Logan, an incident handler, ensures the chain of custody is documented while handling backup media post-attack. The goal is to preserve evidence integrity while restoring critical systems. Which recovery principle is Logan adhering to?
The EC-Council Incident Handler (ECIH) curriculum stresses the importance of maintaining evidence integrity during recovery operations. Documenting the chain of custody ensures that evidence remains admissible in legal proceedings and maintains forensic validity.
Chain of custody documentation tracks who handled the evidence, when it was accessed, how it was stored, and what actions were performed. This aligns directly with forensic compliance principles, which require proper evidence preservation, documentation, and controlled handling procedures.
While restoring systems, responders must ensure that backup media and affected systems are handled in a way that does not compromise evidence. ECIH emphasizes that recovery should not destroy or contaminate forensic artifacts that may be required for legal, regulatory, or disciplinary action.
Option B (Network segmentation) relates to containment strategies. Option C (Immutable infrastructure) refers to architectural resilience models. Option D (Enhanced authentication) concerns access control, not evidence handling.
Therefore, Logan is adhering to forensic compliance principles during recovery.
Dash wants to perform a DoS attack over 256 target URLs simultaneously.
Which of the following tools can Dash employ to achieve his objective?
High Orbit Ion Cannon (HOIC) is a tool designed to perform stress testing on networks or servers. It can launch a Distributed Denial of Service (DDoS) attack by enabling an attacker to overwhelm a target with HTTP POST and GET requests. HOIC's distinctive feature is its ability to attack multiple targets (up to 256 URLs simultaneously) with configurable HTTP flood attacks. This capability makes it a preferred choice for attackers aiming to disrupt services on a large scale. Unlike tools designed for debugging or vulnerability scanning (e.g., IDA Pro, OllyDbg, OpenVAS), HOIC is specifically crafted for launching DoS/DDoS attacks, making it the correct answer for Dash's objective.
John is a professional hacker who is performing an attack on the target organization in which he tries to redirect the connection between the IP address and its target server, so that when users type in the Internet address, they are redirected to a rogue website that resembles the original website. He attempts this attack using a cache poisoning technique. Identify the type of attack John is performing on the target organization.
Pharming is a cyber attack intended to redirect a website's traffic to another, bogus website. By poisoning a DNS server's cache, attackers can redirect users from the site they intended to visit to one that is malicious, without the user's knowledge or any action on their part, such as clicking a deceptive link. This technique is particularly insidious because it can affect well-intentioned users who type the correct URL into their browsers but are still redirected. War driving involves searching for wireless networks from a moving vehicle, skimming refers to stealing credit card information using a device placed on ATMs or point-of-sale terminals, and pretexting is a form of social engineering where the attacker lies to obtain privileged data.
Raven is a part of an IH&R team and was informed by her manager to handle and lead the removal of the root cause for an incident and to close all attack vectors to prevent similar incidents in the future. Raven notifies the service providers and developers of affected resources. Which of the following steps of the incident handling and response process does Raven need to implement to remove the root cause of the incident?
Eradication is the step in the incident handling and response process where the root cause of an incident is removed, and measures are taken to close all attack vectors to prevent similar incidents in the future. After an incident has been properly contained to stop it from spreading or causing further damage, the eradication phase focuses on eliminating the source of the incident. This could involve removing malware, closing vulnerabilities, or implementing stronger security measures to address the exploitation paths used by the attacker.
In the scenario with Raven, notifying service providers and developers of affected resources is part of the actions taken to address the root cause of the incident. This ensures that any vulnerabilities or issues that contributed to the incident are fixed. By working to remove the root cause and secure the system against similar attacks, Raven is effectively implementing the eradication step of the incident handling process.
Your company sells SaaS, and your company itself is hosted in the cloud (using it as a PaaS). In case of a malware incident in your customer's database, who is responsible for eradicating the malicious software?
In the scenario where your company sells Software as a Service (SaaS) and is hosted on the cloud using it as a Platform as a Service (PaaS), your company is responsible for eradicating malware in your customer's database. This is because, as the SaaS provider, your company manages the software and is responsible for its security and maintenance, including the databases that store customer data. While the PaaS provider is responsible for the underlying infrastructure, platform, and possibly some middleware security aspects, the application layer security, including data and application management, falls to the SaaS provider. Building management would not be involved in digital security matters, and while customers are responsible for their data, the actual software maintenance and security in a SaaS model are the provider's responsibility.