INTERVIEW PREPARATION FOR CYBER SECURITY

Q. What is Cryptography?
Cryptography is the practice and study of techniques for securing information and
communication mainly to protect the data from third parties that the data is not intended for.
Q. What is the difference between Symmetric and Asymmetric encryption?

Q. What is the difference between IDS and IPS?

IDS is Intrusion Detection System and it only detects intrusions, and the administrator must take
care of preventing the intrusion. Whereas, in IPS i.e., Intrusion Prevention System, the system
detects the intrusion and takes actions to prevent the intrusion.
Q. Explain CIA triad.
CIA stands for Confidentiality, Integrity, and Availability. CIA is a model that is designed to
guide policies for Information Security. It is one of the most popular models used by
organizations.
Confidentiality
The information should be accessible and readable only to authorized personnel. It should not
be accessible by unauthorized personnel. The information should be strongly encrypted just in
case someone uses hacking to access the data so that even if the data is accessed, it is not
readable or understandable.
Integrity
Making sure the data has not been modified by an unauthorized entity. Integrity ensures that
data is not corrupted or modified by unauthorized personnel. If an authorized
individual/system is trying to modify the data and the modification wasn’t successful, then the
data should be reversed back and should not be corrupted.
Availability
The data should be available to the user whenever the user requires it. Maintaining of
Hardware, upgrading regularly, Data Backups and Recovery, Network Bottlenecks should be
taken care of.
Q. How is Encryption different from Hashing?
Both Encryption and Hashing are used to convert readable data into an unreadable format.
The difference is that the encrypted data can be converted back to original data by the
process of decryption but the hashed data cannot be converted back to original data.
6. What is a Firewall and why is it used?
A Firewall is a network security system set on the boundaries of the system/network that
monitors and controls network traffic. Firewalls are mainly used to protect the system/network
from viruses, worms, malware, etc. Firewalls can also be to prevent remote access and
content filtering.
7. What is the difference between VA(Vulnerability Assessment) and PT(Penetration Testing)?
Vulnerability Assessment is the process of finding flaws on the target. Here, the organization
knows that their system/network has flaws or weaknesses and want to find these flaws and
prioritize the flaws for fixing.
Penetration Testing is the process of finding vulnerabilities on the target. In this case, the
organization would have set up all the security measures they could think of and would want
to test if there is any other way that their system/network can be hacked.
8. What is a three-way handshake?
A three-way handshake is a method used in a TCP/IP network to create a connection
between a host and a client. It’s called a three-way handshake because it is a three-step
method in which the client and server exchanges packets. The three steps are as follows:
1. The client sends a SYN(Synchronize) packet to the server check if the server is up or has
open ports
2. The server sends SYN-ACK packet to the client if it has open ports
3. The client acknowledges this and sends an ACK(Acknowledgment) packet back to the
server
9. What are the response codes that can be received from a Web Application?
1xx – Informational responses
2xx – Success
3xx – Redirection
4xx – Client-side error
5xx – Server-side error
10. What is traceroute? Why is it used?
Traceroute is a tool that shows the path of a packet. It lists all the points (mainly routers) that
the packet passes through. This is used mostly when the packet is not reaching its destination.
Traceroute is used to check where the connection stops or breaks to identify the point of
failure.
11. What is the difference between HIDS and NIDS?
HIDS(Host IDS) and NIDS(Network IDS) are both Intrusion Detection System and work for the
same purpose i.e., to detect the intrusions. The only difference is that the HIDS is set up on a
particular host/device. It monitors the traffic of a particular device and suspicious system
activities. On the other hand, NIDS is set up on a network. It monitors traffic of all device of the
network.
12. What are the steps to set up a firewall?
Following are the steps to set up a firewall:
1. Username/password: modify the default password for a firewall device
2. Remote administration: Disable the feature of the remote administration
3. Port forwarding: Configure appropriate port forwarding for certain applications to work
properly, such as a web server or FTP server
4. DHCP server: Installing a firewall on a network with an existing DHCP server will cause
conflict unless the firewall’s DHCP is disabled
5. Logging: To troubleshoot firewall issues or potential attacks, ensure that logging is
enabled and understand how to view logs
6. Policies: You should have solid security policies in place and make sure that the firewall
is configured to enforce those policies.
13. Explain SSL Encryption
SSL(Secure Sockets Layer) is the industry-standard security technology creating encrypted
connections between Web Server and a Browser. This is used to maintain data privacy and to
protect the information in online transactions. The steps for establishing an SSL connection is
as follows:
1. A browser tries to connect to the webserver secured with SSL
2. The browser sends a copy of its SSL certificate to the browser
3. The browser checks if the SSL certificate is trustworthy or not. If it is trustworthy, then the
browser sends a message to the web server requesting to establish an encrypted
connection
4. The web server sends an acknowledgment to start an SSL encrypted connection
5. SSL encrypted communication takes place between the browser and the web server
14. What steps will you take to secure a server?
Secure servers use the Secure Sockets Layer (SSL) protocol for data encryption and decryption
to protect data from unauthorized interception.
Here are four simple ways to secure server:
Step 1: Make sure you have a secure password for your root and administrator users
Step 2: The next thing you need to do is make new users on your system. These will be the users
you use to manage the system
Step 3: Remove remote access from the default root/administrator accounts
Step 4: The next step is to configure your firewall rules for remote access
15. Explain Data Leakage
Data Leakage is an intentional or unintentional transmission of data from within the
organization to an external unauthorized destination. It is the disclosure of confidential
information to an unauthorized entity. Data Leakage can be divided into 3 categories based
on how it happens:
1. Accidental Breach: An entity unintentionally send data to an unauthorized person due
to a fault or a blunder
2. Intentional Breach: The authorized entity sends data to an unauthorized entity on
purpose
3. System Hack: Hacking techniques are used to cause data leakage
Data Leakage can be prevented by using tools, software, and strategies known as DLP(Data
Leakage Prevention) Tools.
16. What are some of the common Cyberattacks?
Following are some common cyber attacks that could adversely affect your system.

17. What is a Brute Force Attack? How can you prevent it?
Brute Force is a way of finding out the right credentials by repetitively trying all the
permutations and combinations of possible credentials. In most cases, brute force attacks are
automated where the tool/software automatically tries to login with a list of credentials. There
are various ways to prevent Brute Force attacks. Some of them are:
 Password Length: You can set a minimum length for password. The lengthier the
password, the harder it is to find.
 Password Complexity: Including different formats of characters in the password makes
brute force attacks harder. Using alpha-numeric passwords along with special
characters, and upper and lower case characters increase the password complexity
making it difficult to be cracked.
 Limiting Login Attempts: Set a limit on login failures. For example, you can set the limit on
login failures as 3. So, when there are 3 consecutive login failures, restrict the user from
logging in for some time, or send an Email or OTP to use to log in the next time. Because
brute force is an automated process, limiting login attempts will break the brute force
process.
18. What is Port Scanning?
Port Scanning is the technique used to identify open ports and service available on a host.
Hackers use port scanning to find information that can be helpful to exploit vulnerabilities.
Administrators use Port Scanning to verify the security policies of the network. Some of the
common Port Scanning Techniques are:
1. Ping Scan
2. TCP Half-Open
3. TCP Connect
4. UDP
5. Stealth Scanning
19. What are the different layers of the OSI model?
An OSI model is a reference model for how applications communicate over a network. The
purpose of an OSI reference is to guide vendors and developers so the digital communication
products and software programs can interoperate.
Following are the OSI layers:
Physical Layer: Responsible for transmission of digital data from sender to receiver through the
communication media,

Data Link Layer: Handles the movement of data to and from the physical link. It is also
responsible for encoding and decoding of data bits.

Network Layer: Responsible for packet forwarding and providing routing paths for network
communication.

Transport Layer: Responsible for end-to-end communication over the network. It splits the data
from the above layer and passes it to the Network Layer and then ensures that all the data
has successfully reached at the receiver’s end.

Session Layer: Controls connection between the sender and the receiver. It is responsible for
starting, ending, and managing the session and establishing, maintaining and synchronizing
interaction between the sender and the receiver.

Presentation Layer: It deals with presenting the data in a proper format and data structure
instead of sending raw datagrams or packets.

Application Layer: It provides an interface between the application and the network. It
focuses on process-to-process communication and provides a communication interface.

20. What is a VPN?

VPN stands for Virtual Private Network. It is used to create a safe and encrypted connection.
When you use a VPN, the data from the client is sent to a point in the VPN where it is encrypted
and then sent through the internet to another point. At this point, the data is decrypted and
sent to the server. When the server sends a response, the response is sent to a point in the VPN
where it is encrypted and this encrypted data is sent to another point in the VPN where it is
decrypted. And finally, the decrypted data is sent to the client. The whole point of using a VPN
is to ensure encrypted data transfer.
21. What do you understand by Risk, Vulnerability & Threat in a network?
Threat: Someone with the potential to harm a system or an organization
Vulnerability: Weakness in a system that can be exploited by a potential hacker
Risk: Potential for loss or damage when threat exploits a vulnerability

22. How can identity theft be prevented?

 Ensure strong and unique password

 Avoid sharing confidential information online, especially on social media
 Shop from known and trusted websites
 Use the latest version of the browsers
 Install advanced malware and spyware tools
 Use specialized security solutions against financial data
 Always update your system and the software
 Protect your SSN (Social Security Number)

23. What are black hat, white hat and grey hat hackers?
Black hat hackers are known for having vast knowledge about breaking into computer
networks. They can write malware which can be used to gain access to these systems. This
type of hackers misuse their skills to steal information or use the hacked system for malicious
purpose.

White hat hackers use their powers for good deeds and so they are also called Ethical
Hackers. These are mostly hired by companies as a security specialist that attempts to find
and fix vulnerabilities and security holes in the systems. They use their skills to help make the
security better.

Grey hat hackers are an amalgamation of a white hat and black hat hacker. They look for
system vulnerabilities without the owner’s permission. If they find any vulnerabilities, they report
it to the owner. Unlike Black hat hackers, they do not exploit the vulnerabilities found.

24. How often should you perform Patch management?

Patch management should be done as soon as it is released. For windows, once the patch is
released it should be applied to all machines, not later than one month. Same goes for
network devices, patch it as soon as it is released. Proper patch management should be
followed.

25. How would you reset a password-protected BIOS configuration?

Since BIOS is a pre-boot system it has its own storage mechanism for settings and preferences.
A simple way to reset is by popping out the CMOS battery so that the memory storing the
settings lose its power supply and as a result, it will lose its setting.

26. Explain MITM attack and how to prevent it?

A MITM(Man-in-the-Middle) attack is a type of attack where the hacker places himself in
between the communication of two parties and steal the information. Suppose there are two
parties A and B having a communication. Then the hacker joins this communication. He
impersonates as party B to A and impersonates as party A in front of B. The data from both the
parties are sent to the hacker and the hacker redirects the data to the destination party after
stealing the data required. While the two parties think that they are communicating with each
other, in reality, they are communicating with the hacker.

You can prevent MITM attack by using the following practices:

 Use VPN
 Use strong WEP/WPA encryption
 Use Intrusion Detection Systems
 Force HTTPS
 Public Key Pair Based Authentication

27. Explain DDOS attack and how to prevent it?

A DDOS(Distributed Denial of Service) attack is a cyberattack that causes the servers to refuse
to provide services to genuine clients. DDOS attack can be classified into two types:

1. Flooding attacks: In this type, the hacker sends a huge amount of traffic to the server
which the server can not handle. And hence, the server stops functioning. This type of
attack is usually executed by using automated programs that continuously send
packets to the server.
2. Crash attacks: In this type, the hackers exploit a bug on the server resulting in the system
to crash and hence the server is not able to provide service to the clients.

You can prevent DDOS attacks by using the following practices:

 Use Anti-DDOS services

 Configure Firewalls and Routers
 Use Front-End Hardware
 Use Load Balancing
 Handle Spikes in Traffic

28. Explain XSS attack and how to prevent it?

XSS(Cross-Site Scripting) is a cyberattack that enables hackers to inject malicious client-side
scripts into web pages. XSS can be used to hijack sessions and steal cookies, modify DOM,
remote code execution, crash the server etc.

You can prevent XSS attacks by using the following practices:

 Validate user inputs

 Sanitize user inputs
 Encode special characters
 Use Anti-XSS services/tools
 Use XSS HTML Filter

29. What is an ARP and how does it work?

Address Resolution Protocol (ARP)is a protocol for mapping an Internet Protocol address (IP
address) to a physical machine address that is recognized in the local network.
When an incoming packet destined for a host machine on a particular local area network
arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC
address that matches the IP address.

The ARP program looks in the ARP cache and, if it finds the address, provides it so that the
packet can be converted to the right packet length and format and sent to the machine.

If no entry is found for the IP address, ARP broadcasts a request packet in a special format to
all the machines on the LAN to see if one machine knows that it has that IP address associated
with it.

30. What is port blocking within LAN?

Restricting the users from accessing a set of services within the local area network is called
port blocking.

Stopping the source to not to access the destination node via ports. As the application works
on the ports, so ports are blocked to restricts the access filling up the security holes in the
network infrastructure.

31. What protocols fall under TCP/IP internet layer?

32. What is a Botnet?

A Botnet is a number of devices connected to the internet where each device has one or
more bots running on it. The bots on the devices and malicious scripts used to hack a victim.
Botnets can be used to steal data, send spams and execute a DDOS attack.

33. What are salted hashes?

Salt is a random data. When a properly protected password system receives a new password,
it creates a hash value of that password, a random salt value, and then the combined value
is stored in its database. This helps to defend against dictionary attacks and known hash
attacks.

Example: If someone uses the same password on two different systems and they are being
used using the same hashing algorithm, the hash value would be same, however, if even one
of the system uses salt with the hashes, the value will be different.

34. Explain SSL and TLS

SSL is meant to verify the sender’s identity but it doesn’t search for anything more than that.
SSL can help you track the person you are talking to but that can also be tricked at times.
TLS is also an identification tool just like SSL, but it offers better security features. It provides
additional protection to the data and hence SSL and TLS are often used together for better
protection.

35. What is data protection in transit vs data protection at rest?

36. What is 2FA and how can it be implemented for public websites?
An extra layer of security that is known as “multi-factor authentication“.
Requires not only a password and username but also something that only, and only, that user
has on them, i.e. a piece of information only they should know or have immediately to hand
– such as a physical token.
Authenticator apps replace the need to obtain a verification code via text, voice call or email.
37. What is Cognitive Cybersecurity?
Cognitive Cybersecurity is an application of AI technologies patterned on human thought
processes to detect threats and protect physical and digital systems.
Self-learning security systems use data mining, pattern recognition, and natural language
processing to simulate the human brain, albeit in a high-powered computer model.
38. What is the difference between VPN and VLAN?

39. Explain Phishing and how to prevent it?

Phishing is a Cyberattack in which a hacker disguises as a trustworthy person or business and
attempt to steal sensitive financial or personal information through fraudulent email or instant
message.
You can prevent Phishing attacks by using the following practices:
 Don’t enter sensitive information in the webpages that you don’t trust
 Verify the site’s security
 Use Firewalls
 Use AntiVirus Software that has Internet Security
 Use Anti-Phishing Toolbar
40. Explain SQL Injection and how to prevent it?
SQL Injection (SQLi) is a code injection attack where an attacker manipulates the data being
sent to the server to execute malicious SQL statements to control a web application’s
database server, thereby accessing, modifying and deleting unauthorized data. This attack is
mainly used to take over database servers.
You can prevent SQL Injection attacks by using the following practices:
 Use prepared statements
 Use Stored Procedures
 Validate user input
Part B – Scenario Based Questions
1. Here’s a situation- You receive the following email from the help desk:
Dear XYZ Email user,
To create space for more users we’re deleting all inactive email accounts. Here’s what you
have to send to save your account from getting deleted:
 Name (first and last):
 Email Login:
 Password:
 Date of birth:
 Alternate email
If we don’t receive the above information from you by the end of the week, your email
account will be terminated.
This email is a classic example of “phishing” – trying to trick you into “biting”. The justification is
the generalized way of addressing the receiver which is used in mass spam emails.
Above that, a corporate company will never ask for personal details on mail.
They want your information. Don’t respond to email, instant messages (IM), texts, phone calls,
etc., asking you for your password or other private information.
You should never disclose your password to anyone, even if they say they work for UCSC, ITS,
or other campus organizations.
2. A friend of yours sends an e-card to your mail. You have to click on the attachment to get
the card.
What do you do? Justify your answer
There are four risks here:
 Some attachments contain viruses or other malicious programs, so just in general, it’s
risky to open unknown or unsolicited attachments.
 Also, in some cases just clicking on a malicious link can infect a computer, so unless you
are sure a link is safe, don’t click on it.
 Email addresses can be faked, so just because the email says it is from someone you
know, you can’t be certain of this without checking with the person.
 Finally, some websites and links look legitimate, but they’re really hoaxes designed to
steal your information.
3. One of the staff members in XYZ subscribes to many free magazines. Now, to activate her
subscriptions one of the magazines asked for her month of birth, second asked for her year of
birth, the other one asked for her maiden name.
What do you infer from this situation? Justify.
All three newsletters probably have the same parent company or are distributed through the
same service. The parent company or service can combine individual pieces of seemingly-
harmless information and use or sell it for identity theft
It is even possible that there is a fourth newsletter that asks for a day of birth as one of the
activation questions
Often questions about personal information are optional. In addition to being suspicious about
situations like the one described here, never provide personal information when it is not
legitimately necessary, or to people or companies, you don’t personally know.
4. In our computing labs, print billing is often tied to the user’s login. Sometimes people call to
complain about bills for printing they never did only to find out that the bills are, indeed,
correct.
What do you infer from this situation? Justify.
Sometimes they realize they loaned their account to a friend who couldn’t remember his/her
password, and the friend did the printing. Thus the charges. It’s also possible that somebody
came in behind them and used their account
This is an issue with shared or public computers in general. If you don’t log out of the computer
properly when you leave, someone else can come in behind you and retrieve what you were
doing, use your accounts, etc. Always log out of all accounts, quit programs, and close
browser windows before you walk away.
5. There is this case that happened in my computer lab. A friend of mine used their yahoo
account at a computer lab on campus. She ensured that her account was not left open before
she left the lab. Someone came after her and used the same browser to re-access her
account. and they started sending emails from it.
What do you think might be going on here?
The first person probably didn’t log out of her account, so the new person could just go to
history and access her account.
Another possibility is that she did log out, but didn’t clear her web cache. (This is done through
the browser menu to clear pages that the browser has saved for future use.)
6. Two different offices on campus are working to straighten out an error in an employee’s
bank account due to a direct deposit mistake.
Office #1 emails the correct account and deposit information to office #2, which promptly
fixes the problem.
The employee confirms with the bank that everything has, indeed, been straightened out.
What is wrong here?
Account and deposit information is sensitive data that could be used for identity theft. Sending
this or any kind of sensitive information by email is very risky because email is typically not
private or secure. Anyone who knows how can access it anywhere along its route.
As an alternative, the two offices could have called each other or worked with ITS to send the
information a more secure way.
7. The mouse on your computer screen starts to move around on its own and click on things
on your desktop. What do you do?
a) Call your co-workers over so they can see
b) Disconnect your computer from the network
c) Unplug your mouse
d) Tell your supervisor
e) Turn your computer off
f) Run anti-virus
g) All of the above
Select all the options that apply.
Right answer is B & D.
This is definitely suspicious. Immediately report the problem to your supervisor and the ITS
Support Center: itrequest.ucsc.edu, 459-HELP (4357), help@ucsc.edu or Kerr Hall room 54, M-F
8AM-5PM
Also, since it seems possible that someone is controlling the computer remotely, it is best if you
can disconnect the computer from the network (and turn off wireless if you have it) until help
arrives. If possible, don’t turn off the computer.
8. Below is a list of passwords pulled out a database.
A. @#$)*&^%
B. akHGksmLN
C.UcSc4Evr!
D.Password1
Which of the following passwords meets UCSC’s password requirements?
Answer is UcSc4Evr!
At least 8 characters in length
Contains at least 3 of the following 4 types of characters: lower case letters, upper case letters,
numbers, special characters
Not a word preceded or followed by a digit
9. You receive an email from your bank telling you there is a problem with your account. The
email provides instructions and a link so you can log into your account and fix the problem.
What should you do?
Delete the email. Better yet, use the web client (e.g. gmail, yahoo mail, etc.) and report it as
spam or phishing, then delete it.
Any unsolicited email or phone call asking you to enter your account information, disclose
your password, financial account information, social security number, or other personal or
private information is suspicious – even if it appears to be from a company you are familiar
with. Always contact the sender using a method you know is legitimate to verify that the
message is from them.
10. A while back, the IT folks got a number of complaints that one of our campus computers
was sending out Viagra spam. They checked it out, and the reports were true: a hacker had
installed a program on the computer that made it automatically send out tons of spam email
without the computer owner’s knowledge.
How do you think the hacker got into the computer to set this up?
This was actually the result of a hacked password. Using passwords that can’t be easily
guessed, and protecting your passwords by not sharing them or writing them down can help
to prevent this. Passwords should be at least 8 characters in length and use a mixture of upper
and lower case letters, numbers, and symbols.
Even though in this case it was a hacked password, other things that could possibly lead to
this are:
 Out of date patches/updates
 No anti-virus software or out of date anti-virus software
Attacks on CIA:

How is Cybersecurity implemented?

There are numerous procedures for actually implementing cybersecurity, but there three main
steps when actually fixing a security-related issue.
The first step is to recognize the problem that is causing the security issue, for example, we
have to recognize whether there is a denial of service attack or a man in the middle attack.
The next step is to evaluate and analyze the problem. We have to make sure we isolate all the
data and information that may have been compromised in the attack. Finally, after
evaluating and analyzing the problem, the last step is to develop a patch that actually solves
the problem and brings back the organization to a running state.

When identifying, analyzing and treating a cyber attack, there are three principals that are
kept in mind for various calculations. They are:
  Vulnerability
 Threat
 Risk

What is Ethical Hacking?

