Module 18 - IoT and OT Hacking (EC Mode) Flashcards

1
Q

Which of the following technologies is a short-range communication protocol based on the IEEE 802.15.4 standard and is used in devices that transfer data infrequently at a low rate in a restricted area, within a range of 10–100 m?

A. Wi-Fi Direct
B. BLE
C. Thread
D. Zigbee

A

Answer: D. Zigbee

2
Q

Which of the following operating systems is used in low-power wireless devices such as street lighting and sound monitoring systems?

A. CoAP
B. Edge
C. Contiki
D. LWM2M

A

Answer: C. Contiki

3
Q

Which of the following layers in the IoT architecture is responsible for important functions such as data management and device management as well as various issues such as data analysis, data aggregation, data filtering, device information discovery, and access control?

A. Middleware layer
B. Edge technology layer
C. Internet layer
D. Access gateway layer

A

Answer: A. Middleware layer.

4
Q

Which of the following protocols is a type of LAN that consists of a wired connection between computers in a small building, office, or campus?

A. LTE-Advanced
B. Li-Fi
C. MQTT
D. Ethernet

A

Answer: D. Ethernet.

5
Q

Which of the following IoT technology components bridges the gap between the IoT device and the end user?

A. IoT gateway
B. Remote control using mobile app
C. Sensing technology
D. Cloud server/data storage

A

Answer: A. IoT gateway

6
Q

Which of the following IoT technology components collects data from the gateway, which then undergoes data analysis?

A. Cloud server/data storage
B. Remote control using mobile app
C. Sensing technology
D. IoT gateway

A

Answer: A. Cloud server/data storage.

7
Q

Which of the following IoT devices is included in the buildings service sector?

A. HVAC, transport, fire and safety, lighting, security, access, etc.
B. Turbines, windmills, UPS, batteries, generators, meters, drills, fuel cells, etc.
C. MRI, PDAs, implants, surgical equipment, pumps, monitors, telemedicine, etc.
D. Digital cameras, power systems, MID, e-readers, dishwashers, desktop computers, etc.

A

Answer: A. HVAC, transport, fire and safety, lighting, security, access, etc.

8
Q

Which of the following long-range wireless communication protocols is used for data transfer through small dish antennas for both broadband and narrowband data?

A. VSAT
B. PLC
C. QUIC
D. NFC

A

Answer: A. VSAT.

9
Q

Which of the following protocols is used to enable fast and seamless interaction with nearby IoT devices and reveals the list of URLs being broadcasted by nearby devices with BLE beacons?

A. XMPP
B. Physical Web
C. CoAP
D. LWM2M

A

Answer: B. Physical Web.

10
Q

Which of the following IoT architecture layers consists of all the hardware parts like sensors, RFID tags, readers or other soft sensors, and the device itself?

A. Access gateway layer
B. Application layer
C. Internet layer
D. Edge technology layer
E. Middleware layer

A

Answer: D. Edge technology layer.

11
Q

Which of the following IoT architecture layers carries out communication between two end points such as device-to-device, device-to-cloud, device-to-gateway, and back-end data-sharing?

A. Edge technology layer
B. Access gateway layer
C. Middleware layer
D. Internet layer
E. Application layer

A

Answer: D. Internet layer

12
Q

In which of the following IoT communication models does a device upload its data to the cloud to be later accessed or analyzed by third parties?

A. Device-to-gateway communication model
B. Device-to-device communication model
C. Back-end data-sharing communication model
D. Device-to-cloud communication model

A

Answer: C. Back-end data-sharing communication model

13
Q

What is the name of the communication model where IoT devices communicate with the cloud service through gateways?

A. Back-end data-sharing communication model
B. Device-to-device communication model
C. Device-to-cloud communication model
D. Device-to-gateway communication model

A

Answer: D. Device-to-gateway communication model.

14
Q

Which of the following layers in the IoT architecture has security issues such as validation of the inputted string, AuthN, AuthZ, no automatic security updates, and default passwords?

A. Mobile
B. Application
C. Cloud
D. Network

A

Answer: B. Application.

15
Q

Which of the following IoT attack surface areas has username enumeration, weak passwords, account lockout, known default credentials, and an insecure password recovery mechanism as its major vulnerabilities?

A. Device physical interfaces
B. Device web interface
C. Network traffic
D. Device firmware

A

Answer: B. Device web interface.

16
Q

One of the following tools is used by attackers to obtain the rolling code sent by a victim to unlock a vehicle, which is later used for unlocking and stealing the vehicle. Which is this tool?

A. RFCrack
B. SearchDiggity
C. MultiPing
D. CyberX

A

Answer: A. RFCrack.

17
Q

What is the name of the IoT security vulnerability that gives rise to issues such as weak credentials, lack of account lockout mechanism, and account enumeration?

A. Insecure web interface
B. Privacy concerns
C. Insecure network services
D. Insufficient authentication/authorization

A

Answer: A. Insecure web interface

18
Q

In which of the following attacks does an attacker use a malicious script to exploit poorly patched vulnerabilities in an IoT device?

A. Side channel attack
B. Exploit kits
C. Replay attack
D. Sybil attack

A

Answer: B. Exploit kits.

19
Q

What is the name of an attack where an attacker uses an army of botnets to target a single online service or system?

A. Side channel attack
B. DDoS attack
C. Sybil attack
D. Replay attack

A

Answer: B. DDoS attack.

20
Q

What is the name of an attack where an attacker interrupts communication between two devices by using the same frequency signals on which the devices are communicating?

A. Man-in-the-middle attack
B. Side channel attack
C. Replay attack
D. Jamming attack

A

Answer: D. Jamming attack.

21
Q

Given below are the various steps involved in the Enemybot malware attack. Identify the correct sequence of steps involved in the Enemybot malware attack.

