EC-Council Certified Incident Handler
What is an Incident Handler?
Incident handler is a term used to describe the activities of an organization to
identify, analyze, and correct hazards to prevent a future reoccurrence. These
incidents within a structured organization are normally dealt with by a either
an Incident Response Team (IRT), or an Incident Management Team (IMT). These
teams are often either designated beforehand, or during the event and are placed
in control of the organization while the incident is dealt with, in order to
retain business processes.
Become a Certified Incident Handler
The EC-Council Certified Incident Handler certification is designed to provide
the fundamental skills to handle and respond to computer security incidents in
an information system.
A Certified Incident Handler is a skilled professional who is able to handle
various types of incidents, risk assessment methodologies, and various laws and
policies related to incident handling. A certified Incident Handler will be able
to create incident handling and response policies and deal with various types of
computer security incidents such as network security incidents, malicious code
incidents, and insider attack threats.
The ECIH certification will provide professionals with greater industry
acceptance as the seasoned incident handler.
Certification Target Audience
This course will significantly benefit incident handlers, risk assessment
administrators, penetration testers, cyber forensic investigators, venerability
assessment auditors, system administrators, system engineers, firewall
administrators, network managers, IT managers, IT professionals, and anyone who
is interested in incident handling and response.
Exam Information
ECIH (Prefix 212-89) exam is available at the ECC Exam Center.
EC-Council reserves the right to revoke the certification status of candidates
that do not comply with all EC-Council examination policies found here.
ECIH Exam Details
Duration 3 Hours
Questions 100
Clause: Age Requirements and Policies Concerning Minors
The age requirement for attending the training or attempting the exam is
restricted to any candidate that is at least 18 years old.
If the candidate is under the age of 18, they are not eligible to attend the
official training or eligible to attempt the certification exam unless they
provide the accredited training center/EC-Council a written consent of their
parent/legal guardian and a supporting letter from their institution of higher
learning. Only applicants from nationally accredited institution of higher
learning shall be considered.
Disclaimer: EC-Council reserves the right to impose additional restriction to
comply with the policy. Failure to act in accordance with this clause shall
render the authorized training center in violation of their agreement with
EC-Council. EC-Council reserves the right to revoke the certification of any
person in breach of this requirement.
ECIH Exam Blueprint v1
Incident Response and Handling
•Information Security
•Computer Security
•Threat intelligence
•Risk Management
•Incident Handling
•Security Policies
Process Handling
•Incident Handling and Response
•Incident Readiness
•Security Auditing
•Security Incidents
•Forensic Investigation
•Eradication and Recovery
Forensic Readiness and First Response
•Computer Forensics
•Digital Evidence
•Forensic Readiness
•Preservation of Electronic Evidence
•Volatile Evidence
•Static Evidence
•Anti-forensics
Email Security Incidents
•Email Security
•Deceptive and Suspicious Email
•Email Incidents
•Phishing email
Application Level Incidents
•Web Application Threats & Vulnerabilities
•Web Attack
•Eradication of Web Applications
Network & Mobile Incidents
•Network Attacks
•Unauthorized Access
•Inappropriate Usage
•Denial-of-Service
•Wireless Network
•Mobile Platform Vulnerabilities and Risks
•Eradication of Mobile Incidents & Recovery
Insider Threats
•Insider Threats
•Eradication
•Detecting and Preventing Insider Threats
•Employee Monitoring Tools
Malware Incidents
• Malware
• Malware Incident Triage
• Malicious Code
Incidents Occurred in a Cloud Environment
• Cloud Computing Threats
• Security in Cloud Computing
• Eradication
• Recovery in Cloud
Question: 1
Which of the following terms may be defined as “a measure of possible inability
to achieve a goal,
objective, or target within a defined security, cost plan and technical
limitations that adversely
affects the organization’s operation and revenues?
