Cybersecurity interviews test your depth in threat modelling, cryptography, network defence, incident response, and compliance. This guide covers the 50 most common questions with clear, accurate answers for roles ranging from security analyst to penetration tester to CISO.
Quick reference
| Topic | Key concepts |
|---|---|
| Fundamentals | CIA triad, AAA, risk, threat vs vulnerability |
| Cryptography | Symmetric/asymmetric, hashing, PKI, TLS |
| Network Security | Firewalls, IDS/IPS, VPN, DMZ, segmentation |
| Web Security | OWASP Top 10, XSS, SQLi, CSRF, SSRF |
| Identity & Access | MFA, OAuth 2.0, SSO, Kerberos, zero trust |
| Threats & Malware | APT, ransomware, phishing, lateral movement |
| Incident Response | PICERL, forensics, chain of custody |
| Security Operations | SIEM, SOC tiers, threat hunting, log analysis |
| Cloud Security | Shared responsibility, IAM, S3, containers |
| Compliance | GDPR, ISO 27001, NIST CSF, PCI-DSS, SOC 2 |
Fundamentals
1. What is the CIA triad?
The CIA triad is the foundational model for information security:
| Pillar | Definition | Example threat | Control example |
|---|---|---|---|
| Confidentiality | Only authorised parties access data | Data breach, eavesdropping | Encryption, access control |
| Integrity | Data is accurate and unaltered | Tampering, man-in-the-middle | Hashing, digital signatures |
| Availability | Systems are accessible when needed | DDoS, ransomware | Redundancy, backups, rate limiting |
Some frameworks extend this to the Parkerian Hexad (adding possession, authenticity, utility).
2. What is the difference between a threat, vulnerability, and risk?
| Term | Definition | Example |
|---|---|---|
| Threat | Potential cause of harm (actor or event) | Attacker exploiting a web app |
| Vulnerability | Weakness that can be exploited | Unpatched CVE in Apache |
| Risk | Likelihood × impact of a threat exploiting a vulnerability | Critical risk if internet-facing + sensitive data |
| Exploit | Code or technique that takes advantage of a vulnerability | Metasploit module for CVE-2021-44228 |
| Control | Safeguard that reduces risk | WAF blocking known exploit patterns |
Risk formula: Risk = Threat × Vulnerability × Asset Value
3. Explain the AAA framework in security.
Authentication, Authorisation, and Accounting:
| Component | What it answers | Example |
|---|---|---|
| Authentication | Who are you? | Password, MFA, certificate |
| Authorisation | What are you allowed to do? | RBAC, ACLs, permissions |
| Accounting | What did you do? | Audit logs, SIEM, access records |
RADIUS and TACACS+ are common AAA protocols used for network device access.
4. What is defence in depth?
Defence in depth (layered security) applies multiple overlapping security controls so that if one fails, others still protect the asset.
Layers example:
Internet → Perimeter firewall → IDS/IPS → DMZ
→ WAF → Application firewall → OS hardening
→ Encryption at rest → DLP → Logging/SIEM
→ User training → Incident response plan
The principle: no single control is relied upon. Based on the military strategy of slowing an attacker at each layer.
5. What is the principle of least privilege?
Users, processes, and systems should have only the minimum permissions required to perform their function — nothing more.
Application:
- Admin accounts used only for admin tasks (not daily browsing)
- Service accounts with read-only DB access when write isn't needed
- Containers running as non-root
- Network segments with access only to necessary ports/services
Related concepts: need-to-know (data access), separation of duties (no single person controls a critical process end-to-end).
Cryptography
6. What is the difference between symmetric and asymmetric encryption?
| Property | Symmetric | Asymmetric |
|---|---|---|
| Keys | One shared secret key | Public key (encrypt) + private key (decrypt) |
| Speed | Fast (hardware-accelerated) | Slow (computationally expensive) |
| Key distribution | Hard — how do you share the key securely? | Easy — share public key freely |
| Examples | AES-256, ChaCha20 | RSA-2048, ECDSA, ECDH |
| Use cases | Bulk data encryption | TLS handshake, digital signatures, key exchange |
TLS uses both: asymmetric crypto to exchange a symmetric session key, then symmetric encryption for the bulk data transfer.
7. What is hashing and how does it differ from encryption?
| Property | Hashing | Encryption |
|---|---|---|
| Reversible? | No (one-way) | Yes (given the key) |
| Output | Fixed-size digest | Variable (same size or larger) |
| Use cases | Password storage, integrity checks, digital signatures | Data confidentiality |
| Examples | SHA-256, bcrypt, Argon2 | AES-256, RSA |
Password storage best practice:
# Never store plain-text or MD5/SHA1 passwords
# Use bcrypt, scrypt, or Argon2 with a unique salt per user
import bcrypt
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
# Store hashed — never the plain-text password
Why salting matters: Prevents rainbow table attacks. A salt is a random value prepended to the password before hashing — unique per user so identical passwords produce different hashes.
