Toolmingo
Guides29 min read

50 Cybersecurity Interview Questions (With Answers)

Top cybersecurity interview questions with detailed answers — covering CIA triad, cryptography, network security, OWASP Top 10, incident response, SOC, cloud security, and compliance frameworks.

Cybersecurity interviews test your depth in threat modelling, cryptography, network defence, incident response, and compliance. This guide covers the 50 most common questions with clear, accurate answers for roles ranging from security analyst to penetration tester to CISO.

Quick reference

Topic Key concepts
Fundamentals CIA triad, AAA, risk, threat vs vulnerability
Cryptography Symmetric/asymmetric, hashing, PKI, TLS
Network Security Firewalls, IDS/IPS, VPN, DMZ, segmentation
Web Security OWASP Top 10, XSS, SQLi, CSRF, SSRF
Identity & Access MFA, OAuth 2.0, SSO, Kerberos, zero trust
Threats & Malware APT, ransomware, phishing, lateral movement
Incident Response PICERL, forensics, chain of custody
Security Operations SIEM, SOC tiers, threat hunting, log analysis
Cloud Security Shared responsibility, IAM, S3, containers
Compliance GDPR, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Fundamentals

1. What is the CIA triad?

The CIA triad is the foundational model for information security:

Pillar Definition Example threat Control example
Confidentiality Only authorised parties access data Data breach, eavesdropping Encryption, access control
Integrity Data is accurate and unaltered Tampering, man-in-the-middle Hashing, digital signatures
Availability Systems are accessible when needed DDoS, ransomware Redundancy, backups, rate limiting

Some frameworks extend this to the Parkerian Hexad (adding possession, authenticity, utility).


2. What is the difference between a threat, vulnerability, and risk?

Term Definition Example
Threat Potential cause of harm (actor or event) Attacker exploiting a web app
Vulnerability Weakness that can be exploited Unpatched CVE in Apache
Risk Likelihood × impact of a threat exploiting a vulnerability Critical risk if internet-facing + sensitive data
Exploit Code or technique that takes advantage of a vulnerability Metasploit module for CVE-2021-44228
Control Safeguard that reduces risk WAF blocking known exploit patterns

Risk formula: Risk = Threat × Vulnerability × Asset Value


3. Explain the AAA framework in security.

Authentication, Authorisation, and Accounting:

Component What it answers Example
Authentication Who are you? Password, MFA, certificate
Authorisation What are you allowed to do? RBAC, ACLs, permissions
Accounting What did you do? Audit logs, SIEM, access records

RADIUS and TACACS+ are common AAA protocols used for network device access.


4. What is defence in depth?

Defence in depth (layered security) applies multiple overlapping security controls so that if one fails, others still protect the asset.

Layers example:

Internet → Perimeter firewall → IDS/IPS → DMZ
→ WAF → Application firewall → OS hardening
→ Encryption at rest → DLP → Logging/SIEM
→ User training → Incident response plan

The principle: no single control is relied upon. Based on the military strategy of slowing an attacker at each layer.


5. What is the principle of least privilege?

Users, processes, and systems should have only the minimum permissions required to perform their function — nothing more.

Application:

  • Admin accounts used only for admin tasks (not daily browsing)
  • Service accounts with read-only DB access when write isn't needed
  • Containers running as non-root
  • Network segments with access only to necessary ports/services

Related concepts: need-to-know (data access), separation of duties (no single person controls a critical process end-to-end).


Cryptography

6. What is the difference between symmetric and asymmetric encryption?

Property Symmetric Asymmetric
Keys One shared secret key Public key (encrypt) + private key (decrypt)
Speed Fast (hardware-accelerated) Slow (computationally expensive)
Key distribution Hard — how do you share the key securely? Easy — share public key freely
Examples AES-256, ChaCha20 RSA-2048, ECDSA, ECDH
Use cases Bulk data encryption TLS handshake, digital signatures, key exchange

TLS uses both: asymmetric crypto to exchange a symmetric session key, then symmetric encryption for the bulk data transfer.


7. What is hashing and how does it differ from encryption?

Property Hashing Encryption
Reversible? No (one-way) Yes (given the key)
Output Fixed-size digest Variable (same size or larger)
Use cases Password storage, integrity checks, digital signatures Data confidentiality
Examples SHA-256, bcrypt, Argon2 AES-256, RSA

Password storage best practice:

# Never store plain-text or MD5/SHA1 passwords
# Use bcrypt, scrypt, or Argon2 with a unique salt per user
import bcrypt
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
# Store hashed — never the plain-text password

Why salting matters: Prevents rainbow table attacks. A salt is a random value prepended to the password before hashing — unique per user so identical passwords produce different hashes.