1. Gaining access
2. Disabling other malware on the target
3. Launching attack
4. Persistence
5. Creating exploits

A. 1 -> 2 -> 3 -> 4 -> 5
B. 5 -> 3 -> 4 -> 1 -> 2
C. 5 -> 2 -> 1 -> 3 -> 4
D. 3 -> 4 -> 5 -> 1 -> 2

A

Answer: C. 5 -> 2 -> 1 -> 3 -> 4

22
Q

Identify the Enemybot malware attack stage in which it borrows modules such as scanner and bot killer from Mirai’s source code.

A. Creating exploits
B. Gaining access
C. Persistence
D. Launching attack

A

Answer: A. Creating exploits

23
Q

Identify the Enemybot malware attack stage in which the malware targets multiple architectures to spread its infection.

A. Persistence
B. Launching attack
C. Creating exploits
D. Disabling other malware on the target

A

Answer: D. Disabling other malware on the target

24
Q

Which of the following IoT threats is prone to various attacks such as buffer overflow that result in denial of service, leaving the device inaccessible to the user?

A. Insecure data transfer and storage
B. Insecure ecosystem interfaces
C. Insecure default settings
D. Insecure network services

A

Answer: D. Insecure network services.

25
Q

In which of the following IoT attacks does an attacker extract information about encryption keys by observing the emission of signals?

A. Exploit kits
B. Side-channel attack
C. Sybil attack
D. DNS rebinding attack

A

Answer: B. Side-channel attack.

26
Q

What is the name of the code that is used in locking or unlocking a car or a garage and prevents replay attacks?

A. Polymorphic code
B. Rolling code
C. Unicode
D. Hex code

A

Answer: B. Rolling code.

27
Q

Identify the Mirai-based malware that has been proliferating by exploiting weaknesses in IoT to hijack the computational resources of IoT devices and has been using them for DDoS and crypto-mining attacks.

A. EquationDrug
B. BitCrypter
C. Enemybot
D. IExpress Wizard

A

Answer: C. Enemybot.

28
Q

In which of the following attack stages does Enemybot malware obfuscate its strings using several techniques such as XOR encoding?

A. Gaining access
B. Persistence
C. Launching attack
D. Disabling other malware on the target

A

Answer: B. Persistence

29
Q

In which of the following attacks does an attacker use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks?

A. Rolling code attack
B. Replay attack
C. Sybil attack
D. DoS attack

A

Answer: C. Sybil attack.

A. Rolling code attack: This is a type of attack that targets systems that use rolling codes for security purposes. Rolling codes are commonly used in devices such as garage door openers and car key fobs to prevent unauthorized access. In a rolling code attack, an attacker intercepts a valid rolling code and then replays it later to gain access to the system.

B. Replay attack: This is a type of attack in which an attacker intercepts valid data transmissions and then replays them later to gain unauthorized access. This type of attack is commonly used against authentication systems that rely on messages exchanged between a client and a server. By intercepting and replaying these messages, the attacker can impersonate the client and gain access to the system.

C. Sybil attack: This is a type of attack in which an attacker creates multiple identities or personas to manipulate a network or system. The goal of a Sybil attack is to overwhelm a network or system with fake identities in order to gain control or influence over it. This type of attack is commonly used in peer-to-peer networks and online communities.

D. DoS attack: A Denial-of-Service (DoS) attack is a type of attack in which an attacker attempts to disrupt the normal functioning of a network, system or website by overwhelming it with traffic or requests. The goal of a DoS attack is to make the system unavailable to legitimate users. This type of attack can be carried out using a variety of methods, including flooding the target with traffic, exploiting vulnerabilities in the system, or using botnets to coordinate the attack.

30
Q

Which of the following tools uses sniffers to capture 6LoWPAN traffic and RPL-related information and identify abnormal behaviors in IoT traffic?

A. Nmap
B. RIoT Vulnerability Scanner
C. Foren6
D. Censys

A

Answer: C. Foren6

31
Q

Given below are the steps used by the attackers to perform firmware analysis and reverse engineering.

1. Extract the file system
2. Emulate firmware for dynamic testing
3. Obtain firmware
4. Analyze the file-system content
5. Mount the file system
6. Analyze firmware

What is the correct sequence of steps used by attackers to perform firmware analysis and reverse engineering?

A. 3 -> 6 -> 1 -> 5 -> 4 -> 2
B. 2 -> 1 -> 5 -> 3 -> 4 -> 6
C. 5 -> 6 -> 3 -> 1 -> 4 -> 2
D. 3 -> 1 -> 6 -> 5 -> 2 -> 4

A

Answer: A. 3 -> 6 -> 1 -> 5 -> 4 -> 2

32
Q

Which of the following Nmap commands is used by an attacker to identify the IPv6 capabilities of a target IoT device?

A. nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX
B. nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX
C. nmap -p 80,81,8080,8081
D. nmap -n -Pn -sS -pT:0-65535 -v -A -oX

A

Answer: B. nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX

33
Q

In which of the following phases of IoT hacking is information such as IP address, protocols used, open ports, device type, and geo-location of a device extracted by an attacker?

A. Vulnerability Scanning
B. Gain Access
C. Launch Attacks
D. Information Gathering

A

Answer: D. Information Gathering

34
Q

Once an attacker gathers information about a target device in the first phase, what is the second phase in IoT device hacking?

A. Gain Access
B. Vulnerability Scanning
C. Maintain Access
D. Information Gathering

A

Answer: B. Vulnerability Scanning

35
Q

If an attacker wants to gather information such as IP address, hostname, ISP, device’s location, and the banner of the target IoT device, which of the following tools should he use to do so?

A. RIoT Vulnerability Scanner
B. Shodan
C. Nmap
D. Foren6

A

Answer: B. Shodan

36
Q

Which of the following tools can an attacker use to gather information such as open ports and services of IoT devices connected to the network?

A. Nmap
B. Foren6
C. RFCrack
D. Multiping

A

Answer: A. Nmap

37
Q

Which of the following tools is used to perform a rolling code attack by obtaining the rolling code sent by the victim?

