FSCA Flashcards by Jack Smith

ICS stands for ____________ Control System

Industrial

How well did you know this?

Not at all

Perfectly

Which of the following is an inaccurate statement regarding ICS?

a) It may span across multiple countries

b) It may be confined to just a single factory

c) Its a system that manages industrial processes

d) There are two types of ICS architectures

e) Its used to control windows domain services

e) It’s used to control windows domain services

How well did you know this?

Not at all

Perfectly

SCADA stands for ‘Supervisory Control and _______ Acquisition’

Data

How well did you know this?

Not at all

Perfectly

DCS stands for _____________ Control System

Distributed

How well did you know this?

Not at all

Perfectly

Which of the following are characteristics of a DCS architecture? Select three.

a) Field controllers simply acquire and pass along data.

b) Primarily used in single factories

c) Uses open protocols

d) Uses control loops to manage processes

e) Used in large geographical areas

f) Most control functions take place by the field controllers

b) Primarily used in single factories

d) Uses control loops to manage processes

f) Most control functions take place by the field controllers

How well did you know this?

Not at all

Perfectly

True or False: Since they were developed many years ago, ICS protocols have been modified to include security features.

False

How well did you know this?

Not at all

Perfectly

True of False: It’s unlikely to have a DCS architecture that uses multiple different ICS protocols

True

How well did you know this?

Not at all

Perfectly

Which of the following are examples of ICS protocols used in SCADA architectures? Select three.

a) IEC104

b) DNP3

c) IEC61850

d) RS232

e) Delta

a) IEC104

b) DNP3

c) IEC61850

How well did you know this?

Not at all

Perfectly

True or False: The main purpose of the Purdue reference model is to make it easier for different devices to communicate.

False

How well did you know this?

Not at all

Perfectly

PLC stands for Programmable _________ Controller

Logic

How well did you know this?

Not at all

Perfectly

Which Purdue level is responsible for supervising, monitoring and controlling manufacturing processes?

a) Purdue level 0

b) Purdue level 1

c) Purdue level 2

d) Purdue level 3

e) Purdue level 4

c) Purdue level 2

How well did you know this?

Not at all

Perfectly

Which devices would you find in Purdue level 1? Select two.

a) RTUs

b) SCADA servers

c) PLCs

d) HMIs

e) Historian

f) SIEM

a) RTUs

c) PLCs

How well did you know this?

Not at all

Perfectly

OT stands for ____________ Technology

Operational

How well did you know this?

Not at all

Perfectly

Which of the following are characteristics of an IT environment? Select three.

a) Control, availability, and integrity are the most important

b) There are not typically a lot of a new devices added

c) New devices and applications are added without IT approval

d) They’re engineered to have long-lasting processes

e) Throughput and confidentiality are the most important

f) They typically contain many types of devices and applications

c) New devices and applications are added without IT approval

e) Throughput and confidentiality are the most important

f) They typically contain many types of devices and applications

How well did you know this?

Not at all

Perfectly

True or False: In the past, for OT environments, physical security was the number one security concern.

True

How well did you know this?

Not at all

Perfectly

True or False: Due to new standards, all of today’s OT environments have become connected to their organization’s IT networks.

False

How well did you know this?

Not at all

Perfectly

Which of the following are characteristics of an OT environment: Select three:
a) New devices and applications are added without IT approval
b) They typically contain many types of devices and applications
c) They’re engineered to have long-lasting processes
d) Throughput and confidentiality are the most important
e) Control, availability, and integrity are the most important
f) There are not typically a lot of new devices added

c) They’re engineered to have long-lasting processes
e) Control, availability, and integrity are the most important
f) There are not typically a lot of new devices added

How well did you know this?

Not at all

Perfectly

Which of the following is NOT a benefit of the convergence of IT and OT environments:
a) An administrator can control the PLC devices of all locations from a single place
b) An administrator can provide network assessments from home
c) An administrator can view processes of a satellite plant
d) An administrator can view security assessments on the road
e) A SCADA server can run on a windows server

e) A SCADA server can run on a windows server

How well did you know this?

