212-89 Exam Dumps : EC Council Certified Incident Handler (ECIH v3)

The ECIH Email Security Incident Handling module emphasizes email header analysis as a primary method for identifying spoofed or malicious emails. One of the most critical header elements is the originating IP address, which reveals where the email actually came from.

Option D is correct because tracing the originating IP and validating it through WHOIS provided definitive evidence that the email did not originate from a legitimate organizational source. This technique allows responders to distinguish between legitimate executive communications and impersonation attempts.

Option A is reactive and unreliable. Option B provides detection context but not attribution. Option C validates domain authentication but does not always reveal spoofing when credentials are compromised.

ECIH highlights that IP tracing combined with WHOIS analysis is a powerful verification method during executive impersonation investigations, making Option D correct.

In the scenario where your company sells Software as a Service (SaaS) and is hosted on the cloud using it as a Platform as a Service (PaaS), your company is responsible for eradicating malware in your customer's database. This is because, as the SaaS provider, your company manages the software and is responsible for its security and maintenance, including the databases that store customer data. While the PaaS provider is responsible for the underlying infrastructure, platform, and possibly some middleware security aspects, the application layer security, including data and application management, falls to the SaaS provider. Building management would not be involved in digital security matters, and while customers are responsible for their data, the actual software maintenance and security in a SaaS model are the provider's responsibility.

The ECIH Endpoint Security module identifies EDR systems as the cornerstone of modern endpoint incident response. Advanced attacks targeting intellectual property often bypass traditional antivirus controls.

Option C is correct because EDR provides continuous monitoring, behavioral detection, rapid containment, and automated response across endpoints. This capability is critical during high-risk periods such as product launches.

Options A, B, and D are important but insufficient alone for real-time detection and response.

Therefore, deploying a robust EDR system is essential.