1. What is Cyber Security?

Cyber Security is the practice of protecting computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It encompasses technologies, processes, and practices designed to defend against unauthorized access, damage, or theft of digital information.

Key objectives (CIA Triad):

• Confidentiality — Ensuring data is accessible only to authorized users
• Integrity — Maintaining accuracy and completeness of data; preventing unauthorized modification
• Availability — Ensuring authorized users have reliable access to information when needed

2. What is the CIA Triad?

The CIA Triad is a fundamental security model that defines three core principles of information security:

Confidentiality: Information must be kept private and protected from unauthorized disclosure. Implemented through encryption, access controls, authentication.

Integrity: Data must remain accurate, complete, and unaltered during storage and transmission. Protected through hashing, digital signatures, checksums, version control.

Availability: Systems and data must be accessible when needed by authorized users. Ensured through redundancy, backups, DDoS protection, disaster recovery planning.

Additional principles sometimes added: Authentication, Authorization, Non-repudiation

3. What is the difference between a threat, vulnerability, and risk?

Threat: A potential danger that could exploit a vulnerability to breach security and cause harm. Can be natural (flood, fire) or human (hacker, insider threat).

Examples: Malware, hackers, DDoS attacks, phishing, social engineering

Vulnerability: A weakness or gap in a system's security that can be exploited by threats. Flaws in software, hardware, or processes.

Examples: Unpatched software, weak passwords, misconfigured firewalls, SQL injection flaws

Risk: The potential for loss or damage when a threat exploits a vulnerability. Combination of likelihood and impact.

Formula: Risk = Threat × Vulnerability × Impact

4. What are the different types of hackers?

5. What is a firewall and how does it work?

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between trusted internal networks and untrusted external networks.

How it works: Examines packets and applies rules to allow or block traffic based on source/destination IP, port numbers, protocols, and application layer data.

Types:

• Packet filtering: Examines packet headers (Layer 3/4)
• Stateful inspection: Tracks connection state; more intelligent
• Proxy firewall: Intermediary between users and services (Layer 7)
• Next-Gen Firewall (NGFW): Deep packet inspection, IPS, application awareness

6. What is the difference between IDS and IPS?

IDS (Intrusion Detection System): Passively monitors network traffic and alerts administrators when suspicious activity is detected. Does not take action to block threats.

• Acts as a "burglar alarm"
• Analyzes traffic using signatures and anomaly detection
• Generates alerts for security team to investigate
• No impact on network performance

IPS (Intrusion Prevention System): Actively monitors and blocks malicious traffic in real-time. Can automatically prevent threats.

• Acts as a "burglar alarm with automatic locks"
• Sits inline with network traffic
• Can drop packets, block connections, reset sessions
• May impact performance if misconfigured

7. What is a DDoS attack?

A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming it with a flood of Internet traffic from multiple compromised systems.

How it works: Attackers use a botnet (network of compromised devices) to send massive amounts of requests, exhausting the target's resources and making it unavailable to legitimate users.

Types:

• Volume-based: UDP floods, ICMP floods — overwhelm bandwidth
• Protocol-based: SYN floods, Ping of Death — exploit protocol weaknesses
• Application layer: HTTP floods, Slowloris — target web applications

Mitigation: Rate limiting, traffic filtering, CDN with DDoS protection (Cloudflare, Akamai), blackhole routing, scrubbing centers

8. What is a VPN?

A VPN (Virtual Private Network) creates a secure, encrypted connection (tunnel) over a less secure network, typically the internet, allowing users to send and receive data as if directly connected to a private network.

How it works:

• Encrypts all data between device and VPN server
• Masks user's real IP address with VPN server IP
• Routes traffic through VPN server before reaching destination

Benefits: Privacy, security on public Wi-Fi, bypass geo-restrictions, remote access to corporate networks

Protocols: OpenVPN, IPSec, L2TP, WireGuard, PPTP

9. What is encryption?

Encryption is the process of converting plaintext (readable data) into ciphertext (unreadable format) using an algorithm and encryption key. Only authorized parties with the decryption key can convert it back to plaintext.

