Part – 1

Q1. What is the CIA Triad and why is it the cornerstone of cybersecurity?

The CIA Triad is the foundational model of information security, comprising three core principles:

Confidentiality – Ensures data is accessible only to authorized users. Example: AES-256 encryption of a database storing customer PII prevents unauthorized reads.
Integrity – Guarantees data is not altered without authorization. Example: SHA-256 hashing of a file allows verification that its content hasn’t changed during transfer.
Availability – Ensures systems and data are accessible when needed. Example: Load balancers and redundant servers prevent single points of failure.

When a security breach occurs, at least one of these three pillars is violated.

For more insights and updates, follow us on Google News, Twitter, and LinkedIn.

Q2. Differentiate between Threat, Vulnerability, and Risk.

These three concepts are distinct but interconnected:

Threat – Any potential danger capable of exploiting a weakness (e.g., malware, phishing, rogue employees).
Vulnerability – A flaw in hardware, software, or processes that a threat actor can exploit (e.g., unpatched CVE-2021-44228 Log4Shell, buffer overflow).
Risk – The probability and impact of a threat exploiting a vulnerability. Expressed as:

Risk=Likelihood of Threat×Vulnerability Impact

Example: An unpatched Apache server (vulnerability) exposed to the internet (threat vector) creates a high-risk scenario of unauthorized code execution.

Q3. What is a Firewall? Explain its types.

A firewall is a network security device (hardware or software) that monitors and controls incoming/outgoing network traffic based on pre-configured rules.

Packet Filtering Firewall – Inspects packets at the network layer (Layer 3). Filters by IP, port, protocol. Example: iptables rule blocking all inbound traffic on port 23 (Telnet).
Stateful Inspection Firewall – Tracks the state of active connections and only allows packets belonging to established sessions.
Application Layer Firewall (WAF) – Operates at Layer 7. Understands HTTP/HTTPS traffic and blocks SQLi, XSS. Example: ModSecurity WAF blocking SQL injection payloads.
Next-Gen Firewall (NGFW) – Combines deep packet inspection (DPI), IPS, and application awareness.

Q4. What is the difference between Symmetric and Asymmetric Encryption?

Feature	Symmetric Encryption	Asymmetric Encryption
Keys Used	Single shared key	Public + Private key pair
Speed	Fast	Slower
Use Case	Bulk data encryption (files, disk)	Key exchange, digital signatures
Examples	AES-256, DES, 3DES	RSA-2048, ECC, Diffie-Hellman
Risk	Key distribution is a challenge	No key-sharing problem

Example: HTTPS uses asymmetric encryption (RSA) during the TLS handshake to securely exchange a symmetric session key (AES), which is then used for the actual data transfer.

Q5. What is hashing and how does it differ from encryption?

Feature	Hashing	Encryption
Reversibility	One-way (irreversible)	Two-way (reversible with key)
Purpose	Integrity verification	Confidentiality
Output	Fixed-length digest	Variable-length ciphertext
Examples	SHA-256, MD5, bcrypt	AES, RSA

Example: Passwords are stored as bcrypt hashes in a database. When a user logs in, their input is hashed and compared against the stored hash the original password is never stored or retrieved.

Q6. What is a VPN and how does it work technically?

A VPN (Virtual Private Network) creates an encrypted tunnel between a client and a server over a public network (internet). It works via:

Tunneling protocols: IPSec, OpenVPN, WireGuard, L2TP/IPSec
Encryption: All traffic inside the tunnel is encrypted (typically AES-256)
IP masking: The client’s real IP is replaced by the VPN server’s IP

Example: An employee working from a café uses an OpenVPN client to connect to their office network. All traffic is AES-256 encrypted inside an IPSec tunnel, preventing eavesdropping on the public Wi-Fi.

Q7. What is Two-Factor Authentication (2FA) and why is it critical?

2FA (Two-Factor Authentication) is a security process that requires two independent verification factors before granting access:

Factor 1 (Something you know): Password or PIN
Factor 2 (Something you have): OTP via SMS/TOTP app (Google Authenticator), hardware token (YubiKey)
Factor 3 (Something you are): Biometric (fingerprint, facial recognition)

Example: Logging into Gmail with a password (factor 1) + a 6-digit TOTP from Google Authenticator (factor 2). Even if the password is stolen via phishing, the attacker still cannot access the account without the second factor.

