ECCouncil 212-89 Dumps Questions Answers

This scenario demonstrates a preventive containment action during an email security incident. The ECIH Email Security Incident Handling module emphasizes that once phishing is identified, responders should immediately prevent further delivery to reduce organizational exposure.

Option A is correct because Lena removes malicious emails from the mail server’s delivery queue before users receive them. This action directly reduces risk by preventing additional users from clicking malicious links or submitting credentials. ECIH identifies email purging as a critical containment technique during active phishing campaigns.

Option B is an investigative action, not containment. Option C applies after delivery and compromise. Option D addresses already compromised accounts rather than preventing exposure.

By stopping malicious emails before delivery, Lena aligns with ECIH best practices for rapid containment of email-based threats.

This scenario represents a failure in the Preparation phase of the Incident Handling and Response (IH&R) lifecycle as defined by the EC-Council ECIH curriculum. Preparation focuses on establishing policies, procedures, standards, and awareness programs that define how systems and data must be used and protected. In this case, employees were sharing credentials via unauthorized channels because the organization failed to provide explicit rules governing acceptable communication practices.

Option C is correct because establishing defined protocols for approved digital channels directly addresses the root cause. ECIH emphasizes that organizations must define acceptable use policies, secure communication standards, and data handling procedures before incidents occur. These controls reduce the likelihood of human error and insider misuse by setting clear expectations and enforceable boundaries.

Option A relates to physical surveillance risks, which are unrelated to credential sharing. Option B is a recovery-focused control and does not prevent misuse. Option D is a detection mechanism that cannot compensate for missing governance controls.

By defining approved channels and educating users on their proper use, organizations significantly reduce the probability of credential leakage and insider-driven incidents, fulfilling a core ECIH preparation requirement.

Centralized logging and monitoring is a core best practice in cloud incident detection and response under ECIH. Cloud environments are distributed and dynamic, making visibility a major challenge.

Option C is correct because aggregating logs from multiple cloud platforms enables correlation, faster detection, and effective incident triage. ECIH emphasizes centralized visibility as essential for identifying cross-platform threats.

Options A and D are limited in scope. Option B does not address cloud-specific risks.