Get the Preplance app for a seamless learning experience. Practice offline, get daily streaks, and stay ahead with real-time interview updates.
Get it on
Google Play
4.9/5 Rating on Store
Google · System Security
Practice System Security questions specifically asked in Google interviews – ideal for online test preparation, technical rounds and final HR discussions.
Questions
67
Tagged for this company + subject
Company
View company-wise questions
Subject
System Security
Explore topic-wise practice
Go through each question and its explanation. Use this page for targeted revision just before your Google System Security round.
Old SSL versions have known weaknesses. Modern TLS fixes protocol flaws, adds better cipher suites, enables perfect forward secrecy, and is actively maintained. Enforcing current TLS versions closes a big class of downgrade and crypto attacks.
Server idea: min protocol TLS 1.2; prefer ECDHE; disable RC4/3DES; enable HSTS at app layer
For complete preparation, combine this company + subject page with full company-wise practice and subject-wise practice. You can also explore other companies and topics from the links below.
Wrap the app with identity-aware access. Put a policy-enforcing proxy or gateway at the edge, terminate TLS, and authenticate users and devices before letting traffic in. Inside, restrict east-west flows to the minimal ports and addresses. Use per-service allowlists, segment the database, and add continuous signals like device posture. Over time, refactor hard-coded trust by shifting from broad subnets to identity and context-based rules.
Plan: user/device auth at gateway → policy engine → allow only app:port from approved sources → log and adapt
SSRF abuses a server’s ability to make HTTP calls. In cloud, attackers often target metadata services to steal credentials or pivot. Recent research shows active campaigns and rising prevalence; vendors recommend layered mitigations.
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/
Web shells provide stealthy persistence on web servers. They blend with normal traffic and can survive short rebuilds if stored in shared content. Hunt for odd file paths, recent changes, and suspicious parameters.
Example: /var/www/html/.cache/assets/.img.php?cmd=id
OWASP maintains a dedicated Top Ten for cloud-native threats that complements general web and API risks. It is useful for interviews and design reviews focused on containers and orchestration.
Use it to cross-check: identity, secrets, supply chain, workload isolation, and runtime protection
Treat the S B O M as living inventory. Feed it to vulnerability intelligence so you can answer “am I affected” quickly when a new CVE drops. Track licenses for legal risk. Compare S B O Ms across releases to spot unexpected component drift. Tie components to exploitability context so teams can prioritize by real risk, not just counts. Over time this reduces patch noise and speeds response.
Workflow: generate S B O M → ingest to VEX/SIEM → alert on impacted components → create prioritized tickets
Auditd is the userspace component of the Linux Auditing System. With kernel audit rules, it records security-relevant events, such as file writes, privilege use, and syscalls, to an immutable log. During an incident, responders pull targeted aureport and ausearch results for key paths, sensitive syscalls, and identity changes, then correlate with endpoint and network logs. This timeline shows what changed, who did it, and when.
auditctl -w /etc/passwd -p wa -k id_change ausearch -k id_change | aureport -f -i
Zeek, formerly Bro, is a passive network security monitor that generates detailed logs and enables custom analysis beyond simple signatures, supporting investigations and hunting.
Outputs: conn.log, http.log, dns.log for timeline and pivoting
YARA lets researchers create rule-based patterns to find related malware in files or memory. It is widely used for hunting and triage.
rule find_rundll32 { strings: $a = "rundll32" nocase condition: $a }Sysmon (System Monitor) is a Windows service and driver that logs rich events such as process creations, network connections, and file hash data to Windows Event Log. It supports threat hunting and detection; it is not a prevention tool. Sources: Microsoft Sysinternals Sysmon documentation and practitioner guidance.
Install example (admin): sysmon64.exe -accepteula -i sysmon-config.xml
A WAF inspects HTTP/HTTPS traffic to and from a web application and blocks attacks like SQL injection or cross-site scripting. It’s specifically designed for web system security.
Zero Trust rejects the assumption that internal users or networks are safe. It emphasises continuous verification and is highly relevant in system-security architecture.