Not at all

Perfectly

True or False: One of the critical factors of OT environments is that they have no downtime.

True

How well did you know this?

Not at all

Perfectly

Which of the following is a downside of the convergence of IT and OT environments?
a) It’s easier for administrators to manage manufacturing processes locally
b) Organizations require more field devices and field controllers
c) Administrators do not need to travel as much
d) It widens the attack surface for the OT environment
e) Administrators have less control of the overall processes

d) It widens the attack surface for the OT environment

How well did you know this?

Not at all

Perfectly

True or False: Distributed intelligence happens on the command center, and centralized management happens on the enterprise command center.

False

How well did you know this?

Not at all

Perfectly

Which of the following are characteristics of an active sensor? Select three.
a) They send traffic details to the enterprise command center
b) They use queries that are configured on the command center
c) They are required for eyeInspect deployments
d) They can obtain Windows update details
e) They do not add an additional network traffic
f) They add additional network traffic

b) They use queries that are configured on the command center
d) They can obtain Windows update details
f) They add additional network traffic

How well did you know this?

Not at all

Perfectly

What is the benefit of using an enterprise command center?
a) They can retrieve data from both active and passive sensors
b) They can connect to more than 50 passive sensors
c) They enable communications over wide-area networks
d) They display data from multiple command centers
e) They provide license and software version control

d) They display data from multiple command centers

How well did you know this?

Not at all

Perfectly

Which of the following can be used to access and eyeInspect command center? Select two:
a) http://<IP_address>
b) https://<IP_address>
c) http://<host_name>
d) https://<host_name>
e) ftp://<host_name></host_name></host_name></host_name></IP_address></IP_address>

b) https://<IP_address>
d) https://<host_name></host_name></IP_address>

How well did you know this?

Not at all

Perfectly

What is the default username and password for a newly installed eyeInspect command center?

admin/admin

True or False: You must install a software license on the command center before you can add a passive sensor.

True

What detail is not displayed about a software license upon uploading it to the command center? a) Expiration date b) Maximum number of assets c) Maximum number of connected sensors d) Installation date e) License level

d) Installation date

Which of the following are menus in an eyeInspect command center? Select four: a) Events b) Reports c) Sensors d) Configuration e) Assets f) Home

a) Events c) Sensors e) Assets f) Home

What is the default port when adding a new passive sensor running v5.0 or prior? a) 1000 b) 7676 c) 10640 d) 9999 e) 1234

d) 9999

True or False: It's recommended to change the default port when adding a new sensor?

False

What is the monitoring status of a newly added sensor? a) Open b) Needs configuration c) Licensed d) Active e) Connected

e) Connected

What are the possible State options for sensor detection modules? Select four: a) Error b) Detecting c) Learning d) Active e) Alerting f) Paused

b) Detecting c) Learning d) Active f) Paused

True or False: For best communication between the command center and connected sensors, it's recommended to manually set the date and time on both systems.

False

Which built-module would identify when an attacker attempts to identify which services are running on a device? a) Frequent even aggregation b) Malformed packed detection c) Event logging d) Visual analytics e) Portscan detection f) Man-in-the-Middle detection

e) Portscan detection

Which built-in module would identify when an attacker attempts to alter communication between two hosts? a) Frequent event aggregation b) Event logging c) Portscan detection d) Visual Analytics e) Man-in-the-middle detection f) Malformed packet detection

e) Man-in-the-middle detection

Which built-in module would identify when an attacker attempts to add an extra parameter to a communication? a) Frequent event aggregation b) Event logging c) Portscan Detection d) Visual analytics e) Man-in-the-middle detection f) Malformed packet detection

f) Malformed packet detection

True or False: Each eyeInspect user maintains their own Network Analytics page with custom widgets and tabs.

True

True or False: The visual analytics engine enables users to see network behavior in real-time.