Hacking is the process of finding vulnerabilities in a system and using these found vulnerabilities
to gain unauthorized access into the system to perform malicious activities ranging from
deleting system files to stealing sensitive information. Hacking is illegal and can lead to extreme
consequences if you are caught in the act. People have been sentenced to years of
imprisonment because of hacking.
Nonetheless, hacking can be legal if done with permission. Computer experts are often hired
by companies to hack into their system to find vulnerabilities and weak endpoints so that they
can be fixed. This is done as a precautionary measure against legitimate hackers who have
malicious intent. Such people, who hack into a system with permission, without any malicious
intent, are known as ethical hackers and the process is known as ethical hacking.
So now that we know what exactly ethical hacking is, and who ethical hackers are, let’s go
over the different types of hackers.
What are the types of Hackers?
Hackers can be segregated according to their intent.
White Hat Hacker
It is another name for an Ethical Hacker. They hack into a system with prior permission to find
out vulnerabilities so that they can be fixed before a person with malicious intent finds them.
Black Hat Hacker
They are also known as crackers, who hack in order to gain unauthorized access to a system
& harm its operations or steal sensitive information. It’s always illegal because of its malicious
intent which includes stealing corporate data, violating privacy, damaging the system etc.
Grey Hat Hacker
They are a blend of both black hat and white hat hackers. They mostly hack for fun and exploit
a security weakness in a computer system or network without the owner’s permission or
knowledge. Their intent is to bring the weakness to the attention of the owners & earning some
bug bounty.
Suicide Hacker
A suicide hacker is a person who works with the intent to bring down major corporations and
infrastructure. These kinds of hackers are not scared of the consequences of their actions as
they mostly work with a vengeance in their mind. These people are also known as hacktivists.
What are the different types of hacking?
Now that we have discussed the various types of Hackers, let’s go over the different types of
hacking. We can segregate hacking into different types depending on what the hacker is
trying to achieve.
Website Hacking
Hacking a website means taking unauthorized control over a web server and its associated
software such as databases and other interfaces.
Network Hacking
Hacking a network means gathering information about a network by using tools like Telnet, NS
lookup, Ping, Tracert, Netstat, etc. with the intent to harm the network system and hamper its
operation.
Email Hacking
This includes gaining unauthorized access to an Email account and using it without taking the
consent of its owner for sending out spam links, third-party threats, and other such harmful
activities.
Password Hacking
This is the process of recovering secret passwords from data that has been stored in or
transmitted by a computer system.
Computer Hacking
This is the process of stealing computer ID and password by applying hacking methods and
getting unauthorized access to a computer system.
Phases of Ethical Hacking
Like every discipline out there in the world, ethical hacking is divided into distinct phases.
Ethical hacking has 6 distinct phases. These phases are not strict rules, but more like a guideline
to be followed.
Reconnaissance
Reconnaissance is the process of information gathering. In this phase, the hacker gathers
relevant information regarding the target system. These include detecting services, operating
systems, packet-hops to reach the system, IP configuration etc. Various tools like Nmap, Hping,
Google Dorks etc are used for reconnaissance purposes
Scanning
In the scanning phase, the hacker begins to actively probe the target machine or network for
vulnerabilities that can be exploited. Tools like Nessus, Nexpose, and NMAP are widely used by
hackers in this process.
Gaining Access
In this phase, the vulnerability located during scanning is exploited using various methods and
the hacker tries to enter the target system without raising any alarms. The primary tool that is
used in this process is Metasploit.
Maintaining Access
This is one of the most integral phases. In this phase, the hacker installs various backdoors and
payloads onto the target system. Just in case you don’t know, Payload is a term used for
activities performed on a system after gaining unauthorized access. Backdoors help the
hacker gaining quicker access onto the target system in the future.
Clearing Tracks
This process is an unethical activity. It has to do with the deletion of logs of all the activities that
take place during the hacking process. Nonetheless, Ethical Hackers still have to perform this
phase to demonstrate how a Black Hat Hacker would go about his activities.
Reporting
Reporting is the last step of finishing the ethical hacking process. Here the Ethical Hacker
compiles a report with his findings and the job that was done such as the tools used, the
success rate, vulnerabilities found, and the exploit processes.
Reconnaissance
Okay, so let’s talk a little bit more about Reconnaissance. I’ve already mentioned that it is the
process of gathering information about the target system, but what kind of information are we
trying to gather? Well, to list them out would be a task but they can be boiled down to the
following
 Gather initial information
 Determine the network range
 Identify active machines
 Discover open ports and access points
 Fingerprint the operating system
 Uncover services on ports
 Map the network
Active Reconnaissance
Active Reconnaissance refers to the process when you, the hacker, directly interact with the
computer system to gain information. This information can be relevant and accurate. But there
is a risk of getting detected if you are planning active reconnaissance without permission. If
you are detected, the system admin can take severe action against you and trail your
subsequent activities.

Passive Reconnaissance
Passive Reconnaissance, on the other hand, doesn’t directly interact with the computer. This
process is used to gather essential information without ever interacting with the target systems.
What is Footprinting?
Footprinting is basically the first step where hacker gathers as much information as possible to
find ways to intrude into a target system or at least decide what type of attacks will be more
suitable for the target.
Footprinting is a part of the reconnaissance process which is used for gathering possible
information about a target computer system or network. Footprinting could be both passive
and active. Reviewing a company’s website is an example of passive footprinting, whereas
attempting to gain access to sensitive information through social engineering is an example
of active information gathering.
During this phase, an ethical hacker can collect the following information

Footprinting – What is ethical hacking – Edureka

General footprinting is really simple and even an everyday user could do it using websites
like whois.com, ip2location.com, archive.org etc
What is Fingerprinting?
Fingerprinting, in ethical hacking, refers to any method that is used to determine the operating
system that is being run on the target computer. Fingerprinting, much like Footprinting is both
active and passive
Active Fingerprinting
Active fingerprinting is accomplished by sending specially crafted packets to a target
machine and then noting down its response and analyzing the gathered information to
determine the target OS. In the following section, we have given an example to explain how
you can use NMAP tool to detect the OS of a target domain.
Passive Fingerprinting
Passive fingerprinting is based on sniffer traces from the remote system. Based on the sniffer
traces (such as Wireshark) of the packets, you can determine the operating system of the
remote host. Before attacking a system, it is required that you know what operating system is
hosting a website. Once a target OS is known, then it becomes easy to determine which
vulnerabilities might be present to exploit the target system. Fingerprinting is done by analyzing
various factors of a packet
 TTL − What the operating system sets the Time-To-Live on the outbound packet.
 Window Size − What the operating system sets the Window Size at.
 DF − Does the operating system set the Don’t Fragment bit.
 TOS − Does the operating system set the Type of Service, and if so, at what.
By analyzing these factors of a packet, you may be able to determine the remote operating
system. This method is not 100% accurate and works better for some operating systems than
others.

1. What is a Firewall? Explain its need in brief.

Firewalls are the defense system to any network that keeps your systems, devices, and other
network touchpoints safe from any external threats like viruses, worms, trojans, DDoS
attacks, Waterhole attacks and more. Firewalls are additionally used for filtering the
communications that are happening between the internal and external touchpoints.
2. What are social engineering attacks?
When a cybercriminal manipulates their targets using normal communication medium like
calls, texts, and emails to fetch the confidential information directly from the target without
any technical expertise it is called as social engineering attacks. For example Tailgaiting,
Spear Phishing, Pretexting, Baiting, Whaling attack, Waterhole attacks and more.
3. What is the difference between penetrating testing and vulnerability management?
The organization that has set up an outstanding security procedure will hire penetration testers
to check how secure and unbreakable is their network, this is called penetration testing.
However, vulnerability management is the process of identifying vulnerabilities in the existing
network using tools like patch management and endpoint security management and fix the
same using them.
4. Who is a Cryptographer?
Any confidential data that is existing in the web has to be encrypted to keep it safe, but due
to increased number of data breaches this is better if the same data is being converted into
more convoluted using cryptography, a method of encrypting data in a unique way which
only the receiver with the code can decrypt. The professional behind this cryptography
process is called a cryptographer.
5. How will you secure a server?
 Checking servers for SSL protocol to encrypt and decrypt the sensitive data and secure
it against anonymous access.
 Create new users using this server and making sure unwanted ports are blocked.
 Removing privileged access to the server data for users.
 Removing remote access to servers.
 Practicing VPN based access to servers.
 Configuring firewalls and proxy settings for secure communications.
6. What is data leakage?
Any intentional or unintentional leakage of data from the corporate database to external
storage is called as data leakage. This leakage can be of one of three ways. Accidental
breach Intentional breach using an insider threat Hacking attempt to break into the corporate
network and steal the data.
7. Can You Name Eight Common cyberattacks?
 Ransomware
 DDoS attacks
 Malware
 Phishing
 Zero-day attacks
 Brute force attacks
 XSS
 Man-in-the-middle attacks
8. What is a brute force attack?
The process of finding a credential to a website/target by generating the number of
combination and permutations to identify the right password is called as the brute force
attacks. The password breaking mechanism can be defined by password length, complexity,
language, and customizing the algorithms for the combinations and permutations.
9. What are the OSI model and name their types?
OSI model is an inter-operative framework that developers would need to make their
applications work along with the network. The types are:
 Application layer
 Presentation layer
 Network layer
 Transport layer
 Session layer
 Data link layer
 Physical layer
10. Name the difference between Black hat, Whitehat and Grey hat hackers.
Black hat hackers - These guys are the bad ones that operate individually or supported by an
organization or states to breach into the corporate or public networks to fetch, encrypt or
delete a data illegally. They have exorbitant skills of hacking and can even create a malware
that can breach into networks easily in a short duration.
White hate hackers - These are the good guys, who are otherwise called Ethical hackers. They
hack into organizations or cyber-criminal groups legally, they can also be used as the
penetration testers for identifying the vulnerabilities and loopholes in an organization.
Grey hat hackers - These are the good guys but sometimes turn into black hat hackers based
on their demand and objective. They mostly seek for a network or system vulnerabilities,
identify them without owners permission but report it back to the owner for rewards than
exploiting the same.
11. How to set up a firewall?
Modify the credentials of a firewall device and disable the remote administration feature,
configuring the ports and DHCP server, ensuring the logs are turned ON for analysis, and finally
defining the security policies.
12. What is SSL encryption?
Secure Socket Layer (SSL) is a security layer that is usually deployed between a web server
and a browser to keep the communication secured and safe from any external cyber actors.
Useful for online transaction and for digital privacy.
An SSL connection can be established when a browser requests for an SSL with the web
browsers and the webserver confirms the same with its SSL certificate showing it is trustworthy,
and that's when the browsers initiate the communication after verifying the SSL certificate and
believes the connection would be trustworthy.
13.Explain Port Scanning
Port scanning is the process of identifying the opened ports in a host. Hackers exploit these
opened ports to breach into a network while security pros try to close the same for safety.
There are different types of port scan techniques,
 Ping scan
 UDP
 TCP connect
 Stealth scanning
 TCP half-open
14. What is VPN?
Virtual Private Network (VPN) is a safe private network that would allow employees to connect
to their original corporate network even when they are away from their corporate office.
The server believes the employee is accessing the network within the office only but actually
he/she is not in that location physically.
VPNs are encrypted and is practiced to avoid data breaches via public networks in cafes,
train stations, and airports. Users can view movies, series and other games that are from a
different location by using a proxy or VPN.
There is the number of VPN services available on the web to escape the geographical
limitations and march forward with your browsing objectives.
15. What is a DDoS attack?
When a huge amount of traffic is sent to a single device to crash the device's normal
functioning it is called a Distributed Denial of Service (DDoS) attacks. This is the basis behind
the cyber fame Mirai Botnet, and the DDoS attacks are of two types, flooding, and crash
attacks. The former we discussed, while in the case of latter the hacker just identifies a bug or
more in the system and deploys the crash algorithms to crash the device.
16. What is a Botnet?
Botnet is a group of devices that could be laptops, desktops, IoT which is run by one or more
bots for a certain purpose like crashing a targeted system, stealing data or spamming the
targets through DDoS framework, malware or using scripts. Mirai Botnet is one good example
to explore.
17. Explain about authentications in General
Authentications are procedures to verify the credential and the individuality of a user by
validating the same using different means of identification. There are different types of
authentication in the industry,
1. Two factor authentication (2FA)
 2. Mult-factor authentication (MFA)
3. Bio-metric authentication (BFA)
Two-factor authentication is something that includes usernames, password and a OTP (an
example) for verification.
Mult-factor authentication may require you to type in the username, password, OTP and a
secret phrase for verification.
Bio-metric authentication will include username, password and a biometric verification like
retina, fingerprint and face scan.
18. Hacker was able to break into your network using a port and outdated software. What will
you do to fix it?
Initially, we need to block the ports that are kept open, followed by that we can either remove
that software if is not required or update the software to its secured version by deploying the
patches to the devices that have the software.
19 What is an XSS attack?
Cross-Site Scripting (XSS) attacks are malicious scripts that run on a web page injected by
hackers to hijack sessions, perform phishing, track cookies, remote code executions and more.
XSS attacks can be prevented by validating user inputs, using XSS HTML filters, or by using anti-
XSS tools.
20. What is Cyber Espionage?
Cyber espionage is the process of gaining access to sensitive business documents through
malicious practices and using the same as an advantage against the company or
government agency. Cyber espionage has become prevalent, thanks to the ransomware
trends.
21. What is enterprise mobility management?
Organizations need to take care of the roaming devices that either belongs to them or the
users, in other words, the BYOD, CYOD, and COPE. When employees are out of the corporate
network so does their devices which includes smartphones, tablets, and laptops. Organizations
need to manage these roaming devices and users to keep their business-sensitive data
secured and safe from any public threats. Additionally, IT departments need to manage these
devices from a single console for better efficiency.
22. How to secure the IoT devices from cyberattacks?
Users need to ensure they have a solid router, that does not compromise on network security.
They also need to check for good firewalls and build an IoT customized Wi-Fi network with the
right passwords and hosted as WAP2 or WAP3. Above all users need to make sure they have
got their IoT devices updated and free from vulnerabilities. Patching the IoT devices can
prevent any application-level breaches while the former will help with network-level breaches.
Learn: Mastering the Security of the Internet of Things (IoT) Course.
23. Explain about CIS critical security controls?
Centre for Internet Security(CIS) is an organization established by a group of security
researchers to make the internet a better place for the end-users. CIS group of researchers
have defined 20 critical security controls that are at three different levels. They are,
 Basic security controls
 Foundation security controls
 Organizational security controls
24. What is ransomware, give some examples
Ransomware is a type of malware that encrypts users data, leaves a ransom note requesting
a certain amount of ransom to decrypt the data. Ransomware has become very common in
recent years, their motive could be to either encrypt and request ransom, encrypt and steal
the data, or encrypt and erase the data thus causing havoc to the targeted audience.
Examples: WannaCry, Ryuk, NotPetya, SamSam, and GandCrab.
25. How will you increase the security over network browsers?
Browsers are the touchpoints for any digital communication. With so much information being
communicated via browsers it's important to establish the right cybersecurity policies for your
browsers to keep them safe from cyberattacks like MITD, XSS and remote code execution
flaws.
Browsers need to be,
1. Updated with the right security policies, by channeling the network traffic via the right
proxy server.
2. Defined with browser configurations thus preventing users from visiting malicious and
anonymous websites.
3. Updated with the latest extension and plugin patches.
26. Tell me about Meltdown and Spectre bugs?
Meltdown and Spectre are processor bugs that exploit a speculative execution flaw in the
processors that allows hackers and cybercriminals to access sensitive data that is being stored
in the cache. Both these bugs were later mitigated when OS manufacturers and AV vendors
gave their compatibility patches. The Internet went berserk when these processor bugs were
reported on Jan 2018.
27. Explain about automated patch management in detail.
Automated patch management is a process in which the IT admin scans the network for
missing patches, identifies the missing patches and downloads them from the vendors
websites, test them in a closed environment and later deploy them to the targeted devices
based on the criticality of patches by scheduling them according to the convenience of the
organization.
28. Explain the difference between penetration tester and vulnerability assessor
Penetration tester tries to break into a network or software to identify potential loopholes
associated with that particular entity, however, vulnerability assessor will check for the
potential vulnerabilities about the given body alone, unlike the penetration tester where the
assessment is done combining all the components of the target environment. A vulnerability
assessment will be narrow compared to penetration testing.
29. How to avoid Zero-Day Exploits?
Keeping your applications and devices up-to-date with the latest patches, both security and
non-security irrespective of their reason for an update can keep your application and device
safe against external threats. Enterprises need to employ an automated patch management
procedures to maintain the MS Patch Tuesday updates and third party patches, but updating
them with the latest patches may have performance hits in some cases but it is better than to
get screwed by cyberthreats.
30. How to secure roaming devices?
Security professionals can use mobile device management (MDM) or unified endpoint
management solutions (UEM) to take care of roaming devices even if they are connected to
public Wi-Fi's. Organizations can also request their employees to use VPN for safe and secure
browsing and business data accessing routines. Sandbox technique that is being
implemented in these solutions will help security professionals and IT administrators to secure
their corporate data.
31. How will you Secure the USB Devices?
USB devices need to be secured based on how trustworthy they are to the enterprise. IT
security professionals need to restrict and allow USB devices based on whether those devices
are recognized or not. USB security management can help organizations prevent data leaks,
cause havoc through USB sticks, and booby-trapped USB sticks.
32. What is common between GDPR, LGPD, CCPA, and POPI?
All these are data protection laws. GDPR is for Europe, LGPD is for Brazil, CCPA is for California
(USA) and POPI is for South Africa. All these laws are being introduced to secure the personal
data of the data subjects and maintain privacy in the country. Any business who is doing
business in these organizations needs to get compliant towards these data protection laws.
33. What is DPO?
Data Protection Officer (DPO) is a new role created as per the norms of the General Data
Protection Regulation (GDPR) in the year 2018. The demand for this role is high considering the
huge risk associated with it. Data Protection Officer will be the official touchpoint and
responsible for all the data that is existing inside any corporate environment. He must be aware
of the different types of data collected, their source, why they are being collected, what is
the process associated with the data collection, whether users have given their consent for
processing the data, and when these data are erased from the organization database.
35. Difference Between threat, Vulnerability, and Risk?
Your organization is exposed to a threat when a malicious actor is trying to leverage a
vulnerability existing in a network that was not fixed as there is not a proper identification
system to define this as a risk. Another way to explain these three would be, IT security
professionals should not risk their network allowing device and applications vulnerabilities to
exist as this could cause potential cyber threats.
36. What is Deception Technology?
Not all attacks can be prevented proactively and that is why an organization additionally
need to equip the reactive approach to keep themselves safe against any unforeseen
breaches. Deception Technology is a reactive approach where IT security professionals use
their skills and tools, to lure hackers into a path that they did not intend to take.
For example, let us assume a hacker is trying to take down a system in the targeted location
with its IP address.
37. What is PKI?
Public Key Infrastructure (PKI) is a framework that is compiled of policies, hardware, software,
standards, configurations, to facilitate the trust among the entities that are using the data
encryption.
Public key encryption is imperative for communication over emails, any sensitive information
communicated over an email can be public-key encrypted, thus leaving the receiver with the
information that is very much valid and ensuring it has not reached an incorrect inbox. This is
because public key encryption work with a digital certificate, even duplication of the key
cannot be successful in this case. Public key encryption is for better security and private key
encryption are for storage purposes.
38. Name the difference between process, guidelines, and policies?
The process is a step by step procedure where the readers will be shown what to do next, in
case of guidelines its little high-level recommendations and suggestions for networks or
applications to formulate a strategy or process to implement the same. Policies are the criteria
that have to be defined to maintain security and compliance in a network or application.
39. What is the Zero Trust Network?
Zero trust Network is an evolving framework, where organizations will not trust any device or
user so easily, according to this model there will zero trust that will not allow the devices to
directly connect with the corporate network unless they verify their identity every time they
join the intended network. This Zero Trust is already being implemented in a few fortune 500
companies however, it will take a while before this is being implemented across industries. With
the Zero Trust Model, business-sensitive data can stay safe from outside and insider threats.
40. Difference between EU personal data and US personal information?
EU personal data will be a superset for US personal information, as the EU personal data is very
vast and it can include anything from data subject's name, age, email, phone number, social
security number, country etc however in case of US personal information it does not consider
these vast details. Anything that will allow an entity to narrow down and identify the target
data subject is personal data. GDPR deals with personal data handling and companies are
moving their infrastructure from personal information to personal data handling.
41. Explain the server-client based model?
Server-client based model is composed of two key components server and clients. When one
of the machines is hosted as a server, then its clients are generated through these servers and
will be deployed to a targeted set of machines. The server will no be able to define settings,
policies, configurations and actions to all the clients, or only hand-picked clients which can
again be defined based on a workgroup and domains.
Server-client model is mostly used in IT management applications, to facilitate IT administrators
to manage, control, monitor, troubleshoot, and update the clients (machines). These clients
could be laptops, desktops, smartphones, tablets, IoT devices, virtual
machines, hypervisors and more.
42. Explain about IPS and IDS.
Cyberattacks can be prevented proactively and detected when they are
happening. Intrusion Prevention System (IPS) detects the cyberattacks and helps in preventing
the cyberattacks from further progress into the network. However, the Intrusion Detection
System (IDS) will alert IT administrators for any potential threat that is trying to infiltrate the
corporate network.
43. Can you name the difference between false positive and false negative?
If the IDS shows an alert for a network breach but there is not any in real-time then it is called
as false positive and if there is a real-time breach inside the network but the IDS is not showing
any alert for the attack then it is called as a false negative.
44. What do you know about the red and blue team in cyberspace?
Organizations usually define split their teams for better cybersecurity, the red team will act like
attackers and the blue team will act as defenders. The Red team needs to study different
methods of breaching into a network, system and account's while the blue team will study
different protections, security best practices and more to secure their network, system, and
accounts from red team's actions.
This will help the organization understand the security loopholes and release its security
advisory in-time before an external malicious cyber actor takes advantage of any existing
vulnerabilities.
45. How will you improve data leak prevention in the network?
Data leakage can happen at any given touchpoint in a network, it could be your routers,
servers, laptops, mobile devices, servers, IoT and more. Data from these components can be
secured by practicing good firewall policies, USB security, internet upload metrics, corporate
content management, BYOD management, browser configurations, and strong password
policies. All these can be incorporated using an endpoint security tool if the strategies are built
the right way.
46. Explain the difference between AI, Machine Learning and Deep Learning.
Deep learning is the process of using artificial neural networks to solve the complicated issue,
while Machine learning will help machines decide on a problem without being programmed,
a superset of deep learning and AI is the universal or parent set for deep learning and machine
learning where the machine thinks for itself just like human beings.
AI can be broadly classified into three types,
1. Artificial Narrow Intelligence- Very narrow scope, for example: AlphaZero
2. Aritificial General Intelligence- The ultimate AI that can think far better than humans. Still
in development.
3. Artificial Super Intelligence- This is the stage where AI becomes more powerful than
humans, as it starts processing the entire historical data and improves the overall results.
47. What is Steganography?
Steganography is the process of hiding and delivering a message to a receiver without
showing any identification for the existence of the message itself is called Steganography. In
the case of cryptography, the message will be encrypted but in steganography, the presence
of message itself is kept hidden.
48. What is Quantum Computing? Why is it evolving?
The process of developing a computer which works based on the principle of quantum theory
considering the atomic and sub-atomic particles to define the working mechanism of the
computer is called Quantum Computing. In the future, humans are in need of super-fast
computers than can process billions o data at a given time, and the existing machines are not
capable of doing the same in the short duration but with quantum computing millions of
combinations and permutations are possible in a concise duration thus offering better
efficiency for the users.
49. What privacy features are essential for a VPN?
VPN in recent times come with a lot of features like kill switch, multi-hopping and more for
retaining privacy. However, what's often ignored while choosing a VPN is a good logging
policy. Many VPNs retain logs of personally identifiable information of the end-user and destroy
the mere purpose of using a VPN.
Understanding and analyzing the VPN comparison in general illuminates what types of log
tracking are being offered in the market along with their storing mechanisms. Users should
make the right call by evaluating the VPN's based on their network demands.
50. What is an Evil Twin?
Evil twin is a fake Wi-Fi access point that appears to be legible network. When users connect
to this fake network they accidentally disclose the usernames and passwords, allowing the
hacker to access the same later. This is more like a endpoint security, but at the network level,
using Wi-Fi replication techniques.
What is a Zero-Day Attack?
Zero-day exploits are a mistake with the underlying code of a program, and they are a
complicated matter for even the most experienced of software developers. Since these flaws
can remain dormant since the start, they are always posing a danger as no piece of software
is perfect.
Ways That These Exploits are Discovered
To understand zero-day prevention, it is essential to have an idea of how these exploits are
found in the first place. Let’s go over some of the most popular techniques that are used to
discover zero-day exploits and then eliminate them.
Using Statistics
Methods that use statistics to discover exploits tend to be the most common since they use
data to determine the most likely faults in the code. Since past exploits are used to find issues,
statistics tend to be less likely to discover new issues that have never been faced before
Signature Detection
This form of exploit detection tends to be a little more complex than statistics-based methods.
This way creates artificial signals that are meant to trip malware detection systems and point
you towards zero-day exploits.
Behavior Detection
Behavior detection tends to be a more functional way of detecting attacks that take
advantage of zero-day exploits. These techniques tend to look at how the program is handling
processes and whether anything is out of the ordinary. If something is wrong with a software
interaction, it is further reviewed.
Hybrid Detection
The most advanced and useful method that you can use to prevent zero-day attacks is hybrid
detection since it is the most likely to notice that something is off in a program. Hybrid detection
uses all of the methods that we mentioned above at the same time to cast the most extensive
net possible.
While hybrid detection is often the most likely to catch zero-day exploits, it tends to be a little
less specialized than some other options.
Conclusion
Zero-day attack prevention is one of the most fundamental parts of designing a secure piece
of software. We hope that this guide has been able to give you an idea of how everything
works.

What is XSS (Cross Site Scripting) ?

