ECCouncil ICS-SCADA Cyber Security Practice Test - Questions Answers, Page 5

What share does the WannaCry ransomware use to connect with the target?

A. $IPC
B. $Admin
C. $SPOOL
D. $C
Suggested answer: A

Explanation:

The WannaCry ransomware utilizes the $IPC (Inter-Process Communication) share to connect with and infect target machines. This hidden network share supports the operation of named pipes, which facilitates the communication necessary for WannaCry to execute its payload across networks.

Reference:

CISA Analysis Report, 'WannaCry Ransomware'.

WannaCry ransomware uses the SMB (Server Message Block) protocol to propagate through networks and connect to target systems. Specifically, it exploits a vulnerability in SMBv1, known as EternalBlue (MS17-010).

IPC Share: The $IPC (Inter-Process Communication) share is a hidden administrative share used for inter-process communication. WannaCry uses this share to gain access to other machines on the network.

SMB Exploitation: By exploiting the SMB vulnerability, WannaCry can establish a connection to the $IPC share, allowing it to execute the payload on the target machine.

Propagation: Once connected, it deploys the DoublePulsar backdoor and then spreads the ransomware payload.

Given these details, the correct answer is $IPC.

Reference:

'WannaCry Ransomware Attack,' Wikipedia, WannaCry.

'MS17-010: Security Update for Windows SMB Server,' Microsoft, MS17-010.

Which of the following is considered the best way to counter packet monitoring for a switch?

A. Tap
B. Duplication
C. SPAN
D. Port mirror
Suggested answer: D

Explanation:

Port mirroring (also known as SPAN - Switched Port Analyzer) is considered one of the best ways to counter packet monitoring on a switch. This technique involves copying traffic from one or more switch ports (or an entire VLAN) to another port where the monitoring device is connected. Port mirroring allows administrators to monitor network traffic in a non-intrusive way, as it does not affect network performance and is transparent to users and endpoints on the network.

Reference:

Cisco Systems, 'Catalyst Switched Port Analyzer (SPAN) Configuration Example'.

Which of the following is a weakness of a vulnerability scanner?

A. Detect known vulnerabilities
B. Not designed to go through filters
C. Work best on a local network
D. Maintains a signature database
Suggested answer: B

Explanation:

One weakness of a vulnerability scanner is that it is not designed to go through filters or bypass security controls like firewalls or intrusion detection systems. Vulnerability scanners typically perform well in identifying known weaknesses within the perimeter of a network or system but might not effectively assess systems that are shielded by robust security measures, which can filter out the scanner's attempts to probe or attack.

Reference:

National Institute of Standards and Technology (NIST), 'Technical Guide to Information Security Testing and Assessment'.

What version of SMB did the WannaCry ransomware attack?

A. All of these
B. 2
C. 1
D. 3
Suggested answer: C

Explanation:

The WannaCry ransomware primarily exploited vulnerabilities in the SMB (Server Message Block) version 1 protocol to propagate across network systems. Microsoft had identified vulnerabilities in SMBv1, which were exploited by the EternalBlue exploit to spread the ransomware. This led to widespread infections, particularly in systems that had not applied the security updates released to patch the vulnerability.

Reference:

Microsoft Security Bulletin MS17-010, 'Security Update for Microsoft Windows SMB Server'.

With respect to the IEC 62443, how many steps are in the Defense in Depth process?

A. 8
B. 4
C. 6
D. 2
Suggested answer: C

Explanation:

IEC 62443 is a series of standards designed to secure Industrial Automation and Control Systems (IACS). It provides a framework for implementing cybersecurity measures in the context of industrial environments.

The Defense in Depth (DiD) approach outlined in IEC 62443 involves multiple layers of security measures to protect industrial networks. This method ensures that if one layer fails, others are in place to continue protection.

Specifically, the IEC 62443 framework describes six fundamental steps in setting up a Defense in Depth strategy, covering aspects from physical security to network segmentation and device hardening.

Reference:

International Electrotechnical Commission, IEC 62443 Series.

'Understanding IEC 62443 for Industrial Cybersecurity,' by ISA99 Committee.

The IEC 62443 standard outlines a comprehensive framework for securing industrial automation and control systems (IACS). The Defense in Depth concept within this standard includes six steps designed to ensure robust security.