8. What is a digital signature and how does it work?

A digital signature proves authenticity (who sent it) and integrity (it wasn't tampered with):

Signing:   hash(message) → encrypt with sender's PRIVATE key → signature
Verifying: decrypt signature with sender's PUBLIC key → compare hash to message hash

If hashes match: message is authentic and unaltered.

Used in: code signing, TLS certificates, email (S/MIME), software updates, JWT (RS256/ES256).


9. Explain PKI (Public Key Infrastructure).

PKI is the framework of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Chain of trust:

Root CA (self-signed, offline) 
  └── Intermediate CA 
        └── End-entity certificate (website, user, device)

Key components:

Component Role
Certificate Authority (CA) Issues and signs certificates
Registration Authority (RA) Verifies identity before CA issues cert
Certificate Revocation List (CRL) List of revoked certs
OCSP Online real-time revocation check
X.509 Standard certificate format

Certificate fields: Subject, Issuer, Serial, Valid From/To, Public Key, Signature Algorithm, Subject Alternative Names (SANs).


10. What is TLS and how does TLS 1.3 handshake work?

TLS (Transport Layer Security) encrypts data in transit. TLS 1.3 (RFC 8446) streamlined the handshake to 1-RTT (vs 2-RTT in TLS 1.2):

Client → Server: ClientHello (supported ciphers, key share)
Server → Client: ServerHello + Certificate + Finished
Client → Server: Finished
──────────────────────────────────
Data exchange begins (encrypted with session keys)

TLS 1.3 improvements:

  • Removed weak cipher suites (RC4, 3DES, MD5, SHA-1)
  • Perfect Forward Secrecy (ECDHE) mandatory
  • 0-RTT resumption (with replay attack caution)
  • Encrypted SNI (ESNI) in some implementations
  • Faster — saves one round trip vs TLS 1.2

Network Security

11. What is the difference between a stateful and stateless firewall?

Property Stateless Stateful
Tracks connections No Yes (connection table)
Rules basis Packet headers only Full connection context
Performance Faster Slightly more resource-intensive
Spoofing resistance Low Higher
Example ACLs on routers iptables, AWS Security Groups

Stateful firewalls know that an incoming packet is part of an established outbound connection, so they allow it without a specific inbound rule.

NGFW (Next-Generation Firewall) adds: application awareness, deep packet inspection, IPS, SSL inspection, user identity.


12. What is the difference between IDS and IPS?

Property IDS (Intrusion Detection System) IPS (Intrusion Prevention System)
Position Out-of-band (passive tap) Inline (traffic passes through)
Action Alert only Alert + block/drop
Risk False negative = missed attack False positive = blocks legit traffic
Detection methods Signature, anomaly, behaviour Same

Signature-based: matches known attack patterns (fast, misses zero-days).
Anomaly-based: detects deviations from baseline (slower, more false positives).


13. What is a DMZ in network architecture?

A DMZ (Demilitarised Zone) is a network segment that sits between the public internet and the internal network, hosting services that must be publicly accessible (web servers, mail relays, DNS).

Internet → [Firewall 1] → DMZ (web/mail/DNS) → [Firewall 2] → Internal LAN

Why: If a DMZ server is compromised, the attacker still faces Firewall 2 to reach internal systems. Limits blast radius.


14. What is a VPN and what are the main types?

A VPN (Virtual Private Network) creates an encrypted tunnel over a public network:

Type Use case Protocol
Remote Access VPN Employee → corporate network OpenVPN, WireGuard, IPsec/IKEv2, SSL/TLS
Site-to-Site VPN Office A ↔ Office B IPsec
Split-tunnel VPN Only corporate traffic through VPN Configurable per client
Full-tunnel VPN All traffic through VPN Default on most corporate solutions

IPsec modes:

  • Transport mode: encrypts payload only (host-to-host)
  • Tunnel mode: encrypts entire packet with new IP header (site-to-site)