A. RFcrack
B. RIoT Vulnerability Scanning
C. Zigbee Framework
D. HackRF One

A

Answer: A. RFcrack

38
Q

Using which one of the following tools can an attacker perform BlueBorne or airborne attacks such as replay, fuzzing, and jamming?

A. RIoT Vulnerability Scanning
B. HackRF One
C. Foren6
D. Zigbee Framework

A

Answer: B. HackRF One

39
Q

If an attacker wants to reconstruct malicious firmware from legitimate firmware in order to maintain access to the victim device, which of the following tools can he use to do so?

A. Firmware Mod Kit
B. RFcrack
C. Zigbee Framework
D. RIoT Vulnerability Scanner

A

Answer: A. Firmware Mod Kit

40
Q

Which of the following online tools allows attackers to collect real-time IoT data across dozens of verticals, including weather, environment, smart cities, energy, and transport?

A. MetaGer
B. Startpage
C. Thingful
D. eTools.ch

A

Answer: C. Thingful

41
Q

If an attacker wants to gather information such as IP address, hostname, ISP, device’s location, and the banner of the target IoT device, which of the following types of tools can he use to do so?

A. Vulnerability Scanning Tools
B. Sniffing Tools
C. IoT Hacking Tools
D. Information Gathering Tools

A

Answer: D. Information Gathering Tools

42
Q

Which of the following tools allows attackers to identify IoT communication systems and interfaces?

A. BUS Auditor
B. Vindicate
C. beSTORM
D. Ophcrack

A

Answer: A. BUS Auditor

43
Q

Which of the following commands returns bootlogs communicated during IoT device bootup that help an attacker in obtaining the actual memory chip loaded with the booting firmware?

A. cmd.exe /c “%CommonProgramFiles:~3,1%owerShell.exe” -windowstyle hidden -command wscript myscript.vbc
B. access-list access-list-number {deny | permit} tcp any destination destination-wildcard
C. minicom -D /dev/ttyUSB0 -w -C D-link_startup.txt
D. msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -f c -a x86 -b “\x00”

A

Answer: C. minicom -D /dev/ttyUSB0 -w -C D-link_startup.txt

44
Q

Which of the following commands is executed by an attacker on the UART console to gain root access to an IoT device?

A. nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}
B. gobuster -u -w common.txt
C. btlejack -f 0xac56bc12 -x nordic -o capture.nordic.pcap
D. reaver -i wlan0mon -b B4:75:0E:89:00:60 -vv

A

Answer: A. nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}

45
Q

Out of the following RFCrack commands, which command is used by an attacker to perform jamming?

A. python RFCrack.py -j -F 314000000
B. python RFCrack.py -r -U “-75” -L “-5” -M MOD_2FSK -F 314350000
C. python RFCrack.py -i
D. python RFCrack.py -r -M MOD_2FSK -F 314350000

A

Answer: A. python RFCrack.py -j -F 314000000

46
Q

Which of the following tools is a smart fuzzer that detects buffer-overflow vulnerabilities by automating and documenting the process of delivering corrupted inputs and watching for an unexpected response from the application?

A. Censys
B. RTL-SDR
C. beSTORM
D. Universal Radio Hacker

A

Answer: C. beSTORM

47
Q

Out of the following tools, which tool can be used to find buffer overflow vulnerabilities present in the system?

A. Z-Wave Sniffer
B. Censys
C. beSTORM
D. Firmalyzer Enterprise

A

Answer: C. beSTORM

48
Q

Identify the technique that involves gaining privileged root access while booting a device and can be performed by making a ground connection to the serial I/O pin of a flash memory chip.

A. NAND Glitching
B. Zones and Conduits
C. Anti-Disassembly
D. Pharming

A

Answer: A. NAND Glitching

49
Q

Given below are the different phases involved in IoT hacking. What is the correct sequence of steps involved in IoT hacking?

1. Vulnerability scanning
2. Information gathering
3. Maintaining access
4. Launching attacks
5. Gaining remote access

A. 2 -> 1 -> 5 -> 3 -> 4
B. 1 -> 2 -> 3 -> 4 -> 5
C. 2 -> 1 -> 4 -> 5 -> 3
D. 5 -> 2 -> 3 -> 1 -> 4

A

Answer: C. 2 -> 1 -> 4 -> 5 -> 3

50
Q

Which of the following tools helps attackers find the details and certification granted to IoT devices?

A. IoTSeeker
B. FCC ID Search
C. RFCrack
D. MultiPing

A

Answer: B. FCC ID Search

51
Q

Which of the following commands is executed by an attacker on the UART console to gain root access to an IoT device?

A. nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}
B. btlejack -f 0xac56bc12 -x nordic -o capture.nordic.pcap
C. gobuster -u -w common.txt
D. reaver -i wlan0mon -b B4:75:0E:89:00:60 -vv

A

Answer: A. nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}

52
Q

Which of the following components of an IoT framework must incorporate strong encryption techniques for secure communications between endpoints and the authentication mechanism for the edge components?

A. Mobile
B. Gateway
C. Edge
D. Cloud platform

A

Answer: B. Gateway

53
Q

According to OWASP, the best solution for one of the following vulnerabilities is setting up a unique password for BIOS/firmware, configuring device boot, and minimizing external ports. Which is this vulnerability?

A. Insecure default settings
B. Lack of a secure update mechanism
C. Lack of device management
D. Lack of physical hardening

A

Answer: D. Lack of physical hardening

54
Q

In order to prevent an illegitimate user from performing a brute force attack, which security mechanism should be implemented for the accounts?

A. Use of strong passwords
B. Use of SSL/TLS
C. Secure boot chain mechanism
D. Account lockout mechanism

A

Answer: D. Account lockout mechanism

55
Q

Encrypted communications, strong authentication credentials, secure web interface, encrypted storage, and automatic updates are the security considerations for which of the following components?

A. Edge
B. Mobile
C. Gateway
D. Cloud platform

A

Answer: D. Cloud platform

56
Q

Which of the following practices makes an organization’s IoT devices susceptible to various attacks?

