Exam4Training

EC-Council ICS-SCADA ICS/SCADA Cyber Security Online Training

Question #1

What type of communication protocol does Modbus RTU use?

  • A . UDP
  • B . ICMP
  • C . Serial
  • D . SSTP

Correct Answer: C

Explanation:

Modbus RTU (Remote Terminal Unit) is a communication protocol based on a master-slave architecture that uses serial communication. It is one of the earliest communication protocols developed for devices connected over serial lines. Modbus RTU packets are transmitted in a binary format over serial lines such as RS-485 or RS-232.

Reference: Modbus Organization, "MODBUS over Serial Line Specification and Implementation Guide V1.02".

Question #2

Which of the ICS/SCADA generations is considered monolithic?

  • A . Second
  • B . First
  • C . Fourth
  • D . Third

Correct Answer: B

Explanation:

The first generation of ICS/SCADA systems is considered monolithic, primarily characterized by standalone systems that had no external communications or connectivity with other systems. These systems were typically fully self-contained, with all components hard-wired together, and operations were managed without any networked interaction.

Reference: U.S. Department of Homeland Security, "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies".

Question #3

Which of the following components is not part of the Authentication Header (AH)?

  • A . Replay
  • B . Authentication
  • C . Confidentiality
  • D . Integrity

Correct Answer: C

Explanation:

The Authentication Header (AH) is a component of the IPsec protocol suite that provides authentication and integrity to the communications. AH ensures that the contents of the communications have not been altered in transit (integrity) and verifies the sending and receiving parties (authentication). However, AH does not provide confidentiality, which would involve encrypting the payload data. Confidentiality is provided by the Encapsulating Security Payload (ESP), another component of IPsec.

Reference: RFC 4302, "IP Authentication Header".

Question #4

How many main score areas are there in the CVSS?

  • A . 2
  • B . 4
  • C . 3
  • D . None of these

Correct Answer: C

Explanation:

The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. CVSS provides three main score areas: Base, Temporal, and Environmental. The Base Score evaluates the intrinsic qualities of a vulnerability. The Temporal Score reflects the characteristics of a vulnerability that change over time. The Environmental Score considers the specific impact of the vulnerability on a particular organization, tailoring the Base and Temporal scores according to the importance of the affected IT asset.

Reference: FIRST, "Common Vulnerability Scoring System v3.1: Specification Document".

Question #5

Which of the following is NOT an exploit tool?

  • A . Canvas
  • B . Core Impact
  • C . Metasploit
  • D . Nessus

Correct Answer: D

Explanation:

Among the options listed, Nessus is primarily a vulnerability assessment tool, not an exploit tool. It is used to scan systems, networks, and applications to identify vulnerabilities but does not exploit them. On the other hand, Canvas, Core Impact, and Metasploit are exploit tools designed to actually perform attacks (safely and legally) to demonstrate the impact of vulnerabilities.

Reference: Tenable, Inc., "Nessus FAQs".

Question #6

When monitoring a network, you receive an ICMP type 8 packet.

What does this represent?

  • A . Echo request
  • B . Echo start
  • C . Echo recall
  • D . Echo reply

Correct Answer: A

Explanation:

ICMP (Internet Control Message Protocol) is used in network devices, like routers, to send error messages and operational information indicating success or failure when communicating with another IP address.

An ICMP type 8 packet specifically is an "Echo Request." It is used primarily by the ping command to test the connectivity between two nodes.

When a device sends an ICMP Echo Request, it expects to receive an ICMP Echo Reply (type 0) from the target node. This mechanism helps in diagnosing the state and reachability of a network on the Internet or within a private network.

Reference

RFC 792 Internet Control Message Protocol: https://tools.ietf.org/html/rfc792

Internet Assigned Numbers Authority (IANA) ICMP Parameters:

Question #7

What step of the malware infection installs the malware on the target?

  • A . Drive-by
  • B . Init
  • C . Dropper
  • D . Stager

Correct Answer: C

Explanation:

The term "Dropper" in cybersecurity refers to a small piece of software used in malware deployment that is designed to install or "drop" malware (like viruses, ransomware, spyware) onto the target system.

The Dropper itself is not typically malicious in behavior; however, it is used as a vehicle to install malware that will perform malicious activities without detection.

During the infection process, the Dropper is usually the first executable that runs on a system. It then unpacks or downloads additional malicious components onto the system.