15. What is the difference between a vulnerability scan and a penetration test?

Property Vulnerability Scan Penetration Test
Who runs it Automated tool (Nessus, OpenVAS) Human security tester
Depth Broad, surface-level Deep, chains vulnerabilities
Exploits vulnerabilities No Yes (controlled)
Result List of CVEs with severity Narrative report with PoC + business impact
Frequency Weekly/monthly Annually or after major changes
Scope Can be very wide Defined and agreed in advance

Engagement types:

  • Black box: tester has no prior knowledge
  • Grey box: partial knowledge (credentials, architecture docs)
  • White box: full knowledge (code access, admin creds)

Web Application Security

16. What is the OWASP Top 10?

The OWASP Top 10 (2021) lists the most critical web application security risks:

# Category Example
A01 Broken Access Control IDOR, privilege escalation
A02 Cryptographic Failures Weak encryption, plain-text passwords
A03 Injection SQL injection, NoSQL injection, OS command injection
A04 Insecure Design Missing threat modelling, unsafe design patterns
A05 Security Misconfiguration Default credentials, verbose errors, open S3 buckets
A06 Vulnerable Components Outdated libraries with known CVEs
A07 Authentication Failures Weak passwords, no MFA, brute-force not blocked
A08 Software & Data Integrity Failures Supply chain attacks, unsigned updates
A09 Security Logging Failures No logs, logs not monitored
A10 SSRF App fetches attacker-controlled URLs

17. How does SQL injection work and how do you prevent it?

SQL injection occurs when user input is interpolated directly into a SQL query:

-- Vulnerable
SELECT * FROM users WHERE username = '$input';
-- Input: admin' OR '1'='1
-- Result: SELECT * FROM users WHERE username = 'admin' OR '1'='1'
-- Returns all users!

Prevention:

# Parameterised queries (bind variables) — ALWAYS use this
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))

# ORM (handles parameterisation automatically)
User.objects.filter(username=username)

Other defences: WAF, least-privilege DB account, disable xp_cmdshell, input validation, error messages that don't leak DB details.


18. What is Cross-Site Scripting (XSS) and what are the types?

XSS allows attackers to inject malicious scripts into pages viewed by other users:

Type How it persists Example
Reflected URL parameter, not stored ?q=<script>alert(1)</script> in search box
Stored (Persistent) Saved to DB, shown to all users Comment field with script tag
DOM-based Client-side JavaScript writes to DOM document.write(location.hash)

Impact: Session hijacking (document.cookie), credential theft, defacement, keylogging.

Prevention:

  • Output encode all user-controlled data (&lt;, &gt;, &amp;, &quot;)
  • Content Security Policy (CSP) header: Content-Security-Policy: default-src 'self'
  • Use framework escaping (React auto-escapes JSX, Jinja2 auto-escapes)
  • HttpOnly and Secure cookie flags
  • Never use innerHTML, document.write(), eval() with user data

19. What is CSRF and how is it prevented?

Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into making an unwanted request to a site where they're logged in:

<!-- Attacker's page -->
<img src="https://bank.example.com/transfer?to=attacker&amount=1000">
<!-- Browser automatically sends session cookie with the request -->

Prevention:

Method How it works
CSRF Token Random token in form/header; server validates it
SameSite cookie SameSite=Strict or SameSite=Lax prevents cross-site requests from sending cookies
Double Submit Cookie Token in both cookie and request body; CORS prevents attacker reading cookie
Referer/Origin check Server checks request origin header

Note: CSRF tokens must be per-session (or per-request for higher security) and unpredictable.


20. What is SSRF (Server-Side Request Forgery)?

SSRF occurs when an attacker can make the server fetch arbitrary URLs, potentially accessing internal resources:

# Normal use: https://api.example.com/fetch?url=https://cdn.external.com/img.jpg
# Attacker input: ?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Result: AWS EC2 metadata exposed → IAM credentials stolen

Impact: Access to internal services (localhost:6379 Redis), cloud metadata endpoints, internal APIs, SSRF → RCE via Gopher protocol.

Prevention:

  • Allowlist permitted URL schemes (only https://) and domains
  • Block internal IP ranges (127.0.0.1, 10.x, 172.16.x, 192.168.x, 169.254.x)
  • DNS rebinding prevention (resolve IP and check before request)
  • Don't forward raw responses to users
  • Use separate network for outbound requests

Identity & Access Management

21. What is Multi-Factor Authentication (MFA) and why is it important?

MFA requires two or more of:

Factor Category Examples
Password, PIN Something you know Password, security question
Phone, hardware token Something you have SMS OTP, TOTP (Google Authenticator), FIDO2 hardware key
Fingerprint, Face ID Something you are Biometrics
Location/device Somewhere you are / context Trusted device, geolocation

Why it matters: Even if a password is breached (phishing, data dump), the attacker can't authenticate without the second factor.

