Cybersecurity Questions

• General IT Security Administration.

• Network Security.

• Application Security.

• Security Architect.

• Risk Management.

• Security Audit, Testing and Incident Response.

• Cryptography.

1. What is information security and how is it achieved?

Information security is the protection of information, and of the systems that store, process and transmit it, against unauthorized access, use, disclosure, disruption, modification or destruction. It is achieved through a structured risk management process that:

  • Identifies information and related assets, the threats to them, the vulnerabilities those threats could exploit, and the impact of unauthorized access or loss
  • Evaluates risks
  • Makes decisions about how to address or treat risks, i.e. avoid, mitigate, share or accept
  • When mitigating, selects, designs and implements security controls
  • Monitors activities and makes adjustments to address any new issues, changes, or improvements. 

2. What are the core principles of information security?

There are three basic principles of information security:

  • Confidentiality
  • Integrity
  • Availability

Together, these principles are known as the CIA Triad. Every infosec program should be evaluated against all three: a control that improves one while quietly weakening another (for example, encryption that locks out the legitimate owner when a key is lost) is a trade-off that has to be made deliberately rather than by accident.

Confidentiality

This first principle is meant to prevent the unauthorized access to or disclosure of enterprise information, while assuring that authorized users can still reach it. Confidentiality is compromised when someone without the proper authorization is able to read or copy the organization's data. Whether they then alter or delete it is a separate question (that would additionally be an integrity or availability failure); the disclosure alone is the breach.

Integrity

Data integrity is about maintaining the accuracy, trustworthiness, consistency, and reliability of data. This means that the data should not be compromised or incorrectly modified (either inadvertently or maliciously) by someone without the proper authority.

Availability

Availability means that information is easily accessible to authorized users whenever they need it, thus minimizing interruptions or downtime.

The CIA Triad forms the basis of the information security paradigm. The three principles inform and affect one another, and determine the strength and efficacy of an organization’s infosec program.

That said, other principles also govern infosec and enhance its effectiveness, too.

3. What is non-repudiation (as it applies to IT security)?

Non-repudiation is a security property that ensures the sender of a message or transaction cannot later deny having sent it (non-repudiation of origin) and, where the protocol provides for it, that the recipient cannot deny having received it (non-repudiation of receipt). It gives a party evidence of the message's origin and integrity that can be presented to a third party, which is what settles fraud allegations and disputes.

In IT security, non-repudiation is typically achieved with digital signatures backed by a public-key infrastructure. To sign, the sender hashes the message and applies the signing algorithm with a private key that only the sender holds; anyone with the matching public key can verify that the signature corresponds to that exact message and was produced with that private key. Signing is not "encrypting with the private key": the message itself is usually sent in the clear or encrypted separately, and the signature is a detached value computed over its hash. Because verification never requires the private key, a third party such as an auditor or a court can check the evidence without being able to forge it.

Encryption by itself does not provide non-repudiation; it protects confidentiality. Likewise, a message authentication code (MAC) computed with a shared key proves only that one of the key holders produced the tag, since either party could have computed it, so it cannot settle a dispute between those two parties. Digital certificates close the remaining gap by binding a public key to an identity through a trusted certificate authority, so that a verified signature can be attributed to a named sender. Non-repudiation of receipt is obtained by having the recipient return a signed acknowledgement.

Non-repudiation is important in a wide range of applications, including e-commerce, financial transactions, and electronic communications. It helps to protect against fraud and disputes, and it provides a way to prove that a message or transaction was sent and received.
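The distinction above, a signature that any third party can verify versus a MAC that only a key holder can verify (and therefore also forge), as an added Go example that is not part of the original page. It uses Ed25519 and HMAC-SHA256 from the Go standard library; the message and the party names are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample transaction (not from the original page).
var order = []byte("transfer 1000 EUR to account 42")

// Signer holds an Ed25519 key pair; only the signer ever sees the private half.
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Pub: pub}, nil
}

// Sign produces a detached signature over the message with the private key.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// VerifySignature needs only the public key, so an auditor or a court can
// check the evidence without being able to produce a forgery themselves.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Tag computes HMAC-SHA256 with a key that both communicating parties hold.
func Tag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag compares in constant time. It needs the same key the sender used,
// which is exactly why a MAC cannot prove to anyone which key holder sent it.
func VerifyTag(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(Tag(sharedKey, msg), tag)
}

func main() {
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := alice.Sign(order)
	fmt.Println("signature verifies:        ", VerifySignature(alice.Pub, order, sig))
	tampered := []byte("transfer 9000 EUR to account 42")
	fmt.Println("tampered message verifies: ", VerifySignature(alice.Pub, tampered, sig))

	// Shared-key MAC: Bob holds the same key, so a tag "from Alice" is
	// indistinguishable from one Bob computed himself.
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		panic(err)
	}
	fromAlice := Tag(shared, order)
	forgedByBob := Tag(shared, order)
	fmt.Println("Bob can forge Alice's tag: ", hmac.Equal(fromAlice, forgedByBob))
}
```

The signature check also fails when the message is altered or when a different party's public key is supplied, which is the integrity and attribution evidence non-repudiation depends on. Binding alice's public key to her identity (the certificate step) is outside this snippet.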

4. What is the relationship between information security and data availability?

Information security and data availability are closely related, as they both play important roles in protecting and managing the data that is stored and used within an organization.

Information security is concerned with protecting data from unauthorized access, use, disclosure, disruption, modification, or destruction. It involves implementing various security controls such as access controls, encryption, firewalls, and intrusion detection systems to protect against cyber threats and data breaches.

On the other hand, data availability refers to the ability to access and use data when it is needed. This means that data must be stored and managed in a way that ensures it can be easily and quickly retrieved and used by authorized users.

Ensuring data availability is important for the normal business operation and continuity, as well as for compliance with regulatory requirements. To achieve data availability, organizations often implement data backup and recovery strategies, disaster recovery plans, and high availability solutions.

In summary, availability is one of the three CIA principles, so data availability is a component of information security rather than a separate discipline. Controls that serve confidentiality and integrity (access controls, encryption) and controls that serve availability (backups, redundancy, capacity planning, DDoS protection) have to be balanced against each other: a system that is perfectly locked down but unreachable has failed its users, and one that is always up but leaks data has failed them too. Both are necessary for the organization to meet its business objectives.

5. What is a security policy and why do we need one?

A security policy is a document that outlines the rules and procedures an organization has in place to protect its information assets and infrastructure. It serves as a blueprint for how the organization will handle and respond to security incidents and threats.

The main reasons organizations need a security policy are:

  1. To establish a framework for protecting sensitive information and IT assets.
  2. To comply with legal and regulatory requirements.
  3. To set clear expectations for employee behavior and responsibilities.
  4. To provide guidance for incident response and disaster recovery.
  5. To reduce risk and potential losses from security breaches.
  6. To protect the organization's reputation and brand.
  7. To foster a culture of security within the organization.

6. What is the difference between logical and physical security? Can you give an example of both?

Logical security and physical security refer to two different aspects of securing an organization's information and assets.

Logical security pertains to the protection of computer systems and networks, data, and software applications through the use of software and technology, such as firewalls, antivirus software, and encryption. Examples of logical security measures include:

  • Access controls: limiting who can access specific systems and data
  • Network security: protecting against unauthorized access to a network
  • Data encryption: converting plaintext data into an unreadable format
  • Intrusion detection and prevention systems: monitoring network traffic for malicious activity

Physical security, on the other hand, refers to the protection of physical assets and infrastructure, such as buildings, equipment, and data centers, through the use of physical measures, such as locks, cameras, and security personnel. Examples of physical security measures include:

  • Surveillance cameras and alarms: monitoring physical access to the building
  • Security personnel: physically securing the facility
  • Biometric access controls: use of fingerprints, face recognition or other biometrics to gain access
  • Environmental controls: maintaining specific temperature and humidity conditions for equipment and data centers

An example of both logical and physical security being used together would be a data center. The data center would have physical security measures in place such as security personnel, surveillance cameras, and biometric scanners to control access to the facility. Logical security measures would include firewalls, intrusion detection systems, and encryption to protect the data stored within the facility.

7. What’s an acceptable level of risk?

An acceptable level of risk is a subjective concept that can vary depending on the organization, the specific threat, and the potential impact of a security incident. In general, it refers to the level of risk that an organization is willing to tolerate in order to achieve its objectives.

In order to determine an acceptable level of risk, organizations typically conduct a risk assessment, which involves identifying and evaluating potential threats and vulnerabilities, as well as the likelihood and impact of those threats. This information is then used to prioritize and implement security measures.

The acceptable level of risk will also be influenced by various factors such as regulatory compliance, legal requirements, company policies, industry standards, and the overall risk tolerance of the organization.

It is important to note that the acceptable level of risk is not a fixed value, but rather it can change over time as the organization's risk profile changes, new threats emerge, or the organization's priorities shift.

8. What are the most common types of attacks that threaten enterprise data security?

There are many different types of attacks that can threaten enterprise data security. Some of the most common include:

  • Phishing: This type of attack involves tricking employees into providing sensitive information, such as login credentials, through fraudulent emails or websites.

  • Ransomware: This type of attack involves encrypting an organization's data and demanding a ransom payment to restore access.

  • Advanced persistent threats (APTs): These attacks are targeted and persistent, often carried out by nation-states or other advanced adversaries. They can involve a combination of techniques, including malware, social engineering, and network penetration.

  • Distributed denial of service (DDoS): This type of attack involves overwhelming a website or network with traffic from multiple sources, making it unavailable to legitimate users.

  • SQL injection: This type of attack involves supplying input that an application concatenates into a SQL query without proper parameterization, so that the input changes the structure of the query rather than being treated as data. Depending on the database privileges involved, an attacker can read, modify or delete data, or bypass authentication.

  • Man-in-the-middle (MitM): This type of attack involves intercepting communications between two parties, allowing the attacker to steal information or inject malware.

  • Insider threats: This type of attack involves employees or contractors who have legitimate access to an organization's data, but use it for malicious purposes.

It is important to note that these are just a few examples of the many types of attacks that can threaten enterprise data security, and new types of attacks are constantly emerging. Organizations should regularly assess and update their security measures to protect against the most current and relevant threats.

9. What is the difference between a threat and a vulnerability?

A threat and a vulnerability are two different concepts in the context of information security.

A threat refers to a potential danger or adversary that can cause harm to an organization's assets, such as its systems, data, or people. Threats can come in various forms, including natural disasters, human errors, or malicious attacks.

A vulnerability, on the other hand, refers to a weakness in a system or process that can be exploited by a threat to cause harm. A vulnerability can exist in hardware, software, or procedures, and it can be a result of design flaws, misconfigurations, or inadequate security controls.

In other words, a threat is the source of harm, while a vulnerability is the weakness that the threat can exploit to cause harm. Addressing vulnerabilities is an important part of protecting against threats, as it helps to reduce the risk of a successful attack.

10. Can you give me an example of common security vulnerabilities?

  • SQL injection: a weakness in which user input is concatenated into a database query instead of being passed as a bound parameter, allowing the input to alter the query's meaning.

  • Cross-Site Scripting (XSS): a weakness in which user-controlled data is written into a page without context-appropriate output encoding, allowing an attacker to inject script that runs in other users' browsers with their session and permissions.

  • Unpatched software: outdated software can contain known vulnerabilities that can be exploited by attackers.

  • Weak passwords: using easily guessable or weak passwords can leave systems vulnerable to brute force attacks.

  • Unsecured network protocols: using unencrypted or weakly encrypted network protocols, such as Telnet or FTP, can expose sensitive data to eavesdropping.

  • Man-in-the-middle exposure: strictly an attack rather than a vulnerability; the weaknesses that enable it are missing or unverified TLS, clients that accept self-signed or mismatched certificates, and trust placed in unauthenticated network hops.

  • Social engineering exposure: the underlying weakness is a process or person that can be manipulated into divulging sensitive information or taking actions that compromise security, for example a help desk that resets passwords without verifying the caller.

  • Remote code execution: the impact of a vulnerability rather than a vulnerability in itself; typical root causes are memory-corruption bugs, unsafe deserialization of untrusted data, and command injection.

These are just a few examples of common security vulnerabilities, and new vulnerabilities are constantly being discovered. Keeping systems and software up-to-date, implementing strong security policies, and following best practices can help to reduce the risk of vulnerability exploitation.
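The XSS entry above, as an added Go example that is not part of the original page: the same template source rendered once with text/template, which substitutes values verbatim (the vulnerable pattern), and once with html/template, which escapes each value for the HTML context it lands in. Both are Go standard-library packages; the attacker inputs are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	texttemplate "text/template"
)

// Constructed attacker inputs (not from the original page).
const (
	scriptPayload = `<script>alert(document.cookie)</script>`
	urlPayload    = `javascript:alert(1)`
)

// One template source, compiled by both packages below. The name lands in a
// text node, the link in a URL attribute: two different escaping contexts.
const greeting = `<p>Hello, {{.Name}}!</p><a href="{{.Link}}">profile</a>`

type viewData struct {
	Name string
	Link string
}

// renderUnsafe uses text/template, which knows nothing about HTML and copies
// values in unchanged. User input reaches the browser as markup: the classic
// reflected XSS sink.
func renderUnsafe(d viewData) (string, error) {
	t, err := texttemplate.New("page").Parse(greeting)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, d); err != nil {
		return "", err
	}
	return b.String(), nil
}

// renderSafe uses html/template, which parses the template as HTML at compile
// time and applies the escaper that fits each placeholder's context: entity
// encoding in text nodes, and a scheme filter for URL attributes (unsafe
// schemes such as javascript: are replaced with the inert "#ZgotmplZ").
func renderSafe(d viewData) (string, error) {
	t, err := template.New("page").Parse(greeting)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, d); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	d := viewData{Name: scriptPayload, Link: urlPayload}
	unsafe, err := renderUnsafe(d)
	if err != nil {
		panic(err)
	}
	safe, err := renderSafe(d)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template:", unsafe)
	fmt.Println("html/template:", safe)
}
```

The point to take from the two outputs is that the fix is output encoding chosen per context, not input filtering: the same string is harmless as a text node once encoded, while in a URL attribute it has to be rejected outright because no entity encoding makes a javascript: URL safe.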

11. Are you familiar with any security management frameworks such as ISO/IEC 27002?

Security management frameworks are structured sets of controls and practices that help an organization establish, operate and improve its information security management. ISO/IEC 27002 is the companion to ISO/IEC 27001: 27001 specifies the requirements for an information security management system (ISMS) that an organization can be certified against, while 27002 provides implementation guidance for the controls listed in 27001's Annex A. Those controls cover, among other areas, access control, network security, cryptography, supplier relationships and incident management. Other widely used frameworks include NIST SP 800-53 (the control catalogue behind US federal systems), the NIST Cybersecurity Framework, and the CIS Critical Security Controls, which are prioritized and more prescriptive. In practice, frameworks are used to structure a risk assessment, to demonstrate due diligence to customers and regulators, and to give auditors a common reference; they do not replace threat-specific engineering.

12. What is a security control?

A security control is a measure put in place to mitigate or reduce security risks or threats to an organization's information or assets. It is a safeguard that can be technical, administrative, or physical in nature, designed to protect against security threats and vulnerabilities. Examples of security controls include firewalls, access controls, encryption, intrusion detection systems, security policies, training and awareness programs, and physical security measures, among others.

Security controls are implemented as part of a comprehensive security program and are used to manage risk by reducing the likelihood and impact of security incidents. Effective security controls should be proportionate to the risks and threats faced by an organization and should be regularly reviewed and updated to ensure they continue to be effective in protecting against new and evolving threats.

13. What are the different types of security control?

There are three primary types of security controls:

  • Technical controls: These are security measures implemented through technology, such as firewalls, intrusion detection systems, encryption, and antivirus software.

  • Administrative controls: These are security measures that rely on policies, procedures, and standards. Examples include security policies, security awareness training, background checks, and security audits.

  • Physical controls: These are security measures designed to physically protect an organization's assets and information. Examples include security cameras, access controls, locks, and biometric systems.

Effective security programs combine all three types, chosen according to the organization's risk profile and specific security needs. Controls are also classified by function: preventive (stopping an event), detective (noticing that it happened), and corrective (recovering from it), and a layered design uses each so that the failure of a single control is not fatal. Security controls are not a one-time implementation but an ongoing process that requires regular monitoring and updates to adapt to changing threats and risks.

14. Can you describe the information lifecycle? How do you ensure information security at each phase?

The information lifecycle is the process that data or information goes through from its creation to its destruction. It typically involves the following phases:

  • Creation: The information is generated or collected, such as through data entry, email, or other means.

  • Processing: The information is used or manipulated, such as in data analysis or report generation.

  • Storage: The information is stored or archived, such as in a database or file system.

  • Transmission: The information is transmitted or shared, such as through email or a file transfer.

  • Use: The information is accessed or used by authorized users, such as to support business processes or decision-making.

  • Archival: The information is archived or disposed of, based on retention policies or legal requirements.

To ensure information security at each phase of the information lifecycle, it is important to implement appropriate security controls. Here are some examples:

  • Creation: Implement access controls to ensure that only authorized personnel have access to create or input information. Ensure the use of secure protocols for data input or collection, such as encryption or secure file transfer.

  • Processing: Implement role-based access controls to ensure that only authorized personnel have access to process the information. Ensure data validation checks are in place to detect errors or inconsistencies.

  • Storage: Implement access controls and encryption at rest so that a stolen disk or backup, or an over-permissioned account, does not expose the data. Take regular backups, test that they actually restore, and protect them to the same standard as the live data, in a way that complies with relevant regulations and retention policies.

  • Transmission: Implement secure protocols, such as encryption, to protect the information in transit. Ensure that only authorized personnel can send or receive the information.

  • Use: Implement access controls and audit trails to monitor who is accessing the information and how it is being used. Train employees on the importance of protecting sensitive information and how to handle it securely.

  • Archival: Ensure that the information is securely disposed of or archived based on retention policies or legal requirements. Use deletion procedures appropriate to the medium (overwriting, physical destruction, or crypto-shredding, i.e. destroying the key that protected encrypted data) so that disposed data cannot be recovered, and account for copies held in backups, logs and caches.

Overall, the key to ensuring information security throughout the information lifecycle is to implement appropriate security controls at each phase and to regularly review and update these controls to adapt to changing security threats and risks.

15. What is Information Security Governance?

Information Security Governance refers to the processes and structures that organizations put in place to manage and ensure the security of their information and assets. It involves the development and implementation of policies, procedures, standards, and guidelines to manage information security risks and to ensure the confidentiality, integrity, and availability of information.

Information Security Governance aims to establish accountability and responsibility for information security throughout the organization. It involves the participation and cooperation of all stakeholders, including executives, managers, employees, and third-party partners. The goal is to ensure that everyone in the organization understands their role and responsibility in protecting the organization's information assets.

Some key activities involved in Information Security Governance include:

  • Developing an Information Security Policy: This document outlines the organization's approach to information security and sets expectations for employees and stakeholders.

  • Risk Assessment: This involves identifying and assessing information security risks and vulnerabilities to determine appropriate security controls.

  • Establishing Security Controls: Based on the results of the risk assessment, implementing security controls, policies, and procedures to mitigate identified risks.

  • Monitoring and Reporting: Regularly monitoring and reporting on the effectiveness of the implemented security controls and identifying areas for improvement.

  • Incident Management: Establishing processes for responding to and reporting security incidents.

Overall, Information Security Governance is a critical aspect of managing information security risks in organizations. It helps ensure that information security is treated as a priority and that the organization is appropriately managing and mitigating risks to its information assets.

16. What are your professional values? Why are professional ethics important in the information security field?

Professional ethics are a set of moral principles and values that guide the behavior of professionals in their interactions with clients, colleagues, and the broader community. In the information security field, ethics are important for several reasons:

  • Trust and reputation: Clients and stakeholders rely on information security professionals to protect their sensitive information. Demonstrating a commitment to ethical conduct helps to build trust and establish a positive reputation for the industry.

  • Compliance: Many information security regulations and standards require adherence to ethical principles and values. Compliance with these regulations is necessary to avoid legal consequences and ensure the confidentiality, integrity, and availability of information.

  • Responsibility: As stewards of sensitive information, information security professionals have a responsibility to act ethically and prioritize the protection of this information.

  • Professionalism: Ethical conduct is an essential component of professionalism. Maintaining a high standard of ethics helps to establish the information security field as a respected and credible profession.

  • Public safety: Information security breaches can have significant consequences for public safety and security. Adhering to ethical principles helps to minimize the risk of security incidents and protect public safety.

In summary, professional ethics are essential in the information security field to establish trust, maintain compliance, demonstrate responsibility, promote professionalism, and protect public safety.

17. Are open-source projects more or less secure than proprietary ones?

The security of an open-source project versus a proprietary one is not determined solely by its development model, but rather by a range of factors, including the quality of the code, the level of testing and review, the expertise of the developers, and the presence of vulnerabilities and exploits.

That being said, both open-source and proprietary software can be secure or insecure, and neither development model carries an inherent security advantage. Each has characteristic strengths and failure modes.

Open-source software can be reviewed by anyone, so vulnerabilities in widely used, actively maintained projects are often found and patched quickly, and users are not dependent on a single vendor's disclosure policy. The "many eyes" argument only holds, however, when someone is actually reviewing: many dependencies are maintained by one or two volunteers. Open projects are also exposed to supply-chain risks such as maintainer account takeover, abandoned packages being adopted by attackers, and malicious contributions slipping through review, and attackers can study public code for weaknesses as readily as defenders can.

Proprietary software is backed by a vendor with a funded team and contractual accountability for fixes, and its source is not available for attackers to inspect directly. The same closedness means customers cannot audit it independently, depend entirely on the vendor's disclosure and patch cadence, and gain little protection from obscurity in practice, since binaries can still be reverse engineered and fuzzed.

Overall, the security of a software project is determined by many factors beyond its development model. It is important to carefully evaluate the security practices of any software product or project, regardless of its development model.

18. Who do you look up to within the field of Information Security? Why?

Some of the notable individuals in the field of information security include Bruce Schneier, who is a renowned cryptographer and security expert, and is known for his work on security protocols, cryptography, and security policy. Another individual is Kevin Mitnick, who is known for his work as a hacker and security consultant, and for his contributions to the development of ethical hacking and penetration testing.

Other notable individuals in the field include Dan Kaminsky, a respected security researcher best known for discovering the 2008 DNS cache-poisoning flaw and coordinating its industry-wide fix, and Mikko Hypponen, a renowned security researcher and author known for his work in malware analysis and his writing on the history of computer viruses.

These individuals, along with many others, have made significant contributions to the field of information security and are respected for their expertise, leadership, and innovation. Their work has helped to shape the development of the field, and their insights and perspectives continue to inform and inspire the next generation of security professionals.

19. Where do you get your security news from?

Some of the most reputable sources of security news and information include industry publications and blogs such as KrebsOnSecurity, Dark Reading, SC Magazine and SecurityWeek. These sources provide up-to-date information on the latest security threats, trends and developments, as well as analysis and commentary from leading experts in the field. Primary sources matter as much as news coverage: vendor security advisories, CISA's Known Exploited Vulnerabilities catalogue, and mailing lists such as oss-security tell a practitioner what actually needs patching, often before the press picks it up.

In addition to these sources, many security conferences and events, such as Black Hat and DEF CON, provide opportunities for security professionals to share information and insights about the latest threats and defenses. These events often feature presentations, workshops, and panels with top industry experts, and can be a valuable source of information for security professionals.

It's important to note that while there are many reliable sources of security news and information available, it's also important to be cautious and critical of the information you encounter. Not all sources of information are equally reliable or trustworthy, so it's important to evaluate sources carefully and be discerning in your consumption and interpretation of security news and information.

20. What’s the difference between symmetric and public-key cryptography?

Symmetric cryptography and public-key cryptography are two fundamental techniques used in modern cryptography to protect the confidentiality and integrity of information.

Symmetric cryptography, also known as secret-key cryptography, uses a single secret key for both encryption and decryption. The sender and receiver must both hold the same key: the sender encrypts with it and the receiver decrypts with it. The current standard is the Advanced Encryption Standard (AES), normally used in an authenticated mode such as AES-GCM; ChaCha20-Poly1305 is a common alternative. The older Data Encryption Standard (DES) is also symmetric but its 56-bit key has been brute-forceable for decades and it should not be used for anything new.

Public-key cryptography, also known as asymmetric cryptography, uses a mathematically related pair of keys, a public key and a private key. For encryption, anyone can encrypt a message with the recipient's public key, and only the holder of the corresponding private key can decrypt it. For digital signatures the roles reverse: the private key signs and the public key verifies. The public key can be freely distributed, while the private key must be kept secret. Examples include RSA and elliptic-curve schemes such as ECDH (key agreement), ECDSA and Ed25519 (signatures).

The fundamental difference is not just the number of keys but whether the parties need a shared secret in advance. Symmetric cryptography requires one, which creates a key-distribution problem (n parties need on the order of n² pairwise keys, each delivered over some already-secure channel), and since both parties hold the key it cannot provide non-repudiation. Public-key cryptography removes the need for a pre-shared secret and enables signatures, but it is orders of magnitude slower and can only process short inputs. Real systems therefore combine the two: public-key operations establish or transport a fresh symmetric key, and the symmetric cipher encrypts the bulk data. TLS, PGP and most "envelope encryption" designs work this way.

21. What are the types of network used at home?

There are a few common types of networks that may be used in a home environment. These include:

  • Wired network: This type of network uses Ethernet cables to connect devices, such as computers, printers, and routers, to each other and to the internet. A wired network can offer faster speeds and more reliable connections than wireless networks.

  • Wireless network: A wireless network, also known as Wi-Fi, uses radio waves to connect devices to the internet and to each other. A wireless router is typically used to create a wireless network, and devices can connect to the network using a Wi-Fi adapter.

  • Powerline network: A powerline network uses a home's electrical wiring to transmit data between devices. Adapters are plugged into electrical outlets to create a network that can provide faster and more reliable connections than Wi-Fi.

  • Mesh network: A mesh network uses multiple Wi-Fi routers or access points to create a network that provides wider coverage and more consistent speeds than a traditional wireless network.

The type of network used in a home will depend on factors such as the size of the home, the number of devices that need to be connected, and the desired speed and reliability of the network. Many homes today use a combination of wired and wireless networks, with Wi-Fi being the most common type of network used for connecting devices.

22. What are the advantages offered by bug bounty programs over normal testing practices?

Bug bounty programs offer several advantages over normal testing practices, including:

  • Increased speed and efficiency: Bug bounty programs can help to identify vulnerabilities and security issues more quickly and efficiently than traditional testing methods. This is because they often involve a large number of skilled security researchers who can quickly find and report vulnerabilities.

  • Broader scope: Bug bounty programs can provide a wider scope of testing, as they often involve a large number of participants who can test different parts of the system. This can help to identify vulnerabilities that might be missed with traditional testing methods.

  • Cost-effectiveness: Bug bounty programs can be a cost-effective way to test for vulnerabilities, as companies only pay for the vulnerabilities that are identified, rather than paying a fixed cost for testing services.

  • Community engagement: Bug bounty programs can help to engage the security community in testing and improving a system's security. This can foster a sense of community and collaboration between security researchers and companies.

  • Reputation management: By running a bug bounty program, companies can demonstrate their commitment to security and their willingness to work with the security community to identify and fix vulnerabilities. This can help to improve a company's reputation and build trust with customers and stakeholders.

Overall, bug bounty programs can be a valuable addition to a company's security testing strategy. They complement rather than replace penetration tests: a tester works under a defined scope, methodology and non-disclosure agreement, can be given credentials and source access, and reports on what was found to be secure as well as what was not, whereas a bounty only tells you what someone happened to find. Running one also requires a triage team to reproduce reports and filter duplicates and out-of-scope noise, a cost that is easy to underestimate.

23. What are your first three steps when securing a Linux server?

Here are three basic steps that can be taken to help secure a Linux server:

  • Patch and minimize: update the operating system and every installed package, then remove or disable packages and services the server does not need so that there is less to patch and less to attack. Check which services are actually listening on the network, and enable automatic security updates where the change-management process allows it.

  • Configure host firewall rules: default-deny inbound, allow only the ports the server's role requires, and restrict administrative access (SSH) to management networks or a bastion host rather than exposing it to the internet.

  • Harden authentication and access: disable root login over SSH, use key-based or certificate-based SSH authentication with password authentication turned off, grant administrative rights through sudo to named accounts rather than shared logins, and add multi-factor authentication for interactive access where possible. Where passwords remain, length and uniqueness matter more than complexity rules, and forced periodic rotation is no longer recommended (NIST SP 800-63B).

While these steps are a good starting point for securing a Linux server, it's important to note that server security is an ongoing process and requires a multi-layered approach that includes regular maintenance, monitoring, and updates to keep the server secure. Additional steps may also be required depending on the specific use case and security requirements of the server.
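The SSH part of the third step, as an added example (not from the original page): a small POSIX shell script that audits an sshd_config for the settings above and writes a hardened copy. The sample configuration, the function names and the list of directives are constructed for this example. sshd_get mirrors a real sshd rule that is easy to miss: the first occurrence of a keyword wins, so a "PasswordAuthentication no" appended to a file that already says "yes" higher up changes nothing.

```sh
#!/bin/sh
# Added example: audit and harden the SSH settings that matter most on a new
# Linux server. Works offline on a constructed sample sshd_config.
set -eu

# Constructed sample sshd_config. Note the two PasswordAuthentication lines:
# sshd honours the FIRST occurrence of a keyword, so the later "no" does nothing.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
# hardening attempt that has no effect because of the earlier line:
PasswordAuthentication no'

# sshd_get FILE KEYWORD: print the effective value of a keyword, i.e. the first
# uncommented occurrence before any Match block (directives inside Match blocks
# are conditional and are not considered here). Prints nothing if absent.
sshd_get() {
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# sshd_audit FILE: print one line per weak setting; return the number found.
# A missing directive is treated as weak where sshd's default is permissive
# (PasswordAuthentication defaults to yes).
sshd_audit() {
  f="$1"; n=0
  [ "$(sshd_get "$f" PermitRootLogin)" = "no" ] \
    || { echo "PermitRootLogin should be no (log in as a named user, use sudo)"; n=$((n + 1)); }
  [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ] \
    || { echo "PasswordAuthentication should be no (keys only)"; n=$((n + 1)); }
  [ "$(sshd_get "$f" PubkeyAuthentication)" != "no" ] \
    || { echo "PubkeyAuthentication must not be disabled"; n=$((n + 1)); }
  [ "$(sshd_get "$f" X11Forwarding)" = "no" ] \
    || { echo "X11Forwarding should be no on a server"; n=$((n + 1)); }
  return "$n"
}

# sshd_harden SRC DST: write a hardened copy. The wanted directives go first
# (so they are the first occurrence and win) and any existing lines for the
# same keywords are dropped. KbdInteractiveAuthentication is the current name;
# OpenSSH older than 8.7 spells it ChallengeResponseAuthentication.
sshd_harden() {
  {
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
      'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' 'X11Forwarding no'
    grep -viE '^[[:space:]]*(PermitRootLogin|PasswordAuthentication|KbdInteractiveAuthentication|PubkeyAuthentication|X11Forwarding)([[:space:]]|=)' "$1" || true
  } > "$2"
}

# Demonstration on the constructed sample
cfg=$(mktemp); hardened=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$cfg"
echo "== before =="; sshd_audit "$cfg" || echo "$? weak setting(s)"
sshd_harden "$cfg" "$hardened"
echo "== after =="; sshd_audit "$hardened" && echo "no weak settings"
# On a real host you would then (commands shown, deliberately not executed here):
#   sshd -t -f "$hardened" && install -m 600 "$hardened" /etc/ssh/sshd_config && systemctl reload ssh
#   ufw default deny incoming && ufw allow OpenSSH && ufw enable
```

Validate the hardened file with sshd -t before installing it, and keep your current session open while you reload sshd and test a fresh login with the key, so a mistake cannot lock you out. The firewall and install lines in the comments are what you would type on the host itself.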

24. What are your first three steps when securing a Windows server?

Here are three basic steps that can be taken to help secure a Windows server:

  • Keep software up-to-date: Apply Windows Update (or your WSUS/Intune baseline) before the server is exposed, then keep the operating system, IIS, SQL Server and any other installed software current. Remove roles and features the server does not need; every extra role is more code to patch.

  • Configure firewall rules: Leave Windows Defender Firewall with Advanced Security enabled on all three profiles (Domain, Private, Public) with inbound connections blocked by default, and add explicit allow rules only for the ports the server's role needs. Do not expose RDP to the internet; if remote administration is required, reach it through a VPN or bastion host and require Network Level Authentication.

  • Lock down accounts and authentication: Rename or disable the built-in Administrator account, give each administrator a separate named account, and keep day-to-day work out of the local Administrators group. Require long, unique passwords (rotated when compromise is suspected rather than on a fixed schedule), add multi-factor authentication for administrative and remote access, and give each server a unique local administrator password (for example with LAPS) so that one compromised host does not unlock the others.

While these steps are a good starting point for securing a Windows server, it's important to note that server security is an ongoing process and requires a multi-layered approach that includes regular maintenance, monitoring, and updates to keep the server secure. Additional steps may also be required depending on the specific use case and security requirements of the server.

25. Who’s more dangerous to an organization, insiders or outsiders?

Both insiders and outsiders can pose a risk to an organization's security, and it's difficult to say which is more dangerous. Insiders, who are typically employees or contractors with authorized access to an organization's systems and data, may have greater opportunities to cause harm than outsiders. They may have access to sensitive information and be familiar with an organization's security policies, making it easier for them to exploit vulnerabilities or bypass security controls.

Outsiders, on the other hand, may have a variety of motivations for targeting an organization, ranging from financial gain to hacktivism or state-sponsored attacks. They may have more technical expertise and be able to exploit vulnerabilities that insiders are not aware of.

Ultimately, the level of risk posed by insiders and outsiders will depend on a variety of factors, including an organization's security policies and procedures, the nature of the data and systems being protected, and the motivations and capabilities of potential attackers. It's important for organizations to have a comprehensive security program that addresses both insider and outsider threats, including strong access controls, monitoring and detection capabilities, and incident response plans.

26. Why is DNS monitoring important?

DNS (Domain Name System) monitoring is important for several reasons:

  • Security: DNS is a critical part of the infrastructure and is abused at both ends. Attackers target it directly (domain hijacking, cache poisoning and spoofing, DNS amplification for DDoS), and they use it as a covert channel, because almost every host is allowed to resolve names and outbound DNS is rarely inspected: malware beacons to command-and-control domains, and data can be tunnelled out inside query names. Logging queries and answers gives the visibility to spot these patterns (newly registered or algorithmically generated domains, unusually long or high-entropy labels, bursts of NXDOMAIN responses, one client resolving thousands of unique subdomains) and, with a filtering resolver, to block them. Monitoring by itself only detects; prevention needs a response such as sinkholing or blocking the domain.

  • Performance: DNS performance can have a significant impact on network performance and user experience. DNS monitoring can help identify and troubleshoot issues such as slow response times, DNS server failures, and misconfigured DNS settings.

  • Compliance: Frameworks such as PCI DSS and HIPAA require logging and monitoring of activity on systems that handle protected data, and DNS logs are part of the evidence that this is being done. Retained DNS logs also answer the "which hosts talked to that domain, and when?" question during an incident investigation.

Overall, DNS monitoring is an important part of a comprehensive security program, providing visibility into network traffic and helping to identify potential threats and vulnerabilities. By monitoring DNS traffic, organizations can proactively detect and prevent attacks, improve network performance, and maintain compliance with regulatory requirements.
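Two of the patterns a DNS monitor looks for, as an added example that is not part of the original page: a POSIX shell function that runs awk over BIND-style query-log lines and flags single labels long enough to be carrying encoded data, and registered domains under which one client has resolved an unusual number of distinct subdomains (the fingerprint of DNS tunnelling, and of the exfiltration over DNS that question 36 below mentions). The log lines, the thresholds and the shortcut of taking the last two labels as the registered domain are constructed assumptions for this example; a production version would use the Public Suffix List and your resolver's real log format.

```sh
#!/bin/sh
# Added example: flag likely DNS tunnelling / exfiltration in a query log.
set -eu

# Constructed sample, BIND-style "query:" lines simplified to:
#   <time> client <ip>#<port>: query: <qname> IN <qtype>
# 10.0.0.5 and 10.0.0.7 look normal; 10.0.0.9 is pushing data out through DNS.
SAMPLE_DNS_LOG='12:00:01 client 10.0.0.5#40001: query: www.example.com IN A
12:00:02 client 10.0.0.5#40002: query: mail.example.com IN MX
12:00:03 client 10.0.0.7#40003: query: cdn.example.com IN AAAA
12:00:04 client 10.0.0.9#51000: query: 0123456789abcdef0123456789abcdef0123456789abcdef.exfil.example.org IN TXT
12:00:05 client 10.0.0.9#51001: query: a1b2c3d4e5f6a7b8c9d0.t.example.net IN A
12:00:05 client 10.0.0.9#51002: query: b2c3d4e5f6a7b8c9d0e1.t.example.net IN A
12:00:05 client 10.0.0.9#51003: query: c3d4e5f6a7b8c9d0e1f2.t.example.net IN A
12:00:06 client 10.0.0.9#51004: query: d4e5f6a7b8c9d0e1f2a3.t.example.net IN A
12:00:06 client 10.0.0.9#51005: query: e5f6a7b8c9d0e1f2a3b4.t.example.net IN A
12:00:06 client 10.0.0.9#51006: query: f6a7b8c9d0e1f2a3b4c5.t.example.net IN A
12:00:07 client 10.0.0.5#40004: query: www.example.com IN A'

# dns_suspicious: read query-log lines on stdin, print one line per finding.
#   LONG_LABEL       a single label longer than MAX_LABEL characters (data packed
#                    into the name; legitimate labels are rarely over ~30)
#   MANY_SUBDOMAINS  more than MAX_SUBS distinct subdomains under one registered
#                    domain (every tunnel packet is a brand-new, never-cached name)
# Assumption: the registered domain is the last two labels. Real code should use
# the Public Suffix List, otherwise co.uk-style domains are grouped wrongly.
dns_suspicious() {
  awk -v max_label="${MAX_LABEL:-40}" -v max_subs="${MAX_SUBS:-5}" '
    $4 == "query:" {
      client = $3; sub(/:$/, "", client)
      name = tolower($5); sub(/\.$/, "", name)
      n = split(name, lab, ".")
      longest = 0
      for (i = 1; i <= n; i++) if (length(lab[i]) > longest) longest = length(lab[i])
      if (longest > max_label)
        printf "LONG_LABEL client=%s qname=%s label_len=%d\n", client, name, longest
      if (n >= 3) {
        parent = lab[n-1] "." lab[n]
        prefix = substr(name, 1, length(name) - length(parent) - 1)
        # count each distinct prefix under a registered domain once
        if (!((parent, prefix) in seen)) { seen[parent, prefix] = 1; subs[parent]++ }
      }
    }
    END {
      for (p in subs) if (subs[p] > max_subs)
        printf "MANY_SUBDOMAINS domain=%s distinct_subdomains=%d\n", p, subs[p]
    }'
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_DNS_LOG" | dns_suspicious
```

On a real resolver you would feed it the query log (for BIND, the "queries" logging category; for Unbound, log-queries: yes) and tune MAX_LABEL and MAX_SUBS against a baseline, since CDNs and some anti-virus vendors legitimately generate many unique subdomains.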

27. How would traceroute help you find out where a breakdown in communication is?

Traceroute is a network diagnostic tool that helps identify the path that packets take when traveling from one network device to another. By analyzing the path of the packets, traceroute can help identify the point of failure or the location of a breakdown in communication.

Traceroute works by sending a series of packets to the destination device with gradually increasing Time-to-Live (TTL) values. Each network device that the packets pass through decrements the TTL value by one, and if the TTL value reaches zero, the device sends back an ICMP time-exceeded message to the sender. Traceroute records the IP addresses of the devices that send back these messages and calculates the time it took for each packet to travel from the sender to each intermediate device.

By examining the list of hops returned by traceroute, you can see the path packets take to the destination. The hop just before the first run of unanswered probes (shown as "* * *") is the last point you know the packets reached, so the break or the filtering lies somewhere beyond it; if every later hop is silent and the destination never answers, that is where to start looking. A single silent hop followed by hops that do answer is usually a router that drops or rate-limits ICMP rather than a fault, because the packets evidently got through it. Similarly, a hop whose round-trip time is much higher than its neighbours may be congested or on a long link, but if later hops report lower times the high value reflects that router's own slow ICMP generation, not a problem on the forwarding path.

Overall, traceroute can be a useful tool for identifying the location of communication breakdowns and diagnosing network issues.

28. Why would you want to use SSH from a Windows PC?

SSH, or Secure Shell, is a network protocol that provides secure encrypted communication between two networked devices. It is commonly used to provide secure remote access to a device's command line interface (CLI) or to securely transfer files between devices.

While SSH is usually associated with Unix-like systems such as Linux and macOS, it is just as usable from Windows: Windows 10 and Windows Server 2019 and later ship the OpenSSH client (ssh, scp, sftp, ssh-keygen), and third-party clients such as PuTTY and WinSCP have been available for years. Reasons to use it include:

Remotely accessing a Unix-based server or device: If you need to manage a Unix-based server or device remotely, SSH gives you an encrypted connection to its command line. Most servers and network devices run a Unix-like operating system, so an administrator on a Windows workstation needs SSH as a matter of course.

Transferring files securely: SSH also carries file transfers over SFTP (the SSH File Transfer Protocol) and SCP (secure copy). Both run inside the encrypted SSH session, so they are the right replacement for FTP or plain-text copies whenever the data is sensitive.

Improving security: SSH encrypts the session and authenticates the server to you through its host key, so an attacker on an untrusted network (a hotel or conference Wi-Fi, for example) cannot read or alter what you type or silently redirect you to a lookalike host, provided you verify the host key fingerprint on first connection rather than accepting it blindly. With key-based authentication the private key never leaves the Windows machine, which removes the risk of a password being captured in transit.

In summary, using SSH from a Windows PC can be useful for remotely accessing Unix-based servers or devices, securely transferring files, and improving the security of your network.

29. How would you find out what a POST code means?

POST codes, or Power-On Self Test codes, are diagnostic codes produced by a computer's BIOS during the boot process. These codes can indicate whether the computer is experiencing any issues or errors during startup.

To find out what a specific POST code means, you can follow these general steps:

Identify the brand and model of your computer's BIOS: This information is usually displayed during the boot process, but you can also check your computer's documentation or the manufacturer's website to find this information.

Look up the POST code in the BIOS documentation: Each BIOS manufacturer should have documentation that explains the POST codes for their specific BIOS. This documentation may be available on the manufacturer's website, or it may be included in the documentation that came with your computer.

Check online forums or support sites: If you are unable to find the documentation for your specific BIOS, you may be able to find information about the POST code by searching online forums or support sites. Other users may have experienced the same issue and may have posted about it in these forums.

Contact the manufacturer's support team: If you are still unable to determine the meaning of the POST code, you can contact the manufacturer's support team for assistance. They may be able to provide you with additional information or troubleshooting steps to help resolve the issue.

Overall, finding out what a specific POST code means can be done by identifying the brand and model of your computer's BIOS, looking up the code in the BIOS documentation, checking online forums or support sites, or contacting the manufacturer's support team for assistance.

30. What is the difference between a black hat and a white hat?

In the context of computer security, a "black hat" refers to a hacker who uses their skills to break into computer systems, steal data, or cause damage to networks without authorization. They may do this for personal gain, to show off their skills, or for malicious purposes.

On the other hand, a "white hat" refers to a hacker or security professional who uses their skills for ethical purposes. They are often hired by organizations to identify vulnerabilities in their computer systems and networks, and to test their security measures. White hat hackers use their knowledge to protect computer systems from unauthorized access, data theft, and other security threats.

In summary, the difference between a black hat and a white hat is their intentions and the ethical principles they follow. Black hats use their skills for personal gain and with malicious intent, while white hats use their skills to improve security and protect computer systems from harm.

31. What do you think of social networking sites such as Facebook and LinkedIn?

Social networking sites like Facebook and LinkedIn have become increasingly popular over the years, providing people with the ability to connect and communicate with others around the world. They can be a useful tool for networking, building professional relationships, and sharing information with others.

However, social networking sites can also have negative consequences, such as cyberbullying, addiction, and the spread of misinformation. They can also raise concerns about privacy and security, as personal information shared on these platforms can be vulnerable to hackers and other security threats.

Ultimately, whether or not someone uses social networking sites is a personal choice, and it is important for individuals to weigh the potential benefits and risks before deciding to engage with these platforms.

32. Why are internal threats often more successful than external threats?

Internal threats are often more successful than external threats because insiders have already gained authorized access to an organization's systems, data, and resources. This means that they have a greater level of familiarity with the organization's security measures, weaknesses, and potential vulnerabilities.

Insiders, such as employees or contractors, have legitimate credentials and access to the organization's systems, which can make it easier for them to carry out attacks without raising suspicion. They also have a better understanding of the organization's processes, procedures, and culture, which can help them to identify weaknesses in the security measures that external attackers might not be aware of.

In addition, internal threats are often motivated by different factors than external threats. While external threats may be driven by financial gain or a desire to disrupt operations, internal threats may be motivated by revenge, a desire to steal intellectual property, or to gain an advantage in negotiations.

Despite these challenges, organizations can take steps to mitigate the risks posed by internal threats, such as by implementing strong access controls, monitoring employee behavior, and conducting background checks on new hires. Regular security awareness training for employees can also help to raise awareness of the risks associated with internal threats and how to prevent them.

33. Why is deleted data not truly gone when you delete it?

When data is deleted from a computer or other electronic device, it is not truly gone because of the way that storage devices work.

Data is stored on electronic storage devices such as hard drives, solid-state drives, or flash drives, in the form of binary code, which is a series of 1's and 0's. When a file is deleted, the storage device does not actually remove the data from the drive. Instead, it marks the area of the disk where the data is stored as being available for new data to be written to.

Until new data is written to that area of the disk, the original data can still be retrieved using data recovery tools or techniques. These tools work by scanning the disk for data that has been marked as deleted but is still present on the disk.

Even after new data is written, fragments often remain: a new file is rarely the same size as the old one, so parts of the old file survive in unallocated clusters and in the slack space at the end of the new file's last cluster, and further copies may exist in swap, temporary files, journals and backups. The old claim that an overwritten sector can be recovered from residual magnetism does not hold for modern high-density drives; in practice, what is recoverable is the data that was never overwritten at all.

For this reason, sensitive data should be erased with a method designed for the medium rather than by deleting files. On a magnetic hard disk a single full overwrite pass is sufficient on modern drives (NIST SP 800-88 no longer calls for multiple passes). On SSDs and flash media an overwrite from the operating system is unreliable, because wear levelling maps the writes to other physical blocks, so use the drive's built-in sanitisation command (ATA Secure Erase, NVMe Format or Sanitize) or, better, encrypt the drive from the start and destroy the key (cryptographic erase). When the medium itself is being retired, physical destruction removes the question entirely.

34. What is the Chain of Custody?

The Chain of Custody is a process that is used to document the handling, movement, and storage of physical or digital evidence, in a way that maintains the integrity and reliability of the evidence.

The Chain of Custody is important in legal and investigative contexts, where the evidence may be used to support legal proceedings or other investigations. It ensures that the evidence can be traced back to its origin and that there is a clear record of who has had access to the evidence and what they have done with it.

The Chain of Custody involves a set of procedures that are followed from the time the evidence is collected or seized until it is presented in court or used in an investigation. These procedures may include documenting the collection of the evidence, labeling and packaging the evidence, and recording the names and contact information of everyone who comes into contact with the evidence.

Maintaining the Chain of Custody is critical in order to ensure that the evidence is not compromised, altered, or mishandled in any way that would render it inadmissible in court or unusable in an investigation. By following established procedures and documenting the handling of evidence at each stage of the process, the Chain of Custody helps to maintain the integrity of the evidence and preserve its evidentiary value.
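The hashing step that makes a digital chain of custody checkable, as an added example (not from the original page): two POSIX shell functions that append a custody entry carrying a SHA-256 digest for an evidence file and later re-verify the file against the digest recorded at acquisition. The log format, the function names and the sample file are constructed for this example.

```sh
#!/bin/sh
# Added example: record and verify evidence integrity for a chain-of-custody log.
set -eu

# Portable SHA-256: sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# custody_log EVIDENCE_FILE LOG_FILE HANDLER ACTION
# Appends one tab-separated line: UTC time, action, handler, file, size, SHA-256.
# Every hand-over gets its own line; the first line for a file is its acquisition.
custody_log() {
  ev="$1"; log="$2"; who="$3"; action="$4"
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$action" "$who" "$ev" \
    "$(wc -c < "$ev" | tr -d ' ')" "$(sha256_of "$ev")" >> "$log"
}

# custody_verify EVIDENCE_FILE LOG_FILE
# Recomputes the digest and compares it with the one recorded at acquisition
# (the first entry for this file). Returns 0 if unchanged, 1 if it differs,
# 2 if the file was never logged.
custody_verify() {
  ev="$1"; log="$2"
  recorded=$(awk -F'\t' -v f="$ev" '$4 == f { print $6; exit }' "$log")
  [ -n "$recorded" ] || { echo "no acquisition record for $ev" >&2; return 2; }
  current=$(sha256_of "$ev")
  if [ "$current" = "$recorded" ]; then
    echo "OK   $ev $current"; return 0
  else
    echo "FAIL $ev recorded=$recorded current=$current"; return 1
  fi
}

# Demonstration with a constructed evidence file
work=$(mktemp -d)
printf 'constructed sample evidence: auth.log excerpt\n' > "$work/auth.log"
custody_log "$work/auth.log" "$work/custody.tsv" "analyst1" "acquired"
custody_log "$work/auth.log" "$work/custody.tsv" "analyst2" "received"
custody_verify "$work/auth.log" "$work/custody.tsv"
cat "$work/custody.tsv"
```

In a real case the digest is also written on the evidence bag or form and the working copy is made from a write-blocked image, so the verify step can be repeated before analysis and again before court without ever touching the original.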

35. How would you permanently remove the threat of data falling into the wrong hands?

To permanently remove the threat of data falling into the wrong hands, there are several steps that can be taken:

  • Implement strong access controls: Limit access to sensitive data to only those who need it and ensure that access is granted based on a need-to-know basis.
  • Encrypt sensitive data: Use encryption technologies to protect sensitive data at rest and in transit. Encryption ensures that data is unintelligible without the proper decryption key, making it useless to anyone who does not have the key.
  • Regularly update security measures: Ensure that all software, systems, and devices are kept up-to-date with the latest security patches and updates. This helps to prevent known vulnerabilities from being exploited.
  • Use multi-factor authentication: Require users to authenticate using multiple factors, such as a password and a fingerprint or a one-time code, to add an extra layer of security.
  • Regularly back up data, and protect the backups: Backups let data be restored quickly after a breach or loss, but they are another copy of the same data and must carry the same encryption and access controls as the original; an unencrypted backup tape or an openly readable backup bucket is a common way for data to leak.
  • Destroy data that is no longer needed: For data that is particularly sensitive or has reached the end of its retention period, sanitise or physically destroy the storage medium (e.g. shredding a hard drive), or use cryptographic erasure (destroying the key of an encrypted volume) so that what remains on the medium cannot be recovered. Data you no longer hold cannot fall into the wrong hands.

By taking these steps, organizations can greatly reduce the risk of data falling into the wrong hands and protect their sensitive information from unauthorized access or theft.

36. What is exfiltration?

Exfiltration refers to the unauthorized transfer of data from a computer system or network to an external location or attacker-controlled server. It is a method used by attackers to steal sensitive or valuable data from an organization.

Exfiltration can take many forms, including copying data to a removable storage device, sending it through email or messaging services, or uploading it to a cloud storage service or a remote server controlled by the attacker.

Attackers may use various methods to exfiltrate data, including exploiting vulnerabilities in software or systems, using social engineering techniques to trick users into sharing their login credentials, or using malware to gain access to the system and extract data.

Exfiltration can be a serious threat to organizations, as it can lead to data breaches, loss of intellectual property, and reputational damage. To prevent exfiltration, organizations should implement security measures such as firewalls, intrusion detection and prevention systems, and data loss prevention solutions. They should also regularly monitor network activity and user behavior to detect and respond to potential exfiltration attempts. Additionally, regular security awareness training for employees can help to prevent social engineering attacks and other types of attacks that may lead to exfiltration.

37. How do you protect your home wireless access point?

To protect your home wireless access point, you can take the following steps:

  • Change the default login credentials: Replace the access point's default administrator username and password with a strong, unique password; the defaults for every model are published and are the first thing an attacker tries.
  • Use the strongest encryption available: Enable WPA3 if all your devices support it, otherwise WPA2 with AES/CCMP; never WEP or WPA/TKIP, which are broken. Use a long, random pre-shared key, and disable WPS, whose PIN method can be brute-forced.
  • Hiding the SSID and filtering MAC addresses: Both are often recommended, but neither stops a capable attacker. A hidden SSID is still sent in the clear whenever a client connects, and MAC addresses are visible in every frame and trivially spoofed. Treat them as housekeeping at most; the encryption and the passphrase are what actually protect the network.
  • Enable a guest network: If your wireless access point supports it, set up a separate guest network with its own SSID and password. This lets visitors (and untrusted smart-home devices) use the Internet without having access to your home network.
  • Update firmware and software: Keep the access point's firmware up-to-date to protect against known vulnerabilities, and replace a device the vendor no longer patches.
  • Turn off remote management: Disable administration from the WAN side unless you genuinely need it, and disable UPnP if nothing relies on it, since either can expose the management interface or internal devices to the internet.

By taking these steps, you can help secure your home wireless access point and protect your home network from unauthorized access and other security threats.

38. If you were going to break into a database-based website, how would you do it?

39. What is the CIA triangle?

The CIA triangle is a widely used model in information security that consists of three key elements: confidentiality, integrity, and availability. The acronym CIA is derived from the first letter of each element.

Confidentiality refers to the protection of sensitive data from unauthorized access or disclosure. This includes preventing access to data by unauthorized users and ensuring that data is only accessible to those who are authorized to view or use it.

Integrity refers to the accuracy and completeness of data. It involves ensuring that data is not modified, deleted, or destroyed by unauthorized individuals or processes, and that it remains intact and uncorrupted.

Availability refers to the accessibility of data and services when needed. This includes ensuring that data and systems are available to authorized users and that they are not disrupted by system failures, cyber attacks, or other events that can result in downtime.

The CIA triangle is often used as a framework for designing and implementing information security measures to protect against a wide range of threats, such as unauthorized access, data breaches, and system failures. By focusing on confidentiality, integrity, and availability, organizations can ensure that their information is secure and accessible when needed, and that it remains accurate and unmodified.

40. What is the difference between information protection and information assurance?

Information protection and information assurance are two terms that are often used interchangeably, but they have distinct differences.

Information protection refers to the actions taken to safeguard information from unauthorized access, disclosure, or destruction. It is focused on implementing security measures to protect sensitive data from external threats such as hackers, viruses, and other malicious activities. Information protection includes the implementation of security controls such as firewalls, encryption, access controls, and intrusion detection systems to protect against cyber threats.

Information assurance, on the other hand, is a broader concept that encompasses information protection but also includes the overall management and control of information to ensure its accuracy, completeness, and reliability. Information assurance is about ensuring that information is available to those who need it, when they need it, and in a format that they can use. It also includes measures to ensure that information is not altered or destroyed without proper authorization.

In summary, information protection is focused on protecting information from external threats, while information assurance is focused on ensuring the overall quality and reliability of information through management and control measures.

41. How would you lock down a mobile device?

42. What is the difference between closed-source and open-source? Which is better?

Closed-source and open-source refer to different software development and distribution models. Here's an overview of each, along with some considerations for their advantages and disadvantages:

Closed-Source Software:

Also known as proprietary software, closed-source software is developed by a company or individual and is distributed in compiled form, which means the source code is not made available to the general public. Only the compiled executable version is provided. Users do not have access to the underlying code and cannot modify or redistribute it without explicit permission from the software's owner.

Advantages of Closed-Source Software:

  • Control: Developers retain control over the software, ensuring consistent quality and user experience.
  • Profit: Companies can generate revenue by selling licenses to use the software.
  • Intellectual Property Protection: Closed-source models can protect a company's intellectual property and prevent unauthorized copying or modifications.

Disadvantages of Closed-Source Software:

  • Limited Customization: Users cannot modify the software to meet specific needs.
  • Vendor Lock-in: Users are dependent on the software vendor for updates, fixes, and features.
  • Security Concerns: Users have to trust the vendor's security practices and might not be able to assess vulnerabilities directly.

Open-Source Software:

Open-source software is developed collaboratively by a community of developers who make the source code freely available to the public. This means anyone can view, modify, and distribute the code. Open-source projects often encourage community contributions and are typically governed by licenses that define how the software can be used and shared.

Advantages of Open-Source Software:

  • Customization: Users can modify the source code to tailor the software to their specific needs.
  • Transparency: The availability of source code allows for transparency, making it easier to identify and fix security vulnerabilities.
  • Community Collaboration: Open-source projects benefit from a larger pool of contributors, leading to faster innovation and bug fixes.
  • Cost: Open-source software is often free to use, which can be cost-effective for businesses and individuals.

Disadvantages of Open-Source Software:

  • Quality Variability: The quality of open-source projects can vary, as they depend on community contributions.
  • Support: Users might have to rely on community forums or third-party services for support, as opposed to dedicated customer support from a company.
  • Complexity: Working with open-source software may require technical expertise to understand and modify the source code.

Which is Better?

The choice between closed-source and open-source software depends on various factors, including the specific needs of the user or organization:

  • Closed-source software is often chosen for commercial applications that require strict control over intellectual property, and where the vendor provides essential support and maintenance.
  • Open-source software is preferred when customization, transparency, and community collaboration are important. It's particularly valuable for organizations with technical expertise to modify and maintain the software themselves.

Neither model is universally better than the other; it depends on the context. Some projects even blend the two approaches, offering a core open-source version with premium closed-source features and support. Ultimately, the decision should align with the goals and requirements of the users or organization in question.

43. What is your opinion on hacktivist groups such as Anonymous?

Network security 

44. What port does ping work over?

Ping is a network utility that tests the reachability of a host on an IP network using the Internet Control Message Protocol (ICMP). It does not use a port at all: ICMP is carried directly inside IP at the network layer (OSI layer 3), whereas ports belong to the transport-layer protocols TCP and UDP.

When ping runs, it sends an ICMP Echo Request (type 8) to the target address, and a host that receives it answers with an ICMP Echo Reply (type 0). Ping measures the round-trip time and reports lost replies.

Because no port is involved, there is nothing to "open" for ping on the target beyond allowing ICMP echo through the host and network firewalls. Many environments block or rate-limit ICMP echo, so a host that does not answer ping is not necessarily down, and a firewall rule written in terms of TCP or UDP ports will never affect ping.

In summary, ping works over ICMP, which has no ports, and operates at the network layer of the OSI model.

45. Do you prefer filtered ports or closed ports on your firewall?

First, the difference between a filtered port and a closed port as a port scanner such as nmap reports them.

Filtered Ports:

A port is reported as filtered when the scanner gets no answer at all: a firewall in the path silently drops the probe (a DROP target in iptables, "drop" in nftables). Nothing comes back to say whether anything is listening, so the scanner has to wait for a timeout and cannot tell a filtered port from a dead host or a lost packet.

Closed Ports:

A port is closed when the host is reachable but nothing is listening on that port. The host answers immediately: for TCP it sends a RST segment, and for UDP it sends an ICMP port unreachable message (a firewall produces the same answers with a REJECT rule). The scanner learns that the host is up, that the port is not in use, and, from the details of the reply, something about the operating system.

Which is Better?

The choice between using filtered ports or closed ports on a firewall depends on the specific security strategy and goals of the network administrators.

  • Filtered Ports: Dropping gives an attacker the least information. Every probe times out, so a scan of many ports becomes slow, and the scanner cannot distinguish filtered ports from hosts that do not exist. The cost is paid by legitimate clients too: a misconfigured application will hang until its connection timeout instead of failing at once.

  • Closed Ports: Rejecting answers every probe instantly, which confirms that the host is alive and makes it easy to enumerate exactly which ports are in use, but it is friendlier to your own users and to troubleshooting, because a blocked connection fails with a clear "connection refused" in milliseconds.

In practice most administrators do both: drop unsolicited traffic on internet-facing interfaces, where stealth and resistance to scanning matter, and reject on internal interfaces, where fast failure and easy diagnosis matter more than hiding a host from people who can already see it.

Ultimately, the decision should be based on the security requirements of the specific network and the trade-off between giving attackers less information and giving legitimate users and administrators a clear, immediate failure.

46. How exactly does traceroute/tracert work at the protocol level?

Traceroute (tracert on Windows) discovers the path a packet takes to its destination by sending probes with increasing time-to-live (TTL) values and collecting the ICMP errors that routers send back.

At the protocol level, the probes themselves can be UDP datagrams (the default on Linux and BSD), ICMP Echo Requests (Windows tracert, and traceroute -I) or TCP SYN segments (traceroute -T, useful when only TCP is allowed through); the replies from intermediate routers are always ICMP.

Here's how it works:

  • Traceroute sends a probe (usually three per hop) to the destination address with a TTL of 1.
  • The first router decrements the TTL to 0, discards the probe and sends an ICMP Time Exceeded message (type 11, code 0) back to the source. The source address of that ICMP message identifies the first hop, and the time between sending the probe and receiving the error is that hop's round-trip time.
  • Traceroute then sends the next probe with a TTL of 2, which expires at the second router, and so on: every router on the path decrements the TTL by one, and the router at which it reaches 0 is the one that reports back.
  • The process continues until the destination itself is reached or the maximum hop count (30 by default) is exhausted.
  • Traceroute knows it has reached the destination because the reply changes. With UDP probes it aims at a high port (starting at 33434) that is almost certainly not listening, so the destination answers with ICMP Port Unreachable (type 3, code 3) instead of Time Exceeded; with ICMP probes the destination returns an Echo Reply; with TCP probes it returns a SYN/ACK or RST.
  • Each hop is recorded with the responding router's IP address and the round-trip time of each probe. An asterisk marks a probe for which no reply arrived in time, which often means a router that does not send ICMP errors rather than a real fault.

In summary, traceroute sends UDP, ICMP or TCP probes with increasing TTL values, uses the ICMP Time Exceeded messages returned by each router to learn that router's address and round-trip time, and recognises arrival at the destination by the different reply the destination itself sends.
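Reading a trace for the breakdown point, as an added example serving both question 27 and this one (not from the original page): a POSIX shell function that parses the output of traceroute -n and reports silent hops, partial loss, latency jumps and the last hop that answered before the path went dark. The trace is a constructed sample using documentation address ranges; the 50 ms jump threshold and the finding names are assumptions for this example.

```sh
#!/bin/sh
# Added example: locate the breakdown point in a "traceroute -n" listing.
set -eu

# Constructed sample output of "traceroute -n 198.51.100.20". Hop 4 is silent
# but later hops answer; hop 6 answers slowly and loses a probe; nothing answers
# after hop 6 and the target itself never replies.
SAMPLE_TRACE='traceroute to 198.51.100.20 (198.51.100.20), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.389 ms  0.377 ms
 2  203.0.113.1  1.905 ms  1.880 ms  1.861 ms
 3  203.0.113.45  9.203 ms  9.110 ms  9.077 ms
 4  * * *
 5  203.0.113.77  11.512 ms  11.490 ms  11.470 ms
 6  198.51.100.9  140.221 ms  139.870 ms  *
 7  * * *
 8  * * *
 9  * * *'

# traceroute_analyze: read "traceroute -n" output on stdin, print findings.
# JUMP_MS is the per-hop increase in average RTT worth reporting (assumed 50).
traceroute_analyze() {
  awk -v jump="${JUMP_MS:-50}" '
    /^traceroute to / { target = $4; gsub(/[(),]/, "", target) }
    /^ *[0-9]+ / {
      hop = $1 + 0; last_hop = hop; lost = 0; sum = 0; n = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "*") lost++
        else if ($i == "ms") { sum += $(i - 1); n++ }
      }
      if (n == 0) { silent[hop] = 1; next }      # no probe answered at this hop
      ip[hop] = $2; last_answer = hop
      avg = sum / n
      if (prev_avg != "" && avg - prev_avg > jump)
        printf "LATENCY_JUMP hop=%d avg=%.1fms (hop %d was %.1fms)\n", hop, avg, prev_hop, prev_avg
      if (lost > 0)
        printf "PARTIAL_LOSS hop=%d lost=%d/%d\n", hop, lost, lost + n
      prev_avg = avg; prev_hop = hop
    }
    END {
      # a silent hop followed by answering hops forwards fine, it just does not
      # send ICMP errors; silence that continues to the end is the real clue
      for (h in silent) if (h + 0 < last_answer)
        printf "SILENT_HOP hop=%d: later hops answered, so it forwards traffic but sends no ICMP errors\n", h
      if (last_hop > last_answer)
        printf "NO_RESPONSE_AFTER hop=%d (%s): hops %d-%d silent, the break is beyond this hop\n", last_answer, ip[last_answer], last_answer + 1, last_hop
      if (ip[last_answer] == target) print "DESTINATION_REACHED"
      else printf "DESTINATION_NOT_REACHED target=%s last_reply=%s\n", target, ip[last_answer]
    }'
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_TRACE" | traceroute_analyze
```

On the sample this points at the network beyond 198.51.100.9 as the place to investigate, treats hop 4 as harmless ICMP filtering, and notes that hop 6's high latency coincides with the loss of a probe. Feed it real output with traceroute -n host | traceroute_analyze.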

47. What are Linux’s strengths and weaknesses vs. Windows?

Linux and Windows are two different operating systems that have their own strengths and weaknesses.

Linux strengths:

Open-source: Linux is an open-source operating system, meaning that its source code is freely available for anyone to use, modify, and distribute. This allows for a large community of developers to collaborate and improve the operating system.

Security: Linux is known for its strong security features, such as user account permissions, firewalls, and encryption. It is also less vulnerable to viruses and malware compared to Windows.

Stability: Linux is known for its stability and reliability. It rarely crashes or needs to be rebooted, which is important for servers and other critical systems.

Customizability: Linux can be customized extensively to suit specific needs and preferences. There are many different distributions (or "distros") of Linux that cater to different use cases and user preferences.

Linux weaknesses:

Compatibility: Some software and hardware may not be compatible with Linux, which can be a barrier to adoption for some users.

User interface: While the user interface of Linux has improved greatly over the years, it still may not be as user-friendly as Windows for some users.

Support: Linux has a large community of developers and users, but official support can be limited compared to Windows.

Windows strengths:

Compatibility: Windows is widely used and has good compatibility with most software and hardware, making it a popular choice for many users.

User interface: Windows has a user-friendly interface that is familiar to many users, making it easy to learn and use.

Support: Windows has extensive official support options, including documentation, online resources, and customer support.

Gaming: Windows is a popular platform for gaming, with many games being developed specifically for the platform.

Windows weaknesses:

Security: Windows has historically been more vulnerable to viruses and malware compared to Linux, although this has improved in recent years.

Stability: Windows can be less stable than Linux, with crashes and performance issues being more common.

Cost: Windows licenses can be expensive, especially for enterprise use.

Customizability: Windows is less customizable compared to Linux, which may be a drawback for some users who require specific configurations or features.

It's worth noting that the strengths and weaknesses of each operating system can vary depending on the use case and specific needs of the user. Ultimately, the choice between Linux and Windows depends on the user's preferences and requirements.


48. What is a firewall? And provide an example of how a firewall can be bypassed by an outsider to access the corporate network.

49. Besides firewalls, what other devices are used to enforce network boundaries?

50. What is the role of network boundaries in information security?

51. What does an intrusion detection system do? How does it do it?

52. What is a honeypot? What type of attack does it defend against?

53. What technologies and approaches are used to secure information and services deployed on cloud computing infrastructure?

54. What information security challenges are faced in a cloud computing environment?

55. Can you give me an overview of IP multicast?

56. How many bits do you need for a subnet size?

57. What is packet filtering?

58. Can you explain the difference between a packet filtering firewall and an application layer firewall?

59. What are the layers of the OSI model?

60. How would you login to Active Directory from a Linux or Mac box?

61. What is an easy way to configure a network to allow only a single computer to login on a particular jack?

62. What are the three ways to authenticate a person?

63. You find out that there is an active problem on your network. You can fix it, but it is out of your jurisdiction. What do you do?

64. How would you compromise an “office workstation” at a hotel?

65. What is worse in firewall detection, a false negative or a false positive? And why?

66. How would you judge if a remote server is running IIS or Apache?

67. What is the difference between an HIDS and a NIDS? 

Application security

68. Describe the last program or script that you wrote. What problem did it solve?

69. Can you briefly discuss the role of information security in each phase of the software development lifecycle?

70. How would you implement a secure login field on a high traffic website where performance is a consideration?

71. What are the various ways to handle account brute forcing?

72. What is cross-site request forgery?

73. How does one defend against CSRF?

74. If you were a site administrator looking for incoming CSRF attacks, what would you look for?

75. What’s the difference between HTTP and HTML?

76. How does HTTP handle state?

77. What exactly is cross-site scripting?

78. What’s the difference between stored and reflected XSS?

79. What are the common defenses against XSS?

80. You are remoted in to a headless system in a remote area. You have no physical access to the hardware and you need to perform an OS installation. What do you do?

81. On a Windows network, why is it easier to break into a local account than an AD account? 


Security architect


82. Explain data leakage and give examples of some of the root causes.

83. What are some effective ways to control data leakage?

84. Describe the 80/20 rule of networking.

85. What are web server vulnerabilities and name a few methods to prevent web server attacks?

86. What are the most damaging types of malware?

87. What’s your preferred method of giving remote employees access to the company network and are there any weaknesses associated with it?

88. List a couple of tests that you would do to a network to identify security flaws.

89. What kind of websites and cloud services would you block?

90. What type of security flaw is there in VPN?

91. What is a DDoS attack?

92. Can you describe the role of security operations in the enterprise?

93. What is layered security architecture? Is it a good approach? Why?

94. Have you designed security measures that span overlapping information domains? Can you give me a brief overview of the solution?

95. How do you ensure that a design anticipates human error?

96. How do you ensure that a design achieves regulatory compliance?

97. What is capability-based security? Have you incorporated this pattern into your designs? How?

98. Can you give me a few examples of security architecture requirements?

99. Who typically owns security architecture requirements and what stakeholders contribute?

100. What special security challenges does SOA present?

101. What security challenges do unified communications present?

102. Do you take a different approach to security architecture for a COTS vs a custom solution?

103. Have you architected a security solution that involved SaaS components? What challenges did you face?

104. Have you worked on a project in which stakeholders chose to accept identified security risks that worried you? How did you handle the situation?

105. You see a user logging in as root to perform basic functions. Is this a problem?

106. What is data protection in transit vs data protection at rest?

107. You need to reset a password-protected BIOS configuration. What do you do?


Risk management

108. Is there an acceptable level of risk?

109. How do you measure risk? Can you give an example of a specific metric that measures information security risk?

110. Can you give me an example of risk trade-offs (e.g. risk vs cost)?

111. What is incident management?

112. What is business continuity management? How does it relate to security?

113. What is the primary reason most companies haven’t fixed their vulnerabilities?

114. What’s the goal of information security within an organization?

115. What’s the difference between a threat, vulnerability, and a risk?

116. If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]

117. As a corporate information security professional, what’s more important to focus on: threats or vulnerabilities?

118. If I’m on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC in order to complete a traceroute to twitter.com?

119. How would you build the ultimate botnet?

120. What are the primary design flaws in HTTP, and how would you improve it?

121. If you could re-design TCP, what would you fix?

122. What is the one feature you would add to DNS to improve it the most?

123. What is likely to be the primary protocol used for the Internet of Things in 10 years?

124. If you had to get rid of a layer of the OSI model, which would it be?

125. What is residual risk?

126. What is the difference between a vulnerability and an exploit?


Security audits, testing & incident response


127. What is an IT security audit?

128. What is an RFC?

129. What type of systems should be audited?

130. Have you worked in a virtualized environment?

131. What is the most difficult part of auditing for you?

132. Describe the most difficult auditing procedure you’ve implemented.

133. What is change management?

134. What types of RFC or change management software have you used?

135. What do you do if a rollout goes wrong?

136. How do you manage system major incidents?

137. How do you ask developers to document changes?

138. How do you compare files that might have changed since the last time you looked at them?

139. Name a few types of security breaches.

140. What is a common method of disrupting enterprise systems?

141. What are some security software tools you can use to monitor the network?

142. What should you do after you suspect a network has been hacked?

143. How can you encrypt email to secure transmissions about the company?

144. What document describes steps to bring up a network that’s had a major outage?

145. How can you ensure backups are secure?

146. What is one way to do a cross-script hack?

147. How can you avoid cross script hacks?

148. How do you test information security?

149. What is the difference between black box and white box penetration testing?

150. What is a vulnerability scan?

151. In pen testing what’s better, a red team or a blue team?

152. Why would you bring in an outside contractor to perform a penetration test?


Cryptography


153. What is secret-key cryptography?

154. What is public-key cryptography?

155. What is a session key?

156. What is RSA?

157. How fast is RSA?

158. What would it take to break RSA?

159. Are strong primes necessary for RSA?

160. How large a modulus (key) should be used in RSA?

161. How large should the primes be?

162. How is RSA used for authentication in practice? What are RSA digital signatures?

163. What are the alternatives to RSA?

164. Is RSA currently in use today?

165. What are DSS and DSA?

166. What is the difference between DSA and RSA?

167. Is DSA secure?

168. What are special signature schemes?

169. What is a blind signature scheme?

170. What is a designated confirmer signature?

171. What is a fail-stop signature scheme?

172. What is a group signature?

173. What is blowfish?

174. What is SAFER?

175. What is FEAL?

176. What is Skipjack?

177. What is a stream cipher?

178. What is the advantage of public-key cryptography over secret-key cryptography?

179. What is the advantage of secret-key cryptography over public-key cryptography?

180. What is a Message Authentication Code (MAC)?

181. What is a block cipher?

182. What are different block cipher modes of operation?

183. What is a stream cipher? Name the most widely used stream cipher.

184. What is a one-way hash function?

185. What is a collision when we talk about hash functions?

186. What are the applications of a hash function?

187. What is a trapdoor function?

188. Cryptographically speaking, what is the main method of building a shared secret over a public medium?

189. What’s the difference between Diffie-Hellman and RSA?

190. What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

191. What’s the difference between encoding, encryption, and hashing?

192. In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?

193. What’s the difference between Symmetric and Asymmetric encryption?

Symmetric encryption and asymmetric encryption are two different methods of encrypting data.

Symmetric encryption, also known as shared secret encryption, uses the same key for both encryption and decryption. This means that the same key is used to encrypt the data before transmission and then decrypt it upon receipt. Symmetric encryption is fast and efficient, but it requires that both the sender and the recipient have the same key, which can be a security risk if the key is lost or intercepted.

Asymmetric encryption, also known as public-key encryption, uses two different keys for encryption and decryption. One key, called the public key, is used to encrypt the data, and the other key, called the private key, is used to decrypt it. The public key can be freely distributed, while the private key is kept secret. Asymmetric encryption is more secure than symmetric encryption, but it is also slower and more resource-intensive.

In practice, both symmetric and asymmetric encryption are often used together in what is known as a hybrid encryption system. The data is first encrypted using symmetric encryption, and then the symmetric key is encrypted using asymmetric encryption and transmitted along with the encrypted data. This provides the security of asymmetric encryption while maintaining the speed and efficiency of symmetric encryption.

194. If you had to both encrypt and compress data during transmission, which would you do first, and why?

It is generally recommended to encrypt data before compressing it. This is because encryption usually makes the data appear random, which makes it difficult for compression algorithms to reduce its size. Compressing encrypted data can actually increase its size, as the encryption process has already made the data as small as possible.

In addition, encrypting the data first provides a stronger security layer, as the data is protected in its encrypted form during compression and transmission. If the data is compressed first, it can be vulnerable to attack in its compressed form before encryption is applied.

In summary, encrypting data first and then compressing it provides a better balance between security and efficiency, as the encryption protects the data during the entire transmission process and the compression can still provide some reduction in size without compromising the encryption.

195. What is SSL and why is it not enough when it comes to encryption?

SSL (Secure Sockets Layer) is a cryptographic protocol that provides secure communication over the internet. It is designed to prevent eavesdropping, tampering, and message forgery. SSL was succeeded by TLS (Transport Layer Security), which is a more recent and improved version of the protocol.

While SSL/TLS is still widely used and provides encryption for data in transit, it is not enough when it comes to encryption. This is because SSL/TLS only encrypts the data transmitted between a client and a server and does not provide end-to-end encryption, meaning that the data is decrypted at the server and can potentially be accessed by third parties with access to the server.

In addition, SSL/TLS only provides encryption for communication, not for data at rest. For example, if sensitive data is stored on a server or transmitted over email, it is not protected by SSL/TLS encryption. To ensure full encryption of data, both in transit and at rest, additional measures such as encryption at the application layer or disk-level encryption may be required.

196. What is salting, and why is it used?

Salting is a security technique used to improve the protection of sensitive information, such as passwords, stored in a database. The process of salting involves adding a random string of characters, known as a salt, to the sensitive information before it is hashed.

The salt is then stored along with the hashed information in the database. When the information needs to be verified, the salt is added to the entered information, and the resulting hash is compared to the stored hash.

The purpose of salting is to make it more difficult for an attacker to crack the stored hashes. In the absence of salting, an attacker could precompute hashes for a large number of commonly used passwords and compare them to the hashes in a database to recover passwords. By adding a unique salt to each password, this attack becomes much more difficult, because the attacker must compute hashes for every possible salt-password combination.

In summary, salting is used to increase the security of sensitive information stored in a database by adding a unique, random string of characters to the information before it is hashed. This makes it more difficult for an attacker to crack the stored hashes and protects the sensitive information from unauthorized access.

197. What are salted hashes?

Salted hashes are a technique used for secure password storage. They involve adding a random string of data, called a salt, to a password before applying a cryptographic hash function to it. The resulting hash is then stored in a database. When a user logs in, the system adds the salt to the entered password, hashes it, and compares the result to the stored hash. This helps to protect against various attacks, such as dictionary attacks or rainbow table attacks, and makes it more difficult for attackers to access the original password even if they obtain the hashed version.

198. What is the Three-way handshake? How can it be used to create a DOS attack?

The Three-way handshake, also known as the TCP handshake, is the process used to establish a reliable and secure connection between two devices using the Transmission Control Protocol (TCP). The three-way handshake consists of the following steps:

  • The initiating device (e.g. a client) sends a SYN (Synchronize) packet to the receiving device (e.g. a server), requesting that a connection be established.
  • The receiving device sends back a SYN-ACK (Synchronize-Acknowledgment) packet to the initiating device, confirming that it is ready to receive data.
  • The initiating device sends an ACK (Acknowledgment) packet to the receiving device, acknowledging receipt of the SYN-ACK and completing the three-way handshake.

This three-way handshake is used to establish a reliable and secure connection between two devices, and it is an essential part of the TCP communication protocol.

However, it can also be used to create a Denial of Service (DoS) attack, also known as a TCP SYN Flood attack. In a TCP SYN Flood attack, an attacker floods the target device with a large number of SYN packets, causing the device to allocate resources for each incoming connection request. If the number of incoming requests exceeds the device's capacity, it can become overwhelmed and unable to respond to legitimate requests, effectively denying service to users. This type of attack can be used to disable websites, servers, and other online services.
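The half-open state that a SYN flood exploits is also what a defender can count. The following is an added example (not from the original page) that tracks each handshake through SYN, SYN-ACK and ACK over a constructed packet log and reports client addresses that leave many connections stuck after the SYN-ACK; the log format, addresses and thresholds are all constructed for the example.

```python
"""Half-open (SYN-ACK without final ACK) detection over a constructed packet log.
Added example with constructed data; log lines are "time src:port dst:port flags"."""
from collections import defaultdict

# Constructed traffic: a legitimate client completing two handshakes ...
LEGIT = [
    "0.00 10.0.0.5:51000 192.0.2.10:443 SYN",
    "0.01 192.0.2.10:443 10.0.0.5:51000 SYN-ACK",
    "0.02 10.0.0.5:51000 192.0.2.10:443 ACK",
    "0.50 10.0.0.5:51001 192.0.2.10:443 SYN",
    "0.51 192.0.2.10:443 10.0.0.5:51001 SYN-ACK",
    "0.52 10.0.0.5:51001 192.0.2.10:443 ACK",
]
# ... and a second host that opens six connections and never sends the final ACK.
FLOOD = []
for i in range(6):
    FLOOD.append(f"{1.0 + i * 0.01:.2f} 198.51.100.7:{40000 + i} 192.0.2.10:443 SYN")
    FLOOD.append(f"{1.005 + i * 0.01:.3f} 192.0.2.10:443 198.51.100.7:{40000 + i} SYN-ACK")
LOG = "\n".join(LEGIT + FLOOD)


def parse(log):
    for line in log.splitlines():
        if line.strip():
            t, src, dst, flags = line.split()
            yield float(t), src, dst, flags


def half_open_by_source(log, now, timeout=3.0):
    """Return {client_ip: count} of handshakes still waiting for the ACK after `timeout` s."""
    state = {}  # (client, server) -> (phase, time of last handshake packet)
    for t, src, dst, flags in parse(log):
        if flags == "SYN":
            state[(src, dst)] = ("syn", t)              # client asks for a connection
        elif flags == "SYN-ACK":
            key = (dst, src)                             # reply flows back to the client
            if key in state:
                state[key] = ("synack", t)               # server has allocated state
        elif flags == "ACK":
            key = (src, dst)
            if state.get(key, ("",))[0] == "synack":
                state[key] = ("established", t)          # handshake completed
    counts = defaultdict(int)
    for (client, _server), (phase, last) in state.items():
        if phase == "synack" and now - last > timeout:
            counts[client.rsplit(":", 1)[0]] += 1        # aggregate by client IP
    return dict(counts)


def flood_suspects(log, now, threshold=5, timeout=3.0):
    """Client IPs holding at least `threshold` half-open connections on the server."""
    counts = half_open_by_source(log, now, timeout)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_source(LOG, now=10.0))   # {'198.51.100.7': 6}
    print(flood_suspects(LOG, now=10.0))        # ['198.51.100.7']
```

Real floods usually spoof the source address, so the per-client count is a first signal; the total number of half-open entries on the server is what actually exhausts its connection table.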

199. What’s more secure, SSL or HTTPS?

Both SSL (Secure Sockets Layer) and HTTPS (HyperText Transfer Protocol Secure) are terms that are often used interchangeably and refer to the same technology. SSL was the original technology for secure communication on the internet, but it has since been succeeded by TLS (Transport Layer Security).

When someone refers to "SSL" or "HTTPS" they typically mean a secure communication protocol that encrypts the data transmitted between a client (e.g. a web browser) and a server (e.g. a web server). This encryption helps to protect sensitive information, such as passwords and credit card numbers, from being intercepted and read by malicious actors.

So, to answer your question: there is no real difference between SSL and HTTPS in terms of security. They both refer to the same technology for secure communication on the internet.

200. Can you describe rainbow tables?

Rainbow tables are a type of precomputed table used to reduce the amount of time needed to crack a password hash. They work by precomputing a large number of hashes for all possible password combinations, and storing the password and hash pairs in a table. When trying to crack a password hash, the attacker can look up the hash in the table and find the corresponding password, rather than having to perform a hash computation for each possible password. Rainbow tables are most effective when the hash function being used has a large number of possible outputs and when the same hash function is used for many passwords.