A. Patch vulnerabilities and update the device firmware regularly.
B. Retain the default settings of the router.
C. Allow only trusted IP addresses to access the device from the Internet.
D. Protect the devices against physical tampering.

A

Answer: B. Retain the default settings of the router.

57
Q

Which of the following practices helps security professionals in defending against IoT hacking?

A. Enable the “guest” and “demo” user accounts if disabled
B. Never deploy security as a unified, integrated system
C. Monitor traffic on port 48101
D. Enable the UPnP port on routers

A

Answer: C. Monitor traffic on port 48101

Monitor traffic on port 48101, as infected devices attempt to spread the malicious file using port 48101.

58
Q

Which of the following is a security consideration for the gateway component of IoT architecture?

A. Local storage security, encrypted communications channels
B. Multi-directional encrypted communications, strong authentication of all the components, automatic updates
C. Storage encryption, update components, no default passwords
D. Secure web interface, encrypted storage

A

Answer: B. Multi-directional encrypted communications, strong authentication of all the components, automatic updates

Explanation:
Mobile: An ideal framework for the mobile interface should include a proper authentication mechanism for the user, an account lockout mechanism after a certain number of failed attempts, local storage security, encrypted communication channels, and the security of the data transmitted over the channel.
Gateway: An ideal framework for the gateway should incorporate strong encryption techniques for secure communications between endpoints. Also, the authentication mechanism for the edge components should be as strong as that of any other component in the framework. Wherever possible, the gateway should be designed so that it authenticates multi-directionally to carry out trusted communication between the edge and the cloud. Automatic updates should also be provided to the device for countering vulnerabilities.
Cloud Platform: A secure framework for the cloud component should include encrypted communications, strong authentication credentials, a secure web interface, encrypted storage, automatic updates, and so on.
Edge: Framework considerations for the edge would be proper communications and storage encryption, no default credentials, strong passwords, use of the latest up-to-date components, and so on.

59
Q

Which of the following tools can be used to protect private data and home networks while preventing unauthorized access using PKI-based security solutions for IoT devices?

A. SeaCat.io
B. Censys
C. DigiCert IoT Device Manager
D. Firmalyzer Enterprise

A

Answer: C. DigiCert IoT Device Manager

60
Q

Proper communication and storage encryption, no default credentials, strong passwords, and up-to-date components are the security considerations for which of the following components?

A. Mobile
B. Gateway
C. Cloud platform
D. Edge

A

Answer: D. Edge

Explanation:
Mobile: An ideal framework for the mobile interface should include a proper authentication mechanism for the user, an account lockout mechanism after a certain number of failed attempts, local storage security, encrypted communication channels, and the security of the data transmitted over the channel.
Cloud Platform: A secure framework for the cloud component should include encrypted communications, strong authentication credentials, a secure web interface, encrypted storage, automatic updates, and so on.
Edge: Framework considerations for the edge would be proper communications and storage encryption, no default credentials, strong passwords, use of the latest up-to-date components, and so on.
Gateway: An ideal framework for the gateway should incorporate strong encryption techniques for secure communications between endpoints. Also, the authentication mechanism for the edge components should be as strong as that of any other component in the framework. Wherever possible, the gateway should be designed so that it authenticates multi-directionally to carry out trusted communication between the edge and the cloud. Automatic updates should also be provided to the device for countering vulnerabilities.

61
Q

In which of the following levels of the Purdue model can the analysis and alteration of the physical process be performed?

A. Level 3
B. Level 0
C. Level 1
D. Level 2

A

Answer: C. Level 1

Explanation:
Level 0 (Physical Process): In this level, the actual physical process is defined, and the product is manufactured.
Level 2 (Control Systems/Area Supervisory Controls): Supervising, monitoring, and controlling the physical process is carried out at this level.
Level 1 (Basic Controls/Intelligent Devices): Analysis and alteration of the physical process can be done at this level. The operations in basic control include “start motors,” “open valves,” “move actuators,” etc.
Level 3 (Operational Systems/Site Operations): In this level, the production management, individual plant monitoring, and control functions are defined.

62
Q

Which of the following components of an industrial control system is an automated control system designed to safeguard the manufacturing environment in case of any hazardous incident in the industry?

A. SCADA
B. DCS
C. SIS
D. PLC

A

Answer: C. SIS (Safety Instrumented System)

Explanation:
Safety Instrumented Systems (SIS): A safety instrumented system (SIS) is an automated control system designed to safeguard the manufacturing environment in case of any hazardous incident in the industry.
Distributed Control System (DCS): A DCS is used to control production systems spread within the same geographical location.
Programmable Logic Controller (PLC): A PLC is a real-time digital computer used for industrial automation. PLCs are considered more than just digital computers in various industrial control systems due to their extraordinary features such as robust construction, ease of programming, sequential control, ease of hardware use, timers and counters, and reliable controlling capabilities.
Supervisory Control and Data Acquisition (SCADA): SCADA is a centralized supervisory control system that is used for controlling and monitoring industrial facilities and infrastructure.

63
Q

Which of the following components of an industrial control system contains a centralized supervisory control unit used to control multiple local controllers, thousands of input/output (I/O) points, and various other field devices that are part of the overall production process?

A. DCS (Distributed Control System)
B. BPCS (Basic Process Control System)
C. SCADA (Supervisory Control and Data Acquisition)
D. SIS (Safety Instrumented System)

A

Answer: A. DCS (Distributed Control System)

Explanation:
Basic Process Control System (BPCS): BPCS systems are dynamic in nature and are highly adaptable to changing process conditions. They are applicable to all sorts of control loops, including the temperature, batch, pressure, flow, feedback, and feedforward control loops used in industries such as the chemical, oil and gas, and food and beverages industries.
Supervisory Control and Data Acquisition (SCADA): SCADA systems provide centralized controlling and monitoring of multiple process inputs and outputs by integrating the data acquisition system with the data transmission system and HMI software.
Distributed Control System (DCS): It contains a centralized supervisory control unit used to control multiple local controllers, thousands of input/output (I/O) points, and various other field devices that are part of the overall production process.
Safety Instrumented Systems (SIS): Consists of logic solvers that are helpful in deciding the necessary action to be taken based on the gathered information. They provide actions for both failsafe and fault-tolerant situations. They act as controllers that capture signals from the sensors and execute pre-programmed actions to avoid risk by providing output to the final control elements.

