ECIH_B_081-090

 =081==

In a scenario where the EC-Council Certified Incident Handler (ECIH) is analyzing unauthorized access incidents, they detect suspicious activities in their network.

在EC-Council認證的事件處理人員（ECIH）分析未經授權的訪問事件的情景中，他們檢測到其網絡中的可疑活動。

They identify multiple reconnaissance attempts from an external IP address, including Ping Sweep, SYNscan, Null scan, and Xmas scan.

他們識別出來自外部IP地址的多次偵察嘗試，包括Ping Sweep、SYNscan、Null掃描和Xmas掃描。

Subsequently, an unfamiliar text file appears in their VSFTPD logs.

隨後，他們在VSFTPD日誌中發現了一個不熟悉的文本文件。

Considering this situation, what should the ECIH do next?

考慮到這種情況，ECIH接下來應該做什麼？

 

Ⓐ Shut down the network immediately to prevent any further unauthorized access. 立即關閉網絡以防止任何進一步的未經授權的訪問。

Ⓑ Conduct a reverse IP lookup of the external IP address to identify the origin of the reconnaissance attacks. 進行外部IP地址的反向查找以確定偵察攻擊的來源。

Ⓒ Ignore the unfamiliar text file, as it might just be a coincidence. 忽略這個不熟悉的文本文件，因為它可能只是巧合。

Ⓓ Check the content of the unfamiliar text file, as it might contain critical information. 檢查這個不熟悉的文本文件的內容，因為它可能包含關鍵信息。

 

=082==

In a scenario where the EC-Council Certified Incident Handler (ECIH) is analyzing unauthorized access incidents, they detect suspicious activities in their network.

在EC-Council認證的事件處理人員（ECIH）分析未經授權的訪問事件的情景中，他們檢測到其網絡中的可疑活動。

They identify multiple reconnaissance attempts from an external IP address, including Ping Sweep, SYNscan, Null scan, and Xmas scan.

他們識別出來自外部IP地址的多次偵察嘗試，包括Ping Sweep、SYNscan、Null掃描和Xmas掃描。

Subsequently, an unfamiliar text file appears in their VSFTPD logs.

隨後，他們在VSFTPD日誌中發現了一個不熟悉的文本文件。

Considering this situation, what should the ECIH do next?

考慮到這種情況，ECIH接下來應該做什麼？

 

Ⓐ The Ubuntu machine didn’t receive the ping from the Windows 10 machine. Ubuntu機器沒有收到來自Windows 10機器的ping。

Ⓑ You forgot to save the changes to the suricata.yaml file after enabling the http-log output. 啟用http-log輸出後，您忘記保存對suricata.yaml文件的更改。

Ⓒ The Suricata engine didn’t start correctly. Suricata引擎沒有正確啟動。

Ⓓ The custom rule you added to the suricata.yaml file was not correctly written. 您添加到suricata.yaml文件的自定義規則沒有正確編寫。

 

=083==

You are an EC-Council Certified Incident Handler (ECIH) working for a company that has managed to contain and eradicate the breach. As a next step, which of the following should you prioritize?

您是一名EC-Council認證的事件處理人員（ECIH），為一家已經成功控制並根除漏洞的公司工作。下一步，您應該優先考慮以下哪一項？

 

Ⓐ Conduct a thorough post-mortem analysis to understand the cause and effect of the incident. 進行徹底的事後分析以了解事件的原因和影響。

Ⓑ Moving sensitive data to a more secure, private cloud environment. 將敏感數據轉移到更安全的私人雲環境。

Ⓒ Setting up additional firewalls to block external traffic. 設置額外的防火牆以阻止外部流量。

Ⓓ Changing all user credentials and revoking all existing API keys. 更改所有用戶憑據並撤銷所有現有的API密鑰。

=084==

You are an EC-Council Certified Incident Handler for a financial institution.

您是一家金融機構的EC-Council認證事件處理人員。

A sudden network spike has been detected in one of your data centers late at night.

在深夜，您的數據中心之一檢測到突然的網絡峰值。

The company might be dealing with a distributed denial of service attack.

公司可能正在處理分佈式拒絕服務攻擊。

As the one on the front line, what is the top priority action you’d need to jump on right away?

作為前線人員，您需要立即採取的首要行動是什麼？

 

Ⓐ Notify all customers about the potential breach. 通知所有客戶潛在的漏洞。

Ⓑ Switch off the servers to stop further data transmission. 關閉服務器以停止進一步的數據傳輸。

Ⓒ Isolate affected systems to prevent the spread of the attack. 隔離受影響的系統以防止攻擊蔓延。

Ⓓ Initiate a complete system backup to preserve current data. 啟動完整的系統備份以保護當前數據。

 

=085==

At Neo Tech, after a suspected insider threat incident, a smartphone believed to be a key piece of evidence was secured.

在Neo Tech，經過一場疑似內部威脅事件後，一部被認為是關鍵證據的智能手機被保護起來。

While waiting for forensic experts, what should the incident handler do to maintain the phone’s data integrity?

