ECCouncil ICS-SCADA ICS/SCADA Cyber Security Exam Exam Practice Test

Enumeration is a step in the information-gathering phase of a penetration test or cyber attack where an attacker actively engages with the target to extract detailed information, including IP addressing.

Enumeration: During enumeration, the attacker interacts with network services to gather information such as user accounts, network shares, and IP addresses.

Techniques: Common techniques include using tools like Nmap, Netcat, and Nessus to scan for open ports, services, and to identify the IP addresses in use.

Purpose: The goal is to map the network's structure, find potential entry points, and understand the layout of the target environment.

Because enumeration involves discovering detailed information including IP addresses, it is the correct answer.

References

"Enumeration in Ethical Hacking," GeeksforGeeks, Enumeration.

"Network Enumeration," Wikipedia,Network Enumeration.

IPsec (Internet Protocol Security) primarily operates in two modes: Transport mode and Tunnel mode.

Transport mode: Encrypts only the payload of each packet, leaving the header untouched. This mode is typically used for end-to-end communication between two systems.

Tunnel mode: Encrypts both the payload and the header of each IP packet, which is then encapsulated into a new IP packet with a new header. Tunnel mode is often used for network-to-network communications (e.g., between two gateways) or between a remote client and a gateway.

References

"Security Architecture for the Internet Protocol," RFC 4301.

"IPsec Modes of Operation," by Internet Engineering Task Force (IETF).

The Authentication Header (AH) is a component of the IPsec protocol suite that provides authentication and integrity to the communications. AH ensures that the contents of the communications have not been altered in transit (integrity) and verifies the sending and receiving parties (authentication). However, AH does not provide confidentiality, which would involve encrypting the payload data. Confidentiality is provided by the Encapsulating Security Payload (ESP), another component of IPsec.References:

RFC 4302, "IP Authentication Header".

Modbus TCP is a variant of the Modbus family of simple, networked protocols aimed at industrial automation applications. Unlike the original Modbus protocol, which runs over serial links, Modbus TCP runs over TCP/IP networks.

Port 502 is the standard TCP port used for Modbus TCP communications. This port is designated for Modbus messages encapsulated in a TCP/IP wrapper, facilitating communication between Modbus devices and management systems over an IP network.

Knowing the correct port number is crucial for network configuration, security settings, and troubleshooting communications within a Modbus-enabled ICS/SCADA environment.

References

Modbus Organization, "MODBUS Application Protocol Specification V1.1b3".

"Modbus TCP/IP – A Comprehensive Network protocol," by Schneider Electric.

The IT Security Model commonly refers to the CIA Triad, which stands for Confidentiality, Integrity, and Availability.

An attack on "Availability" is aimed at disrupting the normal functioning and access to data or resources in a network. This type of attack can include actions such as DDoS (Distributed Denial of Service), where overwhelming traffic is sent to a system to make it unresponsive.

The main goal of attacks on availability is to prevent legitimate users from accessing systems or information, which can have significant implications for business operations and security.

References

Understanding the CIA Triad in Cybersecurity: https://www.cyber.gov.au/acsc/view-all-content/publications/cia-triad

Denial of Service – What it is and how to prevent it: https://www.us-cert.gov/ncas/tips/ST04-015

Among the options listed, Nessus is primarily a vulnerability assessment tool, not an exploit tool. It is used to scan systems, networks, and applications to identify vulnerabilities but does not exploit them. On the other hand, Canvas, Core Impact, and Metasploit are exploit tools designed to actually perform attacks (safely and legally) to demonstrate the impact of vulnerabilities.References:

Tenable, Inc., "Nessus FAQs".

The term "Dropper" in cybersecurity refers to a small piece of software used in malware deployment that is designed to install or "drop" malware (like viruses, ransomware, spyware) onto the target system.

The Dropper itself is not typically malicious in behavior; however, it is used as a vehicle to install malware that will perform malicious activities without detection.

During the infection process, the Dropper is usually the first executable that runs on a system. It then unpacks or downloads additional malicious components onto the system.

References

Common Malware Enumeration (CME): http://cme.mitre.org

Microsoft Malware Protection Center:https://www.microsoft.com/en-us/wdsi

The PSH (Push) flag in the TCP header instructs the receiving host to push the data to the receiving application immediately without waiting for the buffer to fill. This is used to ensure that data is not delayed, thus improving the efficiency of communication where real-time data processing is required. It effectively tells the system that the data in the packet should be considered urgent.References:

Douglas E. Comer, "Internetworking with TCP/IP Vol.1: Principles, Protocols, and Architecture".

A Virtual Private Network (VPN) typically requires two Security Associations (SAs) for a secure communication session. One SA is used for inbound traffic, and the other for outbound traffic.

In the context of IPsec, which is often used to secure VPN connections, these two SAs facilitate the bidirectional secure exchange of packets in a VPN tunnel.

Each SA uniquely defines how traffic should be securely processed, including the encryption and authentication mechanisms. This ensures that data sent in one directionis handled independently from data sent in the opposite direction, maintaining the integrity and confidentiality of both communication streams.

References

"Understanding IPSec VPNs," by Cisco Systems.

"IPsec Security Associations," RFC 4301, Security Architecture for the Internet Protocol.

tcpdumpis a powerful command-line packet analyzer used primarily in UNIX and UNIX-like operating systems; it allows the capture and display of TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

Unlike graphical tools like Wireshark,tcpdumpprovides raw output of the packet captures directly to the terminal or a specified file, making it ideal for deep dive network analysis, especially in environments where a graphical user interface is unavailable.

tcpdumpuses the libpcap library to capture packet data, which allows it to support a wide range of command-line options to filter and display packet information according to user needs.