64
Q

Which of the following protocols provides a flexible framework for addressing and mitigating current and future security vulnerabilities in industrial automation and control systems?

A. ISA/IEC 62443
B. HSCP
C. ICCP (IEC 60870-6)
D. IEC 61850

A

Answer: A. ISA/IEC 62443

Explanation:
ISA/IEC 62443: ISA/IEC 62443 provides a flexible framework for addressing and mitigating current and future security vulnerabilities in industrial automation and control systems.
ICCP (IEC 60870-6): ICCP (Inter-Control Center Communications Protocol) (IEC 60870-6) provides a set of standards and protocols for covering ICS or SCADA communication in power system automation.
IEC 61850: IEC 61850 is a common protocol that enables interoperability and communications between the IEDs at electrical substations.
HSCP: Hybrid SCP (Secure Copy Protocol) is developed for transmitting larger file sizes at high speed on long-distance and wideband infrastructure.

65
Q

Which of the following levels of the Purdue model uses protocols such as 6LoWPAN, DNP3, DNS/DNSSEC, FTE, HART-IP, IEC 60870-5-101/104, and SOAP?

A. Level 0
B. Level 1
C. Level 2
D. Level 4

A

Answer: C. Level 2

Explanation:
Level 4 and 5: DCOM, DDE, FTP/SFTP, GE-SRTP, IPv4/IPv6, OPC, TCP/IP, Wi-Fi.
Level 0 and 1: BACnet, EtherCat, CANopen, Crimson v3, DeviceNet, GE-SRTP, Zigbee, ISA/IEC 62443, ISA SP100, MELSEC-Q, MODBUS, Niagara Fox, Omron Fins, PCWorx, Profibus, Profinet, Sercos II, S7 Communications, WiMax.
Level 2: 6LoWPAN, DNP3, DNS/DNSSEC, FTE, HART-IP, IEC 60870-5-101/104, SOAP.

66
Q

Which of the following components of an industrial control system is a small solid-state control computer where instructions can be customized to perform a specific task?

Choices:
A. SIS
B. DCS
C. PLC
D. BPCS

A

Answer: C. PLC

Explanation:
DCS: A Distributed Control System (DCS) is used to control production systems spread within the same geographical location.
BPCS: A Basic Process Control System (BPCS) is responsible for performing process control and monitoring for industrial infrastructure.
SIS: A safety instrumented system (SIS) is an automated control system designed to safeguard the manufacturing environment in case of any hazardous incident in industry.
PLC: A programmable logic controller (PLC) is a small solid-state control computer where instructions can be customized to perform a specific task. A PLC is an Operational Technology (OT) component.

67
Q

In which of the following attacks does an attacker use techniques such as timing analysis and power analysis to obtain critical information from a target industrial system?

A) Malware attack
B) Protocol abuse
C) Side-channel attack
D) Buffer overflow attack

A

Answer: C) Side-channel attack

Explanation:
Malware Attack: Attackers are reusing legacy malware packages that were previously used to exploit IT systems for exploiting OT systems.
Side-Channel Attack: The attacker uses timing analysis and power analysis techniques to obtain critical information from a target system.
Protocol Abuse: Owing to compatibility issues, many OT systems use outdated legacy protocols and interfaces such as Modbus and CAN bus. Attackers exploit these protocols and interfaces to perform various attacks on OT systems.
Buffer Overflow Attack: The attacker exploits various buffer overflow vulnerabilities that exist in ICS software, such as HMI web interface, ICS web client, communications interfaces, etc., to inject malicious data and commands to modify the normal behavior and operation of the systems.

68
Q

What is the technique in which an attacker can gain access to an OT system by exploiting the target user’s web browser after tricking them into visiting a compromised website during a normal browsing session?

Choices:
A. Drive-by compromise
B. Shoulder surfing
C. Checking the filtering systems of target networks
D. Launch daemon

A

Answer: A. Drive-by compromise

Explanation:
Shoulder Surfing: Shoulder surfing is a technique whereby attackers secretly observe the target to gain critical information.
Checking the Filtering Systems of Target Networks: The ACK flag probe scanning technique also helps in checking the filtering systems of target networks. The attacker sends an ACK probe packet to check the filtering mechanism (firewalls) of packets employed by the target network.
Drive-by compromise: An attacker can gain access to the OT system by exploiting the target user’s web browser by tricking them into visiting a compromised website during a normal browsing session.
Launch Daemon: Attackers can create and install a new launch daemon, which can be configured to execute at boot-up time using launchd or launchctl to load plist into the relevant directories.

69
Q

Which of the following techniques allows an attacker to achieve higher-level access and authorizations to perform further malicious activities on an ICS system or network?

Choices:
A) Network address translation
B) Hooking
C) Obfuscating
D) Activity profiling

A

Answer: B) Hooking

Explanation:
Obfuscating: Obfuscation means to make code more difficult to understand or read, generally for privacy or security purposes.
Exploiting software: Attackers can take advantage of known software vulnerabilities by abusing any programming errors to elevate privileges.
Hooking: It allows attackers to hook into the APIs of different processes for redirecting and calling them to elevate privileges.
Activity Profiling: Activity profiling is performed based on the average packet rate for network flow, which consists of consecutive packets with similar packet header information. The packet header information includes the IP addresses of the destination and sender, ports, and transport protocols used.
Network Address Translation: Network address translation (NAT) separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic. The NAT helps hide an internal network layout and force connections to go through a choke point.
Privilege Escalation: Privilege escalation allows an attacker to achieve higher-level access and authorizations to perform further malicious activities on an ICS system or network. Some of the techniques that can be used by an attacker to escalate privileges are as follows.