Reference

Common Malware Enumeration (CME): http://cme.mitre.org

Microsoft Malware Protection Center: https://www.microsoft.com/en-us/wdsi

Question #8

The vulnerability that led to the WannaCry ransomware infections affected which protocol?

  • A . Samba
  • B . None of these
  • C . RPC
  • D . SMB

Correct Answer: D

Explanation:

WannaCry is a ransomware attack that spread rapidly across multiple computer networks in May 2017.

The vulnerability exploited by the WannaCry ransomware was in the Microsoft Windows implementation of the Server Message Block (SMB) protocol.

Specifically, the exploit, known as EternalBlue, targeted a flaw in the SMBv1 protocol. This flaw allowed the ransomware to spread within corporate networks without any user interaction, making it one of the fastest-spreading and most harmful cyberattacks at the time.

Reference

Microsoft Security Bulletin MS17-010 – Critical: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010

National Vulnerability Database, CVE-2017-0144: https://nvd.nist.gov/vuln/detail/CVE-2017-0144

Question #9

Which of the registrars contains the information for the domain owners in Europe?

  • A . RIPENCC
  • B . AFRINIC
  • C . LACNIC
  • D . ARIN

Correct Answer: A

Explanation:

RIPENCC (Réseaux IP Européens Network Coordination Centre) is one of the five Regional Internet Registries (RIRs) that allocate IP addresses and manage related resources within a specific region. Specifically, RIPENCC covers Europe, the Middle East, and parts of Central Asia.

For domain owners, while the top-level domain (TLD) registrars handle domain registration, the information about IP allocations and related network infrastructure information in Europe is managed by RIPENCC.

Reference

RIPE Network Coordination Centre: https://www.ripe.net

RIPE Documentation and Information: https://www.ripe.net/manage-ips-and-asns

Question #10

Which component of the IT Security Model is attacked with interruption?

  • A . Confidentiality
  • B . Availability
  • C . Authentication
  • D . Integrity

Correct Answer: B

Explanation:

The IT Security Model commonly refers to the CIA Triad, which stands for Confidentiality, Integrity, and Availability.

An attack on "Availability" is aimed at disrupting the normal functioning and access to data or resources in a network. This type of attack can include actions such as DDoS (Distributed Denial of Service), where overwhelming traffic is sent to a system to make it unresponsive.

The main goal of attacks on availability is to prevent legitimate users from accessing systems or information, which can have significant implications for business operations and security.

Reference

Understanding the CIA Triad in Cybersecurity: https://www.cyber.gov.au/acsc/view-all-content/publications/cia-triad

Denial of Service – What it is and how to prevent it: https://www.us-cert.gov/ncas/tips/ST04-015

Question #11

In what default directory (fully qualified path) does nmap store scripts?

  • A . /usr/share/scripts
  • B . /ust/share/nmap/scripts
  • C . /usr/share/nmap
  • D . /opt

Correct Answer: C

Explanation:

Nmap (Network Mapper) is a network scanning and security auditing tool. Scripts used by Nmap for performing different network discovery and security auditing tasks are stored in /usr/share/nmap/scripts. This directory contains a collection of scripts for NSE (Nmap Scripting Engine), which enables Nmap to perform additional networking tasks, often used for detecting vulnerabilities, misconfigurations, and security-related information about network services.

Reference: Nmap documentation, "Nmap Scripting Engine (NSE)".

Question #12

Which of the registrars contains the information for the domain owners in South America?

  • A . AFRINIC
  • B . ARIN
  • C . LACNIC
  • D . RIPENCC

Correct Answer: C

Explanation:

LACNIC (Latin American and Caribbean Network Information Centre) is the regional Internet registry for Latin America and parts of the Caribbean. It manages the allocation and registration of Internet number resources (such as IP addresses and AS numbers) within this region and maintains the registry of domain owners in South America.

Reference: LACNIC official website, "About LACNIC".

Question #13

Which of the hacking methodology steps can be used to identify the applications and vendors used?

  • A . Enumeration
  • B . OSINT
  • C . Scanning
  • D . Surveillance

Correct Answer: B

Explanation:

OSINT (Open Source Intelligence) refers to the collection and analysis of information gathered from public, freely available sources to be used in an intelligence context. In the context of hacking methodologies, OSINT can be used to identify applications and vendors employed by a target organization by analyzing publicly available data such as websites, code repositories, social media, and other internet-facing resources.

