Home
Eccouncil
212-89: EC-Council Certified Incident Handler v3 Dumps

Free Eccouncil 212-89 Exam Dumps June 2026

Here you can find all the free questions related with Eccouncil EC-Council Certified Incident Handler v3 (212-89) exam. You can also find on this page links to recently updated premium files with which you can practice for actual Eccouncil EC-Council Certified Incident Handler v3 Exam. These premium versions are provided as 212-89 exam practice tests, both as desktop software and browser based application, you can use whatever suits your style. Feel free to try the EC-Council Certified Incident Handler v3 Exam premium files for free, Good luck with your Eccouncil EC-Council Certified Incident Handler v3 Exam.

Question No: 1

MultipleChoice

An organization suffers a financial loss after an executive responds to a fraudulent email crafted as part of a spear phishing attack. After isolating affected systems and notifying internal stakeholders, the incident response team prepares a detailed report outlining the attack timeline, suspicious IP addresses, email metadata, phone scam details, and the amount lost. This report is forwarded to a government agency specializing in cybercrime to aid further investigation and potential restitution. Which aspect of the recovery process is the organization addressing?

Options

ALegal escalation and investigation support

BData redundancy planning

CEndpoint protection deployment

DInternal server reconfiguration
Comprehensive and Detailed Explanation (ECIH-aligned):
This scenario reflects the post-incident recovery and reporting phase outlined in the ECIH curriculum. After containment and eradication, organizations must address legal, regulatory, and investigative requirements, especially when financial fraud and executive compromise are involved.
Option A is correct because forwarding detailed incident reports to a government cybercrime agency constitutes legal escalation and investigation support. ECIH stresses the importance of cooperation with law enforcement in cases involving fraud, financial loss, or cross-border criminal activity. Proper documentation supports potential prosecution, restitution efforts, and regulatory compliance.
Options B, C, and D are technical recovery actions unrelated to legal follow-up.
By engaging authorities with verified evidence, the organization fulfills its recovery obligations beyond technical remediation, aligning with ECIH best practices.

Answer
A

Question No: 2

MultipleChoice

Shally, an incident handler, is working for a company named Texas Pvt. Ltd. based in

Florida. She was asked to work on an incident response plan. As part of the plan, she

decided to enhance and improve the security infrastructure of the enterprise. She has

incorporated a security strategy that allows security professionals to use several

protection layers throughout their information system. Due to multiple layer protection,

this security strategy assists in preventing direct attacks against the organization's

information system as a break in one layer only leads the attacker to the next layer.

Identify the security strategy Shally has incorporated in the incident response plan.

Options

ADefense-in-depth

BThree-way handshake

CCovert channels

DExponential backoff algorithm
Shally has incorporated the Defense-in-depth strategy into the incident response plan for Texas Pvt. Ltd. Defense-in-depth is a layered security approach that involves implementing multiple security measures and controls throughout an information system. This strategy is designed to provide several defensive barriers to protect against threats and attacks, ensuring that if one layer is compromised, others still provide protection. The goal is to create a multi-faceted defense that addresses potential vulnerabilities in various areas, including physical security, network security, application security, and user education.

Answer
A

Question No: 3

MultipleChoice

Who is mainly responsible for providing proper network services and handling network-related incidents in all the cloud service models?

Options

ACloud consumer

BCloud auditor

CCloud brokers

DCloud service provide
In cloud computing environments, the responsibility for providing and managing network services, as well as handling incidents related to these services, primarily falls on the cloud service provider. This includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) models. The cloud service provider is tasked with ensuring the availability, integrity, and security of the network services they offer. This responsibility includes managing and responding to incidents that may affect these services, ranging from security breaches to performance issues. The cloud service provider employs a variety of tools and techniques to monitor the network, identify potential threats, and implement corrective actions to mitigate any impact on the services and their users.

Answer
D

Question No: 4

MultipleChoice

In which of the following phases of the incident handling and response (IH&R) process is the identified security incidents analyzed, validated, categorized, and prioritized?

Options

AIncident triage

BIncident recording and assignment

CContainment

DNotification
Incident triage is the phase in the Incident Handling and Response (IH&R) process where identified security incidents are analyzed, validated, categorized, and prioritized. This step is crucial for determining the severity of incidents and deciding on the order in which they should be addressed. During triage, incident handlers assess the impact, urgency, and potential harm of an incident to prioritize their response efforts effectively. This ensures that resources are allocated efficiently, and the most critical incidents are handled first. Incident recording and assignment involve logging incidents and assigning them to handlers, containment focuses on limiting the extent of damage, and notification involves informing stakeholders about the incident.

