=031==
An employee accidentally emails confidential customer information to a personal email address.
What is the biggest challenge faced by the incident response team in this scenario?
Ⓐ Determining the intent of the employee
Ⓑ Balancing the need for confidentiality and transparency with stakeholders
Ⓒ Identifying the extent of the damage caused by the incident
Ⓓ Identifying the source of the email server used to send the email
=032==
An incident handling team has been alerted about a possible security breach on a Linux system.
As an EC-Council Certified Incident Handler, you decide to perform an incident triage using a tool named buck-security on Linux.
After conducting the security check, buck-security returns a warning message indicating a potential issue with the firewall policies.
Considering the above scenario, what should be the immediate next step?
Ⓐ Run another security scan with buck-security to validate the issue.
Ⓑ Install and configure Splunk Universal Forwarder to capture remote system logs.
Ⓒ Analyze and address the vulnerabilities in the firewall policies.
Ⓓ Configure a Syslog server to retrieve the network devices’ logs.
=033==
As an incident handler, you are responsible for managing unauthorized access incidents.
After a series of reconnaissance attacks on your network, you have employed tools such as Wireshark and Nmap to detect the incidents.
During one such scenario, you notice an IP address, 10.10.10.9, has been repeatedly conducting ICMP echo requests and TCP SYN scans.
What would be your immediate course of action to mitigate the situation?
Ⓐ Block the address 10.10.10.9 at the firewall level.
Ⓑ Ignore the IP address 10.10.10.9, as it is not causing harm to the network.
Ⓒ Report the IP address 10.10.10.9 to local law enforcement.
Ⓓ Launch a counter-attack against IP address 10.10.10.9.
=034==
An EC-Council Certified Incident Handler (ECIH) is preparing a cloud-based company for potential security incidents.
She’s focusing on best practices to fortify the company's defenses against such events.
Given the following measures, which one should the ECIH prioritize?
Ⓐ Regularly updating and patching all cloud-based systems.
Ⓑ Implementing a zero-trust architecture across all network resources.
Ⓒ Limiting the use of third-party applications within the cloud environment.
Ⓓ Frequently changing all users’ passwords in the cloud environment.
=035==
An Incident Handler is configuring Suricata IDS to detect suspicious ICMP and HTTP traffic in the network.
They have set up an ICMP rule and want to ensure the HTTP traffic is also logged.
The Suricata engine is running, and some HTTP activity is being conducted on a Windows machine for testing purposes.
The Suricata engine is then stopped to analyze the logs.
What would be the correct sequence of steps that the Incident Handler should follow in the Ubuntu terminal to analyze the HTTP traffic log?
Ⓐ Type "gedit /var/log/suricata/fast.log", press Enter, and inspect the file that opens showing ICMP traffic sent through the Windows machine.
Ⓑ Type "gedit /var/log/suricata/fast.log", press Enter, and inspect the file that opens showing HTTP traffic captured from the network.
Ⓒ Type "gedit /var/log/suricata/http.log", press Enter, and inspect the file that opens showing ICMP traffic sent through the Windows machine.
Ⓓ Type "gedit /var/log/suricata/http.log", press Enter, and inspect the file that opens showing HTTP traffic captured from the network.
=036==
As a Certified Incident Handler at a multinational corporation, you are notified of a possible data breach incident in one of the departments.
During the initial investigation, you confirmed that one workstation was used to execute the malicious activity.
You need to ensure the integrity of the evidence for further forensic analysis.
What should your first response action be regarding the affected workstation?
Ⓐ Photograph the workstation and document the hardware configuration.
Ⓑ Shut down the workstation immediately to stop potential data loss.
Ⓒ Immediately disconnect the workstation from the network but leave it running.
Ⓓ Use an antivirus to scan the workstation and delete any detected malware.
=037==
A company’s web application security team is preparing for handling potential security incidents that may occur on their web applications.
They aim to establish effective processes and protocols to mitigate and respond to such incidents promptly.
In addition to an incident response plan, what is another important aspect of preparation for handling web application security incidents?
Ⓐ Implementing encryption and secure communication protocols for web applications.
Ⓑ Establishing strong access controls and authentication mechanisms for web applications.
Ⓒ Setting up a centralized security information and event management (SIEM) system.
Ⓓ Regularly monitoring web application traffic and events.
=038==
After a debilitating malware attack on RetailHub, a chain of e-commerce platforms, the top brass decided to bolster their defenses.
They acknowledged human error as a significant vulnerability.
As part of their renewed strategy, which preventive guideline would be most impactful against malware introduction?
Ⓐ Restricting administrative privileges to a select few.
Ⓑ Conducting regular employee training on phishing and social engineering threats.
Ⓒ Outsourcing their IT infrastructure to a third-party vendor for better management.
Ⓓ Mandating biannual security audits.
=039==
An employee who was recently terminated still has access to company systems due to an administrative oversight.
What is the biggest challenge in responding to this insider threat?
Ⓐ Balancing the need to revoke access with maintaining business continuity.
Ⓑ Identifying the potential damage caused by the former employee.
Ⓒ Maintaining the confidentiality of the investigation.
Ⓓ Identifying how the former employee gained unauthorized access.
=040==
An international manufacturing company experienced a major security incident impacting its operational technology (OT) systems.
It was determined that the incident was caused by a sophisticated malware strain that infected the Programmable Logic Controllers (PLCs).
As an EC-Council Certified Incident Handler, what is your priority in handling OT-based security incidents in the future?
Ⓐ Ensure regular backups of critical OT configurations and PLC programming.
Ⓑ Update PLC firmware frequently to eliminate vulnerabilities.
Ⓒ Implement an intrusion prevention system (IPS) specific to OT environments.
Ⓓ Isolate the OT network from the IT network to reduce infection vectors.
CCAAD CCBBA