在等待法醫專家的同時，事件處理人員應該怎樣做以維護手機數據的完整性？

 

Ⓐ Place the phone in a Faraday bag to prevent remote wiping or communication. 將手機放入法拉第袋以防止遠程擦除或通信。

Ⓑ Charge the phone continuously to avoid power loss. 持續給手機充電以避免電量耗盡。

Ⓒ Keep the phone turned on and prevent it from locking. 保持手機開機並防止其鎖定。

Ⓓ Take photos of all opened apps and active screens for documentation. 拍攝所有打開的應用程序和活動屏幕以作記錄。

 

=086==

A company’s network security monitoring system alerts the incident response team to a potential data breach.

一家公司的網絡安全監控系統向事件響應小組發出潛在數據洩露的警報。

What is the first step in the preparation process for handling this network security incident?

處理此網絡安全事件的準備過程中的第一步是什麼？

 

Ⓐ Gather information about the alert, including the affected systems and potential impact. 收集有關警報的信息，包括受影響的系統和潛在影響。

Ⓑ Assess the credibility and severity of the alert before taking any action. 在採取任何行動之前，評估警報的可信度和嚴重性。

Ⓒ Deactivate the incident response team and initiate the incident response monitoring. 停用事件響應小組並啟動事件響應監控。

Ⓓ Notify senior management and other relevant stakeholders about the potential incident. 通知高級管理層和其他相關利益相關者潛在的事件。

 

=087==

The incident handling and response(IH&R) team of a large multinational corporation recently identified a security incident.

一家大型跨國公司的事件處理和響應（IH&R）小組最近識別出一個安全事件。

Using the Microsoft Baseline Security Analyzer (MBSA) and back-security tools, they discovered several missing security patches and misconfigurations on their Windows and Linux systems, respectively.

使用Microsoft基線安全分析器（MBSA）和後端安全工具，他們分別在其Windows和Linux系統上發現了幾個遺漏的安全補丁和錯誤配置。

In the incident management process, what should be the next appropriate step the team needs to perform after the detection and analysis of vulnerabilities?

在事件管理過程中，團隊在檢測和分析漏洞後應執行的下一個適當步驟是什麼？

 

Ⓐ Re-scan the systems to validate the accuracy of the initial vulnerability reports. 重新掃描系統以驗證初始漏洞報告的準確性。

Ⓑ Evaluate the extent of damage caused by the security incident and prepare damage control. 評估安全事件造成的損害程度並準備損害控制。

Ⓒ Proceed with the eradication of vulnerabilities and patch the system. 進行漏洞根除並修補系統。

Ⓓ Initiate the implementation of an incident response plan for similar future incidents. 啟動類似未來事件的事件響應計劃的實施。

 

=088==

During a web application security incident, the incident response team suspects that an employee’s account was compromised.

在一次網絡應用安全事件中，事件響應小組懷疑員工帳戶被盜。

What should be the first step the team takes to identify the cause of the security breach?

團隊應該採取的第一步是什麼以識別安全漏洞的原因？

 

Ⓐ Schedule the meeting and accounts that were used to access the database. 安排用於訪問數據庫的會議和帳戶。

Ⓑ Notify affected customers of the breach. 通知受影響的客戶有關漏洞。

Ⓒ Shut down the database server to prevent further access. 關閉數據庫服務器以防止進一步訪問。

Ⓓ Conduct a forensic investigation of the database server. 進行數據庫服務器的法醫調查。

 

=089==

You are an incident handler working for a large financial institution.

您是一家大型金融機構的事件處理人員。

The bank has recently purchased new high-end workstations for its data analysis team.

該銀行最近為其數據分析團隊購買了新的高端工作站。

In preparation for possible endpoint security incidents, you’re deciding on an incident handling approach.

為可能的端點安全事件做準備，您正在決定一種事件處理方法。

What should be your first step?

您的第一步應該是什麼？

 

Ⓐ Set up a network intrusion detection system to monitor network traffic. 設置網絡入侵檢測系統以監控網絡流量。

Ⓑ Install antivirus software on all the new workstations. 在所有新工作站上安裝防病毒軟件。

Ⓒ Establish a baseline performance for the new workstations. 為新工作站建立基線性能。

Ⓓ Train the data analysis team on the basics of incident response. 訓練數據分析團隊的基本事件響應。

 

=090==

John, a system administrator, has been with the company for several years and has access to sensitive company data.

John，一名系統管理員，在公司工作了好幾年，並且可以訪問敏感的公司數據。

However, he has recently become disgruntled due to a denied promotion.

然而，由於晉升被拒，他最近變得不滿。

He decides to seek revenge on the company by compromising its resources.

他決定通過損害公司的資源來對公司進行報復。

Which type of insider threat does John represent?

John代表哪種類型的內部威脅？

 

Ⓐ Privileged User 特權用戶

Ⓑ Accident-Prone Employee 易出事故的員工

Ⓒ Disgruntled Employee 心懷不滿的員工

Ⓓ Terminated Employee 被解雇的員工

DCACA BBCCC