Question 1

A Virtual Private Network (VPN) requires how many Security Associations?

Accepted Answer

D

Explanation: A Virtual Private Network (VPN) typically requires two Security Associations (SAs) for a secure communication session. One SA is used for inbound traffic, and the other for outbound traffic. In the context of IPsec, which is often used to secure VPN connections, these two SAs facilitate the bidirectional secure exchange of packets in a VPN tunnel. Each SA uniquely defines how traffic should be securely processed, including the encryption and authentication mechanisms. This ensures that data sent in one direction is handled independently from data sent in the opposite direction, maintaining the integrity and confidentiality of both communication streams. Reference "Understanding IPSec VPNs," by Cisco Systems. "IPsec Security Associations," RFC 4301, Security Architecture for the Internet Protocol.

Question 2

Which component of the IT Security Model is attacked with eavesdropping and interception?

Accepted Answer

A

Explanation: Eavesdropping and interception primarily attack the confidentiality component of the IT Security Model. Confidentiality is concerned with protecting information from being accessed by unauthorized parties. Eavesdropping involves listening to private communication or capturing data as it is transmitted over a network, thereby breaching the confidentiality of the information. Reference: William Stallings, "Cryptography and Network Security: Principles and Practice".

Question 3

A protocol analyzer that produces raw output is which of the following?

Accepted Answer

A

Explanation: tcpdump is a powerful command-line packet analyzer used primarily in UNIX and UNIX-like operating systems; it allows the capture and display of TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Unlike graphical tools like Wireshark, tcpdump provides raw output of the packet captures directly to the terminal or a specified file, making it ideal for deep dive network analysis, especially in environments where a graphical user interface is unavailable. tcpdump uses the libpcap library to capture packet data, which allows it to support a wide range of command-line options to filter and display packet information according to user needs. Reference "tcpdump manual page," by the Tcpdump Group. "Practical Packet Analysis Using Wireshark to Solve Real-World Network Problems," by Chris Sanders, No Starch Press.

Question 4

Which of the following is a weakness of a vulnerability scanner?

Accepted Answer

B

Explanation: One weakness of a vulnerability scanner is that it is not designed to go through filters or bypass security controls like firewalls or intrusion detection systems. Vulnerability scanners typically perform well in identifying known weaknesses within the perimeter of a network or system but might not effectively assess systems that are shielded by robust security measures, which can filter out the scanner's attempts to probe or attack. Reference: National Institute of Standards and Technology (NIST), "Technical Guide to Information Security Testing and Assessment".

Question 5

What version of SMB did the WannaCry ransomware attack?

Accepted Answer

C

Explanation: The WannaCry ransomware primarily exploited vulnerabilities in the SMB (Server Message Block) version 1 protocol to propagate across network systems. Microsoft had identified vulnerabilities in SMBv1, which were exploited by the EternalBlue exploit to spread the ransomware. This led to widespread infections, particularly in systems that had not applied the security updates released to patch the vulnerability. Reference: Microsoft Security Bulletin MS17-010, "Security Update for Microsoft Windows SMB Server".

Question 6

Which of the following is the stance on risk that by default allows traffic with a default permit approach?

Accepted Answer

D

Explanation: In network security, the stance on managing and assessing risk can vary widely depending on the security policies of an organization. A "Permissive" stance, often referred to as a default permit approach, allows all traffic unless it has been specifically blocked. This approach can be easier to manage from a usability standpoint but is less secure as it potentially allows unwanted or malicious traffic unless explicitly filtered. This is in contrast to a more restrictive policy, which denies all traffic unless it has been explicitly permitted, typically seen in more secure environments. Reference "Network Security Basics," by Cisco Systems. "Understanding Firewall Policies," by Fortinet.

Question 7

How many IPsec rules are there in Microsoft Firewall configuration?

Accepted Answer

D

Explanation: In the configuration of Microsoft Windows Firewall with Advanced Security, you can define IPsec rules as part of your security policy. Typically, these rules can be organized into four main categories: Allow connection, Block connection, Allow if secure (which can specify encryption or authentication requirements), and Custom. While the interface and features can vary slightly between Windows versions, four fundamental types of rules regarding how traffic is handled are commonly supported. Reference: Microsoft documentation, "Windows Firewall with Advanced Security".

Question 8

What is a vulnerability called that is released before a patch comes out?

Accepted Answer

C

Explanation: A vulnerability that is exploited before the vendor has issued a patch or even before the vulnerability is known to the vendor is referred to as a "zero-day" vulnerability. The term "zero-day" refers to the number of days the software vendor has had to address and patch the vulnerability since it was made public—zero, in this case. Reference: Symantec Security Response, "Zero Day Initiative".

Question 9

Which publication from NIST provides guidance on Industrial Control Systems?

Accepted Answer

B

Explanation: NIST Special Publication 800-82, "Guide to Industrial Control Systems (ICS) Security," provides guidance on securing industrial control systems, including SCADA systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC). It offers practices and recommendations for protecting and securing ICS systems against disruptions, malicious activities, and other threats to their integrity and availability. Reference: National Institute of Standards and Technology (NIST), "Guide to Industrial Control Systems (ICS) Security".