Answer
A

Question No: 5

MultipleChoice

Joseph is an incident handling and response (IH&R) team lead in Toro Network Solutions Company. As a part of IH&R process, Joseph alerted the service providers,

developers, and manufacturers about the affected resources.

Identify the stage of IH&R process Joseph is currently in.

Options

AEradication

BContainment

CIncident triage

DRecovery

Answer
BExplanation

When Joseph, the IH&R team lead, alerted service providers, developers, and manufacturers about the affected resources, he was engaged in the Containment stage of the Incident Handling and Response (IH&R) process. Containment involves taking steps to limit the spread or impact of an incident and to isolate affected systems to prevent further damage. Alerting relevant stakeholders, including service providers and developers, is part of containment efforts to ensure that the threat does not escalate and that measures are taken to protect unaffected resources. This stage precedes eradication and recovery, focusing on immediate response actions to secure the environment. Reference: The ECIH v3 certification program outlines the IH&R process stages, explaining the roles and actions involved in containment, including communication with external and internal stakeholders to manage and mitigate the incident's effects.

Question No: 6

MultipleChoice

Identify the network security incident where intended or authorized users are prevented from using system, network, or applications by flooding the network with a

high volume of traffic that consumes all existing network resources.

Options

AXSS attack

BDenial-of-service

CURL manipulation

DSQL injection

Answer
BExplanation

A Denial-of-Service (DoS) attack is characterized by flooding the network with a high volume of traffic to consume all available network resources, preventing intended or authorized users from accessing system, network, or applications. This type of attack aims to overwhelm the target's capacity to handle incoming requests, causing a denial of access to legitimate users. Unlike XSS (Cross-Site Scripting) attacks, URL manipulation, or SQL injection, which exploit vulnerabilities in web applications for unauthorized data access or manipulation, a DoS attack specifically targets the availability of services. Reference: Incident Handler (ECIH v3) courses and study guides cover various types of network security incidents, including Denial-of-Service attacks, detailing their impact on network resources and services.

Question No: 7

MultipleChoice

Clark is investigating a cybercrime at TechSoft Solutions. While investigating the case,

he needs to collect volatile information such as running services, their process IDs,

startmode, state, and status.

Which of the following commands will help Clark to collect such information from

running services?

Options

AOpenfiles

Bnetstat --ab

Cwmic

Dnet file

Answer
CExplanation

WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a unified interface for Windows management tasks, including the collection of system information. It allows administrators and forensic investigators to query the live system for information about running services, their process IDs, start modes, states, and statuses, among other data. The use of WMIC is particularly valuable in incident response scenarios for gathering volatile information from a system without having to install additional software, which might alter the state of the system being investigated. By executing specific WMIC commands, Clark can extract detailed information about the services running on a system at the time of the investigation, making it an essential tool for collecting volatile data in a forensically sound manner.

Question No: 8

MultipleChoice

Stenley is an incident handler working for Texa Corp. located in the United States. With the growing concern of increasing emails from outside the organization, Stenley was

asked to take appropriate actions to keep the security of the organization intact. In the process of detecting and containing malicious emails, Stenley was asked to check the

validity of the emails received by employees.

Identify the tools he can use to accomplish the given task.

Options

APointofMail

BEmail Dossier

CPoliteMail

DEventLog Analyzer

Answer
BExplanation

Email Dossier is a tool designed to perform detailed investigations on email messages to verify their authenticity and trace their origin. It can analyze email headers and provide information about the route an email has taken, the servers it passed through, and potentially malicious links or origins. For an incident handler like Stenley, tasked with verifying the validity of emails and containing malicious email threats, Email Dossier serves as a practical tool for analyzing and validating emails received by employees. By using this tool, Stenley can identify fraudulent or suspicious emails, thereby helping to protect the organization from phishing attacks, malware distribution, and other email-based threats.

Question No: 9

MultipleChoice

Which of the following is not a best practice to eliminate the possibility of insider attacks?

Options

ADisable the users from installing unauthorized software or accessing malicious websites using the corporate network

BMonitor employee behaviors and the computer systems used by employees

CImplement secure backup and disaster recovery processes for business continuity

DAlways leave business details over voicemail or email broadcast message

Answer
DExplanation

Leaving sensitive business details over voicemail or sending them out through email broadcast messages is not a best practice for security. This approach significantly increases the risk of information leakage and unauthorized access to critical business information. Such practices can be exploited by insiders to conduct malicious activities, including data theft, fraud, or sabotage. The best practices for mitigating insider threats involve implementing strict access controls, monitoring and auditing employee actions, securing communications, and ensuring that sensitive information is only shared through secure and authorized channels. Encouraging or allowing the practice of leaving sensitive business details in such insecure manners contradicts the principles of information security and increases the vulnerability to insider attacks.