XSS is a very commonly exploited vulnerability type which is very widely spread and easily
detectable and also it is one of the important vulnerability in OWASP TOP 10.
What is XSS( Cross Site Scripting )? An attacker can inject untrusted snippets of JavaScript into
your application without validation. This JavaScript is then executed by the victim who is visiting
the target site. It classified into three types.
 Reflected XSS
 Stored XSS
 DOM-Based XSS
In Reflected XSS, an attacker sends the victim a link to the target application through email,
social media, etc. This link has a script embedded within it which executes when visiting the
target site.
In Stored XSS, the attacker is able to plant a persistent script in the target website which will
execute when anyone visits it.
With DOM Based XSS, no HTTP request is required, the script is injected as a result of modifying
the DOM of the target site in the client side code in the victim’s browser and is then executed.
Understanding XSS – Cross Site Scripting
 http://test.gbhackers.com/search?q=gbhackers
 Searched for <strong>gbhackers</strong>
 <script>alert(document.cookie)</script>

Imagine that we are having an URL like this and we are searching for gbhackers and it will
reflect the following query in the browser. We trust the domain and we trust the resource being
entered in the search page, so now the untrusted part gbhackers was the query string entered
by the browser, the attacker can manipulate the value anything as they like, for an example
they change like this <script>alert(document.cookie)</script>. This is just a simple query to
popup an alert in the webpage, if some requested the page of attackers website and
passed document.cookies as a parameter in the website then the attacker can gather all
cookies in the website. If they got Auth cookies they can simply hijack user sessions.

Potential risks about Cross Site Scripting

The attacker can compromise or take over the victim’s user account in the application. They
could retrieve data from the target web application, modify content on the target page,
redirect the victim to another malicious or spoof site, or use it as a platform to install other
malware on the victim’s system.
The consequences of any of the above can seriously impact your ability to conduct business,
your customers, and your organization’s reputation.

Defenses against Cross Site Scripting

 What input do we trust?
 Does it adhere to expected patterns?
 Never simply reflect untrusted data.
 Applies to data within our database too.
 Encoding of context(Java/attribute/HTML/CSS).

Brute Force Attack: Definition and Examples

What's a Brute Force Attack?
A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden
web page. Hackers work through all possible combinations hoping to guess correctly.
These attacks are done by ‘brute force’ meaning they use excessive forceful attempts to try
and ‘force’ their way into your private account(s).
This is an old attack method, but it's still effective and popular with hackers. Because
depending on the length and complexity of the password, cracking it can take anywhere
from a few seconds to many years.
What do hackers gain from Brute Force Attacks?
Brute force attackers have to put in a bit of effort to make these schemes pay off. While
technology does make it easier, you might still question: why would someone do this?
Here’s how hackers benefit from brute force attacks:
  Profiting from ads or collecting activity data
 Stealing personal data and valuables
 Spreading malware to cause disruptions
 Hijacking your system for malicious activity
 Ruining a website’s reputation
Profiting from ads or collecting activity data.
Hackers can exploit a website alongside others to earn advertising commissions. Popular ways
to do this include:
 Putting spam ads on a well-traveled site to make money each time an ad is clicked or
viewed by visitors.
 Rerouting a website’s traffic to commissioned ad sites.
 Infecting a site or its visitors with activity-tracking malware — commonly spyware. Data
is sold to advertisers without your consent to help them improve their marketing.
Stealing personal data and valuables.
Breaking into online accounts can be like cracking open a bank vault: everything from bank
accounts to tax information can be found online. All it takes is the right break-in for a criminal
to steal your identity, money, or sell your private credentials for profit. Sometimes, sensitive
databases from entire organizations can be exposed in corporate-level data breaches.
Spreading malware to cause disruptions for the sake of it.
If a hacker wants to cause trouble or practice their skills, they might redirect a website’s traffic
to malicious sites. Alternatively, they may directly infect a site with concealed malware to be
installed on visitor’s computers.
Hijacking your system for malicious activity.
When one machine isn’t enough, hackers enlist an army of unsuspecting devices called
a botnet to speed up their efforts. Malware can infiltrate your computer, mobile device, or
online accounts for spam phishing, enhanced brute force attacks and more. If you don’t have
an antivirus system, you may be more at risk of infection.
Ruining a website’s reputation.
If you run a website and become a target of vandalism, a cybercriminal might decide to infest
your site with obscene content. This might include text, images, and audio of a violent,
pornographic, or racially offensive nature.
Types of Brute Force Attacks
Each brute force attack can use different methods to uncover your sensitive data. You might
be exposed to any of the following popular brute force methods:
 Simple Brute Force Attacks
  Dictionary Attacks
 Hybrid Brute Force Attacks
 Reverse Brute Force Attacks
 Credential Stuffing
Simple brute force attacks: hackers attempt to logically guess your credentials — completely
unassisted from software tools or other means. These can reveal extremely simple passwords
and PINs. For example, a password that is set as “guest12345”.
Dictionary attacks: in a standard attack, a hacker chooses a target and runs possible
passwords against that username. These are known as dictionary attacks. Dictionary attacks
are the most basic tool in brute force attacks. While not necessarily being brute force attacks
in themselves, these are often used as an important component for password cracking. Some
hackers run through unabridged dictionaries and augment words with special characters and
numerals or use special dictionaries of words, but this type of sequential attack is cumbersome.
Hybrid brute force attacks: these hackers blend outside means with their logical guesses to
attempt a break-in. A hybrid attack usually mixes dictionary and brute force attacks. These
attacks are used to figure out combo passwords that mix common words with random
characters. A brute force attack example of this nature would include passwords such
as NewYork1993 or Spike1234.
Reverse brute force attacks: just as the name implies, a reverse brute force attack reverses the
attack strategy by starting with a known password. Then hackers search millions of usernames
until they find a match. Many of these criminals start with leaked passwords that are available
online from existing data breaches.
Credential stuffing: if a hacker has a username-password combo that works for one website,
they’ll try it in tons of others as well. Since users have been known to reuse login info across
many websites, they are the exclusive targets of an attack like this.
Tools Aid Brute Force Attempts
Guessing a password for a particular user or site can take a long time, so hackers have
developed tools to do the job faster.
Automated tools help with brute force attacks. These use rapid-fire guessing that is built to
create every possible password and attempt to use them. Brute force hacking software can
find a single dictionary word password within one second.
Tools like these have workarounds programmed in them to:
 Work against many computer protocols (like FTP, MySQL, SMPT, and Telnet)
 Allow hackers to crack wireless modems.
 Identify weak passwords
 Decrypt passwords in encrypted storage.
  Translate words into leetspeak — "don'thackme" becomes "d0n7H4cKm3," for example.
 Run all possible combinations of characters.
 Operate dictionary attacks.
Some tools scan pre-compute rainbow tables for the inputs and outputs of known hash
functions. These “hash functions” are the algorithm-based encryption methods used to
translate passwords into long, fixed-length series of letters and numerals. In other words,
rainbow tables remove the hardest part of brute force attacking to speed up the process.
GPU Speeds Brute Force Attempts
Tons of computer brainpower is needed to run brute force password software. Unfortunately,
hackers have worked out hardware solutions to make this part of the job a lot easier.
Combining the CPU and graphics processing unit (GPU) accelerates computing power. By
adding the thousands of computing cores in the GPU for processing, this enables the system
to handle multiple tasks at once. GPU processing is used for analytics, engineering, and other
computing-intensive applications. Hackers using this method can crack passwords about 250
times faster than a CPU alone.
So, how long would it take to crack a password? To put it in perspective, a six-character
password that includes numbers has approximately 2 billion possible combinations. Cracking
it with a powerful CPU that tries 30 passwords per second takes more than two years. Adding
a single, powerful GPU card lets the same computer test 7,100 passwords per second and
crack the password in 3.5 days.
Steps to Protect Passwords for Professionals
To keep yourself and your network safe, you'll want to take your precautions and help others
do so as well. User behavior and network security systems will both need reinforcement.
For IT specialists and users alike, you’ll want to take a few general pieces of advice to heart:
 Use an advanced username and password. Protect yourself with credentials that are
stronger than admin and password1234 to keep out these attackers. The stronger this
combination is, the harder it will be for anyone to penetrate it.
 Remove any unused accounts with high-level permissions. These are the cyber
equivalent of doors with weak locks that make breaking in easy. Unmaintained
accounts are a vulnerability you can’t risk. Throw them away as soon as possible.
Once you’ve got the basics down, you’ll want to bolster your security and get users on board.
We’ll begin with what you can do on the backend, then give tips to support safe habits.
Passive Backend Protections for Passwords
High encryption rates: to make it harder for brute force attacks to succeed, system
administrators should ensure that passwords for their systems are encrypted with the highest
encryption rates possible, such as 256-bit encryption. The more bits in the encryption scheme,
the harder the password is to crack.
Salt the hash: administrators should also randomize password hashes by adding a random
string of letters and numbers (called salt) to the password itself. This string should be stored in a
separate database and retrieved and added to the password before it's hashed. By salting
the hash, users with the same password have different hashes.
Two-factor authentication (2FA): additionally, administrators can require two-step
authentication and install an intrusion detection system that detects brute force attacks. This
requires users to follow-up a login attempt with a second factor, like a physical USB key or
fingerprint biometrics scan.
Limit number of login re-tries: limiting the number of attempts also reduces susceptibility to
brute-force attacks. For example, allowing three attempts to enter the correct password
before locking out the user for several minutes can cause significant delays and cause hackers
to move on to easier targets.
Account lockdown after excessive login attempts: if a hacker can endlessly keep retrying
passwords even after a temporary lockout, they can return to try again. Locking the account
and requiring the user to contact IT for an unlock will deter this activity. Short lockout timers are
more convenient for users, but convenience can be a vulnerability. To balance this, you might
consider using the long-term lockdown if there are excessive failed logins after the short one.
Throttle rate of repeated logins: you can further slow an attacker’s efforts by creating space
between each single login attempt. Once a login fails, a timer can deny login until a short
amount of time has passed. This will leave lag-time for your real-time monitoring team to spot
and work on stopping this threat. Some hackers might stop trying if the wait is not worth it.
Required Captcha after repeated login attempts: manual verification does stop robots from
brute-forcing their way into your data. Captcha comes in many types, including retyping the
text in an image, checking a checkbox, or identifying objects in pictures. Regardless of what
you use, you can use this before the first login and after each failed attempt to protect further.
Use an IP blacklist to block known attackers. Be sure that this list is constantly updated by those
who manage it.
Active IT Support Protections for Passwords
Password education: user behavior is essential to password security. Educate users on safe
practices and tools to help them keep track of their passwords. Services like Kaspersky
Password Manager allow users to save their complex, hard-to-remember passwords in an
encrypted “vault” instead of unsafely writing them down on sticky notes. Since users tend to
compromise their safety for the sake of convenience, be sure to help them put convenient
tools in their hands that will keep them safe.
Watch accounts in real-time for strange activity: Odd login locations, excessive login attempts
etc. Work to find trends in unusual activity and take measures to block any potential attackers
in real-time. Look out for IP address blocks, account lockdown, and contact users to determine
if account activity is legitimate (if it looks suspicious).
How Users Can Strengthen Passwords Against Brute Force Attacks
As a user, you can do a lot to support your protection in the digital world. The best defense
against password attacks is ensuring that your passwords are as strong as they can be.
Brute force attacks rely on time to crack your password. So, your goal is to make sure your
password slows down these attacks as much as possible, because if it takes too long for the
breach to be worthwhile… most hackers will give up and move on.
Here are a few ways you can strength passwords against brute attacks:
Longer passwords with varied character types. When possible, users should choose 10-
character passwords that include symbols or numerals. Doing so creates 171.3 quintillion (1.71
x 1020) possibilities. Using a GPU processor that tries 10.3 billion hashes per second, cracking the
password would take approximately 526 years. Although, a supercomputer could crack it
within a few weeks. By this logic, including more characters makes your password even harder
to solve.
Elaborate passphrases. Not all sites accept such long passwords, which means you should
choose complex passphrases rather than single words. Dictionary attacks are built specifically
for single word phrases and make a breach nearly effortless. Passphrases — passwords
composed of multiple words or segments — should be sprinkled with extra characters and
special character types.
Create rules for building your passwords. The best passwords are those you can remember but
won’t make sense to anyone else reading them. When taking the passphrase route, consider
using truncated words, like replacing “wood” with “wd” to create a string that makes sense
only to you. Other examples might include dropping vowels or using only the first two letters of
each word.
Stay away from frequently used passwords. It's important to avoid the most common
passwords and to change them frequently.
Use unique passwords for every site you use. To avoid being a victim of credential stuffing, you
should never reuse a password. If you want to take your security up a notch, use a different
username for every site as well. You can keep other accounts from getting compromised if
one of yours is breached.
Use a password manager. Installing a password manager automates creating and keeping
track of your online login info. These allow you to access all your accounts by first logging into
the password manager. You can then create extremely long and complex passwords for all
the sites you visit, store them safely, and you only have to remember the one master password.

Phishing Attack Prevention

10 Ways To Prevent Email Phishing Attacks
1. Think before you click
Gone are the days when phishing emails began with “Greetings from the son of the deposed
prince of Zambia.” In an attempt to look legitimate, phishing emails are a lot more
sophisticated today and may even contain links that may direct you to a website that looks
exactly like the original one. Clicking on random links isn’t a smart move. Hover over it to see
if they lead you to the right website. A better option would be to avoid the link altogether and
directly access the website from a secure browser.
There have been instances where cybercriminals may pose as an employee requesting you
to change or confirm your details by clicking on a link. Here’s an example of an email scam
that hit RBC.

2. Expect the unexpected

More often than not, phishing attacks are disguised as a document or an email someone was
expecting – be it bank records, password change requests, emails that a user has subscribed
to, or even ones that come from your company’s IT department.
Make sure you run a check before downloading any attachments, especially unsolicited
emails – better yet, double-check the sender’s email address and keep an eye out for high-
risk attachment files. VirusTotal is a free, handy tool that you use to scan for viruses in
attachments. Sometimes, the sender’s email address may look similar to the company’s official
email address and users may fail to catch this.
3. Stay on top of phishing techniques
Cybercriminals are always looking to tailor the next scam as authentic and legitimate as
possible. Without staying abreast on the latest techniques, you might fall prey to one. By
keeping yourself informed, chances are you’ll find out about the scams as early as possible.
Cyber experts highlighted that spear phishing attacks are on the rise. While phishing
scams often target a large audience, hoping one of them falls victim, spear phishing targets
specific individuals or a small group. They are far more sophisticated than others and
oftentimes, carry impersonation attacks.
The emails might look like they’re coming from a trusted company platform and also include
highly-personalized context to trick the receiver.
How is this done? Spear phishing usually targets someone with access privileges to valuable
data. Most often, companies that do not have a sender policy framework (SPF) – an email
authentication system which detects and prevents spammers from sending emails from forged
email addresses – fall victim to this attack.
By leveraging this blind spot, hackers craft context-driven emails – data that’s picked up from
documents available online that traces the receiver’s details. This could include anything from
the latest project that the person worked on, the team members that worked on this project
and the software version that’s used to create the document.
If the hacker obtains these details, an email can be sent to the receiver covering this context.
For example, it could read “Hi Andres, would you please take a look at the report Jane was
working on? She mentioned you would give us some feedback” – sent from a legitimate-
looking email account.
Once their computer has been compromised, the attacker can access the corporate network
to expand the phishing attack. A quick search reveals that organizations like White House and
the US Department of Defense have been compromised through similar attacks.

Source: CNN
4. Legitimate companies never ask for sensitive information over emails
Never provide sensitive information over email, and chances are if you receive an email
requesting you to provide credit card details, tax number, social security information or any
other sensitive details, it’s a scam.
If the data is necessary, ensure you log in to the website directly over a secure network and
submit the information.
5. Look out for email domains
Look out for the sender’s email address – if the email address does not seem to come from an
authentic company-provided account or seems to be inconsistent with emails you’ve
received previously from the company, it’s a potential red flag. Here’s a very convincing
email, but if you look closely, the email domain is not a legitimate one.

6. Watch out for bad syntax

One of the easiest ways to identify a scam email is through bad grammar. Hackers aren’t
stupid – their aim is to target the less observant, oftentimes uneducated since they’re easier
victims.
7. Legitimate companies don’t force you to download spam
You might notice that some emails redirect you to a rogue website or a fake web page
wherever you click – the whole email would be a gigantic hyperlink, which would auto-
download spam attachments or open an insecure website if you click anywhere in the email.
8. Check if a link’s text matches a legitimate URL
Double-check URLs that are linked to the text. If it isn’t identical to the URL that’s displayed, it’s
a sign you might be directed to a website you don’t want to visit. If the link does not match
the email’s context, don’t trust it.
The presence of SSL doesn’t tell you anything about site legitimacy, the SSL/TLS certificates are
to encrypt the connection between the browser and the server which avoids intrusion from
hackers.
In order to find, is this website safe , we need to figure it out if the URL received from an
unknown source and we would recommend cross-checking the URL before clicking on it.
9. Watch out for intimidation tactics
Promises of instant riches or winning hundreds of millions in lottery are common tactics that
most people are used to. Hackers seek to take advantage of your anxiety or concern by
alerting you to a time-sensitive action pending from you, and eventually get you to provide
sensitive information.
It’s not just banks or credit card providers that scammers use as cover for their phishing emails.
They also resort to sending notifications that appear to be from the IRS or other government
agencies to scare their targets into giving up their information.

10. Install an anti-phishing toolbar

Today, most browsers support anti-phishing toolbars that run quick checks on the websites that
you visit and compare the data against a list of known phishing web pages. Accidentally, if
you follow a link that opens a malicious website, the toolbar will be able to alert you.
Anti virus software are also great tools to detect harmful files. These softwares scan all files that
are transferred through the internet onto your device. Anti-spyware and firewall settings can
also provide an additional layer of security.
However, there’s no fool-proof way to avoid phishing scams or malicious attacks. Online scams
continue to evolve. Make sure you tap into robust security solutions to reduce your risk of falling
prey to phishing emails.

DDoS Attack Prevention

A distributed denial-of-service (DDoS) attack aims to exhaust the resources of a network,
application or service so that genuine users cannot gain access.
There are different types of DDoS attacks, but in general, a DDoS assault is launched
simultaneously from multiple different hosts and can affect the availability of even the largest
enterprises’ internet services and resources.
They are a daily occurrence for many organizations; based on the thenth Worldwide
Infrastructure Security Report, 42% of respondents saw more than 21 DDoS attacks per month,
compared to 25% in 2013.
It’s not just the frequency of these attacks that is increasing, but their size as well. In 2013, there
were fewer than 40 attacks that were more than 100 Gbps, but in 2014 there were 159 attacks
over 100 Gbps, the largest being 400 Gbps.
Enterprise Networks should choose the best DDoS Attack prevention services to ensure DDoS
attack protection and prevent their network.
You can Also Download Free E-book about complete Enterprise Security Mitigation &
Implementation Steps – Download Free-Ebook Here.
Types of DDoS attacks explored:
The different types of DDoS attacks vary significantly but generally fall into one of three broad
categories:
 Volumetric attacks — These attacks aim to overwhelm a network’s infrastructure with
bandwidth-consuming traffic or resource-sapping requests.
 TCP state-exhaustion attacks — Attackers use this method to abuse the stateful nature
of the TCP protocol to exhaust resources in servers, load balancers and firewalls.
 Application layer attacks — The target of these attacks is some aspect of an application
or service at Layer 7.
Volumetric attacks remain the most common of the types of DDoS attacks, but attacks that
combine all three vectors are becoming commonplace, increasing an attack’s length and
magnitude.
The main drivers behind DDoS attacks remain the same: politics and ideology, vandalism and
online gaming. Yes, gamers will DDoS a gaming infrastructure just to gain a competitive
advantage in playing and winning an online game.
While DDoS is the weapon of choice for hacktivists and terrorists, it’s also used for extortion or
disrupting a competitor’s operations.
The use of DDoS attacks as a diversionary tactic is also growing. For example, advanced
persistent threat campaigns are using DDoS attacks against a network as a distraction while
exfiltrating stolen data.
With the hacker community packaging complex and sophisticated attack tools into easy-to-
use, downloadable programs, even those who don’t have the necessary know-how can buy
the ability to launch and control their own DDoS attacks.
And the situation is only going to get worse as attackers are beginning to conscript everything,
from gaming consoles to routers and modems, to increase the volume of attack traffic that
they can generate.
These devices have networking features that are turned on by default and use default
accounts and passwords, making them easy targets to enlist in a DDoS attack. Most are also
Universal Plug and Play-enabled (UPnP), the underlying protocols of which can be abused.
Akamai Technologies found 4.1 million internet-facing UPnP devices were potentially
vulnerable to being employed in reflection types of DDoS attacks. The growing number of
poorly secured or configured internet-connected devices is increasing the ability of attackers
to generate ever more powerful attacks.
Prevention Method:
Report:Worldwide DDoS Attacks & Protection
Securing internet-facing devices and services is as much about helping to secure the internet
as an individual network as it is about reducing the number of devices that can be recruited
to participate in a DDoS attack.
Repeatable Testing and Conduct a serious of method One of the Best Method conduct
Penetration testing for all kind of web application vulnerabilities.
The main protocols hackers are abusing to generate DDoS traffic are NTP, DNS, SSDP, Chargen,
SNMP and DVMRP; any services using them should be carefully configured and run on
hardened, dedicated servers.
For example, enterprises running a DNS server should follow NIST’s Special Publication 800-
81 Secure Domain Name System (DNS) Deployment Guide, while the Network Time Protocol
site offers advice on securing NTP servers.
Many attacks work because attackers can generate traffic with spoofed source IP addresses.
Enterprises need to implement anti-spoofing filters as covered in IETF Best Common Practices
documents BCP 38 and BCP 84 to prevent hackers from sending packets claiming to originate
from another network.
All of the different DDoS attack types can’t be predicted or avoided, and even an attacker
with limited resources can generate the volume of traffic required to take down or severely
disrupt large, heavily defended sites.
While it’s virtually impossible to completely eliminate or mitigate the DDoS attack, the key to
reducing them in the long term is to ensure that all machines and services are correctly
configured so that publicly available services cannot be harnessed and misused by would-be
attackers. By helping others we will be helping ourselves.
An organization should always ensure and focus on maximum Protection level for enterprise
networks and you can try a free trial to Stop DDoS Attack in 10 Seconds.