8. What is a digital signature and how does it work?
A digital signature proves authenticity (who sent it) and integrity (it wasn't tampered with):
Signing: hash(message) → encrypt with sender's PRIVATE key → signature
Verifying: decrypt signature with sender's PUBLIC key → compare hash to message hash
If hashes match: message is authentic and unaltered.
Used in: code signing, TLS certificates, email (S/MIME), software updates, JWT (RS256/ES256).
9. Explain PKI (Public Key Infrastructure).
PKI is the framework of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
Chain of trust:
Root CA (self-signed, offline)
└── Intermediate CA
└── End-entity certificate (website, user, device)
Key components:
| Component | Role |
|---|---|
| Certificate Authority (CA) | Issues and signs certificates |
| Registration Authority (RA) | Verifies identity before CA issues cert |
| Certificate Revocation List (CRL) | List of revoked certs |
| OCSP | Online real-time revocation check |
| X.509 | Standard certificate format |
Certificate fields: Subject, Issuer, Serial, Valid From/To, Public Key, Signature Algorithm, Subject Alternative Names (SANs).
10. What is TLS and how does TLS 1.3 handshake work?
TLS (Transport Layer Security) encrypts data in transit. TLS 1.3 (RFC 8446) streamlined the handshake to 1-RTT (vs 2-RTT in TLS 1.2):
Client → Server: ClientHello (supported ciphers, key share)
Server → Client: ServerHello + Certificate + Finished
Client → Server: Finished
──────────────────────────────────
Data exchange begins (encrypted with session keys)
TLS 1.3 improvements:
- Removed weak cipher suites (RC4, 3DES, MD5, SHA-1)
- Perfect Forward Secrecy (ECDHE) mandatory
- 0-RTT resumption (with replay attack caution)
- Encrypted SNI (ESNI) in some implementations
- Faster — saves one round trip vs TLS 1.2
Network Security
11. What is the difference between a stateful and stateless firewall?
| Property | Stateless | Stateful |
|---|---|---|
| Tracks connections | No | Yes (connection table) |
| Rules basis | Packet headers only | Full connection context |
| Performance | Faster | Slightly more resource-intensive |
| Spoofing resistance | Low | Higher |
| Example | ACLs on routers | iptables, AWS Security Groups |
Stateful firewalls know that an incoming packet is part of an established outbound connection, so they allow it without a specific inbound rule.
NGFW (Next-Generation Firewall) adds: application awareness, deep packet inspection, IPS, SSL inspection, user identity.
12. What is the difference between IDS and IPS?
| Property | IDS (Intrusion Detection System) | IPS (Intrusion Prevention System) |
|---|---|---|
| Position | Out-of-band (passive tap) | Inline (traffic passes through) |
| Action | Alert only | Alert + block/drop |
| Risk | False negative = missed attack | False positive = blocks legit traffic |
| Detection methods | Signature, anomaly, behaviour | Same |
Signature-based: matches known attack patterns (fast, misses zero-days).
Anomaly-based: detects deviations from baseline (slower, more false positives).
13. What is a DMZ in network architecture?
A DMZ (Demilitarised Zone) is a network segment that sits between the public internet and the internal network, hosting services that must be publicly accessible (web servers, mail relays, DNS).
Internet → [Firewall 1] → DMZ (web/mail/DNS) → [Firewall 2] → Internal LAN
Why: If a DMZ server is compromised, the attacker still faces Firewall 2 to reach internal systems. Limits blast radius.
14. What is a VPN and what are the main types?
A VPN (Virtual Private Network) creates an encrypted tunnel over a public network:
| Type | Use case | Protocol |
|---|---|---|
| Remote Access VPN | Employee → corporate network | OpenVPN, WireGuard, IPsec/IKEv2, SSL/TLS |
| Site-to-Site VPN | Office A ↔ Office B | IPsec |
| Split-tunnel VPN | Only corporate traffic through VPN | Configurable per client |
| Full-tunnel VPN | All traffic through VPN | Default on most corporate solutions |
IPsec modes:
- Transport mode: encrypts payload only (host-to-host)
- Tunnel mode: encrypts entire packet with new IP header (site-to-site)
15. What is the difference between a vulnerability scan and a penetration test?
| Property | Vulnerability Scan | Penetration Test |
|---|---|---|
| Who runs it | Automated tool (Nessus, OpenVAS) | Human security tester |
| Depth | Broad, surface-level | Deep, chains vulnerabilities |
| Exploits vulnerabilities | No | Yes (controlled) |
| Result | List of CVEs with severity | Narrative report with PoC + business impact |
| Frequency | Weekly/monthly | Annually or after major changes |
| Scope | Can be very wide | Defined and agreed in advance |
Engagement types:
- Black box: tester has no prior knowledge
- Grey box: partial knowledge (credentials, architecture docs)
- White box: full knowledge (code access, admin creds)