True

What is a widget? a) A backup and restore process b) a toggle button c) A method for sending network data d) A license file e) A chart

e) A chart

True or False: It's important to consider disabling the visual analytics engine as it causes sensors to send flow information in full data format.

False

By default, how long is visual analytics data stored on the command center? a) Data is not stored on the command center b) 24 hours c) 2 weeks d) 1 month e) 3 months

e) 3 months

Once the visual analytics engine is active, what does the sensor send to the command center? a) Traffic patterns b) Flow information c) Network Logs d) Alerts e) Asset details

b) Flow information

True or False: You can disable parts of the visual analytics engine to conserve network bandwidth.

True

What does eyeInspect do if it doesn't recognize the protocol being used? a) It ignores the traffic b) It labels it using 'TCP' or 'UDP' and the port number c) It requests a port-to-name mapping d) It labels it as 'Unknown' e) It labels it as 'NotAKnown One'

e) It labels it as 'NotAKnown One'

Which of the following are widget datasources? Select four: a) Authentication Events b) Assets c) Flow Information d) Sensors e) Logged Events f) Alerts

b) Assets c) Flow Information e) Logged Events f) Alerts

Which of the following are widget types? Select four: a) Histogram b) Pie c) Scatter d) Column e) Sunburst f) Chord

a) Histogram b) Pie e) Sunburst f) Chord

Which of the following are widget dimensions? Select four: a) Source MAC b) L2 Protocol c) Destination IP d) Connections e) Sensor Name f) Bytes

a) Source MAC b) L2 Protocol c) Destination IP e) Sensor Name

True or False: When you create a new tab using a template, the resulting tab layout cannot be modified.

False

True or False: When you apply a filter to a tab, you can also apply an additional filter to one of the widgets on the tab.

True

True or False: Information learned by active sensors is added to the Assets page.

True

Which of the following asset details are discovered by eyeInspect passive sensors? a) Firmware version b) MAC address c) Model d) Vendor e) Purdue Level f) Role

a) Firmware version b) MAC address c) Model d) Vendor e) Purdue Level f) Role

Which of the following are widgets on the assets page? Select four: a) Vulnerability instances per severity b) Assets per Purdue level c) Assets per risk d) Assets per role e) Top Protocols f) Throughput per protocol

a) Vulnerability instances per severity b) Assets per Purdue level c) Assets per risk e) Top Protocols

True or False: You can add custom widgets on the Assets page

False

What is the default grouping of the assets on the Map view? a) By risk b) By criticality c) By role d) By purdue level e) By network

c) By role

What is the default layout for assets on the Map view? a) Purdue levels b) Communications c) Risks d) Roles e) Networks

a) Purdue Levels

What information can you see about an asset when you mouse over it on the map? a) It's risk b) Which assets it communicates with c) Its hostname d) Its MAC address e) It's vendor f) It's criticality

a) It's risk b) Which assets it communicates with c) Its hostname d) Its MAC address

By default, how often are the overall risk levels evaluated? a) Never b) Every minute c) Every 30 seconds d) Every hour e) Every 12 hours

d) Every hour

Which alert details can be modified? Select three: a) Event type b) Severity c) Tactic d) Status e) Detection Engine f) Case

b) Severity d) Status f) Case

How does eyeInspect cluster assets together? a) By communication only b) By role only c) By network only d) By role and communications e) By role and network

d) By role and communications

True or False: An eyeInspect active sensor can be used to obtain details that a passive sensor can't provide

True

Where can you install an active sensor? a) On a dedicated appliance b) On the same appliance as a passive sensor c) On the same appliance as a command center d) A and B e) A, B , C

e) A, B , C

True or False: You can add an active sensor using the command line on the appliance it will run on.