Q8. Differentiate between Virus, Worm, Trojan Horse, and Ransomware.

Type	Self-Replicates	Requires User Action	Primary Goal
Virus	Yes (attaches to files)	Yes (file must be executed)	Corrupts/deletes data
Worm	Yes (network-based)	No	Consume bandwidth/resources
Trojan Horse	No	Yes (disguised as legit software)	Backdoor/data theft
Ransomware	Sometimes	Yes	Encrypt data, demand payment

Example: WannaCry (2017) was a ransomware worm that self-propagated using the EternalBlue exploit (MS17-010), encrypted files on infected machines, and demanded Bitcoin ransom all without user interaction.

Q9. What is Phishing? Describe its variants.

Phishing is a social engineering attack where attackers impersonate trusted entities to steal credentials or install malware.

Standard Phishing: Mass emails mimicking banks, PayPal, etc. with fake login links
Spear Phishing: Targeted attack on a specific individual using personalized info gathered from LinkedIn/social media
Whaling: Spear phishing targeting C-level executives (CEOs, CFOs)
Vishing: Voice phishing via phone calls
Smishing: SMS-based phishing

Example: A spear-phishing email targeting a CFO, referencing a real vendor name and a fake invoice, requesting wire transfer a common Business Email Compromise (BEC) scenario.

Q10. What is a Botnet and how is it used in cyberattacks?

A botnet is a network of compromised internet-connected devices (bots) controlled remotely by an attacker (botmaster) via a Command & Control (C2) server.

DDoS Attacks: Thousands of bots flood a target server with traffic (e.g., Mirai botnet took down Dyn DNS in 2016)
Spam Campaigns: Bots send millions of phishing emails
Credential Stuffing: Bots perform automated login attempts using stolen credential lists
Cryptojacking: Bots mine cryptocurrency using victim’s CPU/GPU

Example: The Mirai botnet in 2016 used IoT devices (cameras, routers) with default passwords to launch a 1.2 Tbps DDoS attack against Dyn DNS, taking down Twitter, Netflix, and Reddit.

Part -2 Network Security

Q11. What is the difference between IDS and IPS?

Feature	IDS (Intrusion Detection System)	IPS (Intrusion Prevention System)
Function	Monitors and alerts	Monitors and blocks
Placement	Out-of-band (passive)	Inline (active)
Response	Passive – logs and alerts	Active – drops malicious packets
Risk of False Positive	Lower impact	Can block legitimate traffic

Example: Snort can operate as both an IDS (logging suspicious packets) and an IPS (using iptables integration to actively block attack sources in real time).

Q12. What is a Man-in-the-Middle (MitM) Attack?

In a MitM attack, an attacker secretly intercepts and relays communication between two parties who believe they are communicating directly.

Common techniques:

ARP Poisoning: Attacker sends fake ARP replies to associate their MAC with a legitimate IP
SSL Stripping: Downgrades HTTPS to HTTP to intercept plaintext traffic
DNS Spoofing: Redirects DNS responses to attacker-controlled IPs

Example: On an open Wi-Fi network, an attacker uses arpspoof to poison the ARP cache of a victim and the gateway, then uses sslstrip to intercept HTTPS login credentials in plaintext.

Q13. What is ARP Poisoning and how does it work?

Address Resolution Protocol (ARP) Poisoning floods a network switch with fake ARP replies to associate the attacker’s MAC address with a legitimate IP address.

Steps:

Attacker sends unsolicited ARP replies to victim and router
Victim’s ARP cache maps gateway IP → attacker’s MAC
All traffic from victim passes through the attacker
Attacker can sniff, modify, or block data

Prevention: Dynamic ARP Inspection (DAI) on managed switches, static ARP entries for critical hosts.

Q14. What is a DDoS Attack? How do you prevent it?

A Distributed Denial-of-Service (DDoS) attack uses multiple compromised systems to flood a target with traffic, exhausting its resources and causing downtime.

