Which of the following is an inappropriate usage incident?
Correct Answer: C
An inappropriate usage incident refers to instances where computing resources are misused or abused, typically in violation of organizational policy or the law. Access-control attacks, reconnaissance attacks, and denial-of-service (DoS) attacks are external threats or attack methods, whereas an insider threat is an example of inappropriate usage. Insider threats come from individuals within the organization, such as employees or contractors, who misuse their legitimate access to harm the organization's interests: stealing confidential information, intentionally disrupting systems, or carrying out other malicious activity that relies on access they were granted for their job. References: EC-Council's Incident Handler (ECIH v3) materials discuss the categories of security incidents, including inappropriate usage, and stress that recognizing and preparing for insider threats is a critical component of an incident response strategy.
212-89 Exam Question 32
Malicious Micky has moved from the delivery stage to the exploitation stage of the kill chain. This malware wants to find and report to the command center any useful services on the system. Which of the following recon attacks is the MOST LIKELY to provide this information?
Correct Answer: D
When malware moves from the delivery stage to the exploitation stage of the cyber kill chain, its objective shifts to identifying exploitable weaknesses on the compromised system. A port scan discovers which ports on a host have a service listening. By probing the system's ports, the malware learns which are open and which services answer on them, and that is exactly the information about potential entry points it wants to report back to its command-and-control (C2) server for further exploitation planning. Port scanning is a better fit than IP range sweeps, packet sniffing, or session hijacking because it directly enumerates accessible services and their ports. The other techniques can also appear in the reconnaissance phase but serve different purposes: an IP range sweep identifies live hosts, packet sniffing intercepts traffic to extract information, and session hijacking takes over an existing valid user session. Only port scanning is designed specifically to enumerate services that could be exploited. References: The ECIH v3 materials cover the reconnaissance techniques attackers use, including port scanning, in the context of the kill chain; incident handlers need to understand them to recognize how attackers gather information and plan their attacks.
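The explanation above distinguishes a port scan (one source, many ports on one host) from an IP range sweep (one source, one port across many hosts). The following added example, which is not part of the exam material, shows how an incident handler would tell the two apart in firewall logs and recover what the scanner itself learned: the ports that answered. The iptables-like log format, the addresses, and the thresholds are all assumptions constructed for this illustration.

```python
"""Detect vertical port scans and horizontal IP sweeps in firewall logs.

Added illustration. The log format below is a constructed, iptables-like
sample; the detection thresholds are arbitrary assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 probes twelve ports on 10.0.0.20 (vertical scan,
# three of them accepted), 10.0.0.9 probes port 445 on six hosts (horizontal
# sweep), and two hosts generate ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=21 ACTION=DROP
2024-05-01T10:00:01Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=22 ACTION=ACCEPT
2024-05-01T10:00:02Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=23 ACTION=DROP
2024-05-01T10:00:02Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=25 ACTION=DROP
2024-05-01T10:00:03Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=53 ACTION=DROP
2024-05-01T10:00:03Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=80 ACTION=ACCEPT
2024-05-01T10:00:04Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=110 ACTION=DROP
2024-05-01T10:00:04Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=135 ACTION=DROP
2024-05-01T10:00:05Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=139 ACTION=DROP
2024-05-01T10:00:05Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=143 ACTION=DROP
2024-05-01T10:00:06Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=443 ACTION=ACCEPT
2024-05-01T10:00:06Z SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=445 ACTION=DROP
2024-05-01T10:00:10Z SRC=10.0.0.9 DST=10.0.0.21 PROTO=TCP DPT=445 ACTION=DROP
2024-05-01T10:00:10Z SRC=10.0.0.9 DST=10.0.0.22 PROTO=TCP DPT=445 ACTION=DROP
2024-05-01T10:00:11Z SRC=10.0.0.9 DST=10.0.0.23 PROTO=TCP DPT=445 ACTION=DROP
2024-05-01T10:00:11Z SRC=10.0.0.9 DST=10.0.0.24 PROTO=TCP DPT=445 ACTION=DROP
2024-05-01T10:00:12Z SRC=10.0.0.9 DST=10.0.0.25 PROTO=TCP DPT=445 ACTION=DROP
2024-05-01T10:00:12Z SRC=10.0.0.9 DST=10.0.0.26 PROTO=TCP DPT=445 ACTION=DROP
2024-05-01T10:00:20Z SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=443 ACTION=ACCEPT
2024-05-01T10:00:25Z SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=443 ACTION=ACCEPT
2024-05-01T10:00:30Z SRC=10.0.0.8 DST=10.0.0.30 PROTO=TCP DPT=22 ACTION=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"DPT=(?P<dpt>\d+) ACTION=(?P<action>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["dst"], int(m["dpt"]), m["action"]))
    return events


def detect_scans(events, window=timedelta(seconds=60),
                 port_threshold=10, host_threshold=5):
    """Flag (src, dst) pairs touching many ports (vertical scan) and
    (src, dport) pairs touching many hosts (horizontal sweep) within a
    sliding time window. Dropped probes count too: a SYN that was blocked
    is still evidence of scanning."""
    findings = {"vertical": set(), "horizontal": set()}
    recent = defaultdict(list)  # (kind, key) -> [(ts, observed value), ...]
    for ts, src, dst, dpt, _action in sorted(events):
        for kind, key, value, threshold in (
            ("vertical", (src, dst), dpt, port_threshold),
            ("horizontal", (src, dpt), dst, host_threshold),
        ):
            bucket = recent[(kind, key)]
            bucket.append((ts, value))
            cutoff = ts - window
            bucket[:] = [(t, v) for t, v in bucket if t >= cutoff]  # expire old
            if len({v for _, v in bucket}) >= threshold:
                findings[kind].add(key)
    return findings


def exposed_services(events, src, dst):
    """Ports the scanner at `src` found answering on `dst`: this is the
    'useful services' list the malware would report to its C2."""
    return {dpt for _, s, d, dpt, action in events
            if s == src and d == dst and action == "ACCEPT"}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_scans(evts)
    print("vertical scans  :", sorted(found["vertical"]))
    print("horizontal sweeps:", sorted(found["horizontal"]))
    for src, dst in found["vertical"]:
        print(f"{src} learned open ports on {dst}:",
              sorted(exposed_services(evts, src, dst)))
```

The two detectors share one sliding window but key on different fields: the scan keys on (source, destination host) and counts distinct ports, the sweep keys on (source, port) and counts distinct hosts. Thresholds must be tuned per environment; a monitoring server that legitimately polls many ports on many hosts will trip both and needs an allow-list.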
212-89 Exam Question 33
Michael is an incident handler at CyberTech Solutions. He is performing detection and analysis of a cloud security incident. He is analyzing the file systems, slack spaces, and metadata of the storage units to find hidden malware and evidence of malice. Identify the cloud security incident handled by Michael.
Correct Answer: B
Michael's activities, analyzing file systems, slack space, and the metadata of storage units to find hidden malware and evidence of wrongdoing, indicate that he is handling a storage-related cloud security incident. This category covers unauthorized access to, alteration of, or exfiltration of data held in cloud storage. By focusing on storage artifacts such as file systems and metadata, Michael is looking for signs of compromise that specifically affect stored data, which is the hallmark of a storage-related incident in the cloud. References: Incident Handler (ECIH v3) materials cover the types of cloud security incidents and how to detect and respond to them, including storage-related incidents in which sensitive data is targeted or compromised.
212-89 Exam Question 34
Otis is an incident handler at the Delmont organization. Recently the organization has suffered several business setbacks and its revenue is declining. Otis was asked to take charge and look into the matter. While auditing enterprise security, he found traces of an attack in which proprietary information was stolen from the enterprise network and passed on to competitors. Which of the following information security incidents did the Delmont organization face?
Correct Answer: C
The Delmont organization faced an espionage incident: the unauthorized access to and theft of proprietary or confidential information in order to pass it to competitors or other external parties. Espionage aims to obtain secrets or intellectual property for competitive advantage or other strategic purposes. Unlike network and resource abuse or email-based abuse, which do not necessarily target sensitive information, espionage is directed specifically at stealing valuable data. Unauthorized access is a method that could be used in an espionage attempt but does not capture the defining element here, the motive of handing the stolen information to competitors. References: Incident Handler (ECIH v3) courses and study materials discuss the types of information security incidents, including espionage, its impact on businesses, and strategies for detection and prevention.
212-89 Exam Question 35
AlphaTech, a cloud-based storage company, recently suffered data leakage. Investigation revealed an employee sent sensitive client data to a personal email. AlphaTech wants to implement a solution to monitor and prevent such incidents. What should they prioritize?
Correct Answer: B
This scenario represents a classic insider data exfiltration incident, where a legitimate user abuses authorized access to move sensitive information outside organizational boundaries. The ECIH Insider Threat module clearly identifies Data Loss Prevention (DLP) as the primary technical control for detecting and preventing such activity. Option B is correct because DLP solutions are designed to monitor, classify, and control sensitive data in motion, at rest, and in use. DLP can detect when regulated or confidential data is sent via email, uploaded to cloud services, or copied to external destinations, and can block or alert on policy violations in real time. ECIH emphasizes that DLP is especially effective against low-and-slow insider leaks that bypass perimeter defenses. Option A improves awareness but does not enforce controls. Option C is overly restrictive and does not prevent other exfiltration channels. Option D is blunt and easily bypassed while disrupting legitimate business use. ECIH guidance stresses layered insider threat defenses combining policy, monitoring, and enforcement. DLP provides visibility and control without relying solely on user behavior, making it the most effective priority action.
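The explanation above says a DLP control classifies data in motion and blocks or alerts on policy violations such as confidential content leaving for a personal mailbox. The added example below, which is not part of the exam material or any AlphaTech system, shows the core of such a check for outbound email: content classification with a Luhn check to suppress false card matches, recipient risk based on domain, and a block/alert/allow decision. The corporate domain, the webmail domain list, the patterns, and the sample messages are all constructed assumptions.

```python
"""Minimal outbound-mail DLP policy check.

Added illustration; the domains, patterns and messages are constructed
assumptions, not an ECIH or AlphaTech artefact.
"""
import re

CORPORATE_DOMAIN = "alphatech.example"                      # assumed
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "proton.me"}  # assumed

# 13-16 digits, optionally separated by spaces or dashes; word boundaries
# keep it from matching inside longer digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKING_RE = re.compile(r"\b(CONFIDENTIAL|CLIENT DATA|RESTRICTED)\b", re.I)


def luhn_valid(number):
    """Luhn checksum over the digits of `number`; filters out order numbers
    and other digit strings that merely look like payment cards."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive data classes present in `text`."""
    found = set()
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        found.add("payment_card")
    if SSN_RE.search(text):
        found.add("ssn")
    if MARKING_RE.search(text):
        found.add("marked_confidential")
    return found


def recipient_risk(address):
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == CORPORATE_DOMAIN:
        return "internal"
    if domain in PERSONAL_WEBMAIL:
        return "personal"
    return "external"


def evaluate(message):
    """Apply the policy: sensitive content to a personal mailbox is blocked,
    to any other external party it is allowed but alerted on, internally it
    is allowed. Returns (decision, sorted list of data classes found)."""
    classes = sorted(classify(message["subject"] + "\n" + message["body"]))
    risks = {recipient_risk(r) for r in message["to"]}
    if not classes:
        return "allow", []
    if "personal" in risks:
        return "block", classes
    if "external" in risks:
        return "alert", classes
    return "allow", classes


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"to": ["m.personal@gmail.com"], "subject": "Q3 client list",
     "body": "Attached the CLIENT DATA for Q3. Card on file: 4111 1111 1111 1111"},
    {"to": ["onboarding@vendor.example"], "subject": "New hire",
     "body": "SSN 123-45-6789 for the onboarding form."},
    {"to": ["cfo@alphatech.example"], "subject": "Lunch", "body": "Noon today?"},
    {"to": ["friend@gmail.com"], "subject": "Shipping",
     "body": "Order #1234567890123 shipped this morning."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["to"], "->", evaluate(msg))
```

The fourth message shows why the Luhn check matters: a 13-digit order number matches the card pattern but fails the checksum, so it is not classified and a personal recipient alone does not trigger a block. A production DLP also inspects attachments, fingerprints known documents, and logs every decision for the incident handler; this block only covers the message text.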