Reference: Michael Bazzell, "Open Source Intelligence Techniques".

Question #14

Which of the following is a component of an IDS?

  • A . All of these
  • B . Respond
  • C . Detect
  • D . Monitor

Correct Answer: A

Explanation:

An Intrusion Detection System (IDS) is designed to monitor network or system activities for malicious activities or policy violations and can perform several functions:

Monitor: Observing network traffic and system activities for unusual or suspicious behavior.

Detect: Identifying potential security breaches, including both known threats and unusual activities that could indicate new threats.

Respond: Executing pre-defined actions to address detected threats, which can include raising alerts or triggering automatic countermeasures.

Reference: Cisco Systems, "Intrusion Detection Systems".

Question #15

Which of the IEC 62443 Security Levels is identified by a cybercrime/hacker target?

  • A . 4
  • B . 3
  • C . 1
  • D . 2

Correct Answer: B

Explanation:

IEC 62443 is an international series of standards on Industrial communication networks and system security, specifically related to Industrial Automation and Control Systems (IACS). Within the IEC 62443 standards, Security Level 3 is defined as protection against deliberate or specialized intrusion. It is designed to safeguard against threats from skilled attackers (cybercriminals or hackers) targeting specific processes or operations within the industrial control system.

Reference: International Electrotechnical Commission, "IEC 62443 Standards".

Question #16

Which of the following was attacked using the Stuxnet malware?

  • A . PLCS
  • B . PLC3
  • C . All of these
  • D . PLC7

Correct Answer: A

Explanation:

Stuxnet is a highly sophisticated piece of malware discovered in 2010 that specifically targeted Supervisory Control and Data Acquisition (SCADA) systems used to control and monitor industrial processes.

The primary targets of Stuxnet were Programmable Logic Controllers (PLCs), which are critical components in industrial control systems.

Stuxnet was designed to infect PLCs programmed with Siemens Step7 software. It altered the operation of the PLCs to cause physical damage to the connected hardware; it was famously used against Iran’s uranium enrichment facility, where it caused the fast-spinning centrifuges to tear themselves apart.

Reference

Langner, R. "Stuxnet: Dissecting a Cyberwarfare Weapon." IEEE Security & Privacy, May-June 2011.

"W32.Stuxnet Dossier," Symantec Corporation, Version 1.4, February 2011.

Question #17

What is the size in bytes of the TCP sequence number in the header?

  • A . 2
  • B . 1
  • C . 3
  • D . 4

Correct Answer: D

Explanation:

In the Transmission Control Protocol (TCP) header, the sequence number field is crucial for ensuring the correct sequencing of the packets sent over a network.

The sequence number field in the TCP header is 32 bits long, which equates to 4 bytes.

This sequence number is used to keep track of the bytes in a sequence that are transferred over a TCP connection, ensuring that packets are arranged in the correct order and data integrity is maintained during transmission.

Reference

Postel, J., "Transmission Control Protocol," RFC 793, September 1981.

"TCP/IP Guide," Kozierok, C. M., 2005.

Question #18

Which mode within IPsec provides a secure connection tunnel between two endpoints AND protects the sender and the receiver?

  • A . Protected
  • B . Tunnel
  • C . Transport
  • D . Covered

Correct Answer: B

Explanation:

IPsec (Internet Protocol Security) has two modes: Transport mode and Tunnel mode. Tunnel mode is used to create a secure connection tunnel between two endpoints (e.g., two gateways, or a client and a gateway) and it encapsulates the entire IP packet.

This mode not only protects the payload but also the header information of the original IP packet, thereby providing a higher level of security compared to Transport mode, which only protects the payload.

Reference

Kent, S. and Seo, K., "Security Architecture for the Internet Protocol," RFC 4301, December 2005.

"IPsec Services," Microsoft TechNet.

Question #19

Which of the following can be used to view entire copies of web sites?

  • A . Wayback machine
  • B . Google Cache
  • C . Netcraft
  • D . Bing offline

Correct Answer: A

Explanation:

The Wayback Machine is an internet service provided by the Internet Archive that allows users to see archived versions of web pages across time, enabling them to browse past versions of a website as it appeared on specific dates.

It captures and stores snapshots of web pages, making it an invaluable tool for accessing the historical state of a website or recovering content that has since been changed or deleted.