A vulnerability scanner is a tool that automatically inspects computers, networks or applications for known security weaknesses — missing patches, mis-configurations, open ports. Using such scanners helps organisations identify risk before attackers exploit it. For example, scanning externally facing servers for open services and then remediating issues. Understanding how to run, interpret and prioritise scanner findings is a valuable system-security skill.
Failure to apply security patches is a common cause of compromise. Regular patch management is a basic but essential system-security control.
An IDS observes network or system activity for malicious behavior and issues alerts, but typically does not stop the traffic. An IPS goes further by actively intervening and blocking or rejecting malicious traffic in real time. Knowing this distinction is important for system security tool knowledge.
Malware refers to software (or sometimes firmware) purposely designed to compromise systems — e.g., worms, ransomware, key-loggers. A legitimate firmware update signed by the vendor is not malware. Understanding detailed differences like this is valued in system security interviews.
Memory forensics is the process of capturing and analysing the volatile memory (RAM) of a system to uncover live processes, network connections, loaded modules, encryption keys or other artefacts that may not persist on disk. It is especially useful in detecting stealthy threats like rootkits or file-less malware which leave no footprints on disk. This technique gives deeper visibility into attacker behaviour and is increasingly referenced in system security operations.
In an incident response scenario you would use tools like EDR (Endpoint Detection & Response) to isolate systems, memory forensics on compromised hosts, SIEM to aggregate logs and trigger alerts, network packet capture for traffic analysis, and a run-book process to contain, eradicate and recover. You’d also document chain-of-custody, preserve evidence and communicate with stakeholders. Understanding both tools and process shows you are ready for system security operations.
Data Execution Prevention stops executing data pages, and Address Space Layout Randomization makes memory locations unpredictable. Together they raise the bar for classic memory-safety exploits and should remain enabled as baseline hardening.
Windows: bcdedit /set nx OptOut; Linux: check randomize_va_space in /proc/sys/kernel
Start with a trusted image and apply a recognized benchmark such as the CIS Benchmark to set secure defaults. Disable unused services, enforce password and lockout policies, enable disk encryption, configure logging (Windows: Sysmon plus security logs; Linux: auditd and systemd-journald), and turn on host firewalls. Automate with configuration management so every server is built the same. Continuously scan for drift, patch on a risk-based cadence, and review the baseline quarterly or when major vendor updates land. This process shrinks attack surface and keeps builds consistent across fleets.
Pipeline steps: Image → CIS hardening → Join domain/IdP → Install EDR → Enable logs → Encrypt disk → Register in CM → Compliance scan
Authorize every request on the server. Check both object ownership and property-level rights before updates. Never trust client-side filtering. Use short-lived tokens and scopes. Rate-limit hot paths like login and resets. Log denies with context. Add tests for IDOR and mass-assignment. These steps address the top API risks and stop common data leaks early.
if (obj.owner !== auth.userId) return 403; const allowed = pick(req.body, editableFieldsFor(auth));
Volatile data disappears first. Capture the most short-lived artifacts early: CPU state and memory, then process lists, connections, and live network data. Disk images and backups come later because they persist. Following this order preserves the best evidence for root-cause analysis.
Network isolation stops an attacker from moving or exfiltrating, but EDR keeps a control channel so analysts can capture memory, pull logs, or run scripts. It buys time and reduces risk without destroying evidence.
Osquery lets you query endpoints like a database using standard SQL to retrieve processes, users, sockets, and more. It is cross-platform and designed for analytics and monitoring.
SELECT pid, name, path FROM processes WHERE name='powershell.exe';
Content-Security-Policy lets you whitelist trusted script sources and block inline or dynamic code execution paths. It dramatically reduces XSS risk when deployed with care and good testing. HSTS enforces HTTPS, X-Frame-Options prevents clickjacking, and Referrer-Policy limits sensitive referrer data.
Example: Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com
SUID root bits allow normal users to run programs with elevated privileges. If such binaries appear in unusual or writable directories, it often signals exploitation or persistence. Backups and standard logins are routine; browser cache clearing is irrelevant on servers.
find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/nullIt should deliver concrete changes, not just a recap. Expect a short timeline of what happened, what helped, and what slowed you down. Then assign actions with owners and dates: missing detections to add, playbook steps to refine, controls to harden, and training to run. Finally, capture metrics like time to detect and time to contain so you can show progress next time. Real improvement is the point.