Purpose: Protect confidentiality of data during storage (data at rest) and transmission (data in transit)

Two main types:

• Symmetric encryption: Same key for encryption and decryption (AES, DES, 3DES)
• Asymmetric encryption: Public key for encryption, private key for decryption (RSA, ECC)

10. What is the difference between symmetric and asymmetric encryption?

11. What is hashing?

Hashing is the process of converting input data of any size into a fixed-size string of characters (hash value or digest) using a mathematical algorithm. It's a one-way function — you cannot reverse a hash to get the original data.

Properties of good hash functions:

• Deterministic: Same input always produces same hash
• Fast computation: Quick to compute hash value
• Avalanche effect: Small input change produces drastically different hash
• Collision resistant: Hard to find two inputs with same hash
• Irreversible: Cannot derive input from hash

Common algorithms: MD5 (weak), SHA-1 (deprecated), SHA-256, SHA-3, bcrypt

Uses: Password storage, data integrity verification, digital signatures, blockchain

12. What is a digital signature?

A digital signature is a cryptographic technique that verifies the authenticity and integrity of a digital message or document. It proves that the message came from the claimed sender and wasn't altered.

How it works:

• Sender hashes the message
• Sender encrypts hash with their private key → this is the digital signature
• Recipient decrypts signature using sender's public key to get hash
• Recipient independently hashes the received message
• If both hashes match → signature valid, message authentic and unaltered

Benefits: Authentication (proves sender), integrity (detects tampering), non-repudiation (sender can't deny sending)

13. What is SQL Injection?

SQL Injection is a web security vulnerability that allows attackers to interfere with database queries by injecting malicious SQL code through application input fields.

Example vulnerable code:

query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"

Attack input: Username: admin' OR '1'='1, Password: anything

Resulting query:

SELECT * FROM users WHERE username = 'admin' OR '1'='1' AND password = 'anything'

This bypasses authentication because '1'='1' is always true.

Prevention: Parameterized queries (prepared statements), input validation, least privilege database accounts, WAF, ORM frameworks

14. What is Cross-Site Scripting (XSS)?

XSS is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. The victim's browser executes the attacker's script, compromising their session.

Types:

1. Stored XSS: Malicious script permanently stored on target server (database, forum post). Most dangerous.

2. Reflected XSS: Script reflected off web server in error message, search result. Requires victim to click malicious link.

3. DOM-based XSS: Vulnerability in client-side code. Script executes as result of modifying DOM environment.

Impact: Session hijacking, credential theft, defacement, malware distribution

Prevention: Input validation, output encoding, Content Security Policy (CSP), HTTPOnly cookies, sanitize user input

15. What is Cross-Site Request Forgery (CSRF)?

CSRF is an attack that tricks a victim into performing unwanted actions on a web application where they're authenticated. The attacker exploits the victim's authenticated session.

How it works:

• Victim logs into legitimate site (bank.com) and receives session cookie
• Attacker tricks victim into visiting malicious site or clicking malicious link
• Malicious page sends forged request to bank.com using victim's credentials
• Bank processes request as if victim intentionally made it

Example attack: <img src="https://bank.com/transfer?to=attacker&amount=1000">

Prevention: CSRF tokens (unpredictable tokens in forms), SameSite cookie attribute, verify origin/referer headers, re-authentication for sensitive actions

16. What is the OWASP Top 10?

The OWASP Top 10 is a standard awareness document listing the most critical web application security risks, published by the Open Web Application Security Project.