Ransomware Attack Response and Mitigation Checklist

Ransomware is one of the fast-growing threat in the worldwide and its considered as a leader
of Global cyberattack in recent days which cause some dangerous issues and loss in many
organizations and individuals. Here is the Ransomware response Checklist for Attack Response
and Mitigation.
The ransomware is a turnkey business for some criminals, and victims still pay the ever-
increasing demands for ransom, it’s become a billion-dollar industry that shows no signs of
going away anytime soon.
A cost of Ransomware attacks Crossed more than $1Billion in a single year alone and day by
day number of Ransomware attacks are increasing and threatening around the world.
Here we will see the important ransomware response checklist and mitigation techniques for
Sophisticated Ransomware attacks.
Common Factors:
A common factor of Ransomware is that very strong Encryption(2048 RSA key) method are
using for all the Ransomware variant which is estimated to take around 6.4 quadrillion years to
crack an RSA 2048 key by an average desktop computer.
The wide availability of advanced encryption algorithms including RSA and AES ciphers made
ransomware more robust.
Ransomware is using Bitcoin Payment that is untraceable and Every Ransomware variant are
demanding different bitcoin amount to get the decryption key.
Some time attacker can provide the decryption key some time they won’t even you paid.
Instead of that, they forcing the victim to infect another Few Peoples to get the decryption
key.
To Maintain the Anonymity, attacker always using the “Tor”(The Onion Router) to Establish the
Communication to Victim which helps an attacker to hide their IP Address since Tor network is
created by thousands of nodes in different countries You cannot browse TOR sites using a
regular Internet browser.
Symptoms of Infection – Ransomware Response Checklist
A window has opened that you can’t close it that contains Ransomware Program and
instruction.A warning countdown program instructs you that how to pay to unlock your file
and Device.
A Countdown program warns you that, there is a countdown to Deadline to pay else you can
no longer Decrypt the file or Ransome amount will be increased.
Suddenly you can’t open the file or et errors such as the file are corrupted.
You can See Different Directories that says HOW TO DECRYPT FILES.TXT Or some related
instruction.
Ransomware Entry point and Infection Vector
Phishing Email:
A user will receive an Email with malicious Link in the body content. once you Click the link that
will Download A File that Contains Ransomware.
Email Looks like from Major Brand, Social Engineering, or Seeking.
Email Attachments
A user will receive an Email with an Attached Innocent file. once a user opens the file then it
will be Triggered in the Victims computer and finally he will be victimized by Ra; ransomware.
Ex: urgent Requirement, Job offers, Common Zip file, Sense of Urgency to open Document,
Money Transferred.
Embedded Hyperlink
A Malicious Document Contains Embedded Hyperlink . when user Click the hyperlink then I
will go out to the internet and download the Malicious File that contains Ransomware variant.
Ex: normal Looking Document, Innocent Looking Hyperlink, linked to Ransomware.
Also Read No more ransom adds Immense power to globe against Ransomware Battle
Websites & Downloads
A Users Browser the infected site and Compromised website and download a software and
they think its a genuine software but it actually contains a Ransomware variant.
Ex: General Browsing, Porn Websites, File Download from Bit Torrent, PC Downloads, Play Stores.
Drive by Infection
A User Browser with old Browser, Malicious plug-in, an unpatched third-party application will
infect the machine and spread via infected user within the organization and file sharingf
platform such as IRC, Skype, and other Social Media.
infected sites will redirect the user into exploit kit and it will have a concern ransomware
exploits which will later download and exploit the ransomware.
Ex: No user interact for some time, Malvertising.
Incident Response and Mitigation
Once you feel that you’re infected or you find some unusual activities occur in your network
then the following Steps are urged to take for Mitigation.
Finding the Indicator of Compromise
File Extensions
During the Encryption Process, File Extention will be Changed with a new type of extension
that you have not seen it before.
so collecting the Known Ransomware file Extention and monitoring the Extensions. This will help
you to identify the Ransomware even before the incident will be occurred.
In this case, existing file extension remains the same but a new file extension will be created
during the encryption process and new extension will be added next to normal file extension
of the infected file.
Check the all unusual Ransomware related File Extention Type – Ransomware file Extention.
Bulk File Renamed
Monitoring a large number of Files being Renamed with your network or your computer. It will
be a good indicator of compromised by ransomware.
Check whether any of large volume file name has changed with your Asset.
Using Behaviour analysis will help to identify you to find any number of files being changed or
suddenly using in your network when compared to normal uses.
Security Tools
Security tools such as Endpoint Protection, Antivirus, Web content filtering in your organization
that you may allow you to filter the content that your access on the internet that analysis the
behavior of your network and your computer will help you to find the behaviourally based
indications.
It will monitor the normal behavior of user baseline and if there will be some unusual things
occur then it will intimate you to have a look at it.
Intrusion detection and prevention system that you have implemented into your network will
prevent to call back the unusual files and encrypting your file.
Also, it will prevent from download an encryption key from the command and control server
and stop being encrypted your files in your system.
Ransomware Notes
Ransomware notes is an Explicit indicator of compromise that popups into your screen and
telling you to pay some demanding ransom amount to pay.
its one of the First indicator of the ransomware attack that most of the people should be aware
of it.
User Reports
A report from user to help desk that they cannot open files or cannot Find the files and also PC
Running Slow.
Ensure that you’re organization help desk professional’s are fully trained to Face the
ransomware impact and take appropriate mitigation steps.
What next: if you’re Infected
Once you find and confirm that your computer or network have been infected then
immediately take the following actions.
Disconnect the Network – Ransomware Response Checklist
Completely Disconnected the infected computer from any network and isolate it completely.
Remove all the Storage Devices such as External Hard Drive, USB drive, and other Storage
Devices.
Turn of the Any Wireless Devices such as a router, WiFi, Bluetooth other wireless devices that
you have in your organization.
Simply unplug the computer from the network and any other storage devices.
Don’t Try to Erase anything such as clean up your devices, format, etc. this is very important
for the investigation process.
Determine the Scope
In this case, you need to evaluate how much if your organization infrastructure has been
compromised or Encrypted.
Find your First Infected machine and confirm the infected storage medium. It could be anyone
of following these.
 USB memory sticks with some valuable information
 shared or unshared Drives or folders
 External hard drives
 cloud-based storage (DropBox, Google Drive, Microsoft OneDrive/Skydrive etc…)
 Network storage
Check the above asset and confirm the sign of encryption. If it will be cloud storage then Try
to revert the recent unencrypted version of your files.
If you have back available for the encrypted storage then identify the infected or encrypted
part of files and which file you need to restore or what may not be backed up.
Finally, if you don’t have an option to proceed the above possibility then reconnect memory
drive and check the other possibility for decryption.
Understand the version or Type of Ransomware
First Ransomware needs to know which files it needs to decrypt if you paid the ransom amount.
To determine the scope of the infection is to check for a registry or file listing that has been
created by the ransomware.
Each and every Ransomware are having different version and types. It is recommended to do
a bit of googling to determine the version of ransomware you have been hit with and do your
research based on the right version of the ransomware.
Determine the Strains of Ransomware
In terms of strains, each and every ransomware-type are having different method and
function. so you have to make sure which type of ransomware you’re dealing with and what
is the option you have in your hand.
If you feel that you are the first person who infected with concern ransomware then try to
consult with some for security experts to determine that what kind of ransomware you are
actually facing by providing the information about various files and system information.
Most of the ransomware does not have future to self-spreading function to jump across the
network unless you will directly share from the infected machine.
Generally, ransomware infects to only single machine or related shared network files and it
won’t Encrypt the files where it has not directly control over for the concerned network or
system.
So make sure you have checked with above things in the infected ransomware strains.
Fast Emergency Response
Ransomware does not need an any of user interaction to performing its Task.so you have to
have a very concern about the time to take the necessary steps.
You need to take some rapid response by calling the helpdesk and internal parties
immediately make them aware that Ransomware attack has occurred.
Notify your company’s executive, other legal and emergency response team.
Notify your regulatory agency and consult your law enforcement and also try to implement
your communication plan as soon as possible.
You can also contact industry’s Information Sharing and Analysis Center (ISAC) site to know
about the similar attack.
Paying the Ransomware – Ransomware response Checklist
Advantage: Paying
 It gives a faster solution than restoring the data from Backup
 It would be the cheapest solution in terms of total cost of recovery
 Its help to minimize the disruption to business and users.
Advantage: Not Paying
 You can maintain the integrity of data by certain of recovery of data.
 Not paying criminal and supporting the cybercrime.
 You may protect yourself from targeting again and you can decrease the risk to attack
you again.
Disadvantage: Paying
 Supporting the crime and rewarding the crime
  It would make you high risk in the future and you might be victimized again
 There is no guaranty that you will be data recovery
Disadvantage: Not Paying – Ransomware mitigation Checklist
 There will be a lot of time-consuming to restore the data
 If you don’t have a proper backup it will lead to a critical situation.
 It disturbs the business continuity and users and it will be cost-effective.
Getting Funds to ready in Bitcoin – Ransomware response Checklist
Before paying ransom to criminals you have to make your Bitcoin vault ready.
Its take time to prepare the bitcoin vault and you have to deposit the bitcoin in the vault.
Even though you are paying the ransom about it doesn’t mean that your file decrypted and
available immediately.
Some time criminals may perform manual verification of your ransom amount that you have
transferred.
It takes even more than 1 day to get you decryption key back. Sometimes you may receive
unresponsive situation from criminals.
Defending the Ransomware Attack – Ransomware response Checklist
Take regular backups of your data and test your Backups that perfectly available for any time
to be restored.
One of the main infection vectors is Microsoft office document so make sure your Microsoft
office Macros are disabled by default.
Use Strong Firewall to block the command & control server callbacks. It helps to prevent the
malware from accessing the encryption key from the callback C&C Server.
Scan all your emails for malicious links, content, and attachment. Segregate the physical and
logical network to minimize the infection vector.
Always use anti-malware and anti-virus protection. most the current antivirus using behavior-
based analysis that helps to minimize the unknown ransomware threats takes place in your
network.
Don’t Provide local administrator rights to any user by default. Avoid high privilege by default.
Enforce access control permission for the concerned user and allow them to access the files
which they actually needed to access for their work.
Provide proper training for your employees about ransomware attack and its common
function to attack the network and train users to handle the links.
Block the adds and unnecessary web content. It will download ransomware and other
malicious content.
These Ransomware resposnse Checklist considerations were applicable for both Windows and
other platforms.

Q1. Define Encryption and why it is used?

It is a process of converting the data of file into an unreadable format to protect the data
from attack. It is being widely used in an organization to secure their data.
Q2. What are the key terms for Security?
The key terms for security are Confidentiality, Integrity, and Availability. It is also known as CIA.
These three things are considered to be the most important components of the security.
Confidentiality means protecting the information and the information remains between the
client and organization, and not sharing the information with other people, etc. Integrity
means the reliability and trusted data, which refers to real and accurate data. Availability
refers to access information from the specified location.
Q3. What are the principals to identify the cyber attack?
There are various principals to identify and analyze cybersecurity are a threat, risk, and
vulnerability. A threat is referred to like the event, which has the potential to harm the data of
any individual or the organization. It can be natural, unintentional and intentional threats. Risk
mainly refers to check the loss or damage happen when any type of threat exploited the
vulnerability. Vulnerability means that weakness in the system, which can be exploited by the
attacker or the hackers.
Q4. Explain the Firewall and set up of Firewall?
This is the common Cyber SecurityInterview Questions asked in an interview. A firewall is
referred to as a security system or network to protect the computers from unauthorized access.
It helps in monitoring the network and to check which traffic needs to allow or block. There
are few steps to set up the firewall:
 The new username and password set for the firewall device.
 Firewall is mainly used to disable the feature of remote administration.
 Then port enabling is done with help of configuring the port so that applications can
work properly.
 Installing a firewall on the network with existing DHCP servers.
 Logging has been enabled and understands to view the logs and there should be
configured security policies to enforce these policies.
Q5. Explain SSL and TLS?
SSL referred as secure socket layer, which helps in providing the secured conversation and
helps in verifying the person. It also combines with HTTP to use the internet safely with
encryption of data. Its main use is to just get the identity information of sender apart from that
no other information can be viewed. TLS is referred to as Transport layer security, which is a
protocol that provides privacy and data integrity for the different applications. It is mainly used
to provide the more protection to confidential and sensitive data.
Part 2 – Cyber Security Interview Questions (Advanced)
Q6. How identity theft can be prevented?
It can be prevented with help of providing or using the unique username and password, do
not share the confidential information via online. Only trusted or secured websites should be
used for booking and shopping. Always try to use the latest and secured web browsers.
Computers or systems should be protected with anti-virus tools and update your system and
software periodically. It is necessary to protect your social security number.
Q7. Explain CSRF and security misconfiguration?
CSRF stands for Cross-site request forgery. It is mainly known as the vulnerability in the web
application when the server does not check that request came from the secured client or not.
Security misconfiguration is referred to as vulnerability in device or application, it means the
application has been configured in such a way that attackers can take advantage of that
and exploit it. An example of this is a simple password, which can be detected easily. So, to
avoid this strong password is always recommended.
Let us move to the next Cyber Security Interview Questions.
Q8. Explain DDoS attacks?
DDoS is abbreviated as a distributed denial of service. It is used to make the server unavailable
for the legal request as sometimes network or servers are occupied with a request in many
numbers, which are not able to handle and recognized. The request can come to form the
different source that is called a distributed denial of service attack. These attacks can be
mitigated with the help of identifying the network conditions in normal. It can be done in
scrubbing centers, where the traffic has been analyzed in such a manner that irrelevant traffic
can be identified and removed.
Q9. Explain the difference between process, guidelines, and policies?
This is the most popular Cyber Security Interview Questions asked in an interview. A process
can be defined in this way; it is step by step information which helps in specifying what would
be next action and an implementation part. Guidelines are referred to as the
recommendation s given to the applications or network, which can be customized and these
can be used while creating any procedures. Policies are defined as the criteria for security
objectives and the organization’s security framework.
Q10. Explain the MITM attack and how to prevent it?
MITM means man in the middle, this attack mainly happens when any outside attacker jumps
between when two systems are interacting with each other. This type of attack has been
observed mainly in form online communication like email. The personal conversation and
information are the primary motto of the attack for the outsiders or the attackers. These attacks
can be prevented with the help of using public key encryption while sending the data or set
the email as secured if it contains any confidential information like bank account and
passwords. The other method is not to use the open networks, SSL and TLS need to be used.
Q11. Explain IPS and IDS?
IPS stands for Intrusion Prevention System. IPS helps in detecting the intrusion and it will take
further action to prevent it from the intrusion. IDS stand for an Intrusion detection system that
helps in detection of an intrusion and after that administrator of the system will take a decision
for assessment and evaluation.

1. Why are you looking for a new position?

An interviewer asking this wants to understand what has prompted a change in your career.
Are you looking for more responsibility? A chance to expand your skill set? Do you feel that
you outgrew your old position? Are you looking for more pay and less travel? Well then, why
do you deserve more money and how are you more efficient working more from a central
location? Explain your motivation for finding a new job in a way that shows that you view this
new position as a positive change for both you and the organization.
2. What are your greatest strengths and accomplishments?
Take the opportunity to show how you helped your old company. Did you design its latest
firewalls that prevented breaches? Did you re-route the routers? Help with information access
security? Do you work well with people and show leadership skills? Talk about the types of
technology you know well and how you made a positive impact in your last position. Explain
how you built solid relationships with your coworkers and how you all worked together on
successful projects—and how you intend to do the same at this new company.
3. What are your greatest weaknesses? (Related: How did you overcome a problem?)
Everyone makes mistakes, and no one is good at everything. You should honestly assess what
you can improve and how you plan to show that improvement in your new role. Dig into your
past: You might have overseen the response to a breach or some other serious problem. It
might not have been your fault, but how you handled it shows your professionalism, problem-
solving abilities. and perhaps even outside-of-the-box thinking. Show that you are willing to
learn from mistakes, even if they’re not your own, and that you can handle a crisis. Explain
how you took responsibility and stepped up to be a leader.
4. How do you envision your first 90 days on the job?
Your answer should encompass how you intend to meet with your team members to find out
more about them and how you can work together. You should talk about how you will prioritize
gaining an understanding of what your managers need from you and what all the
stakeholders hope to achieve while also building strong rapport with your co-workers. You
should ask what you can do to make an impact right away. Talk about how you intend to
learn and get into the midst of business as soon as you can.
5. What is on your home network?
Your home network is typically a test environment. How you work with it gives an indication of
what you would do with someone else’s network.
6. What is the difference between a threat, a vulnerability, and a risk?
Answering this question calls for a deep understanding of cybersecurity and anyone working
in the field should be able to give a strong response. You should expect a follow-up question
asking which of the three to focus more on. A simple way to put it: a threat is from someone
targeting a vulnerability (or weakness) in the organization that was not mitigated or taken care
of since it was not properly identified as a risk.
7. How do you go about securing a server?
You might want to break this answer down into steps, especially if it refers to a specific type of
server. Your answer will give a glimpse into your decision-making abilities and thought process.
There are multiple ways to answer this question, just as there are multiple ways to secure a
server. You might reference the concept of trust no one or the principle of least privilege. Let
your expertise guide your response to this question and the others following it.
8. Why is DNS monitoring important?
Some argue that this is not necessary and that saying otherwise indicates that there are
weaknesses in the domain name services. Others say DNS monitoring is prudent because DNS
queries are a data-exfiltration vector from networks that allow any host to communicate to
the Internet on Port 53.
9. What port does ping work over?
Watch out for this. Ping is a layer-3 protocol like IP; ports are an element of the layer-4 protocols
TCP and UDP.
10. What is the difference between encoding, encrypting, and hashing?
This question should inspire a short conversation about encryption, which gives you the chance
to explain your knowledge of it.
(There’s more on encryption here.)
11. What is SSL?
SSL is a standard security technology for creating an encrypted link between a server and a
client (usually a web server and a web browser).
12. What are the differences between HTTPS, SSL, and TLS?
HTTPS is hypertext transfer protocol and secures communications over a network. TLS is
transport layer security and is a successor protocol to SSL. You have to demonstrate that you
know the differences between the three and how network-related protocols are used to
understand the inherent risks involved.
13. What sorts of anomalies would you look for to identify a compromised system?
There are multiple ways to answer this, but again, you need to show your expertise and
ingenuity. One possible answer is drawing out a basic network architecture with its IPS/IDS,
firewalls, and other security technologies to describe the type of traffic and other signs of
compromise.
14. If you had to both compress and encrypt data during a transmission, which would you do
first?
Compress and then encrypt, since encrypting first might make it hard to show compression
having much of an effect.
15. How would you strengthen user authentication?
Whatever way you answer, mention two-factor authentication or non-repudiation and how
you would implement it.
16. How would you defend against a cross-site scripting (XSS) attack?
Every cybersecurity professional should know this, even if it is difficult to answer. Come
prepared with a thoughtful, concise plan for defending against this JavaScript vulnerability.
17. What are the differences between cybersecurity in the cloud and on premises?
Show that you understand the security risks inherent to both and which might be more
appropriate for the company.
18. What does RDP stand for?
Remote desktop protocol, and its port number is 3389.
19. What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption
uses different keys for encryption and decryption. Asymmetric encryption is commonly used
to secure an initial key-sharing conversation, but then the actual conversation is secured using
symmetric crypto. Communication using symmetric crypto is usually faster due to the slightly
simpler math involved in the encryption/decryption process and because the session setup
doesn’t involve PKI certificate checking.”
(For more reading: What Is PKI and How Does It Bolster Your Cybersecurity Defenses?)
20. What is the difference between UDP and TCP?
Both are protocols for sending packets of information over the internet and are built on top of
the internet protocol. TCP stands for transmission control protocol and is more commonly used.
It numbers the packets it sends to guarantee that the recipient receives them. UDP stands for
user datagram protocol. While it operates similarly to TCP, it does not use TCP’s error-checking
abilities, which speeds up the process, but makes it less reliable.
21. What is a traceroute?
A traceroute, or tracert, can help you see where a breakdown of communications occurred.
It shows what routers you touch as you move along to your final destination. If there is
somewhere you cannot connect, you can see where it happened.
(Check out Glassdoor for more examples of technical questions for cybersecurity
analysts and cybersecurity engineers.)
Wrapping Up
After going through his or her list of technical questions to gauge your knowledge and
expertise, an interviewer will wrap up with a few final questions that give you a chance to
make a lasting impression.
22. What tech blogs do you follow?
Show that you stay current by telling the interviewer how you get your cybersecurity news.
These days, there are blogs for everything, but you might also have news sites, newsletters,
and books that you can reference.
23. What do you do in your spare time outside of cybersecurity?
The interviewer is hoping to get a better sense of you as a person to determine whether you’re
trustworthy, reliable, and of good character. He or she also wants to see if you would be a
good culture fit and someone others would enjoy collaborating with. You don’t need to get
too personal with the details, but you can talk about your hobbies, your family, the last
vacation you took, or how often you like to work out, among other things. Show some
personality here.
24. Where do you see yourself in five years?
Most people expect to advance in their cybersecurity careers in five years, which could mean
a promotion or raise (or a few). Emphasize how you are looking to further your knowledge and
skills—and how that will benefit the company. Tell the interviewer that you see yourself moving
up to a more senior position and continuing to contribute to the organization in a significant
way. Drive home the point that the investment made in you will be a good one.
25. Do you have any questions?
This is your chance to find out more about the company and position. Remember that an
interview is a two-way street. You are interviewing them as much as they are interviewing you
(even though it doesn’t always feel that way). Ask about the work environment and what the
company expects of you. Find out more about the day-to-day responsibilities and whether
there any special projects on the horizon. And see if you and the company are a good fit
culture-wise.

Penetration Testing is also called Pen Testing. It is a kind of testing that is used to test the level
of security of a system or web application. It is used to know the weaknesses or vulnerabilities
of the system features and also helpful in getting the complete details of risk assessment of a
target system. It is a process that is included in a complete system security audit. Penetration
Testing can be of two types i.e. White Box testing or Black Box testing. Penetration testing will
determine the strength of the security of the system. There are different tools to perform this
kind of Penetration testing based on the type of application to be tested.
Q1. What is Penetration Testing and how is it useful?
Answer:
Penetration Testing is also called Pen Testing and is a kind of cyber attack on a web
application or a system which can be of good or bad intent. In terms of bad intent, it is a kind
of cyber attack on a system to steal some kind of secure, confidential and sensitive
information. In terms of good intent, it is a kind of checking the strengths and weaknesses of a
system to vulnerabilities and external attacks and the strength of security levels it can handle.
Q2. What are the advantages of Penetration Testing?
Answer:
This is the common Penetration Testing Interview Questions asked in an interview. The
advantages of performing Penetration Testing on a System are –
1. It will help in detecting the security threats and vulnerabilities of a system or web
application.
2. It will help in monitoring the necessary standards to evade some.
3. It is helpful in reducing the downtime of the application in case of diverting large
amounts of traffic to the network by penetrating into the application.
4. It protects the organizations confidential and secured information and maintains the
brand image or value.
5. It is important in securing the application to avoid huge financial losses.
6. Focuses more on business continuity.
7. Maintains trust among the customers.
Q3. What are the different stages of Penetration Testing?
Answer:
There are different stages of performing penetration testing on a target system or web
application such as Planning and reconnaissance, Scanning, Gaining access, Maintaining
access, Analysis and configuration:

1. Planning and Reconnaissance: In this stage analysis and testing the goals to carry out
are performed and the information is gathered.
2. Scanning: In this stage, any kind of scanning tool is used to test the responsiveness of a
target system in the case of intruder penetration.
3. Gaining Access: In this stage, penetration or intruder attack will be executed and web
applications are attacked to disclose the possible vulnerabilities of the system.
4. Maintaining Access: In this, stage the gained access will be maintained carefully to
identify the vulnerabilities and weakness of the system.
5. Analysis and Configuration: In this stage, the results obtained from the maintained
access will be used to configure Web Application Firewall settings also.
Let us move to the next Penetration Testing Interview Questions.
Q4. What are the needs of Scrum?
Answer:
The below is the list of few requirements of Scrum but are not exhausted :
1. It requires User Stories to describe the requirement and track the completion status of
the assigned user story to the team member whereas Use Case is the older concept.
2. A name is required is it describes a sentence as a single line overview to give the simple
explanation of the User Story.
3. A description is required as it gives a high-level explanation of the requirement to be
met by the assignee.
4. Documents or attachments are also required to know about the story. For eg. In the
case of any change in User Interface Screen Layout, that can be easily known only by
having a look at the Wire Frame or Prototype of the Screen model. This can be attached
to the board using the attachment option.
Q5. What are the different Penetration Testing methods?
Answer:
The different penetration testing methods are External Testing, Internal Testing, Blind Testing,
Double-Blind Testing, and Targeted Testing. External Testing is a form of testing on the internet
sites those are publicly visible and email applications and DNS servers etc., Internal Testing is a
kind of testing which will penetrate into the internal applications of the system through a form
of phishing or internal attacks. Blind Testing is a form of penetrating into the application based
on its name in the form of a real-time possibility. Double Blind Testing is a form of testing where
even the name of the application is also unknown and even the security professional will be
having any idea in executing on a particular target and Targeted Testing is a form of
performing testing from both the security professional and tester together in the form of
targeting on each other.
Part 2 – Penetration Testing Interview Questions (Advanced)
Let us now have a look at the advanced Penetration Testing Interview Questions.
Q6. What is Cross Site Scripting (XSS)?
Answer:
Cross Site Scripting is a type of attack in the form of injections into a web application or system.
In this case, different types of malicious scripts are injected into a weak system to acquire
confidential information or hack the system without the knowledge of the administrator of the
system.
Q7. What is Intruder Detection?
Answer:
Intruder Detection mechanism will help in detecting the possible attacks those happened by
scanning the existing files in the form of records in the file system of the application. This will
help the organization to detect the attacks early on their system applications.
Let us move to the next Penetration Testing Interview Questions.
Q8. What is SQL injection?
Answer:
SQL injection is a form of attack in which the attacker injects data into an application which
will result in executing the queries to retrieve the sensitive information from the database that
results in the data breach.
Q9. What is SSL/TLS?
Answer:
This is the popular Penetration Testing Interview Questions asked in an interview. It is Secure
Socket Layer / Transport Layer Security which are standard security protocols to establish
encryption between a web server and a web browser.
Q10. What are different open source penetration testing tools?
Answer:
Following are the different open source penetration testing tools:
1. Wireshark
2. Metasploit.
3. Nikto.
4. NMap.
5. OpenVAS.