70
Q

Which of the following techniques allows attackers to perform additional movements across a target ICS environment by leveraging existing access?

A. Remote services
B. Drive-by downloads
C. Proxy server DNS poisoning
D. Cookie sniffing

A

Answer: A. Remote services

Explanation:
Remote services: Attackers attempt to make additional movements across the target ICS environment by leveraging the existing access. An attacker can abuse the remote services to make lateral movements within the network assets and components.
Drive-by Downloads: This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware by merely visiting a website.
Proxy Server DNS Poisoning: In the proxy server DNS poisoning technique, the attacker sets up a proxy server on the attacker’s system. The attacker also configures a fraudulent DNS and makes its IP address a primary DNS entry in the proxy server.
Cookie Sniffing: It is a technique in which an attacker sniffs a cookie containing the session ID of the victim who has logged in to a target website and uses the cookie to bypass the authentication process and log in to the victim’s account.

71
Q

Peter, a professional hacker, managed to gain unauthorized access to a target ICS network. He wanted to thwart reactions to any security event such as a hazard or failure. For this purpose, Peter employed a technique to block command messages to stop defense solutions from reacting to any security event.

Which of the following techniques was employed by Peter in the above scenario?

a) Evasion
b) Command and control
c) Inhibit response function
d) Persistence

A

Answer: c) Inhibit response function

Explanation:
Evasion: Attackers use this tactic to evade conventional defense mechanisms throughout their operations. Some of the techniques used to evade detection are removing the indicators, rootkits, and changing the operator mode.
Persistence: Attackers employ persistence procedures to retain access within the ICS environment, even if the compromised device is restarted or the communication is interrupted. Some of the techniques that can be used by an attacker at this stage are modifying a program, module firmware, and project file infection.
Command and Control: An attacker attempts to deactivate, control, or exploit the physical control processes within the target ICS environment using command and control. Some of the techniques used for command and control are frequently used ports, connection proxy, and standard application-layer protocol.
Inhibit Response Function: The inhibition of response function refers to the different ways an attacker attempts to thwart reactions against any security event such as hazard or failure. Some of the techniques associated with this tactic are activate firmware update mode, block command messages and block reporting messages.

72
Q

In which of the following phases of MITRE ATT&CK for ICS does an attacker use various tactics such as I/O brute-forcing and parameter altering to disable, exploit, or control the physical control processes in the target environment?

a) Impair process control
b) Lateral movement
c) Privilege escalation
d) Collection

A

Answer: a) Impair process control

Explanation:
Impair Process Control: Attackers use this tactic to disable, exploit, or control the physical control processes in the target environment. An attacker can re-program a device by injecting malicious firmware into it and thereby prepare it to perform other malicious tasks.
Collection: Collection refers to various methods that an attacker uses to gather information and gain knowledge regarding the data and domains of the ICS infrastructure.
Lateral Movement: Attackers attempt to make additional movements across the target ICS environment by leveraging the existing access.
Privilege Escalation: Privilege escalation allows an attacker to achieve higher-level access and authorizations to perform further malicious activities on an ICS system or network.

73
Q

Which of the following phases of MITRE ATT&CK for ICS involves the use of techniques by an attacker to damage, disrupt, or gain control of the data and systems of the targeted ICS environment and its surroundings?

a) Discovery
b) Inhibit response function
c) Impact
d) Impair process control

A

Answer: c) Impact

Explanation:
Impair Process Control: Attackers use this tactic to disable, exploit, or control the physical control processes in the target environment.
Impact: Impact refers to the techniques used by an attacker to damage, disrupt, or gain control of the data and systems of the targeted ICS environment and its surroundings.
Inhibit Response Function: The inhibition of response function refers to the different ways an attacker attempts to thwart reactions against any security event such as hazard or failure.
Discovery: Discovery is the process of gaining information about an ICS environment to assess and identify target assets.

74
Q

In which of the following malware attacks do attackers use DustTunnel and LazyCargo to penetrate IT systems and pivot OT networks to perform various malicious activities?

a) Zmist
b) Kovter
c) PIPEDREAM
d) Wingbird

A

Answer: c) PIPEDREAM

Explanation:
Kovter: Backdoor Trojans such as Kovter are often initially used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process.
Wingbird: Rootkits such as Wingbird are potent backdoors that specifically attack the root or OS. Unlike backdoors, rootkits cannot be detected by observing services, system task lists, or registries. Rootkits provide full control of the victim OS to the attacker.
PIPEDREAM: PIPEDREAM is an attack framework designed with a set of tools aimed at ICS/SCADA devices. Attackers use this tool set to scan, compromise, and control the devices of an OT network. PIPEDREAM contains five components: EvilScholar, BadOmen, DustTunnel, MouseHole, and LazyCargo. The malware allows attackers to make lateral moves, escalate privileges, and disrupt critical functionalities. Additionally, attackers can leverage this malware to compromise Windows devices by exploiting ASRock motherboard driver vulnerabilities. Using DustTunnel and LazyCargo, attackers attempt to penetrate IT systems and pivot OT networks to perform malicious activities.
Zmist: Zmist, also known as Zombie.Mistfall, was the first virus to use the technique called “code integration.” This code inserts itself into other code, regenerates the code, and rebuilds the executable.

75
Q

Scenario: Robert, a professional hacker, targeted an ICS network to cause power disruption in specific areas of a targeted region. To achieve his goal, he employed malware that has self-contained executables and configuration files and implements the communication protocol IEC-104 on the target network to manipulate the RTUs over TCP connections for disrupting the target OT-based power grids.

