EC-Council Certified Incident Handler v1.0

Page:    1 / 11   
Exam contains 167 questions

Risk management consists of three processes: risk assessment, mitigation and evaluation. Risk assessment determines the extent of the potential threat and the risk associated with an IT system throughout its SDLC. How many primary steps does NIST's risk assessment methodology involve?

  • A. Twelve
  • B. Four
  • C. Six
  • D. Nine


Answer : D

Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, a decline in performance, tardiness or unexplained absenteeism. Select the technique that helps in detecting insider threats:

  • A. Correlating known patterns of suspicious and malicious behavior
  • B. Protecting computer systems by implementing proper controls
  • C. Making it compulsory for employees to sign a non-disclosure agreement
  • D. Categorizing information according to its sensitivity and access rights


Answer : A

Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification/activation, recovery, reconstitution and plan appendices. What is the main purpose of the reconstitution plan?

  • A. To restore the original site, test systems to prevent the incident and terminate operations
  • B. To define the notification procedures and damage assessments and to offer the plan activation
  • C. To provide the introduction and detailed concept of the contingency plan
  • D. To provide a sequence of recovery activities with the help of recovery procedures


Answer : A

The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:

  • A. If the insider's technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant.
  • B. If the insider's technical literacy and process knowledge are high, the risk posed by the threat will be insignificant.
  • C. If the insider's technical literacy is high and process knowledge is low, the risk posed by the threat will be high.
  • D. If the insider's technical literacy and process knowledge are high, the risk posed by the threat will be high.


Answer : D

Which policy recommends controls for securing and tracking organizational resources:

  • A. Access control policy
  • B. Administrative security policy
  • C. Acceptable use policy
  • D. Asset control policy


Answer : D

Which one of the following is the correct sequence of stages in an incident response:

  • A. Containment - Identification - Preparation - Recovery - Follow-up - Eradication
  • B. Preparation - Identification - Containment - Eradication - Recovery - Follow-up
  • C. Eradication - Containment - Identification - Preparation - Recovery - Follow-up
  • D. Identification - Preparation - Containment - Recovery - Follow-up - Eradication


Answer : B

Organizations or incident response teams need to protect the evidence for any future legal actions that may be taken against perpetrators who intentionally attacked the computer system. Evidence protection is also required to meet legal compliance requirements. Which of the following documents helps in protecting evidence from physical or logical damage:

  • A. Network and host log records
  • B. Chain-of-Custody
  • C. Forensic analysis report
  • D. Chain-of-Precedence


Answer : B

Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?

  • A. Links the appropriate technology to the incident to ensure that the foundation's offices are returned to normal operations as quickly as possible
  • B. Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management
  • C. Applies the appropriate technology and tries to eradicate and recover from the incident
  • D. Focuses on the incident and handles it from a management and technical point of view


Answer : B

The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which a complete backup of the infected system is carried out.

  • A. Containment
  • B. Eradication
  • C. Incident recording
  • D. Incident investigation


Answer : A

In a qualitative risk analysis, risk is calculated in terms of:

  • A. (Attack Success + Criticality) - (Countermeasures)
  • B. Asset criticality assessment - (Risks and Associated Risk Levels)
  • C. Probability of Loss X Loss
  • D. (Countermeasures + Magnitude of Impact) - (Reports from prior risk assessments)


Answer : C

A computer virus hoax is a message warning the recipient of a non-existent computer virus. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know. Which of the following is NOT a symptom of a virus hoax message?

  • A. The message prompts the end user to forward it to his / her e-mail contact list and to gain monetary benefits by doing so
  • B. The message from a known email id is caught by SPAM filters due to a change of filter settings
  • C. The message warns the user to delete certain files if the user does not take appropriate action
  • D. The message prompts the user to install Anti-Virus


Answer : A

In which of the steps of NIST's risk assessment methodology are the boundary of the IT system, along with the resources and the information that constitute the system, identified?

  • A. Likelihood Determination
  • B. Control recommendation
  • C. System characterization
  • D. Control analysis


Answer : C

Adam, an employee of a multinational company, uses his company's accounts to send e-mails to a third party with a spoofed mail address. How can you categorize this type of incident?

  • A. Inappropriate usage incident
  • B. Unauthorized access incident
  • C. Network intrusion incident
  • D. Denial of Service incident


Answer : A

A security policy will take the form of a document or a collection of documents, depending on the situation or usage. It can become a point of reference in case a violation occurs that results in dismissal or another penalty. Which of the following is NOT true for a good security policy?

  • A. It must be enforceable with security tools where appropriate and with sanctions where actual prevention is not technically feasible
  • B. It must be approved by a court of law after verification of the stated terms and facts
  • C. It must be implemented through system administration procedures, publishing of acceptable use guidelines or other appropriate methods
  • D. It must clearly define the areas of responsibilities of the users, administrators and management


Answer : B

Incident handling and response steps help you to detect, identify, respond to and manage an incident. Which of the following helps in recognizing and separating the infected hosts from the information system?

  • A. Configuring the firewall to default settings
  • B. Inspecting the processes running on the system
  • C. Browsing particular government websites
  • D. Sending mails to only a group of friends


Answer : B