Level 1 Questions
This group of questions will cover the basics of penetration testing, focused on the following
areas:
 A definition of pentesting
 The purpose and goals of pentesting
 The difference between vulnerability testing and pentesting
 The types of pentesting methodologies
 The teams that are required to conduct a pentesting exercise
 The certs that are required in order to demonstrate deep skills and knowledge in
pentesting
 How a pentester should explain the results of a pentest to a C-level executive
1. What is a specific definition of pentesting?
Let’s ask the people in the know. Cloudflare.com says the following: “Penetration testing (or
pentesting) is a security exercise where a cybersecurity expert attempts to find and exploit
vulnerabilities in a computer system. The purpose of this simulated attack is to identify any
weak spots in a system’s defenses which attackers could take advantage of.”

2. What is the primary purpose of pentesting?

The main purpose of a pentest is to conduct a “deep dive” into the IT Infrastructure of a
business or a corporation with the primary intention of gaining access to any (and if possible,
all) of the electronic based assets that exist. It is important to note that the goal of the pentester
is not to attempt to strike a hard blow right at the very beginning; rather, they escalate the
intensity of the cyber-attack over a period of time.
3. What are the goals of conducting a pentesting exercise?
The goals are as follows:
 To test adherence to the security policies that have been crafted and implemented by
the organization
 To test for employee proactiveness and awareness of the security environment that they
are in
 To fully ascertain how a business entity can face a massive security breach, and how
quickly they react to it and restore normal business operations after being hit.
4. There is very often confusion between vulnerability testing and pentesting. What is the
primary difference between the two?
With vulnerability testing, one is simply scanning for any weaknesses that may reside in any
component of the IT Infrastructure. In a pentest, a full-scale cyber-attack or series of cyber-
attacks is launched with explicit permission from the client (or whoever is requesting it) in order
to specifically find any types or kinds of gaps that have not yet been discovered by the IT
security staff.
5. What are the three types of pentesting methodologies?
The three types are as follows:
 Black-Box Testing
 White-Box Testing
 Gray-Box Testing
6. Describe these tests in much more detail.
Black-Box Testing
In some instances, the cyber-attacker may know nothing about their intended target. So in an
effort to try to break through the lines of defense, the cyber-attacker will carry an all-out
attack, also known as a brute-force Attack. In a black-box scenario, the pentester will not
have any knowledge whatsoever about the target(s) they are going to hit. As a result, this kind
of pentest can take a very long time to conduct, and automated tools are heavily relied upon.
This kind of exercise is also known as a trial-and-error approach.
White-Box Testing
This kind of pentest is also known as clear-box testing. In these instances, the pentester has
advanced knowledge to some degree about the Web application that they are about to hit
and its underlying source code. This kind of attack takes a shorter amount of time to launch
when compared to the black-box test.
Gray-Box Testing
This kind of pentesting is a combination of both of black-box and white-box testing. This simply
means that the pentester has some advanced knowledge on the targets they plan to attack.
This kind of exercise requires both the use of automated and manual tools. When compared
to the other two tests, this one offers the highest chances of discovering unknown security
holes and weaknesses.
7. What are the teams that can carry out a pentest?
The teams are as follows:
 The Red Team
 The Blue Team
 The Purple Team
8. Can you describe these teams in more detail?
The functionalities of these three teams can be described as follows:
The Red Team
This group of pentesters acts like the actual cyber-attack. That means this team is the one that
launches the actual threat, in order to break down the lines of defense of the business or
corporation and attempt to further exploit any weaknesses that are discovered.
The Blue Team
These are the pentesters that act like the actual IT staff in an organization. Their main objective
is to thwart any cyber-attacks that are launched by the Red Team. They assume a mindset of
being proactive as well as maintaining a strong sense of security consciousness.
The Purple Team
This is a combination of both the Red Team and the Blue Team. For example, they have the
security arsenal that is used by the Blue Team and possess a working knowledge of what the
Red Team is planning to attack. It is the primary job of the Purple Team to help out both these
teams out. Because of that, the pentesters of the Purple team cannot be biased in any regard
and have to maintain a neutral point of view.
9. What kinds of certifications in the most demand for penetration testing?
There is no doubt that in the cybersecurity field, there an endless number of certs one can
pursue. But if a pentester is to be recognized as the top in their field, the following certs are a
must-have:
  The Certified Ethical Hacker (aka CEH – this is administered by the EC Council)
 The Offensive Security Certified Professional (aka OSCP – this is administered by
Offensive Security)
10. The results of a pentesting exercise have to be made available not only to the IT staff, but
also to the C-level executives. The latter may not possess a strong technical knowledge
like their IT staff does. How would you explain the results to them?
The C-suite can understand results when they are explained to them in terms of financial
impact. Thus, a pentesting report should also include a risk analysis which demonstrates the
benefit versus the cost of any of the vulnerabilities that are discovered and not fixed. It should
also have financial calculations demonstrating the impacts of a security breach.
Level 2 Questions
In this section, we’ll look at some intermediate-level questions about penetration testing
concepts. These will focus on the following:
 Cross-site scripting
 Data packet sniffing
 Various abbreviations that are used in pentesting
 Common network security vulnerabilities
 Pentesting techniques
 The various network ports
 SQL injection attacks
 Asymmetric/symmetric cryptography
 SSL/TLS
1. Explain what cross-site scripting (XSS) is all about.
This is a type of cyber-attack where malicious pieces of code, or even scripts, can be covertly
injected into trusted websites. These kinds of attacks typically occur when the attacker uses a
vulnerable Web-based application to insert the malicious lines of code. This can occur on the
client side or the browser side of the application. As a result, when an unsuspecting victim runs
this particular application, their computer is infected and can be used to access sensitive
information and data. A perfect example of this is the contact form, which is used on many
websites. The output that is created when the end user submits their information is often not
encoded, nor is it encrypted.
2. What exactly is data packet sniffing, and what are some of the most widely used tools?
Data packet sniffing is a specific process in which network traffic can be captured ether across
the entire IT Infrastructure, or just certain parts of it. Once this has been accomplished, then a
deep analysis of the data packets in question can then be made.
For example, if a business or a corporation is hit by a cyber-attack, examining the network
traffic and the data packets that were associated with it at the time of the security breach
occurred becomes extremely crucial, especially from the standpoint of forensics. Even if no
attack is imminent, it is still very crucial for the IT staff to conduct a check on their network
traffic in order to determine if there is any sort of anomaly that is present. There are many data
packet sniffing tools that are available today, but probably the most widely-used one is
Wireshark.
3. Please provide the exact names of the following abbreviations that are commonly used in
pentesting: 2FA, 2S2D, 2VPCP, 3DES, 3DESE, 3DESEP.
The acronyms stand for the following:
 2FA means “Two-Factor Authentication”
 2SD2D means “Double-Sided, Double Density”
 2VPCP means “Two-Version Priority Ceiling Protocol”
 3DES means “Triple Data Encryption Standard”
 3DESE means “Triple Data Encryption Standard Encryption”
 3DESEP means “Triple Data Encryption Standard Encryption Protocol”
4. What are some of the most common network security vulnerabilities that a pentester comes
across?
Of course, there are countless numbers of issues that can impact the network infrastructure of
an organization, and you probably have your own stories about what you’ve encountered.
The following vulnerabilities are some of the most prevalent:
 The usage of extremely weak passwords in the network security tools themselves, which
include the routers, firewalls, network intrusion devices and so on. Very often, business
entities are in a rush to deploy these kinds of technologies, and they forget to create a
robust and secure password. This leads to them using the insecure default one set up by
the vendor
 Implementing security patches on the wrong servers and related network components.
There are also times when a security patch is installed on the right machine but not
configured properly, thus leaving it wide open to a cyber-attack
 The misconfiguration of network devices, as described previously
 The use of infected portable media devices (primarily USB drives) and inserting them into
a server and other related network components
 The lack of a coherent network security policy; even if one was implemented,
compliance is still a huge issue
5. What are the different pentesting techniques?
Pentesting techniques fall into these following categories:
  Web Application Testing
 Wireless Network/Wireless Device Testing
 Network Infrastructure Services
 Social Engineering Testing
 Client-Side Application Testing
6. What network ports are commonly examined in a pentesting exercise, and what tool can
be used for this?
They are as follows:
 HTTPS (Port #443)
 FTP (Port #’s 20 & 21)
 NTP (Port #123)
 SSH (Port #22)
 HTTP (Port #80)
 Telnet (Port #23)
 SMTP (Port #25)
In these particular instances, “Nmap” is the most commonly used tool.
7. Describe in detail what SQL injection is.
This is a method in which malicious SQL code is inserted into the database or the back end of
the Web-based application. These are typically deployed into an entry-level field so that the
malicious code can be executed. This kind of attack is used primarily for heavy data-driven
applications in which multiple security vulnerabilities can be found and exploited. It should be
noted that although SQL injection attacks are primarily used to hit Web-based applications,
the attacker can also target the SQL database just by itself as well.
8. What is the primary difference between asymmetric and symmetric cryptography? Give
an example of the former.
Only one type of key is used in symmetric cryptography, and this key is known as the Private
Key. Although the main advantage of this is that this type of system is relatively easy to deploy,
the primary disadvantage of it is that if the Private Key falls outside the reach of the sending
and receiving parties, the cyber-attacker can easily capture the ciphertext and decrypt it
very easily.
With asymmetric cryptography, two keys are used: the Public Key and the Private Key. The
advantage of this system is that it offers far greater levels of security as opposed to just using
a Private Key, but it requires considerably more processing power resources. An example of
an asymmetric cryptography system is Public Key Infrastructure, also known as PKI.
9. What are the permutations required for a robust SSL connection to take place?
The following characteristics are required:
 The session identifier
 A peer certificate
 An established compression method
 Any associated cipher specs
10. What are SSL and TSL?
SSL stands for “Secure Sockets Layer.” This is the de facto standard to keep all Internet
connections safe and secure. You will know that a particular website can be safely accessed
when it has “HTTPS” in its URL address. SSLs are used most in e-commerce-based applications,
in which credit card and other personal information and data is transmitted to the online
merchant.
TSL stands for “Transport Layer Security” and is actually a much more updated and advanced
version of SSL. It is important to note that with TSL, it can come with three types of encryption:
 Elliptical Curve Cryptography (ECC)
 Rivest–Shamir–Adleman (RSA)
 Digital Signature Algorithm (DSA)
Level 3 Questions
This section covers advanced-level questions about penetration testing, focusing on the
following:
 The SSL/TSL handshake
 The phases of a network intrusion attack
 Diffie-Hellman public key exchanges
 The establishment of network controls
 Traceout/Tracert
 Omniquad BorderSecure
 The various pentesting models
 The types of cross-site scripting (XSS)
 Cross-site request forgery
1. How exactly does SSL/TSL work?
Establishing an SSL/TSL connection works in this fashion:
 On the client side, the end user enters a URL address into their Web browser. This then
initiates the SSL/TLS connection by transmitting a particular message to the server on
which the website resides
  This server then returns a Public Key (or even a certificate) back to the end user’s Web
browser
 The browser then closely inspects this Public Key, and if all looks good, a Symmetric Key
is transmitted back to the server. If there are anomalies detected from within the Public
Key, the communications are instantly cut off
 Once the server gets the Symmetric Key, it then sends the encrypted webpage that is
being requested back to the end user’s Web browser
 The browser then decrypts the content into a form that can be easily understood by the
end user
It is important to note that this entire process can also be referred to as the SSL/TSL Handshake.
2. Describe the different phases of a network intrusion attack.
The phases are as follows:
 Reconnaissance: This is where the pentester learns more about the target they are
about to hit. This can either be done on an active or passive basis. In this step, you learn
more about the following:
o The IP address range that the target is in
o Finding out its domain name
o DNS records
o Scanning: This is the step where the pentester learns about the vulnerabilities of
the particular target. Weaknesses are found in the network infrastructure and the
associated software applications. For example, this include the following:
 Ascertaining the services that are currently being run
 Any open ports
 The detection of any firewalls
 Weaknesses of the operating system in question
 Gaining the needed access: This is the part where the pentester starts to actually initiate
the launch of the cyber-attack, based on the weaknesses and the vulnerabilities that
they have discovered in the last step
 Maintaining the access: The pentester has entered the target itself and tries to keep that
access point open so that they can extract as much private information and data as
possible
 Covering their tracks: In this last step, the pentester ensures that any “footprints” left
behind in the course of their attack are covered up so that they can’t be detected. For
instance, this involves the following:
o The deletion of any log-related files
 o Closing off any backdoors
o Hiding all controls that may have been used
3. What is a specific pentesting exercise that can be done with a Diffie-Hellman exchange?
This was actually one of the first Public Key protocols to be put into place, and it is
a methodology that can be utilized to securely exchange Public Keys over an open network
line of communications. A pentest can be done here in order to determine and ascertain any
kind of weak/TLS services that are associated with this exchange process.
4. After a pentest is conducted, what are some of the top network controls you would advise
your client to implement?
The following types of controls should be implemented:
 Only use those applications and software tools that are deemed “whitelisted”
 Always implement a regular firmware upgrade and software patching schedule, and
make sure that your IT staff sticks with the prescribed timetable
 With regards to the last point, it is absolutely imperative that the operating systems(s)
you utilize are thoroughly patched and upgraded
 Establish a protocol for giving out administrative privileges only on an as-needed basis,
and only to those individuals that absolutely require them
5. How does traceout/tracert exactly work?
This is used to determine exactly the route of where the data packets are exactly going. For
example, this method can be used to ascertain if data packets are being maliciously
redirected, they take too long to reach their destination, as well as the number of hops it takes
for the data packets to go from the point of origination to the point of destination.
6. What is Omniquad BorderSecure?
This is a type of specific service that can help to perform network-based audits or even
automated pentesting of an entire network infrastructure. It can give the pentesting team
detailed information and data as to how the cyber-attacker can gain access to your network-
based digital assets. It can also be used to help mitigate any form of threat that is launched
by a malicious third party.
7. What number of vulnerabilities can the abovementioned service actually detect?
All types of network infrastructures can be pentested, and up to a thousand total vulnerabilities
can be detected with this particular service.
8. Describe the theoretical constructs of a threat model that can be used in a pentesting
exercise.
The constructs behind a threat model include the following:
 Gathering the required documentation
  Correctly identifying and categorizing the digital assets that are found within the IT
infrastructure of a corporation or business
 Correctly identifying and categorizing any type of kind of cyber-threat that can be
targeted towards the digital assets
 Properly correlating the digital assets with the cyber-threat that they are prone to (this is
can also be considered as a mapping exercise where a digital asset is associated with
its specific cyber-threat)
It is also important to note that there are three types of threat models that a pentesting team
can use, and they are as follows:
 Digital Asset-Centric
 Cyber-Attacker-Centric
 Software Application-Centric.
The above is an example of a Digital Asset-Centric Threat Model.
9. What are the three types of cross-site scripting (XSS)?
The three types are as follows:
 Persistent/Stored XSS: This is where the malicious input is stored onto the target server,
such as a database, and is reflected at the page where the end user entered in their
information (such as a “Contact Us” form)
 Reflected XSS: Any form of malicious user input is instantaneously returned by the Web-
based application as an “Error Message.” As a result, this data is deemed to be unsafe
by the Web browser, and it is not stored in any fashion
 DOM-based XSS: This will actually for any type or kind of client scripting language (such
as Java) to access and maliciously modify the end user input. It can also covertly alter
the content, structure and even the particular style of a webpage. The types of objects
that can be manipulated include the following:
o Document.URL
o Document.location
o Document.referrer
10. What exactly is CSRF and how can it be prevented when executing a pentest exercise?
This stands for cross-site request forgery, and it takes advantage of the trust levels that are
established in an authenticated user session. For example, in these scenarios, Web-based
applications typically do not conduct any form of verification tests that a specific request
actually came from an authenticated user; rather, the only form of verification is sent by the
particular Web browser that the end user is utilizing. There are two ways to avoid this scenario:
 Double-check the specific CSRF token that is being used
  Confirm that the specific requests are coming from within the same origin
Conclusion
Overall, we’ve looked at some of the interviews that you could be asked if you are applying
for a pentesting job. These questions can also be asked of a pentester if they are currently
employed in this field.
It is important to keep in mind that although answering these questions will demonstrate to the
interviewer your in-depth knowledge of pentesting, it takes other qualitative skills as well in
order to become a successful pentester. For instance, you must have the ability to work well
with others in a team-oriented fashion and work long hours.
Pentesting also requires you to have a great deal of patience on your part, as it these kinds of
exercises do not happen in just one day. A successful pentest can take weeks or even months
to accomplish.
Finally, you must also have the ability to take all of the techno-jargon that is associated with
the results you have obtained and bring it down to a level that your client can understand
and implement. You will be gauged on these qualitative factors as well in your interview.
If you want to review more in-depth pentesting questions, click on the link here. Skillset is a
practice exam engine featuring thousands of certification exam questions for security and IT
pros. Users benefit from detailed question explanations and exam readiness scores, letting
them know exactly when they are ready to sit their exams.

Question 1. Do You Filter Ports On The Firewall?

