FSCA Flashcards
ICS stands for ____________ Control System
Industrial
Which of the following is an inaccurate statement regarding ICS?
a) It may span across multiple countries
b) It may be confined to just a single factory
c) It's a system that manages industrial processes
d) There are two types of ICS architectures
e) It's used to control Windows domain services
e) It's used to control Windows domain services
SCADA stands for ‘Supervisory Control and _______ Acquisition’
Data
DCS stands for _____________ Control System
Distributed
Which of the following are characteristics of a DCS architecture? Select three.
a) Field controllers simply acquire and pass along data.
b) Primarily used in single factories
c) Uses open protocols
d) Uses control loops to manage processes
e) Used in large geographical areas
f) Most control functions take place by the field controllers
b) Primarily used in single factories
d) Uses control loops to manage processes
f) Most control functions take place by the field controllers
True or False: Since they were developed many years ago, ICS protocols have been modified to include security features.
False
True or False: It's unlikely to have a DCS architecture that uses multiple different ICS protocols
True
Which of the following are examples of ICS protocols used in SCADA architectures? Select three.
a) IEC104
b) DNP3
c) IEC61850
d) RS232
e) Delta
a) IEC104
b) DNP3
c) IEC61850
True or False: The main purpose of the Purdue reference model is to make it easier for different devices to communicate.
False
PLC stands for Programmable _________ Controller
Logic
Which Purdue level is responsible for supervising, monitoring and controlling manufacturing processes?
a) Purdue level 0
b) Purdue level 1
c) Purdue level 2
d) Purdue level 3
e) Purdue level 4
c) Purdue level 2
Which devices would you find in Purdue level 1? Select two.
a) RTUs
b) SCADA servers
c) PLCs
d) HMIs
e) Historian
f) SIEM
a) RTUs
c) PLCs
OT stands for ____________ Technology
Operational
Which of the following are characteristics of an IT environment? Select three.
a) Control, availability, and integrity are the most important
b) There are not typically a lot of a new devices added
c) New devices and applications are added without IT approval
d) They’re engineered to have long-lasting processes
e) Throughput and confidentiality are the most important
f) They typically contain many types of devices and applications
c) New devices and applications are added without IT approval
e) Throughput and confidentiality are the most important
f) They typically contain many types of devices and applications
True or False: In the past, for OT environments, physical security was the number one security concern.
True
True or False: Due to new standards, all of today’s OT environments have become connected to their organization’s IT networks.
False
Which of the following are characteristics of an OT environment: Select three:
a) New devices and applications are added without IT approval
b) They typically contain many types of devices and applications
c) They’re engineered to have long-lasting processes
d) Throughput and confidentiality are the most important
e) Control, availability, and integrity are the most important
f) There are not typically a lot of new devices added
c) They’re engineered to have long-lasting processes
e) Control, availability, and integrity are the most important
f) There are not typically a lot of new devices added
Which of the following is NOT a benefit of the convergence of IT and OT environments:
a) An administrator can control the PLC devices of all locations from a single place
b) An administrator can provide network assessments from home
c) An administrator can view processes of a satellite plant
d) An administrator can view security assessments on the road
e) A SCADA server can run on a Windows server
e) A SCADA server can run on a Windows server
True or False: One of the critical factors of OT environments is that they have no downtime.
True
Which of the following is a downside of the convergence of IT and OT environments?
a) It’s easier for administrators to manage manufacturing processes locally
b) Organizations require more field devices and field controllers
c) Administrators do not need to travel as much
d) It widens the attack surface for the OT environment
e) Administrators have less control of the overall processes
d) It widens the attack surface for the OT environment
True or False: Distributed intelligence happens on the command center, and centralized management happens on the enterprise command center.
False
Which of the following are characteristics of an active sensor? Select three.
a) They send traffic details to the enterprise command center
b) They use queries that are configured on the command center
c) They are required for eyeInspect deployments
d) They can obtain Windows update details
e) They do not add an additional network traffic
f) They add additional network traffic
b) They use queries that are configured on the command center
d) They can obtain Windows update details
f) They add additional network traffic
What is the benefit of using an enterprise command center?
a) They can retrieve data from both active and passive sensors
b) They can connect to more than 50 passive sensors
c) They enable communications over wide-area networks
d) They display data from multiple command centers
e) They provide license and software version control
d) They display data from multiple command centers
Which of the following can be used to access an eyeInspect command center? Select two:
a) http://<IP_address>
b) https://<IP_address>
c) http://<host_name>
d) https://<host_name>
e) ftp://<host_name>
b) https://<IP_address>
d) https://<host_name>
What is the default username and password for a newly installed eyeInspect command center?
admin/admin
True or False: You must install a software license on the command center before you can add a passive sensor.
True
What detail is not displayed about a software license upon uploading it to the command center?
a) Expiration date
b) Maximum number of assets
c) Maximum number of connected sensors
d) Installation date
e) License level
d) Installation date
Which of the following are menus in an eyeInspect command center? Select four:
a) Events
b) Reports
c) Sensors
d) Configuration
e) Assets
f) Home
a) Events
c) Sensors
e) Assets
f) Home
What is the default port when adding a new passive sensor running v5.0 or prior?
a) 1000
b) 7676
c) 10640
d) 9999
e) 1234
d) 9999
True or False: It’s recommended to change the default port when adding a new sensor?
False
What is the monitoring status of a newly added sensor?
a) Open
b) Needs configuration
c) Licensed
d) Active
e) Connected
e) Connected
What are the possible State options for sensor detection modules? Select four:
a) Error
b) Detecting
c) Learning
d) Active
e) Alerting
f) Paused
b) Detecting
c) Learning
d) Active
f) Paused
True or False: For best communication between the command center and connected sensors, it’s recommended to manually set the date and time on both systems.
False
Which built-in module would identify when an attacker attempts to identify which services are running on a device?
a) Frequent event aggregation
b) Malformed packet detection
c) Event logging
d) Visual analytics
e) Portscan detection
f) Man-in-the-Middle detection
e) Portscan detection
Which built-in module would identify when an attacker attempts to alter communication between two hosts?
a) Frequent event aggregation
b) Event logging
c) Portscan detection
d) Visual Analytics
e) Man-in-the-middle detection
f) Malformed packet detection
e) Man-in-the-middle detection
Which built-in module would identify when an attacker attempts to add an extra parameter to a communication?
a) Frequent event aggregation
b) Event logging
c) Portscan Detection
d) Visual analytics
e) Man-in-the-middle detection
f) Malformed packet detection
f) Malformed packet detection
True or False: Each eyeInspect user maintains their own Network Analytics page with custom widgets and tabs.
True
True or False: The visual analytics engine enables users to see network behavior in real-time.
True
What is a widget?
a) A backup and restore process
b) a toggle button
c) A method for sending network data
d) A license file
e) A chart
e) A chart
True or False: It’s important to consider disabling the visual analytics engine as it causes sensors to send flow information in full data format.
False
By default, how long is visual analytics data stored on the command center?
a) Data is not stored on the command center
b) 24 hours
c) 2 weeks
d) 1 month
e) 3 months
e) 3 months
Once the visual analytics engine is active, what does the sensor send to the command center?
a) Traffic patterns
b) Flow information
c) Network Logs
d) Alerts
e) Asset details
b) Flow information
True or False: You can disable parts of the visual analytics engine to conserve network bandwidth.
True
What does eyeInspect do if it doesn’t recognize the protocol being used?
a) It ignores the traffic
b) It labels it using ‘TCP’ or ‘UDP’ and the port number
c) It requests a port-to-name mapping
d) It labels it as ‘Unknown’
e) It labels it as ‘NotAKnown One’
e) It labels it as ‘NotAKnown One’
Which of the following are widget datasources? Select four:
a) Authentication Events
b) Assets
c) Flow Information
d) Sensors
e) Logged Events
f) Alerts
b) Assets
c) Flow Information
e) Logged Events
f) Alerts
Which of the following are widget types? Select four:
a) Histogram
b) Pie
c) Scatter
d) Column
e) Sunburst
f) Chord
a) Histogram
b) Pie
e) Sunburst
f) Chord
Which of the following are widget dimensions? Select four:
a) Source MAC
b) L2 Protocol
c) Destination IP
d) Connections
e) Sensor Name
f) Bytes
a) Source MAC
b) L2 Protocol
c) Destination IP
e) Sensor Name
True or False: When you create a new tab using a template, the resulting tab layout cannot be modified.
False
True or False: When you apply a filter to a tab, you can also apply an additional filter to one of the widgets on the tab.
True
True or False: Information learned by active sensors is added to the Assets page.
True
Which of the following asset details are discovered by eyeInspect passive sensors?
a) Firmware version
b) MAC address
c) Model
d) Vendor
e) Purdue Level
f) Role
a) Firmware version
b) MAC address
c) Model
d) Vendor
e) Purdue Level
f) Role
Which of the following are widgets on the assets page? Select four:
a) Vulnerability instances per severity
b) Assets per Purdue level
c) Assets per risk
d) Assets per role
e) Top Protocols
f) Throughput per protocol
a) Vulnerability instances per severity
b) Assets per Purdue level
c) Assets per risk
e) Top Protocols
True or False: You can add custom widgets on the Assets page
False
What is the default grouping of the assets on the Map view?
a) By risk
b) By criticality
c) By role
d) By purdue level
e) By network
c) By role
What is the default layout for assets on the Map view?
a) Purdue levels
b) Communications
c) Risks
d) Roles
e) Networks
a) Purdue levels
What information can you see about an asset when you mouse over it on the map?
a) Its risk
b) Which assets it communicates with
c) Its hostname
d) Its MAC address
e) Its vendor
f) Its criticality
a) Its risk
b) Which assets it communicates with
c) Its hostname
d) Its MAC address
By default, how often are the overall risk levels evaluated?
a) Never
b) Every minute
c) Every 30 seconds
d) Every hour
e) Every 12 hours
d) Every hour
Which alert details can be modified? Select three:
a) Event type
b) Severity
c) Tactic
d) Status
e) Detection Engine
f) Case
b) Severity
d) Status
f) Case
How does eyeInspect cluster assets together?
a) By communication only
b) By role only
c) By network only
d) By role and communications
e) By role and network
d) By role and communications
True or False: An eyeInspect active sensor can be used to obtain details that a passive sensor can’t provide
True
Where can you install an active sensor?
a) On a dedicated appliance
b) On the same appliance as a passive sensor
c) On the same appliance as a command center
d) A and B
e) A, B, C
e) A, B, C
True or False: You can add an active sensor using the command line on the appliance it will run on.
False
What is the default port when adding an active sensor?
a) 180
b) 7575
c) 9001
d) 9999
e) None of the above
c) 9001
What is the State value once you finish adding a new sensor?
a) Connected
b) Sensor is being deployed
c) In process
d) Active
e) Deployment Started
b) Sensor is being deployed
What is the state value once an active sensor has been successfully deployed?
a) Working
b) Normal
c) Active
d) Connected
e) Needs Attention
d) Connected
What do most active scans use to obtain information from hosts?
a) SNMP
b) NMAP
c) ICMP
d) CDP
e) Telnet
b) NMAP
Which of the following are types of active scans? Select four:
a) OS/Ports
b) Active IPs
c) Services
d) Windows
e) OT Ports
f) Open Ports
a) OS/Ports
b) Active IPs
d) Windows
e) OT Ports
True or False: Windows active scans will typically be placed higher in the queue than an OS/Ports scan
True
True or False: The OS/Ports scan uses WMI to identify the operating system installed on Host.
False
True or False: Active scan policies are only used for issuing scans on a schedule.
False
True or False: You can manually start an active scan policy that is configured to run on a schedule
True
True or False: You must purchase an additional license to use eyeInspect alerts.
False
True or False: alerts are generated on a passive sensor and then sent to a command center.
True
True or False: An alert is always an indication of a security issue that needs to be addressed.
False
To open the alert page, select the _____ menu and click alerts.
Events
Which of the following are widgets on the alerts page? Select four:
a) Alerts per L7 protocol
b) Alerts over time
c) Alerts per severity
d) Alerts per category
e) Alerts from today
f) Alerts per sensor
b) Alerts over time
c) Alerts per severity
d) Alerts per category
f) Alerts per sensor
True or False: You cannot add custom widgets on the alerts page.
True
What is the default time range of alerts on the alerts page?
a) The last hour
b) The last 12 hours
c) The last day
d) The last week
e) The last month
c) The last day
What is the default grouping of alerts in the alerts list?
a) By event type
b) By date
c) By severity
d) By sensor
e) By status
a) By event type
How can you filter alerts on the alerts page? Select three:
a) Click on an area of the widget
b) Click the filter button and select the filter criteria
c) Add a new filter list option, and select an option from the list
d) Select one of the columns and click filter
e) Select an option from one of the default filter lists
f) Add a new widget
a) Click on an area of the widget
c) Add a new filter list option, and select an option from the list
e) Select an option from one of the default filter lists
True or False: You can add custom widgets on a new tab on the alerts page
False
Which of the following properties can be used to filter alerts? Select four:
a) Engine type
b) Asset
c) Timestamp
d) Risk
e) Severity
f) Status
a) Engine type
c) Timestamp
e) Severity
f) Status
Which of the following are views on the alerts page?
a) Risk
b) Vulnerabilities
c) Table
d) Cases
e) Map
f) Changelogs
c) Table
d) Cases
Passive sensors use the _________ module to generate network logs.
Event Logging
What is the default view on the network logs page?
a) List view
b) Table view
c) Custom View
d) Aggregated view
e) Detailed view
d) Aggregated view
Which of the following fields can be used for filtering on the network logs page? Select three:
a) Sensor
b) Event name
c) Event date
d) Event severity
e) Event criticality
f) L7 protocol
b) Event name
d) Event severity
f) L7 protocol
True or False: You can filter by more than one Event Name at a time.
True
Which of the following are network log categories? Select four.
a) Potentially dangerous operations
b) File operation
c) Authorization
d) Name resolution
e) Authentication
f) Application
a) Potentially dangerous operations
b) File operation
d) Name resolution
e) Authentication
Instead of modifying columns on the aggregated view template, it’s recommended to use the _____ view template.
Custom
By default, which fields are used for aggregating the network logs? Select three.
a) Event category
b) Source IP
c) Destination IP
d) Sensor
e) Event name
f) L7 Protocol
b) Source IP
c) Destination IP
d) Sensor
True or False: You can create multiple different custom views with different filtering, columns and aggregations.
True
Which datasource is used to view network log analytics?
a) Network events
b) Network logs
c) Logged events
d) Events
e) Logs
c) Logged events
True or False: The eyeInspect built-in-modules must perform a learning period before they begin.
False
True or False: The eyeInspect built-in-modules must be started before they begin detecting malicious activity.
True
Which of the following are eyeInspect built-in-modules? Select all that apply:
a) Man-in-the-middle detection
b) Frequent event aggregation
c) Visual analytics
d) Malformed packet detection
e) Event logging
f) Portscan detection
a) Man-in-the-middle detection
b) Frequent event aggregation
c) Visual analytics
d) Malformed packet detection
e) Event logging
f) Portscan detection
Once enabled, the portscan detection module runs in the ________ state.
Detecting
Once enabled, the Frequent event aggregation module runs in the ________ state.
Active
True or False: Port scanning is always an indication of malicious activity.
False
True or False: Portscan detection is configured by selecting a 'Sensitivity level'
True
Which of the following are portscan detection sensitivity levels? Select four:
a) Normal
b) Strict
c) High
d) Basic
e) Low
f) User Defined
a) Normal
b) Strict
d) Basic
f) User Defined
True or False: You can disable specific Portscan TCP detection options.
True
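The cards above describe the portscan detection module in terms of a sensitivity level and per-protocol options that can be switched off. The following is an added example, not eyeInspect code, that shows what such a detector does over a handful of constructed flow records: it counts the distinct destination ports one source touches on one host inside a sliding time window and raises a single alert per scanning pair once that count exceeds the threshold for the chosen level. The level names are the ones the cards list; the thresholds, the window length, the Flow record layout and every address are assumptions for illustration only.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds per sensitivity level: (distinct ports on one src->dst
# pair that trigger an alert, window in seconds). Not eyeInspect's values.
SENSITIVITY = {
    "Basic": (50, 60.0),
    "Normal": (20, 60.0),
    "Strict": (8, 60.0),
}


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since capture start
    src: str
    dst: str
    proto: str    # "TCP" or "UDP"
    dport: int


def detect_portscans(flows, level="Normal", enabled_protos=("TCP", "UDP"),
                     user_defined=None):
    """Return [(src, dst, proto, peak_distinct_ports)] for each src->dst pair
    whose distinct-port count inside a sliding window exceeds the threshold.
    user_defined=(ports, window) stands in for the 'User Defined' level;
    enabled_protos models disabling the TCP or UDP detection options."""
    max_ports, window = user_defined or SENSITIVITY[level]
    buckets = defaultdict(list)  # (src, dst, proto) -> [(ts, dport), ...]
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto in enabled_protos:
            buckets[(f.src, f.dst, f.proto)].append((f.ts, f.dport))

    alerts = []
    for (src, dst, proto), events in buckets.items():
        peak, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until all events fit in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {port for _, port in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak > max_ports:
            alerts.append((src, dst, proto, peak))
    return alerts


def sample_flows():
    """Constructed traffic: an HMI polling a PLC on Modbus/TCP 502 every 5 s,
    a TCP sweep of 30 ports against that PLC, and a 10-port UDP sweep."""
    flows = []
    for k in range(60):
        flows.append(Flow(0.0 + 5 * k, "10.0.0.5", "10.0.1.10", "TCP", 502))
    for i in range(30):                      # ports 1..30 inside ~9 s
        flows.append(Flow(1.0 + 0.3 * i, "10.0.0.99", "10.0.1.10", "TCP", i + 1))
    for i in range(10):                      # ports 1..10 inside 10 s
        flows.append(Flow(100.0 + i, "10.0.0.99", "10.0.1.11", "UDP", i + 1))
    return flows


if __name__ == "__main__":
    for level in ("Basic", "Normal", "Strict"):
        print(level, detect_portscans(sample_flows(), level))
```

Raising the level from Basic to Strict changes only the threshold, which is why the same 10-port UDP sweep is invisible at Normal and alerted at Strict, and why a legitimate poller that hits one port thousands of times never fires. That is also the caveat from the cards: a scan alert says a host enumerated ports, not that the host is hostile; the next step is to check whether the source is a known scanner, an engineering station or something that does not belong on the cell network.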
Which of the following are man-in-the-middle detection options? Select three.
a) ICMP Spoofing
b) IP Spoofing
c) DHCP Spoofing
d) ARP poisoning
e) ICMP Misdirection
f) SSL Hijacking
a) ICMP Spoofing
c) DHCP Spoofing
d) ARP poisoning
True or False: A man-in-the-middle attack can retrieve credit card details.
True
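ARP poisoning, one of the man-in-the-middle options listed above, works by answering ARP with the attacker's MAC for an IP address that belongs to another host, so a passive sensor can catch it by remembering which MAC each IP has been seen with and alerting when that binding changes. The following is an added example of that check, not eyeInspect code: the ARP records are constructed, and the learning-period handling, the packet field names and all addresses are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float
    opcode: int       # 1 = request, 2 = reply
    sender_ip: str
    sender_mac: str


class ArpPoisonDetector:
    """Tracks IP->MAC bindings seen in ARP replies. During an assumed learning
    period (ts <= learn_until) a changed binding simply updates the table;
    afterwards a change is reported as suspected poisoning and the table keeps
    the learned MAC. The alert also lists every IP the claiming MAC has
    hijacked so far, since one MAC answering for both ends of a conversation
    is the classic two-sided ARP poisoning pattern."""

    def __init__(self, learn_until):
        self.learn_until = learn_until
        self.ip_to_mac = {}          # learned baseline
        self.rogue_claims = {}       # mac -> set of IPs it has falsely claimed
        self.alerts = []

    def observe(self, pkt):
        if pkt.opcode != 2:          # only replies carry a claim to an IP
            return None
        known = self.ip_to_mac.get(pkt.sender_ip)
        if known is None or pkt.ts <= self.learn_until:
            self.ip_to_mac[pkt.sender_ip] = pkt.sender_mac
            return None
        if known == pkt.sender_mac:
            return None
        ips = self.rogue_claims.setdefault(pkt.sender_mac, set())
        ips.add(pkt.sender_ip)
        alert = {
            "ts": pkt.ts,
            "ip": pkt.sender_ip,
            "expected_mac": known,
            "claimed_mac": pkt.sender_mac,
            "ips_claimed_by_mac": sorted(ips),
        }
        self.alerts.append(alert)
        return alert


def run(packets, learn_until=60.0):
    det = ArpPoisonDetector(learn_until)
    for p in sorted(packets, key=lambda p: p.ts):
        det.observe(p)
    return det.alerts


def sample_packets():
    """Constructed ARP traffic on a cell network: gateway, PLC and HMI answer
    normally during learning; from t=120 s a host with a different MAC starts
    answering for both the gateway and the PLC."""
    gw, plc, hmi = "10.0.1.1", "10.0.1.10", "10.0.1.20"
    pkts = [
        ArpPacket(1.0, 1, hmi, "00:11:22:00:00:20"),      # HMI: who-has PLC?
        ArpPacket(1.1, 2, plc, "00:11:22:00:00:10"),
        ArpPacket(2.0, 2, gw, "00:11:22:00:00:01"),
        ArpPacket(30.0, 2, hmi, "00:11:22:00:00:20"),
        ArpPacket(90.0, 2, plc, "00:11:22:00:00:10"),     # legitimate, after learning
    ]
    for t in (120.0, 122.0, 124.0):                       # attacker re-sends spoofed replies
        pkts.append(ArpPacket(t, 2, gw, "de:ad:be:ef:00:01"))
        pkts.append(ArpPacket(t + 0.5, 2, plc, "de:ad:be:ef:00:01"))
    return pkts


if __name__ == "__main__":
    for a in run(sample_packets()):
        print(a)
```

Two practitioner notes follow from the code. First, a legitimately replaced NIC or a failover to a standby controller also changes an IP's MAC, so the same alert fires until the baseline is updated; that is the false positive an operator has to recognise rather than suppress blindly. Second, one poisoning attempt that re-sends replies every two seconds yields six alerts here, which is exactly the flood the frequent event aggregation module is meant to collapse into one.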
True or False: All malformed packet detection alerts should be investigated to determine root cause.
True
True or False: Using the frequent event aggregation module causes a high loss of alert information.
False
Which page can you use to view the events that have been aggregated.
a) Network Logs
b) Asset Inventory
c) Sensor Overview
d) Home
e) Alerts
e) Alerts
eyeInspect includes LAN _________ profiles, also known as LAN CP profiles.
Communication patterns
True or False: LAN CP Profiles use definitions to identify malicious network traffic.
False
True or False: LAN CP profiles are used to issue alerts when traffic deviates from an established baseline.
True
Which of the following are optional modes for a LAN CP Profile? Select two.
a) Blocking
b) Alerting
c) Building
d) Learning
e) Monitoring
f) Detecting
d) Learning
f) Detecting
True or False: While in Learning mode, a LAN CP profile creates allow communication rules for all the traffic it monitors.
True
How long should a LAN CP Profile remain in Learning mode?
a) 1 day
b) 1 week
c) 1 month
d) You can bypass learning mode for a faster deployment
e) It depends on the network environment
e) It depends on the network environment
True or False: Once a LAN CP profile moves to Detecting mode, it blocks traffic that deviates from the established baseline.
False
True or False: Once you install an eyeInspect command center, it comes with two LAN CP profiles by default.
False
If you select the default options when you create a new passive sensor, which LAN CP profiles are created?
a) UDP communications
b) L7 communications
c) LLS communications
d) HTTP communications
e) TCP communications
f) L4 communications
a) UDP communications
e) TCP communications
What is the default maximum number of rules that can be created for a LAN CP profile?
a) 100
b) 500
c) 1000
d) 10000
e) There is no maximum by default
c) 1000
True or False: It’s recommended to increase the maximum number of learned rules to accommodate your network environment.
False
True or False: The action for a LAN CP profile communication rule can be modified to alert.
True
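The LAN CP cards above describe a baseline model: in Learning mode every observed flow becomes an allow rule, up to a maximum rule count; in Detecting mode traffic that deviates from the baseline produces an alert, never a block; and an individual rule's action can be flipped to alert. The following is an added example of that model, not eyeInspect code. The profile class, the rule key, the alert fields and the constructed flows are all assumptions; only the behaviour (learn, cap, detect, alert-only) follows the cards.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "TCP" or "UDP"
    dport: int


class LanCpProfile:
    """Allow-list of (src, dst, dport) rules for one L4 protocol. Learning
    mode adds an allow rule for every new flow until max_rules is reached.
    Detecting mode alerts on flows with no rule, or whose rule action has
    been changed to 'alert'. Nothing is ever blocked: passive, alert-only."""

    def __init__(self, name, proto, max_rules=1000):
        self.name = name
        self.proto = proto
        self.max_rules = max_rules
        self.mode = "Learning"
        self.rules = {}              # (src, dst, dport) -> "allow" | "alert"
        self.rule_limit_hit = False

    def start_detecting(self):
        self.mode = "Detecting"

    def set_rule_action(self, key, action):
        if key not in self.rules:
            raise KeyError(key)
        if action not in ("allow", "alert"):
            raise ValueError(action)
        self.rules[key] = action

    def observe(self, flow):
        """Return an alert dict, or None when the flow fits the baseline."""
        if flow.proto != self.proto:
            return None
        key = (flow.src, flow.dst, flow.dport)
        if self.mode == "Learning":
            if key not in self.rules:
                if len(self.rules) >= self.max_rules:
                    # Hitting the cap means the profile's scope is too broad;
                    # the fix is narrower monitoring, not a bigger cap.
                    self.rule_limit_hit = True
                else:
                    self.rules[key] = "allow"
            return None
        if self.rules.get(key, "alert") == "allow":
            return None
        return {
            "profile": self.name, "src": flow.src, "dst": flow.dst,
            "proto": flow.proto, "dport": flow.dport,
            "reason": "rule action is alert" if key in self.rules else "no matching rule",
        }


def run_scenario():
    """Constructed scenario: learn HMI/SCADA -> PLC traffic, switch to
    Detecting, then watch an engineering laptop reach the PLC and an
    operator-flagged flow recur."""
    tcp = LanCpProfile("TCP communications", "TCP")
    udp = LanCpProfile("UDP communications", "UDP")
    baseline = [
        Flow("10.0.0.5", "10.0.1.10", "TCP", 502),    # HMI -> PLC, Modbus/TCP
        Flow("10.0.0.6", "10.0.1.10", "TCP", 502),    # SCADA server -> PLC
        Flow("10.0.0.5", "10.0.0.7", "TCP", 1433),    # HMI -> historian
        Flow("10.0.0.5", "10.0.0.1", "UDP", 53),      # HMI -> DNS
    ]
    for f in baseline * 10:                            # repeats add no new rules
        tcp.observe(f)
        udp.observe(f)
    tcp.start_detecting()
    udp.start_detecting()
    tcp.set_rule_action(("10.0.0.5", "10.0.0.7", 1433), "alert")  # operator wants to hear about it
    live = [
        Flow("10.0.0.5", "10.0.1.10", "TCP", 502),     # normal poll
        Flow("10.0.0.42", "10.0.1.10", "TCP", 502),    # new source: laptop -> PLC
        Flow("10.0.0.5", "10.0.0.7", "TCP", 1433),     # flagged rule
        Flow("10.0.0.42", "10.0.1.10", "UDP", 161),    # SNMP from the laptop
    ]
    alerts = [a for f in live for a in (tcp.observe(f), udp.observe(f)) if a]
    return tcp, udp, alerts


if __name__ == "__main__":
    _, _, alerts = run_scenario()
    for a in alerts:
        print(a)
```

The length of the learning window matters more than any parameter in this code: a baseline learned over a single shift will alert on the weekly backup, the monthly engineering session and the quarterly firmware push, which is why the cards answer "it depends on the network environment" rather than a fixed number of days.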
Which of the following does ITL stand for?
a) Internet Threat Language
b) Industrial Technology Library
c) Industrial Threat Library
d) Internet Technology Library
e) Internet Threat Library
c) Industrial Threat Library
Which of the following describes the ITL? Select four:
a) It includes intelligence about the causes of problems
b) You can create your own ITL checks
c) ForeScout regularly adds new checks
d) It requires a learning period
e) It contains pre-configured checks
f) It has checks in 3 categories
a) It includes intelligence about the causes of problems
c) ForeScout regularly adds new checks
e) It contains pre-configured checks
f) It has checks in 3 categories
What are the industrial threat library categories? Select three:
a) system
b) Operations
c) Security
d) Internet
e) Networking
f) Performance
b) Operations
c) Security
e) Networking
Which of the following are networking sub-categories? Select two:
a) Malfunctioning or misbehaving device
b) Use of insecure protocol
c) Connectivity issues
d) Network Reconnaissance
e) Misconfigured Client/Server
f) Loss of expected communication
c) Connectivity issues
e) Misconfigured Client/Server
Which of the following are Operations sub-categories? Select two:
a) Misconfigured Client/Server
b) Connectivity issues
c) Malfunctioning or misbehaving device
d) Use of insecure protocol
e) Network Reconnaissance
f) Loss of expected communication
c) Malfunctioning or misbehaving device
f) Loss of expected communication
Which of the following are Security sub-categories? Select two:
a) Loss of expected communication
b) Connectivity issues
c) Misconfigured client/server
d) Malfunctioning or misbehaving device
e) Network reconnaissance
f) Use of insecure protocol
e) Network reconnaissance
f) Use of insecure protocol
True or False: You can globally disable any of the ITL checks.
False
True or False: When you select to create an exception, all ITL checks are initially enabled by default.
False
Which of the following does CVE stand for?
a) Computer virus emulation
b) Computer virus encoding
c) Content vulnerability encoding
d) Common vulnerabilities and exposures
e) Content vulnerabilities and encryption
d) Common vulnerabilities and exposures
IOC stand for Indicators of _________
Compromise
How often does forescout update the CVE IoC database?
a) Once a week
b) Every other week
c) Once a month
d) Every six months
e) Once a year
c) Once a month
Which of the following can be forwarded from eyeInspect? Select four:
a) Health status
b) User activity
c) Network logs
d) Network Analytics
e) Alerts
f) Assets
a) Health status
b) User activity
c) Network logs
e) Alerts
True or False: Using email is only available with alert forwarding
True
What information is needed when creating an email alert forwarding server? Select four:
a) To addresses
b) Message
c) Server address
d) From address
e) Connection security
f) Transport protocol
a) To addresses
c) Server address
d) From address
e) Connection security
What information can be supplied when creating a syslog alert forwarding server? Select four:
a) Compression
b) Connectivity
c) Forwarding conditions
d) Basic information
e) Security
f) Message
b) Connectivity
c) Forwarding conditions
d) Basic information
f) Message
True or False: By default, all alerts are sent to an alert forwarding server
True
True or False: Health status forwarding is enabled by default.
False
Which of the following is an inaccurate statement about eyeInspect data storage?
a) Sensors do not retain collected data long term
b) Sensors collect data and forward the data to the command center
c) Sensors never retain collected data
d) The command center retains data long term
e) The amount of time data is retained on the command center can be customized.
c) Sensors never retain collected data
Which of the following are default roles with a new eyeInspect command center installation? Select four:
a) Limited
b) Viewer
c) Operator
d) Admin
e) Analyst
f) Blank
b) Viewer
d) Admin
e) Analyst
f) Blank
True or False: You can only assign a single permission to each role.
False
Which of the following cannot be given permissions with a user role?
a) Alerts
b) Sensors
c) Events
d) Monitored networks
e) Alert Cases
c) Events
Which eyeInspect features can be viewed in the eyeSight console with an eyeSight license? Select two:
a) Device visibility
b) Threat hunting
c) Asset map
d) Network monitoring and intelligence
e) Risk assessment
f) Vulnerability management
a) Device visibility
f) Vulnerability management
Which eyeInspect menus are available when using an eyeSight license? Select two:
a) Home
b) Assets
c) Events
d) Analytics
e) Sensors
f) Settings
e) Sensors
f) Settings
OTSM stands for __________
Operational Technology Security Module
The eyeSight device that communicates with the command center is known as what?
a) The focal appliance
b) The data appliance
c) The access appliance
d) The communication appliance
e) The OTSM appliance
a) The focal appliance
True or False: The only use of OTSM plug-in is to enable the communication between eyeSight and the command center.
False
True or False: It’s not recommended to use an EyeSight device for both an integrated sensor and the focal appliance.
True
What information must be provided when configuring the OTSM plug-in? Select four:
a) The IP address or hostname of the command center
b) The eyeSight device SSH access credentials
c) The command center SSH access credentials
d) The command center webUI credentials
e) The layer 4 protocols to use for communication
f) The eyeSight device to use as the focal appliance
a) The IP address or hostname of the command center
c) The command center SSH access credentials
d) The command center webUI credentials
f) The eyeSight device to use as the focal appliance
In which host category would you find the OT Purdue level?
a) Classification details
b) Security
c) General
d) More
e) Classification
c) General
In which host category would you find the OT vulnerabilities?
a) Security
b) Classification
c) Classification details
d) General
e) More
a) Security