ECCouncil Updated 212-89 Exam Questions and Answers by olly

In the incident handling and response (IH&R) process, backing up the data on affected systems is a critical step that usually falls under the Containment phase. The Containment phase is crucial for limiting the scope and severity of an incident, ensuring that it does not spread further or affect additional systems. Backing up affected systems during containment is essential for several reasons: it preserves a snapshot of the system in its current state for forensic analysis, ensures that data is not lost if the system needs to be wiped or altered during the response process, and helps in the recovery process if data is corrupted or lost.

By performing a complete backup of the infected system during the Containment phase, Alice ensures that there is a reliable copy of all data and system states before any major actions, such as eradication or deeper forensic analysis, are taken. This step is also preparatory for the potential use of the backup in analyzing how the incident occurred and in restoring system functionality after the incident is resolved.

The guideline that helps incident handlers to eradicate insider attacks by privileged users is to ensure accountability by not enabling default administrative accounts. Instead, organizations should require administrators and privileged users to use individual accounts that can be audited and traced back to specific actions and users. This practice enhances security by ensuring that all actions taken on the system can be attributed to individual users, reducing the risk of misuse of privileges and making it easier to identify the source of malicious activities or policy violations. The other options listed either present insecure practices or misunderstandings of security protocols that would not help in eradicating insider attacks.

Forensic readiness refers to an organization's ability to maximize its capability to use digital evidence effectively in an investigation, while minimizing the cost of an investigation and disruption to its operations. It involves having policies, procedures, and technologies in place to collect, preserve, and analyze digital evidence efficiently, so when an incident occurs, the organization is prepared to handle it quickly and with minimal costs. Forensic readiness not only helps in reducing the time and resources spent on investigations but also ensures that the evidence is reliable and can be used in legal proceedings if necessary.

Static analysis involves examining the malware's memory dumps or binary codes without executing the code. This technique is used to find traces of malware by analyzing the code to understand its purpose, functionality, and potential impact. Static analysis allows for the identification of malicious signatures, strings, or other indicators of compromise within the malware's code. This method is contrasted with dynamic analysis, which studies the malware's behavior during execution, live system analysis, which examines running systems, and intrusion analysis, which focuses on detecting and analyzing breaches.