False

What is the default port when adding an active sensor? a) 180 b) 7575 c) 9001 d) 9999 e) None of the above

c) 9001

What is the State value once you finish adding a new sensor? a) Connected b) Sensor is being deployed c) In process d) Active e) Deployment Started

b) Sensor is being deployed

What is the state value once an active sensor has been successfully deployed? a) Working b) Normal c) Active d) Connected e) Needs Attention

d) Connected

What do most active scans use to obtain information from hosts? a) SNMP b) NMAP c) ICMP d) CDP e) Telnet

b) NMAP

Which of the following are types of active scans? Select four: a) OS/Ports b) Active IPs c) Services d) Windows e) OT Ports f) Open Ports

a) OS/Ports b) Active IPs d) Windows e) OT Ports

True or False: Windows active scans will typically be placed higher in the queue than an OS/Ports scan

True

True or False: The OS/Ports scan uses WMI to identify the operating system installed on Host.

False

True or False: Active scan policies are only used for issuing scans on a schedule?

False

True or False: You can manually start an active scan policy that is configured to run on a schedule

True

True or False: You must purchase an additional license to use eyeInspect alerts.

False

True or False: alerts are generated on a passive sensor and then sent to a command center.

True

True or False: An alert is always an indication of a security issue that needs to be addressed.

False

To open the alert page, select the _____ menu and click alerts.

Events

Which of the following are widgets on the asset page? Select four: a) Alerts per L7 protocol b) Alerts over time c) Alerts per severity d) Alerts per category e) Alerts from today f) Alerts per sensor

b) Alerts over time c) Alerts per severity d) Alerts per category f) Alerts per sensor

True or False: You cannot add custom widgets on the alerts page.

True

What is the default time range of alerts on the alerts page? a) The last hour b) The last 12 hours c) The last day d) The last week e) The last month

c) The last day.

What is the default grouping of alerts in the alerts list? a) By event type b) By date c) By severity d) By sensor e) By status

a) By event type

How can you filter alerts on the alerts page? Select three: a) Click on an area of the widget b) Click the filter button and select the filter criteria c) Add a new filter list option, and select an option from the list d) Select one of the columns and click filter e) Select an option from one of the default filter lists f) Add a new widget

a) Click on an area of the widget c) Add a new filter list option, and select an option from the list e) Select an option from one of the default filter lists

True or False: You can add custom widgets on a new tab on the alerts page

False

Which of the following properties can be used to filter assets? Select four: a) Engine type b) Asset c) Timestamp d) Risk e) Severity f) Status

a) Engine type c) Timestamp e) Severity f) Status

Which of the following are views on the alerts page? a) Risk b) Vulnerabilities c) Table d) Cases e) Map f) Changelogs

c) Table d) Cases

Passive sensors use the _________ module to generate network logs.

Event Logging

What is the default view on the network logs page? a) List view b) Table view c) Custom View d) Aggregated view e) Detailed view

d) Aggregated view

Which of the following fields can be used for filtering on the network logs page? Select three: a) Sensor b) Event name c) Event date d) Event severity e) Event criticality f) L7 protocol

b) Event name d) Event severity f) L7 protocol

True or False: You can filter by more than one Event Name at a time.

True

Which of the following are network log categories ? Select four. a) Potentially dangerous operations b) File operation c) Authorization d) Name resolution e) Authentication f) Application

a) Potentially dangerous operations b) File operation d) Name resolution e) Authentication

Instead of modifying columns on the aggregated view template, it's recommended to use the _____ view template.

Custom

By default, which fields are used for aggregating the network logs ? Select three. a) Event category b) Source IP c) Destination IP d) Sensor e) Event name f) L7 Protocol

b) Source IP c) Destination IP d) Sensor

True or False: You can create multiple different custom views with different filtering, columns and aggregations.

True

Which datasource is used to view network log analytics? a) Network events b) Network logs c) Logged events d) Events e) Logs

c) Logged events

True or False: The eyeInspect built-in-modules must perform a learning period before they begin.

False

True or False: The eyeInspect built-in-modules must be started before they begin detecting malicious activity.

True

Which of the following are eyeInspect built-in-modules? Select all that apply: a) Man-in-the-middle detection b) Frequent event aggregation c) Visual analytics d) Malformed packet detection e) Event logging f) Portscan detection

a) Man-in-the-middle detection b) Frequent event aggregation c) Visual analytics d) Malformed packet detection e) Event logging f) Portscan detection

Once enabled, the portscan detection module runs in the ________ state.