Web Application Security
16. What is the OWASP Top 10?
The OWASP Top 10 (2021) lists the most critical web application security risks:
| # | Category | Example |
|---|---|---|
| A01 | Broken Access Control | IDOR, privilege escalation |
| A02 | Cryptographic Failures | Weak encryption, plain-text passwords |
| A03 | Injection | SQL injection, NoSQL injection, OS command injection |
| A04 | Insecure Design | Missing threat modelling, unsafe design patterns |
| A05 | Security Misconfiguration | Default credentials, verbose errors, open S3 buckets |
| A06 | Vulnerable Components | Outdated libraries with known CVEs |
| A07 | Authentication Failures | Weak passwords, no MFA, brute-force not blocked |
| A08 | Software & Data Integrity Failures | Supply chain attacks, unsigned updates |
| A09 | Security Logging Failures | No logs, logs not monitored |
| A10 | SSRF | App fetches attacker-controlled URLs |
17. How does SQL injection work and how do you prevent it?
SQL injection occurs when user input is interpolated directly into a SQL query:
-- Vulnerable
SELECT * FROM users WHERE username = '$input';
-- Input: admin' OR '1'='1
-- Result: SELECT * FROM users WHERE username = 'admin' OR '1'='1'
-- Returns all users!
Prevention:
# Parameterised queries (bind variables) — ALWAYS use this
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
# ORM (handles parameterisation automatically)
User.objects.filter(username=username)
Other defences: WAF, least-privilege DB account, disable xp_cmdshell, input validation, error messages that don't leak DB details.
18. What is Cross-Site Scripting (XSS) and what are the types?
XSS allows attackers to inject malicious scripts into pages viewed by other users:
| Type | How it persists | Example |
|---|---|---|
| Reflected | URL parameter, not stored | ?q=<script>alert(1)</script> in search box |
| Stored (Persistent) | Saved to DB, shown to all users | Comment field with script tag |
| DOM-based | Client-side JavaScript writes to DOM | document.write(location.hash) |
Impact: Session hijacking (document.cookie), credential theft, defacement, keylogging.
Prevention:
- Output encode all user-controlled data (
<,>,&,") - Content Security Policy (CSP) header:
Content-Security-Policy: default-src 'self' - Use framework escaping (React auto-escapes JSX, Jinja2 auto-escapes)
HttpOnlyandSecurecookie flags- Never use
innerHTML,document.write(),eval()with user data
19. What is CSRF and how is it prevented?
Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into making an unwanted request to a site where they're logged in:
<!-- Attacker's page -->
<img src="https://bank.example.com/transfer?to=attacker&amount=1000">
<!-- Browser automatically sends session cookie with the request -->
Prevention:
| Method | How it works |
|---|---|
| CSRF Token | Random token in form/header; server validates it |
| SameSite cookie | SameSite=Strict or SameSite=Lax prevents cross-site requests from sending cookies |
| Double Submit Cookie | Token in both cookie and request body; CORS prevents attacker reading cookie |
| Referer/Origin check | Server checks request origin header |
Note: CSRF tokens must be per-session (or per-request for higher security) and unpredictable.
20. What is SSRF (Server-Side Request Forgery)?
SSRF occurs when an attacker can make the server fetch arbitrary URLs, potentially accessing internal resources:
# Normal use: https://api.example.com/fetch?url=https://cdn.external.com/img.jpg
# Attacker input: ?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Result: AWS EC2 metadata exposed → IAM credentials stolen
Impact: Access to internal services (localhost:6379 Redis), cloud metadata endpoints, internal APIs, SSRF → RCE via Gopher protocol.
Prevention:
- Allowlist permitted URL schemes (only
https://) and domains - Block internal IP ranges (127.0.0.1, 10.x, 172.16.x, 192.168.x, 169.254.x)
- DNS rebinding prevention (resolve IP and check before request)
- Don't forward raw responses to users
- Use separate network for outbound requests
Identity & Access Management
21. What is Multi-Factor Authentication (MFA) and why is it important?
MFA requires two or more of:
| Factor | Category | Examples |
|---|---|---|
| Password, PIN | Something you know | Password, security question |
| Phone, hardware token | Something you have | SMS OTP, TOTP (Google Authenticator), FIDO2 hardware key |
| Fingerprint, Face ID | Something you are | Biometrics |
| Location/device | Somewhere you are / context | Trusted device, geolocation |
Why it matters: Even if a password is breached (phishing, data dump), the attacker can't authenticate without the second factor.