Question No: 10

MultipleChoice

Computer forensics is methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and or digital media that can be presented in a course of law in a coherent and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics process:

Options

AExamination> Analysis > Preparation > Collection > Reporting

BPreparation > Analysis > Collection > Examination > Reporting

CAnalysis > Preparation > Collection > Reporting > Examination

DPreparation > Collection > Examination > Analysis > Reporting

Answer
D

Question No: 11

MultipleChoice

Risk is defined as the probability of the occurrence of an incident. Risk formulation generally begins with the likeliness of an event's occurrence, the harm it may cause and is usually denoted as Risk = (events)X(Probability of occurrence)X?

Options

AMagnitude

BProbability

CConsequences

DSignificance

Answer
A

Question No: 12

MultipleChoice

Incident handling and response steps help you to detect, identify, respond and manage an incident. Which of the following steps focus on limiting the scope and extent of an incident?

Options

AEradication

BContainment

CIdentification

DData collection

Answer
B

Question No: 13

MultipleChoice

Which of the following is an appropriate flow of the incident recovery steps?

Options

ASystem Operation-System Restoration-System Validation-System Monitoring

BSystem Validation-System Operation-System Restoration-System Monitoring

CSystem Restoration-System Monitoring-System Validation-System Operations

DSystem Restoration-System Validation-System Operations-System Monitoring

Answer
D

Question No: 14

MultipleChoice

A computer Risk Policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is NOT part of the computer risk policy?

Options

AProcedure to identify security funds to hedge risk

BProcedure to monitor the efficiency of security controls

CProcedure for the ongoing training of employees authorized to access the system

DProvisions for continuing support if there is an interruption in the system or if the system crashes

Answer
C

Question No: 15

MultipleChoice

The flow chart gives a view of different roles played by the different personnel of CSIRT. Identify the incident response personnel denoted by A, B, C, D, E, F and G.

Options

AA-Incident Analyst, B- Incident Coordinator, C- Public Relations, D-Administrator, E- Human Resource, F-Constituency, G-Incident Manager

BA- Incident Coordinator, B-Incident Analyst, C- Public Relations, D-Administrator, E- Human Resource, F-Constituency, G-Incident Manager

CA- Incident Coordinator, B- Constituency, C-Administrator, D-Incident Manager, E- Human Resource, F-Incident Analyst, G-Public relations

DA- Incident Manager, B-Incident Analyst, C- Public Relations, D-Administrator, E- Human Resource, F-Constituency, G-Incident Coordinator

Answer
C

Question No: 16

MultipleChoice

Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault tolerant systems, as well as a solid backup and recovery strategy. Identify the plan which is mandatory part of a business continuity plan?

Options

AForensics Procedure Plan

BBusiness Recovery Plan

CSales and Marketing plan

DNew business strategy plan

Answer
B

Question No: 17

MultipleChoice

An organization faced an information security incident where a disgruntled employee passed sensitive access control information to a competitor. The organization's incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such information security incident?

Options

AHigh level incident

BMiddle level incident

CUltra-High level incident

DLow level incident

Answer
A

Question No: 18

MultipleChoice

The goal of incident response is to handle the incident in a way that minimizes damage and reduces recovery time and cost. Which of the following does NOT constitute a goal of incident response?

Options

ADealing with human resources department and various employee conflict behaviors.

BUsing information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data.

CHelping personal to recover quickly and efficiently from security incidents, minimizing loss or theft and disruption of services.

DDealing properly with legal issues that may arise during incidents.

Answer
A

Question No: 19

MultipleChoice

Which of the following terms may be defined as ''a measure of possible inability to achieve a goal, objective, or target within a defined security, cost plan and technical limitations that adversely affects the organization's operation and revenues?

Options

ARisk

BVulnerability

CThreat

DIncident Response

Answer
A

Question No: 20

MultipleChoice

A distributed Denial of Service (DDoS) attack is a more common type of DoS Attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as:

Options

ATrojans

BZombies

CSpyware

DWorms

Answer
B

Limited Time Offer

25%

Off

Get Premium 212-89 Questions as Interactive Web-Based Practice Test or PDF