OWASP Top 10 (2021):

• A01: Broken Access Control — Users acting outside intended permissions
• A02: Cryptographic Failures — Weak encryption, exposed sensitive data
• A03: Injection — SQL, NoSQL, OS command injection
• A04: Insecure Design — Missing security controls in design phase
• A05: Security Misconfiguration — Improper security settings
• A06: Vulnerable Components — Using outdated, vulnerable libraries
• A07: Identification & Authentication Failures — Weak auth mechanisms
• A08: Software & Data Integrity Failures — Untrusted pipelines, unsigned code
• A09: Security Logging & Monitoring Failures — Insufficient logging
• A10: Server-Side Request Forgery (SSRF) — Fetching malicious remote resources

17. What are the different types of malware?

• Virus: Attaches to files/programs; spreads when executed; requires host file
• Worm: Self-replicating; spreads independently without host; exploits network vulnerabilities
• Trojan: Disguises as legitimate software; doesn't self-replicate; creates backdoors
• Ransomware: Encrypts files and demands payment for decryption key (e.g., WannaCry)
• Spyware: Monitors user activity and collects information secretly
• Adware: Displays unwanted advertisements; can track browsing
• Rootkit: Hides presence of malware; provides privileged access; hard to detect
• Keylogger: Records keystrokes to steal passwords and sensitive data
• Botnet: Network of infected computers controlled remotely for attacks

18. What is phishing?

Phishing is a social engineering attack where attackers impersonate trusted entities to trick victims into revealing sensitive information like passwords, credit card numbers, or downloading malware.

Common methods:

• Email phishing: Mass emails pretending to be from legitimate organizations
• Spear phishing: Targeted attacks on specific individuals/organizations
• Whaling: Targets high-profile individuals (executives, celebrities)
• Vishing: Voice phishing via phone calls
• Smishing: SMS/text message phishing
• Clone phishing: Duplicates legitimate emails with malicious modifications

Red flags: Urgent language, suspicious sender, grammar errors, mismatched URLs, unexpected attachments

Prevention: Security awareness training, email filtering, multi-factor authentication, verify sender independently

19. What is a zero-day vulnerability?

A zero-day vulnerability is a security flaw in software that is unknown to the vendor and has no available patch. Attackers discover and exploit it before developers can fix it.

Why "zero-day": Vendors have "zero days" to fix the vulnerability before it's exploited.

Zero-day attack: Exploitation of a zero-day vulnerability before a patch is available.

Why dangerous: No defense exists; widely deployed software affected; often sold on dark web; used in targeted attacks

Defense: Security monitoring, behavior-based detection, network segmentation, least privilege, keep systems updated

20. What is penetration testing?

Penetration testing (pen testing) is an authorized simulated cyberattack on a system to identify exploitable vulnerabilities before malicious hackers do. Ethical hackers attempt to breach security using the same techniques as attackers.

Types:

• Black box: No prior knowledge; simulates external attacker
• White box: Full knowledge of system; thorough testing
• Grey box: Partial knowledge; simulates insider threat

Phases: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Covering Tracks → Reporting

Tools: Metasploit, Burp Suite, Nmap, Wireshark, Kali Linux

21. What is the difference between vulnerability assessment and penetration testing?

22. What is a WAF (Web Application Firewall)?

A WAF is a security solution that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application. It sits between web applications and the internet, protecting against attacks like SQL injection, XSS, and CSRF.

How it differs from network firewall: Network firewall operates at network/transport layer (Layer 3/4); WAF operates at application layer (Layer 7) with deep understanding of HTTP traffic.

Deployment modes:

• Network-based: Hardware appliance on-premises
• Host-based: Software integrated with application
• Cloud-based: Managed service (Cloudflare, AWS WAF)

Detection methods: Signature-based (known attack patterns), Anomaly-based (unusual behavior), Hybrid

23. What is SIEM?

SIEM (Security Information and Event Management) is a solution that aggregates and analyzes security data from multiple sources across an organization in real-time, providing centralized visibility and threat detection.