Security ranking (weakest → strongest):
SMS OTP < TOTP (app) < Push notification < Hardware FIDO2 key
SMS is weakest due to SIM-swapping attacks.
22. What is the difference between authentication and authorisation?
| Concept | Question answered | Example |
|---|---|---|
| Authentication (AuthN) | Who are you? | Login with username + password |
| Authorisation (AuthZ) | What can you do? | Can this user delete records? |
Common mistake: Checking authentication but not authorisation → IDOR (Insecure Direct Object Reference).
# IDOR example
GET /api/invoices/1234 ← User A's invoice
# User B changes 1234 to 1235 — can they see User A's invoice?
# If server only checks "is user logged in" (AuthN) not "does user own this invoice" (AuthZ) → vulnerability
23. What is OAuth 2.0 and when should you use it vs session-based auth?
OAuth 2.0 is an authorisation framework that lets a third-party app access resources on behalf of a user without sharing credentials.
User → clicks "Login with Google" → Google auth page
→ User grants permission → Google returns auth code
→ App exchanges code for access token
→ App uses access token to call Google APIs
| Property | Session-Based Auth | OAuth 2.0 / JWT |
|---|---|---|
| Storage | Server-side session store | Client-side token (stateless) |
| Scalability | Needs sticky sessions or shared store | Easy to scale horizontally |
| Use case | Same-domain web app | API, mobile, third-party access |
| Revocation | Immediate (delete session) | Hard (wait for token expiry or denylist) |
OpenID Connect (OIDC) adds authentication on top of OAuth 2.0 (returns an ID token with user identity).
24. What is Kerberos and how does it work?
Kerberos is a ticket-based authentication protocol used in Active Directory environments:
1. Client → KDC Authentication Service: "I'm Alice" (encrypted with Alice's password hash)
2. KDC → Client: TGT (Ticket Granting Ticket) encrypted with KDC's secret
3. Client → KDC Ticket Granting Service: "I want to access FileServer, here's my TGT"
4. KDC → Client: Service Ticket for FileServer
5. Client → FileServer: "Here's my Service Ticket"
6. FileServer validates ticket → access granted
Key features: Mutual authentication, tickets have TTL (default 10h), no password sent over the network.
Common attacks:
- Pass-the-Ticket: steal TGT/service ticket and replay it
- Kerberoasting: request service tickets for SPNs and crack them offline
- Golden Ticket: forge TGT using
krbtgthash (requires DC compromise) - AS-REP Roasting: target accounts with Kerberos pre-auth disabled
25. What is Zero Trust security?
Zero Trust assumes no user or device is trusted by default, even inside the network perimeter:
Core principles:
- Verify explicitly: authenticate and authorise every request (identity, device health, location, time)
- Least privilege access: just-in-time, just-enough-access
- Assume breach: segment networks, minimise blast radius, monitor everything
Traditional model:
Outside: Untrusted | Perimeter firewall | Inside: Trusted
Zero Trust model:
Every request requires identity verification + device compliance + authorisation
Location (inside/outside) doesn't grant implicit trust
Technologies: ZTNA (Zero Trust Network Access), MFA, device compliance (MDM), micro-segmentation, CASB, continuous monitoring.
Threats & Malware
26. What are the different types of malware?
| Type | Behaviour | Example |
|---|---|---|
| Virus | Self-replicating, attaches to files | ILOVEYOU |
| Worm | Self-replicating, spreads without user action | WannaCry |
| Trojan | Appears legitimate, hides malicious payload | Banking trojan |
| Ransomware | Encrypts files, demands payment | LockBit, Conti |
| Rootkit | Hides itself at OS/kernel level | Necurs |
| Spyware | Steals data silently | Pegasus |
| Adware | Shows unwanted ads | Genieo |
| Keylogger | Records keystrokes | Agent Tesla |
| Botnet | Network of infected devices (bots) | Mirai, ZeuS |
| Backdoor | Persistent unauthorised access | Cobalt Strike beacon |
| RAT | Remote Access Trojan — full remote control | DarkComet |
27. What is an Advanced Persistent Threat (APT)?
An APT is a sophisticated, long-term, targeted attack typically carried out by nation-state actors or well-funded criminal groups:
Characteristics:
- Persistent: maintain access for months/years
- Stealthy: avoid detection, blend with normal traffic
- Targeted: specific organisation or industry (critical infrastructure, defence, finance)
- Resourceful: zero-day exploits, custom malware, supply chain attacks
APT kill chain (Mandiant):
Initial Compromise → Establish Foothold → Escalate Privileges
→ Internal Reconnaissance → Move Laterally → Maintain Presence
→ Complete Mission (exfiltration/destruction)
Examples: APT29 (Cozy Bear / Russia), APT41 (China), Lazarus Group (North Korea).
