Cyber security Interview Questions


1. What is cybersecurity?

Cybersecurity is the practice of defending computers, servers, networks, and data from malicious digital attacks. It ensures confidentiality, integrity, and availability of information assets. The goal is to reduce risks and protect organizations from breaches.

2. What is the CIA triad?

The CIA triad stands for Confidentiality, Integrity, and Availability. Confidentiality means only authorized users can access data, integrity ensures the accuracy and reliability of data, and availability ensures systems and information are accessible when needed.

3. What is the difference between a threat, vulnerability, and risk?

A threat is a potential event that could harm systems or data. A vulnerability is a weakness in systems or processes that a threat can exploit. Risk is the probability of a threat exploiting a vulnerability and causing damage.

4. What is a firewall?

A firewall is a network security device or software that filters incoming and outgoing traffic. It uses predefined rules to block malicious traffic while allowing legitimate communication. Firewalls act as the first line of defense in network security.

5. What is the difference between IDS and IPS?

An IDS (Intrusion Detection System) monitors network traffic for suspicious activity and alerts administrators. An IPS (Intrusion Prevention System) does the same but also blocks malicious activity in real time. IDS is passive detection; IPS is active prevention.

6. What is a DMZ?

A DMZ (Demilitarized Zone) is a separate network that sits between an internal network and the internet. It hosts public-facing services like web or email servers. If a DMZ host is compromised, the attacker still cannot reach the internal network directly.

7. What is symmetric vs asymmetric encryption?

Symmetric encryption uses one key for both encryption and decryption; it is fast, but the shared key is harder to distribute securely. Asymmetric encryption uses a public key for encryption and a private key for decryption. The two are often combined for secure communications: asymmetric encryption exchanges a symmetric key, which then protects the bulk of the data.

8. What is hashing?

Hashing is a process of converting data into a fixed-length string using algorithms like SHA-256. It is one-way and cannot be reversed. It is mainly used for integrity verification and for storing passwords securely (for passwords, with a per-user salt and a deliberately slow hashing function rather than a plain fast hash).
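As an added example (not part of the original question list), the two uses described above: a SHA-256 integrity check that detects a single changed byte, and a salted PBKDF2 password verifier. The sample message and the round count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data for the demonstration (not real transactions).
ORIGINAL = b"Transfer 100 USD to account 12345"
TAMPERED = b"Transfer 900 USD to account 12345"


def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex chars) digest of arbitrary-length input."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)


# Password storage: do not store the raw SHA-256 of a password. Use a
# per-user random salt and a deliberately slow key-derivation function
# (PBKDF2-HMAC-SHA256 here) so that guessing is expensive for an attacker.
PBKDF2_ROUNDS = 200_000  # assumed value; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)
```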

9. Difference between hashing and encryption?

Hashing is irreversible and is used to verify data integrity. Encryption is reversible with a key and is used to protect confidentiality. Hashing prevents tampering, while encryption ensures only authorized access.

10. What is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that secure internet communication. They provide encryption, authentication, and integrity between clients and servers. TLS is the modern, secure version of SSL.

11. What is a digital certificate?

A digital certificate is issued by a Certificate Authority to verify the ownership of a public key. It ensures secure communication by authenticating identities. Digital certificates are essential for HTTPS connections.

12. What is a VPN?

A VPN (Virtual Private Network) encrypts traffic between a user and a remote network. It hides the user’s IP address and protects data in transit. VPNs are widely used for secure remote work and safe internet browsing.

13. What is phishing?

Phishing is a social engineering attack where attackers impersonate trusted entities through emails or websites. The goal is to trick victims into revealing sensitive information like credentials. Phishing relies more on human error than technical flaws.

14. What is spear phishing?

Spear phishing is a targeted version of phishing. Attackers research their victims to craft convincing messages. It’s more effective and dangerous because it often bypasses generic security filters.

15. What is ransomware?

Ransomware is malware that encrypts files and demands payment for decryption. It can spread via phishing emails, malicious attachments, or unpatched systems. Victims often face downtime, data loss, and financial damage.

16. What is SQL injection?

SQL Injection is a web attack where attackers insert malicious SQL code into input fields. This allows unauthorized access to databases, data theft, or modification. Input validation and parameterized queries prevent SQL injection.

17. What is cross-site scripting (XSS)?

XSS allows attackers to inject malicious scripts into trusted websites. When victims load the page, the script runs in their browsers. It can steal cookies, hijack sessions, or redirect users to malicious sites.

18. What is CSRF (Cross-Site Request Forgery)?

CSRF tricks authenticated users into executing unwanted actions, for example by submitting a hidden request that transfers funds from the victim's account. Mitigations include anti-CSRF tokens and SameSite cookie policies.

19. What is a zero-day exploit?

A zero-day exploit targets an unknown vulnerability that has no patch. Because vendors are unaware, attackers can use it immediately. Zero-day attacks are often seen in advanced persistent threats.

20. What is a DDoS attack?

A DDoS (Distributed Denial of Service) floods a server or network with massive traffic. The goal is to exhaust resources and make services unavailable. Attackers usually use botnets to launch DDoS attacks.

21. What is privilege escalation?

Privilege escalation occurs when attackers gain higher system permissions than intended. It can be vertical (user to admin) or horizontal (accessing another user’s data). Fixing misconfigurations and patching vulnerabilities prevents it.

22. Difference between virus, worm, and Trojan?

A virus attaches to files and spreads when they are executed. A worm is self-replicating and spreads without user action. A Trojan disguises itself as legitimate software but executes malicious code once installed.

23. What is a brute force attack?

A brute force attack tries all possible password combinations until the correct one is found. It is time-consuming but effective against weak passwords. Rate-limiting and account lockout policies mitigate brute force attacks.

24. What is a dictionary attack?

A dictionary attack uses a list of common passwords to guess credentials. It’s faster than brute force because it uses likely options. Strong, unique passwords and account lockout policies help prevent it.
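As an added example covering the mitigation named in questions 23 and 24 (not code from the original page), a small account-lockout guard: failures inside a sliding window are counted, and once the threshold is hit the account is refused even when the right password is supplied. Thresholds and the explicit time parameter are assumptions for a deterministic demonstration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict


class LoginGuard:
    """Counts failed logins per account in a sliding window and enforces a lockout.
    Note for operators: aggressive lockout can be turned into a denial of service
    against legitimate users, so pair it with monitoring and sensible thresholds."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # account -> failure times
        self._locked_until: Dict[str, float] = {}                     # account -> lock expiry

    def _prune(self, account: str, now: float) -> None:
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()  # forget failures older than the window

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. `now` is passed in (seconds) for testability."""
        if self.is_locked(account, now):
            return "locked"  # refused regardless of the password supplied
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures.pop(account, None)
        return "failed"
```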

25. What is a MITM (Man-in-the-Middle) attack?

A MITM attack intercepts communication between two parties without their knowledge. Attackers can eavesdrop, alter, or inject malicious content. Using HTTPS, VPNs, and encryption reduces the risk.

26. What is ARP spoofing?

ARP spoofing tricks a network by sending fake ARP messages, linking the attacker’s MAC address to a legitimate IP. This allows interception of traffic. Dynamic ARP inspection and static ARP tables are defenses.

27. What is DNS spoofing?

DNS spoofing alters DNS responses to redirect users to malicious sites. Attackers commonly achieve this through DNS cache poisoning. DNSSEC (DNS Security Extensions) helps prevent this attack.

28. What is sandboxing?

Sandboxing isolates applications in a controlled environment. Suspicious programs can be executed safely without affecting the host system. It’s commonly used to analyze malware behavior.

29. What is a honeypot?

A honeypot is a decoy system designed to attract attackers. It collects intelligence about attack methods and techniques. While it diverts attackers, it also helps improve defenses.

30. What is SIEM?

SIEM (Security Information and Event Management) collects and analyzes logs from multiple sources. It correlates events to detect suspicious activity. SIEM systems support real-time monitoring and incident response.
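As an added example of the correlation a SIEM performs (not code from the original page), a rule run over constructed, syslog-style authentication lines: alert when one source IP accumulates a threshold of failed logins within a short window and then logs in successfully. The log format, threshold and window are assumptions; the IP addresses are from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed sample log lines, not from a real system.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.5 port 5001
2024-05-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.5 port 5002
2024-05-01T10:00:04 sshd[101]: Failed password for root from 203.0.113.5 port 5003
2024-05-01T10:00:06 sshd[101]: Failed password for admin from 203.0.113.5 port 5004
2024-05-01T10:00:07 sshd[101]: Failed password for admin from 203.0.113.5 port 5005
2024-05-01T10:00:09 sshd[101]: Accepted password for admin from 203.0.113.5 port 5006
2024-05-01T10:05:00 sshd[102]: Failed password for bob from 198.51.100.7 port 6001
2024-05-01T10:20:00 sshd[102]: Accepted password for bob from 198.51.100.7 port 6002
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")


def parse(lines: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, outcome, user, source_ip) for lines matching the assumed format."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def correlate(lines: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """Raise an alert when a source IP has >= threshold failures inside `window`
    immediately preceding a successful login (a password-guessing pattern)."""
    failures: Dict[str, List[datetime]] = defaultdict(list)  # ip -> failure timestamps
    alerts: List[dict] = []
    for ts, outcome, user, ip in parse(lines):
        if outcome == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(recent), "at": ts.isoformat()})
    return alerts
```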

31. What is a SOC?

A SOC (Security Operations Center) is a dedicated team that monitors, detects, and responds to security threats. They use SIEM tools, threat intelligence, and incident response frameworks. SOCs are the nerve center of cybersecurity operations.

32. What is incident response?

Incident response is the structured approach to handling cybersecurity breaches. It includes preparation, detection, containment, eradication, recovery, and lessons learned. The goal is to minimize damage and restore operations quickly.

33. What are incident response phases?

The phases are: Preparation (setting up tools and policies), Detection (identifying incidents), Containment (isolating threats), Eradication (removing them), Recovery (restoring systems), and Lessons Learned (improving future defenses).

34. What is the kill chain model?

The cyber kill chain outlines stages of an attack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions. It helps organizations detect and disrupt attacks early.

35. What is red team vs blue team?

Red teams simulate attackers by launching realistic cyberattacks. Blue teams defend against these attacks, monitoring and responding. Together, they test and improve an organization’s defenses.

36. What is threat hunting?

Threat hunting is the proactive search for threats that may have bypassed security controls. It uses intelligence, anomaly detection, and manual analysis. Unlike monitoring, it actively looks for hidden attacks.

37. What is the principle of least privilege?

The principle of least privilege gives users only the minimum access needed to perform their tasks. It reduces the attack surface and limits damage if accounts are compromised. It applies to users, systems, and applications.

38. What is multi-factor authentication (MFA)?

MFA requires more than one verification method: something you know (password), have (token), or are (biometric). It significantly strengthens authentication. Even if one factor is compromised, attackers can’t easily gain access.

39. Difference between authentication and authorization?

Authentication verifies identity (e.g., logging in with a password). Authorization determines what actions or resources the authenticated user can access. Both are critical for secure access control.

40. What is single sign-on (SSO)?

SSO allows users to log in once and access multiple applications. It improves user experience and reduces password fatigue. Security is enhanced because authentication is centralized.

41. What is port scanning?

Port scanning identifies open and closed ports on a system. Attackers use it for reconnaissance, while admins use it for auditing. Tools like Nmap are commonly used for this purpose.

42. What is patch management?

Patch management involves regularly applying updates to software and systems. Patches fix security vulnerabilities, improve performance, and add features. Poor patching is a common cause of breaches.

43. What is GDPR?

The General Data Protection Regulation is an EU law that governs data protection and privacy. It requires organizations to safeguard personal data and gives users control over their information. Non-compliance results in heavy fines.

44. What is HIPAA?

The Health Insurance Portability and Accountability Act is a US law that protects patient health information. It mandates privacy, security, and breach notification rules. Organizations in healthcare must comply strictly.

45. What is PCI-DSS?

The Payment Card Industry Data Security Standard is a global framework for securing credit card transactions. It includes requirements like encryption, monitoring, and network segmentation. Compliance is mandatory for businesses handling card data.

46. What is ISO 27001?

ISO 27001 is an international standard for Information Security Management Systems. It defines how organizations should establish, implement, and maintain security processes. Certification proves a company takes data security seriously.

47. What is two-factor authentication (2FA)?

2FA requires exactly two authentication methods, usually a password and another factor like an OTP. It adds an extra layer of security beyond single passwords. 2FA is a subset of MFA.

48. What is a security baseline?

A security baseline is the minimum set of configurations and policies an organization requires. It ensures consistency across systems. Baselines reduce vulnerabilities and support compliance with standards.

49. How do you prioritize vulnerabilities?

Vulnerabilities are prioritized by severity (CVSS score), exploitability, business impact, and exposure. Critical vulnerabilities with active exploits are fixed first. Risk-based prioritization ensures resources are used efficiently.

50. If management refuses to patch a critical vulnerability, what would you do?

I would document the risk and escalate it to stakeholders. I would recommend compensating controls like firewall rules, monitoring, or segmentation. Ensuring accountability helps management understand the potential consequences.