Cybersecurity Fundamentals
1. What is cybersecurity, and why is it important?
Cybersecurity protects systems, networks, and data from cyber threats while ensuring confidentiality, integrity, and availability (CIA).
Real-time Example: At a mid-sized e-commerce company, implementing multi-factor authentication for all admin accounts reduced unauthorized access attempts by 80%, especially during a phishing campaign targeting customer service staff.
2. Difference between vulnerability, threat, and risk?
Vulnerability = weakness; Threat = potential cause of harm; Risk = likelihood × impact of threat exploiting a vulnerability.
Real-time Example: A publicly exposed Jenkins server (vulnerability) was targeted by a crypto-mining botnet (threat), risking increased cloud bills and service downtime (risk).
3. What is the CIA triad?
Confidentiality (prevent unauthorized access), Integrity (prevent unauthorized changes), Availability (ensure access when needed).
Real-time Example: During a ransomware outbreak, offline backups whose hashes were verified before restore (integrity) allowed recovery in under 4 hours, limiting the loss of availability.
4. Difference between symmetric and asymmetric encryption?
Symmetric = same key for encryption/decryption; Asymmetric = public/private key pair.
Real-time Example: AES was used to encrypt a large client database backup, and the AES key itself was encrypted with the remote recovery site's RSA public key, so only the site holding the matching private key could unwrap it (hybrid encryption).
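The hybrid pattern just described, as an added example that is not part of the original page. It is rebuilt from the Python standard library for illustration only: the RSA is textbook RSA on two fixed Mersenne primes, and the "symmetric cipher" is an HMAC-SHA256 keystream XORed into the data. Neither stands in for real AES-GCM and RSA-OAEP; the point is to show the roles of the two keys.

```python
"""Hybrid encryption sketch: a symmetric session key protects the bulk data,
and the recipient's public key protects the session key. Constructed, insecure
toy primitives; do not reuse in production."""
import hashlib
import hmac
import secrets

# Textbook RSA on the Mersenne primes 2^61-1 and 2^89-1 (fixed for the demo).
P, Q, E = (1 << 61) - 1, (1 << 89) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def rsa_wrap(key_int: int) -> int:
    """Encrypt a small integer with the recipient's public key (E, N)."""
    return pow(key_int, E, N)


def rsa_unwrap(c: int) -> int:
    """Recover it with the private exponent D; only the recovery site has D."""
    return pow(c, D, N)


def stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same key both encrypts and decrypts.
    Keystream block i = HMAC-SHA256(key, nonce || i), XORed into 32-byte chunks."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def encrypt_backup(plaintext: bytes):
    """Sender side: fresh 128-bit session key, wrapped under the recipient's RSA key."""
    session_key = secrets.token_bytes(16)          # as an int this is < 2^128 < N
    nonce = secrets.token_bytes(8)
    wrapped = rsa_wrap(int.from_bytes(session_key, "big"))
    return wrapped, nonce, stream_cipher(session_key, nonce, plaintext)


def decrypt_backup(wrapped: int, nonce: bytes, ciphertext: bytes) -> bytes:
    """Recipient side: unwrap the session key with D, then decrypt the bulk data."""
    session_key = rsa_unwrap(wrapped).to_bytes(16, "big")
    return stream_cipher(session_key, nonce, ciphertext)
```

The asymmetric operation runs once, on 16 bytes, which is why this split is used: public-key operations are slow and size-limited, symmetric ones are fast on gigabytes. A real implementation would also authenticate the ciphertext (an AEAD such as AES-GCM), which this toy does not.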
5. What is the principle of least privilege?
Users get only the access they need to perform their job, nothing more.
Real-time Example: In a financial institution, revoking unnecessary admin rights for analysts prevented an insider from altering payment approval workflows.
6. What is defense in depth?
Implementing multiple layers of security so that if one fails, others still protect the asset.
Real-time Example: During a phishing attack, email filtering blocked 90% of malicious emails, endpoint protection stopped a malicious macro, and network monitoring flagged unusual outbound traffic.
7. Difference between IDS and IPS?
IDS = monitors/detects suspicious activity; IPS = monitors and blocks malicious activity.
Real-time Example: An IPS automatically blocked repeated SQL injection attempts on a public-facing web application before they reached the backend.
8. What is a zero-day vulnerability?
A vulnerability that is unknown to the vendor, or for which no patch exists, at the time attackers begin exploiting it.
Real-time Example: When Log4Shell was disclosed, the SOC team applied virtual patching via a web application firewall while the affected applications were upgraded to a fixed Log4j version; the WAF rule was a stopgap, not a replacement for the upgrade.
Network Security
9. What is a firewall and its types?
A firewall filters network traffic; types include packet-filtering, stateful, proxy, and NGFW.
Real-time Example: An NGFW blocked command-and-control (C2) traffic from an infected workstation, preventing further lateral movement.
10. Difference between packet filtering and stateful inspection?
Packet filtering judges each packet in isolation from its headers (addresses, ports, flags); stateful inspection tracks the state of each connection and admits only packets that belong to a session it has seen initiated.
Real-time Example: A stateful firewall identified a suspicious inbound packet as unrelated to any legitimate session and dropped it, preventing an intrusion.
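The difference in the example above, as an added illustration that is not from the original page: a toy header-only filter beside a toy connection-tracking firewall, fed constructed packets. The stateless rule uses the classic "allow inbound if ACK is set" heuristic, which trusts whatever flags the sender chose to set.

```python
"""Stateless packet filter vs stateful firewall on constructed packets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A"
    direction: str  # "in" or "out", relative to the protected network


def packet_filter(pkt: Packet) -> bool:
    """Stateless ACL: allow all outbound; allow inbound only if the ACK bit is set.
    It never knows whether a real session exists, only what the header claims."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags


class StatefulFirewall:
    def __init__(self) -> None:
        self.table = set()  # 4-tuples of connections initiated from inside

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.flags == "S":                       # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound is admitted only as the reverse direction of a tracked connection.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.table


def demo() -> dict:
    fw = StatefulFirewall()
    out_syn = Packet("10.0.0.5", 51234, "203.0.113.10", 443, "S", "out")
    legit_reply = Packet("203.0.113.10", 443, "10.0.0.5", 51234, "SA", "in")
    # Crafted inbound packet with ACK set but no matching outbound connection
    # (what an ACK scan or a blind injection attempt looks like).
    forged = Packet("198.51.100.7", 40000, "10.0.0.5", 22, "A", "in")
    fw.allow(out_syn)
    return {
        "legit_stateless": packet_filter(legit_reply),
        "legit_stateful": fw.allow(legit_reply),
        "forged_stateless": packet_filter(forged),
        "forged_stateful": fw.allow(forged),
    }
```

Both devices pass the genuine reply; only the stateful one rejects the forged packet, because it has no record of an inside host opening that connection.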
11. What is a DMZ in networking?
A demilitarized zone is a network segment separating public-facing services from the internal network.
Real-time Example: A public web server was placed in a DMZ to ensure attackers couldn’t directly access sensitive internal systems even if the web server was compromised.
12. Explain VPN and its security benefits.
VPN encrypts traffic between the user and the network, ensuring data confidentiality over public networks.
Real-time Example: Remote engineers used an IPsec VPN to access company systems securely, which stopped data interception attempts on public Wi-Fi at airports.
13. What is network segmentation?
Dividing the network into smaller segments to contain breaches and limit access.
Real-time Example: When malware hit the IoT devices network, segmentation prevented it from spreading to the finance department’s subnet.
14. What is port scanning, and why is it used?
Port scanning identifies open ports and services for assessment.
Real-time Example: A security audit’s Nmap scan revealed an unused but open SSH port on a backup server, which was later secured.
15. What is MAC address filtering?
It restricts network access based on device hardware (MAC) addresses. MAC addresses are visible on the wire and trivially changed, so the filter raises the bar only slightly and should never be the only control.
Real-time Example: A company used MAC filtering to keep casual devices off its secure Wi-Fi, but relied on 802.1X certificate authentication as the real access control, since spoofing an approved address would bypass the filter alone.
16. What is SSL/TLS, and why is it important?
TLS (the successor to the now-deprecated SSL protocols) encrypts and authenticates web communication to protect it against interception and tampering.
Real-time Example: Migrating an old web app from HTTP to TLS 1.3 prevented credential theft during man-in-the-middle attacks.
Application & Web Security
17. What is the OWASP Top 10?
The OWASP Top 10 is a list of the most critical web application security risks.
Real-time Example: A penetration test revealed an unvalidated input issue leading to SQL injection, an OWASP Top 10 risk, which was fixed with parameterized queries.
18. Difference between authentication and authorization?
Authentication verifies who a user is; authorization decides what that verified identity is allowed to do.
Real-time Example: A valid user logged into a portal (authentication) but couldn’t access financial reports without the “Finance” role (authorization).
19. What is XSS (Cross-Site Scripting)?
XSS is the injection of malicious scripts into web pages viewed by others.
Real-time Example: An attacker injected a script into a forum post that stole session cookies from logged-in users until the application encoded output for its HTML context, set the HttpOnly flag on session cookies, and deployed a Content Security Policy.
20. Explain SQL Injection.
SQL Injection exploits input fields to run malicious SQL commands.
Real-time Example: A job portal’s search field was exploited to dump user credentials until prepared statements were enforced.
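The two query patterns from the example above, as an added demonstration that is not from the original page: the concatenated query beside its parameterized replacement, run against an in-memory SQLite table seeded with constructed rows. The same tautology payload dumps the whole table through one and returns nothing through the other.

```python
"""Vulnerable string-built query vs parameterized query, on SQLite."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "hash-of-alice"),
        (2, "bob", "hash-of-bob"),
        (3, "carol", "hash-of-carol"),
    ])
    return conn


def search_vulnerable(conn: sqlite3.Connection, name: str):
    """User input is spliced into the statement text, so it is parsed as SQL."""
    sql = "SELECT username, password_hash FROM users WHERE username = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, name: str):
    """Placeholder binding: the value travels separately from the statement and
    is compared as data, never parsed as SQL."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"   # turns the WHERE clause into an always-true test
    return {
        "vulnerable": search_vulnerable(conn, payload),
        "safe": search_safe(conn, payload),
        "safe_legit": search_safe(conn, "bob"),
    }
```

Input validation (question 22) is worth adding as a second layer, but parameterization is the fix: it works regardless of what characters the attacker sends.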
21. What is CSRF?
Cross-Site Request Forgery (CSRF) tricks a victim's browser into sending a request that carries the victim's authenticated session cookie, performing an action the user did not intend.
Real-time Example: A CSRF vulnerability in a banking app allowed attackers to trigger fund transfers by luring users to a page that auto-submitted a transfer form; it was fixed with per-session anti-CSRF tokens and SameSite cookies.
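One way to implement the token check, as an added example that is not from the original page. The anti-CSRF token is an HMAC over the session ID under a server-side secret (the secret, the session ID and the origins are constructed for the demo), so a cross-site form submission, which carries the cookie but cannot read the token out of the victim's page, is rejected; an Origin header check is layered in front of it.

```python
"""Synchronizer-token CSRF defence with an Origin check, simulated in-process."""
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment secret, never sent to clients


def issue_csrf_token(session_id: str) -> str:
    """Rendered into the form; bound to the session so it cannot be reused elsewhere."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(cookie_session_id: str, form_token: Optional[str],
                    origin: Optional[str], allowed_origin: str) -> str:
    """Simulated POST /transfer handler; returns 'ok' or the rejection reason."""
    if origin is not None and origin != allowed_origin:
        return "rejected: origin mismatch"
    expected = issue_csrf_token(cookie_session_id)
    if not form_token or not hmac.compare_digest(form_token, expected):
        return "rejected: missing or invalid CSRF token"
    return "ok"


def demo() -> tuple:
    session = "sess-7f3a"                       # constructed session ID from the cookie
    token = issue_csrf_token(session)
    legit = handle_transfer(session, token, "https://bank.example", "https://bank.example")
    # Attacker page auto-submits the form: the browser attaches the victim's cookie,
    # but the attacker has neither the token nor a matching Origin.
    forged = handle_transfer(session, None, "https://evil.example", "https://bank.example")
    # Even with no Origin header, a guessed token fails the constant-time compare.
    guessed = handle_transfer(session, "deadbeef", None, "https://bank.example")
    return legit, forged, guessed
```

SameSite=Lax or Strict on the session cookie stops the browser attaching it to cross-site POSTs in the first place; the token remains the defence that does not depend on browser behaviour.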
22. What is input validation?
Input validation ensures user input is correct, secure, and expected.
Real-time Example: Blocking non-numeric characters in an account number field stopped injection attempts via that parameter.
23. What is API security?
API security protects APIs using authentication, rate limiting, encryption, and validation.
Real-time Example: A public API was abused for data scraping until rate limits and API keys were implemented.
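The rate-limiting control from the example above, as an added illustration that is not from the original page: a per-API-key token bucket. The clock is injectable so the behaviour can be checked without sleeping; the key names are constructed.

```python
"""Per-key token bucket: bursts up to `capacity`, sustained rate `refill_per_sec`."""
import time


class TokenBucketLimiter:
    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.buckets = {}   # api_key -> (tokens_remaining, last_refill_timestamp)

    def allow(self, api_key: str) -> bool:
        """Spend one token for this request if the key's bucket has one."""
        now = self.clock()
        tokens, last = self.buckets.get(api_key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)  # lazy refill
        if tokens >= 1:
            self.buckets[api_key] = (tokens - 1, now)
            return True
        self.buckets[api_key] = (tokens, now)
        return False


def demo() -> tuple:
    clock = [0.0]                                   # controllable fake clock
    limiter = TokenBucketLimiter(capacity=5, refill_per_sec=1.0, clock=lambda: clock[0])
    scraper_burst = [limiter.allow("key-scraper") for _ in range(7)]
    clock[0] += 2.0                                 # two seconds pass: two tokens refill
    after_wait = limiter.allow("key-scraper")
    other_client = limiter.allow("key-other")       # separate bucket, unaffected
    return scraper_burst, after_wait, other_client
```

Keying the bucket on the API key rather than the source IP is what makes the limit stick to a scraper that rotates addresses; requests with no valid key should be rejected before reaching the limiter at all.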
24. Difference between static and dynamic code analysis?
- Static analysis = reviewing code without execution.
- Dynamic analysis = testing code while it is running.
Real-time Example: Static analysis flagged user input flowing unchecked into a SQL query, while dynamic analysis found a memory leak that appeared only under high traffic.
25. What is a web application firewall (WAF)?
A WAF filters and monitors HTTP traffic to protect against web attacks.
Real-time Example: The WAF blocked hundreds of malicious login attempts using stolen credentials during a credential stuffing attack.
Incident Response & Forensics
34. What are the steps of incident response?
The steps are: Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned.
Real-time Example: When ransomware hit, the SOC contained it by isolating the affected subnets, eradicated the malware, restored systems from backups, and updated policies in the lessons-learned review.
35. What is a SIEM and why is it important?
A SIEM (Security Information and Event Management) system aggregates and analyzes security logs for threat detection.
Real-time Example: The SIEM alerted on multiple failed logins from foreign IPs, leading to early detection of a brute-force attack.
36. What is threat hunting?
Threat hunting is proactively searching for undetected threats within a network or system.
Real-time Example: Hunting activities revealed a compromised admin account making unusual API calls during off-hours.
37. What is the chain of custody in forensics?
It refers to documenting evidence handling to maintain integrity for legal purposes.
Real-time Example: During a breach investigation, all hard drive images were hashed and signed before transfer to forensic analysts.
38. What is malware reverse engineering?
It is the process of analyzing malware to understand its functionality and behavior.
Real-time Example: Reversing a malicious binary uncovered its hardcoded C2 domain and encryption key.
39. Difference between business continuity and disaster recovery?
- Business Continuity (BC): Ensures business operations continue during disruptions.
- Disaster Recovery (DR): Focuses on restoring IT systems after a disruption.
Real-time Example: A DR site in another region restored ERP systems within 3 hours after a ransomware attack.
40. What is log analysis in security?
Log analysis involves reviewing logs to identify anomalies or suspicious activity.
Real-time Example: Log review uncovered repeated failed logins followed by a successful attempt from the same IP.
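The pattern in this example and in the SIEM example under question 35 (many failures, then a success from the same source), as an added detection that is not from the original page. It runs over a few constructed sshd-style log lines; the regex targets that constructed format and would need adjusting for a real log source.

```python
"""Flag a successful login preceded by >= threshold failures from the same IP
within a time window. Log lines below are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

SAMPLE_LOG = """\
2024-03-01T02:10:01 sshd[811]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
2024-03-01T02:10:04 sshd[811]: Failed password for root from 198.51.100.23 port 40114 ssh2
2024-03-01T02:10:07 sshd[811]: Failed password for root from 198.51.100.23 port 40116 ssh2
2024-03-01T02:10:09 sshd[811]: Failed password for root from 198.51.100.23 port 40118 ssh2
2024-03-01T02:10:12 sshd[811]: Failed password for root from 198.51.100.23 port 40120 ssh2
2024-03-01T02:10:15 sshd[811]: Accepted password for root from 198.51.100.23 port 40122 ssh2
2024-03-01T02:11:00 sshd[812]: Failed password for alice from 10.0.0.8 port 50000 ssh2
2024-03-01T02:11:05 sshd[812]: Accepted password for alice from 10.0.0.8 port 50002 ssh2
"""


def detect_bruteforce_success(log_text: str, threshold: int = 5,
                              window: timedelta = timedelta(minutes=10)) -> list:
    """Return one alert per success that follows >= threshold recent failures from its IP."""
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated line; a real parser would count these
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": m["user"], "failures": len(recent),
                           "success_at": m["ts"]})
    return alerts
```

A single mistyped password before a successful login (alice) stays below the threshold; the same rule expressed in SIEM correlation terms is "count Failed by source IP over 10 minutes, join with the next Accepted from that IP".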
41. What is threat intelligence?
Threat intelligence is data on threats collected to inform security defenses.
Real-time Example: Using threat intel feeds, the SOC blocked domains linked to a new phishing campaign before users received emails.
42. What is DDoS, and how can it be mitigated?
DDoS (Distributed Denial of Service) overwhelms a service with traffic. Mitigation methods include filtering, CDNs, and rate limits.
Real-time Example: A retailer used Cloudflare to absorb a 200 Gbps DDoS attack during a holiday sale.
43. Difference between red team and blue team?
- Red Team: Simulates attacks.
- Blue Team: Defends against attacks.
Real-time Example: A red team exploited a misconfigured VPN, prompting the blue team to enforce MFA and IP allowlists.
Compliance, Governance & Risk
44. What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law on personal data protection and privacy.
Real-time Example: A startup updated its privacy policy and data retention to comply with GDPR after expanding to European markets.
45. What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law for healthcare data protection.
Real-time Example: A clinic encrypted all patient records and restricted staff access to comply with HIPAA security rules.
46. What is ISO 27001?
ISO 27001 is an international standard for information security management systems (ISMS).
Real-time Example: A financial firm achieved ISO 27001 certification, strengthening client trust.
47. What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) ensures secure handling of credit card transactions.
Real-time Example: Tokenizing card data reduced PCI-DSS audit scope for a large e-commerce site.
48. What is risk assessment in cybersecurity?
Risk assessment is the process of identifying, evaluating, and prioritizing risks to systems and data.
Real-time Example: Risk assessment flagged an outdated CMS as high risk, leading to urgent patching.
49. What is a security policy?
A security policy is a formal guideline for securing systems, networks, and data.
Real-time Example: An authentication policy requiring MFA on all accounts cut account takeovers by 70%.
50. What is security awareness training?
It involves educating employees about cybersecurity risks and safe practices.
Real-time Example: Quarterly phishing simulations lowered click rates from 35% to 5% within a year.
Security Tools & Technologies
51. What is Wireshark used for?
Wireshark is a network protocol analyzer used to capture and inspect packets for troubleshooting and security analysis.
Real-time Example: During a suspected data exfiltration, Wireshark revealed a compromised host sending encrypted traffic to an IP in an unexpected country.
52. What is Nmap?
Nmap is a network scanning tool used for discovering hosts, ports, and services.
Real-time Example: An internal Nmap scan found an exposed MySQL port on a forgotten dev server, which was later secured.
53. What is Metasploit?
Metasploit is a penetration testing framework used to exploit vulnerabilities and validate defenses.
Real-time Example: Security testers used Metasploit to prove an unpatched Apache Struts flaw could be exploited to gain shell access.
54. What is Burp Suite?
Burp Suite is a web application security testing tool for scanning, intercepting, and analyzing HTTP traffic.
Real-time Example: Burp Suite’s scanner detected reflected XSS in a customer feedback form before production release.
55. What is Nessus?
Nessus is a vulnerability scanning tool used to identify misconfigurations, outdated software, and known flaws.
Real-time Example: Nessus flagged legacy TLS configurations (TLS 1.0 and weak cipher suites still enabled) on multiple load balancers during a quarterly scan.
56. What is Splunk?
Splunk is a platform for log aggregation, search, and analysis, widely used in security operations.
Real-time Example: Splunk detected repeated failed login attempts from an IP block associated with a known botnet.
57. What is OSINT?
OSINT (Open-Source Intelligence) refers to gathering threat intelligence from publicly available sources.
Real-time Example: Analysts used OSINT to find employee credentials from a past breach posted on a hacking forum.
58. What is Shodan?
Shodan is a search engine for internet-connected devices that helps identify exposed systems.
Real-time Example: Shodan revealed a misconfigured development database accessible from the internet without authentication.
59. What is an EDR solution?
EDR (Endpoint Detection & Response) solutions detect, investigate, and respond to endpoint threats.
Real-time Example: An EDR alert stopped a malicious PowerShell script from downloading ransomware.
60. What is a CASB (Cloud Access Security Broker)?
A CASB enforces cloud service security policies by monitoring and controlling user activity in cloud apps.
Real-time Example: CASB blocked file uploads to unsanctioned cloud storage from corporate devices.
Penetration Testing & Ethical Hacking
61. What is penetration testing?
Penetration testing is a simulated cyberattack performed to identify exploitable weaknesses in systems and networks.
Real-time Example: A pentest revealed a privilege escalation flaw in an HR system, which was fixed before attackers could exploit it.
62. Difference between black box, white box, and grey box testing?
- Black box: Tester has no internal system knowledge.
- White box: Tester has full knowledge of the system.
- Grey box: Tester has partial system knowledge.
Real-time Example: In a grey box test, limited API documentation helped the tester find authentication flaws without full system knowledge.
63. What is privilege escalation?
Privilege escalation occurs when attackers gain higher access rights than intended.
Real-time Example: An attacker exploited a misconfigured sudo rule to gain root access on a Linux server.
64. What is social engineering?
Social engineering manipulates people into revealing confidential information or granting unauthorized access.
Real-time Example: A caller impersonated IT support and convinced an employee to reveal VPN credentials.
65. What is a vulnerability assessment?
A vulnerability assessment identifies, categorizes, and prioritizes vulnerabilities in systems.
Real-time Example: A monthly vulnerability scan flagged a vulnerable log library, prompting an urgent update.
66. What is password cracking?
Password cracking involves attempting to recover passwords using methods like brute force, dictionary attacks, or rainbow tables.
Real-time Example: A security team used John the Ripper to identify weak employee passwords during an internal audit.
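The dictionary attack from the example above, as an added re-implementation of the idea that is not from the original page and does not use John the Ripper. The accounts, wordlist and salts are constructed. It contrasts unsalted SHA-256, where one precomputed table serves every account, with salted PBKDF2, where the attacker must redo the slow derivation per candidate per account; note that weak passwords still fall either way, which is the point of the audit.

```python
"""Dictionary attack against constructed hashes: unsalted SHA-256 vs salted PBKDF2."""
import hashlib
import os

WORDLIST = ["123456", "password", "welcome1", "Summer2024!", "letmein"]   # constructed


def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def pbkdf2_hex(pw: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def crack_unsalted(target_hashes: list) -> dict:
    """One table of len(WORDLIST) hashes is enough for every account at once."""
    table = {sha256_hex(w): w for w in WORDLIST}
    return {h: table.get(h) for h in target_hashes}


def crack_salted(records: list, iterations: int) -> dict:
    """records: (user, salt, hash). The salt differs per account, so nothing is
    shared: len(WORDLIST) * accounts PBKDF2 runs, each costing `iterations` HMACs."""
    found = {}
    for user, salt, h in records:
        found[user] = next((w for w in WORDLIST if pbkdf2_hex(w, salt, iterations) == h), None)
    return found


def demo(iterations: int = 20_000) -> tuple:
    # Constructed accounts: two weak passwords on the list, one passphrase that is not.
    creds = [("alice", "welcome1"), ("bob", "Summer2024!"),
             ("carol", "correct horse battery staple")]
    unsalted_targets = [sha256_hex(p) for _, p in creds]
    salted_records = []
    for user, pw in creds:
        salt = os.urandom(16)
        salted_records.append((user, salt, pbkdf2_hex(pw, salt, iterations)))
    return crack_unsalted(unsalted_targets), crack_salted(salted_records, iterations)
```

Production iteration counts are far higher than the 20,000 used here to keep the demo quick, and a memory-hard KDF (Argon2id, scrypt) is preferred; hashing only slows the attacker down, so weak passwords found by an audit like this are fixed with policy and MFA, not a bigger iteration count.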
67. What is a bug bounty program?
A bug bounty program rewards individuals for responsibly finding and reporting vulnerabilities.
Real-time Example: A researcher reported a critical IDOR flaw through a company’s bug bounty platform.
68. What is pivoting in penetration testing?
Pivoting is using a compromised system as a launch point to attack other systems in the network.
Real-time Example: After breaching a web server in the DMZ, testers pivoted to access an internal database server.
Cloud & Virtualization Security
69. What is shared responsibility in cloud security?
Shared responsibility means the cloud provider secures the infrastructure, while the customer secures their applications, data, and configurations.
Real-time Example: AWS secured the physical servers, but a customer’s misconfigured S3 bucket caused a data leak.
70. What are IAM roles in AWS?
IAM roles are identities with attached permission policies that users, applications, or AWS services assume to receive temporary credentials, instead of embedding long-lived access keys.
Real-time Example: A Lambda function was given only read-only S3 permissions to limit risk.
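The least-privilege contrast from this example and from question 5, as an added illustration that is not from the original page. It is a simplified evaluator for IAM-style policy documents (an explicit Deny wins, otherwise any matching Allow, otherwise implicit deny, with `*` wildcards in actions and resources); the two policies and the bucket names are constructed, and the evaluator is a teaching model, not a full reproduction of AWS's logic (no conditions, principals or resource policies).

```python
"""Simplified IAM policy evaluation: over-broad grant vs read-only grant."""
from fnmatch import fnmatchcase


def _matches(pattern: str, value: str) -> bool:
    return fnmatchcase(value, pattern)      # '*' wildcards as in IAM


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Explicit Deny is final; an Allow is needed to override the implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = "Allow"
    return decision == "Allow"


# What a hurried deployment often ships: every S3 action on every bucket.
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

# What the function actually needs: read one bucket, with a carve-out.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::reports-bucket/restricted/*"},
]}


def compare() -> dict:
    """(action, resource) -> (overbroad decision, least-privilege decision)."""
    checks = [
        ("s3:GetObject", "arn:aws:s3:::reports-bucket/q1.pdf"),
        ("s3:DeleteObject", "arn:aws:s3:::reports-bucket/q1.pdf"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
        ("s3:GetObject", "arn:aws:s3:::reports-bucket/restricted/payroll.csv"),
    ]
    return {(a, r): (is_allowed(OVERBROAD, a, r), is_allowed(LEAST_PRIVILEGE, a, r))
            for a, r in checks}
```

With the over-broad policy a compromised function can delete reports or read other buckets; with the scoped one, the blast radius is a read of one bucket minus its restricted prefix.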
71. What is cloud misconfiguration?
Cloud misconfiguration occurs when cloud services are incorrectly set up, leaving them vulnerable.
Real-time Example: A GCP storage bucket was accidentally left public, exposing internal reports.
72. What is encryption in transit vs at rest?
- Encryption in transit: Protects data while being transferred.
- Encryption at rest: Protects data stored on disks/databases.
Real-time Example: TLS secured customer logins in transit, while AES-256 encrypted the database at rest.
73. What is container escape?
Container escape is when an attacker breaks out of a container to access the host system.
Real-time Example: A vulnerability in the container runtime allowed attackers to escape into the host environment.
74. What is Kubernetes RBAC?
Kubernetes Role-Based Access Control (RBAC) manages permissions for users and services in a cluster.
Real-time Example: RBAC prevented non-admin developers from deleting production pods.
75. What is a cloud access security broker (CASB)?
A CASB is a security tool that manages and enforces cloud usage policies across services.
Real-time Example: CASB detected unauthorized use of personal Dropbox accounts for sensitive file sharing.
Advanced Security Concepts
76. What is zero-trust security?
Zero-trust is a model where no user or device is trusted by default; all access is continuously verified.
Real-time Example: A financial services company implemented zero trust, requiring device health checks and re-authentication for sensitive transactions, which blocked an attacker using stolen VPN credentials.
77. What is MFA, and why is it important?
Multi-Factor Authentication (MFA) adds a second or third verification factor beyond a password.
Real-time Example: An employee’s password was compromised in a phishing attack, but the attacker failed to log in because they didn’t have the user’s physical security token.
78. What is cloud security?
Cloud security involves protecting cloud infrastructure, data, and applications from threats.
Real-time Example: A startup used security groups, IAM policies, and encryption to protect their AWS-hosted app, stopping unauthorized SSH attempts.
79. What is container security?
Container security ensures the protection of container images, runtime, and orchestration platforms.
Real-time Example: A DevOps team used image scanning tools to detect vulnerable packages before deploying to Kubernetes.
80. What is ransomware-as-a-service (RaaS)?
RaaS is a criminal model where ransomware tools are sold or rented to others.
Real-time Example: A school district was hit by a RaaS variant spread via malicious email attachments, affecting 70% of endpoints before containment.
81. What is tokenization vs encryption?
- Tokenization: Replaces sensitive data with tokens.
- Encryption: Transforms data into unreadable text using keys.
Real-time Example: A payment gateway tokenized credit card numbers to reduce PCI-DSS audit requirements.
82. What is steganography?
Steganography is the practice of hiding data within other files or media.
Real-time Example: Malware authors hid C2 server addresses inside image metadata to bypass network filters.
83. What is a security baseline?
A security baseline is a minimum set of security configurations for systems.
Real-time Example: Applying CIS benchmark baselines reduced vulnerabilities on newly deployed Windows servers by 40%.
84. What is a supply chain attack?
A supply chain attack compromises a trusted third party to target the main organization.
Real-time Example: Attackers compromised a popular IT monitoring tool update, which deployed malware to thousands of clients.
85. What is firmware security?
Firmware security protects the low-level software that runs on hardware devices.
Real-time Example: A manufacturer enabled UEFI Secure Boot on all laptops so that unsigned bootloaders and drivers could not load, and required cryptographically signed firmware updates so that tampered firmware images would be rejected.
86. What is a honeypot in cybersecurity?
A honeypot is a decoy system designed to lure attackers and study their behavior.
Real-time Example: A honeypot mail server caught hundreds of spam campaigns, helping analysts create new detection signatures.
Security Audits, Testing & Reporting
87. What is a security audit?
A security audit is a formal review of security controls, policies, and processes.
Real-time Example: A quarterly audit revealed that 10% of user accounts belonged to former employees, prompting immediate removal.
88. What is purple teaming?
Purple teaming is collaboration between red teams (attackers) and blue teams (defenders) to improve security.
Real-time Example: A purple team exercise simulated phishing attacks, helping the defense team refine detection rules in the SIEM.
89. What is a security gap analysis?
A gap analysis compares the current security state to the desired state to find weaknesses.
Real-time Example: A gap analysis showed a lack of 24/7 monitoring, leading to the creation of a night shift SOC team.
90. What is a false positive vs a false negative?
- False positive: Benign event incorrectly flagged as malicious.
- False negative: Real threat missed by detection.
Real-time Example: An IDS alerting on legitimate backup traffic was tuned to reduce false positives, while missed brute-force attempts were added to detection rules.
91. What is vulnerability remediation?
Vulnerability remediation is the process of fixing identified weaknesses in systems.
Real-time Example: After Nessus scans flagged Apache vulnerabilities, patching reduced exploitable CVEs by 95%.
92. What is anomaly detection?
Anomaly detection identifies unusual patterns or behaviors that may indicate threats.
Real-time Example: Unusual outbound traffic to a foreign IP during non-business hours triggered a security investigation.
93. What is UEBA (User and Entity Behavior Analytics)?
UEBA analyzes user and entity behavior to detect insider threats or compromised accounts.
Real-time Example: UEBA flagged an employee downloading large volumes of HR files at midnight.
94. What is MITRE ATT&CK?
MITRE ATT&CK is a framework cataloging attacker tactics and techniques used in real-world incidents.
Real-time Example: SOC mapped an active phishing campaign to MITRE T1566 for targeted response actions.
95. What is threat modeling?
Threat modeling identifies potential threats, vulnerabilities, and mitigations for a system.
Real-time Example: Before launching a banking app, the team modeled possible attacks and added biometric authentication as a mitigation.
96. What is security monitoring in production?
Security monitoring is the continuous observation of systems to detect and respond to threats.
Real-time Example: Synthetic login tests detected an outage in the payment gateway before customers reported issues.
Career & Practical Scenarios
97. Key cybersecurity metrics to track?
Important metrics include MTTD (mean time to detect), MTTR (mean time to respond or recover), incident count, patch latency, and phishing click rate.
Real-time Example: Monthly reports showed patch time reduced from 12 days to 3 days, improving compliance posture.
98. How do you handle tight security deadlines?
By prioritizing high-risk issues, automating quick wins, and maintaining clear communication with stakeholders.
Real-time Example: During a zero-day, the SOC prioritized critical systems for patching within 24 hours while isolating less critical ones.
99. How to run an effective security awareness program?
Include regular training, phishing simulations, and positive reinforcement.
Real-time Example: Simulated phishing emails every quarter reduced click rates from 28% to under 6% in one year.
100. Post-incident follow-up process?
The process includes reviewing the incident, updating playbooks, training teams, and closing security gaps.
Real-time Example: After a credential stuffing attack, the team added rate limiting and mandatory MFA, then ran a tabletop drill to test improvements.
Prepare for job success with our comprehensive Cyber security training and placement guide, featuring 100 most asked interview questions with real-time examples. Master concepts and get interview-ready today.