28. What is phishing and what are its variants?
| Variant | Target | Method |
|---|---|---|
| Phishing | Mass, untargeted | Generic email with malicious link/attachment |
| Spear phishing | Specific individual/org | Personalised email using OSINT |
| Whaling | C-level executives | Highly targeted, impersonates legal/board |
| Vishing | Voice call | Caller impersonates IT support, bank |
| Smishing | SMS | Fake delivery notification with link |
| Business Email Compromise (BEC) | Finance dept | Fake CEO requesting wire transfer |
Red flags: urgency, mismatched sender domain, requests for credentials or wire transfers, unexpected attachments.
Defence: email security gateway (DMARC, SPF, DKIM), security awareness training, MFA, callback verification for wire transfers.
29. What is lateral movement and how do attackers perform it?
Lateral movement is when an attacker moves from their initial foothold to other systems within the network:
Common techniques (MITRE ATT&CK):
| Technique | Description |
|---|---|
| Pass-the-Hash | Reuse NTLM hash without knowing the plain-text password |
| Pass-the-Ticket | Reuse Kerberos service tickets |
| RDP (T1021.001) | Remote Desktop to adjacent systems |
| SMB/Windows Admin Shares | Move files, execute code via \\host\C$ |
| WMI / WinRM / PsExec | Remote code execution tools |
| SSH tunnelling | Pivot through compromised Linux host |
Detection: Unusual RDP connections, new admin account creation, net use commands, credential dumping (LSASS access), large data transfers to unusual hosts.
30. What is a supply chain attack?
A supply chain attack compromises a trusted vendor/software to reach downstream targets:
Notable examples:
- SolarWinds (2020): Malicious update to Orion software → 18,000 organisations compromised
- Log4Shell (CVE-2021-44228): Vulnerability in Log4j library used by thousands of products
- XZ Utils backdoor (2024): Deliberate backdoor injected into xz compression library
- npm/PyPI typosquatting: Malicious packages with names similar to popular libraries
Defence:
- Software Bill of Materials (SBOM)
- Dependency scanning (Snyk, Dependabot, OWASP Dependency-Check)
- Code signing for updates
- Verify package integrity (checksums)
- Vendor security assessments
Incident Response
31. What are the phases of the NIST incident response lifecycle?
NIST SP 800-61 defines four phases:
| Phase | Activities |
|---|---|
| 1. Preparation | IR plan, runbooks, tools, team training, backups |
| 2. Detection & Analysis | Identify indicators, triage severity, scope the incident |
| 3. Containment, Eradication & Recovery | Isolate affected systems, remove malware, restore from clean backups |
| 4. Post-Incident Activity | Lessons learned, timeline reconstruction, report, improve controls |
PICERL (SANS) is another popular mnemonic: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
32. What is the difference between containment and eradication?
| Action | Timing | Purpose | Example |
|---|---|---|---|
| Containment | Immediately after detection | Stop the spread, preserve evidence | Isolate infected host from network |
| Eradication | After containment | Remove the threat completely | Wipe and reimage host, delete attacker accounts |
| Recovery | After eradication | Restore to normal operation | Restore from backup, monitor for recurrence |
Short-term containment: quarantine the host now.
Long-term containment: apply patches, change passwords, before bringing systems back.
33. What is digital forensics and what is chain of custody?
Digital forensics is the process of collecting, preserving, analysing, and presenting digital evidence in a legally sound manner.
Forensic process:
1. Identification → 2. Preservation (forensic image) → 3. Collection
→ 4. Analysis → 5. Reporting → 6. Presentation
Chain of custody: documented record of who handled evidence, when, and what was done — ensures evidence integrity and admissibility in court.
Best practices:
- Write-block the drive before imaging (hardware or software blocker)
- Create bit-for-bit image (FTK Imager, dd)
- Verify with cryptographic hash (MD5/SHA-256) before and after
- Never work on the original evidence
- Document every step with timestamps
Volatile data order (RFC 3227): Capture most volatile first: CPU registers → cache → RAM → swap → disk → logs.
34. What are Indicators of Compromise (IoC) and Indicators of Attack (IoA)?
| Type | What it is | Examples |
|---|---|---|
| IoC | Evidence that a compromise has occurred (retrospective) | Malicious IP, file hash, domain, registry key |
| IoA | Behavioural signal of an attack in progress (proactive) | Suspicious process spawning cmd.exe, lateral movement pattern |
IoCs are useful for detection but age quickly (attackers change IPs/hashes).