Types:

Volumetric: UDP floods, ICMP floods (overwhelm bandwidth)
Protocol: SYN floods (exhaust connection tables)
Application Layer (Layer 7): HTTP GET floods (exhaust web server resources)

Mitigation:

Rate limiting and traffic scrubbing (Cloudflare, Akamai)
Anycast network diffusion
Black-hole routing
CDN load distribution

Example: A SYN flood sends millions of TCP SYN packets without completing the 3-way handshake, filling the server’s half-open connection table and making it unable to accept legitimate connections.

For more insights and updates, follow us on Google News, Twitter, and LinkedIn.

Q15. What is DNS and how is a DNS Hijacking attack performed?

DNS (Domain Name System) translates human-readable domain names into IP addresses. DNS Hijacking redirects DNS queries to malicious servers.

Methods:

DNS Cache Poisoning (Spoofing): Injecting fake DNS records into a resolver’s cache
Rogue DNS Server: Compromising a router and changing DNS server settings
Man-in-the-Middle: Intercepting DNS queries and forging responses

Prevention: DNSSEC (DNS Security Extensions), DoH (DNS over HTTPS), DoT (DNS over TLS).

Q16. Explain Network Sniffing. What tools are used?

Network sniffing is the act of capturing and analyzing data packets flowing through a network.

Passive Sniffing: Capturing traffic on a hub (broadcasts to all ports)
Active Sniffing: ARP poisoning a switch to redirect traffic

Tools:

Wireshark – GUI-based packet analyzer
tcpdump – CLI-based packet capture
Ettercap – MitM and sniffing framework

Q17. What is a Null Session attack?

A null session is an anonymous connection to a Windows network share (IPC$) that requires no username or password.

Exploits the IPC$ administrative share in Windows SMB (Server Message Block)
Allows attackers to enumerate users, groups, shares, and password policies

Prevention: Disable anonymous access to IPC$ via Group Policy, restrict null session pipes in the registry.

Q18. What is the difference between HIDS and NIDS?

Feature	HIDS (Host-based IDS)	NIDS (Network-based IDS)
Location	Installed on endpoint	Deployed on network segment
Monitors	File changes, process activity, log files	Network packet flow
Detection	Insider threats, malware post-execution	Network-level attacks, port scans
Example Tools	OSSEC, Tripwire, Auditd	Snort, Suricata, Zeek

Q19. What is VPN vs. VLAN? When do you use each?

Feature	VPN	VLAN
Purpose	Secure encrypted tunnel over the internet	Logical network segmentation
Encryption	Yes (AES, IPSec)	No (unless combined with encryption)
Layer	Layer 3 (Network)	Layer 2 (Data Link)
Use Case	Remote access, site-to-site connectivity	Segment internal departments (HR, Finance)

Example: A VLAN separates the Finance department’s traffic from the IT department’s traffic on the same physical switch. A VPN connects a remote employee’s laptop securely to the corporate network over the internet.

Q20. What is Port Scanning? Name common tools and techniques.

Port scanning is the process of probing a target host to discover open TCP/UDP ports and the services running on them commonly used in reconnaissance.

Techniques:

TCP SYN Scan (Stealth Scan): Sends SYN, waits for SYN-ACK (open port) or RST (closed). Never completes the handshake harder to detect in logs.
TCP Connect Scan: Completes the full 3-way handshake. More detectable.
UDP Scan: Probes UDP ports; slower and less reliable.
OS Fingerprinting: Uses TCP/IP stack responses to identify the OS.

Tool: Nmap

Part -3 Web Security & Application Security

Q21. What is SQL Injection (SQLi)? How does it work?

SQL Injection is a web vulnerability that allows attackers to insert malicious SQL code into input fields, manipulating the backend database.

Types:

Classic SQLi: ' OR '1'='1 bypasses login forms
Blind SQLi: No visible output; attacker infers data via true/false conditions
Time-based Blind SQLi: '; WAITFOR DELAY '0:0:5'-- infers data via response delay
Out-of-band SQLi: Extracts data via DNS/HTTP callbacks

Prevention: Parameterized queries/prepared statements, input validation, least-privilege DB accounts, WAF.

Q22. What is Cross-Site Scripting (XSS)?

XSS is a web vulnerability where an attacker injects malicious scripts into pages viewed by other users, exploiting the browser’s trust in the website.

