Cybersecurity Interview Q&A
Q1: What are the CIA Triad principles in cybersecurity?
A: CIA stands for Confidentiality, Integrity, and Availability. Confidentiality ensures only authorized users can access
data, integrity ensures data is not tampered with, and availability ensures systems and data are accessible when
needed.
Q2: What is the difference between symmetric and asymmetric encryption?
A: Symmetric encryption uses the same secret key for both encryption and decryption, while asymmetric encryption uses a mathematically related key pair: data encrypted with the public key can only be decrypted with the corresponding private key.
Q3: What is a firewall and how does it work?
A: A firewall is a security device that monitors and controls incoming and outgoing network traffic based on predefined
security rules, acting as a barrier between trusted and untrusted networks.
Q4: What is a VPN and why is it used?
A: A VPN (Virtual Private Network) creates a secure, encrypted connection between a user and a network over the
internet, protecting data from interception.
Q5: Explain what a zero-day vulnerability is.
A: A zero-day vulnerability is a software flaw that is unknown to the vendor (or known but unpatched), which attackers can exploit before the vendor becomes aware of it and releases a fix.
Q6: What is SIEM and how does it work?
A: SIEM (Security Information and Event Management) collects and analyzes log data from various sources in real-time
to detect security incidents.
Q7: How do you differentiate a false positive from a real threat?
A: By analyzing log patterns, context, threat intelligence, and verifying against known indicators of compromise before
escalating the alert.
Q8: What steps do you take during incident triage?
A: Classify the alert, gather context, correlate with other events, determine impact, and escalate or mitigate based on
defined playbooks.
Q9: How do you respond to a phishing alert reported by a user?
A: Verify the email header and links, check sender reputation, block the domain if malicious, and educate the user. If
credentials are compromised, initiate a password reset.
Q10: How do you investigate a potential malware infection?
A: Review endpoint logs, run antivirus scans, isolate the device, analyze network traffic and hash the suspicious file for
sandbox analysis.
Q11: What types of logs would you analyze during an investigation?
A: Windows event logs, firewall logs, antivirus logs, web proxy logs, and application logs, depending on the incident.
Q12: How do you use Splunk in a SOC environment?
A: To query log data using SPL, create dashboards, set up alerts for anomalies, and correlate logs from multiple sources
for incident detection.
Q13: What is an IOC and how is it used?
A: An IOC (Indicator of Compromise) is a piece of data that indicates a potential intrusion, such as a file hash, IP
address, or domain name. It is used in detection and response efforts.
Q14: How do you detect a brute-force attack?
A: Monitor for multiple failed login attempts from the same IP or user within a short time period, and correlate with
geolocation or known threat sources.
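As an added example (not part of the original Q&A), the detection logic described in Q14 over a few constructed sshd-style log lines: failed logins are parsed, kept in a sliding time window per source IP and per target user, and an alert is raised the first time a window reaches the threshold. The log lines, thresholds and field names are assumptions chosen for the demonstration; the timestamp format follows syslog, which has no year, so timestamps are compared relative to each other.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log lines (RFC 5737 documentation addresses), not from any real host.
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 08:00:03 host sshd[102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 08:00:04 host sshd[103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 08:00:06 host sshd[104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 08:00:07 host sshd[105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 08:00:09 host sshd[106]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 08:00:10 host sshd[107]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 08:12:00 host sshd[108]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 10 08:20:00 host sshd[109]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

# Matches only failed password events; "invalid user" is optional because sshd logs
# unknown account names with that prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(lines):
    """Yield (timestamp, user, source_ip) for every failed-login line, in input order."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated events are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
        yield ts, m.group("user"), m.group("ip")


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Sliding-window detector: one alert per key (source IP or user) the first time
    `threshold` failures fall within `window_seconds`. Assumes lines are in time order."""
    windows = defaultdict(deque)  # key -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ts, user, ip in parse_failed_logins(lines):
        # Keying on both dimensions catches a single source hammering many accounts
        # and a single account being targeted from many sources.
        for key in (("src_ip", ip), ("user", user)):
            q = windows[key]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that aged out of the window
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "key_type": key[0],
                    "key": key[1],
                    "failures": len(q),
                    "window_start": q[0].strftime("%H:%M:%S"),
                    "window_end": ts.strftime("%H:%M:%S"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults, only 203.0.113.7 is flagged (five failures in six seconds); bob's two failures eight minutes apart stay below the threshold, which is the kind of tuning decision that drives the false-positive rate discussed in Q7 and Q32. Widening the window or lowering the threshold changes which keys fire, as the second and third cases in the test show.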
Q15: What is lateral movement in a network?
A: Lateral movement is how attackers move from one system to another inside a network after gaining an initial foothold, trying to escalate privileges or reach sensitive data across systems.
Q16: How do you prioritize vulnerabilities?
A: Based on CVSS score, asset criticality, exploitability, and exposure to the public internet.
Q17: What is a vulnerability scan vs. a penetration test?
A: A vulnerability scan identifies known flaws automatically, while a penetration test involves a human simulating an
attack to exploit vulnerabilities.
Q18: What tools have you used for vulnerability management?
A: Tools like Nessus, Qualys, OpenVAS for scanning and identifying vulnerabilities on systems and networks.
Q19: What is the MITRE ATT&CK framework?
A: It is a knowledge base of adversary tactics and techniques based on real-world observations, used for threat
detection and response mapping.
Q20: What is threat intelligence and how is it used?
A: Threat intelligence provides information on current threats, such as attacker TTPs and IOCs, which helps in detection,
prevention, and response planning.
Q21: How do you harden a Windows or Linux system?
A: By disabling unused services, applying security patches, enforcing password policies, configuring firewalls, and
enabling logging/auditing.
Q22: What is RBAC and why is it important?
A: Role-Based Access Control assigns permissions to roles rather than to individual users, so each user receives only the minimum permissions their job requires, reducing the risk of privilege misuse.
Q23: What is DLP and where would you use it?
A: Data Loss Prevention tools monitor and restrict the movement of sensitive data to prevent unauthorized disclosures,
used in endpoints, email, and cloud systems.
Q24: How do you secure an API?
A: Use authentication (e.g., OAuth), HTTPS, input validation, rate limiting, and logging to monitor usage and detect
abuse.
Q25: What is the role of DNS in cybersecurity?
A: DNS can be abused for data exfiltration or to redirect users to malicious sites. Monitoring DNS logs helps detect such activity.
Q26: What is the purpose of the NIST Cybersecurity Framework?
A: It provides a structured approach to identify, protect, detect, respond to, and recover from cybersecurity incidents.
Q27: What is SOX and how does it relate to IT security?
A: SOX (Sarbanes-Oxley) requires financial reporting controls, including access controls, audit trails, and change
management in IT systems.
Q28: What are common compliance standards you are familiar with?
A: NIST, CIS Benchmarks, PCI-DSS, HIPAA, and ISO 27001 depending on the industry.
Q29: How do you ensure audit readiness?
A: Maintain detailed documentation, access logs, testing evidence, and control implementation mapping to compliance
requirements.
Q30: What is risk assessment in cybersecurity?
A: Evaluating potential threats and vulnerabilities, assessing their impact and likelihood, and determining mitigation or
acceptance strategies.
Q31: Describe a time you identified a security issue before it became a breach.
A: During QA testing, I discovered a misconfigured session timeout in a third-party module. I reported and resolved it
pre-deployment, preventing potential data exposure.
Q32: How do you handle alert fatigue?
A: By tuning SIEM rules, filtering low-value alerts, correlating data to reduce noise, and focusing on high-fidelity alerts.
Q33: What steps would you take if an executive's account was compromised?
A: Immediately reset credentials, review recent login activity, check for lateral movement, and conduct a forensic
investigation to contain the breach.
Q34: How do you stay current with evolving threats?
A: I follow threat feeds, subscribe to cybersecurity news (e.g., CISA, BleepingComputer), attend webinars, and practice
in labs using tools like TryHackMe and CyberDefenders.
Q35: What is your incident response experience?
A: I've participated in simulated incident response labs, including log correlation, alert triage, and drafting post-incident
reports using predefined playbooks.
Q36: If you notice outbound traffic to a suspicious domain, what would you do?
A: Block the domain, isolate affected systems, review DNS and proxy logs, and check endpoints for indicators of
compromise.
Q37: How do you investigate unusual spikes in outbound traffic?
A: Correlate with user activity, review logs for data transfers, inspect firewall and DNS logs, and analyze endpoint
behavior for malware signs.
Q38: What's the first thing you check during a suspected ransomware attack?
A: Check for encrypted files, ransom notes, network logs for data exfiltration, and isolate affected systems immediately.
Q39: How would you improve the security posture of a small organization?
A: Implement basic controls: endpoint protection, MFA, regular backups, patching, user training, and basic logging and
monitoring.
Q40: Why do you want to work in a SOC/cybersecurity analyst role?
A: I enjoy solving problems, staying ahead of threats, and protecting critical systems. My background in QA helps me
approach security methodically with a strong attention to detail.