IoAs focus on attacker behaviour — harder to change, more resilient to evasion.
IoC sharing: STIX/TAXII format, threat intelligence platforms (MISP, ThreatConnect).
35. What is the MITRE ATT&CK framework?
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations:
Structure: Tactics (why) → Techniques (how) → Sub-techniques (specific implementation)
| Tactic | Description | Example Technique |
|---|---|---|
| Initial Access | Get into the environment | T1566 Phishing |
| Execution | Run malicious code | T1059 Command Scripting |
| Persistence | Maintain foothold | T1547 Boot/Logon Autostart |
| Privilege Escalation | Gain higher privileges | T1068 Exploit Elevation |
| Defence Evasion | Avoid detection | T1027 Obfuscation |
| Credential Access | Steal credentials | T1003 OS Credential Dumping |
| Discovery | Learn the environment | T1083 File Discovery |
| Lateral Movement | Move to other systems | T1021 Remote Services |
| Collection | Gather data | T1005 Local Data Staging |
| Exfiltration | Transfer data out | T1048 Exfil Over Alternative Protocol |
| Impact | Disrupt/destroy | T1486 Data Encrypted for Impact |
Security Operations
36. What is a SIEM and what does it do?
A SIEM (Security Information and Event Management) collects, correlates, and analyses log data from across the environment to detect threats:
| Function | Description |
|---|---|
| Log collection | Ingest from firewalls, endpoints, servers, apps, cloud |
| Normalisation | Parse logs into consistent format |
| Correlation | Match events across sources to detect attack patterns |
| Alerting | Trigger alerts on rule matches or anomaly detection |
| Dashboards | SOC analyst visibility |
| Retention | Long-term log storage for forensics and compliance |
Popular SIEMs: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM, Google Chronicle, Sumo Logic.
Use case: Detect brute-force attack — 10 failed logins followed by 1 success from the same IP → alert on "successful login after brute force".
37. What are the different tiers in a Security Operations Centre (SOC)?
| Tier | Role | Responsibilities |
|---|---|---|
| Tier 1 — Alert Analyst | First responder | Triage alerts, basic investigation, escalate |
| Tier 2 — Incident Responder | Deeper analysis | Investigate escalated incidents, containment |
| Tier 3 — Threat Hunter | Proactive | Hunt for undetected threats, malware analysis, threat intel |
| Management | Leadership | Strategy, metrics, reporting, vendor management |
Alert triage process (Tier 1):
Alert received → True Positive / False Positive?
→ True Positive → Severity? → Escalate or contain
→ False Positive → Tune rule to reduce noise
38. What is threat hunting?
Threat hunting is a proactive, hypothesis-driven search for threats that have evaded existing security controls:
Process:
1. Form hypothesis (e.g., "APT may be using living-off-the-land binaries")
2. Collect data (EDR telemetry, logs, network flows)
3. Analyse (look for anomalous LOLBin usage, unusual parent-child process relationships)
4. Respond (investigate findings, update detections)
5. Improve (feed findings into SIEM rules)
Living off the Land (LotL): attackers use built-in tools (PowerShell, certutil, mshta, wmic) to avoid custom malware detection.
Data sources: EDR (CrowdStrike, SentinelOne), Windows Event Logs (4624/4625/4688/4698), Sysmon, Zeek/Suricata network logs.
39. What is the difference between a red team and a blue team?
| Team | Role | Activities |
|---|---|---|
| Red Team | Offensive — attack | APT simulation, physical intrusion, phishing, exploitation |
| Blue Team | Defensive — defend | SIEM monitoring, incident response, hardening, patching |
| Purple Team | Collaborative | Red + Blue work together to improve detection and response |
| Yellow Team | Builders | Developers who build secure systems |
| Orange Team | Awareness | Security awareness, training |
Red team ≠ penetration test:
- Pen test: agreed scope, finds vulnerabilities
- Red team: adversary simulation, tests entire detection/response capability
40. What are the key Windows Event IDs a SOC analyst should know?
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4648 | Logon using explicit credentials (runas) |
| 4688 | Process creation (enable command-line logging) |
| 4698 | Scheduled task created |
| 4720 | User account created |
| 4732 | Member added to security-enabled local group |
| 4771 | Kerberos pre-authentication failed |
| 4776 | NTLM authentication attempt |
| 7045 | New service installed |
Logon types (4624):
- Type 2: Interactive (keyboard)
- Type 3: Network (SMB, file share)
- Type 10: Remote interactive (RDP)
Cloud Security
41. What is the cloud shared responsibility model?
Cloud providers and customers share security responsibility — the split depends on the service model:
| Responsibility | IaaS (e.g., EC2) | PaaS (e.g., RDS) | SaaS (e.g., Gmail) |
|---|---|---|---|
| Physical infrastructure | Provider | Provider | Provider |
| Hypervisor/host OS | Provider | Provider | Provider |
| Guest OS | Customer | Provider | Provider |
| Network controls | Shared | Shared | Provider |
| Application code | Customer | Customer | Provider |
| Data encryption | Customer | Customer | Customer |
| IAM / access control | Customer | Customer | Customer |
Key insight: Customers are always responsible for their data and IAM, regardless of service model.