Security ranking (weakest → strongest):

SMS OTP < TOTP (app) < Push notification < Hardware FIDO2 key

SMS is weakest due to SIM-swapping attacks.


22. What is the difference between authentication and authorisation?

Concept Question answered Example
Authentication (AuthN) Who are you? Login with username + password
Authorisation (AuthZ) What can you do? Can this user delete records?

Common mistake: Checking authentication but not authorisation → IDOR (Insecure Direct Object Reference).

# IDOR example
GET /api/invoices/1234  ← User A's invoice
# User B changes 1234 to 1235 — can they see User A's invoice?
# If server only checks "is user logged in" (AuthN) not "does user own this invoice" (AuthZ) → vulnerability

23. What is OAuth 2.0 and when should you use it vs session-based auth?

OAuth 2.0 is an authorisation framework that lets a third-party app access resources on behalf of a user without sharing credentials.

User → clicks "Login with Google" → Google auth page
→ User grants permission → Google returns auth code
→ App exchanges code for access token
→ App uses access token to call Google APIs
Property Session-Based Auth OAuth 2.0 / JWT
Storage Server-side session store Client-side token (stateless)
Scalability Needs sticky sessions or shared store Easy to scale horizontally
Use case Same-domain web app API, mobile, third-party access
Revocation Immediate (delete session) Hard (wait for token expiry or denylist)

OpenID Connect (OIDC) adds authentication on top of OAuth 2.0 (returns an ID token with user identity).


24. What is Kerberos and how does it work?

Kerberos is a ticket-based authentication protocol used in Active Directory environments:

1. Client → KDC Authentication Service: "I'm Alice" (encrypted with Alice's password hash)
2. KDC → Client: TGT (Ticket Granting Ticket) encrypted with KDC's secret
3. Client → KDC Ticket Granting Service: "I want to access FileServer, here's my TGT"
4. KDC → Client: Service Ticket for FileServer
5. Client → FileServer: "Here's my Service Ticket"
6. FileServer validates ticket → access granted

Key features: Mutual authentication, tickets have TTL (default 10h), no password sent over the network.

Common attacks:

  • Pass-the-Ticket: steal TGT/service ticket and replay it
  • Kerberoasting: request service tickets for SPNs and crack them offline
  • Golden Ticket: forge TGT using krbtgt hash (requires DC compromise)
  • AS-REP Roasting: target accounts with Kerberos pre-auth disabled

25. What is Zero Trust security?

Zero Trust assumes no user or device is trusted by default, even inside the network perimeter:

Core principles:

  1. Verify explicitly: authenticate and authorise every request (identity, device health, location, time)
  2. Least privilege access: just-in-time, just-enough-access
  3. Assume breach: segment networks, minimise blast radius, monitor everything

Traditional model:

Outside: Untrusted | Perimeter firewall | Inside: Trusted

Zero Trust model:

Every request requires identity verification + device compliance + authorisation
Location (inside/outside) doesn't grant implicit trust

Technologies: ZTNA (Zero Trust Network Access), MFA, device compliance (MDM), micro-segmentation, CASB, continuous monitoring.


Threats & Malware

26. What are the different types of malware?

Type Behaviour Example
Virus Self-replicating, attaches to files ILOVEYOU
Worm Self-replicating, spreads without user action WannaCry
Trojan Appears legitimate, hides malicious payload Banking trojan
Ransomware Encrypts files, demands payment LockBit, Conti
Rootkit Hides itself at OS/kernel level Necurs
Spyware Steals data silently Pegasus
Adware Shows unwanted ads Genieo
Keylogger Records keystrokes Agent Tesla
Botnet Network of infected devices (bots) Mirai, ZeuS
Backdoor Persistent unauthorised access Cobalt Strike beacon
RAT Remote Access Trojan — full remote control DarkComet

27. What is an Advanced Persistent Threat (APT)?

An APT is a sophisticated, long-term, targeted attack typically carried out by nation-state actors or well-funded criminal groups:

Characteristics:

  • Persistent: maintain access for months/years
  • Stealthy: avoid detection, blend with normal traffic
  • Targeted: specific organisation or industry (critical infrastructure, defence, finance)
  • Resourceful: zero-day exploits, custom malware, supply chain attacks

APT kill chain (Mandiant):

Initial Compromise → Establish Foothold → Escalate Privileges
→ Internal Reconnaissance → Move Laterally → Maintain Presence
→ Complete Mission (exfiltration/destruction)

Examples: APT29 (Cozy Bear / Russia), APT41 (China), Lazarus Group (North Korea).


