
ECIH_C_001-020

=01==B032、B018
An incident handling team has been alerted about a possible security breach on a Linux system.
As an EC-Council Certified Incident Handler, you decide to perform an incident triage using a tool named buck-security on Linux.
After conducting the security check, buck-security returns a warning message indicating a potential issue with the firewall policies.
Considering the above scenario, what should be the immediate next step?

A. Configure a Syslog server to review the network devices' logs.
B. Analyze and address the vulnerabilities in the firewall policies.
C. Install and configure Splunk Universal Forwarder to capture remote system logs.
D. Run another security scan with buck-security to validate the issue.

=02==
AlphaTech's CISO received an alert regarding suspicious activity on multiple endpoints. The symptoms aligned with a malware incident in which data appeared to be exfiltrated to an external server. Facing a potential crisis, the security team convened. Which containment strategy should they deploy first?

A. Isolate the network segments showing the suspicious activity.
B. Implement multi-factor authentication across all user accounts.
C. Notify the legal team and prepare a public statement.
D. Roll back all systems to the last known good configuration.

=03==
A company has migrated its infrastructure and services to the cloud to leverage its scalability and flexibility. However, they are facing challenges in effectively handling and responding to security incidents in the cloud environment. What is one of the key challenges in cloud incident handling and response?

A. Inadequate incident response team training and skills.
B. Lack of visibility and control over cloud infrastructure and data.
C. Difficulty in conducting forensic investigations in a shared cloud environment.
D. Limited availability of the cloud service provider's security tools and features.

=04==
The incident handling and response (IH&R) team of a large multinational corporation recently identified a security incident. Using the Microsoft Baseline Security Analyzer (MBSA) and buck-security tools, they discovered several missing security patches and misconfigurations on their Windows and Linux systems, respectively. In the incident management process, what is the next appropriate step the team needs to perform after the detection and analysis of vulnerabilities?

A. Initiate the implementation of an incident response plan for similar future incidents.
B. Re-scan the systems to validate the accuracy of the initial vulnerability reports.
C. Evaluate the extent of damage caused by the security incident and perform damage control.
D. Proceed with the eradication of vulnerabilities and patch the systems.

=05==
Following a ransomware attack, CyberTech Inc. initiated a full-scale risk assessment. They found multiple potential vulnerabilities and realized the need to prioritize them for remediation. Which criterion should CyberTech primarily use to prioritize these vulnerabilities?

A. The cost associated with the mitigation of each vulnerability.
B. The time elapsed since the vulnerability was discovered.
C. The potential business impact of a successful exploitation of the vulnerability.
D. The popularity of the vulnerability in the hacker community.

=06==
An incident handler is performing security scanning on an Ubuntu Linux system using buck-security to identify potential vulnerabilities. The handler runs the command `./buck-security` and receives a list of warning messages. Among the warnings, the handler finds an issue under the "[3] CHECK firewall: Check firewall policies" section. Considering that the handler's main objective is to validate and classify the security incident, what should be their next course of action?

A. The handler should document the findings and correlate them with other indicators for incident validation.
B. The handler should ignore the warning, as the issue pertains only to firewall policies.
C. The handler should immediately start fixing the identified firewall policy issues.
D. The handler should perform further analysis of the logs from the Syslog server.

=07==
In the aftermath of a cybersecurity incident at TechGuard Ltd., the response team identified a USB drive suspected of containing malicious code. To preserve its integrity for forensic analysis, what should the team do?

A. Format the USB drive to remove any malware.
B. Store it in an anti-static bag, ensuring it is well-labeled and sealed.
C. Connect it to a sandboxed environment to check its contents.
D. Copy the contents to a secure server for backup.

=08==
As the new CISO for a mid-sized healthcare organization, you have been tasked with fortifying the company's cyber defenses. Your predecessor mainly focused on network security, but you believe that endpoint security incident handling and response are equally vital. What is the most compelling reason to justify the additional investment to the board of directors?

A. The increasing number of remote workers makes the network perimeter less defined.
B. Endpoint security is a current trend in the cybersecurity industry.
C. Regulatory bodies demand a greater focus on endpoint security.
D. The company's competitors have invested heavily in endpoint security.

=09==
An employee accidentally emails confidential customer information to a personal email address. What is the biggest challenge faced by the incident response team in this scenario?

A. Identifying the source of the email server used to send the email.
B. Balancing the need for confidentiality and transparency with stakeholders.
C. Identifying the extent of the damage caused by the incident.
D. Determining the intent of the employee.

=10==
An organization's network has just suffered a significant breach. As an EC-Council Certified Incident Handler, you have been called in to secure and document the crime scene. Which of the following actions would be your primary focus to avoid contaminating the digital evidence?

A. Document the original state of the system before shutting it down for analysis.
B. Install the latest patches and update the antivirus on all affected systems.
C. Disconnect all compromised machines from the network immediately.
D. Notify all employees in the organization about the breach for transparency.

=11==
An EC-Council Certified Incident Handler is assigned to handle an incident involving a complex cyberattack on a large corporation's cloud-based system. The attack has resulted in a significant data breach. Which initial step should the ECIH take to best ensure the successful handling of this incident?

A. Notify the corporation's clients about the data breach and the potential compromise of their data.
B. Initiate a full system shutdown to halt all operations and prevent additional data loss.
C. Document the state of the system, including system logs, network configurations, and any anomalous activities.
D. Block the suspected IP addresses involved in the breach to cut off further access.