Kerberos authenticates clients and services using tickets issued by a trusted Key Distribution Center. After initial authentication, clients use tickets to access multiple services without re-entering passwords. It is common in Windows domains and many Unix realms.
kinit user@REALM klist # shows TGT and service tickets
Strong session management means random identifiers, secure and httpOnly cookies, and enforced expiry. Idle timeouts log out inactive users. Absolute timeouts end long-lived sessions even if active. These steps limit theft, fixation, and replay.
Set-Cookie: sid=abc...; Secure; HttpOnly; SameSite=Strict; Max-Age=1800
Scopes express permissions, such as read-only or write access to a specific API. Least-privilege scopes reduce blast radius if a token is stolen, which is critical in distributed systems.
Authorization request: scope=contacts.read%20calendar.read
Secure prevents sending the cookie over plain H T T P. HttpOnly stops most script access to the cookie. SameSite limits cross-site requests that could carry the cookie, which helps reduce cross-site request forgery and some leakage. These align with session management guidance.
Set-Cookie: sid=...; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=1800
Frequent mistakes include accepting tokens without verifying signature, using none or weak algorithms, failing to check audience and issuer, and giving tokens very long lifetimes. Others include storing tokens where scripts can read them, not rotating keys, and mixing authentication and authorization data without care. Fix these by enforcing strong algorithms, validating signature and claims on every call, keeping tokens short-lived with refresh where needed, storing tokens in secure httpOnly cookies, and rotating signing keys. Use reputable libraries and follow cheat-sheet guidance.
Verify: alg=RS256; check iss/aud/exp/nbf; reject none; rotate kid keys; token TTL minutes, not days
CSP whitelists script sources and can block inline execution when designed well. It complements secure coding and output encoding to cut XSS risk.
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com
Attackers move side to side after the first foothold. Micro-segmentation places policy boundaries between tiers, apps, and even workloads. That way a breach in one segment does not grant free access to the rest of the environment.
Example policy: web → app tcp 8443 only; app → db tcp 5432 only; deny all other east-west
DNSSEC lets resolvers verify that the DNS data they received is authentic by checking digital signatures. It defends against cache poisoning and spoofed answers. It does not encrypt queries; for privacy you would add protocols like DoT or DoH.
Resolver behavior: validate RRSIG with DNSKEY; if signature fails, mark response bogus
Proxies understand application protocols and can filter by URL categories, methods, or content. Firewalls focus on IPs, ports, and sessions. Many enterprises use both for layered control over outbound traffic.
Policy idea: allow category Business; block Malware and Newly-registered domains; log user and URL
Transport mode is often used host-to-host, while tunnel mode is common for site-to-site VPNs because it wraps the full packet. Picking the right mode is crucial for performance and routing needs.
Site VPN: gateway A ⇄ gateway B in tunnel mode; internal subnets reach each other securely
Use packet capture when you need payload details: exploit content, credentials in clear channels, protocol misuse, or to rebuild a session for forensics. The trade-offs are storage and privacy. Payloads consume space and may include sensitive data. Also, capture at the wrong point can miss encrypted content. A good strategy blends both: flows for broad visibility and packets on demand for drill-down around the alert window.
Quick peek: tcpdump -i eth0 host 203.0.113.10 and port 443 -w suspect.pcap
Broken access control lets a user reach data or actions they should not. Common causes include missing server-side checks, IDOR issues, and deny-by-default not enforced. OWASP lists this as the top web risk and gives practical examples and fixes.
if (resource.ownerId !== auth.userId) return res.status(403).end();
SameSite limits when browsers send cookies on cross-site requests. It helps against CSRF and some cross-site leaks. It is a defense in depth and should be combined with tokens.
Set-Cookie: sid=...; Secure; HttpOnly; SameSite=Strict
APIs are easy to automate. Attackers exploit this for brute force, scraping, and credential stuffing. Rate limits slow abuse and protect upstream services. Apply limits per user, per IP, and per token. Include burst and sustained windows. Return clear errors and backoff hints. Combine with detection for anomalous patterns and block lists. Tie limits to critical operations, like login or password reset, for stronger protection.