Types:

Reflected XSS: Malicious script is in the URL and reflected back immediately. Example: https://site.com/search?q=<script>alert('XSS')</script>
Stored XSS (Persistent): Script is stored in the database and executed on every page load for all users. Most dangerous.
DOM-based XSS: Exploits the DOM environment in the victim’s browser without sending the payload to the server.

Prevention: Input sanitization, Content Security Policy (CSP) headers, output encoding (HTMLEncode), HTTPOnly and Secure cookie flags.

Q23. What is CSRF (Cross-Site Request Forgery)?

CSRF tricks an authenticated user into unknowingly submitting a malicious request to a web application where they’re already logged in.

When a logged-in victim visits the page, their browser automatically sends the request with their session cookie, initiating the unauthorized transfer.

Prevention: CSRF tokens (unique per-session hidden form fields), SameSite cookie attribute (SameSite=Strict), Origin/Referer header validation.

Q24. What is a Zero-Day Vulnerability?

A zero-day vulnerability is a security flaw that is unknown to the software vendor and has no available patch making it immediately exploitable.

Timeline:

Attacker or researcher discovers a flaw
Exploit is developed (zero-day exploit)
Attacks occur before vendor is aware
Vendor is notified (responsible disclosure) or not (kept secret for use/sale)
Patch released → zero-day becomes an “N-day”

Q25. What is the OWASP Top 10? Name any five.

OWASP (Open Web Application Security Project) Top 10 is a standard awareness document listing the most critical web application security risks.

Key entries (2021 edition):

A01 – Broken Access Control: Users can act outside their intended permissions (e.g., accessing admin pages without authorization)
A02 – Cryptographic Failures: Sensitive data exposed due to weak or missing encryption (e.g., plain-text password storage)
A03 – Injection: SQLi, NoSQLi, LDAP injection, OS command injection
A05 – Security Misconfiguration: Default credentials, unnecessary features enabled, verbose error messages
A07 – Identification and Authentication Failures: Weak passwords, no MFA, session fixation vulnerabilities

Q26. What is a honeypot in cybersecurity?

A honeypot is a decoy system or network resource deliberately set up to attract attackers and study their techniques without risking real assets.

Types:

Low-interaction: Simulates limited services (e.g., a fake SSH server logging login attempts)
High-interaction: Full OS/application environment that records attacker activity in detail
Honeynet: A network of honeypots

Example: Running a Cowrie SSH honeypot on port 22 logs every command an attacker executes after brute-forcing in, revealing their TTPs (Tactics, Techniques, and Procedures) and potential malware dropped.

Q27. What is session hijacking and how is it performed?

Session hijacking involves stealing or forging a valid session token to impersonate an authenticated user.

Methods:

Session Sniffing: Capturing session cookies over unencrypted HTTP
XSS-based Theft: Using document.cookie via injected JavaScript to exfiltrate session cookies
Session Fixation: Attacker sets a known session ID before authentication; user logs in with that ID, and attacker then uses it

Prevention: HTTPOnly cookie flag (prevents JS access), Secure flag (HTTPS only), session regeneration after login, short session timeouts.

Q28. What is the difference between Black Box, White Box, and Grey Box testing?

Testing Type	Tester Knowledge	Simulates
Black Box	No internal knowledge	External attacker
White Box	Full source code & architecture access	Internal developer review
Grey Box	Partial knowledge (e.g., credentials, API docs)	Privileged insider or authenticated attacker

Example: A black box pentest of a web app gives the tester only the URL. A white box review provides the full Django source code, database schema, and deployment configs for thorough security analysis.

Q29. What are the OWASP Top 10 API Security risks?

APIs introduce unique vulnerabilities beyond traditional web app risks. Top API risks include:

API1 – Broken Object Level Authorization (BOLA): Accessing another user’s data by changing an ID
API2 – Broken Authentication: Weak API key generation, tokens never expire
API3 – Broken Object Property Level Authorization: Receiving more data fields than intended (mass assignment)
API4 – Unrestricted Resource Consumption: No rate limiting enabling DoS
API8 – Security Misconfiguration: CORS misconfiguration allowing any origin

Q30. What is Directory Traversal and how is it exploited?