42. What are common cloud misconfigurations?
| Misconfiguration | Risk | Example |
|---|---|---|
| Public S3 bucket | Data exposure | aws s3api put-bucket-policy --policy PublicRead |
| Overprivileged IAM roles | Privilege escalation | EC2 with AdministratorAccess policy |
| Security group 0.0.0.0/0 inbound | Any internet access to port | SSH port 22 open to world |
| No MFA on root account | Account takeover | AWS root account without MFA |
| Unencrypted storage | Data breach | EBS volume without encryption |
| No CloudTrail logging | No audit trail | Cannot investigate incidents |
| Metadata service accessible | SSRF → credential theft | IMDSv1 on EC2 + SSRF in app |
Tool: ScoutSuite, Prowler, AWS Security Hub, Checkov for IaC scanning.
43. What is container security and what are the key risks?
Container security covers the entire lifecycle from image build to runtime:
| Risk | Description | Mitigation |
|---|---|---|
| Vulnerable base image | Outdated packages with CVEs | Scan with Trivy, Snyk, regularly rebuild images |
| Running as root | Container escape impact is maximised | USER nonroot in Dockerfile |
| Privileged container | Full host access | Avoid --privileged flag |
| Exposed Docker socket | Full host compromise via API | Never mount /var/run/docker.sock in containers |
| Secrets in image | Credentials baked into layers | Use Docker secrets, external secret manager |
| No network policies | Unrestricted container-to-container comms | Kubernetes NetworkPolicy |
Image signing: Cosign/Sigstore for supply chain integrity.
44. What is a WAF and what does it protect against?
A WAF (Web Application Firewall) inspects HTTP/S traffic and blocks malicious requests:
Protects against: SQL injection, XSS, CSRF, path traversal, SSRF, RFI/LFI, OWASP Top 10.
Deployment modes:
| Mode | Position | Notes |
|---|---|---|
| Inline (reverse proxy) | In front of app | Full inspection, can block |
| Out-of-band | Mirror/tap | Detect only, no blocking |
| Cloud WAF | CDN edge (Cloudflare, Akamai, AWS WAF) | Easy setup, DDoS protection included |
Bypasses: WAFs can be bypassed using encoding, case variation, comments in SQL. Defence in depth — WAF is one layer, not the only one.
Compliance & Frameworks
45. What is the NIST Cybersecurity Framework (CSF)?
NIST CSF organises security activities into five core functions:
| Function | Goal | Example activities |
|---|---|---|
| Identify | Know what you have | Asset inventory, risk assessment |
| Protect | Implement safeguards | Access control, patching, training |
| Detect | Find anomalies | SIEM, IDS, log monitoring |
| Respond | Act on incidents | IR plan, communication, containment |
| Recover | Restore capabilities | Backup restoration, lessons learned |
CSF 2.0 (2024) added a sixth function: Govern — oversee and manage cybersecurity risk strategy.
46. What is GDPR and what are the key security requirements?
GDPR (General Data Protection Regulation) — EU regulation for personal data protection:
| Requirement | Detail |
|---|---|
| Lawful basis for processing | Consent, contract, legal obligation, vital interests, public task, legitimate interests |
| Data minimisation | Collect only what's necessary |
| Breach notification | Notify supervisory authority within 72 hours of discovery |
| Right to erasure | "Right to be forgotten" upon request |
| Privacy by design | Build privacy in from the start |
| DPO | Data Protection Officer required for certain organisations |
| Article 32 | Appropriate technical/organisational security measures (encryption, pseudonymisation) |
| Fines | Up to €20M or 4% of global annual revenue (whichever is higher) |
47. What is PCI-DSS?
PCI-DSS (Payment Card Industry Data Security Standard) applies to organisations that handle cardholder data:
12 Requirements (grouped):
| # | Category | Requirement |
|---|---|---|
| 1-2 | Network security | Firewall, no defaults |
| 3-4 | Data protection | Protect stored data, encrypt in transit |
| 5-6 | Vulnerability management | AV, secure development |
| 7-8 | Access control | Least privilege, unique IDs, MFA |
| 9 | Physical security | Restrict physical access |
| 10 | Monitoring | Log and monitor access |
| 11 | Testing | Regular scanning and pen testing |
| 12 | Security policy | Information security policy |
Scope reduction: Tokenisation (replace PAN with token) removes systems from PCI scope. Reduces audit burden significantly.