Question 10

Which of the following is the stance that by default has a default deny approach?

Accepted Answer

B

Explanation: In the context of network security policies, a "Paranoid" stance typically means adopting a default- deny posture. This security approach is one of the most restrictive, where all access is blocked unless explicitly allowed. A default deny strategy is considered best practice for securing highly sensitive environments, as it minimizes the risk of unauthorized access and reduces the attack surface. This approach contrasts with more open stances such as Permissive or Promiscuous, which are less restrictive and generally allow more traffic by default. Reference "Network Security: Policies and Guidelines for Effective Network Management," by Jonathan Gossels. "Best Practices for Implementing a Security Awareness Program," by Kaspersky Lab.

Question 11

Which mode within IPsec provides secure connection between two endpoints but does NOT protect the sender and the receiver?

Accepted Answer

C

Explanation: IPsec offers two modes of operation: Transport mode and Tunnel mode. Transport mode in IPsec provides security for the payload (the message part) of each packet along the communication path between two endpoints. In this mode, the IP header of the original packet is not encrypted; it secures only the payload, not protecting the headers. This means while the data is protected, information about the sender and receiver as contained in the IP header is not obscured. Reference "Security Architecture for IP," RFC 4301. IPsec documentation, Internet Engineering Task Force (IETF).

Question 12

Who developed the ModBus protocol?

Accepted Answer

C

Explanation: The Modbus protocol was developed by Modicon, now a brand of Schneider Electric. It was originally designed in 1979 for use with its programmable logic controllers (PLCs) in industrial applications. Modbus is a serial communications protocol that has become a de facto standard communication protocol and is now commonly used to connect industrial electronic devices. The main reasons for its use are its simplicity and the fact that it is open-source, which allows manufacturers to build their own implementations of the standard. Reference "Modbus Protocol Reference Guide," Modicon, Inc., 1979. "A Guide to the Modbus Protocol," Schneider Electric.

Question 13

Which of the IEC 62443 Security Levels is identified by a cybercrime/hacker target?

Accepted Answer

B

Explanation: IEC 62443 is an international series of standards on Industrial communication networks and system security, specifically related to Industrial Automation and Control Systems (IACS). Within the IEC 62443 standards, Security Level 3 is defined as protection against deliberate or specialized intrusion. It is designed to safeguard against threats from skilled attackers (cybercriminals or hackers) targeting specific processes or operations within the industrial control system. Reference: International Electrotechnical Commission, "IEC 62443 Standards".

Question 14

Which of the following is NOT an exploit tool?

Accepted Answer

D

Explanation: Among the options listed, Nessus is primarily a vulnerability assessment tool, not an exploit tool. It is used to scan systems, networks, and applications to identify vulnerabilities but does not exploit them. On the other hand, Canvas, Core Impact, and Metasploit are exploit tools designed to actually perform attacks (safely and legally) to demonstrate the impact of vulnerabilities. Reference: Tenable, Inc., "Nessus FAQs".

Question 15

With respect to the IEC 62443, how many steps are in the Defense in Depth process?

Accepted Answer

C

Explanation: IEC 62443 is a series of standards designed to secure Industrial Automation and Control Systems (IACS). It provides a framework for implementing cybersecurity measures in the context of industrial environments. The Defense in Depth (DiD) approach outlined in IEC 62443 involves multiple layers of security measures to protect industrial networks. This method ensures that if one layer fails, others are in place to continue protection. Specifically, the IEC 62443 framework describes six fundamental steps in setting up a Defense in Depth strategy, covering aspects from physical security to network segmentation and device hardening. Reference International Electrotechnical Commission, IEC 62443 Series. "Understanding IEC 62443 for Industrial Cybersecurity," by ISA99 Committee. The IEC 62443 standard outlines a comprehensive framework for securing industrial automation and control systems (IACS). The Defense in Depth concept within this standard includes six steps designed to ensure robust security. Step 1: Identification and Authentication Control (IAC): Ensuring only authorized users and devices can access the system. Step 2: Use Control (UC): Managing permissions and access controls to restrict actions users can perform. Step 3: System Integrity (SI): Ensuring the system remains in a trustworthy state, protected from unauthorized changes. Step 4: Data Confidentiality (DC): Protecting sensitive data from unauthorized access and disclosure. Step 5: Restricted Data Flow (RDF): Controlling and monitoring data flows to prevent unauthorized data transmission. Step 6: Timely Response to Events (TRE): Implementing mechanisms to detect, respond to, and recover from security incidents. These steps collectively form the Defense in Depth strategy prescribed by IEC 62443. Reference "IEC 62443 - Industrial Automation and Control Systems Security," International Electrotechnical Commission, IEC 62443. "Defense in Depth," Cybersecurity and Infrastructure Security Agency (CISA), Defense in Depth.

Free Eccouncil ICS-SCADA Actual Exam Questions