Detecting

Once enabled, the Frequent detection module runs in the ________ state.

Active

True or False: Port scanning is always an indication of malicious activity.

False

True or False: Port scanning is configured by selecting a 'Sensitivity level'

True

Which of the following are portscan detection sensitivity levels? Select four: a) Normal b) Strict c) High d) Basic e) Low f) User Defined

a) Normal b) Strict d) Basic f) User Defined

True or False: You can disable specific Portscan TCP detection options.

True

Which of the following are man-in-the-middle detection options? Select three. a) ICMP Spoofing b) IP Spoofing c) DHCP Spoofing d) ARP poisoning e) ICMP Misdirection f) SSL Hijacking

a) ICMP Spoofing c) DHCP Spoofing d) ARP poisoning

True or False: Man-in-the-middle attack can retrieve credit card details.

True

True or False: All malformed packet detection alerts should be investigated to determine root cause.

True

True or False: Using the frequent event aggregation module causes a high loss of alert information.

False

Which page can you use to view the events that have been aggregated. a) Network Logs b) Asset Inventory c) Sensor Overview d) Home e) Alerts

e) Alerts

eyInspect includes LAN CP _________ profiles, also known as LAN CP profiles.

Communication patterns

True or False: LAN CP Profiles use definitions to identify malicious network traffic.

False

True or False: LAN CP profiles are used to issue alerts when traffic deviates from an established baseline.

True

Which of the following are optional modes for a LAN CP Profile? Select two. a) Blocking b) Alerting c) Building d) Learning e) Monitoring f) Detecting

d) Learning f) Detecting

True or False: While in Learning mode, a LAN CP profile creates allow communication rules for all the traffic it monitors.

True

How long should a LAN CP Profile remain in Learning mode? a) 1 day b) 1 week c) 1 month d) You can bypass learning mode for a faster deployment e) It depends on the network environment

e) It depends on the network environment

True or False: Once a LAN CP profile moves to Detecting mode, it blocks traffic that deviates form the established baseline.

False

True or False: Once you install an eyeInspect command center, it comes with two LAN CP profiles by default.

False

If you select the default options when you create a new passive sensor, which LAN CP profiles are created? a) UDP communications b) L7 communications c) LLS communications d) HTTP communications e) TCP communications f) L4 communications

a) UDP communications e) TCP communications

What is the default maximum number of rules that can be created for a LAN CP profile? a) 100 b) 500 c) 1000 d) 10000 e) There is no maximum by default

c) 1000

True or False: It's recommended to increase the maximum number of learned rules to accommodate your network environment.

False

True or False: The action for a LAN CP profile communication rule can be modified to alert.

True

Which of the following does ITL stand for? a) Internet Threat Language b) Industrial Technology Library c) Industrial Threat Library d) Internet Technology Library e) Internet Threat Library

c) Industrial Threat Library

Which of the following describes the ITL? Select four: a) It includes intelligence about the causes of problems b) You can create your own ITL checks c) ForeScout regularly adds new checks d) It requires a learning period e) It contains pre-configured checks f) It has checks in 3 categories

a) It includes intelligence about the causes of problems c) ForeScout regularly adds new checks e) It contains pre-configured checks f) It has checks in 3 categories

What are the industrial threat library categories? Select three: a) system b) Operations c) Security d) Internet e) Networking f) Performance

b) Operations c) Security e) Networking

Which of the following are networking sub-categories? Select two: a) Malfunctioning or misbehaving device b) Use of insecure protocol c) Connectivity issues d) Network Reconnaissance e) Misconfigured Client/Server f) Loss of expected communication

c) Connectivity issues e) Misconfigured Client/Server

Which of the following are Operations sub-categories? Select two: a) Misconfigured Client/Server b) Connectivity issues c) Malfunctioning or misbehaving device d) Use of insecure protocol e) Network Reconnaissance f) Loss of expected communication

c) Malfunctioning or misbehaving device f) Loss of expected communication

Which of the following are Security sub-categories? Select two: a) Loss of expected communication b) Connectivity issues c) Misconfigured client/server d) Malfunctioning or misbehaving device e) Network reconnaissance f) Use of insecure protocol

e) Network reconnaissance f) Use of insecure protocol

True or False: You can globally disable any of the ITL checks.

