency and executive impersonation.

Option A is correct because the attacker impersonated the CEO and targeted employees responsible for financial actions. The minor domain alteration and authoritative language are classic whaling indicators.

Option B refers to overwhelming inboxes with large volumes of mail. Option C involves automated credential testing. Option D targets mobile messaging platforms.

Jason’s response—header analysis, identity verification, firewall blocking, financial alerting, and organization-wide notification—aligns with ECIH best practices for handling executive impersonation attacks. Recognizing the attack type correctly is critical for appropriate escalation and mitigation, making Option A the correct answer.

Persistent mobile malware that survives antivirus scans indicates deep system compromise. The ECIH Endpoint and Mobile Incident Handling guidance states that when malware cannot be reliably removed, reimaging or OS reinstallation is the safest remediation.

Option C is correct because performing a factory reset or reinstalling the OS ensures complete removal of malicious components and restores device integrity. ECIH cautions that partial containment actions may stop symptoms but not eradicate threats.

Options A and B are temporary containment steps. Option D is ineffective against malware.

Therefore, full OS reinstallation is the correct next action.

The term that describes the combination of strategies and services intended to restore data, applications, and other resources to the public cloud or dedicated service providers is "Cloud recovery." This term encompasses disaster recovery efforts focused on ensuring that an organization's digital assets can be quickly and effectively restored or moved to cloud environments in the event of data loss, system failure, or a disaster. Cloud recovery strategies are part of a broader disaster recovery and business continuity planning, ensuring minimal downtime and data loss by leveraging cloud computing's scalability and flexibility. Mitigation, analysis, and eradication are terms associated with other aspects of incident response and risk management, not specifically with the restoration of resources to cloud environments.

The correct sequence of steps performed by incident responders during the vulnerability assessment phase is as follows:

Perform OSINT information gathering to validate the vulnerabilities (4):Initially, Open Source Intelligence (OSINT) is used to gather information about the organization’s digital footprint and potential vulnerabilities.

Run vulnerability scans using tools (1):Next, specialized tools are employed to scan the organization's networks and systems for vulnerabilities.

Identify and prioritize vulnerabilities (2):The identified vulnerabilities are then analyzed and prioritized based on their severity and potential impact on the organization.

Examine and evaluate physical security (3):Physical security assessments are also crucial as they can impact the overall security posture and protection of digital assets.

Check for misconfigurations and human errors (6):This step involves looking for misconfigurations in systems and networks, as well as potential human errors that could lead to vulnerabilities.

Apply business and technology context to scanner results (5):The results from the scans are evaluated within the context of the business and its technology environment to accurately assess risks.

Create a vulnerability scan report (7):Finally, a comprehensive report is created, detailing the vulnerabilities, their severity, and recommended mitigation strategies.

This sequence ensures a thorough assessment, prioritizing vulnerabilities that pose the greatest risk and providing actionable insights for mitigation.

The Slowloris attack is a type of application-layer attack that targets the web server by establishing and maintaining many simultaneous HTTP connections to the target server. Unlike traditional network-layer DoS/DDoS attacks such as UDP flood or SYN flood, Slowloris is designed to hold as many connections to the target web server open for as long as possible. It does so by sending partial requests, which are never completed, and periodically sending subsequent HTTP headers to keep the connections open. This consumes the server's resources, leading to denial of service as legitimate users cannot establish connections. The Slowloris attack is effective even against servers with a high bandwidth because it targets the server's connection pool, not its network bandwidth.

This scenario represents a classic insider data exfiltration incident, where a legitimate user abuses authorized access to move sensitive information outside organizational boundaries. The ECIH Insider Threat module clearly identifies Data Loss Prevention (DLP) as the primary technical control for detecting and preventing such activity.

Option B is correct because DLP solutions are designed to monitor, classify, and control sensitive data in motion, at rest, and in use. DLP can detect when regulated or confidential data is sent via email, uploaded to cloud services, or copied to external destinations, and can block or alert on policy violations in real time. ECIH emphasizes that DLP is especially effective against low-and-slow insider leaks that bypass perimeter defenses.

Option A improves awareness but does not enforce controls. Option C is overly restrictive and does not prevent other exfiltration channels. Option D is blunt and easily bypassed while disrupting legitimate business use.

ECIH guidance stresses layered insider threat defenses combining policy, monitoring, and enforcement. DLP provides visibility and control without relying solely on user behavior, making it the most effective priority action.

MxToolbox is an online tool that provides various network diagnostics and email security checks, including looking up DNS and MX records, SPF records, and more. It can be used by incident handlers to prevent the organization against evolving email threats by analyzing domain health, checking blacklists, verifying email delivery issues, and more. While Email Header Analyzer is useful for analyzing specific emails for traces of phishing or spoofing, G Suite Toolbox might be specific to Google's services, and Gpg4win is more focused on email encryption. MxToolbox provides a broader set of functionalities for monitoring and troubleshooting email delivery issues and security threats, making it a versatile tool for incident handlers.