Zion belongs to a category of employees who are responsible for implementing and managing the physical security equipment installed around the facility. He was instructed by the management to check the functionality of equipment related to physical security.
Identify the designation of Zion.
A. Supervisor
B. Chief information security officer
C. Guard
D. Safety officer
Correct Answer: C
Explanation: The correct answer is C. A guard is a person who is responsible for implementing and managing the physical security equipment installed around the facility. A guard typically performs tasks such as checking the functionality of equipment related to physical security, monitoring the surveillance cameras and alarms, controlling access to restricted areas, and responding to emergencies or incidents. In the above scenario, Zion belongs to this category of employees.
Option A is incorrect. A supervisor is a person who is responsible for overseeing and directing the work of other employees, performing tasks such as assigning tasks and responsibilities to employees, evaluating their performance and productivity, providing feedback and guidance, and resolving conflicts or issues among them. Zion does not belong to this category of employees.
Option B is incorrect. A chief information security officer (CISO) is a person who is responsible for establishing and maintaining the security vision, strategy, and program for an organization, performing tasks such as developing and implementing security policies and standards, managing security risks and compliance, leading security teams and projects, and communicating with senior management and stakeholders. Zion does not belong to this category of employees.
Option D is incorrect. A safety officer is a person who is responsible for ensuring that health and safety regulations are followed in an organization, performing tasks such as conducting safety inspections and audits, identifying and eliminating hazards and risks, providing safety training and awareness, and reporting and investigating accidents or incidents. Zion does not belong to this category of employees.
References: Section 7.1
Question 22:
The incident handling and response (IHandR) team of an organization was handling a recent cyberattack on the organization's web server. Fernando, a member of the IHandR team, was tasked with eliminating the root cause of the incident and closing all attack vectors to prevent similar incidents in the future. For this purpose, Fernando applied the latest patches to the web server and installed the latest security mechanisms on it. Identify the IHandR step performed by Fernando in this scenario.
A. Notification
B. Containment
C. Recovery
D. Eradication
Correct Answer: D
Explanation: Eradication is the IHandR step performed by Fernando in this scenario. Eradication is a step in IHandR that involves eliminating the root cause of the incident and closing all attack vectors to prevent similar incidents in the future.
Eradication can include applying patches, installing security mechanisms, removing malware, restoring backups, or reformatting systems.
References: [Eradication Step in IHandR]
Question 23:
Cairo, an incident responder, was handling an incident observed in an organizational network. After performing all IHandR steps, Cairo initiated post-incident activities. He determined all types of losses caused by the incident by identifying and evaluating all affected devices, networks, applications, and software. Identify the post-incident activity performed by Cairo in this scenario.
A. Incident impact assessment
B. Close the investigation
C. Review and revise policies
D. Incident disclosure
Correct Answer: A
Explanation: Incident impact assessment is the post-incident activity performed by Cairo in this scenario. Incident impact assessment is a post-incident activity that involves determining all types of losses caused by the incident by identifying and evaluating all affected devices, networks, applications, and software. Incident impact assessment can include measuring financial losses, reputational damages, operational disruptions, legal liabilities, or regulatory penalties. References: Incident Impact Assessment
Question 24:
Finley, a security professional at an organization, was tasked with monitoring the organizational network behavior through the SIEM dashboard. While monitoring, Finley noticed suspicious activities in the network; thus, he captured and analyzed a single network packet to determine whether the signature included malicious patterns. Identify the attack signature analysis technique employed by Finley in this scenario.
A. Context-based signature analysis
B. Atomic-signature-based analysis
C. Composite signature-based analysis
D. Content-based signature analysis
Correct Answer: D
Explanation: Content-based signature analysis is the attack signature analysis technique employed by Finley in this scenario. Content-based signature analysis is a technique that captures and analyzes a single network packet to determine whether the signature includes malicious patterns. Content-based signature analysis can be used to detect known attacks, such as buffer overflows, SQL injections, or cross-site scripting. References: Content-Based Signature Analysis
Question 25:
The IHandR team in an organization was handling a recent malware attack on one of the hosts connected to the organization's network. Edwin, a member of the IHandR team, was involved in reinstating lost data from the backup media. Before performing this step, Edwin ensured that the backup does not have any traces of malware. Identify the IHandR step performed by Edwin in the above scenario.
A. Eradication
B. Incident containment
C. Notification
D. Recovery
Correct Answer: D
Explanation: Recovery is the IHandR step performed by Edwin in the above scenario. IHandR (Incident Handling and Response) is a process that involves identifying, analyzing, containing, eradicating, recovering from, and reporting on security incidents that affect an organization's network or system. Recovery is the IHandR step that involves restoring the normal operation of the system or network after eradicating the incident. Recovery can include reinstating lost data from the backup media, applying patches or updates, reconfiguring settings, testing functionality, etc. Recovery also involves ensuring that the backup does not have any traces of malware or compromise. Eradication is the IHandR step that involves removing all traces of the incident from the system or network, such as malware, backdoors, compromised files, etc. Incident containment is the IHandR step that involves implementing appropriate measures to stop the infection from spreading to other organizational assets and to prevent further damage to the organization. Notification is the IHandR step that involves informing relevant stakeholders, authorities, or customers about the incident and its impact.