False

True or False: When you select to create an exception, all ITL checks are initially enabled by default.

False

Which of the following does CVE stand for? a) Computer virus emulation b) Computer virus encoding c) Content vulnerability encoding d) Common vulnerabilities and exposures e) Content vulnerabilities and encryption

d) Common vulnerabilities and exposures

IOC stand for Indicators of _________

Compromise

How often does forescout update the CVE IoC database? a) Once a week b) Every other week c) Once a month d) Every six months e) Once a year

C) Once a month

Which of the following can be forwarded from eyeInspect? Select four: a) Health status b) User activity c) Network logs d) Network Analytics e) Alerts f) Assets

a) Health status b) User activity c) Network logs e) Alerts

True or False: Using email is only available with alert forwarding

True

What information is needed when creating an email alert forwarding server? Select four: a) To addresses b) Message c) Server address d) From address e) Connection security f) Transport protocol

a) To addresses c) Server address d) From address e) Connection security

True or False: Using email is only available with alert forwarding

True

What information can be supplied when creating a syslog alert forwarding server? Select four: a) Compression b) Connectivity c) Forwarding conditions d) Basic information e) Security f) Message

b) Connectivity c) Forwarding conditions d) Basic information f) Message

True or False: By default, all alerts are sent to an alert forwarding server

True

True or False: Health status forwarding is enabled by default.

False

Which of the following is an inaccurate statement about eyeInspect data storage? a) Sensors do not retain collected data long term b) Sensors collect data and forward the data to the command center c) Sensors never retain collected data d) The command center retains data long term e) The amount of time data is retained on the command center can be customized.

c) Sensors never retain collected data

Which of the following are default roles with a new eyeInspect command center installation? Select four: a) Limited b) Viewer c) Operator d) Admin e) Analyst f) Blank

b) Viewer d) Admin e) Analyst f) Blank

True or False: You can only assign a single permission to each role.

False

Which of the following cannot be given permissions with a user role? a) Alerts b) Sensors c) Events d) Monitored networks e) Alert Cases

c) Events

Which eyeInspect features can be viewed in the eyeSight console with an eyeSight license? Select two: a) Device visibility b) Threat hunting c) Asset map d) Network monitoring and intelligence e) Risk assessment f) Vulnerability management

a) Device visibility f) Vulnerability management

Which eyeInspect menus are available when using an eyeSight license? Select two: a) Home b) Assets c) Events d) Analytics e) Sensors f) Settings

e) Sensors f) Settings

OTSM stands for __________

Operational Technology Security Module

The eyeSight device that communicates with the command center is known as what? a) The focal appliance b) The data appliance c) The access appliance d) The communication appliance e) The OTSM appliance

a) The focal appliance

True or False: The only use of OTSM plug-in is to enable the communication between eyeSight and the command center.

False

True or False: It's not recommended to use an EyeSight device for both an integrated sensor and the focal appliance.

True

What information must be provided when configuring the OTSM plug-in? Select four: a) The IP address or hostname of the command center b) The eyeSight device SSH access credentials c) The command center SSH access credentials d) The command center webUI credentials e) The layer 4 protocols to use for communication f) The eyeSight device to use as the focal appliance

a) The IP address or hostname of the command center c) The command center SSH access credentials d) The command center webUI credentials f) The eyeSight device to use as the focal appliance

Which host category would you find the OT Purdue level? a) Classification details b) Security c) General d) More e) Classification

c) General

Which host category would you find the OT vulnerabilities? a) Security b) Classification c) Classification details d) General e) More

a) Security