Eccouncil ICS-SCADA Exam Questions Instant Access

Question 1

What is the size of the AH in bits with respect to width?

A24

B43

C16

D32

Answer : D

The Authentication Header (AH) in the context of IPsec has a fixed header portion of 24 bits and a mutable part that can vary, but when considering the fixed structure of the AH itself, the width is typically considered to be 32 bits at its core structure for basic operations in providing integrity and authentication, without confidentiality. Reference:

RFC 4302, 'IP Authentication Header'.

Question 2

Which mode within IPsec provides a secure connection tunnel between two endpoints AND protects the sender and the receiver?

AProtected

BTunnel

CTransport

DCovered

Answer : B

IPsec (Internet Protocol Security) has two modes: Transport mode and Tunnel mode.

Tunnel mode is used to create a secure connection tunnel between two endpoints (e.g., two gateways, or a client and a gateway) and it encapsulates the entire IP packet.

This mode not only protects the payload but also the header information of the original IP packet, thereby providing a higher level of security compared to Transport mode, which only protects the payload.

Reference

Kent, S. and Seo, K., 'Security Architecture for the Internet Protocol,' RFC 4301, December 2005.

'IPsec Services,' Microsoft TechNet.

Question 3

Which of the following was attacked using the Stuxnet malware?

APLCS

BPLC3

CAll of these

DPLC7

Answer : A

Stuxnet is a highly sophisticated piece of malware discovered in 2010 that specifically targeted Supervisory Control and Data Acquisition (SCADA) systems used to control and monitor industrial processes.

The primary targets of Stuxnet were Programmable Logic Controllers (PLCs), which are critical components in industrial control systems.

Stuxnet was designed to infect Siemens Step7 software PLCs. It altered the operation of the PLCs to cause physical damage to the connected hardware, famously used against Iran's uranium enrichment facility, where it caused the fast-spinning centrifuges to tear themselves apart.

Reference

Langner, R. 'Stuxnet: Dissecting a Cyberwarfare Weapon.' IEEE Security & Privacy, May-June 2011.

'W32.Stuxnet Dossier,' Symantec Corporation, Version 1.4, February 2011.

Question 4

What share does the WannaCry ransomware use to connect with the target?

A$IPC

B$Admin

C$SPOOL

D$C

Answer : A

The WannaCry ransomware utilizes the $IPC (Inter-Process Communication) share to connect with and infect target machines. This hidden network share supports the operation of named pipes, which facilitates the communication necessary for WannaCry to execute its payload across networks. Reference:

CISA Analysis Report, 'WannaCry Ransomware'.

WannaCry ransomware uses the SMB (Server Message Block) protocol to propagate through networks and connect to target systems. Specifically, it exploits a vulnerability in SMBv1, known as EternalBlue (MS17-010).

IPC Share: The $IPC (Inter-Process Communication) share is a hidden administrative share used for inter-process communication. WannaCry uses this share to gain access to other machines on the network.

SMB Exploitation: By exploiting the SMB vulnerability, WannaCry can establish a connection to the $IPC share, allowing it to execute the payload on the target machine.

Propagation: Once connected, it deploys the DoublePulsar backdoor and then spreads the ransomware payload.

Given these details, the correct answer is $IPC.

Reference

'WannaCry Ransomware Attack,' Wikipedia, WannaCry.

'MS17-010: Security Update for Windows SMB Server,' Microsoft, MS17-010.

Question 5

Which component of the IT Security Model is attacked with modification?

AAuthentication

BAvailability

CIntegrity

DConfidentiality

Answer : C

Modification attacks directly impact the integrity of data within the IT Security Model. Integrity ensures that information is accurate and unchanged from its original form unless altered by authorized means. An attack that involves modification manipulates data in unauthorized ways, thereby compromising its accuracy and reliability. Reference:

Shon Harris, 'CISSP Certification: All-in-One Exam Guide'.

Question 6

When monitoring a network, you receive an ICMP type 8 packet. What does this represent?

AEcho request

BEcho start

CEcho recall

DEcho reply

Answer : A

ICMP (Internet Control Message Protocol) is used in network devices, like routers, to send error messages and operational information indicating success or failure when communicating with another IP address.

An ICMP type 8 packet specifically is an 'Echo Request.' It is used primarily by the ping command to test the connectivity between two nodes.

When a device sends an ICMP Echo Request, it expects to receive an ICMP Echo Reply (type 0) from the target node. This mechanism helps in diagnosing the state and reachability of a network on the Internet or within a private network.

Reference

RFC 792 Internet Control Message Protocol: https://tools.ietf.org/html/rfc792

Internet Assigned Numbers Authority (IANA) ICMP Parameters:

Question 7

Which of the following names represents inbound filtering?

AFunnel

BSanity

CEgress

DIngress

Answer : D

Ingress filtering is a method used in network security to ensure that incoming packets are allowed or blocked based on a set of security rules.

This type of filtering is often implemented at the boundaries of networks to prevent unwanted or harmful traffic from entering a more secure internal network.

The term 'ingress' refers to traffic that is entering a network boundary, whereas 'egress' refers to traffic exiting a network.

Reference

Cisco Networking Academy Program: Network Security.

'Understanding Ingress and Egress Filtering,' Network Security Guidelines, TechNet.

Eccouncil ICS/SCADA Cyber Security ICS-SCADA Exam Questions