48. What is ISO/IEC 27001?
ISO 27001 is an international standard for Information Security Management Systems (ISMS):
- ISMS: Systematic approach to managing sensitive company information through policies, procedures, and controls
- Annex A: 93 controls across 4 domains (Organisational, People, Physical, Technological)
- Certification: Organisations can be certified by accredited audit bodies
- Risk-based: Identify risks, implement controls proportionate to risk
- PDCA cycle: Plan → Do → Check → Act (continual improvement)
ISO 27001 vs SOC 2:
- ISO 27001: International, prescriptive control set, results in certification
- SOC 2: US-focused, trust service criteria (security, availability, confidentiality, processing integrity, privacy), results in audit report
Common mistakes
| Mistake | Why it's wrong | Correct approach |
|---|---|---|
| Using MD5 or SHA-1 for passwords | Cryptographically broken, fast to crack | Use bcrypt, Argon2, or scrypt with high work factor |
| Storing secrets in source code | Version control exposure, logs, breach | Use environment variables or secrets manager (Vault, AWS Secrets Manager) |
| "Security through obscurity" | Not a valid control | Layered defences + known-secure algorithms |
| Trusting the client | Client-side validation is trivially bypassed | Always re-validate on the server |
| All eggs in one basket | Single point of failure | Defence in depth, network segmentation |
| Never rotating credentials | Long-lived credentials = long breach window | Rotate passwords, API keys, certificates regularly |
| Ignoring security logs | Can't detect what you don't log | Centralise logs, set up alerting, review regularly |
| Not patching promptly | Known CVEs exploited within hours of publication | Patch critical vulnerabilities within 24-48h |
Cybersecurity vs related fields
| Field | Focus | Typical tools |
|---|---|---|
| Cybersecurity | Protecting systems and data | SIEM, EDR, firewalls, WAF |
| Network Security | Protecting network infrastructure | IDS/IPS, VPN, firewall |
| Application Security (AppSec) | Securing software | SAST (SonarQube), DAST (Burp Suite), SCA |
| Cloud Security | Securing cloud environments | CSPM, CWPP, IAM analysis |
| DevSecOps | Security integrated into CI/CD | Trivy, Checkov, OWASP ZAP |
| Penetration Testing | Finding vulnerabilities (offensive) | Metasploit, Nmap, Burp Suite |
| Digital Forensics | Investigating incidents | FTK, Autopsy, Volatility |
| Threat Intelligence | Understanding adversaries | MISP, VirusTotal, MITRE ATT&CK |
FAQ
Q: What is the difference between a CVE, CWE, and CVSS?
A: CVE (Common Vulnerabilities and Exposures) — unique identifier for a specific vulnerability (e.g., CVE-2021-44228 for Log4Shell). CWE (Common Weakness Enumeration) — type of weakness (e.g., CWE-89: SQL Injection). CVSS (Common Vulnerability Scoring System) — numeric score 0–10 indicating severity (Base, Temporal, Environmental metrics).
Q: How do you secure an API?
A: Authentication (API keys, OAuth 2.0, mTLS), authorisation (check every endpoint), rate limiting, input validation, HTTPS only, never expose sensitive data in responses, log all access, use API gateway, disable verbose errors, rotate API keys regularly.
Q: What is the difference between vulnerability management and patch management?
A: Vulnerability management is the full lifecycle: discover, assess, prioritise, remediate, verify. Patch management is the specific process of applying software updates. Patching is one remediation option; others include workarounds, compensating controls, or accepting risk.
Q: What is social engineering and how do you defend against it?
A: Manipulating people into revealing information or taking actions (phishing, pretexting, baiting, tailgating, quid pro quo). Defence: security awareness training, verification procedures (call back to known numbers for wire transfers), physical access controls, culture of scepticism, no sensitive info over unverified channels.
Q: What is a honeypot?
A: A decoy system designed to attract attackers, allowing defenders to study attack techniques, gather IoCs, and waste attacker time. A honeynet is a network of honeypots. Low-interaction honeypots emulate services; high-interaction are real systems with monitoring. Legal considerations apply — ensure your jurisdiction permits them.
Q: What would you do if you discovered a critical vulnerability in production?
A: 1) Assess severity and exploitability immediately. 2) Notify security team and relevant stakeholders. 3) Implement temporary mitigation (WAF rule, disable feature, rate limit). 4) Test and deploy permanent fix in staging. 5) Deploy fix to production with rollback plan. 6) Verify remediation. 7) Document timeline, patch, and lessons learned. 8) Consider responsible disclosure if third-party software.