You can filter ports on the firewall to block specific malware and protect the network from
unnecessary traffic. For instance, some companies block port 21, the FTP port, when the
company does not host or allow FTP communications.
Question 2. How Does Tracerout Or Tracert Work?
traceroute and tracert work to determine the route that goes from the host computer to a
remote machine. It’s used to identify if packets are redirected, take too long, or the number
of hops used to send traffic to a host.
Question 3. What Are The Strengths And Differences Between Windows And Linux?
Linux has some commands that Windows does not, but Windows is not open source and does
not suffer from recent hacks such as Heartbleed.
Question 4. How Can You Encrypt Email Messages?
You can use PGP to encrypt email messages or some other form of a public private key pair
system where only the sender and the recipient can read the messages.
Question 5. What Kind Of Penetration Can Be Done With The Diffie Hellman Exchange?
A hacker can use the man in the middle attack with the Diffie Hellman exchange since neither
side of the exchange is authenticated. Users can use SSL or encryption between messages to
add some kind of security and authentication.
Question 6. How Do You Add Security To A Website?
The HTTP protocol allows for security behind authenticated pages and directories. If the user
does not enter the right username and password, the server returns a 403 authentication HTTP
error. This protects from unauthorized users.
Question 7. What Are Some Ways To Avoid Brute Force Hacks?
You can stop authentication after a certain amount of attempts and lock the account. You
can also block IP addresses that flood the network. You can use IP restrictions on the firewall
or server.
Question 8. What Type Of Tools Are There Out There For Packet Sniffing?
Wireshark is probably the most common packet sniffing tool. This program can help you find
odd traffic across the network or identify a program that is sending traffic silently from a host.
Question 9. What Is The Difference Between Asymmetric And Symmetric Encryption?
Symmetric encryption uses the same key for decryption and encryption. Asymmetric uses
different keys.
Question 10. Why Should We Conduct A Penetration Test?
IT is an integral part of every company's business today. Therefore, not only the amount of
business-critical data that is stored on IT systems grows, but also the dependency on a working
IT infrastructure. This leads to an increased amount of attacks against IT systems in the form of
industrial espionage, denial of service attacks and other possibilities to significantly harm a
company. Important corporate secrets are spied on and sold to competitors.
The availability of systems is interrupted, as a non-working IT is causing more and more
problems today. No new orders are placed, because competitors somehow always have the
better offer. A penetration test gives you information about your systems' vulnerabilities, how
probable a successful attack against your infrastructure is and how you can protect yourself
against potential security breaches in the future.
Question 11. Are There Legal Requirements For Penetration Tests?
It may not be mandatory to do a penetration test for corporations, but the German law for
example includes numerous text passages in its commercial laws which could be validated
by conducting a penetration test.
Question 12. What Is The Workflow Of A Penetration Test?
In advance of every penetration test, an individual meeting is held. In this meeting, the various
possibilities of a penetration test in relation to the customer's systems are discussed. A
penetration test only makes sense if it is realised in an individual and customer-oriented way.
Question13. What Time Investment Do You Estimate For A Penetration Test?
The time investment for a penetration test varies from case to case depending on the systems
to be tested and the individual test requirements. Usually, the time needed ranges from a few
days to several weeks. One goal of the preliminary meeting is to get enough information about
the systems to be tested to estimate the optimal length for the penetration test.
Human resources on the customer's side are usually only marginally bound. Most notably, a
contact person for questions during the exploitation phase is required.
Question 14. How Much Information Does Redteam Pentesting Need From Us?
The type and amount of information needed varies with the kind of penetration test that is to
be conducted. The two concepts mentioned most often are blackbox and whitebox tests.
Unfortunately, those terms are not defined by a standard and can therefore mean different
things, depending on who you talk to.
RedTeam Pentesting usually recommends a whitebox test. Penetration tests performed as
complete blackbox tests always suffer from the fact that third parties might get involved
without their explicit consent. Providing technical information in a whitebox test scenario
before the test starts also allows the penetration testers to detect security vulnerabilities that
are of importance to your company even faster and more efficiently.
It should always be acted on the assumption that real, serious attackers are able to obtain the
necessary information prior to their attacks, or can procure it in time. A precise determination
about what information is necessary to conduct an efficient test is done individually for every
client during a preliminary meeting.
Question 15. What Are Blackbox And Whitebox Tests?
A blackbox test is normally defined as a test where the penetration testers do not have any
more information than attackers without internal knowledge might have. The idea is to check
how deeply potential attackers can compromise your systems without any kind of internal
information or access. All knowledge has to be gathered with classical reconnaissance
(finding as much information as possible about the target) and enumeration (a deeper look
at individual systems).
Despite the requirement of having as little information in the beginning as possible, at least a
few specifications for the test have to be given, lest to unwillingly target uninvolved third
parties. This does not pose a restriction for real attackers, but for every reputable company it
should go without saying that all phases of a penetration test are only performed where
explicit consent is given. This is not the case for third party systems, that would for example be
affected by a portscan of a range of systems that presumably belong to the client the
penetration test is conducted for.
In contrast, there is the whitebox test (sometimes also denoted as crystal-box test). In a
whitebox test, the penetration testers already have internal knowledge about the target
systems (for example network plans or a web application's source code) and possibly various
access permissions. The latter could be an unprivileged user account to the company
network, as it is available to employees, or login credentials for a web application like any
normal customer would have.
This allows to test to what extent users with access to a system can misuse their permissions.
Additionally, internal information may be provided that is also available to every staff member
of company. This can be information about internal systems like web servers, mail servers, LDAP
servers etc., but also for example organisational structures like employee's responsibilities and
positions in the company. If only selected parts of information are divulged, this kind of test is
also often called a graybox test.
Question 16. Why Should Not Only The Network Perimeter Be Tested, But Also The Internal
Network?
If your company's network is sufficiently hardened at the perimeter systems and it was not
possible to successfully compromise it during a perimeter test, it still makes sense to additionally
conduct an internal test. Just because the perimeter systems are sufficiently secured, it does
not mean that the same precautions are taken on the internal network. Most of the time, too
little security is done on the internal network, as it is supposedly only accessible by trustworthy
persons. Especially in larger corporations though, not every employee needs the same access
permissions.
The intern does not need to have the same access level as the CEO. It is therefore a severe
problem if a security vulnerability appearing in the future that allows access to the internal
network eliminates all safety precautions. If the financial incentive is big enough, it should also
be no problem for attackers (competitors, business rivals) to either bribe one of your staff
members or infiltrate your organization with somebody reporting back to them with all the
data that is supposedly well guarded if seen from the outside.
Question 17. What Types Of Systems Does Redteam Pentesting Test?
RedTeam Pentesting tests all kinds of systems. Frequently, the security vulnerabilities that matter
the most are independent from the system's technology, making it possible to successfully test
even previously unknown types of systems. Additionally, it goes with the job of being a
penetration tester to have the ability to quickly adapt to new situations and systems.
Additionally, RedTeam Pentesting's service is not limited to the classic network- or web
application penetration test. Newly developed hardware and other products are also tested,
as well as security concepts only existing as a draft at the time of testing. In some particular
cases, a penetration test conducted in response to the detection of a security incident can
help in identifying the vulnerabilities exploited and in fixing them in a timely manner.
18. Can Any Harm Be Done To Our Productive Systems During The Test?
Unlike real attackers, RedTeam Pentesting pays great attention to a customer's production
systems, so as to not interrupt them. We always go to the greatest extent to leave all systems
unharmed in a penetration test. Attacks where the risk of a system failure is especially high are
only performed with the client's explicit consent.
All in all, it is never possible to completely rule out that a production system crashes in a
penetration test. To be able to get hold of someone as fast as possible in such a situation,
emergency telephone numbers are exchanged prior to the test.
Question 19. Are Denial-of-service Attacks Also Tested?
Denial-of-service (DoS) attacks are usually only examined if it seems to be possible to put a
system's availability at risk with very small effort. This can for example be a misconfiguration or
a program error (say, if a system crashes when it gets sent an overly long request). Attacks like
this will only be performed after an explicit agreement is provided, to verify if the attack is
indeed possible.
On the other hand, attacks that try to saturate the bandwidth a company has at its disposal
are usually not tested, as this is always possible for attackers with sufficient resources and will
also affect third-party systems. Distributed denial-of-service attacks, that usually involve
hundreds, if not thousands, of zombie systems (systems that were compromised and can now
be remotely controlled) cannot be simulated realistically.
Question 20. Does Redteam Pentesting Do Social Engineering?
Penetration tests may include social engineering techniques. These techniques are not without
controversy though. More detailed information about the problems occuring with social
engineering and penetration tests is available under exploitation. One safety measure against
social engineering attacks can be trainings for your employees.
Question 21. What Happens To Confidential Data Redteam Pentesting Gathers During The
Penetration Test?
RedTeam Pentesting commits itself to absolute secrecy regarding your confidential data. A
non-disclosure agreement (NDA) determining that RedTeam Pentesting treats a client's data
as confidential is already part of every contract. All customer data, including information that
is used to prepare a first quotation, is subject to the same obligation to confidentiality. At the
end of a penetration test, all data and possible storage media is either securily destroyed or
handed back to the client.
Question 22. Are The Results Written Down In A Report?
Every client gets a detailed report at the end of a penetration test. A typical report includes a
non-technical executive summary of the results, to give a short and precise overview of the
current status, followed by a more extensive technical explanation for administrators,
developers or other technical staff.
The individual problems enumerated in the report are separated into a detailed description,
a risk analysis and proposed solutions, to directly give suggestions for improvement.
Question 23. What Other Products And Services Does Redteam Pentesting Offer?
RedTeam Pentesting specialises in penetration tests and does not offer any other services. In
particular, no products or services are sold after a penetration test, to guarantee independent
and objective test results. The specialisation also ensures that RedTeam Pentesting's
employees have a lot of experience and expert knowledge for conducting penetration tests.
Question 24. Can We Get A List Of Redteam Pentesting's References?
Among RedTeam Pentesting's clients are national and international companies of all trades,
including the following:
• Trade & industry
• Banking & insurance companies
• Public administration & authorities
• IT service providers & data centres
Because our customers set a high value on confidentiality, RedTeam Pentesting cannot
publish a reference list. However, to get a first impression of our capabilities you can take a
look at a selection of published testimonials, in which some of our customers report about their
experience with RedTeam Pentesting.
Question 25. How Is Redteam Pentesting Different From Other Companies That Offer Penetration
Tests?
RedTeam Pentesting specialises exclusively in penetration tests, in contrast to many other
companies in IT-security for which penetration tests are one of many business offerings. As the
expertise for conducting a penetration test with specialized security experts is absent in many
cases, quite often automated security scans are sold as penetration tests. Customers of such
service providers most often receive a printout of the program's findings as the result of the
»penetration test«.
RedTeam Pentesting in contrast employs security specialists who do close teamwork to
achieve the best results. The results are documented in a detailed report by the penetration
testers that performed the test, with the ambition to communicate the necessary knowledge
about the vulnerabilities in an understandable way. For our customers, this means that
vulnerabilities can be better comprehended and issues solved more efficiently. RedTeam
Pentesting particularly does not sell any other services before or after a penetration test. The
penetration test should not serve to sell extra services, but should be an independent security
examination.
Additionally, all of RedTeam Pentesting's employees are permanent employees and publicly
listed on our website. Even during workload peaks, no subcontractors or freelancers are hired,
to guarantee the high quality of the tests as well as strict confidentiality.
Question 26. In What Countries Does Redteam Pentesting Offer Penetration Tests?
RedTeam Pentesting works for many international customers. The project language for
penetration tests is either English or German. Depending on specific customer demands,
penetration tests can be performed locally at the client's premises, or via the Internet or other
means of remote access. It is of course also possible to conduct a penetration test on a client's
test system in RedTeam Pentesting's laboratory, for example in case of a product pentest.
Question 27. What Is Network Penetration Testing?
A penetration test, also referred to as “pentest”, is a method of evaluating the security of a
computer system or network by simulating an attack from malicious outsiders (without any
authorised means of accessing the company's networks) but also malicious insiders (who have
some level of authorised access).
The process involves an active analysis of the system for any potential vulnerabilities that could
result from poor or improper system configuration, known and unknown hardware or software
flaws, or operational weaknesses.
The analysis is carried out from the position of a potential hacker and can involve active
exploitation of security vulnerabilities.
Question 28. Is Network Penetration Testing The Same As Network Vulnerability Assessment?
There are many names for this type of security service. Network vulnerability assessment,
network audit, network vulnerability scan, network penetration testing, they may all mean the
same thing. BorderSecure is the name of Omniquads Network penetration service.
Question 29. Why Is It Critical To Have An On-going Assessment Of Your Networks’ Security?
As new security issues and flaws with different products are made public on a daily basis, it is
important to carry out regular checks in order to maintain a secure network. We check for
holes in your Internet infrastructure, and the ideal way to stay secure on the Internet is to stay
ahead of hackers, at all times.
Question 30. Why Should A Third Party Assess Your System?
If you have your own IT department implement your security system, it is to your advantage to
let an impartial third party do the audit. We provide an outsiders view on how easy/difficult it
is to compromise your integrity. Having an audit report from a third party outlining all confirmed
security vulnerabilities on the network provides invaluable information to any network
administrator.
The service is fast, and you will have the advantage of continually knowing how secure your
network is and what you can do to improve it.
Question 31. What Is Omniquad Bordersecure?
Omniquad BorderSecure is a service that performs network audits or network penetration
testing — it identifies security vulnerabilities and weaknesses on networks. The information can
be used to assess security, manage risks, and eliminate security vulnerabilities before third
parties can take advantage of potential security holes on your network. Omniquad
BorderSecure is a service that can tell you how hackers can gain access to your networks, and
help you prevent such a security breach.
Question 32. We Have A Firewall In Place. Do We Still Need Network Penetration Testing If We
Have A Firewall?
The simple answer is yes. Network penetration testing is especially important if you have a
Firewall, as it forms a part of your assessment of your Firewalls efficiency. Performing a network
scan or penetration test when you have a firewall will test the settings on your Firewall. It is
important to test your Firewall each time you have made upgrades or changes to the settings,
to ensure it is protecting your network the way it should.
Question 33. Will Firewalls Interfere With Omniquad Bordersecure?
Firewalls are an essential part of network security. Omniquad BorderSecure assesses firewall's
effectiveness in addition to applications and protocols such as web, FTP, and e-mail that are
frequently accessible through firewalls. The system also looks for holes in the firewall; it is often
the case that misconfigured firewalls pose security threats.
Question 34. Can I Target Any Ip Address?
Yes we can check any and as many IP addresses as you want provided they belong to you.
We will not check any third party IP address.
Question 35. Is Network Penetration Testing Safe?
Yes it is completely safe, skilled Omniquad engineers are probing your network from outside
your organisation. However, if there should be any glitches, it is better that it happens under a
controlled sweep of your network since this in itself is exposing network vulnerabilities, some of
which could indicate that your business would be defenceless to Denial of Service attacks.
Question 36. Is The Service Host-based Or Network-based?
Omniquad BorderSecure is host-based (on a dedicated server) outside your network. The
service checks your network via the Internet — much like a hacker would try to break into your
company from the outside. This gives you a realistic analysis of your network vulnerabilities.
Question 37. How Many Different Types Of Vulnerabilities Can Omniquad Bordersecure Detect?
Omniquad BorderSecure runs scans and audits on all types of networks. Our team tests new
vulnerabilities for ensuring that our knowledge database remains comprehensive at all times,
and currently we check for up to 1000 different vulnerabilities.
Question 38. What Happens After Omniquad Bordersecure Detects Vulnerabilities On My
Network?
Omniquad BorderSecure provides a detailed report outlining each vulnerability, including: The
vulnerable host(s), Operating system weaknesses, Level of security risk of the vulnerability,
Description of the vulnerability, Recommendation for correcting the problem.
Question 39. Does Bordersecure Fix Vulnerabilities Found Automatically?
No, we point out the weaknesses and recommend solutions. It is not advisable to perform
automatic fixes, even if it was possible, since this could cause a variety of concerns.
BorderSecure informs you about security risks, it is your responsibility to follow up the
recommendations to secure your network perimeter. However, we can offer advice should
this be necessary.

Question 1. What Is Owasp?

OWASP stands for Open Web Application Security Project. It is an organization which supports
secure software development.
Question 2. Mention What Flaw Arises From Session Tokens Having Poor Randomness Across A
Range Of Values?
Session hijacking arises from session tokens having poor randomness across a range of values.
Question 3. Mention What Happens When An Application Takes User Inserted Data And Sends
It To A Web Browser Without Proper Validation And Escaping?
Cross site scripting happens when an application takes user inserted data and sends it to a
web browser without proper validation and escaping.
Question 4. Mention What Threat Can Be Avoided By Having Unique Usernames Produced With
A High Degree Of Entropy?
Authorization Bypass can be avoided by having unique usernames generated with a high
degree of entropy.
Question 5. Explain What Is Owasp Webgoat And Webscarab?
WebGoat: Its an educational tool for learning related to application security, a baseline to test
security tools against known issues. It’s a J2EE web application organized in “Security Lessons”
based on tomcat and JDK 1.5.
WebScarab: It’s a framework for analysing HTTP/HTTPS traffic. It does various functions like
fragment analysis, observer the traffic between the server and browser, manual intercept,
session ID analysis, identifying new URLs within each page viewed.
Question 6. List Top 10 Owasp Vulnerabilities?
OWASP top 10 security flaws include:
o Injection
o Cross site scripting
o Broken Authentication and Session Management
o Insecure cryptographic storage
o Failure to restrict
o Insecure communications
o Malicious file execution
o Insecure direct object reference
o Failure to restrict url access
o Information leakage and improper error handling
Question 7. Explain What Threat Arises From Not Flagging Http Cookies With Tokens As Secure?
Access Control Violation threat arises from not flagging HTTP cookies with tokens as secure.
Question 8. Name The Attack Technique That Implement A User’s Session Credential Or Session
Id To An Explicit Value?
Dictionary attack can force a user’s session credential or session ID to an explicit value
Question 9. Explain What Does Owasp Application Security Verification Standard (asvs) Project
Includes?
OWASP application security verification standard project includes:
Use as a metric: It provides application owners and application developers with a yardstick
with which to analyze the degree of trust that can be placed in their web applications
Use as a guidance: It provides information to security control developers as to what to build
into security controls in order to meet the application security requirements
Use during procurement: It provides a basis for specifying application security verification
requirements in contracts
Question 10. List Out The Controls To Test During The Assessment?
o Information gathering
o Configuration and Deploy management testing
o Identify Management testing
o Authenticate Testing
o Authorization Testing
o Session Management Testing
o Data Validation Testing
o Error Handling
o Cryptography
o Business logic testing
o Client side testing
Question 11. Explain What The Passive Mode Is Or Phase I Of Testing Security In Owasp?
The passive mode or phase I of security testing includes understanding the application’s logic
and gathering information using appropriate tools. At the end of this phase, the tester should
understand all the gates or access points of the application.
Question 12. Mention What Is The Threat You Are Exposed To If You Do Not Verify Authorization
Of User For Direct References To Restricted Resources?
You are exposed to threat for insecure direct object references, if you do not verify
authorization of user for direct references to limited or restricted resources.
Question 13. Explain What Is Owasp Esapi?
OWASP ESAPI (Enterprise Security API) is an open source web application security control
library that enables developers to build or write lower risk applications.
Question 14. Mention What Is The Basic Design Of Owasp Esapi?
The basic design of OWASP ESAPI includes:
o A set of security control interfaces
o For each security control there is a reference implementation
o For each security control, there are option for the implementation for your own
organization

Top 14 OWASP Interview Questions & Answers

1) What is OWASP?
OWASP stands for Open Web Application Security Project. It is an organization which supports
secure software development.
2) Mention what flaw arises from session tokens having poor randomness across a range of
values?
Session hijacking arises from session tokens having poor randomness across a range of values.
3) Mention what happens when an application takes user inserted data and sends it to a web
browser without proper validation and escaping?
Cross site scripting happens when an application takes user inserted data and sends it to a
web browser without proper validation and escaping.
4) Mention what threat can be avoided by having unique usernames produced with a high
degree of entropy?
Authorization Bypass can be avoided by having unique usernames generated with a high
degree of entropy.
5) Explain what is OWASP WebGoat and WebScarab?
 WebGoat: Its an educational tool for learning related to application security, a baseline
to test security tools against known issues. It’s a J2EE web application organized in
“Security Lessons” based on tomcat and JDK 1.5.
 WebScarab: It’s a framework for analysing HTTP/HTTPS traffic. It does various functions
like fragment analysis, observer the traffic between the server and browser, manual
intercept, session ID analysis, identifying new URLs within each page viewed
6) List Top 10 OWASP Vulnerabilities
OWASP top 10 security flaws include
 Injection
 Cross site scripting
 Broken Authentication and Session Management
 Insecure cryptographic storage
 Failure to restrict
  Insecure communications
 Malicious file execution
 Insecure direct object reference
 Failure to restrict url access
 Information leakage and improper error handling
7) Explain what threat arises from not flagging HTTP cookies with tokens as secure?
Access Control Violation threat arises from not flagging HTTP cookies with tokens as secure.
8) Name the attack technique that implement a user’s session credential or session ID to an
explicit value?
Dictionary attack can force a user’s session credential or session ID to an explicit value
9) Explain what does OWASP Application Security Verification Standard (ASVS) project
includes?
OWASP application security verification standard project includes
 Use as a metric: It provides application owners and application developers with a
yardstick with which to analyze the degree of trust that can be placed in their web
applications
 Use as a guidance: It provides information to security control developers as to what to
build into security controls in order to meet the application security requirements
 Use during procurement: It provides a basis for specifying application security
verification requirements in contracts
10) List out the controls to test during the assessment?
 Information gathering
 Configuration and Deploy management testing
 Identify Management testing
 Authenticate Testing
 Authorization Testing
 Session Management Testing
 Data Validation Testing
 Error Handling
 Cryptography
 Business logic testing
 Client side testing
11) Explain what the passive mode is or phase I of testing security in OWASP?
The passive mode or phase I of security testing includes understanding the application’s logic
and gathering information using appropriate tools. At the end of this phase, the tester should
understand all the gates or access points of the application.
12) Mention what is the threat you are exposed to if you do not verify authorization of user for
direct references to restricted resources?
You are exposed to threat for insecure direct object references, if you do not verify
authorization of user for direct references to limited or restricted resources.
13) Explain what is OWASP ESAPI?
OWASP ESAPI (Enterprise Security API) is an open source web application security control
library that enables developers to build or write lower risk applications.
14) Mention what is the basic design of OWASP ESAPI?
The basic design of OWASP ESAPI includes
 A set of security control interfaces
 For each security control there is a reference implementation
 For each security control, there are option for the implementation for your own
organization

Q #10) Name the two common techniques used to protect a password file?
Answer: Two common techniques to protect a password file is- hashed passwords and a salt
value or password file access control.
Q #11) List the full names of abbreviations related to Software security?
Answer: Abbreviations related to software security include:
1. IPsec – Internet Protocol Security is a suite of protocols for securing Internet
2. OSI – Open Systems Interconnection
3. ISDN Integrated Services Digital Network
4. GOSIP- Government Open Systems Interconnection Profile
5. FTP – File Transfer Protocol
6. DBA – Dynamic Bandwidth Allocation
7. DDS – Digital Data System
8. DES – Data -Encryption Standard
9. CHAP – Challenge Handshake Authentication Protocol
10. BONDING – Bandwidth On Demand Interoperability Group
 11. SSH – The Secure Shell
12. COPS Common Open Policy Service
13. ISAKMP – Internet Security Association and Key Management Protocol
14. USM – User-based Security Model
15. TLS – The Transport Layer Security
Q #12) What is ISO 17799?
Answer: ISO/IEC 17799 is originally published in the UK and defines best practices for
Information Security Management. It has guidelines for all organizations small or big for
Information security.
Q #13) List down some factors that can cause vulnerabilities?
Answer: Factors causing vulnerabilities are:
1. Design flaws: If there are loopholes in the system that can allow hackers to attack the
system easily.
2. Passwords: If passwords are known to hackers they can get the information very easily.
Password policy should be followed rigorously to minimize the risk of password steal.
3. Complexity: Complex software can open doors on vulnerabilities.
4. Human Error: Human error is a significant source of security vulnerabilities.
5. Management: Poor management of the data can lead to the vulnerabilities in the
system.
Q #15) List down the seven main types of security testing as per Open Source Security Testing
methodology manual?
Answer: The seven main types of security testing as per the Open Source Security Testing
methodology manual are:
 Vulnerability Scanning: Automated software scans a system against known
vulnerabilities.
 Security Scanning: Manual or automated technique to identify network and system
weaknesses.
 Penetration testing: Penetration testing is on the security testing which helps in identifying
vulnerabilities in a system.
 Risk Assessment: It involves the analysis of possible risks in the system. Risks are classified
as Low, Medium and High.
 Security Auditing: Complete inspection of systems and applications to detect
vulnerabilities.
  Ethical hacking: Hacking is done on a system to detect flaws in it rather than personal
benefits.
 Posture Assessment: This combines Security Scanning, Ethical Hacking and Risk
Assessments to show an overall security posture of an organization.
Q #16) What is SOAP and WSDL?
Answer: SOAP or Simple Object Access Protocol is an XML-based protocol through which
applications exchange information over HTTP. XML requests are sent by web services in SOAP
format then a SOAP client sends a SOAP message to the server. The server responds back
again with a SOAP message along with the requested service.
Web Services Description Language (WSDL) is an XML formatted language used by UDDI.
“Web Services Description Language describes Web services and how to access them”.
Q #17) List the parameters that define an SSL session connection?
Answer: The parameters that define an SSL session connection are:
1. Server and client random
2. Server write MACsecret
3. Client write MACsecret
4. Server write key
5. Client write key
6. Initialization vectors
7. Sequence numbers
Q #18) What is file enumeration?
Answer: This kind of attack uses forceful browsing with the URL manipulation attack. Hackers
can manipulate the parameters in URL string and can get the critical data which generally
does not open for the public such as achieved data, old version or data which is under
development.
Q #19) List the benefits that can be provided by an intrusion detection system?
Answer: There are three benefits of an intrusion detection system.
1. NIDS or Network Intrusion Detection
2. NNIDS or Network Node Intrusion Detection System
3. HIDS or Host Intrusion Detection System
Q #20) What is HIDS?
Answer: HIDS or Host Intrusion Detection system is a system in which a snapshot of the existing
system is taken and compared with the previous snapshot. It checks if critical files were
modified or deleted then an alert is generated and sent to the administrator.
Q #21) List down the principal categories of SET participants?
Answer: Following are the participants:
1. Cardholder
2. Merchant
3. Issuer
4. Acquirer
5. Payment gateway
6. Certification authority
Q #22) Explain “URL manipulation”?
Answer: URL manipulation is a type of attack in which hackers manipulate the website URL to
get the critical information. The information is passed in the parameters in the query string via
HTTP GET method between client and server. Hackers can alter the information between these
parameters and get the authentication on the servers and steal the critical data.
In order to avoid this kind of attack security testing of URL manipulation should be done. Testers
themselves can try to manipulate the URL and check for possible attacks and if found they
can prevent these kinds of attacks.
Q #23) What are the three classes of intruders?
Answer: The three classes of intruders are:
1. Masquerader: It can be defined as an individual who is not authorized on the computer
but hacks the system’s access control and get access of authenticated user’s accounts.
2. Misfeasor: In this case, user is authenticated to use the system resources but he misuses
his access to the system.
3. Clandestine user, It can be defined as an individual who hacks the control system of the
system and bypasses the system security system.
Q #24) List the component used in SSL?
Answer: Secure Sockets Layer protocol or SSL is used to make secure connections between
clients and computers.
Below are the component used in SSL:
1. SSL Recorded protocol
2. Handshake protocol
3. Change Cipher Spec
4. Encryption algorithms
Q #25) What is port scanning?
Answer: Ports are the point where information goes in and out of any system. Scanning of the
ports to find out any loopholes in the system is known as Port Scanning. There can be some
weak points in the system to which hackers can attack and get the critical information. These
points should be identified and prevented from any misuse.
Following are the types of port scans:
 Strobe: Scanning of known services.
 UDP: Scanning of open UDP ports
 Vanilla: In this scanning, the scanner attempts to connect to all 65,535 ports.
 Sweep: The scanner connects to the same port on more than one machine.
 Fragmented packets: The scanner sends packet fragments that get through simple
packet filters in a firewall
 Stealth scan: The scanner blocks the scanned computer from recording the port scan
activities.
 FTP bounce: The scanner goes through an FTP server in order to disguise the source of
the scan.
Q #26) What is a Cookie?
Answer: A cookie is a piece of information received from a web server and stored in a web
browser which can be read anytime later. A cookie can contain password information, some
auto-fill information and if any hackers get these details it can be dangerous. Learn here how
to test website cookies.
Q #27) What are the types of Cookies?
Answer: Types of Cookies are:
 Session Cookies – These cookies are temporary and last in that session only.
 Persistent cookies – These cookies stored on the hard disk drive and last till its expiry or
manual removal of it.
Q #28) What is a honeypot?
Answer: Honeypot is a fake computer system that behaves like a real system and attracts
hackers to attack it. Honeypot is used to find out loopholes in the system and to provide a
solution for these kinds of attacks.
Q #29) List the parameters that define an SSL session state?
Answer: The parameters that define an SSL session state are:
1. Session identifier
2. Peer certificate
3. Compression method
 4. Cipher spec
5. Master secret
6. Is resumable
Q #30) Describe the Network Intrusion Detection system?
Answer: Network Intrusion Detection system generally is known as NIDS. It is used for the analysis
of the passing traffic on the entire subnet and to match with the known attacks. If any loophole
identified then the administrator receives an alert.

What is a Trojan Virus?