Question 26:
Gideon, a forensic officer, was examining a victim's Linux system suspected to be involved in online criminal activities. Gideon navigated to a directory containing a log file that recorded information related to user login/logout. This information helped Gideon to determine the current login state of cyber criminals in the victim system. Identify the Linux log file accessed by Gideon in this scenario.
A. /var/log/mysqld.log
B. /var/log/wtmp
C. /var/log/boot.log
D. /var/log/httpd/
Correct Answer: B
Explanation: /var/log/wtmp is the Linux log file accessed by Gideon in this scenario. /var/log/wtmp is a log file that records information related to user login/logout, such as username, terminal, IP address, and login time. /var/log/wtmp can be used to determine the current login state of users in a Linux system. /var/log/wtmp can be viewed using commands such as last, lastb, or utmpdump. References: Linux Log Files
Question 27:
A software company is developing a new software product by following the best practices for secure application development. Dawson, a software analyst, is checking the performance of the application on the client's network to determine whether end users are facing any issues in accessing the application.
Which of the following tiers of a secure application development lifecycle involves checking the performance of the application?
A. Development
B. Testing
C. Quality assurance (QA)
D. Staging
Correct Answer: B
Explanation: The testing tier of a secure application development lifecycle involves checking the performance of the application on the client's network to determine whether end users are facing any issues in accessing the application. Testing is a crucial phase of software development that ensures the quality, functionality, reliability, and security of the application. Testing can be done manually or automatically using various tools and techniques, such as unit testing, integration testing, system testing, regression testing, performance testing, usability testing, security testing, and acceptance testing.
Question 28:
Tristan, a professional penetration tester, was recruited by an organization to test its network infrastructure. The organization wanted to understand its current security posture and its strength in defending against external threats. For this purpose, the organization did not provide any information about their IT infrastructure to Tristan. Thus, Tristan initiated zero-knowledge attacks, with no information or assistance from the organization.
Which of the following types of penetration testing has Tristan initiated in the above scenario?
A. Black-box testing
B. White-box testing
C. Gray-box testing
D. Translucent-box testing
Correct Answer: A
Explanation: Black-box testing is a type of penetration testing where the tester has no prior knowledge of the target system or network and initiates zero-knowledge attacks, with no information or assistance from the organization. Black-box testing simulates the perspective of an external attacker who tries to find and exploit vulnerabilities without any insider information. Black-box testing can help identify unknown or hidden vulnerabilities that may not be detected by other types of testing. However, black-box testing can also be time-consuming, costly, and incomplete, as it depends on the tester's skills and tools.
Question 29:
A RAT has been set up on one of the machines connected to the network to steal the sensitive corporate docs located on the Desktop of the server. Further investigation revealed the IP address of the server to be 20.20.10.26. Initiate a remote connection using the Thief client and determine the number of files present in the folder.
Hint: The Thief folder is located at: Z:\CCT-Tools\CCT Module 01 Information Security Threats and Vulnerabilities\Remote Access Trojans (RAT)\Thief of Attacker Machine-1.
A. 2
B. 4
C. 3
D. 5
Correct Answer: C
Explanation: 3 is the number of files present in the folder in the above scenario. A RAT (Remote Access Trojan) is a type of malware that allows an attacker to remotely access and control a compromised system or network. A RAT can be used to steal sensitive data, spy on user activity, execute commands, install other malware, etc. To initiate a remote connection using the Thief client, one has to follow these steps:
Navigate to the Thief folder located at Z:\CCT-Tools\CCT Module 01 Information Security Threats and Vulnerabilities\Remote Access Trojans (RAT)\Thief of Attacker Machine-1.
Double-click on the thief.exe file to launch the Thief client.
Enter 20.20.10.26 as the IP address of the server.
Enter 1234 as the port number.
Click on the Connect button.
After establishing a connection with the server, click on the Browse button.
Navigate to the Desktop folder on the server.
Count the number of files present in the folder.
The number of files present in the folder is 3, which are:
Sensitive corporate docs.docx
Sensitive corporate docs.pdf
Sensitive corporate docs.txt
Question 30:
Hayes, a security professional, was tasked with the implementation of security controls for an industrial network at the Purdue level 3.5 (IDMZ). Hayes verified all the possible attack vectors on the IDMZ level and deployed a security control that fortifies the IDMZ against cyber-attacks.
Identify the security control implemented by Hayes in the above scenario.
A. Point-to-point communication
B. MAC authentication
C. Anti-DoS solution
D. Use of authorized RTU and PLC commands
Correct Answer: D
Explanation: The use of authorized RTU and PLC commands is the security control implemented by Hayes in the above scenario. RTU (Remote Terminal Unit) and PLC (Programmable Logic Controller) are devices that control and monitor industrial processes, such as power generation, water treatment, oil and gas production, etc. RTU and PLC commands are instructions that are sent from a master station to a slave station to perform certain actions or request certain data. The use of authorized RTU and PLC commands is a security control that fortifies the IDMZ (Industrial Demilitarized Zone) against cyber-attacks by ensuring that only valid and authenticated commands are executed by the RTU and PLC devices. Point-to-point communication is a communication method that establishes a direct connection between two endpoints. MAC authentication is an authentication method that verifies the MAC (Media Access Control) address of a device before granting access to a network. An anti-DoS solution is a security solution that protects a network from DoS (Denial-of-Service) attacks by filtering or blocking malicious traffic.