
1. What are the OSI layers and what is the job of network layer?

OSI (Open Systems Interconnection) is a reference model for how applications
communicate over a network. There are 7 layers in OSI, which are:

● Application layer -> Data -> network processes and apps -> SMTP, telnet, HTTP, FTP, etc.
● Presentation layer -> Data -> Data formatting and encryption -> JPG, HTTPS, SSL
● Session layer -> Data -> establishes/ends connections between two hosts -> NetBIOS, PPTP
● Transport layer -> Segments -> end-to-end connections and reliability -> TCP, UDP
● Network layer -> Packets -> Path determination and IP (logical addressing) -> routers and layer 3 switches
● Data link layer -> Frames -> Physical addressing -> switches
● Physical layer -> Bits -> Send data on to the physical wire -> Hubs, NICs, cables

2. What are some common port numbers and their services?

3. Can you name 5 common ports and their services?

● 21 - FTP - File transport protocol
● 22 - SSH - Secure Shell protocol, which secures the communication between hosts and services.
● 80 - HTTP - Hypertext transport protocol. HTTP gives users a way to interact with web
resources such as HTML files by transmitting hypertext messages between clients and servers.
● 67-68 - DHCP
● 110 - POP
● 53 - DNS
● 443 - HTTPS

4. What is a Firewall?

A firewall serves as a barrier between a LAN and the Internet. It allows private
resources to remain private while reducing security threats. It manages both inbound
and outbound network traffic.

A sample firewall between a LAN and the internet is shown in the diagram below. The
point of vulnerability is the connection between the two. At this point, network traffic
can be filtered using both hardware and software.

There are two types of firewall systems: one that uses network layer filters and the other that
uses user, application, or network layer proxy servers.
5. Differentiate between IDS and IPS in the context of Cyber Security.

Intrusion Detection Systems (IDS) scan and monitor network traffic for signals that attackers
are attempting to infiltrate or steal data from your network using a known cyber threat. IDS
systems detect a variety of activities such as security policy violations, malware, and port
scanners by comparing current network activity to a known threat database.
Intrusion Prevention Systems (IPS) are located between the outside world and the internal
network, in the same area of the network as a firewall. If a packet represents a known security
hazard, an IPS will proactively prohibit network traffic based on a security profile.
The fundamental distinction is that an IDS is a monitoring system, whereas an IPS is a control
system. An IDS makes no changes to network packets, whereas an IPS blocks packet delivery
depending on the contents of the packet, similar to how a firewall blocks traffic based on IP
address.

6. Differentiate between HIDS and NIDS.

HIDS look at certain host-based actions, including what apps are run, what files are
accessed, and what information is stored in the kernel logs. NIDS examine the flow of
data between computers, often known as network traffic. They basically "sniff" the
network for unusual activity. As a result, NIDS can identify a hacker before he can make
an unlawful entry, whereas HIDS won't notice anything is wrong until the hacker has
already gotten into the system.
7. Define VPN.

The term VPN refers to a virtual private network. It enables you to connect your
computer to a private network, establishing an encrypted connection that hides your IP
address, allowing you to safely share data and access the web while safeguarding your
online identity.

A virtual private network, or VPN, is an encrypted link between a device and a network
via the Internet. The encrypted connection aids in the secure transmission of sensitive
data. It protects against illegal eavesdropping on the traffic and allows the user to work
remotely. In corporate settings, VPN technology is commonly used.
8. What is Cryptography?
Cryptography is the practice and study of techniques for securing information and
communication mainly to protect the data from third parties that the data is not
intended for.

9. What is the difference between Symmetric and Asymmetric encryption?

| Basis of Comparison | Symmetric Encryption | Asymmetric Encryption |
|---|---|---|
| Encryption key | Same key for encryption & decryption | Different keys for encryption & decryption |
| Performance | Encryption is fast but more vulnerable | Encryption is slow due to high computation |
| Algorithms | DES, 3DES, AES and RC4 | Diffie-Hellman, RSA |
| Purpose | Used for bulk data transmission | Often used for securely exchanging secret keys |

10. What is the difference between IDS and IPS?

An IDS (Intrusion Detection System) only detects intrusions, and the
administrator has to take care of preventing them. An IPS (Intrusion
Prevention System), on the other hand, detects the intrusion and also
takes action to prevent it.

11. Explain CIA triad.

CIA stands for Confidentiality, Integrity, and Availability. CIA is a model that is
designed to guide policies for Information Security. It is one of the most popular
models used by organizations.

Confidentiality

The information should be accessible and readable only to authorized personnel. It
should not be accessible by unauthorized personnel. The information should be
strongly encrypted just in case someone uses hacking to access the data so that
even if the data is accessed, it is not readable or understandable.

Integrity

Making sure the data has not been modified by an unauthorized entity. Integrity
ensures that data is not corrupted or modified by unauthorized personnel. If an
authorized individual/system is trying to modify the data and the modification wasn’t
successful, then the data should be reversed back and should not be corrupted.

Availability

The data should be available to the user whenever the user requires it. Hardware
maintenance, regular upgrades, data backups and recovery, and network bottlenecks
should all be taken care of.
12. What is the main objective of Cyber Security?

The primary goal of cyber security is to protect data. To safeguard data from
cyber-attacks, the security sector offers a triangle of three connected principles,
known as the CIA triad. The CIA model is intended to help organizations develop
policies for their information security architecture. When a security breach is
discovered, one or more of these principles has been broken. Confidentiality, Integrity,
and Availability are the three components of the CIA model. It's a security paradigm that
guides individuals through many aspects of IT security. Let's take a closer look at each
section.

Confidentiality: Confidentiality is the same as privacy in that it prevents unauthorized
access to data. It entails ensuring that the data is only accessible to those who are
authorized to use it, as well as restricting access to others. It keeps vital information
from getting into the wrong hands. Data encryption is a great example of keeping
information private.
Integrity: This principle assures that the data is genuine, correct, and safe from
unwanted threat actors or unintentional user alteration. If any changes are made,
precautions should be taken to protect sensitive data from corruption or loss, as well
as to quickly recover from such an incident. Furthermore, it denotes that the source of
information must be genuine.
Availability: This principle ensures that information is constantly available and helpful
to those who have access to it. It ensures that system failures or cyber-attacks do not
obstruct these accesses.

13. Differentiate between threat, vulnerability and risk.

Threat: A threat is any form of hazard that has the potential to destroy or steal data,
disrupt operations, or cause harm in general. Malware, phishing, data breaches, and
even unethical employees are all examples of threats.
Threats are carried out by threat actors, who might be individuals or groups with a
variety of backgrounds and motives. Understanding threats is essential for developing
effective mitigations and making informed cybersecurity decisions. Threat intelligence is
information regarding threats and threat actors.

Vulnerability: A vulnerability is a flaw in hardware, software, personnel, or procedures
that threat actors can use to achieve their objectives.
Examples include physical vulnerabilities, such as publicly exposed networking equipment;
software vulnerabilities, such as a buffer overflow vulnerability in a browser; and even
human vulnerabilities, such as an employee vulnerable to phishing attacks.
Vulnerability management is the process of identifying, reporting and repairing
vulnerabilities. A zero-day vulnerability is a vulnerability for which a remedy is not yet
available.

Risk: The probability of a threat and the consequence of a vulnerability are combined
to form risk. To put it another way, the risk is the likelihood of a threat agent
successfully exploiting a vulnerability, which may be calculated using the formula:

Risk = Likelihood of a threat * Vulnerability Impact

Risk management is the process of identifying all potential hazards, analyzing their
impact, and determining the best course of action. It's a never-ending procedure that
examines new threats and vulnerabilities on a regular basis. Risks can be avoided,
minimized, accepted, or passed to a third party depending on the response chosen.
14. Who are Black Hat, White Hat and Grey Hat Hackers?

Black Hat hackers, sometimes known as crackers, attempt to obtain unauthorized
access to a system in order to disrupt its operations or steal critical data.

Because of its malicious aim, black hat hacking is always illegal, including stealing
company data, violating privacy, causing system damage, and blocking network
connections, among other things.

Ethical hackers are also referred to as White hat hackers. As part of penetration testing
and vulnerability assessments, they never intend to harm a system; rather, they strive
to uncover holes in a computer or network system.
Ethical hacking is not a crime and is one of the most difficult professions in the IT
business. Many businesses hire ethical hackers to do penetration tests and vulnerability
assessments.

Grey hat hackers combine elements of both black and white hat hacking. They act
without malice, but for the sake of amusement, they exploit a security flaw in a
computer system or network without the permission or knowledge of the owner.
Their goal is to draw the owners' attention to the flaw in the hope of receiving gratitude
or a small reward.

15. What are the types of Cyber Security?

The assets of every company are made up of a variety of systems. These systems
need a strong cybersecurity posture, which necessitates coordinated actions
across the board. As a result, cybersecurity can be divided into the following
sub-domains:

Network security: It is the process of securing a computer network against
unauthorized access, intruders, attacks, disruption, and misuse using hardware and
software. This security aids in the protection of an organization's assets from both
external and internal threats. Example: Using a Firewall.
Application security: It entails safeguarding software and devices against malicious
attacks. This can be accomplished by regularly updating the apps to ensure that they
are secure against threats.
Data security: It entails putting in place a strong data storage system that ensures data
integrity and privacy while in storage and transport.
Identity management: It refers to the process of identifying each individual's level of
access inside an organization. Example: Restricting access to data as per the job role of
an individual in the company.
Operational security: It entails analyzing and making decisions about how to handle
and secure data assets. Example: Storing data in an encrypted form in the database.
Mobile security: It refers to the protection of organizational and personal data held on
mobile devices such as cell phones, PCs, tablets, and other similar devices against a
variety of hostile attacks. Unauthorized access, device loss or theft, malware, and other
threats are examples of these dangers.
Cloud security: It refers to the safeguarding of data held in a digital environment or in
cloud infrastructures for an organization. It employs a variety of cloud service
providers, including AWS, Azure, Google, and others, to assure protection against a
variety of threats.

16. What are the benefits of Cyber Security?

The following are some of the advantages of putting cybersecurity in place and keeping
it up to date:

● Businesses are protected from cyberattacks and data breaches.
● Both data and network security are safeguarded.
● Unauthorized user access is kept to a minimum.
● There is a quicker recovery time after a breach.
● Protection for end-users and endpoint devices.
● Regulatory compliance.
● Operational consistency.
● Developers, partners, consumers, stakeholders, and employees have a higher level of trust in
the company's reputation.

17. What do you mean by Network Sniffing?

Sniffing is a technique for evaluating data packets delivered across a network. This can
be accomplished through the use of specialized software or hardware. Sniffing can be
used for a variety of purposes, including:

● Capture confidential information, such as a password.
● Listen in on chat messaging.
● Keep an eye on a data package over a network.
18. What do you mean by a botnet?

A botnet is a collection of internet-connected devices, such as servers, PCs, and
mobile phones, that are infected with malware and controlled by it.
It's used to steal data, send spam, launch distributed denial-of-service (DDoS) attacks,
and more, as well as provide the user access to the device and its connection.

19. What do you mean by honeypots?

Honeypots are attack targets that are set up to see how different attackers attempt
exploits. Private firms and governments can utilize the same concept to evaluate their
vulnerabilities, which is widely used in academic settings.
20. Differentiate between Vulnerability Assessment and Penetration Testing.

Vulnerability assessment and penetration testing are two different phrases that both
serve the same purpose: to secure the network environment.

Vulnerability Assessment is a process for defining, detecting, and prioritizing
vulnerabilities in computer systems, network infrastructure, applications, and other
systems, as well as providing the necessary information to the organization to correct
the flaws.
Penetration Testing is also known as ethical hacking or pen-testing. It's a method of
identifying vulnerabilities in a network, system, application, or other systems in order to
prevent attackers from exploiting them. In the context of web application security, it is
most commonly used to supplement a web application firewall (WAF).
A vulnerability scan is similar to approaching a door and checking to see if it is
unlocked before stopping. A penetration test goes a step further, not only checking to
see if the door is unlocked but also opening the door and walking right in.

21. What are the common types of cyber security attacks?

The common types of cyber security attacks are:-

● Malware
● Cross-Site Scripting (XSS)
● Denial-of-Service (DoS)
● Domain Name System Attack
● Man-in-the-Middle Attacks
● SQL Injection Attack
● Phishing
● Session Hijacking
● Brute Force

22. What do you mean by brute force in the context of Cyber Security?

A brute force attack is a cryptographic assault that uses a trial-and-error approach to
guess all potential combinations until the correct data is discovered. This exploit is
commonly used by cybercriminals to gain personal information such as passwords,
login credentials, encryption keys, and PINs. It is very easy for hackers to implement
this.

23. What do you mean by Phishing?

Phishing is a sort of cybercrime in which the sender appears to be a legitimate entity
such as PayPal, eBay, financial institutions, or friends and coworkers. They send an
email, phone call, or text message to a target or targets with a link to convince them to
click on the link. This link will take users to a fake website where they will be asked to
enter sensitive information such as personal information, banking and credit card
information, social security numbers, usernames, and passwords. By clicking the link,
malware will be installed on the target machines, allowing hackers to remotely control
them.

You can protect yourself from phishing attacks by following these guidelines:

● Don't give out important information on websites you don't know.
● Check the site's security.
● Make use of firewalls.
● Use an anti-phishing toolbar.

24. Differentiate between spear phishing and phishing?

Spear phishing is a type of phishing assault that targets a small number of high-value
targets, usually just one. Phishing usually entails sending a bulk email or message to a
big group of people. It implies that spear-phishing will be much more personalized and
perhaps more well-researched (for the individual), whereas phishing will be more like
a real fishing trip where whoever eats the hook is caught.
25. What does XSS stand for? How can it be prevented?

XSS stands for Cross-site scripting. It is a web security flaw that allows an attacker to
manipulate how users interact with a susceptible application. It allows an attacker to
get around the same-origin policy, which is meant to keep websites separate from one
another. Cross-site scripting flaws allow an attacker to impersonate a victim user and
execute any actions that the user is capable of, as well as access any of the user's data.
If the victim user has privileged access to the application, the attacker may be able to
take complete control of the app's functionality and data.

Preventing cross-site scripting can be simple in some circumstances, but it can be
much more difficult in others, depending on the application's sophistication and how it
handles user-controllable data. In general, preventing XSS vulnerabilities will almost
certainly need a mix of the following measures:

● Filter input on arrival. Filter user input as strictly as feasible at the point when it
is received, based on what is expected or valid input.
● Encode data on output. Encode user-controllable data in HTTP responses at
the point where it is output to avoid it being interpreted as active content. Depending on
the output context, a combination of HTML, URL, JavaScript, and CSS encoding may be
required.
● Use appropriate response headers. You can use the Content-Type and
X-Content-Type-Options headers to ensure that browsers read HTTP responses in the
way you intend, preventing XSS in HTTP responses that aren't intended to contain any
HTML or JavaScript.
● Content Security Policy. You can utilize Content Security Policy (CSP) as a last line
of defense to mitigate the severity of any remaining XSS issues.
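
The four measures above, put together in one small response builder. This is an added example, not code from the original page; the `username` field, its allowlist, the function names and the CSP value are assumptions chosen for illustration.

```python
import html
import json
import re
from urllib.parse import quote

# Assumed allowlist for a hypothetical "username" field.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def filter_username(raw):
    """Filter on arrival: accept only the expected format, reject everything else."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("username does not match the expected format")
    return raw


def encode_html(value):
    """HTML body or quoted-attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_url_component(value):
    """URL query-value context: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def encode_js_string(value):
    """Inline-script context: a JSON string literal whose HTML-significant
    characters are written as \\uXXXX so they cannot close the script element."""
    literal = json.dumps(value)
    for ch in "<>&'":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def security_headers(content_type):
    """Explicit content type, no MIME sniffing, and a CSP as the last line of defense."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'none'",
    }


def render_search_page(username, query):
    """HTML response: each untrusted value is encoded for the context it lands in."""
    body = (
        "<p>Results for " + encode_html(query) + ", signed in as "
        + encode_html(filter_username(username)) + "</p>"
        + '<a href="/search?q=' + encode_url_component(query) + '">permalink</a>'
    )
    return security_headers("text/html; charset=utf-8"), body


def render_api_response(query):
    """Non-HTML response: declared as JSON so the browser never treats it as markup."""
    return security_headers("application/json; charset=utf-8"), json.dumps({"q": query})


# Constructed untrusted input for the demonstration.
SAMPLE_QUERY = "<script>alert(1)</script>"

if __name__ == "__main__":
    headers, body = render_search_page("alice_01", SAMPLE_QUERY)
    print(headers)
    print(body)
    print(encode_js_string(SAMPLE_QUERY))
```

The same input is encoded three different ways because the safe form depends on where the value is written, which is why a single "sanitize" function applied at input time is not enough.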

26. What do you mean by ARP poisoning?

ARP (Address Resolution Protocol) poisoning is a sort of cyber-attack on the protocol
that network devices use to convert IP addresses to physical addresses. On the network,
the host sends an ARP broadcast, and the receiver machine responds with its physical address.
ARP poisoning is the practice of sending bogus addresses to a switch so that it associates
them with the IP address of a legitimate machine on the network, allowing traffic to be hijacked.

27. What do you mean by two-factor authentication?

Two-factor authentication (2FA), often known as two-step verification or dual-factor
authentication, is a security method in which users validate their identity using two
independent authentication factors. This procedure is carried out in order to better
protect the user's credentials as well as the resources that the user has access to.
Single-factor authentication (SFA), in which the user gives only one factor (generally a
password or passcode), provides a lower level of security than two-factor
authentication (2FA). Since possessing the victim's password alone is not enough to
pass the authentication check, two-factor authentication adds an extra layer of
security to the authentication process, making it more difficult for attackers to get
access to a person's devices or online accounts.

28. How can you avoid a brute force attack?

There are a variety of techniques for stopping or preventing brute force attacks.

A robust password policy is the most evident. Strong passwords should be enforced
by every web application or public server. Passwords for standard user accounts, for
example, must contain at least eight characters, a number, uppercase and lowercase
letters, and a special character. Furthermore, servers should mandate password updates
on a regular basis.
Brute force attacks can also be avoided by the following methods:

● Limit the number of failed login attempts.
● By altering the sshd_config file, you can make the root user unreachable via SSH.
● Instead of using the default port, change it in your sshd_config file.
● Make use of Captcha.
● Limit logins to a certain IP address or range of IP addresses.
● Use two-factor authentication.
● Use unique login URLs.
● Keep an eye on the server logs.
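
One way to "keep an eye on the server logs" for the failed-login pattern described above: a sliding-window counter over sshd authentication lines. This is an added example, not part of the original page; the log lines are constructed, and the threshold, window and assumed year are illustrative parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the usual OpenSSH syslog layout (documentation IP ranges).
SAMPLE_LOG = """\
Jan 10 03:14:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 10 03:14:05 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 10 03:14:09 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 10 03:14:13 web01 sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
Jan 10 03:14:18 web01 sshd[2209]: Failed password for deploy from 203.0.113.7 port 40005 ssh2
Jan 10 03:14:22 web01 sshd[2211]: Failed password for deploy from 203.0.113.7 port 40006 ssh2
Jan 10 03:14:27 web01 sshd[2213]: Accepted password for deploy from 203.0.113.7 port 40007 ssh2
Jan 10 03:14:30 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 09:00:00 web01 sshd[3101]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 09:10:00 web01 sshd[3105]: Failed password for alice from 198.51.100.20 port 51001 ssh2
Jan 10 09:10:20 web01 sshd[3107]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) or None for lines that are not sshd
    password events. Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside the window, and
    record a successful login from a flagged IP while the burst is still recent."""
    recent = defaultdict(deque)  # source IP -> (timestamp, user) of recent failures
    alerts = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, result, user, ip = event
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if result == "Failed":
            failures.append((ts, user))
            if len(failures) >= threshold:
                alert = alerts.setdefault(
                    ip, {"max_failures": 0, "users": set(), "accepted_user": None})
                alert["max_failures"] = max(alert["max_failures"], len(failures))
                alert["users"].update(u for _, u in failures)
        elif ip in alerts and failures:
            # A success right after a burst of failures deserves the highest priority.
            alerts[ip]["accepted_user"] = user
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

The second address in the sample shows the benign case: two mistyped passwords ten minutes apart followed by a success never reach the threshold, so no alert is raised.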

29. What do you mean by Man-in-the-Middle Attack?


A cyber threat (a type of eavesdropping assault) in which a cybercriminal wiretaps a
communication or data transmission between two people is known as a man-in-the-
middle attack. Once a cybercriminal enters a two-way conversation, they appear to be
genuine participants, allowing them to obtain sensitive information and respond in a
variety of ways. The main goal of this type of attack is to acquire access to our
company's or customers' personal information. On an unprotected Wi-Fi network, for
example, a cybercriminal may intercept data passing between the target device and
the network.

30. Differentiate between VPN and VLAN.

Companies use VLANs to consolidate devices that are dispersed across several remote
sites into a single broadcast domain. VPNs, on the other hand, are used to transmit
secure data between two offices of the same organization or between offices of
different companies. Individuals also use it for their personal needs.
A VLAN is a VPN subtype. VPN stands for Virtual Private Network, and it is a technology
that creates a virtual tunnel for secure data transfer over the Internet.
Because it enables encryption and anonymization, a VPN is a more advanced but more
expensive solution. A VLAN is useful for segmenting a network into logical sections for
easier management, but it lacks the security characteristics of a VPN.
A virtual local area network minimizes the number of routers required as well as the
cost of deploying routers. A VPN improves a network's overall efficiency.
Example of a VPN:- NordVPN, ZenMate
31. What do you mean by perimeter-based and data-based protection?

Perimeter-based cybersecurity entails putting security measures in place to safeguard
your company's network from hackers. It examines people attempting to break into
your network and prevents any suspicious intrusion attempts.

The term "data-based protection" refers to the use of security measures on the data
itself. It is unaffected by network connectivity. As a result, you can keep track of and
safeguard your data regardless of where it is stored, who accesses it, or which
connection is used to access it.

32. Which is more reliable: SSL or HTTPS?

SSL (Secure Sockets Layer) is a secure technology that allows two or more parties to
communicate securely over the internet. To provide security, it works on top of HTTP.
It works at the Presentation layer.
HTTPS (Hypertext Transfer Protocol Secure) is a combination of HTTP and SSL that
uses encryption to create a more secure surfing experience. The working of HTTPS
involves the top 4 layers of the OSI model, i.e, Application Layer, Presentation Layer,
Session Layer, and Transport Layer.
SSL is more secure than HTTPS in terms of security.

33. How do you decide the placement of the encryption function?

We must decide what to encrypt and where the encryption mechanism should be
situated if encryption is to be used to counter attacks on confidentiality. Link and end-
to-end encryption are the two main ways of encryption placement.
End-to-end encryption, or E2EE, is a secure data transfer system in which data is
encrypted and decrypted only at the endpoints, regardless of how many points it
passes through in the middle of its virtual journey. This sort of encryption is an
excellent technique to communicate in a secure and confidential manner. Because no
one else has the key to decode it, no one in the middle will be able to read it.
The primary difference between link encryption and end-to-end encryption is that link
encryption encrypts and decrypts all traffic at all points, not just at the endpoints. All
data is encrypted as it travels along the communication line with this approach. When
it reaches a router or another intermediary device, however, it is decrypted so that the
intermediator can determine which direction to send it next.

34: What is the difference between TCP and UDP?


Answer: The difference between TCP and UDP is as follows:

| TCP (Transfer Layer Protocol) | UDP (User Datagram Protocol) |
|---|---|
| TCP is a connection-oriented protocol. | UDP is a datagram-oriented protocol. |
| TCP is reliable as it guarantees the delivery of data packets to the destination. | UDP is not reliable as it does not guarantee the delivery of data packets to the destination. |
| TCP provides a thorough error-checking mechanism. | UDP provides a basic error-checking mechanism. |
| TCP is heavyweight. | UDP is lightweight. |
| TCP is slower as compared to UDP. | UDP is faster than TCP. |
| Failed data packets are retransmitted in TCP. | In UDP, there is no re-transmission for failed data packets. |
| Example: HTTP, SSH, HTTPS, SMTP | Example: TFTP, VoIP, online multiplayer games |

35: Define a Phishing attack and how to prevent it?


Answer: Phishing is a type of social engineering attack in which an attacker obtains sensitive
information from the target by creating urgency, using threats, impersonation, and incentives.
Spear phishing, e-mail spam, session hijacking, smishing, and vishing are types of phishing
attacks.
Ways to prevent a phishing attack:

● Raising awareness about phishing attacks among employees
● Conducting testing campaigns to check the awareness of the employees
● Implementing two-factor authentication
● Monitoring the behavior of employees
● Applying e-mail filters to identify spam

36. What do you mean by System Hardening?

In general, system hardening refers to a set of tools and procedures for managing
vulnerabilities in an organization's systems, applications, firmware, and other
components.
The goal of system hardening is to lower security risks by reducing potential attacks
and shrinking the system's attack surface.
The types of system hardening are as follows:

● Hardening of databases
● Hardening of the operating system
● Hardening of the application
● Hardening the server
● Hardening the network
37. What do you mean by a DDoS attack? How can you prevent it?

It's a form of cyber threat or malicious effort in which attackers flood the target or its
surrounding infrastructure with Internet traffic made up of seemingly legitimate requests,
causing the target's regular traffic to be disrupted. The requests originate from a variety
of IP addresses, which might cause the system to become unworkable, overload its servers,
cause them to slow down or go offline, or prevent an organization from performing its
essential responsibilities.
The methods listed below will assist you in stopping and preventing DDoS attacks:

● Create a denial-of-service response strategy.
● Maintain the integrity of your network infrastructure.
● Use fundamental network security measures.
● Keep a solid network architecture.
● Recognize the warning signs.
● Think about DDoS as a service.

38. What do you mean by Domain Name System (DNS) Attack?

DNS hijacking is a sort of cyberattack in which cyber thieves utilize weaknesses in the
Domain Name System to redirect users to malicious websites and steal data from
targeted machines. Because the DNS system is such an important part of the internet
infrastructure, it poses a serious cybersecurity risk.
These can be avoided by the following precautions:-

● Examine the DNS zones in your system.
● Make sure your DNS servers are up to date.
● Hide the BIND version.
● Limit transfers between zones.
● To avoid DNS poisoning attempts, disable DNS recursion.
● Use DNS servers that are separated.
● Make use of a DDoS mitigation service.

39: What is the Cross-Site Scripting (XSS) attack, and how to prevent it?
Answer: Cross-site Scripting: In a cross-site scripting attack, the attacker executes
malicious scripts on a web page and can steal the user's sensitive information. With an XSS
vulnerability, the attacker can inject a Trojan, read out user information, and perform specific
actions such as the website's defacement.
Countermeasures:

● Encoding the output

● Applying filters at the point where input is received

● Using appropriate response headers

● Enabling content security policy

● Escaping untrusted characters

40. What do you mean by SQL Injection? How do you prevent it?

SQL injection is a typical attack in which fraudsters employ malicious SQL scripts to
manipulate backend databases and get access to sensitive data. The hostile actor can
see, edit, or remove important company data, customer lists, or customers' personal
details contained in the SQL database after the attack is successful.

Countermeasures:

● Using parameterized queries

● Validating the inputs

● Creating stored procedures

● Deploying a web application firewall

● Escaping untrusted characters
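
The first countermeasure, parameterized queries, shown beside the string-built query it replaces. This is an added example, not code from the original page; the `customers` table, its rows and the function names are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [
            ("Alice", "alice@example.com"),
            ("Bob", "bob@example.com"),
            ("O'Brien", "obrien@example.com"),
        ],
    )
    return db


def find_customer_vulnerable(db, name):
    """BEFORE: user input is concatenated into the SQL text, so quote characters
    in the input change the structure of the query itself."""
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_customer_parameterized(db, name):
    """AFTER: the SQL text is fixed and the input is bound as a value, so it is
    only ever compared against the name column."""
    return db.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Constructed hostile input: the quote closes the string literal early.
HOSTILE_NAME = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The concatenated query returns every row in the table.
    print("vulnerable:   ", find_customer_vulnerable(db, HOSTILE_NAME))
    # The bound parameter matches no customer with that literal name.
    print("parameterized:", find_customer_parameterized(db, HOSTILE_NAME))
    # A legitimate name containing a quote works only in the parameterized form.
    print("O'Brien:      ", find_customer_parameterized(db, "O'Brien"))
    try:
        find_customer_vulnerable(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable form breaks on a legitimate name:", exc)
```

The `O'Brien` row shows why escaping or rejecting quote characters is a weaker control than binding: legitimate data contains them, and the parameterized form handles it without special cases.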

41. What is the difference between virus and worm?

A virus is a piece of harmful executable code that is attached to another executable file
and can modify or erase data. When a virus-infected computer application executes, it
takes action such as removing a file from the computer system. Viruses can't be
managed from afar.
Worms are comparable to viruses, except that they do not alter the program. A worm
continues to multiply itself, causing the computer system to slow down. Worms can be
manipulated with remote control. Worms' primary goal is to consume system
resources.

42. What form of cookie might be used in a spyware attack?

A tracking cookie, instead of a session cookie, would be used in a spyware attack
because it would last through multiple sessions rather than just one.

43. What is XSS? how do you defend a system from XSS?

XSS (cross-site scripting) is a type of computer security vulnerability typically found in
web applications. XSS enables attackers to inject malicious client-side scripts into web
pages viewed by other users. An XSS vulnerability may be used by attackers to bypass
access controls such as the same-origin policy.
XSS attacks can steal data, take control of a user's session, run malicious
code, or be used for a phishing scam. They attack an application's users, not the
application or server. One goal of XSS attacks is to gather cookie data, as cookies are
commonly and regularly used incorrectly to store information such as session IDs, user
preferences, or login information.

44. How to reduce the risk of XSS attacks?

security development lifecycle (SDL). I will look at SDLs in more detail in a future
article, but their aim is to reduce the number of security-related design and coding
errors in an application and reduce the severity of any errors that remain undetected.
A critical rule you’ll learn when developing secure applications is to assume that all
data received by the application is from an untrusted source. This applies to any data
received by the application — data, cookies, emails, files, or images — even if the data is
from users who have logged into their account and authenticated themselves.
Not trusting user input means validating it for type, length, format, and range whenever
data passes through a trust boundary, say from a Web form to an application script,
and then encoding it prior to redisplay in a dynamic page.
In practice, this means that you need to review every point on your site where user-
supplied data is handled and processed and ensure that, before being passed back to
the user, any values accepted from the client side are checked, filtered, and encoded.
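
The validate-then-encode rule above, shown as an added example (not code from the original document). The comment form, its field names and its limits are assumptions made for illustration; the point is that validation bounds the input while output encoding is what stops free text from being interpreted as markup.

```python
import html
import re

# Assumed rules for a hypothetical comment form (field names are illustrative).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
RATING_RE = re.compile(r"[0-9]{1,2}")
MAX_COMMENT_LEN = 500


def validate_form(form):
    """Check type, length, format and range at the trust boundary.

    Returns (clean, errors): typed values that passed, and field -> reason.
    """
    clean, errors = {}, {}

    username = form.get("username")
    if isinstance(username, str) and USERNAME_RE.fullmatch(username):
        clean["username"] = username
    else:
        errors["username"] = "expected 3-20 letters, digits or underscores"

    rating = form.get("rating")
    if isinstance(rating, str) and RATING_RE.fullmatch(rating) and 1 <= int(rating) <= 5:
        clean["rating"] = int(rating)  # format checked first, then range
    else:
        errors["rating"] = "expected an integer from 1 to 5"

    comment = form.get("comment")
    if isinstance(comment, str) and 1 <= len(comment.strip()) <= MAX_COMMENT_LEN:
        # Free text is kept verbatim: validation bounds it, encoding neutralises it.
        clean["comment"] = comment.strip()
    else:
        errors["comment"] = f"expected 1-{MAX_COMMENT_LEN} characters"

    return clean, errors


def render_comment(clean):
    """Encode each value for its HTML context just before redisplay."""
    # quote=True also encodes " and ', which matters inside attribute values.
    user = html.escape(clean["username"], quote=True)
    body = html.escape(clean["comment"], quote=True)
    rating = int(clean["rating"])
    return (
        f'<div class="comment" data-user="{user}" data-rating="{rating}">'
        f"<p>{body}</p></div>"
    )


if __name__ == "__main__":
    # Constructed input: a well-formed submission whose comment carries markup.
    form = {"username": "alice_01", "rating": "4",
            "comment": "<script>alert(1)</script> nice post"}
    clean, errors = validate_form(form)
    print(errors or render_comment(clean))
```

`html.escape` covers HTML body and quoted-attribute contexts only; values placed inside a script block, a URL or CSS need the encoder for that context.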

45. What is a DMZ and what would you most likely find in it?

In computer security, a DMZ or demilitarized zone (sometimes referred to as a
perimeter network or screened subnet) is a physical or logical subnetwork that
contains and exposes an organization’s external-facing services to an untrusted
network, usually a larger network such as the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization’s local
area network (LAN): an external network node can access only what is exposed in the
DMZ, while the rest of the organization’s network is firewalled. The DMZ functions as a
small, isolated network positioned between the Internet and the private network and, if
its design is effective, allows the organization extra time to detect and address
breaches before they would further penetrate into the internal networks.

46. If there was a possible attack from a specific IP address, what would you
do to defend the network?

Block the IP address on the firewall


47. How can you defend against ransomware? (They wanted to hear antivirus
and segmented VLAN’s)

Network segregation and segmentation can stop ransomware attacks. Network
segregation is the separation of critical networks from the Internet and other internal,
less sensitive networks.
Network segmentation, which involves splitting the larger network into smaller
network segments, can be accomplished through firewalls, virtual local area networks,
and other separation techniques.
Both strategies have the potential to prevent ransomware attacks that encrypt files on
the network, block access to those files, and then direct the victim to a webpage with
instructions on how to pay a ransom in bitcoin to unlock the files.

48. What is Splunk?

Splunk is a SIEM tool that performs near real-time analysis of data and logs,
visualization, alerting, reporting, and investigation of computer and network
systems. Splunk can make machine data (scrambled, meaningless
characters) readable because we can train Splunk to tag characters with a
meaningful item.

Splunk components:

Indexer: The indexer takes raw data from forwarders, turns it into events, and
places the results into an index that is stored in a bucket (it categorizes and
applies metadata to the data).

Search heads: Search heads act as the user interface and allow users to
create dashboards, alerts and reports related to analyzed logs and data.

Forwarder: Forwards raw data to other parts of the deployment (indexer,
search head & indexer). The universal forwarder requires very little
configuration; the heavy forwarder can be configured according to your needs.

Splunk has a data pipeline that includes 4 phases:

● Input

● Parsing
● Indexing

● Searching

49. What is MITRE ATT&CK?

MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on re

A custom XML configuration is set up with Windows agents to translate process
activity to MITRE ATT&CK vectors, so specific events can be easily queried.
Dashboards are also provided for forensic analysis of MITRE ATT&CK correlations. It
can be integrated with Malware Information Sharing Platform (MISP), OpenCTI

50. Password and Other Suspicious Requests- Cybercriminals can pose as
employees, contractors or third-party vendors to bait employees into
divulging sensitive passwords or other access controls. How do you
recognize a suspicious request?

Cybercriminals use the phishing technique to gain passwords, credentials, and
sensitive information of users by means of e-mails and messages.
They ask you to download attachments or click on a link to update or change your
password or user credentials. They then seize your user name and password and use
them to create a new account for themselves.

● Legit companies do not request your sensitive information via e-mail or
message.

● Legit companies call you by your name. Some hackers avoid the salutation
altogether.

● Legit companies have domain emails, so check the name as well as the email
address of the person who sent you the email.

● Check if there are spelling errors and bad grammar.

● Legit companies do not force you to their website and do not send unsolicited
attachments.
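
The checklist above, turned into a detection heuristic as an added example (not part of the original document). The sample message, the domains and the tag names are constructed for illustration; the spelling and grammar check is left out because it needs a language model or dictionary rather than a few rules.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real e-mail); all names and domains are made up.
SAMPLE = """\
From: "Corp IT Helpdesk" <helpdesk@corp-support.test>
To: alice@corp.example
Subject: Urgent: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user,
Confirm your password now at http://portal.corp-support.test/reset
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="form.zip"

constructed-placeholder
--b1--
"""

SENSITIVE_RE = re.compile(r"\b(password|passcode|credentials?|pin|login details)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)


def in_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def phishing_indicators(raw, trusted_domains, recipient_name):
    """Return the checklist items a raw RFC 5322 message trips, as short tags."""
    msg = message_from_string(raw)
    _display, addr = parseaddr(msg.get("From", ""))
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "(unnamed)")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    found = []
    if not in_trusted(addr.rpartition("@")[2], trusted_domains):
        found.append("sender-domain-not-trusted")
    if recipient_name.lower() not in body.lower():
        found.append("no-personal-salutation")
    if SENSITIVE_RE.search(body):
        found.append("asks-for-sensitive-info")
    if any(not in_trusted(h, trusted_domains) for h in URL_HOST_RE.findall(body)):
        found.append("link-to-untrusted-host")
    if attachments:
        found.append("attachment:" + ",".join(attachments))
    return found


if __name__ == "__main__":
    for tag in phishing_indicators(SAMPLE, {"corp.example"}, "Alice"):
        print(tag)
```

Each tag is a reason to look closer, not a verdict: legitimate mail can carry attachments, and a message that trips none of these checks can still be malicious.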

51. Unauthorized Computers and Devices on Network- Computers and
devices that haven’t gone through proper authentication processes before
joining your corporate network are perfect targets for attackers. How does
your response team not only identify attempts to connect to your network
but also block them?

● Authenticate the user and the device before joining them to the network.

● Implement an access control process to recognize each user and each device and
enforce security policies. With an access control method we can also block
noncompliant endpoint devices or give them only limited access. Network
access controls implement a defined security policy for access which is
supported by a network access server that performs the authentication and
authorization. Dynamic network access control works on specific computers that
are connected to a local area network and are considered to be trusted systems.
When an unauthorized user attempts to access the network, the trusted systems
will restrict access and then communicate the action to the main policy server.

● Mobile device management should be in place to control and configure which
devices can access your network.

52. Data Breach on the network- What is the first thing you do when an attack
occurs on the network? What incident response plan is in place in your
organization? Describe the six steps for incident response.

● Investigate the incident. Gathering information on the incident is important in
validating that an incident has occurred (i.e., who, what, where, and when the
incident occurred).

● If the breach is valid, inform management with a summary of the incident.

● Identify the suspected cause of the incident. For example, was the breach
caused by a firewall with an open port, malware on the system, a successful email
phishing attack, outdated antivirus software, or an employee who unknowingly
divulged confidential data?

● Isolate the affected system and eradicate the cause of the breach.

● Implement policy, procedures, and technology if necessary, to prevent a
recurrence.

● Perform periodic technology audits or risk assessments combined with network
penetration testing to identify weaknesses in the system.

53. How do you stay on top of cybersecurity news and developments?

● The Computer Emergency Readiness Team Coordination Center (CERT/CC) has
up-to-date vulnerability information for the most popular products. The
vulnerability database is searchable, and you can sort the entries by severity or
date published.

● SecurityFocus has a feed with recent advisories for almost every product. The
specific feeds are not frequently updated.

● The National Vulnerability Database has two feeds: One covers all the recent
CVE vulnerabilities, while the other focuses on fully analyzed CVE vulnerabilities.
I only follow the feed with the fully analyzed vulnerabilities because it provides
the information that’s important to me: the vulnerable product names.

● US-CERT and the Industrial Control Systems CERT (ICS-CERT) publish regularly
updated summaries of the most frequent, high-impact security incidents. The
information is similar to CERT/CC. The content from ICS-CERT is especially
useful if you have to protect critical infrastructure.

● The feed at Full Disclosure, now part of SecLists.org, is one of the oldest
available. It can be rather chatty, but it gives access to information on
vulnerabilities that is not immediately covered via other channels.

● Most vendors have their own feed of advisories, as well. With the use of good
asset management, you should be able to compile a list of key products and
vendors to follow.

● SANS, The Hacker News, Reddit news

54. What types of security breaches have you dealt with? How did you deal
with them and what did you learn from them?

Theft or loss:

● Computers and laptops, portable electronic devices, electronic media, paper
files.

● Laptops should be secured at all times. Keep it with you or lock it up securely
before you step away — and make sure it is locked to or in something permanent.

● Use extra security measures for portable devices (including laptop computers)
and portable electronic media containing sensitive or critical info:

● Encryption

● Extra physical security

● Securely delete personal identity information (PII) and other sensitive data when
it is no longer needed for business purposes.

● Report suspected theft of ACCC-related computing equipment to

Password hacked or revealed:

● Use good, cryptic passwords that are difficult to guess

● Never share or reveal your passwords

● Use different passwords for work and non-work accounts

● Have a unique password for each account

Protect Your Company Against a Data Breach by Applying the Following
Key Measures

● Train your employees

● Protect sensitive data

● Enforce strong passwords

● Monitor data and its traffic

● Limit access

● Patch vulnerabilities

● Encrypt devices and data

● Two-factor authentication

● Breach recovery plan

● IR plan in place and exercised

What are the different event categories in the Event Category Catalog?

The catalog lists, for each numbered event source type, the event categories related to
cybersecurity.

Event source 1: Operating system
1. Creation, modification and removal of group
2. Addition and removal of group member
3. Creation, modification, removal, locking and unlocking of account
4. Change of authenticator
5. Logon and logoff
6. Creation and completion of process/task
7. Start and stop of service/driver
8. Access (creation, reading/execution, modification/writing, removal) to the object
(i.e., directory, file, registry key)
9. Change of access rights related to object
10. Backup and recovery
11. Status of updates
12. Change of system time
13. Turn on, modification of, turn off audit and removal of audit trail

Event source 2: Database management system
1. Creation, modification and removal of role
2. Creation, modification and removal of user
3. Change of authenticator
4. Logon and logoff
5. Connect and disconnect
6. Change of database object owner/database owner
7. Creation, modification and removal of database object/database
8. Access (i.e., SELECT, UPDATE, REFERENCES, INSERT, DELETE, EXECUTE) to the object
(i.e., database, table)
9. Statement execution (i.e., GRANT, REVOKE, DENY, CREATE, ALTER, DROP) to the user or role
10. Start and stop of service
11. Backup and recovery
12. Turn on, modification of, turn off audit and removal of audit trail

Event source 3: Web server
1. Start and stop of service
2. Logon to virtual hosts
3. Access (i.e., GET, POST to the object [virtual host])

Event source 4: Mail server
1. Start and stop of service
2. Logon to administrative console
3. Access (i.e., receiving, sending) to the object (i.e., mailbox, email)

Event source 5: Application software
1. Creation, modification and removal of group (if applicable)
2. Addition and removal of group member (if applicable)
3. Creation, modification, removal, locking and unlocking of account (if applicable)
4. Change of authenticator (if applicable)
5. Logon and logoff (if applicable)
6. Start and stop of service
7. Access (i.e., creation, reading/execution, modification/writing, removal) to the object
(if related to application software)
8. Change of access rights related to object
9. Turn on, modification of, turn off audit and removal of audit trail (if applicable)

Event source 6: Router and switch
1. Creation, modification and removal of group
2. Addition and removal of group member
3. Creation, modification, removal, locking and unlocking of account
4. Change of authenticator
5. Logon to administrative console and logoff
6. Access (i.e., creation, reading, modification, removal) to the object (i.e., ACL, route)
7. Change of access rights related to object (setting)
8. Access (i.e., PERMIT, DENY) to the network object (i.e., IP address, port, protocol)
9. Start and stop of service
10. Backup and recovery
11. Status of updates
12. Change of system time
13. Turn on, modification of, turn off audit and removal of audit trail

Event source 7: Firewall (next generation firewall [NGFW], unified threat management
[UTM]) and proxy server
1. Creation, modification and removal of group
2. Addition and removal of group member
3. Creation, modification, removal, locking and unlocking of account
4. Change of authenticator
5. Logon to administrative console and logoff
6. Access (i.e., creation, reading, modification, removal) to the object (i.e., ACL, route)
7. Change of access rights related to object
8. Authentication of subject (i.e., user name) within access to network (successful or
unsuccessful)
9. Access (i.e., PERMIT, DENY) to the network object (i.e., IP address, port, protocol)
10. Start and stop of service
11. Backup and recovery
12. Status of updates
13. Change of system time
14. Turn on, modification of, turn off audit and removal of audit trail

Event source 8: Virtual private network (VPN) tool
1. Creation, modification and removal of group
2. Addition and removal of group member
3. Creation, modification, removal, locking and unlocking of account
4. Change of authenticator
5. Logon to administrative console and logoff
6. Access (i.e., creation, reading, modification, removal) to the object (i.e., VPN, router,
private key)
7. Change of access rights related to object
8. Authentication of subject (VPN client) within access to VPN (successful or unsuccessful)
9. Connection between VPN tools
10. Change of private key
11. Start and stop of device
12. Change of service status
13. Backup and recovery
14. Status of updates
15. Change of system time
16. Turn on, modification of, turn off audit and removal of audit trail

Event source 9: Intrusion detection system (IDS)/intrusion prevention system (IPS),
web application firewall
1. Creation, modification and removal of group
2. Addition and removal of group member
3. Creation, modification, removal, locking and unlocking of account
4. Change of authenticator
5. Logon to administrative console and logoff
6. Access (i.e., creation, reading, modification, removal) to the object (i.e., ACL, signature)
7. Change of access rights related to object
8. Detection and blocking of malicious activity
9. Start and stop of device
10. Change of service status
11. Backup and recovery
12. Status of updates
13. Change of system time
14. Turn on, modification of, turn off audit and removal of audit trail

Event source 10: Antivirus tool
1. Creation, modification and removal of group
2. Addition and removal of group object
3. Creation, modification, removal, locking and unlocking of account (if applicable)
4. Logon to administrative console and logoff
5. Change of antivirus policy
6. Start and stop of service
7. Backup and recovery
8. Status of updates of software and signature database
9. Change of status of antivirus tool
10. Detection, quarantine, healing and removal of malicious object
11. Turn on, modification of, turn off audit and removal of audit trail

Event source 11: Vulnerability scanner
1. Creation, modification and removal of group
2. Addition and removal of group object
3. Creation, modification, removal, locking and unlocking of account (if applicable)
4. Logon to administrative console and logoff
5. Change of scanner policy
6. Start and stop of service/task
7. Status of updates software and vulnerability database
8. Detection of vulnerability
9. Turn on, modification of, turn off audit and removal of audit trail

Event source 12: Data leak prevention system
1. Creation, modification and removal of group
2. Addition and removal of group member
3. Creation, modification, removal, locking and unlocking of account
4. Change of authenticator
5. Logon to administrative console and logoff
6. Start and stop of service
7. Access (i.e., creation, movement, copying, removal, modification) to the object
(i.e., policy, rule)
8. Action (i.e., sending via network, copy to external storage, printing) on data
(i.e., file, email)
9. Backup and recovery
10. Import, export, saving, applying and rollback of configuration
11. Turn on, modification of, turn off audit and removal of audit trail
12. Event interception with the verdicts “block” and “quarantine”

Event source 13: Hypervisor
1. Creation, modification and removal of group
2. Addition and removal of group member
3. Creation, modification, removal, locking and unlocking of account
4. Change of authenticator
5. Logon to administrative console, logoff
6. Start and stop process/task (i.e., migration, cloning)
7. Start and stop of service
8. Access (i.e., creation, execution, modification, removal) to the object (i.e., virtual
machine, virtual switch)
9. Change of access rights related to object
10. Backup and recovery
11. Status of updates
12. Change of system time
13. Turn on, modification of, turn off audit and removal of audit trail