Question: Identify the malware employed by Robert in the above scenario.

a) eCh0raix
b) INDUSTROYER.V2
c) Divergent
d) Dharma

A

Answer: b) INDUSTROYER.V2

Explanation:
INDUSTROYER.v2: INDUSTROYER.V2 was discovered in 2022 with some additional custom pieces of code to target OT-based power grids in specific regions of Ukraine. With self-contained executables and configuration files, the malware implements the communication protocol IEC-104 on the target network to manipulate the remote terminal units (RTUs) over TCP connections. INDUSTROYER.V2 allows attackers to integrate a custom configuration that can change the malware behavior according to the target device’s functionality.
Dharma: Dharma is a dreadful ransomware that was first identified in 2016; since then, it has been affecting various targets across the globe with new versions.
eCh0raix: eCh0raix is a new ransomware that specifically targets Linux devices with QNAP network-attached storage (NAS). It infects and encrypts the victim’s machine using the AES encryption technique.
Divergent: Divergent is a type of fileless malware that exploits NodeJS, which is a program that executes JavaScript outside the browser. Using Divergent fileless malware, attackers generate revenue by targeting corporate networks through click-fraud attacks.

76
Q

Identify the technique that allows an attacker to deactivate, control, or exploit the physical control processes within a target ICS environment using command and control.

a) Connection proxy
b) Alternative trusted medium
c) Anti-disassembly
d) Impersonation

A

Answer: a) Connection proxy

Explanation:
Impersonation: Impersonation is a common human-based social engineering technique where an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use a phone or another communication medium to mislead their target and trick them into revealing information.
Alternative Trusted Medium: The alternative trusted medium technique is the most reliable method used for detecting rootkits at the OS level.
Connection Proxy: An attacker attempts to deactivate, control, or exploit the physical control processes within the target ICS environment using command and control. Attackers can control the traffic of the target network across the ICS environment using a connection proxy.
Anti-disassembly: Anti-disassembly is a technique that uses specially crafted code or data in a program to produce an incorrect program listing by disassembly analysis tools.

77
Q

Which of the following online tools allows attackers to discover the default credentials of a device or product simply by entering the device name or manufacturer name?

a) Thingful
b) Censys
c) CRITIFENCE
d) Netcraft

A

Answer: c) CRITIFENCE

Explanation:
Censys: Censys is a public search engine and data-processing facility backed by data collected from ongoing Internet-wide scans. Censys supports full-text searches on protocol banners and queries a wide range of derived fields. It can identify specific vulnerable devices and networks, and generate statistical reports on broad usage patterns and trends.

Thingful: Thingful is a search engine for finding and using open IoT data from around the world. It helps organizations make better decisions with external IoT data.

CRITIFENCE: CRITIFENCE is an online database that stores default passwords of critical infrastructure, SCADA, ICS, and the IIoT. Attackers can use this online tool to discover the default credentials of a device or product simply by entering the device name or its manufacturer’s name.

Netcraft: Netcraft provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning.

78
Q

Which of the following tools passively maps and visually displays an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems?

a) Shodan
b) Gqrx
c) SCADA Shutdown Tool
d) GRASSMARLIN

A

Answer: d) GRASSMARLIN

Explanation:
GRASSMARLIN: GRASSMARLIN is an open-source tool that passively maps and visually displays an ICS/SCADA network topology, while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems.

SCADA Shutdown Tool: SCADA Shutdown Tool is an ICS testing and automation tool that allows attackers to fuzz, scan, and run remote commands on ICSs, SCADA networks, and controllers.

Shodan: The Shodan search engine helps attackers to gather information about OT devices connected to the Internet. This online tool can be used to obtain details of SCADA systems that are used in water treatment plants, nuclear power plants, HVAC systems, electrical transmission systems, home heating systems, etc.

Gqrx: Gqrx is an SDR receiver implemented with GNU Radio and the Qt GUI toolkit. Attackers use hardware devices such as FunCube dongles, Airspy, HackRF, and RTL-SDR along with Gqrx SDR to analyze the spectrum.

79
Q

Which of the following tools helps attackers scan and examine firmware binaries and images as well as retrieve information such as encryption types, sizes, partitions, and file systems?

a) GDB
b) Binwalk
c) Multimeter
d) Fritzing

A

Answer: b) Binwalk

Explanation:
GDB: GDB is a debugging tool for Linux that allows attackers to comprehend the process of on-chip executions.

Fritzing: The Fritzing tool assists attackers in designing electronic diagrams and circuits.

Binwalk: Binwalk helps attackers to scan and examine firmware binaries and images; it immediately displays different encryption types, sizes, partitions, filesystems involved, etc.

Multimeter: Attackers use multimeters or voltage meters to perform certain tests similar to the analyzer.

80
Q

Which of the following commands helps attackers gather information and identify critical network activities of an ICS network?

a) run post/windows/gather/arp_scanner RHOSTS
b) msfvenom -p windows/shell_reverse_tcp lhost= lport=444 -f exe > /home/attacker/Windows.exe
c) Invoke-Mimikatz -command '"lsadump::dcsync /domain: /user:"'
d) python -m fuzzowski printer1 631 -f ipp -r get_printer_attribs --restart smartplug

A

Answer: d) python -m fuzzowski printer1 631 -f ipp -r get_printer_attribs --restart smartplug

Explanation:
Invoke-Mimikatz -command '"lsadump::dcsync /domain: /user:"':
Attackers attempt malicious replication using this command.

msfvenom -p windows/shell_reverse_tcp lhost= lport=444 -f exe > /home/attacker/Windows.exe: Attackers run this command to generate a payload using msfvenom.

python -m fuzzowski printer1 631 -f ipp -r get_printer_attribs --restart smartplug:
The fuzzing of ICS protocols such as Modbus, BACnet, and Internet Printing Protocol (IPP) is critical for gathering information and identifying critical network activities.
Fuzzowski is a network protocol fuzzer that helps attackers perform fuzz tests on ICS protocols. It assists attackers throughout the process of fuzzing a network protocol, as well as configuring communications.

run post/windows/gather/arp_scanner RHOSTS :
Attackers use this command to detect live hosts in the target network.