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software.
Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems.
Users are typically tricked by some form of social engineering into loading and executing
Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you,
steal your sensitive data, and gain backdoor access to your system. These actions can include:
 Deleting data
 Blocking data
 Modifying data
 Copying data
 Disrupting the performance of computers or computer networks
Unlike computer viruses and worms, Trojans are not able to self-replicate.
How Trojans can impact you
Trojans are classified according to the type of actions that they can perform on your
computer:
 Backdoor
A backdoor Trojan gives malicious users remote control over the infected computer.
They enable the author to do anything they wish on the infected computer – including
sending, receiving, launching and deleting files, displaying data and rebooting the
computer. Backdoor Trojans are often used to unite a group of victim computers to form
a botnet or zombie network that can be used for criminal purposes.
 Exploit
Exploits are programs that contain data or code that takes advantage of a vulnerability
within application software that’s running on your computer.
 Rootkit
Rootkits are designed to conceal certain objects or activities in your system. Often their
 main purpose is to prevent malicious programs being detected – in order to extend the
period in which programs can run on an infected computer.
 Trojan-Banker
Trojan-Banker programs are designed to steal your account data for online banking
systems, e-payment systems and credit or debit cards.
 Trojan-DDoS
These programs conduct DoS (Denial of Service) attacks against a targeted web
address. By sending multiple requests – from your computer and several other infected
computers – the attack can overwhelm the target address… leading to a denial of
service.
 Trojan-Downloader
Trojan-Downloaders can download and install new versions of malicious programs onto
your computer – including Trojans and adware.
 Trojan-Dropper
These programs are used by hackers in order to install Trojans and / or viruses – or to
prevent the detection of malicious programs. Not all antivirus programs are capable of
scanning all of the components inside this type of Trojan.
 Trojan-FakeAV
Trojan-FakeAV programs simulate the activity of antivirus software. They are designed to
extort money from you – in return for the detection and removal of threats… even
though the threats that they report are actually non-existent.
 Trojan-GameThief
This type of program steals user account information from online gamers.
 Trojan-IM
Trojan-IM programs steal your logins and passwords for instant messaging programs –
such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager, Skype and many
more.
 Trojan-Ransom
This type of Trojan can modify data on your computer – so that your computer doesn’t
run correctly or you can no longer use specific data. The criminal will only restore your
computer’s performance or unblock your data, after you have paid them the ransom
money that they demand.
 Trojan-SMS
These programs can cost you money – by sending text messages from your mobile
device to premium rate phone numbers.
 Trojan-Spy
Trojan-Spy programs can spy on how you’re using your computer – for example, by
tracking the data you enter via your keyboard, taking screen shots or getting a list of
running applications.
  Trojan-Mailfinder
These programs can harvest email addresses from your computer.
 Other types of Trojans include:
o Trojan-ArcBomb
o Trojan-Clicker
o Trojan-Notifier
o Trojan-Proxy
o Trojan-PSW
How to protect yourself against Trojans
By installing effective anti-malware software, you can defend your devices – including PCs,
laptops, Macs, tablets and smartphones – against Trojans. A rigorous anti-malware solution –
such as Kaspersky Anti-Virus – will detect and prevent Trojan attacks on your PC, while
Kaspersky Mobile Security can deliver world-class virus protection for Android smartphones.
Kaspersky Lab has anti-malware products that defend the following devices against Trojans:
 Windows PCs
 Linux computers
 Apple Macs
 Smartphones
 Tablets

Malware & Computer Virus

The term "malware" — an amalgamation of malicious and software — is now used to describe
any malicious computer program on a computer or mobile device. These programs are
installed without the consent of users and can cause a number of unpleasant effects,
including crippling computer performance, mining your system for personally identifiable
information (PII) and sensitive data, erasing or encrypting data or even hijacking device
operations or computer-controlled hardware. Hackers continuously develop increasingly
sophisticated ways to infiltrate user systems. Like a game of whack-a-mole, as soon as one
threat is neutralized, a replacement evolves, and the next iteration emerges. Let's look at some
of the most common types of malware currently in use.
1. Computer Viruses
What is a computer virus? Computer viruses are a type of malware that earned their name
because of how they spread by "infecting" other files on a disk or computer. Viruses then
spread to other disk drives and machines when the infected files are received in downloads
from websites, email attachments, shared drives or when carried in files on physical media,
such as USB drives or—in the early days—floppy disks.
According to the National Institute of Standards and Technology (NIST), the first computer
virus, a boot sector virus called "Brain," was developed in 1986. Tired of customers pirating
software from their shop, two brothers claim to have designed the virus to infect the boot
sector of software thieves' floppy disks. The virus spread through infected copies of the pirated
software, jumping from the infected floppy disk to the computer hard drive when the program
was booted, or loaded onto the new machine.
2. Worms
Unlike viruses, worms don't require human help in order to infect, self-replicate or propagate.
As soon as they breach a system, they infect their entry point and spread through the device
and across any network to which the device connects. By exploiting network vulnerabilities—
such as missed operating system (OS) updates or application patches, weak email security or
poor internet safety practices—worms can execute, self-replicate and propagate at an
almost exponential rate as each new infection repeats the process. Originally, most worms
simply "ate" system resources and reduced performance. Now, most worms contain malicious
"payloads" designed to steal or delete files upon execution.
3. Adware
One of the most common online nuisances is adware. Adware programs automatically deliver
advertisements to host computers. Familiar examples of adware include pop-up ads on
webpages and advertising messages that are part of the interface of "free" software. While
some adware is relatively harmless, other variants use tracking tools to glean information about
your location or browser history. Most of the time, adware collects information in order to serve
better targeted ads. But sometimes Adware is used for more nefarious purposes including
redirecting search results, displaying op-ups that can’t be closed or link to malware, disabling
antivirus software or even going all the way off the rails into the territory of spyware—see #4.
Technically, adware is installed with people's knowledge and consent. But when was the last
time you read all the way through a several thousand word "Terms of Service" statement? By
clicking the "I Agree" button, you grant consent. Because you have acknowledged and
consented to the terms of service, these programs can't be termed malware. Today’s antivirus
software typically identifies these programs as "potentially unwanted programs" (PUPs).
4. Spyware
Spyware does just what it says. It spies on what you're doing at your computer. It collects data
such as keystrokes, browsing habits, location data and even login information. While adware
might include "repurposing" collected data for sale in the terms of service statement, spyware
is more duplicitous. Spyware is considered malware because users are unaware of it. The only
intent of spyware is malicious. Spyware collects and sells your data to third parties, typically
cyber criminals, with no regard for how the data will be used. Spyware may also modify
specific security settings on your computer or interfere with network connections.
In another example of how the line between adware and spyware can blur, the rise of mobile
computing has seen an explosion of spyware that tracks user behavior across devices and
physical locations without their consent. For example, a free weather app on your smartphone
may have gotten your consent to collect and use your location data, ostensibly to provide
more accurate forecasts. You agreed to the app’s terms of service which include language
enabling to re-use the location as they see fit, so it’s legit. But what happens when that includes
selling your location to data to anyone who can afford it, regardless of whether that an online
store trying to populate banner ads in your browser or a cyber criminal who cross-references
mobile phone user data with other data sources?
5. Ransomware
Ransomware infects your computer, encrypts your PII and other sensitive data such as
personal or work documents and then demands a ransom for their release. If you refuse to
pay, the data is deleted. Some ransomware variants lock out all access to your computer.
Sometimes, they might claim to be the work of legitimate law enforcement agencies and
suggest that you've been caught doing something illegal.
6. Bots
Bots are programs designed to automatically carry out specific operations. Although they
serve many legitimate purposes, they are also a popular type of malware. Once on a
computer, bots can cause the machine to execute specific commands without the user's
approval or knowledge. Hackers may also try to infect multiple computers with the same bot
to create a "botnet"—short for robot network. These zombie botnets give hackers the ability to
remotely manage compromised computers, enabling them to steal sensitive data, to spy on
user activities, to distribute spam automatically or to launch devastating Distributed-Denial-of-
Service (DDoS) attacks on computer networks and websites.
7. Rootkits
Rootkits allow remote access or control of a computer by a third party. These programs are
useful for IT professionals trying to troubleshoot network issues remotely, but they can easily
become nefarious. Once installed on your computer, rootkits allow attackers to take complete
control of your machine to steal data or install additional malware. Rootkits are designed to
go unnoticed and actively hide their presence and that of other malware that they install.
As with most computer viruses and malware, although it’s no guarantee of safety, protecting
your devices from rootkits starts with keeping current on all OS and application updates and
patches to eliminate potential infection routes. Effective detection of rootkits requires real-time
monitoring—not just periodic disk drive scans—for unusual behavior system behavior.
8. Trojan Horses
Commonly called "Trojans," these programs hide in plain sight by masquerading as legitimate
files or software. Once downloaded and installed, Trojans make changes to a computer and
carry out malicious activities, without the knowledge or consent of the victim.
9. Bugs
Bugs—flaws in software code—are not a type of malware, they are errors in software code
that popular vectors for attackers with malicious intent. Bugs can, on and of themselves, have
detrimental effects on your computer, such as freezing, crashing or reducing performance.
Security bugs create holes in a computer or network’s defenses that are especially attractive
to would-be attackers. While better security control on the developer end helps reduce the
number of bugs, bugs are another reason why keeping current on software patches and
system updates is crucial.
Common Computer Virus Myths
 Any computer error message indicates virus infection. Error messages can also be
caused by faulty hardware or software bugs.
 Viruses and worms require user interaction to activate. False. This is actually the primary
difference between viruses and worms. Although viruses do require the activation of
their host file in order to execute, this may be part of an automated process. In contrast,
once a worm has breached a system, it can execute, self-replicate and propagate
freely and with no trigger, human or automated.
 Email attachments from known senders are safe. Viruses and malware often spread by
blast emailing the contacts on an infected computer. Even if you know the sender, don't
open any attachments that you aren't sure about.
 Antivirus programs will stop all threats. While antivirus vendors do their best to stay on
top of malware developments, it's important to run a comprehensive internet security
product that includes technologies specifically designed to proactively block threats.
Even then, of course, there's no such thing as 100 percent security. So, it's important to
adopt safe internet practices to reduce your exposure to attack.
Common Misconceptions About Malware
Malware threats often rely on common misconceptions to create soft targets. By
understanding some of the most widely misunderstood points, simple shifts in behavior can
remove you from the soft target list.
One of the most common misconceptions about malware is the assumption that infection is
obvious. Users often assume they'll know if their computer has been compromised. Typically,
however, the intent of malware is to perform their task(s) for as long as possible. So, malware
doesn't leave a trail to follow, and your system displays no signs of infection. Even malware like
ransomware only makes its presence known after it has encrypted the files, thus completing
its first task, to be ransomed back to the user.
Another common misconception is that all reputable websites are safe. Compromising
legitimate websites with infected code is one of the easiest ways to convince potential victims
to download files or provide sensitive information. This is exactly what happened to
the European Central Bank (ECB) in August of 2019.
Many users believe their personal data—photos, documents and files—have no value for
malware creators. But cyber criminals mine publicly available data, like that on social
networks, to create custom targeted attacks on individuals or to gather intelligence for spear
phishing emails popular for accessing the networks and assets of large, otherwise secure
organizations.
Methods of Malware and Virus Infection and Spread
So how does your computer become infected by computer viruses or malware? There are
many common approaches, but the following are some of the most popular methods owing
to their efficacy and simplicity:
 Downloading infected files as email attachments, from websites or through filesharing
activities
 Clicking on links to malicious websites in emails, messaging apps or social network posts
 Visiting compromised websites, aka drive-by downloads, viruses can be hidden in HTML,
thus downloading when the webpage loads in your browser
 Connecting your device to infected external hard drives or network drives
 Operating system and application vulnerabilities provide security loopholes, backdoors
and other exploits
 Social engineering attacks, such as phishing scams, trick victims into providing sensitive
information or access to personal and work systems through customized attacks that
often masquerade as legitimate organizations reporting fake emergencies to push
victims to act quickly and without question
 Connected peripherals, smart devices and Internet-of-Things (IoT) devices can act as
vectors, or access points, or they can be hijacked and controlled remotely by the
hacker
Confidential data, such as passwords, are a key target of cyber criminals. In addition to using
malware to capture passwords, cyber criminals also collect login details from hacked websites
and devices, even physical means like peering over your shoulder in a crowded cafe. That's
why it's so important to use a unique and complex password for each online account. This
means 15 character or more and including letters, numbers and special characters.
The easiest way to do this is through a password manager tool that generates random
passwords, stores them securely and obtains validation/permission prior to entering the stored
credentials while masking the characters. Because so many people re-use passwords,
password tools ensure that one compromised account does not cascade through your entire
digital ecosystem. Also, remember that many security verification questions are ineffective.
For example, if the question is "What's your favorite food?" and you're in the United States,
"Pizza" is a common answer.
Signs of Malware and Computer Virus Infections
While most malware leaves no telltale signs and leaves your computer operating normally,
sometimes there can be indications that you might be infected. Reduced performance tops
the list. This includes slow-running processes, windows that take longer to load than usual and
seemingly random programs running in the background. You may also notice that internet
homepages have been changed in your browser, or that pop-up ads are occurring more
frequently than usual. In some cases, malware can also impact more basic computer
functions: Windows m--ay not open at all, and you may be unable to connect to the internet
or access higher-level system control functions.
If you suspect that your computer might be infected, scan your system immediately. If nothing
is found, but you're still in doubt, get a second opinion by running an alternative antivirus
scanner. Check out these free tools: Free Cloud Anti-Virus Software and Free Ransomware
Protection & Decryption Tools
Ideally, you want to prevent an attack, not discover it. While you should scan your device as
soon as you suspect something amiss, your best defense is a comprehensive internet security
solution that includes real-time scanning and monitoring of disk drives, files and activities as
well as real-time updates on web threats provided by a team of experienced cyber
security professionals. This includes monitoring instant messaging services, scanning email
attachments, providing a firewall and so much more than scheduled scans and periodic
updates. Effective antivirus and cyber security software should be able to work and
coordinate between all your devices—how else can they protect you from viruses and
malware that do the same?

What is Adware
Adware can be perfectly safe for users and a valid business practice for software developers.
However, some adware is highly manipulative and creates an open door for malicious
programs. To avoid viruses, spyware, and other threats, you’ll have to know which types of
adware are bad and how to keep it off your devices.
In this article, we’ll cover how malicious adware can impact the security of your computer.
As we dive in, we’ll cover some common questions you might have:
 What is the definition of adware?
 What does adware do?
 What is an adware virus and is adware a virus?
 How do I remove adware from my phone or computer?
 What can I do to protect myself from adware?
Let’s begin by going over the definition of adware.
What is Adware?
Adware is also known as advertisement-supported software. Creators of adware include
advertisements or help distribute other software to earn money.
In many cases, ads may be within the software itself. Alternatively, the adware may
encourage you to install additional software provided by third-party sponsors.
Adware programs exist across all computers and mobile devices. Most of these are perfectly
safe and legitimate, but some might have dark motives that you are unaware of.
You might opt to download adware if you want:
 Free computer programs or mobile apps.
 Personalized ads tailored to your wants and needs.
  To try the software that comes bundled.
Adware creators and distributing vendors make money from third-parties via either:
 Pay-per-click (PPC) — they get paid each time you open an ad.
 Pay-per-view (PPV) — they get paid each time an ad is shown to you.
 Pay-per-install (PPI) — they get paid each time bundled software is installed on a device.
The sponsoring third-parties benefit from adware by:
 Gaining more users for their software.
 Showing their products or services to more potential customers.
 Collecting data about you to create more effective custom marketing adverts.
Together, this is what makes adware profitable and beneficial for you and all people involved.
By definition, adware is not inherently malicious. However, the intentions of the paying
advertiser, a secondary paying distributor, or the creator may be less safe. Plus, it can be a
gateway for malicious acts, like malware infection or spying on your digital habits.
Adware vs Malware vs Spyware
Adware can sometimes be incorrectly labeled as malware or spyware. Cybersecurity
companies don't label all adware as a threat because some are perfectly safe and reputable.
However, some adware does pose a risk that can introduce a threat to your devices. When
you’re discussing adware, you might wonder “what is the difference between malware and
adware,” or “what is adware and spyware?”
Malware is malicious software designed to disrupt, corrupt, or steal information from computer
devices. This includes threats like viruses, spyware, ransomware, and other malicious code.
Spyware is a type of malware that acts as a window to monitor your device without your
permission.
Adware is not in itself malware, however, it may be equally unwanted in some cases. It can
sometimes assist in the delivery of malware, which may often include spyware. Adware can
just as easily be harmless and respectful, whereas others might be invasive and irritating.
Types of Adware
To further define ad-supported software, we must separate harmless and harmful adware.
Legitimate adware allows you to consent to ads and software promos, offsetting costs to offer
their software for free. You and others willingly download this type of adware to get a free
product. Also, you might choose to allow it to collect marketing info. Sometimes the
accompanying personalized ads or sponsored third-party software can be desirable.
Adware developed by legitimate means is created by all types of developers — even highly
reputable ones. It’s a valid, legal, and ethical way to give customers a free product.
However, not all application downloads are consensual. This is where legal lines come into
play.
Potentially unwanted applications (PUAs) include any program you might not have chosen to
install onto your device. These may also be called potentially unwanted programs (PUPs).
PUA adware may be in a moral grey area or fully malicious and illegal. It depends on the goals
of the software and those who distribute it.
 Legal deceptive adware PUA may actively make it tricky to opt-out of installing harmless
third-party software. While frustrating, legitimate adware sometimes uses this method. It
is legal if the creator has not knowingly included malware-tainted ads or software.
Unfortunately, some adware might unknowingly deliver disguised malware to devices.
 Legal abusive adware PUA is designed to bombard you with ads to abuse sponsorship
payouts. Excessive ads may be in adware itself, or in packaged software via web
browser toolbars or other means. Without any malware, this is also legal at your expense.
Ads for things like pornography or fitness pills appear frequently in adware like this.
 Illegal malicious adware PUA profits from malicious third-parties who want to distribute
malicious software like spyware, viruses, or other malware onto devices. This malware
may be intentionally masked within the adware itself, the websites it advertises, or in
accompanying software. The creators and distributors knowingly spread this threat and
might use abusive methods to accomplish it.
When we talk about “adware,” we usually refer to these PUA types. The programs that abuse
ads and open the door for malware are the threats you’ll want to avoid most of all.
To be clear, adware PUA is illegal if there is:
 Lack of consent. It installs programs and collects information, without your permission.
 Presence of malware. It is used as a vehicle to deliver the actual malware payload.
Adware PUA can be frustrating regardless of legality and can easily go undetected for a long
time. To avoid any invasive or tedious software, you should know what to look for.
How Adware PUA can impact you
The above adware definition means that other than causing malvertising — displaying
advertisements and collecting data — adware PUA doesn’t generally make its presence
known.
Usually, there will be no signs of unwanted programs in your computer’s system tray, and no
indication in your program menu that files have been installed on your machine.
Adware PUA can infect any of your devices, including computers and mobile platforms.
There are two main ways in which Adware can get onto your devices:
 Via freeware or shareware. Adware can be included within some freeware or
shareware programs – as a legitimate way of generating advertising revenues. This helps
to fund the development and distribution of the freeware or shareware program.
  Infected websites. If you visit an infected website, it can result in an unauthorized install
of Adware on your machine. Hacker technologies are often used.
Once it is on your device, it may cause performance issues and compromise your privacy.
How to identify symptoms of an adware PUA infection
While there may be many ways in which an adware infection can cause you problems, there
are some common ones.
One major indicator of an adware infection is that you may have asked yourself, “how do I
stop commercials on my computer?" Other symptoms of adware PUA include the following:
 An unexpected change in web browser home page.
 Overwhelmed with popup ads — sometimes even if not browsing the Internet.
 Slow performance.
 Device crashing.
 Reduced internet speeds.
 Redirected internet searches.
 Random appearance of a new toolbar or browser add-on.
These adware symptoms indicate some common examples of adware PUA infections.
 Browser hijack: Displays advertisements on your device’s web browser. It may also
redirect your search requests to advertising websites. For instance, your computer can
be penetrated via a browser vulnerability, leaving an open door for stealth installation
via Trojans.
 Trojan spyware: Collects data on your activities and does not notify you that it is
gathering information. It may collect marketing-type data about you — for example,
the types of websites that you visit. In worse cases, it may steal sensitive data like your
email account logins, credit card number, or other valuable information.
Adware PUA has gotten more aggressive in recent years. We’ve seen some software embed
itself deep into systems with rootkits to make removal challenging.
If you’re infected, you’ll need to take steps to clean your system of the offending applications.
Detecting and removing Adware and other PUAs
Adware PUA removal will help fix adware problems like obnoxious popups and hidden
spyware.
Manual removal does not guarantee you’ll find all the components. For a reliable solution,
cybersecurity software will assist you in cleaning anything you wouldn’t find on your own.
To break it down, you’ll need to detect and take action on each of the following issues:
  Adware: Legitimate ad-supported software may be fine to keep — as long as it
operates with your consent. Adware or third-party software becomes PUA when it was
either installed without your knowledge or does things you wouldn’t like it to do.
 Adware PUA: Adware and sponsored third-party software can be obnoxious at best,
and a gateway for actual malware at worst. Either way, you’ll likely want to remove
these.
 Malware infections: Malicious programs may have already infiltrated your system. You’ll
need to remove these to stop the immediate threats to your privacy.
Installing a product that has “anti-adware” abilities will be your first step. Software suites
like Kaspersky Internet Security offer system scanning and removal of adware and other
threats.
Checking that your security software’s adware detection settings are active is your next step.
Your security software might not detect and remove adware by default. As we mentioned
earlier, many reputable software programs are ad-supported to offer their software for free.
Often, legitimate adware programs do not have any uninstall procedures of adware
components. Some can use technologies that are similar to those used by viruses to penetrate
your computer and run unnoticed. This again is not inherently malicious, as the ads are part of
your agreement for getting free software.