POST /login 5 req per min per account; 100 req per min per IP; exponential backoff on 429
Clickjacking tricks a user into clicking a hidden frame. Deny framing or allow only trusted parents. Pair this with CSRF defenses on state-changing actions to limit damage.
X-Frame-Options: DENY Content-Security-Policy: frame-ancestors 'none'
Watch for egress calls to link-local and RFC-1918 ranges, odd DNS names, and unusual response sizes from metadata hosts. Add egress allowlists at app and network layers. Log request targets and block raw redirects. Use DNS and HTTP proxies with policies to prevent direct access to internal endpoints. In cloud, harden the metadata service and use instance profiles with the latest protections. Alerts on these signals help you stop credential theft and lateral movement early.
Alert if dest in 169.254.169.0/16 or 10.0.0.0/8 and Host header not in allowlist
Fileless techniques avoid writing obvious binaries to disk. They live in memory, use scripts, and leverage trusted tools like PowerShell or WMI. Disk-based antivirus may miss them, so telemetry and behavior rules are key.
Example: powershell -enc <base64> launched by Office process
A sandbox executes a sample in a controlled VM or container. You watch file, registry, process, and network activity without risking production systems. It speeds triage and supports safer signature creation.
Observed: drops %APPDATA%\svc.dll; beacons to hxxp://example[.]com/api
Kernel-mode code can intercept system calls and alter what tools see. That allows stealth, persistence, and powerful tampering. Detection relies on attestation, golden images, and low-level telemetry.
Symptom: ps shows no process but port 4444 is listening
Memory holds live secrets that never touch disk. You can see running processes, injected code, command lines, network sockets, decrypted payloads, and sometimes keys or tokens. Fileless techniques and in-memory implants leave few disk traces. A timely RAM capture can reveal the full execution chain and shorten the hunt. After that, a clean disk image provides persistence details and timeline. Together, they tell the complete story.
Windows: winpmem.exe --format raw --output mem.raw
YARA rules use text, hex, and logic to match families or traits. You can scan endpoints and memory to find variants, even if hashes change. This speeds threat hunting and scoping.
rule sample { strings: $s = "rundll32" nocase condition: $s }S3 Block Public Access provides centralized switches at account, access point, and bucket levels to keep data from becoming public, even if a user sets a permissive policy. It is a default-on safety net for many orgs.
aws s3control put-public-access-block --account-id 123456789012 --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
Multi-Region trails record activity in all enabled Regions, including seldom-used ones, so you do not miss events or attacks that target an unexpected Region. This is a common best practice in AWS guidance.
aws cloudtrail create-trail --name org-trail --is-multi-region-trail --s3-bucket-name audit-logs
The Pod Security Standards define privileged, baseline, and restricted policies. The Pod Security Admission controller enforces these at the namespace level so pods meet your chosen profile.
kubectl label ns prod pod-security.kubernetes.io/enforce=restricted
Managed Identities allow Azure resources to get access tokens from Microsoft Entra without hard-coding keys. This reduces secret sprawl and rotation effort while fitting into RBAC and conditional access.
az vm identity assign -g rg -n myvm // then grant the VM’s identity least-privilege role on target
Wireshark is a protocol analyzer that captures packets and lets you examine them in detail. It is widely used for troubleshooting, investigations, and protocol learning.
tshark -i eth0 -f "tcp port 443" -w capture.pcapng
Start deny by default. Turn on S3 Block Public Access at the account and bucket levels so no policy can make data public by mistake. Use least-privilege IAM policies bound to roles, not users. Encrypt objects with KMS and audit key use. Enable CloudTrail with a multi-Region trail and log file integrity so you can track who did what and when. Add bucket policies that require TLS and a specific VPC endpoint if possible. Finally, monitor for policy drift and unusual access. This structure lowers exposure and improves auditability.
Bucket policy idea: aws:SecureTransport=true AND aws:SourceVpce in allowed_list; deny if not met
S L S A (pronounced salsa) defines levels with controls to prevent tampering and to improve artifact integrity, from basic build script hardening up to hermetic, reproducible builds with strong provenance. It is widely cited in interviews because it connects engineering actions to measurable levels. (Sources: slsa.dev and Open S S F pages.)
