212-89 Exam Study Guide Free Practice Test LAST UPDATED DATE May 06, 2026 [Q119-Q140]


NEW QUESTION # 119
Eve is an incident handler in the ABC organization. One day, she received a complaint about an email hacking incident from one of the organization's employees. As part of the incident handling and response process, she must follow a number of recovery steps to recover from the incident's impact and maintain business continuity.
What is the first step she must take to secure the employee's account?

  • A. Enable two-factor authentication
  • B. Disabling automatic file sharing between the systems
  • C. Enable scanning of links and attachments in all the emails
  • D. Restore the email services and change the password

Answer: D

Explanation:
The first step in securing an employee's account following an email hacking incident involves restoring access to the email services if necessary and immediately changing the password to prevent unauthorized access.
This action ensures that the attacker is locked out of the account as quickly as possible. While enabling two-factor authentication, scanning links and attachments, and disabling automatic file sharing are important security measures, they come into play after the compromised account has first been secured by changing its password to halt any ongoing unauthorized access.
References: The ECIH v3 certification materials cover the initial steps to be taken when responding to incidents involving compromised accounts, emphasizing the importance of quickly changing passwords to secure the accounts against further unauthorized access.


NEW QUESTION # 120
WebDynamics experienced altered webpage content due to stored Cross-Site Scripting (XSS) attacks caused by lack of output encoding. What should be the main focus to prevent this?

  • A. Regularly update the CMS and plugins.
  • B. Implement proper output encoding for displayed content.
  • C. Establish a Web Application Firewall (WAF).
  • D. Introduce mandatory two-factor authentication.

Answer: B

Explanation:
Comprehensive and Detailed Explanation (ECIH-aligned):
Stored XSS vulnerabilities arise when untrusted input is rendered without proper output encoding. The ECIH Web Application module clearly states that output encoding is the primary defense against XSS.
Option B is correct because encoding ensures that user-supplied input is treated as data rather than executable script. This directly prevents malicious script execution in users' browsers.
Options A and C provide additional protection but do not fix the root cause. Option D is unrelated to XSS prevention.
ECIH emphasizes fixing vulnerabilities at the application logic level, making output encoding the correct focus.
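To make the root cause concrete, here is an added example (not part of the original study guide) contrasting a template that interpolates stored comments straight into HTML with one that output-encodes every untrusted value for the HTML text and attribute context. The comment rows, the field names `author` and `body`, and the `alert('xss')` marker are all constructed for the example; Python's standard `html.escape` does the encoding.

```python
import html

# Constructed sample rows, as if read back from a comments table that
# already holds a stored payload (the second author value).
STORED_COMMENTS = [
    {"author": "alice", "body": "Great write-up, thanks!"},
    {"author": "<script>alert('xss')</script>", "body": "Nice <b>post</b>"},
]


def render_vulnerable(comment: dict) -> str:
    # Interpolates stored data straight into the markup. The browser cannot
    # tell data from template, so tags inside the data become real elements.
    return (
        f'<div class="comment" title="{comment["author"]}">'
        f'<span>{comment["author"]}</span>: {comment["body"]}</div>'
    )


def render_encoded(comment: dict) -> str:
    # Output-encodes each untrusted value at the point it is written out.
    # html.escape(..., quote=True) turns & < > " ' into entity references,
    # which covers both the text context and the quoted title attribute.
    author = html.escape(comment["author"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return f'<div class="comment" title="{author}"><span>{author}</span>: {body}</div>'


def render_page(comments: list, renderer) -> str:
    # Renders the whole comment list with the chosen strategy.
    return "\n".join(renderer(c) for c in comments)


def contains_raw_tag(markup: str, tag: str = "script") -> bool:
    # A crude check for an unencoded opening tag in the generated markup.
    # Useful in a unit test to catch a template that regresses to raw output.
    return f"<{tag}" in markup.lower()


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_page(STORED_COMMENTS, render_vulnerable))
    print("--- encoded ---")
    print(render_page(STORED_COMMENTS, render_encoded))
```

Note that encoding neutralizes the benign `<b>post</b>` as well; a site that wants to allow limited rich text needs an allowlist-based HTML sanitizer in addition to, not instead of, output encoding for everything else.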


NEW QUESTION # 121
During the vulnerability assessment phase, the incident responders perform various steps as below:
1. Run vulnerability scans using tools
2. Identify and prioritize vulnerabilities
3. Examine and evaluate physical security
4. Perform OSINT information gathering to validate the vulnerabilities
5. Apply business and technology context to scanner results
6. Check for misconfigurations and human errors
7. Create a vulnerability scan report
Identify the correct sequence of vulnerability assessment steps performed by the incident responders.

  • A. 2-->1-->4-->7-->5-->6-->3
  • B. 1-->3-->2-->4-->5-->6-->7
  • C. 4-->1-->2-->3-->6-->5-->7
  • D. 3-->6-->1-->2-->5-->4-->7

Answer: C


NEW QUESTION # 122
In the NIST risk assessment methodology, the process of identifying the boundaries of an IT system, along with the resources and information that constitute the system, is known as:

  • A. Asset valuation
  • B. System characterization
  • C. Asset Identification
  • D. System classification

Answer: B


NEW QUESTION # 123
Which of the following can be considered synonymous?

  • A. Vulnerability and Danger
  • B. Precaution and countermeasure
  • C. Hazard and Threat
  • D. Threat and Threat Agent

Answer: C


NEW QUESTION # 124
Incidents are reported in order to:

  • A. Deal properly with legal issues
  • B. Be prepared for handling future incidents
  • C. Provide stronger protection for systems and data
  • D. All the above

Answer: D


NEW QUESTION # 125
Identify Sarbanes-Oxley Act (SOX) Title, which consists of only one section, that includes measures designed to help restore investor confidence in the reporting of securities analysts.

  • A. Title V: Analyst Conflicts of Interest
  • B. Title IX: White-Collar-Crime Penalty Enhancement
  • C. Title VII: Studies and Reports
  • D. Title VIII: Corporate and Criminal Fraud Accountability

Answer: A


NEW QUESTION # 126
Andrew, an incident responder, is performing risk assessment of the client organization.
As a part of risk assessment process, he identified the boundaries of the IT systems, along with the resources and the information that constitute the systems.
Identify the risk assessment step Andrew is performing.

  • A. Control analysis
  • B. System characterization
  • C. Control recommendations
  • D. Likelihood determination

Answer: B

Explanation:
In the risk assessment process, "System characterization" is the initial step where the scope of the assessment is defined. This involves identifying and documenting the boundaries of the IT systems under review, the resources (hardware, software, data, and personnel) that constitute these systems, and any relevant information about their operation and environment. This foundational step is essential for understanding what needs to be protected and forms the basis for subsequent analysis, including identifying vulnerabilities, assessing potential threats, and determining the impact of risks to the organization.
References: The step of system characterization within the risk assessment process is discussed in detail in information security frameworks and incident response guides, including those related to the ECIH v3 certification. These guides stress the importance of accurately characterizing the system to ensure that the risk assessment is comprehensive and tailored to the specific context of the organization.


NEW QUESTION # 127
Olivia, a cybersecurity responder at a multinational firm, is alerted late at night by the NOC team about unusual latency and degraded performance across several critical applications hosted on the company's internal servers. Upon initial inspection, she notices that the internal routers are experiencing an unusually high volume of ARP requests being broadcast across the network. The network bandwidth utilization has spiked, and multiple routers are reporting elevated CPU usage.
As she digs deeper into the diagnostics, Olivia finds that the NAT tables on edge routers are saturated with numerous entries coming from the same IP range within a short time frame. These entries appear to be initiating simultaneous connections to different ports across various endpoints. The firewall logs also show repeated attempts to access unused services, and the ISP reports an overflow of incoming requests from various geolocations.
Based on these symptoms, what should Olivia suspect?

  • A. Application vulnerability scanning
  • B. Distributed DoS attack
  • C. Rogue DHCP server activity
  • D. Data exfiltration

Answer: B

Explanation:
The indicators described align closely with a Distributed Denial-of-Service (DDoS) attack, a major topic in the ECIH Network Security Incidents module. DDoS attacks overwhelm network and system resources using traffic from multiple sources, often distributed across geographic regions.
Excessive ARP traffic, NAT table exhaustion, elevated CPU usage on routers, and simultaneous connection attempts are classic symptoms of volumetric and protocol-based DDoS attacks. The involvement of multiple geolocations, as reported by the ISP, further confirms the distributed nature of the attack.
Option B is correct because no single-host misconfiguration or reconnaissance activity would generate this volume and diversity of traffic. Option C would cause IP conflicts, not global traffic floods. Option D focuses on stealthy outbound activity, not inbound saturation. Option A is low-volume and targeted.
ECIH emphasizes early identification of DDoS conditions to enable rapid containment using rate limiting, blackholing, or ISP coordination. Recognizing these indicators is critical to protecting service availability.


NEW QUESTION # 128
Ella, a wireless network administrator, notices multiple authentication failures and reports of users being disconnected from a corporate Wi-Fi network. Upon investigation, she identifies an unauthorized access point broadcasting the same SSID as the legitimate network. What is the most likely issue Ella is facing?

  • A. MAC address spoofing
  • B. Network misconfiguration
  • C. Evil twin attack
  • D. Rogue DHCP server

Answer: C

Explanation:
This scenario describes an evil twin attack, a well-documented wireless network threat covered in the ECIH Network Security Incidents module. An evil twin attack occurs when an attacker sets up a rogue wireless access point that mimics the SSID of a legitimate network. Unsuspecting users connect to the stronger or more accessible signal, allowing attackers to intercept credentials, inject malware, or perform man-in-the-middle attacks.
Option C is correct because the presence of an unauthorized access point broadcasting the same SSID and causing authentication failures is a defining indicator of an evil twin attack. Users may unknowingly connect to the malicious access point, leading to repeated disconnections from the legitimate network.
Option B would not involve a rogue access point. Option A focuses on identity spoofing at the MAC layer but does not explain SSID duplication. Option D involves IP address assignment issues, not SSID impersonation.
ECIH emphasizes that identifying rogue wireless infrastructure quickly is critical to containment. Detecting evil twin attacks allows responders to isolate the rogue device, protect credentials, and restore secure wireless operations.


NEW QUESTION # 129
Elizabeth, working for OBC organization as an incident responder, is assessing the risks facing the organizational security. During the assessment process, she calculates the probability of a threat source exploiting an existing system vulnerability.
Identify the risk assessment step Elizabeth is currently in.

  • A. Likelihood analysis
  • B. System characterization
  • C. Impact analysis
  • D. Vulnerability identification

Answer: A


NEW QUESTION # 130
In which of the following confidentiality attacks do attackers try to lure users by posing as an authorized AP and beaconing the WLAN's SSID?

  • A. Masquerading
  • B. Evil twin AP
  • C. Session hijacking
  • D. Honeypot AP

Answer: B


NEW QUESTION # 131
Which of the following encoding techniques replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal?

  • A. HTML encoding
  • B. URL encoding
  • C. Base64 encoding
  • D. Unicode encoding

Answer: B

Explanation:
URL encoding, also known as percent-encoding, is a mechanism for encoding information in a Uniform Resource Identifier (URI) under certain circumstances. This technique involves replacing unsafe ASCII characters with a "%" followed by two hexadecimal digits that represent the character's ASCII code. This is necessary for embedding characters that are not allowed in URLs directly, such as spaces and symbols, or characters that have special meanings within URLs, ensuring that the URL is correctly interpreted by web browsers and servers.
References: The concept of URL encoding is fundamental to web application security, a topic that is covered in the ECIH v3 program by EC-Council. Understanding encoding techniques is crucial for incident handlers dealing with web-based attacks and investigations.
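The following added example (my own code, not part of the study guide) implements the rule the explanation describes: each byte outside the RFC 3986 unreserved set is replaced by "%" plus two uppercase hex digits. It also includes the inverse decoder and a small helper that decodes the request target from a constructed web-server log line, which is the form in which an incident handler usually meets percent-encoding. The log line, its IP address, and the query string are constructed for the example; the comparison against `urllib.parse.quote` shows the hand-written encoder agrees with the standard library.

```python
from urllib.parse import quote

# RFC 3986 "unreserved" characters: the only ones that never need encoding.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
HEX_DIGITS = set("0123456789abcdefABCDEF")


def percent_encode(text: str) -> str:
    """Replace every byte outside UNRESERVED with '%XX' (uppercase hex).
    Non-ASCII characters are UTF-8 encoded first, so each byte is escaped
    separately (e.g. 'é' -> '%C3%A9')."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in UNRESERVED else f"%{byte:02X}")
    return "".join(out)


def percent_decode(text: str) -> str:
    """Reverse percent_encode. A '%' not followed by two hex digits is kept
    literally, which is the forgiving behaviour most servers apply."""
    raw = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text) and all(c in HEX_DIGITS for c in text[i + 1:i + 3]):
            raw.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(text[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8", errors="replace")


# Constructed combined-log-format line with an encoded query string.
SAMPLE_LOG_LINE = (
    '203.0.113.7 - - [06/May/2026:10:12:01 +0000] '
    '"GET /search?q=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E HTTP/1.1" 200 512'
)


def decoded_request(log_line: str) -> str:
    """Extract the request target from a combined-log-format line and decode
    it once, so detection rules can match the characters the application saw
    rather than their encoded spelling."""
    start = log_line.index('"') + 1
    end = log_line.index('"', start)
    _method, target, _version = log_line[start:end].split(" ", 2)
    return percent_decode(target)


if __name__ == "__main__":
    sample = "a b&c=d/e?"
    print(percent_encode(sample))                 # a%20b%26c%3Dd%2Fe%3F
    print(percent_encode(sample) == quote(sample, safe=""))
    print(decoded_request(SAMPLE_LOG_LINE))
```

Decoding exactly once matters: a rule that looks for "<script" in the raw log misses the encoded request, while decoding repeatedly can turn a harmless literal "%25" into a fresh "%" and introduce false positives.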


NEW QUESTION # 132
A sign that an incident may happen in the future is called:

  • A. A Precursor
  • B. A Reactive
  • C. An Indication
  • D. A Proactive

Answer: A


NEW QUESTION # 133
A cybersecurity analyst at a technology firm discovers suspicious activity on a network segment dedicated to research and development. The initial indicators suggest a possible compromise of several endpoints with potential intellectual property theft. Given the sensitive nature of the data involved, what is the most effective method for the analyst to detect and validate the security incident?

  • A. Deploy an endpoint detection and response (EDR) solution to identify and investigate suspicious activities.
  • B. Immediately notify law enforcement and regulatory bodies.
  • C. Isolate the affected network segment and manually inspect each endpoint.
  • D. Conduct a network-wide vulnerability scan.

Answer: A

Explanation:
Comprehensive and Detailed Explanation (ECIH-aligned):
The ECIH Endpoint Security module stresses that modern endpoint incidents require advanced detection capabilities beyond traditional antivirus or manual inspection. Intellectual property theft often involves stealthy techniques that evade basic controls.
Option A is correct because an Endpoint Detection and Response (EDR) solution provides deep visibility into endpoint behavior, including process execution, memory activity, file changes, and lateral movement. EDR enables analysts to detect, investigate, and validate incidents efficiently across multiple endpoints.
Option C is slow and error-prone. Option B is premature without validation. Option D identifies vulnerabilities, not active compromise.
ECIH highlights EDR as a cornerstone technology for endpoint incident detection and validation, especially in high-value environments such as R&D networks.


NEW QUESTION # 134
A US Federal Agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the network. According to the agency's reporting timeframe guidelines, this incident should be reported within 2 hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.
Which US Federal Agency incident category does this incident belong to?

  • A. CAT 5
  • B. CAT 2
  • C. CAT 6
  • D. CAT 1

Answer: B

Explanation:
In the context of US Federal Agencies, incidents are categorized based on their impact on operations, assets, or individuals. A DoS attack that prevents or impairs the authorized functionality of networks and is still ongoing without successful mitigation efforts typically falls under Category 2 (CAT 2). This category is designated for incidents that have a significant impact, requiring immediate reporting and response. The reporting timeframe of within 2 hours as mentioned aligns with the urgency associated with CAT 2 incidents, emphasizing the need for swift action to address the attack and restore normal operations.
References: US Federal incident response guidelines and the Incident Handler (ECIH v3) courses outline the categorization of cybersecurity incidents, detailing the response protocols for each category, including the reporting timeframes.


NEW QUESTION # 135
The type of attack that prevents authorized users from accessing networks, systems, or applications by exhausting network resources and sending illegal requests to an application is known as:

  • A. Man in the Middle attack
  • B. SQL injection attack
  • C. Session Hijacking attack
  • D. Denial of Service attack

Answer: D


NEW QUESTION # 136
Alexa downloaded a movie file. However, upon execution, it unleashed a dangerous program that sent Alexa's credit-card information to an attacker.
What is this malicious program masked as a movie file?

  • A. Trojan horse
  • B. Rootkit
  • C. Ransomware
  • D. Backdoor

Answer: A


NEW QUESTION # 137
During routine monitoring, a cloud-based application hosting provider detects an anomaly suggesting an ongoing DDoS attack targeting one of its hosted applications. The provider's incident response team must quickly mitigate the attack while ensuring minimal service disruption. Which of the following strategies should they prioritize?

  • A. Temporarily take the affected application offline to stop the attack.
  • B. Immediately scale up application resources to absorb the attack impact.
  • C. Enable geo-restriction to block incoming traffic from regions not serviced by the application.
  • D. Implement rate limiting and challenge-response tests to differentiate between legitimate and malicious traffic.

Answer: D

Explanation:
Comprehensive and Detailed Explanation (ECIH-aligned):
The ECIH Network Security Incident Handling module emphasizes maintaining availability while mitigating denial-of-service attacks. The objective is not simply to stop traffic, but to distinguish malicious traffic from legitimate user requests.
Option D is correct because rate limiting and challenge-response mechanisms (such as CAPTCHA or SYN cookies) allow legitimate traffic to continue while throttling or blocking malicious requests. This approach minimizes service disruption while effectively containing the attack.
Option B may increase costs and still fail against large-scale DDoS attacks. Option C can unintentionally block legitimate users. Option A contradicts ECIH guidance by unnecessarily impacting availability.
ECIH stresses proportional and intelligent mitigation strategies that preserve business continuity. Therefore, implementing rate limiting and challenge-response mechanisms is the preferred strategy.


NEW QUESTION # 138
Which of the following risk management processes identifies the risks, estimates the impact, and determines sources to recommend proper mitigation measures?

  • A. Risk assessment
  • B. Risk mitigation
  • C. Risk assumption
  • D. Risk avoidance

Answer: A

Explanation:
Risk assessment is the risk management process that involves identifying risks, estimating their impact on the organization, and determining the sources of those risks to recommend appropriate mitigation measures. The goal of a risk assessment is to understand the nature of potential threats, vulnerabilities, and the consequences of those risks materializing, allowing an organization to make informed decisions about how to address them effectively. Risk assumption involves accepting the potential impact of a risk, risk mitigation focuses on reducing the likelihood or impact of risks, and risk avoidance involves taking actions to avoid the risk entirely.
References: The ECIH v3 course materials include discussions on risk management processes, outlining the importance of risk assessment in identifying and preparing for potential security threats.


NEW QUESTION # 139
Darwin is an attacker residing within the organization and is performing network sniffing by running his system in promiscuous mode. He is capturing and viewing all the network packets transmitted within the organization. Edwin is an incident handler in the same organization.
In the above situation, which of the following Nmap commands must Edwin use to detect Darwin's system that is running in promiscuous mode?

  • A. nmap -sU -p 500
  • B. nmap --script hostmap
  • C. nmap -sV -T4 -O -F -version-light
  • D. nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]

Answer: D

Explanation:
The GPG18 and Forensic readiness planning (SPF) principles outline various guidelines to enhance an organization's readiness for forensic investigation and response. Principle 5, which suggests that organizations should adopt a scenario-based Forensic Readiness Planning approach that learns from experience gained within the business, emphasizes the importance of being prepared for a wide range of potential incidents by leveraging lessons learned from past experiences. This approach helps in continuously improving forensic readiness and response capabilities by adapting to the evolving threat landscape and organizational changes.
References: While specific documentation from GPG18 and SPF might detail these principles, the ECIH v3 program by EC-Council covers the concept of forensic readiness planning, including adopting scenario-based approaches and learning from past incidents as a fundamental aspect of enhancing an organization's incident response and forensic capabilities.


NEW QUESTION # 140
......


The ECIH v2 exam covers a range of topics related to incident handling and response, including incident management, incident response, and incident investigation. Candidates are required to have a deep understanding of the incident response process, including the ability to identify and classify incidents, gather evidence, and contain and mitigate the impact of incidents. 212-89 exam also covers the use of incident response tools and techniques, such as vulnerability scanning, network forensics, and threat intelligence.