=12==
An incident responder for a multinational organization has successfully installed ActivTrak on a Windows Server 2016 machine, aiming to monitor and detect insider threats. After a day of monitoring, the incident responder notices a user accessing social media websites extensively during work hours and also finds multiple entries for a highly confidential internal web application in the TOP SITES pie chart of the ActivTrak dashboard. What should be the incident responder's immediate action?

A. Proceed with system isolation of the user's workstation and revoke the user's access privileges.
B. Ignore the findings, as they do not directly indicate any malicious activity.
C. Engage the human resources team to talk to the user regarding time spent on social media.
D. Consult with the security team to analyze the user's activities and the accessed data for potential threats.

=13==
In the aftermath of a malware incident involving malicious startup programs on a Windows 10 machine, an incident handler is tasked with the recovery process using the WinPatrol tool. Which of the following sequences of actions taken by the incident handler indicates the correct approach?

A. Install WinPatrol, disable all startup programs, remove all IE helpers, view installed services, disable all services, view file types, and end all active tasks.
B. Install WinPatrol, enable all startup programs, add necessary IE helpers, view installed services, enable all services, view file types, and start all active tasks.
C. Install WinPatrol, disable trivial startup programs, add necessary IE helpers, view installed services, enable trivial services, view file types, and start non-essential active tasks.
D. Install WinPatrol, disable trivial startup programs, remove non-required IE helpers, view installed services, disable trivial services, view file types, and end non-essential active tasks.

=14==
A company's web application security team is preparing to handle potential security incidents that may occur on their web applications. They aim to establish effective processes and protocols to mitigate and respond to such incidents promptly. In addition to an incident response plan, what is another important aspect of preparation for handling web application security incidents?

A. Establishing strong access controls and authentication mechanisms for web applications.
B. Setting up a centralized security information and event management (SIEM) system.
C. Regularly monitoring and logging web application traffic and events.
D. Implementing encryption and secure communication protocols for web applications.

=15==
During a routine security assessment at SoftTech, a major software development company, a series of suspicious email transmissions were flagged from a senior executive's account to an external domain. Preliminary investigations suggest that the emails contained critical IP details. To identify the cause and extent of this compromise, what should be the primary action?

A. Conduct a forensic examination of the affected email account's recent activities.
B. Send an alert to all staff members about potential phishing threats.
C. Coordinate with the external domain to retrieve the sent emails.
D. Enforce immediate password resets for all senior executive accounts.

=16==
An employee in the finance department accesses confidential financial data outside of their job duties. What is the most effective way to prevent this type of insider threat?

A. Implement role-based access controls and limit access to sensitive data.
B. Educate employees on the consequences of violating company policies.
C. Conduct regular background checks on all employees.
D. Increase monitoring and surveillance of employee activity.

=17==
A leading manufacturing company with an extensive IoT network detects suspicious activity that appears to be an unauthorized access attempt. This incident could potentially disrupt manufacturing processes, lead to intellectual property theft, and have far-reaching financial implications. In the intricate and highly interconnected environment of this IoT-based security incident, what is the first step in the incident response process for handling this situation?

A. Preparation, including incident categorization, prioritization, and forming an appropriate response team.
B. Immediately terminate all employees suspected of involvement.
C. Sell off the compromised IoT devices to minimize financial loss.
D. Publicly disclose the incident to warn competitors.

=18==
Sarah, an employee at a company, feels frustrated and resentful due to a hostile work environment and perceived unfair treatment. She decides to attack the organization's systems as a means of retaliation. What is the driving force behind Sarah's insider attack?

A. Work-related grievance
B. Corporate espionage
C. Challenge
D. Hacktivism

=19==
After a significant data breach at a large retail company's cloud-based Point of Sale (POS) system, you are tasked as an EC-Council Certified Incident Handler with formulating a strategy for future incidents. One of the main challenges you faced during the response was the ambiguity over the division of responsibility between the company and the cloud service provider. To mitigate this issue, what should be your primary focus for future incident handling?

A. Implement a multi-cloud strategy to mitigate the risk posed by a single cloud service provider.
B. Develop an internal cloud security team to monitor and handle incidents autonomously.
C. Ensure a well-defined and agreed-upon cloud service level agreement (SLA) regarding incident response.
D. Prioritize investments in advanced cloud security technologies, such as cloud-based IDS.

=20==
A leading tech firm is reassessing its incident response strategy following a series of cyber-attacks. The Incident Response Team has proposed fine-tuning the plan to better adapt to evolving threats. The focus is on reducing response time while accurately assessing the nature and impact of various incidents. In this context, which of the following methods would be the MOST suitable to apply within the incident response and handling process?

A. Integrate a robust threat intelligence system, foster collaboration between teams, and align incident response with the organization's risk appetite and overall business objectives.
B. Prioritize the immediate containment of incidents, even before analyzing their nature, by shutting down affected systems and ignoring potential secondary consequences.
C. Focus on implementing static rules in the Security Information and Event Management (SIEM) system and follow a rigid set of predefined response protocols, irrespective of incident complexity.
D. Utilize automated threat detection tools exclusively, minimizing human involvement to lower response time, and apply AI-driven log analysis.