Goal: produce artifact + provenance attestation signed by CI; verify before deploy
Cosign lets you sign images and store signatures in the registry. With keyless flows, the CI identity is proven via O I D C and recorded publicly, making trust decisions easier at deploy time. This directly supports artifact integrity and provenance checks. (Sources: Sigstore docs and introductions.)
cosign sign --keyless $IMAGE cosign verify $IMAGE
Provenance ties artifacts back to their sources and the build process. Verifying provenance before deployment helps spot substituted code or compromised builders. Frameworks like S L S A formalize this as a release gate. (Sources: slsa.dev.)
Verify: artifact.sig + provenance.json → policy engine before deploy
When outputs match exactly, you can compare community builds against release artifacts. Differences point to tampering or non-determinism. Many S L S A recommendations implicitly push toward reproducibility for this reason. (Source: slsa.dev concepts.)
Strategy: pin toolchains; fixed timestamps; hermetic builds; containerized builders
Prefer short-lived keys tied to workload identity. In CI, use O I D C to get a token and sign with a transient key or a service that attests the identity, as Sigstore does. Store long-lived keys only in a managed H S M with strict roles and rotation. Record signatures in a transparency log when possible. Enforce verification at deploy time so signatures are not just decorative.
cosign sign --keyless image:tag // CI identity via O I D C; verify on admission
S L S A defines incremental levels that add controls for tamper resistance and provenance. It is designed as a staged journey for producers and consumers of software. (Sources: slsa.dev and Open S S F.)
Plan: target S L S A 2 this quarter (central builder, provenance); S L S A 3 next
Nessus from Tenable scans networks, systems, and applications for known vulnerabilities and misconfigurations, then provides reports and remediation guidance.
Typical flow: discovery scan → credentialed scan → review CVEs → export report
A WAF is designed to protect web applications by filtering and monitoring HTTP/HTTPS traffic, preventing attacks like SQL injection or XSS. On the other hand a network IDS inspects general network traffic across layers for signs of intrusion. This knowledge shows tool-level system security awareness.
SELinux enforces fine-grained MAC using labels on subjects and objects. AppArmor confines programs with path-based profiles and is often easier to administer. Choosing one depends on security requirements and team expertise. Sources: comparative overviews from Linux security vendors and technical blogs.
Check mode: getenforce (SELinux); aa-status (AppArmor)
Monitor identity and integrity first. Watch auth files and user/privilege changes (for example passwd, shadow, sudoers). Track use of privileged binaries and kernel settings, and record changes under /etc. Capture execve of high-risk tools like bash, netcat, ssh, and package managers. Include network connection attempts from privileged processes. Send logs off-host to a central collector and set immutable audit rules for critical systems so attackers cannot disable auditing without notice. Tune to reduce noise while preserving high-value events to keep analysts focused.
Example rules: auditctl -w /etc/sudoers -p wa -k sudo auditctl -a always,exit -F arch=b64 -S execve -k exec augenrules --load
Great responders trust but verify. Pull the command line, script block logs if available, parent process, user context, and recent login activity. Quick validation prevents false positives from causing outages, and guides the right containment step if it is real.
MFA combines two or more different factors, such as something you know, something you have, or something you are. If a password leaks, the attacker still needs the second factor to pass authentication, which sharply lowers account-takeover risk. Standards like N I S T eight hundred sixty-three B describe authenticator assurance levels and when to require multi-factor.
User enters password + TOTP from an authenticator app; server verifies both before issuing a session
Separate human admin access from service identities. Use just-in-time elevation with approval, session recording, and command-level auditing. Rotate secrets automatically, prefer short-lived credentials, and lock high-risk actions behind step-up multi-factor. For services, use managed identities with scoping and time-boxed tokens over long-lived keys. Monitor admin sessions closely and alert on unusual source locations or off-hours activity. Map controls to assurance levels similar to those in national guidelines for authentication strength to avoid oversights.
Example: Admin requests elevation → PAM broker issues time-boxed role → session proxied and recorded; auto-revoke on logout