Eccouncil ICS/SCADA Cyber Security Exam Practice Test

Page: 1 / 14
Total 75 questions
Question 1

Which of the following ports are used for communications in Modbus TCP?



Answer : D

Modbus TCP (also written Modbus/TCP) is the variant of the Modbus family of simple request/response protocols used in industrial automation. Where the original Modbus RTU and ASCII framings run over serial links (RS-232/RS-485), Modbus TCP carries the same application-layer PDU over TCP/IP networks.

Port 502 is the TCP port registered for Modbus TCP (IANA service name mbap). A Modbus TCP frame consists of a 7-byte MBAP header (transaction identifier, protocol identifier of 0, length, unit identifier) followed by the Modbus PDU (function code and data), sent over a TCP connection to port 502 on the device.

Knowing the port number matters for firewall rules, IDS signatures and troubleshooting within a Modbus-enabled ICS/SCADA environment, and for one further reason: Modbus TCP has no authentication or encryption, so any host that can reach port 502 on a PLC can read and write its coils and registers. Access to port 502 should therefore be limited to the hosts that legitimately need it (HMIs, engineering workstations, historians), and write requests from anywhere else should raise an alert. The TLS-wrapped variant, Modbus/TCP Security, uses port 802 instead.

Reference

Modbus Organization, 'MODBUS Application Protocol Specification V1.1b3'.

'Modbus TCP/IP -- A Comprehensive Network protocol,' by Schneider Electric.
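The MBAP framing described above, as an added example that is not part of the practice test or of any Modbus vendor's code. It builds two Modbus TCP requests, splits a TCP byte stream back into frames (several frames can share one TCP segment, and a frame can be cut across segments), and applies a simple monitoring check: a write function code arriving from a host that is not on a constructed allow-list is reported. The host addresses and the allow-list are assumptions made for the example.

```python
"""Build, parse and check Modbus TCP (port 502) frames. Added example, not from the page."""
import struct

MODBUS_TCP_PORT = 502

# Function codes that change PLC state versus those that only read it.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}


def build_request(transaction_id, unit_id, function_code, data):
    """Return MBAP header + PDU. The MBAP length field counts the unit id byte plus the PDU."""
    pdu = struct.pack("!B", function_code) + data
    mbap = struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def read_holding_registers(transaction_id, unit_id, start, count):
    """FC 3: read `count` holding registers starting at `start`."""
    return build_request(transaction_id, unit_id, 3, struct.pack("!HH", start, count))


def write_single_register(transaction_id, unit_id, address, value):
    """FC 6: write one holding register."""
    return build_request(transaction_id, unit_id, 6, struct.pack("!HH", address, value))


def parse_frames(stream):
    """Split a TCP byte stream into Modbus TCP frames; return (frames, unconsumed bytes)."""
    frames = []
    offset = 0
    while offset + 7 <= len(stream):
        tid, proto, length, unit = struct.unpack_from("!HHHB", stream, offset)
        if proto != 0:
            raise ValueError(f"not Modbus TCP: protocol id {proto}")
        if length < 2 or offset + 6 + length > len(stream):
            break  # incomplete frame: wait for the next TCP segment
        pdu = stream[offset + 7: offset + 6 + length]
        frames.append({"transaction_id": tid, "unit_id": unit,
                       "function_code": pdu[0], "data": pdu[1:]})
        offset += 6 + length
    return frames, stream[offset:]


def flag_writes(frames, src_ip, allowed_writers):
    """Report write requests from any source not on the allow-list (constructed policy)."""
    alerts = []
    for f in frames:
        fc = f["function_code"]
        if fc in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append(f"{src_ip} -> unit {f['unit_id']}: {WRITE_FUNCTION_CODES[fc]} (FC {fc})")
    return alerts


if __name__ == "__main__":
    # Constructed traffic: one read and one write, sent in the same TCP segment.
    segment = read_holding_registers(1, 1, 0, 10) + write_single_register(2, 1, 100, 1)
    frames, rest = parse_frames(segment)
    for f in frames:
        name = READ_FUNCTION_CODES.get(f["function_code"]) or WRITE_FUNCTION_CODES.get(f["function_code"])
        print(f"tid={f['transaction_id']} unit={f['unit_id']} {name} data={f['data'].hex()}")
    # Assumed allow-list: only the engineering workstation may write.
    for alert in flag_writes(frames, "192.0.2.50", allowed_writers={"10.10.1.10"}):
        print("ALERT", alert)
```

The parser keys on the MBAP protocol identifier being 0 and on the length field rather than on the port, so the same logic works when Modbus has been moved to a non-standard port; the port is what tells a firewall where to look, not what identifies the protocol.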


Question 2

Which of the IPsec headers contains the Security Parameters Index (SPI)?



Answer : B

IPsec uses two main protocols to secure network communications: Authentication Header (AH) and Encapsulating Security Payload (ESP).

Both AH and ESP carry a Security Parameters Index (SPI), a 32-bit value in their headers. Together with the destination IP address and the protocol (AH or ESP), the SPI lets the receiver look up the Security Association (SA) that holds the keys and algorithms needed to process the incoming packet. In ESP the SPI is the first field of the header; in AH it follows the Next Header, Payload Length and Reserved fields.

AH provides authentication and integrity, while ESP provides confidentiality, in addition to authentication and integrity. Both protocols use the SPI to manage these functions securely.

Reference

RFC 4302, 'IP Authentication Header' (AH), and RFC 4303, 'IP Encapsulating Security Payload (ESP)'.

'IPsec Explained,' by Juniper Networks.


Question 3

Which of the following is the stance on risk that by default allows traffic with a default permit approach?



Answer : D

In network security, the stance on managing and assessing risk can vary widely depending on the security policies of an organization.

A 'Permissive' stance, often referred to as a default permit approach, allows all traffic unless it has been specifically blocked. This approach can be easier to manage from a usability standpoint but is less secure as it potentially allows unwanted or malicious traffic unless explicitly filtered.

This is in contrast to a more restrictive policy, which denies all traffic unless it has been explicitly permitted, typically seen in more secure environments.

Reference

'Network Security Basics,' by Cisco Systems.

'Understanding Firewall Policies,' by Fortinet.


Question 4

How many IPsec modes are there?



Answer : D

IPsec (Internet Protocol Security) primarily operates in two modes: Transport mode and Tunnel mode.

Transport mode: protects only the payload of the original IP packet (ESP encrypts it; AH authenticates it together with the immutable fields of the IP header). The original IP header stays in place, so the real source and destination addresses remain visible. This mode is used for end-to-end communication between two hosts.

Tunnel mode: protects the entire original IP packet, header and payload, and encapsulates it in a new IP packet with a new outer header, so the inner addresses are hidden (with ESP) or at least authenticated (with AH). Tunnel mode is used for network-to-network links between two security gateways and for a remote client connecting to a gateway.

Reference

'Security Architecture for the Internet Protocol,' RFC 4301.

'IPsec Modes of Operation,' by Internet Engineering Task Force (IETF).
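The SPI placement from Question 2 and the transport/tunnel distinction from Question 4, as one added example that is not part of the practice test or of any IPsec implementation. It builds IPv4 packets carrying AH (protocol 51) or ESP (protocol 50), reads the SPI back from the correct offset in each header, and tells the mode apart from the Next Header value. For ESP the example assumes the NULL encryption algorithm of RFC 2410 and no ICV, so that the ESP trailer is readable; in a real SA the payload and trailer are encrypted and the mode can only be determined after decryption. The addresses, SPI values and the zeroed AH ICV are constructed for the example.

```python
"""Find the SPI in AH and ESP headers and classify transport vs tunnel mode. Added example."""
import struct

IPPROTO_IPIP = 4    # Next Header value for an inner IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_IPV6 = 41   # inner IPv6 packet (tunnel mode)
IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (header checksum left at zero; not needed here)."""
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def esp_packet(spi, seq, next_header, payload):
    """ESP with NULL encryption: SPI | seq | payload | padding | pad length | next header."""
    pad_len = (-(len(payload) + 2)) % 4          # align the trailer to a 4-byte boundary
    body = payload + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    return struct.pack("!II", spi, seq) + body   # SPI is the first field of the ESP header


def ah_header(spi, seq, next_header, icv):
    """AH: next header | payload length | reserved | SPI | sequence | ICV.
    Payload length is the AH length in 32-bit words minus 2 (RFC 4302)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def find_spi(packet):
    """Return (protocol name, SPI, sequence number) for an IPv4 packet carrying AH or ESP."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    hdr = packet[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack_from("!II", hdr, 0)   # ESP: SPI at offset 0
        return "ESP", spi, seq
    if proto == IPPROTO_AH:
        spi, seq = struct.unpack_from("!II", hdr, 4)   # AH: SPI after next hdr/len/reserved
        return "AH", spi, seq
    raise ValueError(f"protocol {proto} is neither AH nor ESP")


def ipsec_mode(packet):
    """'tunnel' if the protected payload is a whole IP packet, else 'transport'.
    Readable for ESP only because NULL encryption and no ICV are assumed."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_AH:
        next_header = packet[ihl]        # first byte of the AH header
    elif proto == IPPROTO_ESP:
        next_header = packet[-1]         # last byte of the ESP trailer when there is no ICV
    else:
        raise ValueError("not an IPsec packet")
    return "tunnel" if next_header in (IPPROTO_IPIP, IPPROTO_IPV6) else "transport"


# Constructed inner traffic: a 20-byte TCP header stub and the IPv4 packet around it.
INNER_TCP = b"\x04\xd2\x01\xbb" + b"\x00" * 16
INNER_IP = ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_TCP, len(INNER_TCP)) + INNER_TCP


def transport_esp():
    """Host-to-host: original header kept, only the TCP segment inside ESP."""
    esp = esp_packet(0x1000, 1, IPPROTO_TCP, INNER_TCP)
    return ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_ESP, len(esp)) + esp


def tunnel_esp():
    """Gateway-to-gateway: whole inner packet inside ESP, new outer header."""
    esp = esp_packet(0x2000, 1, IPPROTO_IPIP, INNER_IP)
    return ipv4_header("198.51.100.1", "203.0.113.1", IPPROTO_ESP, len(esp)) + esp


def transport_ah():
    """AH transport mode with a 96-bit ICV (zeroed here; a real ICV is an HMAC over the packet)."""
    ah = ah_header(0x3000, 1, IPPROTO_TCP, b"\x00" * 12)
    return ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_AH, len(ah) + len(INNER_TCP)) + ah + INNER_TCP


if __name__ == "__main__":
    for name, pkt in (("ESP transport", transport_esp()), ("ESP tunnel", tunnel_esp()),
                      ("AH transport", transport_ah())):
        proto, spi, seq = find_spi(pkt)
        print(f"{name}: {proto} SPI=0x{spi:08x} seq={seq} mode={ipsec_mode(pkt)}")
```

The two offsets in `find_spi` are the whole point of Question 2: a monitoring tool that wants to map packets to SAs reads bytes 0-3 after the IP header for ESP and bytes 4-7 for AH, and the SPI is only meaningful in combination with the destination address and protocol.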


Question 5

Which of the following is considered the best way to counter packet monitoring for a switch?



Answer : D

Port mirroring (also known as SPAN, Switched Port Analyzer) is the answer here. A switch forwards each unicast frame only to the port on which the destination MAC address was learned, so a sniffer attached to an ordinary switch port sees only its own traffic and broadcasts; this per-port forwarding is what makes a switched network resistant to casual packet monitoring, and port mirroring is the sanctioned way to get around it. The switch copies traffic from one or more source ports (or an entire VLAN) to a destination port where the monitoring device is connected. Because the copies are made by the switch itself, mirroring is transparent to users and endpoints and does not alter the original traffic. Two caveats a practitioner should know: a mirror destination port can be oversubscribed when the aggregate source traffic exceeds its bandwidth, in which case the switch silently drops copied frames, and mirrored copies of already-sent traffic cannot be used to block anything, so SPAN suits passive monitoring (IDS, packet capture) rather than enforcement.

Reference

Cisco Systems, 'Catalyst Switched Port Analyzer (SPAN) Configuration Example'.


Question 6

Which of the following are required functions of information management?



Answer : A

Information management within the context of network security involves several critical functions that ensure data is correctly handled for security operations. These functions include:

Normalization: This process standardizes data formats from various sources to a common format, making it easier to analyze systematically.

Correlation: This function identifies relationships between disparate pieces of data, helping to identify patterns or potential security incidents.

Data enrichment: Adds context to the collected data, enhancing the information with additional details, such as threat intelligence.

All these functions are essential to effective information management in security systems, allowing for more accurate monitoring and faster response to potential threats.

Reference

'Data Enrichment and Correlation in SIEM Systems,' Security Information Management Best Practices.

'Normalization Techniques for Security Data,' Journal of Network Security.
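The three functions above (normalization, correlation, data enrichment) run over a handful of constructed log lines, as an added example that is not part of the practice test and not the code of any SIEM product. It maps a syslog-style sshd line and a JSON firewall event onto one common schema, enriches each event from a constructed threat-intelligence dictionary and asset list, and correlates the result with one rule: repeated authentication failures followed by a success from the same source, then allowed traffic from that source to a PLC. The log lines, addresses, feed entries and the rule threshold are all assumptions made for the example.

```python
"""Normalize, enrich and correlate security events. Added example, not from the page."""
import json
import re
from collections import defaultdict

# Constructed sample input: three sshd lines from a gateway and two JSON firewall events.
RAW_EVENTS = [
    "Mar 10 08:01:05 plc-gw sshd[411]: Failed password for operator from 203.0.113.9 port 51022 ssh2",
    "Mar 10 08:01:09 plc-gw sshd[411]: Failed password for operator from 203.0.113.9 port 51023 ssh2",
    "Mar 10 08:01:14 plc-gw sshd[411]: Accepted password for operator from 203.0.113.9 port 51024 ssh2",
    '{"ts": "2024-03-10T08:02:00Z", "action": "allow", "src": "203.0.113.9", "dst": "10.10.5.20", "dport": 502}',
    '{"ts": "2024-03-10T08:02:30Z", "action": "deny", "src": "192.0.2.77", "dst": "10.10.5.20", "dport": 502}',
]

# Constructed enrichment sources: a threat-intel feed and an asset inventory.
THREAT_INTEL = {"203.0.113.9": "known scanner (constructed feed entry)"}
ASSETS = {"10.10.5.20": "PLC-1 (Modbus)"}

SSH_RE = re.compile(r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")


def normalize(line):
    """Map each source format onto one schema: source, category, outcome, src, dst, dport, user."""
    if line.startswith("{"):
        ev = json.loads(line)
        return {"source": "firewall", "category": "network", "outcome": ev["action"],
                "src": ev["src"], "dst": ev["dst"], "dport": ev["dport"], "user": None}
    m = SSH_RE.search(line)
    if m:
        return {"source": "sshd", "category": "auth",
                "outcome": "failure" if m["outcome"] == "Failed" else "success",
                "src": m["src"], "dst": line.split()[3], "dport": 22, "user": m["user"]}
    return None  # unrecognized format: dropped here, would be queued for a new parser in practice


def enrich(event):
    """Attach context the raw line does not carry: reputation of the source, identity of the target."""
    event["src_intel"] = THREAT_INTEL.get(event["src"])
    event["dst_asset"] = ASSETS.get(event["dst"])
    return event


def correlate(events, min_failures=2):
    """Rule: >= min_failures auth failures, then a success, then allowed traffic to a known asset,
    all from the same source address."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["category"] == "auth" and e["outcome"] == "failure"]
        success = [e for e in evs if e["category"] == "auth" and e["outcome"] == "success"]
        to_asset = [e for e in evs if e["category"] == "network" and e["outcome"] == "allow" and e["dst_asset"]]
        if len(failures) >= min_failures and success and to_asset:
            incidents.append({"src": src, "failures": len(failures), "intel": evs[0]["src_intel"],
                              "targets": sorted({e["dst_asset"] for e in to_asset})})
    return incidents


def process(lines=RAW_EVENTS):
    """Full pipeline: normalize -> enrich -> correlate. Returns (events, incidents)."""
    events = [enrich(e) for e in map(normalize, lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, incidents = process()
    print(f"{len(events)} normalized events")
    for inc in incidents:
        print("INCIDENT", inc)
```

Without normalization the correlation rule would need one branch per log format; without enrichment it could not tell a PLC from a printer. The `dst_asset` lookup is what turns "allowed traffic" into "allowed traffic to a controller".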


Question 7

Which of the following names represents inbound filtering?



Answer : D

Ingress filtering is inbound filtering: packets entering a network are allowed or blocked according to a set of security rules.

It is normally applied at the network boundary (perimeter firewall or border router) to stop unwanted or harmful traffic from reaching the more trusted internal network. A standard ingress rule, the anti-spoofing rule of RFC 2827 (BCP 38), drops inbound packets whose source address belongs to the internal network, because such a packet arriving from outside can only be spoofed.

The term 'ingress' refers to traffic entering a network boundary; 'egress' refers to traffic leaving it, and egress filtering is the corresponding outbound control.

Reference

Cisco Networking Academy Program: Network Security.

'Understanding Ingress and Egress Filtering,' Network Security Guidelines, TechNet.
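The default-permit versus default-deny stance from Question 3 and the inbound (ingress) filtering from Question 7, as one added example that is not part of the practice test and not the code of any firewall product. It is a small first-match packet filter: the same inbound rule set is evaluated once with a permissive default and once with a restrictive default, so the difference shows up only on traffic no rule mentions. The ingress function drops inbound packets that claim an internal source address before consulting the rules. The address ranges, rules and sample packets are constructed for the example.

```python
"""Default-permit vs default-deny, and ingress anti-spoofing. Added example, not from the page."""
import ipaddress

# Constructed topology: one internal /16 behind the perimeter.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]


class Rule:
    """One filter rule; unspecified fields match anything."""

    def __init__(self, action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dport=None):
        self.action = action
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto
        self.dport = dport

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))


def evaluate(rules, pkt, default):
    """First-match evaluation; `default` is the stance applied when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def ingress_filter(pkt, rules, default):
    """Inbound filtering at the perimeter: anti-spoofing check first, then the rule set."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in INTERNAL_NETS):
        return "deny"   # a packet from outside claiming an internal source is spoofed (RFC 2827)
    return evaluate(rules, pkt, default)


# Constructed inbound rule set: no Modbus from the Internet, HTTPS to one web host.
INGRESS_RULES = [
    Rule("deny", dst="10.10.5.0/24", proto="tcp", dport=502),
    Rule("permit", dst="10.10.1.10/32", proto="tcp", dport=443),
]

# Constructed inbound packets.
PACKETS = {
    "https_to_web": {"src": "198.51.100.23", "dst": "10.10.1.10", "proto": "tcp", "dport": 443},
    "modbus_from_internet": {"src": "198.51.100.23", "dst": "10.10.5.20", "proto": "tcp", "dport": 502},
    "ssh_to_web": {"src": "198.51.100.23", "dst": "10.10.1.10", "proto": "tcp", "dport": 22},
    "spoofed_internal": {"src": "10.10.3.3", "dst": "10.10.1.10", "proto": "tcp", "dport": 443},
}


def decide(pkt):
    """Evaluate one inbound packet under both stances."""
    return {"permissive": ingress_filter(pkt, INGRESS_RULES, default="permit"),
            "restrictive": ingress_filter(pkt, INGRESS_RULES, default="deny")}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:22s} {decide(pkt)}")
```

Only `ssh_to_web` differs between the two stances: nobody wrote a rule for SSH, so the permissive firewall lets it through and the restrictive one does not. That is the whole risk argument against default permit, since every service an administrator forgot to think about is exposed.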

