ECCouncil ICS-SCADA Exam Dumps & Practice Test Questions

Question 1:

Which communication method does the Modbus RTU protocol rely on for transmitting data between devices?

A. UDP
B. ICMP
C. Serial
D. SSTP

Correct Answer: C

Explanation:

Modbus RTU (Remote Terminal Unit) is a communication protocol widely used in industrial automation and control systems to enable data exchange between devices such as sensors, actuators, and Programmable Logic Controllers (PLCs). One of the defining characteristics of Modbus RTU is that it uses serial communication as its transmission medium. This means data is sent sequentially over physical communication lines like RS-232, RS-485, or RS-422, which are common in industrial environments due to their reliability and noise resistance.

In a Modbus RTU setup, information is transmitted in a compact binary format. The protocol is master-slave oriented, where the master device initiates communication and one or more slave devices respond. The communication is highly efficient and suitable for systems that require low latency and deterministic behavior, which is why Modbus RTU remains prevalent in embedded systems and legacy equipment.

Now, let's briefly examine why the other options are incorrect:

  • A (UDP): User Datagram Protocol is a connectionless protocol used over IP networks. While another variant of Modbus, known as Modbus TCP, can run over UDP/IP or TCP/IP, Modbus RTU specifically does not operate on IP networks.

  • B (ICMP): Internet Control Message Protocol is mainly used for diagnostic purposes in IP networking (such as with ping). It is unrelated to industrial communication protocols like Modbus RTU.

  • D (SSTP): Secure Socket Tunneling Protocol is a VPN protocol used for encrypted tunnels over IP networks. It has no relevance to low-level serial communication or industrial control systems.

Therefore, since Modbus RTU uses serial communication protocols for data exchange, the correct answer is C.
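The compact binary framing described above is easiest to see in code. The following is an added example, not part of the original page: it builds a Modbus RTU "Read Holding Registers" request, appends the CRC-16 that every RTU frame carries, and validates frames on receipt. It assumes the serial link (RS-485 or similar) is configured elsewhere; no port is opened and all frames are constructed in memory.

```python
"""Modbus RTU framing: build a request, append its CRC-16, and validate frames on receipt.

Added example, not code from the original page. It assumes a serial link
(RS-485 or similar) is configured elsewhere; the frames here are constructed
in memory and no port is opened.
"""


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_request(unit_id: int, function: int, start_addr: int, quantity: int) -> bytes:
    """Assemble an RTU frame: unit address, function code, big-endian data, CRC low byte first."""
    body = bytes([unit_id, function]) + start_addr.to_bytes(2, "big") + quantity.to_bytes(2, "big")
    crc = modbus_crc16(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_rtu_frame(frame: bytes) -> dict:
    """Check the trailing CRC and split a frame into its fields.

    A frame that is too short or whose CRC does not match is reported as
    invalid; on a real serial bus that is how line noise or a truncated
    transmission shows up, and such a frame must be discarded rather than acted on.
    """
    if len(frame) < 4:
        return {"valid": False, "reason": "shorter than address + function + CRC"}
    body, received_crc = frame[:-2], frame[-2:]
    expected = modbus_crc16(body)
    if received_crc != bytes([expected & 0xFF, expected >> 8]):
        return {"valid": False, "reason": "CRC mismatch"}
    return {"valid": True, "unit_id": body[0], "function": body[1], "data": body[2:]}


if __name__ == "__main__":
    # Read Holding Registers (function 0x03) from unit 1, registers 0..1.
    request = build_rtu_request(unit_id=1, function=0x03, start_addr=0, quantity=2)
    print("request:", request.hex(" "))          # 01 03 00 00 00 02 c4 0b
    print("parsed :", parse_rtu_frame(request))
    # Constructed corruption: one bit flipped in the quantity field.
    damaged = bytearray(request)
    damaged[5] ^= 0x01
    print("damaged:", parse_rtu_frame(bytes(damaged)))
```

Note that the CRC is an error-detection code, not a security control: it catches line noise and truncation, but any party on the bus can compute a valid CRC for a frame of its choosing, which is one reason Modbus RTU links need physical and network-level protection rather than trust in the frame itself.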

Question 2:

Which generation of ICS/SCADA systems is known for using a monolithic architecture?

A. Second
B. First
C. Fourth
D. Third

Correct Answer: B

Explanation:

The first generation of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems is characterized by a monolithic architecture. This term refers to a tightly integrated design where all components of the system—such as the control unit, operator interface, and data acquisition tools—exist within a single, unified platform.

These systems emerged in the 1960s through the 1980s and were built with proprietary hardware and software. During this era, ICS/SCADA systems were often standalone setups with little to no networking capabilities. Each system was usually developed for a specific industrial process and lacked flexibility or scalability. Communication with field devices such as sensors and actuators occurred over proprietary or serial connections, and the control functions were centralized within one large computing unit.

Some key characteristics of first-generation (monolithic) ICS/SCADA systems include:

  • Centralized design: All computing functions and decision-making resided in a single location.

  • Lack of modularity: Components were not easily upgradable or interchangeable.

  • Closed networks: Systems were isolated and not connected to corporate or external networks, enhancing security but reducing interoperability.

The other generations differ significantly:

  • Second-generation systems introduced Distributed Control Systems (DCS). They began to separate functionalities and support networked components.

  • Third-generation architectures moved toward open systems, integrating with TCP/IP networking and promoting interoperability.

  • Fourth-generation ICS/SCADA systems embrace modern IT principles, including cloud integration, real-time data analytics, and cybersecurity.

The evolution from monolithic to modular and networked designs represents a shift toward more flexible, scalable, and secure systems. However, understanding the monolithic nature of the first generation helps contextualize the technological advancements that followed.

Therefore, the correct answer is B.

Question 3:

Which of the following is not a feature provided by the IPsec Authentication Header (AH)?

A. Replay
B. Authentication
C. Confidentiality
D. Integrity

Correct Answer: C

Explanation:

The Authentication Header (AH) is one of the key components in the IPsec protocol suite, which provides security services for IP packets. AH is specifically designed to ensure data integrity, authentication, and protection against replay attacks, but it does not provide confidentiality.

Let’s analyze each option:

A. Replay – AH includes a sequence number mechanism that protects against replay attacks. This mechanism ensures that intercepted packets cannot be resent by a malicious actor to trick the recipient. As a result, replay protection is an inherent feature of AH, making Replay a part of AH's security functions.

B. Authentication – One of AH’s primary roles is to confirm the authenticity of the sender. It does this with a keyed integrity check value (an HMAC computed with a key shared between the two peers), so the receiver can confirm that the packet comes from a trusted source and that it hasn't been altered during transmission. So, Authentication is indeed a core component of AH.

C. Confidentiality – This is the correct answer because confidentiality refers to the encryption of data, which prevents unauthorized access or disclosure of information. AH does not perform encryption. It only authenticates the packet and ensures its integrity. If confidentiality is needed, it is provided by another IPsec protocol called Encapsulating Security Payload (ESP), which handles data encryption.

D. Integrity – Integrity checks ensure that the data has not been tampered with. AH computes a keyed hash (the integrity check value) over the packet contents, allowing the receiver to verify that the packet hasn’t changed in transit. Therefore, Integrity is an essential feature of AH.

To summarize, the Authentication Header supports authentication, integrity, and anti-replay measures but does not encrypt the data. Since confidentiality is not part of AH's function and is instead managed by ESP, the correct answer is C.
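The three services AH provides, and the one it does not, can be shown in a few dozen lines. The following is an added example, not code from the page and not an implementation of the AH specification: it models a keyed integrity check value (ICV) over a sequence number and payload, a receive-side anti-replay window, and a payload that travels in cleartext. Assumptions: HMAC-SHA-256 truncated to 128 bits as the ICV, a bare 4-byte sequence number in place of the full AH header, and a 64-packet replay window.

```python
"""A minimal model of what IPsec AH does and does not provide: a keyed integrity
check value (ICV) over the data, a sequence number for anti-replay, and a payload
that stays in cleartext.

Added example, not code from the original page and not an implementation of the
AH specification. Assumptions: HMAC-SHA-256 truncated to 128 bits as the ICV, a
4-byte sequence number standing in for the AH header, and a 64-packet replay window.
"""
import hashlib
import hmac
from typing import Optional, Tuple

ICV_LEN = 16      # assumption: HMAC-SHA-256 truncated to 128 bits
WINDOW = 64       # assumption: size of the anti-replay window


def compute_icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """The ICV covers the sequence number and the payload, so neither can change unnoticed."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sequence number, ICV, then the payload verbatim: AH authenticates, it never encrypts."""
    return seq.to_bytes(4, "big") + compute_icv(key, seq, payload) + payload


class AhReceiver:
    """Receiver state for one security association: the key and the replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0          # highest sequence number accepted so far
        self.seen = set()         # accepted sequence numbers still inside the window

    def receive(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        if len(packet) < 4 + ICV_LEN:
            return "malformed", None
        seq = int.from_bytes(packet[:4], "big")
        icv = packet[4:4 + ICV_LEN]
        payload = packet[4 + ICV_LEN:]
        # Anti-replay: a sequence number already accepted, or one that has fallen
        # behind the window, is rejected before any cryptographic work is done.
        if seq in self.seen or self.highest - seq >= WINDOW:
            return "replay rejected", None
        # Authentication and integrity: constant-time comparison of the ICV.
        if not hmac.compare_digest(compute_icv(self.key, seq, payload), icv):
            return "authentication/integrity failure", None
        # Only a verified packet advances the window; a forged one leaves it untouched.
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if self.highest - s < WINDOW}
        return "accepted", payload


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    rx = AhReceiver(key)
    p1 = build_ah_packet(key, 1, b"SET valve=open")
    print(rx.receive(p1))                    # accepted
    print(rx.receive(p1))                    # same sequence number again: replay rejected
    p2 = build_ah_packet(key, 2, b"SET valve=open")
    print(rx.receive(p2[:-4] + b"shut"))     # payload altered in transit: ICV check fails
    print(b"SET valve=open" in p2)           # True: the payload is readable by anyone on the path
```

The last line is the point of the question: the packet is authenticated and replay-protected, yet the command it carries is visible to every hop. Confidentiality requires ESP, which encrypts the payload in addition to (optionally) authenticating it.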

Question 4:

How many core scoring categories are defined within the Common Vulnerability Scoring System (CVSS)?

A. 2
B. 4
C. 3
D. None of these

Correct Answer: C

Explanation:

The Common Vulnerability Scoring System (CVSS) is a standardized method used to measure the severity of security vulnerabilities. It helps organizations assess how critical a vulnerability is and prioritize patching or mitigation efforts. The CVSS framework is divided into three main scoring areas: Base, Temporal, and Environmental.

1. Base Score:
This is the most fundamental score, calculated from characteristics that are consistent over time and across all environments. It considers exploitability metrics (such as how an attack can be launched, whether authentication is needed, and user interaction) and impact metrics (such as effects on confidentiality, integrity, and availability). The base score serves as the foundation of the overall CVSS rating.

2. Temporal Score:
Temporal metrics reflect factors that can change over time, such as the availability of exploit code, the level of confidence in the vulnerability report, or whether a fix is available. This score helps track the evolution of a vulnerability’s risk profile and gives a more current snapshot of its potential danger.

3. Environmental Score:
This score allows organizations to tailor the CVSS value based on local context. For example, a vulnerability in a public-facing server might be rated more severely than the same flaw in an isolated internal system. Environmental metrics factor in the importance of the affected assets, any compensating security controls, and the broader business impact.

Let’s examine the options:

  • A. 2 – Incorrect, as CVSS includes three main score areas, not two.

  • B. 4 – Incorrect, CVSS does not have four scoring areas.

  • C. 3 – Correct, the CVSS structure consists of three main components: Base, Temporal, and Environmental.

  • D. None of these – Incorrect, because option C provides the correct number.

In conclusion, the CVSS scoring model uses three key areas to evaluate vulnerabilities comprehensively. Hence, the correct answer is C.

Question 5:

Which one of the following tools is not classified as an exploit framework?

A. Canvas
B. Core Impact
C. Metasploit
D. Nessus

Correct Answer: D

Explanation:

Exploit frameworks are specialized tools used by cybersecurity professionals—especially penetration testers and ethical hackers—to simulate attacks by leveraging known software vulnerabilities. These tools typically include prebuilt exploit code that can be deployed against target systems to evaluate their defenses.

Canvas, Core Impact, and Metasploit all fall into this category. These are professional-grade penetration testing platforms, designed not only to scan for vulnerabilities but also to actively exploit them in a controlled manner. They are used extensively in red team exercises and ethical hacking to demonstrate the impact of vulnerabilities and to help organizations strengthen their security posture.

  • Canvas, developed by Immunity Inc., is a commercial exploit development platform that provides hundreds of exploits and allows for scripting new attacks using Python.

  • Core Impact is another robust penetration testing tool that simulates real-world attacks across various vectors, including network, web, and endpoint systems. It automates many of the steps in a penetration test and includes exploit capabilities.

  • Metasploit, maintained by Rapid7, is the most widely known open-source exploit framework. It offers a massive library of publicly available exploits and is regularly updated to include new attack vectors and payloads.

On the other hand, Nessus is fundamentally different. It is a vulnerability scanner, not an exploit tool. Nessus scans systems for known vulnerabilities, misconfigurations, and missing patches, and reports them. However, it does not exploit these vulnerabilities—it only detects and alerts users to their presence. While some plugins in Nessus may include proof-of-concept style checks, they do not actively compromise systems in the same way exploit frameworks do.

In summary, D. Nessus is the correct answer because, unlike the other options listed, it does not have built-in capabilities to launch exploits. It is strictly a detection and assessment tool focused on vulnerability management rather than exploitation.

Question 6:

You are monitoring your network traffic and detect an ICMP packet with type value 8. What does this signify?

A. Echo request
B. Echo start
C. Echo recall
D. Echo reply

Correct Answer: A

Explanation:

The Internet Control Message Protocol (ICMP) plays a critical role in diagnosing and reporting errors within IP-based networks. It is not used for data transmission but rather for control messages that indicate issues in communication. ICMP messages are categorized by types, each representing a different kind of network signal or notification.

One of the most commonly used ICMP message types is Type 8, which represents an Echo Request. This type is central to the ping command, a basic utility for testing the reachability of a host on an IP network. When a ping is initiated, the source device sends an ICMP Type 8 packet to the destination. If the target is reachable and properly configured to respond, it replies with a Type 0 ICMP packet—an Echo Reply.

Understanding ICMP Type 8 is crucial in network monitoring and diagnostics. When you observe ICMP Type 8 traffic in a monitoring tool or packet sniffer, it means that a device is attempting to verify the availability or latency of another device through a network probe. This is commonly seen during health checks, network mapping, or even scanning activities.

Let’s analyze the other options:

  • B. Echo start and C. Echo recall are fictitious terms and not defined in the ICMP specification. They do not correspond to any known ICMP message types.

  • D. Echo reply refers to ICMP Type 0, which is the response sent by a host that receives an Echo Request (Type 8). Therefore, it’s not the correct answer in this context, which specifically asks about Type 8.

To summarize, ICMP Type 8 is explicitly defined as an Echo Request in network communication. It is used to test if a device is online and reachable. Hence, the correct answer is A. Echo request.
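Recognising Type 8 in a monitoring tool comes down to reading the first byte of the ICMP header and checking the message checksum. The following is an added example, not code from the original page: it decodes Echo Request and Echo Reply messages from raw bytes, verifies the RFC 792 checksum, and counts how many distinct hosts each source has probed with Type 8, which is the pattern a ping sweep leaves in a capture. The packets and addresses are constructed in memory (a real sniffer would take the addresses from the IP header), and the sweep threshold is an assumption.

```python
"""Parse ICMP messages from raw bytes and flag Type 8 (Echo Request) traffic.

Added example, not code from the original page. The packets are constructed
in memory (no capture file or socket), and the source/destination addresses
that a real sniffer would take from the IP header are supplied alongside each
message. The sweep threshold is an assumption.
"""
from collections import defaultdict

ICMP_TYPES = {0: "Echo reply", 8: "Echo request"}   # the two types the question concerns


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Type, code 0, checksum, identifier, sequence number, payload (constructed packets)."""
    header = bytes([icmp_type, 0]) + b"\x00\x00" + ident.to_bytes(2, "big") + seq.to_bytes(2, "big")
    csum = icmp_checksum(header + payload)
    return header[:2] + csum.to_bytes(2, "big") + header[4:] + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; the checksum over the whole message must fold to zero."""
    if len(packet) < 8:
        return {"ok": False, "reason": "truncated header"}
    if icmp_checksum(packet) != 0:
        return {"ok": False, "reason": "bad checksum"}
    return {
        "ok": True,
        "type": packet[0],
        "code": packet[1],
        "name": ICMP_TYPES.get(packet[0], "other"),
        "id": int.from_bytes(packet[4:6], "big"),
        "seq": int.from_bytes(packet[6:8], "big"),
    }


def echo_request_sweeps(observations, threshold: int = 3) -> dict:
    """Count the distinct hosts each source has sent Type 8 to.

    observations: iterable of (src, dst, packet). Sources that probed at least
    `threshold` distinct hosts are returned with their target count; this is the
    signature of a ping sweep rather than an ordinary health check."""
    targets = defaultdict(set)
    for src, dst, packet in observations:
        msg = parse_icmp(packet)
        if msg["ok"] and msg["type"] == 8:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    # Constructed traffic: one normal ping exchange, plus one source probing four hosts.
    req = build_echo(8, 0x1234, 1)
    rep = build_echo(0, 0x1234, 1)
    observed = [("10.0.0.5", "10.0.0.1", req), ("10.0.0.1", "10.0.0.5", rep)]
    observed += [("10.0.0.99", f"10.0.0.{n}", build_echo(8, 7, n)) for n in range(1, 5)]
    for src, dst, packet in observed:
        print(f"{src} -> {dst}: {parse_icmp(packet)['name']}")
    print("sweep candidates:", echo_request_sweeps(observed))   # {'10.0.0.99': 4}
```

A Type 8 from one source to one host is a health check; the same type from one source to many hosts in a short interval is what network-mapping activity looks like, so the counter keyed on distinct destinations separates the two without needing payload inspection.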

Question 7:

Which phase of a malware attack is responsible for placing and installing the malicious payload onto the target system?

A. Drive-by
B. Init
C. Dropper
D. Stager

Correct Answer: C

Explanation:

The lifecycle of a malware attack generally follows a structured sequence of stages. Each stage has a distinct purpose, from initial access to final execution. One of the most critical points in this lifecycle is the phase that actually installs the malicious payload onto the victim's system. Understanding the role of each phase helps clarify which one is responsible for that installation.

A. Drive-by attacks are a common delivery mechanism. In this method, users become infected simply by visiting a compromised or malicious website—often without any interaction. However, while a drive-by can start the infection process, it is not the actual phase that installs the malware.

B. Init, short for “initialization,” typically refers to the phase when malware begins to execute after being introduced to the system. This can involve setting up environment variables or launching initial scripts, but it is not the step that physically installs the malware.

C. Dropper is the component that carries and installs the final malicious software on the system. A dropper is typically a standalone program designed to deploy the malware payload. It may contain code to bypass security defenses and hide the malware during installation. Once executed, the dropper installs or "drops" the malware into the system, making this the correct answer.

D. Stager refers to a lightweight component used early in some infections to download and execute the main payload later. It prepares the system for the attack but does not deliver or install the main malware itself.

In summary, while phases like drive-by, stager, and init play supporting roles in malware deployment, only the dropper is directly responsible for installing the malicious code onto the target system. This makes C the correct answer.

Question 8:

Which network protocol was exploited during the widespread WannaCry ransomware attack?

A. Samba
B. None of these
C. RPC
D. SMB

Correct Answer: D

Explanation:

The WannaCry ransomware outbreak of May 2017 remains one of the most devastating cyberattacks in history. It spread across hundreds of thousands of systems in over 150 countries, encrypting files and demanding ransom payments in Bitcoin. The rapid spread was due to its exploitation of a vulnerability in a specific Windows networking protocol: SMB (Server Message Block).

SMB is a protocol used primarily for file and printer sharing between machines on a local or wide-area network. The vulnerability that WannaCry leveraged was specifically found in SMBv1, an outdated and insecure version of the protocol. Tracked as CVE-2017-0144, this flaw was exploited using a tool known as EternalBlue, which was reportedly developed by the NSA and leaked by a hacker group known as the Shadow Brokers.

Now, let’s assess the other options:

A. Samba is a software suite that implements SMB and CIFS protocols on Unix and Linux systems. While Samba can be involved in SMB-related communications, WannaCry specifically targeted Microsoft’s SMB implementation, not Samba itself.

B. None of these is incorrect because the attack did target a specific and well-known protocol—SMB.

C. RPC (Remote Procedure Call) is another communication protocol used to execute functions on remote systems. Although critical in many exploits, RPC was not involved in the WannaCry infection chain.

D. SMB is the correct answer. It was the weak point that allowed remote code execution without authentication, enabling the malware to propagate rapidly within and across networks.

Following the attack, Microsoft issued patches—even for unsupported versions like Windows XP—and security professionals urged users to disable SMBv1 permanently. The incident highlighted the critical importance of timely patch management and protocol security.

Therefore, the correct answer is D, as WannaCry’s propagation relied entirely on a serious vulnerability in the SMB protocol.

Question 9:

If a domain is registered in Europe, which regional internet registry would maintain the ownership records for that domain?

A. RIPENCC
B. AFRINIC
C. LACNIC
D. ARIN

Correct Answer: A

Explanation:

The internet is divided into several regions for the purposes of managing IP address allocations and domain ownership records. Each region is governed by a Regional Internet Registry (RIR). These organizations are responsible for distributing and maintaining IP address and domain registration data within their designated territories.

In the case of Europe, the relevant RIR is RIPENCC (Réseaux IP Européens Network Coordination Centre). This organization oversees IP address allocations, domain registration, and resource coordination not only for Europe but also for parts of Central Asia and the Middle East. If a domain is owned by an individual or organization based in Europe, the corresponding registration details would be stored and managed by RIPENCC.

The other options refer to RIRs responsible for different regions and are therefore not suitable answers to the question:

  • B. AFRINIC manages the African continent. It handles IP allocation and domain registration information specifically for Africa.

  • C. LACNIC is responsible for Latin America and parts of the Caribbean. It does not manage any European-based domain information.

  • D. ARIN (American Registry for Internet Numbers) handles domain and IP assignments for North America, including the United States, Canada, and parts of the Caribbean.

Because domain ownership and IP address allocation are regional responsibilities, selecting the correct RIR is essential for accurate domain management. RIPENCC is the only option listed that corresponds with the European region. As such, it is the correct answer when dealing with domain registration and ownership data within Europe.

Question 10:

Which element of the cybersecurity model is directly compromised when a system faces a service disruption?

A. Confidentiality
B. Availability
C. Authentication
D. Integrity

Correct Answer: B

Explanation:

The Availability component of the CIA Triad (Confidentiality, Integrity, and Availability) in information security is responsible for ensuring that systems, services, and data are accessible to authorized users whenever they need them. When a system suffers a disruption or becomes unreachable, the availability aspect is what has been attacked or compromised.

Common threats to availability include Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks. These attacks involve flooding a server or network with illegitimate traffic, rendering it inaccessible to genuine users. This form of disruption doesn’t compromise data confidentiality or alter its contents but prevents legitimate users from accessing services, making it a direct violation of availability.

Interruptions can also be caused by hardware failures, natural disasters, malicious insiders, or ransomware attacks. For instance, ransomware may encrypt essential files, locking users out of systems until a ransom is paid. Though the data might remain intact and confidential, it is unavailable—hence, the availability component is breached.

To contrast:

  • A. Confidentiality refers to keeping data private and protected from unauthorized access. It's threatened by data breaches or eavesdropping, not by service interruptions.

  • C. Authentication ensures users are who they claim to be. Attacks here involve impersonation or unauthorized logins but don't stop access to services entirely.

  • D. Integrity ensures the accuracy and consistency of data. If someone alters or corrupts data without authorization, integrity is compromised—but the system may still remain available.

In summary, when a system becomes slow, unresponsive, or inaccessible—either due to cyberattacks or accidental failures—it is the availability of the service that suffers. Because modern businesses and users demand continuous access to online services, maintaining availability is a top priority in cybersecurity planning. Preventive measures include backup systems, load balancers, redundant infrastructure, and DDoS mitigation tools. Therefore, B (Availability) is the correct answer, as it is the component specifically targeted when systems are disrupted.