28. What is phishing and what are its variants?

Variant Target Method
Phishing Mass, untargeted Generic email with malicious link/attachment
Spear phishing Specific individual/org Personalised email using OSINT
Whaling C-level executives Highly targeted, impersonates legal/board
Vishing Voice call Caller impersonates IT support, bank
Smishing SMS Fake delivery notification with link
Business Email Compromise (BEC) Finance dept Fake CEO requesting wire transfer

Red flags: urgency, mismatched sender domain, requests for credentials or wire transfers, unexpected attachments.

Defence: email security gateway (DMARC, SPF, DKIM), security awareness training, MFA, callback verification for wire transfers.


29. What is lateral movement and how do attackers perform it?

Lateral movement is when an attacker moves from their initial foothold to other systems within the network:

Common techniques (MITRE ATT&CK):

Technique Description
Pass-the-Hash Reuse NTLM hash without knowing the plain-text password
Pass-the-Ticket Reuse Kerberos service tickets
RDP (T1021.001) Remote Desktop to adjacent systems
SMB/Windows Admin Shares Move files, execute code via \\host\C$
WMI / WinRM / PsExec Remote code execution tools
SSH tunnelling Pivot through compromised Linux host

Detection: Unusual RDP connections, new admin account creation, net use commands, credential dumping (LSASS access), large data transfers to unusual hosts.


30. What is a supply chain attack?

A supply chain attack compromises a trusted vendor/software to reach downstream targets:

Notable examples:

  • SolarWinds (2020): Malicious update to Orion software → 18,000 organisations compromised
  • Log4Shell (CVE-2021-44228): Vulnerability in Log4j library used by thousands of products
  • XZ Utils backdoor (2024): Deliberate backdoor injected into xz compression library
  • npm/PyPI typosquatting: Malicious packages with names similar to popular libraries

Defence:

  • Software Bill of Materials (SBOM)
  • Dependency scanning (Snyk, Dependabot, OWASP Dependency-Check)
  • Code signing for updates
  • Verify package integrity (checksums)
  • Vendor security assessments

Incident Response

31. What are the phases of the NIST incident response lifecycle?

NIST SP 800-61 defines four phases:

Phase Activities
1. Preparation IR plan, runbooks, tools, team training, backups
2. Detection & Analysis Identify indicators, triage severity, scope the incident
3. Containment, Eradication & Recovery Isolate affected systems, remove malware, restore from clean backups
4. Post-Incident Activity Lessons learned, timeline reconstruction, report, improve controls

PICERL (SANS) is another popular mnemonic: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.


32. What is the difference between containment and eradication?

Action Timing Purpose Example
Containment Immediately after detection Stop the spread, preserve evidence Isolate infected host from network
Eradication After containment Remove the threat completely Wipe and reimage host, delete attacker accounts
Recovery After eradication Restore to normal operation Restore from backup, monitor for recurrence

Short-term containment: quarantine the host now.
Long-term containment: apply patches, change passwords, before bringing systems back.


33. What is digital forensics and what is chain of custody?

Digital forensics is the process of collecting, preserving, analysing, and presenting digital evidence in a legally sound manner.

Forensic process:

1. Identification → 2. Preservation (forensic image) → 3. Collection
→ 4. Analysis → 5. Reporting → 6. Presentation

Chain of custody: documented record of who handled evidence, when, and what was done — ensures evidence integrity and admissibility in court.

Best practices:

  • Write-block the drive before imaging (hardware or software blocker)
  • Create bit-for-bit image (FTK Imager, dd)
  • Verify with cryptographic hash (MD5/SHA-256) before and after
  • Never work on the original evidence
  • Document every step with timestamps

Volatile data order (RFC 3227): Capture most volatile first: CPU registers → cache → RAM → swap → disk → logs.


34. What are Indicators of Compromise (IoC) and Indicators of Attack (IoA)?

Type What it is Examples
IoC Evidence that a compromise has occurred (retrospective) Malicious IP, file hash, domain, registry key
IoA Behavioural signal of an attack in progress (proactive) Suspicious process spawning cmd.exe, lateral movement pattern

IoCs are useful for detection but age quickly (attackers change IPs/hashes).
IoAs focus on attacker behaviour — harder to change, more resilient to evasion.