Step 1: Identification and Authentication Control (IAC): Ensuring only authorized users and devices can access the system.

Step 2: Use Control (UC): Managing permissions and access controls to restrict actions users can perform.

Step 3: System Integrity (SI): Ensuring the system remains in a trustworthy state, protected from unauthorized changes.

Step 4: Data Confidentiality (DC): Protecting sensitive data from unauthorized access and disclosure.

Step 5: Restricted Data Flow (RDF): Controlling and monitoring data flows to prevent unauthorized data transmission.

Step 6: Timely Response to Events (TRE): Implementing mechanisms to detect, respond to, and recover from security incidents.

These steps collectively form the Defense in Depth strategy prescribed by IEC 62443.

Reference:

'IEC 62443 - Industrial Automation and Control Systems Security,' International Electrotechnical Commission, IEC 62443.

'Defense in Depth,' Cybersecurity and Infrastructure Security Agency (CISA), Defense in Depth.

What is the default size in bits of the Windows Echo Request packet?

A. 28
B. 24
C. 58
D. 32
Suggested answer: A

Explanation:

The default size of a Windows Echo Request packet, commonly known as a ping request, is 28 bytes. This size is derived from the following components:

ICMP Header: The Internet Control Message Protocol (ICMP) header is 8 bytes.

IPv4 Header: The IP header for an IPv4 packet is typically 20 bytes.

Therefore, the total size of the default Windows Echo Request packet is 28 bytes (8 bytes for ICMP header + 20 bytes for IPv4 header).

Reference:

'Ping (networking utility),' Wikipedia, Ping.

'ICMP Header Format,' Cisco, ICMP Header.

Which mode within IPsec provides secure connection between two endpoints but does NOT protect the sender and the receiver?

A. Tunnel
B. Covered
C. Transport
D. Protected
Suggested answer: C

Explanation:

IPsec offers two modes of operation: Transport mode and Tunnel mode.

Transport mode in IPsec provides security for the payload (the message part) of each packet along the communication path between two endpoints.

In this mode, the IP header of the original packet is not encrypted: only the payload is protected, not the headers. So while the data itself is protected, the sender and receiver addresses carried in the IP header remain visible.

Reference:

'Security Architecture for IP,' RFC 4301.

IPsec documentation, Internet Engineering Task Force (IETF).

Which of the monitor alerts is considered most dangerous?

A. True Positive
B. False Positive
C. False Negative
D. True Negative
Suggested answer: C

Explanation:

In the context of monitoring and alerts within cybersecurity, the classification of alerts includes true positives, false positives, true negatives, and false negatives.

A false negative is considered the most dangerous type of alert because it occurs when an actual security threat is present but the monitoring system fails to detect and alert on it. This allows malicious activity to continue undetected, potentially leading to significant damage or data loss.

The risk with false negatives is that they create a false sense of security: systems are assumed to be secure while in reality they are compromised.

Reference:

'Security and Network Monitoring Basics,' Cisco Systems.

'Understanding Alert Classifications in Cybersecurity,' Journal of Information Security.

Which of the following is known as a prebuilt directional gateway that is unidirectional?

A. Firewall
B. Data Diode
C. None of these
D. Unigate
Suggested answer: B

Explanation:

A data diode is known as a prebuilt directional gateway that is unidirectional, designed specifically to allow data to travel in only one direction, ensuring secure one-way communication. This feature makes data diodes ideal for environments where it is critical to prevent any possibility of data leakage or unauthorized access from an external network back to a secure network. Data diodes are commonly used in military and industrial applications, including ICS/SCADA systems, to protect sensitive information.

Reference:

U.S. Department of Energy, 'Cybersecurity for SCADA Systems'.


At what layer does a switch normally operate?

A. 4
B. 7
C. 2
D. 3
Suggested answer: C

Explanation:

A network switch typically operates at Layer 2 of the OSI model, the Data Link layer. This layer is responsible for node-to-node data transfer, which involves handling data frames between physical devices on the same network or link. The switch uses MAC addresses to forward frames to the appropriate destination within the network.

Reference:

Andrew S. Tanenbaum, 'Computer Networks'.

Total 75 questions