81
Q

Which of the following tools helps security professionals perform an automated security assessment of software to identify configuration and application vulnerabilities?

a) IoTVAS
b) Gqrx
c) LOIC
d) Azure IoT Central

A

Answer: a) IoTVAS

Explanation:
Gqrx:
Attackers use Gqrx to observe the frequency bands of temperature/humidity sensors, light switches, car keys, M-bus transmitters, etc. Gqrx can also enable an attacker to listen to or eavesdrop on radio FM frequencies or any radio conversations.

Azure IoT Central:
Azure IoT Central is a hosted, extensible software-as-a-service (SaaS) platform that simplifies the setup of IoT solutions.

Low Orbit Ion Cannon (LOIC):
LOIC is a network stress testing and DoS attack application. LOIC attacks can be called application-based DoS attacks because they primarily target web applications.

IoTVAS:
IoTVAS enables device vendors and security professionals to perform an automated security assessment of the software that powers IoT devices (firmware) to identify configuration and application vulnerabilities. This tool notifies users about the vulnerabilities discovered and assists in mitigating those in a timely manner.

82
Q

Which of the following Nmap commands helps attackers identify the HMI systems in a target OT network?

a) nmap -Pn -sT -p 102 --script s7-info
b) nmap -Pn -sT -p 46824
c) nmap -Pn -sT -p 1911,4911 --script fox-info
d) nmap -Pn -sU -p 44818 --script enip-info

A

Answer: b) nmap -Pn -sT -p 46824

Explanation:
Nmap commands used by attackers to enumerate open ports and services of ICS/SCADA systems:

Identifying HMI Systems:
nmap -Pn -sT -p 46824

Scanning Siemens SIMATIC S7 PLCs:
nmap -Pn -sT -p 102 --script s7-info

Scanning Ethernet/IP Devices:
nmap -Pn -sU -p 44818 --script enip-info

Scanning Niagara Fox Devices:
nmap -Pn -sT -p 1911,4911 --script fox-info

83
Q

Which of the following practices is NOT a countermeasure to defend against OT hacking?

a) Enable unused services and functionalities
b) Maintain an asset register to track information
c) Regularly upgrade OT hardware and software tools
d) Regularly conduct risk assessment

A

Answer: a) Enable unused services and functionalities

Explanation:
Follow the countermeasures discussed below to defend against OT hacking:

  • Maintain an asset register to track the information and to scrutinize outdated and unsupported systems
  • Disable unused ports and services
  • Use only tested and familiar third-party web servers for serving the ICS web applications
  • Restrict network traffic by using techniques like rate-limiting and whitelisting to prevent DoS and brute-forcing attacks
  • Regularly conduct a risk assessment to reduce the current risk exposure
  • Use purpose-built sensors to discover the vulnerabilities in the network passively
  • Incorporate threat intelligence to uncover threats and protect assets by prioritizing OT patches
  • Regularly upgrade OT hardware and software tools
  • Implement secure configuration and secure coding practices for OT applications
  • Update systems to the latest technologies and patch systems regularly
  • Perform continuous monitoring and detection of the log data generated by the OT systems for detecting real-time attacks

84
Q

Which of the following Purdue levels is commonly referred to as an industrial demilitarized zone (IDMZ)?

a) Level 2
b) Level 3.5
c) Level 4
d) Level 3

A

Answer: b) Level 3.5

Explanation:
Level 2:
Manufacturing zone

Level 3:
Manufacturing zone

Level 3.5:
Industrial Demilitarized Zone (IDMZ)

Level 4:
Enterprise zone

85
Q

Given below are the various steps involved in implementing a zero-trust model for an ICS network. Identify the correct sequence of steps involved in implementing a zero-trust model.

  1. Defining the network
  2. Architecting the network
  3. Mapping the traffic
  4. Developing a ZT policy
  5. Monitoring and maintaining

A. 5 -> 2 -> 4 -> 1 -> 3
B. 1 -> 3 -> 2 -> 4 -> 5
C. 4 -> 3 -> 2 -> 5 -> 1
D. 2 -> 1 -> 3 -> 4 -> 5

A

Answer: B. 1 -> 3 -> 2 -> 4 -> 5

Explanation:
Steps to Implement a Zero-Trust Model in an ICS Network

Step 1:
Defining the Network

Step 2:
Mapping the Traffic

Step 3:
Architecting the Network

Step 4:
Developing a ZT Policy

Step 5:
Monitoring and Maintaining

86
Q

Which of the following is a not-for-profit international regulatory authority that aims to assure the effective and efficient reduction of risks to the reliability and security of electric grids?

a) CSA
b) Censys
c) NERC
d) CVE

A

Answer: c) NERC

Explanation:
NERC:
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority that aims to assure the effective and efficient reduction of risks to the reliability and security of the electric grid.

Common Vulnerabilities and Exposures (CVE):
CVE® is a publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures.

Cloud Security Alliance (CSA):
The CSA is a nonprofit global organization that raises awareness and promotes best practices and security policies to help secure the cloud environment.

Censys:
Censys monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet.

87
Q

Which of the following organizations is a non-profit professional association of engineers, technicians, and managers engaged in industrial automation?

a) Factiva
b) FISMA
c) MITRE CVE
d) ISA/IEC-62443

A

Answer: d) ISA/IEC-62443

Explanation:
The Federal Information Security Management Act (FISMA):
The Federal Information Security Management Act of 2002 was enacted to produce several key security standards and guidelines required by Congressional legislation.

ISA/IEC-62443:
The International Society of Automation (ISA)/International Electrotechnical Commission (IEC)-62443 is a non-profit professional association of engineers, technicians, and management engaged in industrial automation.

Factiva:
Factiva is a global news database and licensed content provider. It is a business information and research tool that gets information from licensed and free sources and provides capabilities such as searching, alerting, dissemination, and business information management.

MITRE CVE:
MITRE maintains a CVE database that contains details of the latest vulnerabilities. Attackers can search MITRE CVE to discover vulnerabilities that exist in the target system.