Directory traversal (path traversal) allows attackers to access files outside the intended web root directory by manipulating file path variables.

Prevention: Validate and sanitize file path inputs, use allowlists for filenames, chroot jails, avoid exposing file paths in parameters.

Part -4 Cryptography & PKI

Q31. What is Public Key Infrastructure (PKI)?

PKI is a framework of policies, hardware, software, and procedures used to create, manage, distribute, and revoke digital certificates and public-private key pairs.

Components:

Certificate Authority (CA): Issues and signs digital certificates (e.g., DigiCert, Let’s Encrypt)
Registration Authority (RA): Verifies identity before certificate issuance
Digital Certificate (X.509): Binds a public key to an entity’s identity
CRL / OCSP: Certificate Revocation List / Online Certificate Status Protocol for checking if a certificate is revoked

Q32. What is the Diffie-Hellman Key Exchange?

Diffie-Hellman (DH) is a cryptographic protocol allowing two parties to establish a shared secret key over an insecure channel without ever transmitting the key itself.

How it works (simplified):

Both parties agree on public parameters: prime p and generator g
Alice picks secret a, sends g^a mod p to Bob
Bob picks secret b, sends g^b mod p to Alice
Both compute the shared secret: (g^b)^a mod p = (g^a)^b mod p

Example: TLS 1.3 uses Ephemeral Diffie-Hellman (DHE) or Elliptic Curve DHE (ECDHE) to establish session keys, providing Perfect Forward Secrecy (PFS) past sessions remain secure even if the server’s private key is later compromised.

Q33. Why is MD5 considered insecure for storing passwords?

MD5 is cryptographically broken because:

Collision vulnerabilities: Two different inputs can produce the same hash
Speed: MD5 is extremely fast billions of hashes/sec on modern GPUs, making brute-force feasible
Rainbow Table attacks: Precomputed MD5 hash tables exist for billions of common passwords

Secure alternatives: bcrypt, scrypt, Argon2 these are intentionally slow, salted, and resistant to GPU acceleration.

Q34. What is Perfect Forward Secrecy (PFS)?

PFS is a property of cryptographic key exchange protocols ensuring that session keys cannot be compromised even if the server’s long-term private key is stolen.

How: Uses ephemeral (temporary, single-use) DH or ECDH keys for each session. The session key is derived from this temporary key, not the server’s static private key.

Example: If a server’s RSA private key is stolen in a breach, with PFS (TLS 1.3 using ECDHE), past recorded encrypted sessions cannot be decrypted. Without PFS (TLS 1.0 using RSA key exchange), all past sessions could be retroactively decrypted.

Q35. What is the difference between SSL, TLS, and HTTPS?

Protocol	Description
SSL	Original protocol (SSLv2, SSLv3) now deprecated and insecure
TLS	Successor to SSL; current versions TLS 1.2 and TLS 1.3 are secure
HTTPS	HTTP running over TLS encrypts web traffic end-to-end

Q36. What is a Digital Signature and how does it work?

A digital signature provides authentication, integrity, and non-repudiation for digital messages.

Process:

Sender creates a hash of the message (SHA-256)
Sender encrypts the hash with their private key → this is the digital signature
Recipient decrypts the signature using the sender’s public key
Recipient independently hashes the received message and compares both hashes
If hashes match → message is authentic and unaltered

Example: Email signed with PGP (Pretty Good Privacy): recipient uses sender’s public key to verify the signature, confirming the email wasn’t tampered with and truly came from the stated sender.

For more insights and updates, follow us on Google News, Twitter, and LinkedIn.

Part -5 Security Frameworks, Tools & Best Practices

Q37. What is the NIST Cybersecurity Framework?

The NIST CSF is a voluntary framework of standards and guidelines for managing cybersecurity risk, organized into 5 core functions:

Identify – Asset management, risk assessment, governance
Protect – Access control, training, data security, maintenance
Detect – Anomaly detection, continuous monitoring, SIEM
Respond – Incident response, communications, analysis
Recover – Recovery planning, improvements, communications

Example: An organization using NIST CSF maps controls like MFA (Protect), Splunk SIEM (Detect), and an Incident Response Playbook (Respond) to strengthen its overall security posture.

