ECCouncil Updated 212-89 Exam Questions and Answers by aron

In incident response protocols, incidents are categorized based on their severity, impact, and the urgency of the response required. The categorization helps in prioritizing incident response activities and allocating resources accordingly. A CAT 1 (Category 1) incident is typically considered the highest priority, involving significant threats that require immediate response. Given the scenario where a malware incident in one of the largest social network companies must be reported within 1 hour of discovery/detection, this indicates a high-priority incident due to the potential widespread impact and the need for a rapid response to contain and mitigate the malware's spread. The urgency of the reporting timeframe suggests that the incident is considered critical, aligning with the characteristics of a CAT 1 incident, which necessitates immediate action to prevent significant damage or disruption to the company's operations and services.

This scenario describes an active malware infection with confirmed command-and-control (C2) communication, which represents an immediate and severe risk to sensitive financial data. According to the EC-Council ECIH malware incident handling process, the first priority in such cases is containment, specifically stopping ongoing malicious activity and preventing further data exfiltration.

Option A is correct because disconnecting the affected servers from the network immediately severs the attacker’s control channel and halts outbound data leakage. ECIH emphasizes that when C2 traffic is observed, responders must act decisively to isolate compromised systems before pursuing deeper forensic analysis or remediation. Containment minimizes damage and reduces legal, financial, and reputational impact.

Option B may preserve system state but allows continued exfiltration until shutdown is complete and may disrupt critical banking operations. Option C is a preventive measure and does not stop an active infection. Option D is valuable for investigation but should occur after containment, not before.

ECIH guidance consistently prioritizes stopping harm over gathering evidence when critical assets are at risk. Therefore, immediate network disconnection of affected servers is the correct triage action.

The EC-Council Incident Handler (ECIH) curriculum stresses that mobile malware often enters enterprise environments through sideloaded applications obtained from untrusted sources. Android devices that allow installation from unknown sources significantly increase organizational risk.

Mobile Device Management (MDM) solutions are recommended to enforce application control policies, including restricting installations to digitally signed applications from approved app stores. By enforcing signed app installation policies, organizations prevent the execution of tampered or malicious APK files.

Option A (remote tracking) assists with lost device recovery but does not prevent malicious installations. Option B (Bluetooth/NFC restriction) addresses wireless communication risks, not app integrity. Option C (full-disk encryption) protects stored data but does not stop malware from executing.

ECIH guidance highlights enforcing mobile security baselines, restricting unknown sources, implementing application whitelisting, and applying MDM-enforced controls to prevent sideloaded malware infections. Therefore, enforcing MDM policies that allow only signed app installations is the most effective preventive control.

In the context of incident handling, the "point of contact" list is essential for ensuring that Sheila, the incident handler working at night, can quickly notify the responsible personnel within the organization about the cyberattack. This list typically includes the contact information of key stakeholders and decision-makers who need to be informed about security incidents, allowing for timely communication, decision-making, and response coordination.