20 Advanced Cybersecurity Interview Questions to Land Your Dream Job in 2024


1. What is the difference between IDS and IPS? How are they deployed?

  • Answer:
    • IDS (Intrusion Detection System): Monitors network traffic for suspicious activities and sends alerts. It’s a passive system.
    • IPS (Intrusion Prevention System): Actively analyzes and takes actions, such as blocking malicious traffic. It’s an active system.
    • Deployment: IDS is deployed out-of-band, while IPS is placed inline with traffic to analyze packets in real time.

2. Explain the concept of Zero Trust Architecture.

  • Answer:
    Zero Trust Architecture ensures no user or device is trusted by default, even inside the network. It requires continuous verification of identity, strict access controls, and least privilege principles for every resource request.

3. How does DNS tunneling work as a cyberattack method?

  • Answer:
    DNS tunneling encodes malicious payloads or data within DNS queries and responses. Attackers use this covert channel to exfiltrate data or establish command-and-control communication.
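
The defender's side of this: tunneled traffic leaves measurable traces in query logs, notably long, high-entropy labels, many distinct subdomains of one registered domain, and record types with room for a payload. The following is an added example (not part of the original post) that scores a constructed log sample on those traits; the log format, the thresholds and the two-label approximation of a registered domain are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (client, query type, name); not real traffic.
SAMPLE_LOG = """\
10.0.0.12 A www.example.com
10.0.0.12 A mail.example.com
10.0.0.12 TXT 4a7b9c2d1e0f8a6b5c4d3e2f1a0b9c8d7e6f5a4b.tunnel.example.net
10.0.0.12 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc.tunnel.example.net
10.0.0.12 TXT 0123456789abcdef0123456789abcdef01234567.tunnel.example.net
10.0.0.12 TXT fedcba9876543210fedcba9876543210fedcba98.tunnel.example.net
10.0.0.33 A cdn.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels look far more random than real hostnames."""
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in Counter(s).values()) if n else 0.0

def registered_domain(name: str) -> str:
    """Last two labels as a crude stand-in for the registrable domain (assumption: no public-suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def score_query(name: str, qtype: str) -> list:
    """Reasons a single query looks like a tunneling candidate (empty list if none)."""
    labels = name.rstrip(".").split(".")
    sub = ".".join(labels[:-2])            # everything below the registered domain
    reasons = []
    if any(len(label) > 30 for label in labels):
        reasons.append("long-label")        # encoded chunks push labels toward the 63-byte limit
    if len(sub) >= 16 and shannon_entropy(sub) > 3.5:
        reasons.append("high-entropy-subdomain")
    if qtype in ("TXT", "NULL", "CNAME") and sub:
        reasons.append(f"unusual-qtype:{qtype}")  # record types with room for a response payload
    return reasons

def detect_tunneling(log_text: str, min_hits: int = 3) -> dict:
    """Group suspicious queries by registered domain; report domains seen at least min_hits times."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, name = parts
        reasons = score_query(name, qtype)
        if reasons:
            hits[registered_domain(name)].append((client, name, reasons))
    return {domain: qs for domain, qs in hits.items() if len(qs) >= min_hits}
```

On the sample, only `example.net` is reported; the ordinary `A` lookups produce no reasons at all. In production the thresholds would be tuned against a baseline of the organization's own legitimate long-name traffic (CDNs and anti-spam lookups are common false positives).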

4. What is a security onion, and how does it enhance cybersecurity?

  • Answer:
    The security onion is a layered approach to cybersecurity, comprising multiple defensive measures like firewalls, intrusion detection/prevention systems, and endpoint protection. Each layer provides a fallback if one defense is breached.

5. Explain the importance of the MITRE ATT&CK framework.

  • Answer:
    MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques. It helps organizations understand and detect threats by mapping attacks to known behaviors, improving incident response and threat hunting strategies.

6. What is the difference between symmetric and asymmetric encryption? Provide examples.

  • Answer:
    • Symmetric Encryption: Uses the same key for encryption and decryption (e.g., AES, DES). Faster, but less scalable because every pair of parties must share a key.
    • Asymmetric Encryption: Uses a public and private key pair (e.g., RSA, ECC). Slower but supports secure key exchange.

7. How do you defend against a ransomware attack?

  • Answer:
    • Regularly back up data and test recovery.
    • Implement endpoint protection and email filtering.
    • Segment networks to limit lateral movement.
    • Patch vulnerabilities promptly.
    • Train users to recognize phishing attempts.

8. Describe the difference between black-box, white-box, and gray-box penetration testing.

  • Answer:
    • Black-Box Testing: Tester has no prior knowledge of the system. Mimics external attacks.
    • White-Box Testing: Tester has full access to source code and architecture. Evaluates internal vulnerabilities.
    • Gray-Box Testing: Tester has partial knowledge, combining internal and external perspectives.

9. How does OAuth 2.0 enhance security for APIs?

  • Answer:
    OAuth 2.0 enables secure, delegated access to APIs without exposing user credentials. It uses access tokens to grant permissions, ensuring limited and controlled access.

10. What are the key steps in an incident response process?

  • Answer:
    1. Preparation
    2. Detection and Analysis
    3. Containment
    4. Eradication
    5. Recovery
    6. Lessons Learned

11. Explain the difference between stored and reflected XSS.

  • Answer:
    • Stored XSS: Malicious script is stored on the server and executed when the victim accesses the page.
    • Reflected XSS: Malicious script is part of the request and reflected back to the user, typically via a URL parameter.
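
Both variants share one root cause and one fix: untrusted input reaches an HTML sink without output encoding. The added example below (not part of the original post) models a stored flow (comment saved, then rendered to every visitor) and a reflected flow (query parameter echoed in the response) against a vulnerable renderer and an escaping one; the templates, URL and marker payload are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed marker input; it only shows whether a tag survives into the output.
PAYLOAD = '<img src=x onerror="alert(1)">'
# Same marker percent-encoded in a constructed request URL (reflected path).
SEARCH_URL = "https://app.example/search?q=%3Cimg%20src%3Dx%20onerror%3D%22alert(1)%22%3E"

def render_vulnerable(template: str, value: str) -> str:
    """Interpolates untrusted input straight into HTML: the bug behind both XSS variants."""
    return template.replace("{{value}}", value)

def render_safe(template: str, value: str) -> str:
    """Output-encode for the HTML text/attribute context at the moment of rendering."""
    return template.replace("{{value}}", html.escape(value, quote=True))

# Stored XSS: the input is persisted first, then rendered to every visitor of the page.
COMMENT_STORE: list[str] = []

def post_comment(text: str) -> None:
    COMMENT_STORE.append(text)  # storing raw text is fine; encoding belongs at the sink

def comments_page(render) -> str:
    return "".join(render("<li>{{value}}</li>", c) for c in COMMENT_STORE)

# Reflected XSS: the input rides in the request itself and is echoed back in the response.
def search_page(url: str, render) -> str:
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return render("<p>Results for: {{value}}</p>", q)

def contains_active_content(rendered: str) -> bool:
    """Crude detection check: does the raw tag survive into the output?"""
    return "<img" in rendered
```

With `render_safe` the text is still displayed, but as `&lt;img ...&gt;`, so the browser treats it as data rather than markup. A Content Security Policy and `HttpOnly` cookies reduce the impact if an encoding step is ever missed, but they do not replace it.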

12. What is the role of a Security Information and Event Management (SIEM) system?

  • Answer:
    A SIEM system collects, correlates, and analyzes security data from various sources in real time, helping detect and respond to potential threats. It centralizes log management and provides actionable insights.

13. How does a buffer overflow attack work, and how can it be mitigated?

  • Answer:
    • How It Works: Input larger than a fixed-size buffer overwrites adjacent memory (for example a saved return address), leading to crashes or arbitrary code execution.
    • Mitigation: Use bounds checking, ASLR (Address Space Layout Randomization), and compile-time protections like stack canaries.

14. What is the difference between risk, vulnerability, and threat in cybersecurity?

  • Answer:
    • Risk: The potential for damage if a threat exploits a vulnerability.
    • Vulnerability: A weakness in a system.
    • Threat: A potential actor or event capable of exploiting a vulnerability.

15. What is a side-channel attack? Provide examples.

  • Answer:
    A side-channel attack exploits unintended information leakage (e.g., timing, power consumption) to deduce secrets. Examples include timing attacks on cryptographic algorithms and electromagnetic analysis.
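
The timing case is easiest to see in code. The added example below (not part of the original post) counts how many bytes each comparison examines, which is a proxy for the time it takes: an early-exit comparison does work proportional to the matching prefix, so its timing leaks the secret byte by byte, while the constant-time version always does the same work. The secret value is constructed for illustration.

```python
import hmac

def leaky_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined): the work done, and so the
    time taken, depends on how long the guess matches the secret's prefix."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)

def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examines every byte regardless of where a mismatch occurs; differences are folded
    into one accumulator so there is no data-dependent branch in the loop."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)

def verify_tag(expected_tag: bytes, presented: bytes) -> bool:
    """What production code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(expected_tag, presented)

# Constructed demonstration secret (not a real key or tag).
SECRET = bytes.fromhex("a3f1c9d2e5b7")

def prefix_work(cmp, secret: bytes) -> list:
    """Bytes examined by cmp for guesses that match 0, 1, 2, ... leading bytes of secret;
    a rising sequence means an attacker can confirm one byte at a time."""
    results = []
    for k in range(len(secret) + 1):
        guess = secret[:k] + bytes(b ^ 0xFF for b in secret[k:])  # correct prefix, wrong tail
        results.append(cmp(secret, guess)[1])
    return results
```

For the six-byte secret, `prefix_work(leaky_equal, SECRET)` climbs 1, 2, 3, 4, 5, 6, 6 while `prefix_work(constant_time_equal, SECRET)` is 6 every time. Real measurements are noisier than a byte count, but the leak is statistical, and many samples per guess recover it.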

16. What is the difference between hashing and encryption?

  • Answer:
    • Hashing: Converts data into a fixed-length hash. It’s irreversible and used for integrity checks (e.g., SHA-256).
    • Encryption: Converts data into ciphertext for confidentiality and can be reversed with the appropriate key.

17. Explain the principle of least privilege (PoLP). Why is it important?

  • Answer:
    PoLP ensures that users or processes only have the minimum access necessary to perform their functions. It minimizes attack surfaces and reduces potential damage from insider threats or compromised accounts.

18. What is a Man-in-the-Middle (MITM) attack, and how can it be prevented?

  • Answer:
    An MITM attack involves intercepting and potentially altering communications between two parties. Prevention includes using HTTPS, VPNs, secure DNS, and implementing mutual authentication.

19. How do you secure containers in a DevOps environment?

  • Answer:
    • Use trusted container images.
    • Regularly scan images for vulnerabilities.
    • Limit container privileges.
    • Implement network segmentation.
    • Monitor container activity using tools like Falco or Sysdig.

20. What is the role of a Threat Intelligence Platform (TIP)?

  • Answer:
    A TIP aggregates, analyzes, and shares threat intelligence from multiple sources to help organizations identify and respond to emerging threats proactively. It aids in prioritizing threats based on risk and relevance.