IoC sharing: STIX/TAXII format, threat intelligence platforms (MISP, ThreatConnect).


35. What is the MITRE ATT&CK framework?

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations:

Structure: Tactics (why) → Techniques (how) → Sub-techniques (specific implementation)

Tactic Description Example Technique
Initial Access Get into the environment T1566 Phishing
Execution Run malicious code T1059 Command Scripting
Persistence Maintain foothold T1547 Boot/Logon Autostart
Privilege Escalation Gain higher privileges T1068 Exploit Elevation
Defence Evasion Avoid detection T1027 Obfuscation
Credential Access Steal credentials T1003 OS Credential Dumping
Discovery Learn the environment T1083 File Discovery
Lateral Movement Move to other systems T1021 Remote Services
Collection Gather data T1005 Local Data Staging
Exfiltration Transfer data out T1048 Exfil Over Alternative Protocol
Impact Disrupt/destroy T1486 Data Encrypted for Impact

Security Operations

36. What is a SIEM and what does it do?

A SIEM (Security Information and Event Management) collects, correlates, and analyses log data from across the environment to detect threats:

Function Description
Log collection Ingest from firewalls, endpoints, servers, apps, cloud
Normalisation Parse logs into consistent format
Correlation Match events across sources to detect attack patterns
Alerting Trigger alerts on rule matches or anomaly detection
Dashboards SOC analyst visibility
Retention Long-term log storage for forensics and compliance

Popular SIEMs: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM, Google Chronicle, Sumo Logic.

Use case: Detect brute-force attack — 10 failed logins followed by 1 success from the same IP → alert on "successful login after brute force".


37. What are the different tiers in a Security Operations Centre (SOC)?

Tier Role Responsibilities
Tier 1 — Alert Analyst First responder Triage alerts, basic investigation, escalate
Tier 2 — Incident Responder Deeper analysis Investigate escalated incidents, containment
Tier 3 — Threat Hunter Proactive Hunt for undetected threats, malware analysis, threat intel
Management Leadership Strategy, metrics, reporting, vendor management

Alert triage process (Tier 1):

Alert received → True Positive / False Positive?
→ True Positive → Severity? → Escalate or contain
→ False Positive → Tune rule to reduce noise

38. What is threat hunting?

Threat hunting is a proactive, hypothesis-driven search for threats that have evaded existing security controls:

Process:

1. Form hypothesis (e.g., "APT may be using living-off-the-land binaries")
2. Collect data (EDR telemetry, logs, network flows)
3. Analyse (look for anomalous LOLBin usage, unusual parent-child process relationships)
4. Respond (investigate findings, update detections)
5. Improve (feed findings into SIEM rules)

Living off the Land (LotL): attackers use built-in tools (PowerShell, certutil, mshta, wmic) to avoid custom malware detection.

Data sources: EDR (CrowdStrike, SentinelOne), Windows Event Logs (4624/4625/4688/4698), Sysmon, Zeek/Suricata network logs.


39. What is the difference between a red team and a blue team?

Team Role Activities
Red Team Offensive — attack APT simulation, physical intrusion, phishing, exploitation
Blue Team Defensive — defend SIEM monitoring, incident response, hardening, patching
Purple Team Collaborative Red + Blue work together to improve detection and response
Yellow Team Builders Developers who build secure systems
Orange Team Awareness Security awareness, training

Red team ≠ penetration test:

  • Pen test: agreed scope, finds vulnerabilities
  • Red team: adversary simulation, tests entire detection/response capability

40. What are the key Windows Event IDs a SOC analyst should know?

Event ID Description
4624 Successful logon
4625 Failed logon
4648 Logon using explicit credentials (runas)
4688 Process creation (enable command-line logging)
4698 Scheduled task created
4720 User account created
4732 Member added to security-enabled local group
4771 Kerberos pre-authentication failed
4776 NTLM authentication attempt
7045 New service installed

Logon types (4624):

  • Type 2: Interactive (keyboard)
  • Type 3: Network (SMB, file share)
  • Type 10: Remote interactive (RDP)

Cloud Security

41. What is the cloud shared responsibility model?

Cloud providers and customers share security responsibility — the split depends on the service model:

Responsibility IaaS (e.g., EC2) PaaS (e.g., RDS) SaaS (e.g., Gmail)
Physical infrastructure Provider Provider Provider
Hypervisor/host OS Provider Provider Provider
Guest OS Customer Provider Provider
Network controls Shared Shared Provider
Application code Customer Customer Provider
Data encryption Customer Customer Customer
IAM / access control Customer Customer Customer

Key insight: Customers are always responsible for their data and IAM, regardless of service model.