Core functions:

• Log aggregation: Collects logs from firewalls, servers, applications, endpoints
• Normalization: Standardizes data from different sources
• Correlation: Connects related events to identify attack patterns
• Alerting: Notifies security team of potential threats
• Dashboards: Visualizes security posture and incidents
• Compliance reporting: Helps meet regulatory requirements

Popular SIEM solutions: Splunk, IBM QRadar, ArcSight, LogRhythm, Elastic SIEM

24. What is incident response?

Incident response is the structured approach to handling and managing security breaches or cyberattacks, aimed at limiting damage, reducing recovery time and costs, and preventing future incidents.

NIST Incident Response Lifecycle:

• 1. Preparation: Develop policies, train team, deploy tools, create playbooks
• 2. Detection & Analysis: Identify potential incidents, analyze indicators of compromise (IOCs), determine scope and severity
• 3. Containment: Short-term (isolate affected systems) and Long-term (apply patches, rebuild systems)
• 4. Eradication: Remove malware, close vulnerabilities, eliminate root cause
• 5. Recovery: Restore systems to normal operation, monitor for recurrence
• 6. Post-Incident Activity: Document lessons learned, update procedures, improve defenses

25. What is digital forensics?

Digital forensics is the process of collecting, preserving, analyzing, and presenting digital evidence from computers, networks, mobile devices, and other digital media to investigate cybercrimes and security incidents.

Key principles:

• Chain of custody: Documented handling of evidence to maintain integrity
• Non-alteration: Evidence must not be modified during investigation
• Repeatability: Analysis process must be reproducible
• Documentation: Detailed records of all procedures

Types: Computer forensics, Network forensics, Mobile forensics, Memory forensics, Cloud forensics

Tools: EnCase, FTK (Forensic Toolkit), Autopsy, Volatility (memory analysis), Wireshark (network)

26. What is Multi-Factor Authentication (MFA)?

MFA is a security mechanism that requires two or more verification factors to gain access to a system, significantly reducing risk of unauthorized access even if passwords are compromised.

Three factor categories:

• Something you know: Password, PIN, security question
• Something you have: Phone, hardware token, smart card, authenticator app
• Something you are: Biometrics (fingerprint, facial recognition, iris scan)

Common implementations: SMS code, authenticator app (Google Authenticator, Authy), hardware tokens (YubiKey), biometric verification

Why important: Passwords alone are weak; 81% of breaches involve stolen/weak passwords; MFA blocks 99.9% of automated attacks

27. What is the principle of least privilege?

The principle of least privilege states that users, programs, and processes should have only the minimum access rights necessary to perform their legitimate functions — nothing more.

Benefits:

• Limits damage from accidents or attacks
• Reduces attack surface
• Minimizes malware spread
• Improves system stability
• Helps meet compliance requirements

Implementation: Role-based access control (RBAC), just-in-time access, regular access reviews, separate admin accounts from regular accounts

28. What is Single Sign-On (SSO)?

SSO is an authentication method that allows users to access multiple applications with one set of credentials. Users log in once and gain access to all connected systems without re-authenticating.

How it works:

• User authenticates with identity provider (IdP)
• IdP creates authentication token
• Token shared with service providers (applications)
• Applications trust IdP and grant access based on token

Protocols: SAML, OAuth 2.0, OpenID Connect

Benefits: Better user experience, reduced password fatigue, centralized access management, improved security (fewer passwords to manage)

Risk: Single point of failure — if SSO credentials compromised, all connected services at risk (mitigated with MFA)

29. What is GDPR?

GDPR (General Data Protection Regulation) is a comprehensive data privacy law in the European Union that regulates how organizations collect, store, process, and protect personal data of EU residents.

Key principles:

• Lawfulness, fairness, transparency in data processing
• Purpose limitation (data collected for specific purposes)
• Data minimization (collect only what's necessary)
• Accuracy (keep data accurate and up-to-date)
• Storage limitation (don't keep data longer than needed)
• Integrity and confidentiality (security measures)
• Accountability (demonstrate compliance)

Individual rights: Right to access, right to be forgotten, data portability, breach notification within 72 hours

Penalties: Up to €20 million or 4% of global revenue (whichever is higher)

30. What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect cardholder data and ensure secure payment card transactions.