Q38. What is Penetration Testing? Describe its phases.

Penetration testing is an authorized simulated cyberattack on a system to find exploitable vulnerabilities before real attackers do.

Phases (PTES / OWASP):

Reconnaissance: OSINT gathering (Maltego, Shodan, LinkedIn)
Scanning: Port and vulnerability scanning (Nmap, Nessus, OpenVAS)
Exploitation: Exploit vulnerabilities (Metasploit, manual exploits)
Post-Exploitation: Privilege escalation, lateral movement, data exfiltration
Reporting: Document findings, risk ratings (CVSS), remediation recommendations

Q39. What is the difference between Vulnerability Assessment and Penetration Testing?

Feature	Vulnerability Assessment	Penetration Testing
Goal	Identify and prioritize vulnerabilities	Exploit vulnerabilities to assess real-world impact
Depth	Broad, non-exploitative	Deep, exploitative
Tools	Nessus, OpenVAS, Qualys	Metasploit, Burp Suite, manual exploits
Output	List of CVEs and risk scores	Proof-of-concept exploits, attack chains
Analogy	Checking if the door is unlocked	Opening the door and walking in

Q40. What is System Hardening?

System hardening is the process of reducing a system’s attack surface by eliminating unnecessary functions, accounts, and services.

Key hardening steps:

Disable unused services and ports (e.g., disable Telnet, enable SSH only)
Apply the Principle of Least Privilege (PoLP) users/processes get minimum necessary permissions
Remove default/unnecessary accounts
Enable audit logging
Apply OS and application patches promptly
Enable host-based firewall (iptables/ufw)
Use CIS Benchmarks or STIGs as hardening guides

Example: CIS Benchmark for Ubuntu 20.04 includes disabling Ctrl+Alt+Del reboot, setting password complexity rules via PAM, and restricting cron access to specific users.

Q41. What is SIEM? Name common SIEM tools.

SIEM (Security Information and Event Management) is a security solution that collects, correlates, and analyzes log data from across an organization’s IT infrastructure in real time to detect threats.

Functions:

Log aggregation: Collects logs from firewalls, endpoints, servers, applications
Correlation: Identifies patterns across multiple events (e.g., failed logins + privilege escalation + data transfer)
Alerting: Triggers alerts on suspicious activity
Compliance reporting: Generates audit reports for PCI-DSS, HIPAA, SOX

Common tools: Splunk, IBM QRadar, Microsoft Sentinel, Elastic SIEM, ArcSight

Example: A Splunk correlation rule alerts when there are >10 failed SSH logins from the same IP in 60 seconds — indicating a brute-force attack.

Q42. What is Multi-Factor Authentication (MFA) and why is it more secure than 2FA?

MFA requires two or more authentication factors from different categories:

Knowledge: Password, PIN, security question
Possession: Hardware token (YubiKey), TOTP (Google Authenticator), smart card
Inherence: Biometrics fingerprint, iris scan, facial recognition
Location: Geo-based restrictions (allow login only from India)
Behavior: Keystroke dynamics, mouse movement patterns

2FA is a subset of MFA using exactly two factors. MFA using three or more factors provides greater defense-in-depth. Example: Bank vault access requiring a password (knowledge) + smart card (possession) + fingerprint (inherence).

Q43. What is the Principle of Least Privilege (PoLP)?

PoLP states that every user, program, or system should have the minimum level of access rights necessary to perform its function and nothing more.

Implementation:

User accounts run without admin rights by default
Databases accessed by apps use read-only accounts unless writes are needed
Linux processes run under dedicated low-privilege service accounts (e.g., www-data for Apache)
Azure/AWS IAM policies follow fine-grained permission scopes

Example: A web application’s database account should have SELECT and INSERT privileges only, not DROP or GRANT limiting the blast radius if the app is compromised via SQL injection.

Q44. What is OSINT and how is it used in cybersecurity?

OSINT (Open-Source Intelligence) is the collection and analysis of information from publicly available sources to support security research, threat intelligence, or penetration testing.

