
ECIH_C_061-080

 =61=

In a simulated lab environment, an incident handler uses the CurrPorts tool to monitor TCP/IP connections in the wake of a malware incident.

The malware, a trojan called njRAT, has been executed on a Windows Server 2016 virtual machine.

After executing the trojan, the handler observes a connection established by the njRAT client on the Windows 10 virtual machine.

Using CurrPorts on the infected Windows Server 2016, what course of action should the handler take next?


A. Run a full antivirus scan on the Windows 10 virtual machine.

B. Restart Windows Server 2016 to remove the trojan.

C. Immediately disconnect Windows Server 2016 from the network.

D. Perform port monitoring to identify the running process and the port it is using.
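An added example of the port-monitoring step this question turns on, not code from the original page: it correlates `netstat -ano` rows with `tasklist` rows by PID, the same join CurrPorts shows in a single window, and flags sockets owned by processes that are not on a baseline allowlist. The netstat and tasklist text, the 10.10.10.x addresses, the image names and the allowlist are all constructed for the example.

```python
"""Correlate TCP connections with their owning processes, the triage step an
incident handler performs with CurrPorts (or with `netstat -ano` and
`tasklist`) after a trojan has been executed.  Added example, not code from
the original page; the netstat/tasklist text is constructed sample output,
not captured from a real host."""

import re
from dataclasses import dataclass

# Constructed `netstat -ano` output.  10.10.10.16 is the infected server and
# 10.10.10.10 stands in for the attacker-controlled Windows 10 VM.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3316
  TCP    10.10.10.16:3389       10.10.10.5:51622       ESTABLISHED     1204
  TCP    10.10.10.16:49731      10.10.10.10:5552       ESTABLISHED     3316
  TCP    10.10.10.16:49740      203.0.113.20:443       ESTABLISHED     2480
"""

# Constructed `tasklist` output for the same moment.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        148 K
svchost.exe                    880 Services                   0      9,112 K
svchost.exe                   1204 Services                   0     12,004 K
MicrosoftEdge.exe             2480 Console                    1     88,520 K
server.exe                    3316 Console                    1      6,372 K
"""

# Hypothetical allowlist of images expected on this lab server; in practice it
# comes from a baseline taken on the clean system.
KNOWN_GOOD_IMAGES = {"System", "svchost.exe", "MicrosoftEdge.exe"}

NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_ROW = re.compile(r"^(\S+)\s+(\d+)\s")


@dataclass(frozen=True)
class Connection:
    local: str
    remote: str
    state: str
    pid: int
    image: str


def parse_netstat(text):
    """Return (local, remote, state, pid) tuples for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_TCP.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows


def parse_tasklist(text):
    """Map PID -> image name; header and separator rows do not match the pattern."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def correlate(netstat_text, tasklist_text):
    """Join connections to processes by PID.  A PID with no process is kept as
    '<unknown>': a process that exited between the two snapshots is itself a lead."""
    images = parse_tasklist(tasklist_text)
    return [Connection(local, remote, state, pid, images.get(pid, "<unknown>"))
            for local, remote, state, pid in parse_netstat(netstat_text)]


def triage(connections):
    """Flag sockets owned by images not on the allowlist: an established
    outbound session is a candidate C2 channel, a listener a candidate backdoor."""
    findings = []
    for c in connections:
        if c.image in KNOWN_GOOD_IMAGES:
            continue
        if c.state == "ESTABLISHED":
            findings.append((c.pid, c.image, c.remote, "established session from non-allowlisted process"))
        elif c.state == "LISTENING":
            findings.append((c.pid, c.image, c.local, "listener opened by non-allowlisted process"))
    return findings


if __name__ == "__main__":
    for pid, image, endpoint, reason in triage(correlate(NETSTAT_OUTPUT, TASKLIST_OUTPUT)):
        print(f"PID {pid} ({image}) {endpoint}: {reason}")
```

Run as a script it reports two findings for PID 3316: the session to the Windows 10 VM and a listener on 4444. The PID, image name, remote endpoint and time are the volatile facts to record first; a restart or a network disconnect destroys the socket-to-process mapping that CurrPorts is showing.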


=62=

The CEO of a leading financial institution received a blackmail email containing highly confidential financial data.

The incident response (IR) team, using digital forensics, identified the attacker and prepared evidence for legal action.

They also conducted a thorough analysis of the breach and of the existing security measures.

Based on their investigation, what recommendations did the IR team most likely provide to the organization?


A. Enhance security controls, offer security awareness training, and implement continuous monitoring.

B. Expand the company's business into new markets.

C. Increase the salaries of the executive team to boost morale.

D. Invest in marketing to restore the brand image.


=63=

A multinational corporation has recently been the target of a large number of phishing attacks.

As the newly appointed Incident Handler, you have been tasked with improving the company's ability to detect and handle these attacks.

The existing infrastructure consists of several virtual machines running Windows Server 2016, Windows 10, and Ubuntu, and administrative privileges are available to install and run the required tools.

Which of the following methods should you primarily implement to enhance the company's ability to handle these email security incidents?


A. Installing the Netcraft Toolbar on all company systems to block phishing websites.

B. Using PhishTank to verify and track all suspicious links in emails received by the company.

C. Implementing PGP encryption for all email communications to prevent unauthorized access to email content.

D. Training employees to detect phishing attacks and encouraging them to report suspicious emails.


=64=

A multinational organization recently suffered a massive data breach, resulting in the exposure of sensitive customer information.

As an EC-Council Certified Incident Handler (ECIH), you have been tasked with ensuring compliance with incident handling laws and acts while handling this situation.

The company operates in multiple jurisdictions, including Europe and the United States.

What should be your primary legal consideration in this scenario?


A. Conduct an internal audit to identify potential non-compliance areas.

B. Initiate a customer notification process as guided by the European Data Protection Directive.

C. Follow the mandates of the GDPR and the California Consumer Privacy Act (CCPA).

D. Report the incident to the Internet Crime Complaint Center (IC3) immediately.


=65=

You are an incident handler working for a large financial institution.

The bank has recently purchased new high-end workstations for its data analysis team.

In preparation for possible endpoint security incidents, you are deciding on an incident handling approach.

What should be your first step?


A. Install antivirus software on all the new workstations.

B. Set up a network intrusion detection system to monitor network traffic.

C. Establish a performance baseline for the new workstations.

D. Train the data analysis team on the basics of incident response.


=66=

After a series of email-based attacks, FinServCo, a financial services provider, wanted to establish robust defenses against potential email security incidents.

While discussing preventive measures, which action emerged as the top priority for guarding against email threats?


A. Move all email services to a reputable cloud provider for better management.

B. Employ an email sandboxing solution to analyze email attachments in a secure environment.

C. Prohibit employees from accessing personal email on corporate devices.

D. Ensure that all email traffic is encrypted, both in transit and at rest.


=67=

While handling and responding to a potential web application security incident, you are required to conduct a vulnerability scan of your website.

As an EC-Council Certified Incident Handler (ECIH), which of the following steps is NOT part of the process of performing web application vulnerability scanning with Acunetix Web Vulnerability Scanner (WVS)?


A. Perform a full scan, select the OWASP Top 10 2017 report type, and schedule the scan to run immediately.

B. After scanning, view the vulnerabilities, analyze their details, and formulate a plan to fix them.

C. Use the built-in HTTP Editor and HTTP Fuzzer of Acunetix WVS to manually test and validate potential vulnerabilities before scanning.

D. Install Acunetix WVS on a Windows 10 virtual machine and log in with the provided credentials.


=68=

In the course of an incident handling task, you identified an email with suspicious attributes.

The email header indicates an SPF result of "SoftFail" and a DKIM result of "Neutral".

Given these attributes, what is the most probable interpretation and the appropriate course of action?


A. The email is likely a spoofed email and should be quarantined immediately, as the SPF SoftFail and DKIM Neutral results together indicate possible email forgery.

B. The email could be suspicious, as the DKIM result indicates syntax errors in the signature. However, no immediate action is required, as the SPF SoftFail does not confirm the email as malicious.

C. The email is likely legitimate, as the SPF result does not indicate a failure. Continue to analyze the content of the email for any other suspicious signs.

D. The email is legitimate, as the DKIM result is Neutral, which means the email is signed but the signature could not be processed due to syntax errors. No further action is required.


=69=

A company's endpoint security solution detects suspicious activity on multiple endpoints, indicating a potential coordinated attack.

What is the best course of action for the incident response team in this scenario?


A. Collect and analyze logs from the endpoint security solution to identify the source of the attack.

B. Conduct a full system scan on all affected endpoints to identify the extent of the attack.

C. Notify senior management and other stakeholders about the potential attack.

D. Disconnect all affected endpoints from the network and isolate them for further analysis.


=70=

ABC Corp., in the wake of frequent malware attacks, decided to conduct a forensic investigation of a suspected machine on its network.

The incident response team used CurrPorts to monitor TCP/IP connections and identified a suspicious process.

They also leveraged Regshot to monitor registry entries.

While analyzing the registry changes before and after the execution of the suspicious process, they noticed some new entries in the startup section of the registry.

Given this scenario, which of the following is the most likely reason for malware creating entries in the startup section of the registry?


A. To log keystrokes and send the user's credentials over the network to the attacker.

B. To propagate the malware across the connected devices in the network.

C. To ensure that the malicious process runs whenever the system boots.

D. To encrypt data and hold it for ransom.


=71=

You are the cloud security incident response manager for a large organization.

Your team has identified a potential security incident in the cloud environment.

Upon investigation, you find that an unauthorized individual gained access to a critical database containing sensitive customer information.

What is the MOST appropriate immediate action to take?


A. Collect evidence and preserve logs for forensic analysis.

B. Engage the organization's legal team to assess potential liability and regulatory obligations.

C. Shut down the compromised database server to prevent further unauthorized access.

D. Notify affected customers and guide them on protecting their personal information.


=72=

Your organization uses the Google Cloud Platform for its operations.

You, as an EC-Council Certified Incident Handler, have been alerted to a potential security incident involving unauthorized access to sensitive data.

Which of the following should be your first step in handling this incident?


A. Disable all user accounts on GCP.

B. Initiate an immediate backup of all data.

C. Shut down all instances on GCP.

D. Perform an initial analysis of the GCP audit logs.
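An added example of what an initial audit-log analysis looks like, not code from the original page. The entries are constructed in the documented Cloud Audit Logs JSON shape (logName, timestamp, protoPayload with authenticationInfo, requestMetadata, methodName and resourceName); demo-project, the customer_pii dataset, the principals, the 192.0.2.0/24 corporate range and the method names are placeholders. In production the same filters would run as a Logs Explorer query or over a log sink export rather than over a JSON document.

```python
"""First-pass review of exported Google Cloud audit log entries for a suspected
unauthorized data access.  Added example, not code from the original page.
Entries are constructed in the documented Cloud Audit Logs JSON shape; the
project, dataset, principals, IP ranges and method names are hypothetical."""

import json
from ipaddress import ip_address, ip_network

AUDIT_LOG_EXPORT = json.dumps([
    {   # an authorised analyst from the corporate range: expected activity
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-03-01T14:02:11Z",
        "protoPayload": {
            "serviceName": "bigquery.googleapis.com",
            "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
            "authenticationInfo": {"principalEmail": "analyst@example.com"},
            "requestMetadata": {"callerIp": "192.0.2.40"},
            "resourceName": "projects/demo-project/datasets/customer_pii/tables/accounts"}},
    {   # an unexpected principal, from outside the corporate range, at 02:14
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-03-02T02:14:09Z",
        "protoPayload": {
            "serviceName": "bigquery.googleapis.com",
            "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
            "authenticationInfo": {"principalEmail": "contractor@example.org"},
            "requestMetadata": {"callerIp": "198.51.100.23"},
            "resourceName": "projects/demo-project/datasets/customer_pii/tables/accounts"}},
    {   # an authorised principal but from an address outside the corporate range
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-03-02T02:20:45Z",
        "protoPayload": {
            "serviceName": "bigquery.googleapis.com",
            "methodName": "google.cloud.bigquery.v2.JobService.GetQueryResults",
            "authenticationInfo": {"principalEmail": "analyst@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.23"},
            "resourceName": "projects/demo-project/datasets/customer_pii/tables/accounts"}},
    {   # admin activity log, not data access: picked up by the second pass
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-03-02T02:10:00Z",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "contractor@example.org"},
            "requestMetadata": {"callerIp": "198.51.100.23"},
            "resourceName": "projects/demo-project"}},
])

# Hypothetical scoping values an analyst would take from the access request
# or data inventory for the resource in question.
SENSITIVE_PREFIX = "projects/demo-project/datasets/customer_pii"
ALLOWED_PRINCIPALS = {"analyst@example.com", "dba@example.com"}
CORPORATE_NETWORKS = [ip_network("192.0.2.0/24")]


def review_data_access(export_json, sensitive_prefix=SENSITIVE_PREFIX,
                       allowed=ALLOWED_PRINCIPALS, networks=CORPORATE_NETWORKS):
    """Findings for data-access entries on the sensitive resource that involve
    an unexpected principal or an unexpected source address, oldest first."""
    findings = []
    for entry in json.loads(export_json):
        if not entry["logName"].endswith("cloudaudit.googleapis.com%2Fdata_access"):
            continue
        payload = entry["protoPayload"]
        if not payload.get("resourceName", "").startswith(sensitive_prefix):
            continue
        principal = payload["authenticationInfo"]["principalEmail"]
        caller = ip_address(payload["requestMetadata"]["callerIp"])
        reasons = []
        if principal not in allowed:
            reasons.append("principal not on the access list")
        if not any(caller in net for net in networks):
            reasons.append("caller IP outside corporate ranges")
        if reasons:
            findings.append({"time": entry["timestamp"], "principal": principal,
                             "caller_ip": str(caller), "method": payload["methodName"],
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["time"])


def principals_to_contain(findings):
    """The accounts whose credentials and tokens get revoked next, rather than
    every account in the project."""
    return sorted({f["principal"] for f in findings})


def pivot_activity(export_json, principals):
    """Second pass: admin-activity entries by the flagged principals, to see what
    they changed (for example an IAM policy) around the time of the access."""
    hits = []
    for entry in json.loads(export_json):
        if not entry["logName"].endswith("cloudaudit.googleapis.com%2Factivity"):
            continue
        payload = entry["protoPayload"]
        if payload["authenticationInfo"]["principalEmail"] in principals:
            hits.append((entry["timestamp"], payload["methodName"], payload["resourceName"]))
    return sorted(hits)
```

The first pass narrows the incident to two sessions and two principals; the pivot then shows that the unexpected principal changed an IAM policy four minutes before reading the dataset, which is the kind of fact that turns a vague alert into a scoped incident. Disabling every account or stopping every instance before this step would leave the responder with the same unanswered question and a self-inflicted outage.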


=73=

A company's intrusion detection system (IDS) generates an alert indicating a potential network security incident.

What is the next step in the process of detecting and validating network security incidents?


A. Validate the IDS alert by cross-referencing it with other security monitoring systems.

B. Conduct a thorough analysis of the IDS alert logs to gather additional information.

C. Perform forensic analysis on the affected systems to identify the root cause of the incident.

D. Determine the severity of the alert and its potential impact on the network.


=74=

During a routine incident response process in a large organization, the incident responder, using ActivTrak, noticed suspicious activity against the organization's databases.

Several databases were accessed late at night, and the main culprit appears to be an internal employee.

What should be the incident responder's immediate step in order to prevent further malicious activity?


A. Block all access for the suspicious employee, including email, application accounts, physical access cards, and network credentials.

B. Inform senior management about the issue for further action.

C. Change the passwords of all systems without notifying the employee.

D. Disable the network connection for the whole organization until the situation is under control.


=75=

After identifying a compromised workstation at CyberFirm Inc., the incident handling team needs to transport the physical evidence to a secure location.

What is the primary consideration during this phase?


A. Ensure that the device is connected to the internet to monitor ongoing malicious activity.

B. Transport the evidence without its power source to avoid tampering.

C. Immediately start analyzing the evidence to understand the extent of the compromise.

D. Label the device with its original location, the handler's name, the date, and the time.


=76=

As an incident handler, you received an email that appeared suspicious.

You performed an email header analysis using the online tool MxToolbox.

The results showed "SPF Authenticated" as Failed, "DKIM Authenticated" as Failed, "SPF Alignment" as Pass, and "DKIM Alignment" as Pass.

According to these results, which of the following conclusions is most accurate?


A. The email is safe and legitimate because the SPF and DKIM alignments both passed.

B. The email is likely malicious because SPF and DKIM authentication both failed.

C. The email is likely malicious because SPF authentication failed, but safe because DKIM alignment passed.

D. The email is likely safe because SPF alignment passed, even though DKIM authentication failed.
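An added example covering both this question and question 68, not code from the original page: it parses an Authentication-Results header, checks identifier alignment against the From: domain, and applies the DMARC rule that a message passes only when SPF or DKIM passes and that same identifier aligns. The two messages, the sending domains (example.com, example.org), the receiver mx.example.net and the DMARC_POLICY table are constructed; the table stands in for the `_dmarc` TXT lookup a real receiver performs.

```python
"""Evaluate SPF and DKIM results together with identifier alignment, the way a
DMARC receiver does, for the header combinations in questions 68 and 76.
Added example, not code from the original page.  Both messages are
constructed, and DMARC_POLICY stands in for the `_dmarc` DNS record."""

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message for the SPF SoftFail / DKIM Neutral case (question 68).
MSG_SOFTFAIL_NEUTRAL = """\
Authentication-Results: mx.example.net;
 spf=softfail (mx.example.net: 198.51.100.7 is not a designated sender) smtp.mailfrom=example.com;
 dkim=neutral (signature syntax error) header.d=example.com
From: "Account Alerts" <alerts@example.com>
To: analyst@example.net
Subject: Action required

Please review the attached statement.
"""

# Constructed message for the SPF Fail / DKIM Fail but aligned case (question 76).
MSG_FAIL_FAIL_ALIGNED = """\
Authentication-Results: mx.example.net;
 spf=fail (mx.example.net: 203.0.113.9 is not permitted) smtp.mailfrom=billing@example.org;
 dkim=fail (signature verification failed) header.d=example.org
From: <billing@example.org>
To: analyst@example.net
Subject: Invoice overdue

Pay now.
"""

# Hypothetical DMARC policies for the two sending domains (constructed, not
# looked up in DNS).
DMARC_POLICY = {"example.com": "quarantine", "example.org": "reject"}


def parse_auth_results(value):
    """Return {method: (result, identifier_domain)} for the spf and dkim clauses."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop CFWS comments
    results = {}
    for clause in value.split(";")[1:]:              # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        prop = re.search(r"(?:smtp\.mailfrom|header\.d|header\.i)=(\S+)", clause)
        ident = prop.group(1) if prop else ""
        results[m.group(1)] = (m.group(2).lower(), ident.rsplit("@", 1)[-1].lower())
    return results


def aligned(identifier_domain, from_domain):
    """Relaxed alignment: same domain, or one is a subdomain of the other.
    Real DMARC compares organizational domains via the public suffix list;
    this suffix test is a simplification."""
    if not identifier_domain:
        return False
    return (identifier_domain == from_domain
            or identifier_domain.endswith("." + from_domain)
            or from_domain.endswith("." + identifier_domain))


def evaluate(raw_message):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    ar = parse_auth_results(msg["Authentication-Results"])
    spf, spf_domain = ar.get("spf", ("none", ""))
    dkim, dkim_domain = ar.get("dkim", ("none", ""))
    spf_aligned = aligned(spf_domain, from_domain)
    dkim_aligned = aligned(dkim_domain, from_domain)
    # DMARC passes only when a method passes AND its identifier aligns.  Alignment
    # alone proves nothing: a spoofer can put the victim domain in both MAIL FROM
    # and the From: header and align perfectly while failing SPF and DKIM.
    dmarc = "pass" if (spf == "pass" and spf_aligned) or (dkim == "pass" and dkim_aligned) else "fail"
    disposition = "deliver" if dmarc == "pass" else DMARC_POLICY.get(from_domain, "none")
    notes = []
    if spf == "softfail":
        notes.append(f"{from_domain} says the sending host is probably not authorized (~all)")
    if dkim == "neutral":
        notes.append("signature present but could not be verified; treat as unsigned")
    return {"from_domain": from_domain, "spf": spf, "dkim": dkim,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": dmarc, "disposition": disposition, "notes": notes}
```

For the question-68 headers the result is spf=softfail, dkim=neutral, DMARC fail; for the question-76 headers it is spf=fail, dkim=fail, DMARC fail even though both identifiers align. Alignment compares domains, not signatures, so "alignment pass" adds nothing once authentication has failed. What decides the disposition is the sending domain's published policy, and when that policy is p=none the message still goes to an analyst rather than being treated as legitimate.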


=77=

An Incident Handler is conducting a training session on implementing PGP for email security using Gpg4win in an organization.

She explains that securing email communication requires a sequence of steps such as creating a PGP key, generating a backup copy, creating a public key text document, and more.

The trainee is required to send an encrypted message from one email account to another.

At what point does the trainee need to encrypt the message to ensure that it is secure and confidential during transmission?


A. Just before sending the email from the second account to the first account.

B. Right after generating the PGP key and saving a backup copy.

C. Immediately after pasting the public key into a new text document.

D. As soon as the message is composed in the clipboard window.


=78=

As an EC-Council Certified Incident Handler (ECIH), you have been assigned to handle a malware incident in a large organization.

You have noticed that the malware starts at system boot and runs in the background without the user's knowledge.

You have access to tools such as WinPatrol and Driver Booster.

What should be your immediate course of action?


A. Use WinPatrol to analyze running tasks and end any suspicious tasks.

B. Use WinPatrol to monitor startup programs and control the execution of potentially malicious programs.

C. Monitor the system device drivers using Driver Booster to detect any malicious activity.

D. Use Driver Booster to scan for outdated drivers and update them immediately.
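An added example serving both this question and question 70, not code from the original page: it compares two snapshots of the Run and RunOnce keys the way Regshot's compare does, then scores each added or modified value with the checks a startup monitor applies before letting an entry run. The snapshots are constructed dictionaries in a simplified form, not Regshot's own output; the user name, value names and paths are hypothetical.

```python
"""Diff two snapshots of the Windows auto-start registry keys and flag entries
that look like malware persistence.  Added example, not code from the original
page.  The snapshots are constructed dictionaries, not Regshot output; the user
name, value names and paths are hypothetical."""

import re

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Snapshot taken before the suspicious process ran: {key: {value name: data}}.
BEFORE = {
    RUN_KEYS[0]: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"},
    RUN_KEYS[1]: {},
    RUN_KEYS[2]: {"OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    RUN_KEYS[3]: {},
}

# Snapshot taken after: a vendor agent added under HKLM, a new HKCU value that
# points into a user-writable directory, and OneDrive's command overwritten.
AFTER = {
    RUN_KEYS[0]: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
                  "VendorAgent": r'"C:\Program Files\Vendor\agent.exe" --tray'},
    RUN_KEYS[1]: {},
    RUN_KEYS[2]: {"OneDrive": r'"C:\Users\alice\AppData\Roaming\svchost.exe"',
                  "Windows Update": r'"C:\Users\alice\AppData\Roaming\svchost.exe"'},
    RUN_KEYS[3]: {},
}

# Heuristics: user-writable locations, script hosts used as launchers, and
# system image names living outside the Windows directory.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(r"\b(powershell|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
MASQUERADE = re.compile(r"\\(svchost|lsass|csrss|explorer|winlogon)\.exe", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"(%windir%|\\Windows\\)", re.IGNORECASE)


def diff_snapshots(before, after):
    """Regshot-style comparison restricted to the auto-start keys."""
    changes = []
    for key in RUN_KEYS:
        old, new = before.get(key, {}), after.get(key, {})
        for name, data in new.items():
            if name not in old:
                changes.append({"key": key, "name": name, "change": "added", "data": data})
            elif old[name] != data:
                changes.append({"key": key, "name": name, "change": "modified",
                                "data": data, "previous": old[name]})
        for name in old:
            if name not in new:
                changes.append({"key": key, "name": name, "change": "removed", "data": old[name]})
    return changes


def suspicion_reasons(data):
    """Why a startup command deserves a closer look.  These are leads, not
    verdicts: per-user software such as OneDrive legitimately lives under
    AppData\\Local, so analyst review decides."""
    reasons = []
    if USER_WRITABLE.search(data):
        reasons.append("executable in a user-writable directory")
    if SCRIPT_HOSTS.search(data):
        reasons.append("script host / LOLBin used as launcher")
    m = MASQUERADE.search(data)
    if m and not WINDOWS_DIR.search(data):
        reasons.append(f"{m.group(1)}.exe outside the Windows directory (name masquerade)")
    return reasons


def triage_startup_changes(before, after):
    """Added or modified auto-start values worth blocking and preserving; a
    startup monitor would prompt on exactly these before they run at next boot."""
    flagged = []
    for change in diff_snapshots(before, after):
        if change["change"] == "removed":
            continue
        reasons = suspicion_reasons(change["data"])
        if reasons:
            flagged.append({**change, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for c in triage_startup_changes(BEFORE, AFTER):
        print(f'{c["change"]:8} {c["key"]}\\{c["name"]} -> {c["data"]}: {"; ".join(c["reasons"])}')
```

The vendor agent under Program Files produces no reason and is left alone; the two HKCU entries are flagged for the same two reasons, and the modified OneDrive value is the more telling of them because of what it changed to. The file a flagged entry points at should be hashed and preserved before the entry is removed, since deleting the Run value first leaves the sample on disk but breaks the link that tied it to the boot-time behaviour being investigated.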


=79=

An international manufacturing company experienced a major security incident impacting its operational technology (OT) systems.

It was determined that the incident was caused by a sophisticated malware strain that infected the Programmable Logic Controllers (PLCs).

As an EC-Council Certified Incident Handler, what is your priority in handling OT-based security incidents in the future?


A. Update PLC firmware frequently to eliminate vulnerabilities.

B. Implement an intrusion prevention system (IPS) across the OT network.

C. Ensure regular backups of critical OT configurations and PLC programming.

D. Insist on complete segregation of IT and OT networks.


=80=

John, a system administrator, has been with the company for several years and has access to sensitive company data.

However, he has recently become disgruntled because he was denied a promotion.

He decides to seek revenge on the company by compromising its resources.

Which type of insider threat does John represent?


A. Privileged User

B. Accident-Prone Employee

C. Malicious Insider

D. Vulnerable Insider