12 Requirements (6 control objectives):

• Build and maintain secure network: Install/maintain firewall, don't use vendor defaults
• Protect cardholder data: Protect stored data, encrypt transmission
• Maintain vulnerability management: Use anti-virus, develop secure systems
• Implement strong access controls: Restrict data access, assign unique IDs, restrict physical access
• Monitor and test networks: Track/monitor access, test security systems
• Maintain information security policy: Maintain policy for all personnel

Who must comply: Any organization that stores, processes, or transmits cardholder data

31. What is Zero Trust security?

Zero Trust is a security framework based on the principle "never trust, always verify" — assuming no user or device should be automatically trusted, even if inside the network perimeter.

Core principles:

• Verify explicitly (authenticate and authorize based on all available data)
• Use least privilege access (limit user access with just-in-time/just-enough-access)
• Assume breach (minimize blast radius, segment access, verify end-to-end encryption)

Key components: Identity verification, device security posture, network segmentation, continuous monitoring, data encryption

Shift from traditional: Old model trusted internal network; Zero Trust treats all networks as hostile

32. What are the security challenges in cloud computing?

• Data breaches: Sensitive data stored in cloud vulnerable to unauthorized access
• Misconfiguration: S3 buckets left public, weak access controls (leading cause of breaches)
• Lack of visibility: Difficult to monitor data across distributed cloud environments
• Compliance issues: Meeting regulatory requirements across jurisdictions
• Shared responsibility confusion: Unclear division of security duties between provider and customer
• Account hijacking: Stolen credentials provide access to cloud resources
• Insider threats: Malicious or negligent employees
• API vulnerabilities: Weak API security exposing cloud services

Mitigation: Cloud Security Posture Management (CSPM), encryption, IAM best practices, security monitoring, regular audits

33. How would you secure a web application?

Multi-layered approach:

• Input validation: Validate all user inputs, whitelist approach
• Authentication: Implement MFA, strong password policies, secure session management
• Authorization: Enforce least privilege, role-based access control
• Data protection: Encrypt sensitive data at rest and in transit (TLS/SSL)
• Security headers: Content-Security-Policy, X-Frame-Options, X-XSS-Protection
• API security: Rate limiting, input validation, OAuth/API keys
• Dependency management: Keep libraries updated, scan for vulnerabilities
• Logging & monitoring: Track security events, implement SIEM
• WAF deployment: Filter malicious traffic
• Regular testing: Vulnerability assessments, penetration testing
• Secure SDLC: Security integrated from design phase

34. What should you do if you suspect a system has been compromised?

Immediate response steps:

• 1. Identify & verify: Confirm the compromise, determine scope
• 2. Contain: Isolate affected systems from network (don't power off — preserves memory evidence)
• 3. Notify: Alert incident response team, management, potentially law enforcement
• 4. Preserve evidence: Take memory dumps, disk images, capture network traffic
• 5. Analyze: Investigate how breach occurred, what data was accessed
• 6. Eradicate: Remove malware, close vulnerabilities, change credentials
• 7. Recover: Restore from clean backups, rebuild compromised systems
• 8. Monitor: Watch for signs of persistence or re-infection
• 9. Document: Record all actions for legal/compliance purposes
• 10. Post-mortem: Lessons learned, improve security posture

35. How do you stay updated with cybersecurity trends?

Continuous learning sources:

• News sites: Krebs on Security, The Hacker News, Bleeping Computer, Dark Reading
• Vulnerability databases: CVE, NVD, Exploit-DB
• Security blogs: SANS Internet Storm Center, Schneier on Security
• Podcasts: Darknet Diaries, Security Now, Risky Business
• Conferences: Black Hat, DEF CON, RSA Conference
• Certifications: CISSP, CEH, OSCP, Security+, CISM
• Online training: TryHackMe, HackTheBox, Cybrary
• Communities: Reddit r/netsec, Twitter security community, local meetups
• Mailing lists: US-CERT, vendor security advisories