References

"tcpdump manual page," by the Tcpdump Group.

"Practical Packet Analysis Using Wireshark to Solve Real-World Network Problems," by Chris Sanders, No Starch Press.

The Wayback Machine is an internet service provided by the Internet Archive that allows users to see archived versions of web pages across time, enabling them to browse past versions of a website as it appeared on specific dates.

It captures and stores snapshots of web pages, making it an invaluable tool for accessing the historical state of a website or recovering content that has since been changed or deleted.

Other options like Google Cache may also show snapshots of web pages, but the Wayback Machine is dedicated to this purpose and holds a vast archive of historical web data.

References

Internet Archive:https://archive.org

"Using the Wayback Machine," Internet Archive Help Center.

In the Modbus protocol, the function code is used to tell the slave device what kind of action to perform, such as reading or writing data.

Modbus function codes specify the type of operation to be performed on the registers. For example, function code 03 is used to read holding registers, and function code 06 is used to write a single register.

Each function code is a single byte in size and is positioned at the start of the PDU (Protocol Data Unit) in the Modbus message structure, directly influencing how the slave interprets and executes the request.

References

"Modbus Application Protocol Specification V1.1b," Modbus Organization.

"The Modbus Protocol Explained," by Schneider Electric.

A masquerade attack involves an attacker pretending to be an authorized user of a system, thus compromising the authentication component of the IT security model. Authentication ensures that the individuals accessing the system are who they claim to be. By masquerading as a legitimate user, an attacker can bypass this security measure and gain unauthorized access to the system.References:

William Stallings, "Security in Computing".

In the context of physical to logical asset protection in network security, several threats can be directed against the network, including:

Elevation of Privileges: Where unauthorized users gain higher-level permissions improperly.

Flood the Switch: Typically involves a DoS attack where the switch is overwhelmed with traffic, preventing normal operations.

Crack the Password: An attack aimed at gaining unauthorized access by breaking through password security. All these threats can potentially compromise the network's security and the safety of its physical and logical assets.References:

CompTIA Security+ Guide to Network Security Fundamentals.

A "watering hole" attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.

The goal is to infect a website that members of a targeted community frequently use with malware. Once a user visits the compromised website, malware can be delivered to the user’s system, exploiting vulnerabilities on their device.

This attack vector is used in scenarios where attackers want to breach secure environments indirectly by targeting less secure points in a network's ecosystem, such as third-party software used within the organization.

References

"Watering Hole Attacks: Detect, Disrupt, and Prevent," by Kaspersky Lab.

"Emerging Threats in Cybersecurity: Understanding Watering Hole Attacks," published in the Journal of Network Security.

To determine the correct Security Association (SA) in the context of IPsec, several elements are required:

SPI (Security Parameter Index): Uniquely identifies the SA.

Partner IP address: The address of the endpoint with which the SA is established.

Protocol: Specifies the type of security protocol used (e.g., AH or ESP). All these components collectively define and identify a specific SA for secure communication between parties.References:

RFC 4301, "Security Architecture for the Internet Protocol".

NIST SP 800-53 is a publication that provides a catalog of security and privacy controls for federal information systems and organizations and promotes the development of secure and resilient federal information and information systems.

According to the NIST SP 800-53 Rev. 5, the framework defines a comprehensive set of controls, which are divided into different families. Among these families, there are specifically nine families categorized under management controls. These include categories such as risk assessment, security planning, program management, and others.

References

"NIST Special Publication 800-53 (Rev. 5) Security and Privacy Controls for Information Systems and Organizations."

NIST website:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

The first generation of ICS/SCADA systems is considered monolithic, primarily characterized by standalone systems that had no external communications or connectivity with other systems. These systems were typically fully self-contained, with all components hard-wired together, and operations were managed without any networked interaction.References:

U.S. Department of Homeland Security, "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies".

IPsec (Internet Protocol Security) has two modes: Transport mode and Tunnel mode.

Tunnel mode is used to create a secure connection tunnel between two endpoints (e.g., two gateways, or a client and a gateway) and it encapsulates the entire IP packet.

This mode not only protects the payload but also the header information of the original IP packet, thereby providing a higher level of security compared to Transport mode, which only protects the payload.

References

Kent, S. and Seo, K., "Security Architecture for the Internet Protocol," RFC 4301, December 2005.

"IPsec Services," Microsoft TechNet.

A network switch typically operates at Layer 2 of the OSI model, which is the Data Link layer. This layer is responsible for node-to-node data transfer—a function that involves handling data frames between physical devices on the same network or link. The switch uses MAC addresses to forward data to the appropriate destination within the network.References:

Andrew S. Tanenbaum, "Computer Networks".

The maximum transmission unit (MTU) for Ethernet, which is the largest size of an Ethernet packet or frame that can be sent over the network, is typically 1500 bytes. This size does not include the Ethernet frame's preamble and start frame delimiter but does include all other headers and the payload. Ethernet's MTU of 1500 bytes is a standard for most Ethernet networks, especially those conforming to the IEEE 802.3 standard.References:

IEEE 802.3-2012, "Standard for Ethernet".

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

The temporal score in CVSS adjusts the base score of a vulnerability based on factors that change over time, such as the availability of exploits or the existence of patches.

The temporal score includes:

Remediation Level

Report Confidence

Attack Vector and User Interaction are part of the base score, not the temporal score, as they describe the fundamental characteristics of the vulnerability and do not typically change over time.

References

Common Vulnerability Scoring System v3.1: Specification Document.

"Understanding CVSS," by FIRST (Forum of Incident Response and Security Teams).