212-89 Exam Dumps : EC Council Certified Incident Handler (ECIH v3)

The EC-Council Incident Handler (ECIH) curriculum categorizes incidents such as unauthorized software installation and policy violations under inappropriate usage incidents. In this scenario, the activity originated from a legitimate internal workstation and user account, not an external third party.

The repeated login failures outside business hours combined with installation of an unauthorized remote desktop tool indicate a breach of acceptable use policy and potentially malicious intent. However, the key factor is that the actions were performed by an internal user using valid access credentials, making this an insider-related policy violation rather than an external unauthorized access attack.

Option A implies legitimate remote work within policy boundaries, which is contradicted by the unauthorized software installation. Option B suggests a third-party compromise, but logs indicate activity from an internal user account. Option D (DoS attack) involves service disruption via traffic flooding, which is not described here.

ECIH stresses enforcing acceptable use policies, monitoring user behavior, restricting unauthorized software installation, and applying least privilege controls to mitigate insider misuse. Therefore, this scenario best fits inappropriate usage due to policy violation and unauthorized software installation.

In the static data collection process, which is part of digital forensics and incident handling, the focus is on acquiring and examining digital evidence without altering the system or the data itself. This process includes evidence examination, where the data is analyzed; system preservation, where the current state of a system or data is maintained to ensure no alteration occurs; and evidence acquisition, which involves creating an exact binary copy of the digital evidence. Password protection, however, is not a part of the static data collection process. Instead, it relates to securing access to data or systems but does not directly involve the collection or preservation of static data for forensic purposes.

When an attacker installs a fake AP (Access Point) within a company's network, especially behind a firewall, this constitutes the deployment of a Rogue Access Point. Rogue APs are unauthorized wireless access points installed within a network without the network administrator's knowledge or consent. They pose a significant security risk because they can be used to intercept sensitive information, bypass network security configurations, and provide a gateway for attackers to enter the network undetected. This type of attack circumvents the security measures put in place by a company, including firewalls, by creating an illicit entry point into the network that is under the control of the attacker.