42. What are common cloud misconfigurations?

Misconfiguration Risk Example
Public S3 bucket Data exposure aws s3api put-bucket-policy --policy PublicRead
Overprivileged IAM roles Privilege escalation EC2 with AdministratorAccess policy
Security group 0.0.0.0/0 inbound Any internet access to port SSH port 22 open to world
No MFA on root account Account takeover AWS root account without MFA
Unencrypted storage Data breach EBS volume without encryption
No CloudTrail logging No audit trail Cannot investigate incidents
Metadata service accessible SSRF → credential theft IMDSv1 on EC2 + SSRF in app

Tool: ScoutSuite, Prowler, AWS Security Hub, Checkov for IaC scanning.


43. What is container security and what are the key risks?

Container security covers the entire lifecycle from image build to runtime:

Risk Description Mitigation
Vulnerable base image Outdated packages with CVEs Scan with Trivy, Snyk, regularly rebuild images
Running as root Container escape impact is maximised USER nonroot in Dockerfile
Privileged container Full host access Avoid --privileged flag
Exposed Docker socket Full host compromise via API Never mount /var/run/docker.sock in containers
Secrets in image Credentials baked into layers Use Docker secrets, external secret manager
No network policies Unrestricted container-to-container comms Kubernetes NetworkPolicy

Image signing: Cosign/Sigstore for supply chain integrity.


44. What is a WAF and what does it protect against?

A WAF (Web Application Firewall) inspects HTTP/S traffic and blocks malicious requests:

Protects against: SQL injection, XSS, CSRF, path traversal, SSRF, RFI/LFI, OWASP Top 10.

Deployment modes:

Mode Position Notes
Inline (reverse proxy) In front of app Full inspection, can block
Out-of-band Mirror/tap Detect only, no blocking
Cloud WAF CDN edge (Cloudflare, Akamai, AWS WAF) Easy setup, DDoS protection included

Bypasses: WAFs can be bypassed using encoding, case variation, comments in SQL. Defence in depth — WAF is one layer, not the only one.


Compliance & Frameworks

45. What is the NIST Cybersecurity Framework (CSF)?

NIST CSF organises security activities into five core functions:

Function Goal Example activities
Identify Know what you have Asset inventory, risk assessment
Protect Implement safeguards Access control, patching, training
Detect Find anomalies SIEM, IDS, log monitoring
Respond Act on incidents IR plan, communication, containment
Recover Restore capabilities Backup restoration, lessons learned

CSF 2.0 (2024) added a sixth function: Govern — oversee and manage cybersecurity risk strategy.


46. What is GDPR and what are the key security requirements?

GDPR (General Data Protection Regulation) — EU regulation for personal data protection:

Requirement Detail
Lawful basis for processing Consent, contract, legal obligation, vital interests, public task, legitimate interests
Data minimisation Collect only what's necessary
Breach notification Notify supervisory authority within 72 hours of discovery
Right to erasure "Right to be forgotten" upon request
Privacy by design Build privacy in from the start
DPO Data Protection Officer required for certain organisations
Article 32 Appropriate technical/organisational security measures (encryption, pseudonymisation)
Fines Up to €20M or 4% of global annual revenue (whichever is higher)

47. What is PCI-DSS?

PCI-DSS (Payment Card Industry Data Security Standard) applies to organisations that handle cardholder data:

12 Requirements (grouped):

# Category Requirement
1-2 Network security Firewall, no defaults
3-4 Data protection Protect stored data, encrypt in transit
5-6 Vulnerability management AV, secure development
7-8 Access control Least privilege, unique IDs, MFA
9 Physical security Restrict physical access
10 Monitoring Log and monitor access
11 Testing Regular scanning and pen testing
12 Security policy Information security policy

Scope reduction: Tokenisation (replace PAN with token) removes systems from PCI scope. Reduces audit burden significantly.


