Tibson works as an incident responder for an MNC based in Singapore. He is investigating a web application security incident recently faced by the company. The attack was performed against an MS SQL Server hosted by the company. In the detection and analysis phase, he used regular expressions to analyze the web server logs and detect the SQL meta-characters that led to the SQL injection attack. Identify the regular expression used by Tibson to detect a SQL injection attack against MS SQL Server.
Correct Answer: A
The regular expression /exec(\s|\+)+(s|x)p\w+/ix is designed to match patterns that resemble SQL injection attempts aimed specifically at MS SQL Server. It looks for the exec keyword (case-insensitive, because of the i modifier), followed by one or more whitespace characters or plus signs (a + is how a space is commonly URL-encoded in a query string), followed by a token starting with sp or xp. Because \w also matches the underscore, this catches the sp_ and xp_ prefixes used by SQL Server system stored procedures and extended stored procedures, such as sp_configure and xp_cmdshell, which attackers frequently call to reconfigure the server or execute operating-system commands once they have an injection point. The x modifier only tells the engine to ignore literal whitespace in the pattern. Incident responders like Tibson run such expressions over web server and database logs to flag requests worth investigating; the pattern is a signature, not a parser, so it should be applied after percent-decoding the request and treated as one indicator among several rather than a complete detection.
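As an added example (not part of the original exam explanation), the following Python code applies the same signature to a handful of constructed web server log lines. The log lines, IP addresses and helper name find_mssql_exec are assumptions made for the illustration; only the regular expression itself comes from the page.

```python
import re
from urllib.parse import unquote

# The MS SQL Server signature quoted in the explanation above.
# re.IGNORECASE mirrors the /i modifier and re.VERBOSE the /x modifier.
# \s matches whitespace, \+ a literal '+', (s|x)p\w+ matches sp_/xp_ names
# because \w includes the underscore.
MSSQL_EXEC_RE = re.compile(r"exec(\s|\+)+(s|x)p\w+", re.IGNORECASE | re.VERBOSE)

# Constructed sample access log (not real traffic). Two lines carry an
# injected EXEC, one is a benign query containing the substring "exec".
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0800] "GET /products?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:07 +0800] "GET /products?id=42;exec+xp_cmdshell+'dir' HTTP/1.1" 500 0
10.0.0.9 - - [12/Mar/2024:10:01:09 +0800] "GET /products?id=42%3BEXEC%20sp_configure%20'xp_cmdshell'%2C1 HTTP/1.1" 500 0
10.0.0.7 - - [12/Mar/2024:10:02:11 +0800] "GET /search?q=executive+sports HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2024:10:02:30 +0800] "POST /login HTTP/1.1" 302 0
"""


def find_mssql_exec(log_text):
    """Return (client_ip, matched_fragment) for every line that trips the signature.

    Each line is percent-decoded first so %20 / %3B cannot hide the pattern;
    the '+' form of a space is handled by the regex itself.
    """
    hits = []
    for line in log_text.splitlines():
        decoded = unquote(line)
        m = MSSQL_EXEC_RE.search(decoded)
        if m:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, m.group(0)))
    return hits


if __name__ == "__main__":
    for ip, fragment in find_mssql_exec(SAMPLE_LOG):
        print(f"{ip}: {fragment}")
```

Running it flags only the two requests from 10.0.0.9 (exec+xp_cmdshell and EXEC sp_configure) and leaves the "executive+sports" search alone, because the signature requires whitespace or a plus sign between exec and the procedure prefix. The same requirement is also its weakness: exec master..xp_cmdshell, EXECUTE xp_cmdshell, or exec/**/xp_cmdshell all slip past it, so this pattern is best used as one triage signature alongside the more general meta-character checks rather than as the sole detection.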
212-89 Exam Question 87
Rose is an incident handler responsible for detecting and eliminating any kind of scanning attempt over the network by malicious threat actors. Rose uses the Wireshark tool to sniff the network and detect any malicious activity going on. Which of the following Wireshark filters can she use to detect a TCP Xmas scan attempt by an attacker?
Correct Answer: D
A TCP Xmas scan is a network scanning technique used by attackers to identify open ports on a target host without completing a handshake. The name comes from the set of flags turned on in the probe, which makes the packet "lit up like a Christmas tree": FIN (0x01), PSH (0x08) and URG (0x20) are all set, which sums to 0x29 in the TCP flags field. Wireshark displays this field as a 12-bit value (the three reserved bits, the NS bit and the eight flag bits), which is why it is conventionally written with three hex digits as 0x029. Wireshark, a popular network protocol analyzer, lets users write display filters to isolate specific traffic, including malicious scanning attempts. By using the filter tcp.flags==0x029, Rose can display exactly those segments that carry FIN, PSH and URG and nothing else, indicating a potential TCP Xmas scan (this is the combination sent by nmap -sX). Because == tests the whole field, a segment that also has ACK set would not match; the looser filter tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1 catches that case as well. References: The technique of using Wireshark to detect specific types of scans, including the TCP Xmas scan, is covered in cybersecurity training materials and documentation related to network analysis and incident handling, such as those associated with the ECIH certification.
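As an added example (not from the original exam material), the following Python code builds a constructed 20-byte TCP header, extracts the same 12-bit value Wireshark shows as tcp.flags, and classifies the common flag-based scan probes. The helper names build_segment, tcp_flags and classify are assumptions made for the illustration; the flag bit values and the 0x029 encoding are standard.

```python
import struct

# Flag bits in the low byte of the TCP data-offset/flags word.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# FIN|PSH|URG == 0x29; Wireshark shows the 12-bit field as 0x029.
XMAS = FIN | PSH | URG


def build_segment(src_port, dst_port, flags):
    """Constructed TCP header with no options (data offset 5 words = 20 bytes).

    Sequence/ack numbers and checksum are zero because only the flags matter here.
    """
    off_flags = (5 << 12) | (flags & 0x0FFF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, off_flags, 1024, 0, 0)


def tcp_flags(segment):
    """Return the value Wireshark displays as tcp.flags: the low 12 bits of
    the data-offset/flags word (3 reserved bits, NS, then the 8 flag bits)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (off_flags,) = struct.unpack("!H", segment[12:14])
    return off_flags & 0x0FFF


def classify(flags):
    """Name the scan type implied by the flag combination, exact-match style,
    the same way tcp.flags==0x029 works (reserved/NS bits are ignored)."""
    low = flags & 0xFF
    if low == 0:
        return "null scan"
    if low == XMAS:
        return "xmas scan"
    if low == FIN:
        return "fin scan"
    if low == SYN:
        return "syn (connect/half-open)"
    return "other"


if __name__ == "__main__":
    probe = build_segment(40000, 80, XMAS)
    value = tcp_flags(probe)
    print(f"tcp.flags == 0x{value:03x} -> {classify(value)}")
```

For the Xmas probe, tcp_flags returns 0x029 and classify reports "xmas scan"; a SYN/ACK reply from a legitimate handshake falls into "other", and an all-zero flags byte is reported as a null scan (nmap -sN), which the same exact-match approach detects with tcp.flags==0x000.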
212-89 Exam Question 88
Which of the following risk management processes identifies the risks, estimates the impact, and determines sources to recommend proper mitigation measures?
Correct Answer: A
Risk assessment is the risk management process that identifies risks, estimates their impact on the organization, and determines their sources in order to recommend appropriate mitigation measures. Its goal is to understand the threats, the vulnerabilities they could exploit, and the consequences should those risks materialize, so that the organization can make informed decisions about how to treat them. The other options are risk treatment choices rather than the assessment itself: risk assumption (acceptance) means knowingly accepting the potential impact, risk mitigation means reducing the likelihood or impact of a risk, and risk avoidance means changing plans or activities so the risk no longer applies. References: The ECIH v3 course materials include discussions of risk management processes, outlining the role of risk assessment in identifying and preparing for potential security threats.
212-89 Exam Question 89
Which of the following is a standard framework that provides recommendations for implementing information security controls for organizations that initiate, implement, or maintain information security management systems (ISMSs)?
Correct Answer: A
ISO/IEC 27002 is a standard that provides best-practice guidance on information security controls for those responsible for initiating, implementing, or maintaining information security management systems (ISMSs). It gives implementation guidance for the controls listed in ISO/IEC 27001 Annex A, covering areas such as information security policies, human resource security, asset management, access control, cryptography, physical security, operations security, and communications security, and so supports establishing, operating, monitoring, and improving an ISMS. The other options serve different purposes: ISO/IEC 27035 covers information security incident management, PCI DSS (Payment Card Industry Data Security Standard) covers the protection of cardholder data, and RFC 2196 (the Site Security Handbook) is an informational guide to developing site security policies and procedures; none of them is a control framework for implementing an ISMS. References: The ECIH v3 curriculum includes the study of various standards and frameworks that support information security management and governance, including ISO/IEC 27002, highlighting its role in guiding organizations in implementing effective security controls.
212-89 Exam Question 90
Zoe, a security analyst, deploys a high-interaction honeypot in the DMZ that mimics critical systems and monitors its logs for scans, exploit attempts, and lateral movement techniques. What is the main purpose of Zoe's activity?
Correct Answer: A
Explanation (aligned to threat intelligence & detection): A high-interaction honeypot is designed to attract and engage adversaries by exposing realistic services, so that defenders can observe tactics, techniques, and procedures (TTPs) with higher fidelity than a low-interaction decoy provides. The goal is not to "stop" attacks directly but to detect and learn: identify scanning patterns, credential stuffing attempts, exploit chains, payload delivery methods, and post-exploitation behaviors such as enumeration and lateral movement. That intelligence is then used to improve controls: signatures, detections, segmentation, and hardening priorities. Sandboxing (B) is about detonating suspicious files or URLs to observe their behavior in a controlled environment; it is not what a DMZ honeypot primarily does. ACL rules and DDoS blocking (C) are traffic filtering measures, not deception telemetry. Backup and recovery testing (D) is resilience planning, unrelated to studying attacker behavior in real time. In incident handling terms, honeypots support the preparation and detection phases by expanding visibility, generating early warning, and enriching threat intelligence. They can also reduce risk by luring opportunistic attackers away from production assets, but their primary value is behavioral observation and evidence collection. Because the honeypot has no legitimate users, any connection to it is suspicious by definition, which is what makes its logs such a low-noise source of indicators.