Other options like Google Cache may also show snapshots of web pages, but the Wayback Machine is dedicated to this purpose and holds a vast archive of historical web data.

Reference

Internet Archive: https://archive.org

"Using the Wayback Machine," Internet Archive Help Center.

Question #20

The NIST SP 800-53 defines how many management controls?

  • A . 6
  • B . 9
  • C . 5
  • D . 7

Correct Answer: B

Explanation:

NIST SP 800-53 is a publication that provides a catalog of security and privacy controls for federal information systems and organizations and promotes the development of secure and resilient federal information and information systems.

According to NIST SP 800-53 Rev. 5, the framework defines a comprehensive set of controls, which are divided into different families. Among these families, nine are specifically categorized under management controls. These include categories such as risk assessment, security planning, program management, and others.

Reference

"NIST Special Publication 800-53 (Rev. 5) Security and Privacy Controls for Information Systems and Organizations."

NIST website: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

Question #21

Which component of the IT Security Model is attacked with masquerade?

  • A . Integrity
  • B . Availability
  • C . Confidentiality
  • D . Authentication

Correct Answer: D

Explanation:

A masquerade attack involves an attacker pretending to be an authorized user of a system, thus compromising the authentication component of the IT security model. Authentication ensures that the individuals accessing the system are who they claim to be. By masquerading as a legitimate user, an attacker can bypass this security measure and gain unauthorized access to the system.

Reference: William Stallings, "Security in Computing".

Question #22

Which component of the IT Security Model is attacked with modification?

  • A . Authentication
  • B . Availability
  • C . Integrity
  • D . Confidentiality

Correct Answer: C

Explanation:

Modification attacks directly impact the integrity of data within the IT Security Model. Integrity ensures that information is accurate and unchanged from its original form unless altered by authorized means. An attack that involves modification manipulates data in unauthorized ways, thereby compromising its accuracy and reliability.

Reference: Shon Harris, "CISSP Certification: All-in-One Exam Guide".

Question #23

Which of the following is required to determine the correct Security Association?

  • A . SPI
  • B . Partner IP address
  • C . Protocol
  • D . All of these

Correct Answer: D

Explanation:

To determine the correct Security Association (SA) in the context of IPsec, several elements are required:

SPI (Security Parameter Index): Uniquely identifies the SA.

Partner IP address: The address of the endpoint with which the SA is established.

Protocol: Specifies the type of security protocol used (e.g., AH or ESP).

All these components collectively define and identify a specific SA for secure communication between parties.

Reference: RFC 4301, "Security Architecture for the Internet Protocol".

Question #24

What share does the WannaCry ransomware use to connect with the target?

  • A . $IPC
  • B . $Admin
  • C . $SPOOL
  • D . $C

Correct Answer: A

Explanation:

The WannaCry ransomware utilizes the $IPC (Inter-Process Communication) share to connect with and infect target machines. This hidden network share supports the operation of named pipes, which facilitates the communication necessary for WannaCry to execute its payload across networks.

Reference: CISA Analysis Report, "WannaCry Ransomware".

WannaCry ransomware uses the SMB (Server Message Block) protocol to propagate through networks and connect to target systems. Specifically, it exploits a vulnerability in SMBv1, known as EternalBlue (MS17-010).

IPC Share: The $IPC (Inter-Process Communication) share is a hidden administrative share used for inter-process communication. WannaCry uses this share to gain access to other machines on the network.

SMB Exploitation: By exploiting the SMB vulnerability, WannaCry can establish a connection to the $IPC share, allowing it to execute the payload on the target machine.

Propagation: Once connected, it deploys the DoublePulsar backdoor and then spreads the ransomware payload.

Given these details, the correct answer is $IPC.

Reference

"WannaCry Ransomware Attack," Wikipedia, WannaCry.

"MS17-010: Security Update for Windows SMB Server," Microsoft, MS17-010.

Question #25

What is the size of the AH in bits with respect to width?

  • A . 24
  • B . 43
  • C . 16
  • D . 32

Correct Answer: D

Explanation:

The Authentication Header (AH) in the context of IPsec has a fixed header portion of 24 bits and a mutable part that can vary, but when considering the fixed structure of the AH itself, the width is typically considered to be 32 bits at its core structure for basic operations in providing integrity and authentication, without confidentiality.

Reference: RFC 4302, "IP Authentication Header".