48. What is ISO/IEC 27001?

ISO 27001 is an international standard for Information Security Management Systems (ISMS):

  • ISMS: Systematic approach to managing sensitive company information through policies, procedures, and controls
  • Annex A: 93 controls across 4 domains (Organisational, People, Physical, Technological)
  • Certification: Organisations can be certified by accredited audit bodies
  • Risk-based: Identify risks, implement controls proportionate to risk
  • PDCA cycle: Plan → Do → Check → Act (continual improvement)

ISO 27001 vs SOC 2:

  • ISO 27001: International, prescriptive control set, results in certification
  • SOC 2: US-focused, trust service criteria (security, availability, confidentiality, processing integrity, privacy), results in audit report

Common mistakes

Mistake Why it's wrong Correct approach
Using MD5 or SHA-1 for passwords Cryptographically broken, fast to crack Use bcrypt, Argon2, or scrypt with high work factor
Storing secrets in source code Version control exposure, logs, breach Use environment variables or secrets manager (Vault, AWS Secrets Manager)
"Security through obscurity" Not a valid control Layered defences + known-secure algorithms
Trusting the client Client-side validation is trivially bypassed Always re-validate on the server
All eggs in one basket Single point of failure Defence in depth, network segmentation
Never rotating credentials Long-lived credentials = long breach window Rotate passwords, API keys, certificates regularly
Ignoring security logs Can't detect what you don't log Centralise logs, set up alerting, review regularly
Not patching promptly Known CVEs exploited within hours of publication Patch critical vulnerabilities within 24-48h

Cybersecurity vs related fields

Field Focus Typical tools
Cybersecurity Protecting systems and data SIEM, EDR, firewalls, WAF
Network Security Protecting network infrastructure IDS/IPS, VPN, firewall
Application Security (AppSec) Securing software SAST (SonarQube), DAST (Burp Suite), SCA
Cloud Security Securing cloud environments CSPM, CWPP, IAM analysis
DevSecOps Security integrated into CI/CD Trivy, Checkov, OWASP ZAP
Penetration Testing Finding vulnerabilities (offensive) Metasploit, Nmap, Burp Suite
Digital Forensics Investigating incidents FTK, Autopsy, Volatility
Threat Intelligence Understanding adversaries MISP, VirusTotal, MITRE ATT&CK

FAQ

Q: What is the difference between a CVE, CWE, and CVSS?
A: CVE (Common Vulnerabilities and Exposures) — unique identifier for a specific vulnerability (e.g., CVE-2021-44228 for Log4Shell). CWE (Common Weakness Enumeration) — type of weakness (e.g., CWE-89: SQL Injection). CVSS (Common Vulnerability Scoring System) — numeric score 0–10 indicating severity (Base, Temporal, Environmental metrics).

Q: How do you secure an API?
A: Authentication (API keys, OAuth 2.0, mTLS), authorisation (check every endpoint), rate limiting, input validation, HTTPS only, never expose sensitive data in responses, log all access, use API gateway, disable verbose errors, rotate API keys regularly.

Q: What is the difference between vulnerability management and patch management?
A: Vulnerability management is the full lifecycle: discover, assess, prioritise, remediate, verify. Patch management is the specific process of applying software updates. Patching is one remediation option; others include workarounds, compensating controls, or accepting risk.

Q: What is social engineering and how do you defend against it?
A: Manipulating people into revealing information or taking actions (phishing, pretexting, baiting, tailgating, quid pro quo). Defence: security awareness training, verification procedures (call back to known numbers for wire transfers), physical access controls, culture of scepticism, no sensitive info over unverified channels.

Q: What is a honeypot?
A: A decoy system designed to attract attackers, allowing defenders to study attack techniques, gather IoCs, and waste attacker time. A honeynet is a network of honeypots. Low-interaction honeypots emulate services; high-interaction are real systems with monitoring. Legal considerations apply — ensure your jurisdiction permits them.

Q: What would you do if you discovered a critical vulnerability in production?
A: 1) Assess severity and exploitability immediately. 2) Notify security team and relevant stakeholders. 3) Implement temporary mitigation (WAF rule, disable feature, rate limit). 4) Test and deploy permanent fix in staging. 5) Deploy fix to production with rollback plan. 6) Verify remediation. 7) Document timeline, patch, and lessons learned. 8) Consider responsible disclosure if third-party software.

Related tools

Keep reading

All Toolmingotools are free & run in your browser

No sign-up, no upload, no watermark. Your files never leave your device.

Browse all tools