A. Risk
B. Vulnerability
C. Threat
D. Incident Response
Answer: A
Question: 2
A distributed Denial of Service (DDoS) attack is a more common type of DoS
Attack, where a single
system is targeted by a large number of infected machines over the Internet. In
a DDoS attack,
attackers first infect multiple systems which are known as:
A. Trojans
B. Zombies
C. Spyware
D. Worms
Answer: B
Question: 3
The goal of incident response is to handle the incident in a way that
minimizes damage and reduces
recovery time and cost. Which of the following does NOT constitute a goal of
incident response?
A. Dealing with human resources department and various employee conflict
behaviors.
B. Using information gathered during incident handling to prepare for handling
future incidents in a better way and to provide stronger protection for systems
and data.
C. Helping personal to recover quickly and efficiently from security incidents,
minimizing loss or theft and disruption of services.
D. Dealing properly with legal issues that may arise during incidents.
Answer: A
Question: 4
An organization faced an information security incident where a disgruntled
employee passed
sensitive access control information to a competitor. The organization’s
incident response manager,
upon investigation, found that the incident must be handled within a few hours
on the same day to
maintain business continuity and market competitiveness. How would you
categorize such
information security incident?
A. High level incident
B. Middle level incident
C. Ultra-High level incident
D. Low level incident
Answer: A
Question: 5
Business continuity is defined as the ability of an organization to continue
to function even after a
disastrous event, accomplished through the deployment of redundant hardware and
software, the
use of fault tolerant systems, as well as a solid backup and recovery strategy.
Identify the plan which
is mandatory part of a business continuity plan?
A. Forensics Procedure Plan
B. Business Recovery Plan
C. Sales and Marketing plan
D. New business strategy plan
Answer: B
Question: 6
The flow chart gives a view of different roles played by the different
personnel of CSIRT. Identify the
incident response personnel denoted by A, B, C, D, E, F and G.
A. A-Incident Analyst, B- Incident Coordinator, C- Public Relations,
D-Administrator, E- Human
Resource, F-Constituency, G-Incident Manager
B. A- Incident Coordinator, B-Incident Analyst, C- Public Relations,
D-Administrator, E- Human
Resource, F-Constituency, G-Incident Manager
C. A- Incident Coordinator, B- Constituency, C-Administrator, D-Incident
Manager, E- Human
Resource, F-Incident Analyst, G-Public relations
D. A- Incident Manager, B-Incident Analyst, C- Public Relations,
D-Administrator, E- Human Resource,
F-Constituency, G-Incident Coordinator
Answer: C
Question: 7
Which of the following is an appropriate flow of the incident recovery steps?
A. System Operation-System Restoration-System Validation-System Monitoring
B. System Validation-System Operation-System Restoration-System Monitoring
C. System Restoration-System Monitoring-System Validation-System Operations
D. System Restoration-System Validation-System Operations-System Monitoring
Answer: D
Question: 8
A computer Risk Policy is a set of ideas to be implemented to overcome the risk
associated with
computer security incidents. Identify the procedure that is NOT part of the
computer risk policy?
A. Procedure to identify security funds to hedge risk
B. Procedure to monitor the efficiency of security controls
C. Procedure for the ongoing training of employees authorized to access the
system
D. Provisions for continuing support if there is an interruption in the system
or if the system crashes
Answer: C
Question: 9
Identify the network security incident where intended authorized users are
prevented from using
system, network, or applications by flooding the network with high volume of
traffic that consumes
all existing network resources.
A. URL Manipulation
B. XSS Attack
C. SQL Injection
D. Denial of Service Attack
Answer: D
Question: 10
Incident handling and response steps help you to detect, identify, respond and
manage an incident.
Which of the following steps focus on limiting the scope and extent of an
incident?
A. Eradication
B. Containment
C. Identification
D. Data collection
Answer: B
Click here to
view complete Q&A of 212-89 exam
Certkingdom Review,
Certkingdom PDF Torrents
Best ECCouncil ECIH 212-89 Certification, ECCouncil ECIH 212-89 Training at certkingdom.com