Sources used in OSINT:

Shodan: Search engine for internet-connected devices, finds open ports/services
Maltego: Visualizes relationships between domains, IPs, email addresses
WHOIS: Domain registration details
LinkedIn / GitHub: Employee info, code leaks with hardcoded credentials
Google Dorks: Advanced search operators to find sensitive files.

Q45. What is Threat Modeling and why is it important?

Threat modeling is a structured process of identifying, enumerating, and prioritizing potential threats to a system during the design phase.

Common frameworks:

STRIDE (Microsoft): Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
PASTA: Process for Attack Simulation and Threat Analysis
DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability

Example: Applying STRIDE to a login system analyzing how the authentication mechanism could be Spoofed (fake credentials), Tampered with (session token manipulation), or subjected to DoS (lockout attacks).

Q46. What is a Rootkit and how do you detect it?

A rootkit is malware that grants attackers persistent privileged access to a system while hiding its presence from users, antivirus, and OS security tools.

Types:

Kernel-level rootkit: Modifies the OS kernel to hide processes (most dangerous, hardest to detect)
Bootkit: Infects the MBR/bootloader, loads before the OS
User-mode rootkit: Operates at application level, hooks API calls

Detection methods:

Memory forensics: Volatility framework to compare running processes in memory vs. disk
Boot from external media: Scan the system without booting from the infected OS
Rootkit scanners: rkhunter, chkrootkit, GMER
Integrity checking: Tripwire to detect unauthorized file modifications

Example: Stuxnet used a kernel rootkit to hide malicious .lnk files from the Windows shell while continuing to infect Siemens PLCs.

Q47. What is Data Loss Prevention (DLP) and how does it work?

DLP is a set of tools and processes that detect and prevent unauthorized access, use, or transmission of sensitive data.

DLP operation modes:

Data at Rest: Scans file systems and databases for sensitive data (SSNs, credit card numbers, PHI)
Data in Motion: Monitors network traffic for sensitive data being transmitted (email, HTTP uploads, FTP)
Data in Use: Monitors copy-paste, screen captures, USB transfers on endpoints

Q48. What is an Advanced Persistent Threat (APT)?

An APT is a sophisticated, long-term, targeted cyberattack conducted by well-resourced adversaries (nation-states, organized crime groups) who maintain persistent unauthorized access to achieve strategic objectives.

Characteristics:

Highly targeted: Specific organizations, sectors, or individuals
Stealthy: Low-and-slow movement to avoid detection
Persistent: Maintain access for months or years
Multi-stage: Initial compromise → lateral movement → data exfiltration

Q49. What is the Cyber Kill Chain?

The Cyber Kill Chain (developed by Lockheed Martin) is a framework describing the 7 stages of a cyberattack:

Stage	Description	Example
1. Reconnaissance	Target research	Shodan scan, WHOIS lookup
2. Weaponization	Creating the exploit	Crafting a malicious PDF with shellcode
3. Delivery	Transmitting the payload	Phishing email with malicious attachment
4. Exploitation	Triggering the exploit	CVE triggered by opening the PDF
5. Installation	Establishing persistence	Installing a backdoor/RAT
6. Command & Control (C2)	Remote control	Malware beacons to attacker’s C2 server
7. Actions on Objectives	Achieving goal	Data exfiltration, ransomware deployment

Defenders can break the kill chain at any stage by deploying appropriate controls.

Q50. What are the key steps in an Incident Response (IR) process?

The NIST SP 800-61 Incident Response lifecycle defines 4 phases:

Preparation: Establish IR team, policies, communication plans, and deploy monitoring tools (SIEM, EDR)
Detection & Analysis: Identify indicators of compromise (IoCs), triage alerts, determine scope and severity (P1/P2/P3)
Containment, Eradication & Recovery:
- Containment: Isolate affected systems (quarantine from network)
- Eradication: Remove malware, patch vulnerabilities, reset compromised credentials
- Recovery: Restore systems from clean backups, validate integrity, resume operations
Post-Incident Activity: Root cause analysis (RCA), lessons learned, update playbooks, improve controls

Example: Upon detecting ransomware (Detect) → isolate the infected VLAN from the corporate network immediately (Contain) → rebuild from last known-good backup (Recover) → conduct a forensic review to determine the initial infection vector, e.g., phishing email (Post-Incident).