ECCouncil ICS-SCADA Cyber Security Practice Test - Questions Answers, Page 6

Which component of the IT Security Model is attacked with eavesdropping and interception?

A. Confidentiality
B. Availability
C. Integrity
D. Authentication
Suggested answer: A

Explanation:

Eavesdropping and interception primarily attack the confidentiality component of the IT Security Model. Confidentiality is concerned with protecting information from being accessed by unauthorized parties. Eavesdropping involves listening to private communication or capturing data as it is transmitted over a network, thereby breaching the confidentiality of the information.

Reference:

William Stallings, 'Cryptography and Network Security: Principles and Practice'.

How many firewalls are there in the most common ICS/SCADA architecture?

A. 3
B. 1
C. None of these
D. 2
Suggested answer: D

Explanation:

The most common ICS/SCADA architecture typically includes two firewalls. In this dual-firewall configuration, one firewall is placed between the enterprise network and the ICS/SCADA network, and another between the ICS/SCADA network and the plant floor devices. The network segment enclosed between the two firewalls forms a 'demilitarized zone' (DMZ), which adds an additional layer of security to help isolate and protect sensitive operational technology (OT) environments from threats originating in IT networks.

Reference:

National Institute of Standards and Technology (NIST), 'Guide to Industrial Control Systems (ICS) Security'.

How many IPsec modes are there?

A. Four
B. Three
C. None of these
D. Two
Suggested answer: D

Explanation:

IPsec (Internet Protocol Security) primarily operates in two modes: Transport mode and Tunnel mode.

Transport mode: Protects only the payload of each packet, leaving the original IP header in place. This mode is typically used for end-to-end communication between two hosts.

Tunnel mode: Protects the entire original IP packet, header and payload, which is then encapsulated in a new IP packet with a new outer header. Tunnel mode is often used for network-to-network communication (e.g., between two gateways) or between a remote client and a gateway.

Reference:

'Security Architecture for the Internet Protocol,' RFC 4301.

'IPsec Modes of Operation,' by Internet Engineering Task Force (IETF).

Which of the following is the stance on risk that by default allows traffic with a default permit approach?

A. Paranoid
B. Prudent
C. Promiscuous
D. Permissive
Suggested answer: D

Explanation:

In network security, the stance on managing and assessing risk can vary widely depending on the security policies of an organization.

A 'Permissive' stance, often referred to as a default permit approach, allows all traffic unless it has been specifically blocked. This approach is easier to manage from a usability standpoint but is less secure, because unwanted or malicious traffic passes through unless it has been explicitly filtered.

This contrasts with a default deny policy, which blocks all traffic unless it has been explicitly permitted and is typically seen in more secure environments.

Reference:

'Network Security Basics,' by Cisco Systems.

'Understanding Firewall Policies,' by Fortinet.

Which of the IPsec headers contains the Security Parameters Index (SPI)?

A. AH
B. Both AH and ESP
C. ESP
D. ICV
Suggested answer: B

Explanation:

IPsec uses two main protocols to secure network communications: Authentication Header (AH) and Encapsulating Security Payload (ESP).

Both AH and ESP carry a Security Parameters Index (SPI) as a critical field of their headers. The SPI is an identifier that, together with the destination address and protocol, enables the receiver to select the correct security association (SA) for processing an incoming packet.

AH provides authentication and integrity, while ESP provides confidentiality, in addition to authentication and integrity. Both protocols use the SPI to manage these functions securely.

Reference:

'IPsec Security Architecture,' RFC 4302 (AH) and RFC 4303 (ESP).

'IPsec Explained,' by Juniper Networks.

Which of the TCP flags represents data in the packet?

A. RST
B. ACK
C. PSH
D. FIN
Suggested answer: C

Explanation:

The PSH (Push) flag in the TCP header instructs the receiving host to deliver the data to the receiving application immediately, without waiting for its buffer to fill. This ensures that data is not delayed, which improves the efficiency of communication where real-time data processing is required. It effectively tells the receiving system that the data in this packet should be passed up without delay.

Reference:

Douglas E. Comer, 'Internetworking with TCP/IP Vol.1: Principles, Protocols, and Architecture'.

Which of the following is NOT ICS specific malware?

A. Flame
B. Havex
C. Code Red
D. Stuxnet
Suggested answer: C

Explanation:

Code Red is not ICS-specific malware; it was a well-known worm that targeted computers running Microsoft's IIS web server. Unlike Flame, Havex, and Stuxnet, which were specifically designed to target industrial control systems or to perform espionage related to ICS environments, Code Red was aimed at exploiting vulnerabilities in internet-facing software to perform denial-of-service attacks and other malicious activities.

Reference:

CERT Coordination Center, 'Code Red Worm Exploiting Buffer Overflow In IIS Indexing Service DLL'.

A protocol analyzer that produces raw output is which of the following?

A. tcpdump
B. Wireshark
C. Capsa
D. Commview
Suggested answer: A

Explanation:

tcpdump is a powerful command-line packet analyzer used primarily in UNIX and UNIX-like operating systems; it allows the capture and display of TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

Unlike graphical tools such as Wireshark, tcpdump writes the raw output of a packet capture directly to the terminal or to a specified file, making it well suited to in-depth network analysis, especially in environments where no graphical user interface is available.

tcpdump uses the libpcap library to capture packet data and supports a wide range of command-line options for filtering and displaying packet information according to the user's needs.

Reference:

'tcpdump manual page,' by the Tcpdump Group.

'Practical Packet Analysis Using Wireshark to Solve Real-World Network Problems,' by Chris Sanders, No Starch Press.

With respect to data analysis, which of the following is not a step?

A. Enumeration
B. All of these
C. Vulnerabilities
D. Scanning for targets
Suggested answer: A

Explanation:

In the context of data analysis, enumeration is not typically considered a step. Enumeration belongs to security assessments and network scanning, where specific details about devices, users, or services are catalogued. Data analysis steps typically include gathering data, preprocessing, analyzing, and interpreting results; enumeration, by contrast, is about identifying and listing the components of a system or network.

Reference:

'Data Science from Scratch' by Joel Grus, which outlines common steps in data analysis.

What is the extension of nmap scripts?

A. .nsn
B. .nse
C. .nsv
D. .ns
Suggested answer: B

Explanation:

Nmap scripts, which extend Nmap's functionality for network discovery, security auditing, and other tasks, use the extension .nse. The extension stands for Nmap Scripting Engine, the component that allows users to write scripts to automate a wide variety of networking tasks.

Reference:

Gordon Lyon (also known as Fyodor Vaskovich), 'Nmap Network Scanning', which details the use of Nmap scripts with examples.

Total 75 questions