What is social engineering

Social engineering is the term used for a broad range of malicious activities accomplished
through human interactions. It uses psychological manipulation to trick users into making
security mistakes or giving away sensitive information.
Social engineering attacks happen in one or more steps. A perpetrator first investigates the
intended victim to gather necessary background information, such as potential points of entry
and weak security protocols, needed to proceed with the attack. Then, the attacker moves
to gain the victim’s trust and provide stimuli for subsequent actions that break security
practices, such as revealing sensitive information or granting access to critical resources.
What makes social engineering especially dangerous is that it relies on human error, rather
than vulnerabilities in software and operating systems. Mistakes made by legitimate users are
much less predictable, making them harder to identify and thwart than a malware-based
intrusion.
Social engineering attack techniques
Social engineering attacks come in many different forms and can be performed anywhere
where human interaction is involved. The following are the five most common forms of digital
social engineering assaults.
Baiting
As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity.
They lure users into a trap that steals their personal information or inflicts their systems with
malware.
The most reviled form of baiting uses physical media to disperse malware. For example,
attackers leave the bait—typically malware-infected flash drives—in conspicuous areas where
potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a
targeted company). The bait has an authentic look to it, such as a label presenting it as the
company’s payroll list.
Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in
automatic malware installation on the system.
Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of
baiting consist of enticing ads that lead to malicious sites or that encourage users to download
a malware-infected application.
Scareware
Scareware involves victims being bombarded with false alarms and fictitious threats. Users are
deceived to think their system is infected with malware, prompting them to install software that
has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also
referred to as deception software, rogue scanner software and fraudware.
A common scareware example is the legitimate-looking popup banners appearing in your
browser while surfing the web, displaying such text such as, “Your computer may be infected
with harmful spyware programs.” It either offers to install the tool (often malware-infected) for
you, or will direct you to a malicious site where your computer becomes infected.
Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for
users to buy worthless/harmful services.
Pretexting
Here an attacker obtains information through a series of cleverly crafted lies. The scam is often
initiated by a perpetrator pretending to need sensitive information from a victim so as to
perform a critical task.
The attacker usually starts by establishing trust with their victim by impersonating co-workers,
police, bank and tax officials, or other persons who have right-to-know authority. The pretexter
asks questions that are ostensibly required to confirm the victim’s identity, through which they
gather important personal data.
All sorts of pertinent information and records is gathered using this scam, such as social security
numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank
records and even security information related to a physical plant.
Phishing
As one of the most popular social engineering attack types, phishing scams are email and text
message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then
prods them into revealing sensitive information, clicking on links to malicious websites, or
opening attachments that contain malware.
An example is an email sent to users of an online service that alerts them of a policy violation
requiring immediate action on their part, such as a required password change. It includes a
link to an illegitimate website—nearly identical in appearance to its legitimate version—
prompting the unsuspecting user to enter their current credentials and new password. Upon
form submittal the information is sent to the attacker.
Given that identical, or near-identical, messages are sent to all users in phishing campaigns,
detecting and blocking them are much easier for mail servers having access to threat sharing
platforms.
Spear phishing
This is a more targeted version of the phishing scam whereby an attacker chooses specific
individuals or enterprises. They then tailor their messages based on characteristics, job
positions, and contacts belonging to their victims to make their attack less conspicuous. Spear
phishing requires much more effort on behalf of the perpetrator and may take weeks and
months to pull off. They’re much harder to detect and have better success rates if done
skillfully.
A spear phishing scenario might involve an attacker who, in impersonating an organization’s
IT consultant, sends an email to one or more employees. It’s worded and signed exactly as
the consultant normally does, thereby deceiving recipients into thinking it’s an authentic
message. The message prompts recipients to change their password and provides them with
a link that redirects them to a malicious page where the attacker now captures their
credentials.
Social engineering prevention
Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes
and draw victims into their traps. Therefore, be wary whenever you feel alarmed by an email,
attracted to an offer displayed on a website, or when you come across stray digital media
lying about. Being alert can help you protect yourself against most social engineering attacks
taking place in the digital realm.
Moreover, the following tips can help improve your vigilance in relation to social engineering
hacks.
 Don’t open emails and attachments from suspicious sources – If you don’t know the
sender in question, you don’t need to answer an email. Even if you do know them and
are suspicious about their message, cross-check and confirm the news from other
sources, such as via telephone or directly from a service provider’s site. Remember that
email addresses are spoofed all of the time; even an email purportedly coming from a
trusted source may have actually been initiated by an attacker.
 Use multifactor authentication – One of the most valuable pieces of information
attackers seek are user credentials. Using multifactor authentication helps ensure your
account’s protection in the event of system compromise. Imperva Login Protect is an
easy-to-deploy 2FA solution that can increase account security for your applications.
 Be wary of tempting offers – If an offer sounds too enticing, think twice before accepting
it as fact. Googling the topic can help you quickly determine whether you’re dealing
with a legitimate offer or a trap.
 Keep your antivirus/antimalware software updated – Make sure automatic updates are
engaged, or make it a habit to download the latest signatures first thing each day.
Periodically check to make sure that the updates have been applied, and scan your
system for possible infections.

Question 1: Explain the SOC team architecture?

Answer: The SOC team consists of different levels. The following diagram exhibits a traditional
SOC team hierarchy.
Nowadays, there are additional job roles included in the SOC team hierarchy. These job roles
are as follows:
 Threat intelligence
 Threat hunter
 Incident handler
 Digital forensic investigator
 Red team specialist
 Incident response automation Engineer
Question 2: What are the responsibilities of L1 and L2 Security analyst?
Answer: Responsibilities of L1 security analyst:
 Monitoring security incidents 24/7 from various SOC entry channels (SIEM, e-mail, firewall,
IDS, IPS)
 Analysis of the triggered security incidents
 Raising tickets for validated incidents
 Formulate remediation strategies with the incident response team
 Helping L2 security analyst and SOC Lead in preparing reports
Responsibilities of L2 security analyst
 A detailed evaluation of escalated alerts
 Helping L1 security analyst in the assessment of alerts
 Troubleshooting the issues with SIEM
 Assisting in the remediation planning after a security incident has occurred
(The interviewer may ask this question to check the awareness of a candidate about the job
responsibilities)
Question 3: Why are the advantages of having a SOC team?
Answer: The following are the advantages of having a SOC team in an organization:
  SOC team provides continuous monitoring and analysis of security events. Therefore it
helps in detecting intrusion and prevent any potential attacks.
 The approach of the SOC team is proactive rather than being reactive.
 The SOC team also ensures that the organization stays compliant with the existing
regulations or policies.
 The SOC team provides a complete overview of the organization’s security posture by
correlating all the events taking place over the network.
 With the expertise of a SOC team, an organization can respond quickly to external
threats and security incidents.
Question 4: What is the three-way handshake?
Answer: A three-way handshake (also known as TCP-3way handshake) is a mechanism to
establish a connection between the client and server over a TCP/IP network. In this
mechanism, the client and server send each other the synchronization and acknowledgment
packets before an actual data transmission occurs.
Three-way handshake mechanism: In this mechanism, the client sends an SYN TCP packet to
the server asking for a connection (synchronizing) request and a sequence number. The server
responds with the SYN/ACK packet, acknowledging the connection request and assigning a
sequence number. The client again sends an ACK packet to accept the response of the
server.
Question 5: What documents do you create in SOC?
Answer: SOC team creates the following documents:
 Log source onboarding
 Log source decommissioning
 Threat intelligence gathering procedures
 Threat hunting methodologies
 New use case development procedures
 Data configuration backup procedures
Question 6: What is data leakage? Explain in your own words.
Answer: Data leakage refers to the exposure or transmission of an organization’s sensitive data
to the external recipient. The data may be transmitted or exposed via the internet or by
physical means.
The following factors can be responsible for data leakage:
 Most of the data losses are accidental. For example, an employee may unintentionally
be transmitting information to the wrong recipient.
 Disgruntled employees
  Insecure backup storage
 System breach by a hacker
 Systems not properly configured
 Inappropriate security control measures
Question 7: List the steps to develop the Data Loss Prevention (DLP) strategy?
Answer: The steps to develop and implement a DLP strategy are as follows:
Step1: prioritizing the critical data assets
Step2: categorizing the data based on its source
Step3: analyzing which data is more prone to the risks
Step4: monitor the transmission of the data
Step5: developing control measures to mitigate the data leakage risk
Question 8: What is the difference between TCP and UDP?
Answer: The difference between TCP and UDP is as follows:

TCP(Transfer Layer Protocol) UDP(User Datagram Protocol)

TCP is a connection-oriented protocol. UDP is a datagram oriented protocol.

TCP is reliable as it guarantees the delivery UDP is not reliable as it does not guarantees
of data packets to the destination. the delivery of data packets to the
destination.

TCP Provides a thorough error checking UDP provides a basic error checking
mechanism. mechanism.

TCP is heavyweight. UDP is lightweight.

TCP is slower as compared to UDP UDP IS faster than TCP

 Failed data packets are retransmitted in In UDP, there is no re-transmission for failed
TCP. data packets.

Example: HTTP, SSH, HTTPS, SMTP Example: TFTP, VoIP, online multiplayer
games

Question 9: What is the difference between firewall deny and drop?

Answer: DENY RULE: If the firewall is set to deny rule, it will block the connection and send a
reset packet back to the requester. The requester will know that the firewall is deployed.
DROP RULE: If the firewall is set to drop rule, it will block the connection request without notifying
the requester.
It is best to set the firewall to deny the outgoing traffic and drop the incoming traffic so that
attacker will not know whether the firewall is deployed or not.
Question 10: Explain different SOC models?
Answer: There are three types of models in SOC:
 In-house model: In this SOC model organization has its security operation center. All the
resources, technologies, and processes are managed within the organization.
 MSSP (Managed security service provider): In MSSP, a security service provider team
helps the organization monitor and manage the security incidents.
o Dedicated MSSP: In the dedicated MSSP, the team works for a client using its
technology and resources.
o Shared MSSP: In the shared MSSP team of services providers, use his technology
and logs, and security incidents are managed at its data center.
 Hybrid SOC model: It is the blend of in-house and MSSP SOC models. In the hybrid SOC
model, level-1 monitoring is managed by MSSP, and level-2 monitoring is run by the
organization (client) itself.
Question 11: What is the Runbook in SOC?
Answer: A runbook, also known as a standard operating procedure (SOP), consists of a set of
guidelines to handle security incidents and alerts in the Security Operation Centre. The L1
security analyst generally uses it for better assessment and documentation of the security
events.
Question 12: What is the difference between the Red Team and the Blue Team?
Answer: The red team and blue team consist of highly skilled cybersecurity professionals. Both
teams play an important role in strengthening the security posture of an organization.
Red Team: The red team plays an offensive role. The team conducts rigorous exercises to
penetrate the security infrastructure and identify the exploitable vulnerabilities in it. The red
team is generally hired by the organization to test the defenses.
Blue Team: The blue team plays a defensive role. The blue team’s role is to defend the
organization’s security infrastructure by detecting the intrusion. The members of a blue team
are internal security professionals of the organization.
Question 13: Define a Phishing attack and how to prevent it?
Answer: Phishing is a type of social engineering attack in which an attacker obtains sensitive
information from the target by creating urgency, using threats, impersonation, and incentives.
Spear phishing, e-mail spam, session hijacking, smishing, and vishing are types of phishing
attacks.
ways to prevent a phishing attack:
 Raising awareness about phishing attack among employees
 Conducting testing campaigns to check the awareness of the employees
 Implementing two-factor authentication
 Monitoring the behavior of employees
 Applying e-mail filters to identify spams
Question 14: What is the Cross-Site Scripting (XSS) attack, and how to prevent it?
Answer: Cross-site Scripting: In the cross-site scripting attack, the attacker executes the
malicious scripts on a web page and can steal the user’s sensitive information. With XSS
vulnerability, the attacker can inject Trojan, read out user information, and perform specific
actions such as the website’s defacement.
Countermeasures:
 Encoding the output
 Applying filters at the point where input is received
 Using appropriate response headers
 Enabling content security policy
 Escaping untrusted characters
Question 15: Explain the SQL injection vulnerability and give countermeasures to prevent it?
Answer: SQL Injection: SQL injection is a famous vulnerability in the web application that allows
hackers to interfere in communication taking place between a web application and its
database. Hackers inject malicious input into the SQL statement to compromise the SQL
database. They can retrieve, alter, or modify the data. In some cases, it allows attackers to
perform DDOS attacks.
Countermeasures:
  Using parameterized queries
 Validating the inputs
 Creating stored procedures
 Deploying a web application firewall
 Escaping untrusted characters
Question 16: Difference between hashing and Encryption?
Answer: The difference between hashing and Encryption is as follows:

Hashing Encryption

Conversion of data into a fixed-length of Conversion of data into an unreadable

unreadable strings using algorithms string using cryptographic keys

Hashed data can not be reverted back into Encrypted data can be decrypted back
readable strings into readable strings

The length of the hashed string is fixed The length of the encrypted string is not fixed

No keys are used in hashing Keys are used in Encryption

Question 17: What are the SOC implementation stages?

Answer: Following are the stages in the SOC implementation:
Question 18: What is the difference between SIEM and IDS?
Answer: SIEM (Security incident and event management system) and IDS (Intrusion detection
system) are used by the organizations to protect the network and systems efficiently. Both
collect the log data, but unlike SIEM, IDS does not facilitate event correlation and
centralization of log data. Therefore, IDS can only detect intrusions. The SIEM allows security
analysts to take security measures and preventive actions against a possible or ongoing
attack.
Question 19: Being a SOC analyst, What will you do if you found 300 alerts triggered at once?
Answer: If multiple alerts trigger at the same time, there could be the following three
possibilities:
A single alert may have triggered more than once: If a single alert triggers more than once, I
will distinguish the duplicate alerts.
If the alerts are different: I will prioritize them and chose the one having a higher impact.
If the alerts are for a new correlation rule: Then alerts may be misconfigured. I will inform the
SIEM Engineer.
(These types of questions are asked by the interviewer to check the practical or applied
knowledge of the candidates)
Question 20: What is DNS? Why is DNS monitoring essential?
Answer: The domain name system is a distributed database over the internet that enables
converting user-friendly hostnames into computer-friendly IP addresses. It is known as the
phonebook of the internet.
DNS plays a vital role in how an end-user in an organization connects to the internet. Whenever
a client establishes a connection with a domain, its information is stored in DNS logs. DNS
monitoring can disclose information such as websites visited by the employee, malicious
domain accessed by an end-user, malware connecting to Command & Control server. It can
help in identifying and thwarting cyberattacks.
Wrap up
These were the frequently asked SOC analyst interview questions that might help you get an
opportunity to be a SOC team member. The interview questions may vary depending upon
the organization. Be prepared for the questions regarding your background and the
technologies you have worked on in your previous organization. Just like any other interview,
Confidence, and good communication skills are key to success.

Q3) What is the difference between Threat, Vulnerability, and Risk?

Threat: Someone with the potential to cause harm by damaging or destroying the official data
to a system or organization.
Ex: Phishing attack
Vulnerability: It refers to weaknesses in a system that makes threat outcomes more possible
and even more dangerous.
Ex: SQL injections, cross-site scripting
Risk: It refers to a combination of threat probability and impact/loss. In simple terms, it is related
to potential damage or loss when threat exploits the vulnerability.
Q4) What is Cross-Site Scripting and how it can be prevented?
Ans. Cross-Site Scripting is also known as a client-side injection attack, which aims at executing
malicious scripts on a victim’s web browser by injecting malicious code.
The following practices can prevent Cross-Site Scripting:
  Encoding special characters
 Using XSS HTML Filter
 Validating user inputs
 Using Anti-XSS services/tools
Q6) What is a Botnet?
A Botnet is a group of internet-connected devices such as servers, PCs, mobile devices, etc.,
that are affected and controlled by malware.
It is used for stealing data, sending spam, performing distributed denial-of-service attack
(DDoS attack), and more, and also to enable the user to access the device and its
connection.
Q10) What is two-factor authentication and how it can be implemented for public websites?
 Tw0-factor authentication is also referred to as dual-factor authentication or two-step
verification where the user provides two authentication factors for protecting both user
credentials and resources while accessing.
 The two-factor authentication can be implemented on public websites such as Twitter,
Microsoft, LinkedIn, and more for enabling another protection on your already protected
account with a password.
 For enabling this double factor authentication, you can easily go to settings and then
manage security settings.
Q11) What is the use of a firewall and how it can be implemented?
A firewall is a security system used to control and monitor network traffic. It is used for
protecting the system/network from malware, viruses, worms, etc., and secures unauthorized
access from a private network.
The steps required to set up and configure the firewall are listed below:
 Change the default password for a firewall device.
 Disable the remote administration feature.
 Configure port forwarding for specific applications to function correctly, such as an FTP
server or a web server.
 Firewall installation on a network with an existing DHCP server can cause errors unless its
firewall’s DHCP is disabled.
 Make sure the firewall is configured to robust security policies.
Q13) What is the difference between stored and reflected XSS?
Stored XSS Attacks - The attacks where the injected scripts are stored on the target servers
permanently. In this, the victim retrieves the malicious script from the server when requests the
stored information.
Reflected XSS Attacks - In this, the user has to send the request first, then it will start running on
the victim’s browser and reflects results from the browser to the user who sent the request.
Q14) What is a three-way handshake process?
A three-way handshake process is used in TCP (Transmission Control Protocol) network for
transmission of data in a reliable way between the host and the client.
It’s called a three-way handshake because three segments are exchanged between the
server and the client.
SYN: The client wants to establish a connection with the server, and sends a segment with
SYN(Synchronize Sequence Number) to the server if the server is up and has open ports.
SYN + ACK: The server responds to the client request with SYN-ACK signal bits set if it has open
ports.
ACK: The client acknowledges the response of a server and sends an ACK(Acknowledgment)
packet back to the server.
Q17) List the common types of cybersecurity attacks.
The following are the most common types of cybersecurity attacks:
 Malware
 SQL Injection Attack
 Cross-Site Scripting (XSS)
 Denial-of-Service (DoS)
 Man-in-the-Middle Attacks
 Credential Reuse
 Phishing
 Session Hijacking
Q18) Define data leakage and its types?
Data Leakage refers to the illegal transmission of data to an external destination or
unauthorized entity within an organization. It can transfer data either physically or
electronically. It usually occurs via the web, emails, and mobile data storage devices.
Types of data leakage:
1. The Accidental Breach - Majority of data leakage incidents are accidental.
Ex: An entity may choose the wrong recipient while sending confidential data.
2. The Disgruntled or ill-intentioned Employee - The authorized entity sends confidential data
to an unauthorized body.
3. Electronic Communications with Malicious Intent - The problem is all the electronic mediums
are capable of file transferring and external access sources over the internet.
Q20) How to prevent CSRF attacks?
CSRF is referred to as Cross-site Request Forgery, where an attacker tricks a victim into
performing actions on their behalf.
CSRF attacks can be prevented by using the following ways:
 Employing the latest antivirus software which helps in blocking malicious scripts.
 While authenticating to your banking site or performing any financial transactions on any
other website do not browse other sites or open any emails, which helps in executing
malicious scripts while being authenticated to a financial site.
 Never save your login/password within your browser for financial transactions.
 Disable scripting in your browser.
Q21) What is port scanning?
A port scanning is an application designed for identifying open ports and services accessible
on a host network. Security administrators mostly utilize it for exploiting vulnerabilities, and also
by hackers for targeting victims.
Some of the most popular port scanning techniques are listed below:
 Ping scan
 TCP connect
 TCP half-open
 Stealth scanning – NULL, FIN, X-MAS
 UDP
Q22) What is the need for DNS monitoring?
DNS (Domain Name System) is a service that is used for converting user-friendly domain names
into a computer-friendly IP address. It allows websites under a particular domain name which
is easy to remember.
DNS monitoring is nothing but monitoring DNS records to ensure does it route traffic properly
to your website, electronic communication, services, and more.
Q23) What is the difference between hashing and salting?
 Hashing is majorly used for authentication and is a one-way function where data is planned
to a fixed-length value.
 Salting is an extra step for hashing, where it adds additional value to passwords that
change the hash value created.
Q24) How to prevent ‘Man-in-the-Middle Attack’?
The following practices prevent the ‘Man-in-the-Middle Attacks’:
Have a stronger WAP/WEP Encryption on wireless access points avoids unauthorized users.
Use a VPN for a secure environment to protect sensitive information. It uses key-based
encryption.
Public key pair based authentication must be used in various layers of a stack for ensuring
whether you are communicating the right things are not.
HTTPS must be employed for securely communicating over HTTP through the public-private key
exchange.
Q25) What are the common methods of authentication for network security?
Biometrics - It is a known and registered physical attributes of a user specifically used for
verifying their identity.
Token - A token is used for accessing systems. It makes more difficult for hackers to access
accounts as they have long credentials.
Transaction Authentication - A one time pin or password is used in processing online
transactions through which they verify their identity.
Multi-Factor Authentication - It’s a security system that needs more than one method of
authentication.
Out-of-Band Authentication - This authentication needs two different signals from two different
channels or networks. It prevents most of the attacks from hacking and identity thefts in online
banking.
Q26) Which is more secure SSL or HTTPS?
 SSL (Secure Sockets Layer) is a secure protocol which provides safer conversations between
two or more parties across the internet. It works on top of the HTTP to provide security.
 HTTPS (Hypertext Transfer Protocol Secure) is a combination of HTTP and SSL to provide a
safer browsing experience with encryption.
In terms of security, SSL is more secure than HTTPS.
Q33) What do you understand by compliance in Cybersecurity?
Compliance means living by a set of standards set by organization/government/independent
party.
It helps in defining and achieving IT targets and also in mitigating threats through processes
like vulnerability management.
Q34) What is the use of Patch Management?
The purpose of patch management is to keep updating various systems in a network and
protect them against malware and hacking attacks.
Many enterprise patch management tools manage the patching process by installing or
deploying agents on a target computer, and they provide a link between centralized patch
servers and computers to be patched.
Q35) What is the difference between a false positive and false negative in IDS?
A false positive is considered to be a false alarm and false negative is considered to be the
most complicated state.
A false positive occurs when an IDS fires an alarm for legitimate network activity.
A false negative occurs when IDS fails to identify malicious network traffic.
Compared to both, a false positive is more acceptable than false-negative as they lead to
intrusions without getting noticed.
Q37) Explain System hardening?
Generally, system hardening refers to a combination of tools and techniques for controlling
vulnerabilities in systems, applications, firmware, and more in an organization.
The purpose of system hardening is to decrease the security risks by reducing the potential
attacks and condensing the system’s attack surface.
The following are the various types of system hardening:
 Database hardening
 Operating system hardening
 Application hardening
 Server hardening
 Network hardening
Q38) What is a cybersecurity risk assessment?
A cybersecurity risk assessment refers to detecting the information assets that are prone to
cyber-attacks(including customer data, hardware, laptop, etc.) and also evaluates various
risks that could affect those assets.
 It is mostly performed to identify, evaluate, and prioritize risks across organizations.
 The best way to perform cybersecurity risk assessment is to detect:
 Relevant threats in your organization
 Internal and external vulnerabilities
 Evaluate vulnerabilities impact if they are exploited
Q41) What is the use of Address Resolution Protocol (ARP)?
ARP is a protocol specifically used to map IP network addresses to physical addresses, such as
Ethernet addresses.
It translates 32-bits addresses to 48-bits addresses and vice versa. This is needed because the
most common level of internet protocol(IP) we use today is 32-bits long and MAC addresses
are 48-bits long.
Q42) How to protect data in transit Vs rest?

Description Data in Transit Data in Rest

Definition of data Here data moves actively from Here data is not transferred from
one location to another across one location to another as data
the internet or private network. is stored on hard drives, flash
drive, etc.

Encryption in data protection It encrypts sensitive data before It encrypts sensitive files before
sending or using encrypted storing or choosing the
connections(SSL, HTTPS, TLS, encrypted storage drive itself.
etc.)
Q43) What are the several indicators of compromise(IOC) that organizations should monitor?
The key indicators of compromise that organizations should monitor are listed below:
 Unusual Outbound Network Traffic
 HTML Response Sizes
 Geographical Irregularities
 Increases in Database Read Volume
 Log-In Red Flags
 Unexpected Patching of Systems
 Large Numbers of Requests for the Same File
 Web Traffic with Unhuman Behavior
 Suspicious Registry or System File Changes
 Unusual DNS Requests
 Mobile Device Profile Changes
 Bundles of Data in the Wrong Place
 Mismatched Port-Application Traffic
 Signs of DDoS Activity
 Anomalies in Privileged User Account Activity
Q44) What is Remote Desktop Protocol (RDP)?
RDP (Remote Desktop Protocol) is a Microsoft protocol specifically designed for application
data transfer security and encryption between client devices, users, and a virtual network
server.
It allows administrators to remotely evaluate and resolve issues individual subscribers
encounter.
It supports up to 64,000 separate data channels with a provision for multipoint transmission.
Q45) What is the difference between Diffie Hellman and RSA?
Diffie-Helman: It’s a key exchange protocol where two parties exchange a shared key that
either one can use to encrypt/decrypt messages between them.
RSA: It’s asymmetric key encryption where it has two different keys. The public key can be
given to anyone and decrypted with another, which is kept private.
Q46) What is Forward Secrecy and how does it work?
Forward secrecy is a feature of specific key agreement protocols which gives assurance that
even if the private key of the server is compromised the session keys will not be compromised.
It is also known as perfect forward secrecy(PFS).
The Algorithm that helps in achieving this is called "Diffie–Hellman key exchange".
Q47) What is an active reconnaissance?
Active reconnaissance is a kind of computer attack where intruder engages the target system
for collecting the data about vulnerabilities.
The attackers mostly use port scanning to identify vulnerable ports and then exploit the
vulnerabilities of services that are associated with open ports.
Q48) What is security misconfiguration?
Security misconfiguration is a vulnerability that could happen if an
application/network/device is susceptible to attack due to an insecure configuration option.
It can be as simple as keeping the default username/password unchanged.
Q49) What is the difference between information protection and information assurance?
Information protection: It protects the data using encryption, security software, etc., from
unauthorized access.
Information Assurance: It keeps the data reliable by ensuring availability, authentication,
confidentiality, etc.
Q50) What do you mean by Chain of Custody?
Chain of custody refers to the probability of data provided as originally acquired and has not
been changed before admission into evidence.
In legal terms, it’s a chronological documentation/paper trail that records a proper sequence
of custody, control, analysis, and disposition of electronic or physical evidence.