1. What does the CIA triad in cybersecurity stand for?
Difficulty: Easy | Type: MCQ | Topic: Security Design
- Confidentiality, Integrity, Availability
- Control, Integrity, Authentication
- Confidentiality, Identity, Access
- Control, Information, Assurance
The CIA triad is the foundation of all cybersecurity principles. It represents Confidentiality, Integrity, and Availability — three key pillars every system must maintain.
Confidentiality means keeping information private and accessible only to authorized users. Integrity ensures data remains accurate and unaltered, protecting it from unauthorized changes. Availability means that systems and information are accessible whenever needed by legitimate users.
In short, cybersecurity strategies aim to balance these three elements. For example, too much focus on confidentiality could reduce availability, so a good system finds the right balance between the three.
Correct Answer: Confidentiality, Integrity, Availability
2. Which statement correctly describes a vulnerability?
Difficulty: Easy | Type: MCQ | Topic: Threats
- A weakness that can be exploited by a threat
- An event that causes data loss
- A type of malware
- A defense mechanism
A vulnerability is a flaw or weakness in software, hardware, or human behavior that can be exploited to cause harm.
For instance, an outdated operating system or a weak password is a vulnerability. A threat is anything that might exploit this weakness — such as a hacker, malware, or even natural disasters. The combination of both creates risk.
Understanding this relationship helps cybersecurity teams focus on patching vulnerabilities and reducing exposure to threats before they can cause real damage.
Correct Answer: A weakness that can be exploited by a threat
3. Which type of malware replicates itself without user interaction?
Difficulty: Medium | Type: MCQ | Topic: Malware
A worm is a self-replicating malware that spreads without any user action. Once inside a system, it copies itself across networks and devices, consuming bandwidth and causing disruption.
Unlike a Trojan, which disguises itself as legitimate software, a worm doesn’t need to trick users to install it. It exploits vulnerabilities in operating systems or applications to move from one computer to another.
The clearest famous example is WannaCry (2017), which propagated on its own by exploiting an SMBv1 vulnerability and caused massive global damage within hours. ILOVEYOU (2000) is usually classed as a mass-mailing worm as well, although it still needed recipients to open the attachment before it could run and mail itself onward.
Correct Answer: Worm
4. What is the primary purpose of a firewall?
Difficulty: Easy | Type: MCQ | Topic: Security Controls
- To filter network traffic between trusted and untrusted zones
- To encrypt files on the disk
- To detect malware inside applications
- To manage user accounts
A firewall acts as a security guard that monitors and controls incoming and outgoing network traffic. It sits between a trusted internal network and an untrusted external network such as the internet.
Firewalls use predefined security rules to allow or block data packets based on source, destination, and protocol. This helps prevent unauthorized access, data theft, or malware infiltration.
Modern firewalls also perform deep packet inspection and application-level filtering, giving organizations better visibility and control over network behavior.
Correct Answer: To filter network traffic between trusted and untrusted zones
5. Which factor is an example of 'something you have' in multi-factor authentication?
Difficulty: Medium | Type: MCQ | Topic: IAM
- A security token
- A password
- A fingerprint
- A PIN
Multi-factor authentication (MFA) enhances security by combining two or more independent credentials from different categories — something you know, something you have, and something you are.
‘Something you know’ is a password or PIN. ‘Something you have’ is a physical or digital item like a smart card, phone, or security token. ‘Something you are’ refers to biometrics such as fingerprints or facial recognition.
MFA significantly reduces the risk of unauthorized access, even if one factor, like a password, is compromised.
Correct Answer: A security token
6. What is the main purpose of encryption?
Difficulty: Medium | Type: MCQ | Topic: Cryptography
- To convert data into unreadable form to protect confidentiality
- To compress files for storage
- To check for malware in data
- To ensure system availability
Encryption protects sensitive information by converting it into a coded format that cannot be understood without the correct key.
For example, when you send data over the internet, encryption ensures that even if someone intercepts it, they cannot read it. Only the recipient with the decryption key can recover the original information. Note that encryption alone does not stop an interceptor from modifying the ciphertext; protecting integrity needs a message authentication code (MAC) or an authenticated encryption mode such as AES-GCM, which is why real protocols combine the two.
Modern encryption standards such as AES and RSA are essential for secure online transactions, cloud storage, and communication systems.
Correct Answer: To convert data into unreadable form to protect confidentiality
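The point that encryption hides data but does not by itself prevent modification is easy to see in code. The following is an added example, not code from the original page. It builds a toy stream cipher from SHA-256 (constructed here for illustration only, not a cipher to use in practice), shows an attacker flipping ciphertext bits to change the amount in a message without knowing the key, and then shows an HMAC tag over the ciphertext (encrypt-then-MAC) catching the change. The message text and the assumption that the attacker knows where the amount sits in the message are constructed for the demo.

```python
import hashlib
import hmac
import secrets


# Toy stream cipher, constructed for this example only (not a real cipher):
# keystream block i = SHA-256(key || nonce || i); ciphertext = plaintext XOR keystream.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker move, no key needed: XOR (old ^ new) into the ciphertext at a known
    offset, which flips exactly those plaintext bytes after decryption."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("tag mismatch: ciphertext was modified")
    return decrypt(enc_key, nonce, ct)


def demo():
    """Returns (plaintext recovered from the tampered unauthenticated ciphertext,
    whether the MAC detected tampering, whether the untampered message round-trips)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    msg = b"transfer 100 to bob"          # constructed sample message
    at = msg.index(b"100")                # attacker assumed to know the message layout

    forged = tamper(encrypt(enc_key, nonce, msg), at, b"100", b"900")
    malleable = decrypt(enc_key, nonce, forged)

    ct, tag = seal(enc_key, mac_key, nonce, msg)
    try:
        open_sealed(enc_key, mac_key, nonce, tamper(ct, at, b"100", b"900"), tag)
        detected = False
    except ValueError:
        detected = True
    roundtrip = open_sealed(enc_key, mac_key, nonce, ct, tag) == msg
    return malleable, detected, roundtrip
```

Without the tag, the recipient decrypts "transfer 900 to bob" and has no way to tell it was altered; with the tag, the modified ciphertext is rejected before decryption. AES-GCM and ChaCha20-Poly1305 package this "encrypt plus authenticate" behaviour into one primitive, which is why they are preferred over hand-built combinations.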
7. Which access control model grants permissions based on user roles?
Difficulty: Medium | Type: MCQ | Topic: IAM
- Role-Based Access Control
- Mandatory Access Control
- Discretionary Access Control
- Rule-Based Access Control
Role-Based Access Control, or RBAC, assigns permissions to users based on their organizational role rather than individual identity.
For example, all employees in the ‘HR’ department may have permission to view employee records, while only managers can modify them. This simplifies permission management and reduces errors.
RBAC is one of the most widely used access control methods in enterprise environments due to its scalability and clarity.
Correct Answer: Role-Based Access Control
8. What is the main goal of a social engineering attack?
Difficulty: Medium | Type: MCQ | Topic: Social Engineering
- To trick people into revealing confidential information
- To exploit software vulnerabilities
- To overload a network
- To encrypt files for ransom
Social engineering targets the human element of security rather than technical flaws. Attackers use manipulation, persuasion, or deception to make users reveal confidential information or perform risky actions.
Common examples include phishing emails, fake support calls, or malicious links sent through social media. These attacks exploit trust, curiosity, or urgency.
Training employees to recognize and report suspicious behavior is one of the most effective defenses against social engineering.
Correct Answer: To trick people into revealing confidential information
9. What is a phishing attack?
Difficulty: Easy | Type: MCQ | Topic: Social Engineering
- A fraudulent attempt to obtain sensitive data by pretending to be a trusted entity
- A brute-force attack on passwords
- A software exploit in operating systems
- A denial of service attack
Phishing is a type of social engineering attack where an attacker pretends to be a legitimate organization or person to steal personal information.
Most phishing attempts occur through email or fake websites that mimic real ones. Victims are tricked into entering passwords, credit card numbers, or OTPs.
Being cautious of unexpected messages, verifying sender addresses, and never clicking suspicious links are key steps to avoid phishing.
Correct Answer: A fraudulent attempt to obtain sensitive data by pretending to be a trusted entity
10. What is considered a cybersecurity incident?
Difficulty: Medium | Type: MCQ | Topic: Incident Response
- Any event that compromises confidentiality, integrity, or availability of data
- Regular system maintenance
- Scheduled software update
- Network traffic monitoring
A cybersecurity incident is any event that violates or threatens an organization’s information security.
This includes malware infections, data breaches, unauthorized access, or denial of service attacks. Even suspected or attempted attacks are treated as incidents.
The goal of incident management is to detect, analyze, and respond quickly to minimize damage and prevent recurrence.
Correct Answer: Any event that compromises confidentiality, integrity, or availability of data
11. Explain the typical stages of a cyber attack lifecycle.
Difficulty: Medium | Type: Subjective | Topic: Threats
A cyber attack usually follows several key stages. First comes reconnaissance, where attackers gather information about the target — like open ports, users, or software versions.
Next is scanning, where they probe for weaknesses. Once a vulnerability is found, they exploit it to gain access. After entering, attackers install backdoors or tools to maintain control and move laterally within the system.
Finally, they achieve their objective — stealing data, disrupting services, or causing damage — and often erase traces to avoid detection. Understanding this cycle helps organizations build defense mechanisms at every stage.
12. How is risk calculated in cybersecurity, and why is it important?
Difficulty: Medium | Type: Subjective | Topic: Risk
In cybersecurity, risk is commonly described as the product of three elements — Threat, Vulnerability, and Impact.
A threat is the potential for harm, a vulnerability is the weakness that can be exploited, and impact is the consequence of that exploitation. Risk = Threat × Vulnerability × Impact. In practice each factor is scored on a simple scale (for example 1 to 5) and the product is used to rank risks against each other; it is a prioritisation heuristic, not a precise measurement.
By assessing risks, organizations can prioritize which vulnerabilities need immediate attention and allocate resources effectively. It ensures focus on what truly matters rather than spreading efforts thin across all areas.
13. What does 'Defense in Depth' mean in cybersecurity?
Difficulty: Medium | Type: Subjective | Topic: Security Design
Defense in Depth is a layered approach to cybersecurity. Instead of relying on a single line of defense, it stacks multiple protective measures at different levels.
For example, an organization might use a firewall, intrusion detection system, antivirus software, strong authentication, and user awareness training. Each layer covers potential gaps left by others.
This strategy ensures that even if one control fails, additional layers can still prevent or slow down an attacker.
14. What is the Zero Trust model, and how does it differ from traditional network security?
Difficulty: Hard | Type: Subjective | Topic: Zero Trust
Zero Trust is a modern security model that assumes no user, device, or system should be trusted by default — even if it is inside the organization’s network.
Traditional security models often trusted everything within the internal network once someone passed the firewall. Zero Trust removes this assumption. Every request must be authenticated, authorized, and continuously validated.
It relies on the principles of least privilege, micro-segmentation, and continuous monitoring, minimizing the damage that could occur if a breach happens.
15. Why is ethical hacking important for cybersecurity?
Difficulty: Medium | Type: Subjective | Topic: Pentesting
Ethical hacking allows trained professionals, called white-hat hackers, to test and strengthen systems legally and safely.
By simulating real attacks, they help identify vulnerabilities before malicious hackers can exploit them. Ethical hackers use tools and techniques similar to cybercriminals but always with permission and a goal to improve security.
This proactive approach helps organizations fix weaknesses early, reduce risk, and comply with security standards like ISO 27001 and PCI DSS.
16. What best defines a cyber threat?
Difficulty: Easy | Type: MCQ | Topic: Threats
- A potential event or action that can cause harm to systems or data
- A physical damage to hardware
- An outdated software system
- A system upgrade process
A cyber threat is any potential danger that could exploit a vulnerability and cause harm to a system, network, or data. It doesn’t have to be an active attack; even the potential for malicious activity qualifies as a threat.
For example, a ransomware operator scanning the internet for unpatched servers is a threat; the unpatched server itself is the vulnerability that threat would exploit. Cyber threats can originate from hackers, malware, insider misuse, or even human error. The goal of cybersecurity is to identify, assess, and mitigate these threats before they turn into real incidents.
Correct Answer: A potential event or action that can cause harm to systems or data
17. Phishing primarily targets which aspect of security?
Difficulty: Easy | Type: MCQ | Topic: Social Engineering
- Human trust and awareness
- Network configurations
- Database structures
- Server firewalls
Phishing attacks exploit the human factor — the easiest and weakest link in security. Attackers send deceptive emails or messages pretending to be legitimate entities, such as banks or employers, to trick people into sharing confidential data like passwords or credit card details.
User education is an important defense against phishing. Employees must be trained to recognize suspicious emails, verify sender authenticity, and avoid clicking unknown links. Because some people will always be fooled, technical controls matter just as much: email filtering and link scanning, and above all phishing-resistant MFA (FIDO2/WebAuthn security keys bind the login to the genuine site, so a credential entered on a look-alike page cannot be replayed). Awareness and technical controls work together; neither is sufficient alone.
Correct Answer: Human trust and awareness
18. What is the main goal of a ransomware attack?
Difficulty: Medium | Type: MCQ | Topic: Malware
- Encrypt victim’s data and demand payment for decryption
- Steal passwords for unauthorized access
- Monitor user activities secretly
- Send spam emails across the network
Ransomware is a form of malicious software that locks or encrypts a victim’s files, demanding a ransom to restore access. Victims often receive a message demanding payment, usually in cryptocurrency, to get a decryption key.
These attacks can cripple businesses, hospitals, and even government systems. The best defense is regular data backups, updated security patches, and user education to avoid opening suspicious attachments or links. Paying the ransom is never guaranteed to restore access and may encourage further attacks.
Correct Answer: Encrypt victim’s data and demand payment for decryption
19. What happens during a Distributed Denial of Service (DDoS) attack?
Difficulty: Medium | Type: MCQ | Topic: Attacks
- A flood of traffic overwhelms a target system, making it unavailable
- Attackers steal confidential data
- Malware encrypts system files
- Unauthorized users gain root access
A Distributed Denial of Service (DDoS) attack occurs when multiple compromised systems flood a target server or network with massive amounts of traffic, overwhelming its capacity and making it unavailable to legitimate users.
These attacks often use botnets — large networks of infected devices — to send huge volumes of fake requests. Mitigation techniques include traffic filtering, rate limiting, and using DDoS protection services that detect and block malicious traffic before it reaches the target.
Correct Answer: A flood of traffic overwhelms a target system, making it unavailable
20. What does an attacker exploit in an SQL Injection attack?
Difficulty: Medium | Type: MCQ | Topic: Attacks
- Poorly validated database queries
- Weak encryption algorithms
- Network firewalls
- File permission errors
SQL Injection happens when an application fails to properly validate user inputs before including them in database queries. Attackers can inject malicious SQL statements to access, modify, or delete data from the database.
For example, entering `' OR '1'='1` into a login field could trick the system into granting access without valid credentials, because the injected text changes the structure of the query rather than being treated as a value. The primary defence is parameterized queries (prepared statements), which send user values to the database separately from the SQL text. Input validation adds a second layer, and stored procedures help only if they do not themselves build SQL by string concatenation.
Correct Answer: Poorly validated database queries
21. In a Man-in-the-Middle (MITM) attack, what does the attacker do?
Difficulty: Medium | Type: MCQ | Topic: Attacks
- Intercepts and possibly alters communication between two parties
- Directly hacks into a database
- Overloads the network with traffic
- Deletes system logs to hide traces
A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts communication between two systems, such as a user and a website. The attacker can eavesdrop, steal sensitive data, or modify messages without the users realizing it.
Using TLS (HTTPS) with proper certificate validation, implementing end-to-end encryption, and using a VPN on untrusted networks such as public Wi-Fi are the key defenses against MITM attacks.
Correct Answer: Intercepts and possibly alters communication between two parties
22. Who is involved in an insider threat?
Difficulty: Medium | Type: MCQ | Topic: Threats
- A current or former employee who misuses authorized access
- An external hacker with stolen credentials
- A software developer from a vendor company
- A third-party auditor
Insider threats come from individuals within an organization who intentionally or accidentally misuse their legitimate access to systems and data.
They are particularly dangerous because insiders often already have trusted credentials and understand the organization’s security mechanisms. Preventing insider threats involves strict access controls, continuous monitoring, behavioral analytics, and a culture of security awareness.
Correct Answer: A current or former employee who misuses authorized access
23. What makes a zero-day exploit particularly dangerous?
Difficulty: Hard | Type: MCQ | Topic: Threats
- It targets vulnerabilities unknown to the software vendor
- It uses social engineering only
- It requires physical access to the system
- It is easily detected by antivirus software
A zero-day exploit takes advantage of a software vulnerability that is unknown to the vendor or unpatched. Since there is no official fix yet, these attacks are extremely difficult to prevent.
Zero-day vulnerabilities are traded on underground markets and are often used by advanced threat actors. Until the vendor ships a fix, network segmentation, least privilege, and intrusion detection limit the exposure and the damage an exploit can do; once a patch is released, rapid patch management closes the window.
Correct Answer: It targets vulnerabilities unknown to the software vendor
24. What does a brute force attack involve?
Difficulty: Medium | Type: MCQ | Topic: Attacks
- Trying all possible password combinations until the correct one is found
- Sending phishing emails repeatedly
- Injecting malicious scripts into web pages
- Spoofing IP addresses
A brute force attack systematically tries every possible combination of passwords until it finds the correct one. It’s a simple but effective method if passwords are weak or short.
Attackers use automated tools; against a stolen password database (an offline attack) a GPU can test billions of guesses per second against a fast hash, while online attacks against a login form are limited by the server's response rate. To defend against brute force attacks, enforce strong password policies, use rate limiting and account lockouts on the login path, store passwords with a slow salted hash (bcrypt, scrypt, or Argon2) so offline guessing is expensive, and implement multi-factor authentication.
Correct Answer: Trying all possible password combinations until the correct one is found
25. What distinguishes an Advanced Persistent Threat (APT) from other attacks?
Difficulty: Hard | Type: MCQ | Topic: Threats
- It is long-term, stealthy, and targets specific organizations
- It causes immediate visible damage
- It relies solely on social engineering
- It is always performed by individuals, not groups
Advanced Persistent Threats (APTs) are sophisticated, prolonged attacks often carried out by organized groups or nation-states. They aim to infiltrate a network, remain undetected, and steal sensitive information over an extended period.
Unlike common attacks that are quick and noisy, APTs focus on stealth and persistence. Defense requires layered security, continuous monitoring, and threat intelligence to detect unusual behavior early.
Correct Answer: It is long-term, stealthy, and targets specific organizations
26. What is a supply chain attack, and why is it difficult to detect?
Difficulty: Hard | Type: Subjective | Topic: Threats
A supply chain attack targets the trusted third-party vendors or software providers that an organization relies on. Instead of directly attacking the main target, attackers compromise the supplier’s system to inject malicious code or components into legitimate software updates.
This makes detection extremely difficult because the compromised software appears to come from a trusted source. High-profile examples include the SolarWinds and Kaseya breaches. The best defense is to vet suppliers carefully, use code-signing verification, and maintain strict security standards across all vendors.
27. Explain the main types of social engineering attacks.
Difficulty: Medium | Type: Subjective | Topic: Social Engineering
Social engineering comes in several forms. The most common is phishing — fake emails or messages pretending to be from trusted sources. Spear phishing is a more targeted form aimed at specific individuals or companies.
Vishing uses voice calls to trick victims, while smishing uses SMS messages. Another variant is baiting, where attackers leave infected USB drives or links that tempt users to engage. All these methods exploit human emotions like curiosity, fear, or urgency, rather than technical weaknesses.
28. Describe the lifecycle of a malware attack.
Difficulty: Medium | Type: Subjective | Topic: Malware
A malware attack generally follows several stages. First, the attacker delivers the malicious file through email attachments, downloads, or infected websites. Next, the malware executes and installs itself on the target system.
Once active, it may connect to a command-and-control server, steal data, or spread to other systems. Finally, it hides its presence by modifying system files or disabling antivirus defenses. Understanding this lifecycle helps security teams respond at each stage — from detection to containment and removal.
29. What is the key difference between symmetric and asymmetric encryption?
Difficulty: Medium | Type: MCQ | Topic: Cryptography
- Symmetric uses one key; asymmetric uses a key-pair (public/private)
- Symmetric uses a key-pair; asymmetric uses one shared key
- Symmetric encrypts only files; asymmetric encrypts only network traffic
- There is no difference
Symmetric encryption uses a single secret key for both encryption and decryption. That means both sender and receiver must have the same key and keep it safe. Asymmetric encryption uses two distinct but mathematically related keys: a public key (shared openly) and a private key (kept secret). The public key encrypts data, and only the corresponding private key can decrypt it. This approach solves the key-distribution problem inherent in symmetric schemes, at the cost of being far slower per byte. In practice the two are combined: protocols such as TLS use asymmetric cryptography to agree on a session key and then symmetric encryption (for example AES) for the bulk data. Understanding this difference helps you choose the right encryption method based on performance, key management, and use case.
Correct Answer: Symmetric uses one key; asymmetric uses a key-pair (public/private)
30. Which statement best describes hashing compared to encryption?
Difficulty: Medium | Type: MCQ | Topic: Cryptography
- Hashing is one-way and irreversible; encryption is reversible with a key
- Hashing requires two keys; encryption uses one key
- Hashing encrypts data for transmission; encryption stores data securely
- There is no difference
Hashing transforms data into a fixed-length value (hash) and is designed to be one-way: you cannot feasibly get the original data back from the hash. It's ideal for verifying integrity and for storing passwords, provided each password gets a random salt and a deliberately slow password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) rather than a plain fast hash such as SHA-256, which an attacker can guess against at enormous speed. Encryption transforms data so it can be reversed (decrypted) using a key. It ensures confidentiality of data in transit or at rest. Knowing when to use hashing vs encryption is vital: use hashing for integrity or password storage, and encryption when you need to recover original data.
Correct Answer: Hashing is one-way and irreversible; encryption is reversible with a key
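As an added example (not code from the original page), here is the password-storage case the explanation above describes, using only the Python standard library: an unsalted fast hash as the "what not to do", beside a salted PBKDF2-HMAC-SHA256 record with a stored iteration count and a constant-time check. The record format and the iteration count are this example's choices; the password strings are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; this example's choice


def weak_hash(password: str) -> str:
    """What not to do: unsalted, fast. Equal passwords give equal hashes, so one
    precomputed table or one GPU run breaks every account using that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Random per-user salt plus a slow key-derivation function. The returned
    record carries the algorithm, iteration count and salt so it can be verified
    later and the work factor can be raised for new records without a migration."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; the hash is one-way,
    so the original password is never recovered, only re-derived and compared."""
    try:
        alg, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Two users with the same password end up with different records because of the salt, and a wrong password fails even though the verifier never had the original password in hand. Where a third-party library is acceptable, Argon2id or bcrypt are the usual production choices; PBKDF2 is shown here because it ships with Python.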
31. Which type of firewall filters traffic at the application layer?
Difficulty: Easy | Type: MCQ | Topic: Security Controls
- Next-generation firewall (NGFW)
- Packet-filtering firewall
- Stateful inspection firewall
- Proxy firewall
A next-generation firewall (NGFW) adds application-layer inspection (layer 7) in addition to traditional packet-filtering (layer 3) and stateful inspection (layer 4). It can identify applications (e.g., Facebook, Dropbox), enforce policies per application, detect intrusions, and block advanced threats. Note that a proxy firewall (application-layer gateway) also works at layer 7 for the protocols it proxies; the NGFW is the answer this question intends because it combines application awareness with stateful filtering and intrusion prevention in one device. Understanding different firewall types helps you design security architecture appropriate to an organisation's threat profile.
Correct Answer: Next-generation firewall (NGFW)
32. Why is multi-factor authentication (MFA) considered a strong security mechanism?
Difficulty: Easy | Type: MCQ | Topic: IAM
- Because it uses at least two independent authentication factors
- Because it eliminates the need for passwords
- Because it only uses biometric verification
- Because it stores passwords in plain text
Multi-factor authentication (MFA) strengthens access controls by requiring two or more independent factors: something you know (password or PIN), something you have (token, phone), and something you are (biometric). This reduces the risk of account compromise—even if one factor is stolen or guessed, the attacker still lacks the other factor(s). In many entry-level security roles this is one of the first controls expected to be implemented.
Correct Answer: Because it uses at least two independent authentication factors
33. Which access control model enforces restrictions based on data classification labels and user clearances?
Difficulty: Medium | Type: MCQ | Topic: IAM
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)
- Rule-Based Access Control (RuBAC)
Mandatory Access Control (MAC) uses system-enforced labels: every resource has sensitivity labels (e.g., Top-Secret) and every user has a clearance level. The system enforces access decisions—not the user. In contrast, DAC lets users decide access, and RBAC uses roles rather than labels. Recognising these models shows interviewers you understand how organisations implement access restriction in secure environments.
Correct Answer: Mandatory Access Control (MAC)
34. What is the Principle of Least Privilege (PoLP)?
Difficulty: Medium | Type: MCQ | Topic: IAM
- Granting users the minimum access they need to perform their job
- Giving administrators full access always
- Using two-factor authentication for all users
- Allowing users to share accounts
The Principle of Least Privilege (PoLP) restricts user and system privileges to only what is necessary for their role. By limiting unnecessary permissions, organisations reduce the attack surface and the risk of misuse of credentials—particularly from insider threats or compromised accounts. This principle is foundational in secure system design.
Correct Answer: Granting users the minimum access they need to perform their job
35. Explain what is meant by Defense in Depth and why organisations use it.
Difficulty: Medium | Type: Subjective | Topic: Security Design
Defense in Depth refers to implementing multiple layers of security controls so that if one control fails, others still protect the system. Imagine a castle: moat, walls, guards, lookouts — if one fails, the next layer still defends. Organisations use this because no single control is perfect. For example, combining firewalls, intrusion detection systems, encryption, access controls, and security-aware users means many small failures won’t result in a breach. It emphasises resilience, redundancy, and the idea that security is not just one thing, but a set of overlapping protections.
36. Differentiate between encryption at rest and encryption in transit and state why both are needed.
Difficulty: Medium | Type: Subjective | Topic: Cryptography
Encryption in transit protects data while it moves between systems (for example using TLS or VPNs). Encryption at rest protects data stored on disks or in databases from being read if the storage media is stolen or compromised. Both are needed because protecting only one phase leaves the other vulnerable: if you encrypt in transit but store plaintext data, a thief could access it easily. Conversely, encrypting at rest but moving data unprotected exposes it to interception. A full security posture covers both.
37. Which statement best describes the role of a Security Information and Event Management (SIEM) system?
Difficulty: Hard | Type: MCQ | Topic: Security Controls
- Collects, analyses, and correlates log events from multiple sources to detect threats
- Manages user passwords and credentials
- Scans for vulnerabilities on endpoints
- Acts as a firewall between networks
A SIEM system aggregates logs and events from firewalls, servers, endpoints, applications, and network devices. It normalises and correlates data, applies rules or machine-learning models, and alerts analysts to potential incidents. It’s central to monitoring and response operations in many modern organisations and shows interviewers you understand how operational security works at scale.
Correct Answer: Collects, analyses, and correlates log events from multiple sources to detect threats
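To make the "correlates events and alerts" role concrete, here is an added example (not code from the original page or any SIEM product) of the kind of rule a SIEM evaluates, applied to constructed sshd-style log lines. It raises an alert when one source exceeds a threshold of failed logins inside a sliding window (the brute-force pattern from Question 24), and a second, higher-priority alert when a login from that source then succeeds. The log format, the IP addresses, the threshold and the window are all assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (documentation-range IPs). Real sshd lines carry a
# syslog prefix and hostname; the format here is simplified for the example.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-05-01T10:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-05-01T10:00:07 sshd[101]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-05-01T10:00:09 sshd[101]: Failed password for alice from 198.51.100.9 port 40100 ssh2
2024-05-01T10:00:10 sshd[101]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-05-01T10:00:12 sshd[101]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-05-01T10:00:15 sshd[101]: Accepted password for alice from 198.51.100.9 port 40101 ssh2
2024-05-01T10:00:40 sshd[101]: Accepted password for root from 203.0.113.7 port 51005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(log: str):
    """Normalisation step: raw text lines become (timestamp, result, user, ip)."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(log: str, threshold: int = 5, window_s: int = 60):
    """Correlation step. Returns a list of alert tuples in the order raised:
    ("brute_force", ip, failure_count) once per source that reaches `threshold`
    failures within `window_s` seconds, and ("success_after_failures", ip, user)
    for every successful login from a source still over the threshold."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    for ts, result, user, ip in parse(log):
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # slide the window forward
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(q)))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", ip, user))
    return alerts
```

On the sample data the single failure from 198.51.100.9 followed by a success is normal user behaviour and stays quiet, while 203.0.113.7 trips the brute-force rule on its fifth failure and then the success rule, which is the one an analyst should look at first because it means the guessing worked. A real SIEM does the same two things at scale: normalise many log formats into common fields, then run stateful rules across them.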
38. What is the purpose of Secure Boot in a system’s firmware?
Difficulty: Hard | Type: MCQ | Topic: Security Controls
- Ensure that only trusted signed bootloaders and OS kernels are allowed to run
- Encrypt the file system at runtime
- Disable network ports until authentication
- Monitor user activity
Secure Boot is a firmware-level security mechanism used by UEFI systems. During system startup, the firmware checks the digital signature on the bootloader, and the bootloader in turn checks the OS kernel, so each stage only hands off to code signed by a key it trusts. If a signature is missing or invalid, boot is halted. This blocks bootkits and other boot-level malware from persisting beneath the operating system where antivirus cannot see them. For roles dealing with endpoints or hardware security, mentioning this shows depth and awareness of low-level controls.
Correct Answer: Ensure that only trusted signed bootloaders and OS kernels are allowed to run
39. What is the main function of a Web Application Firewall (WAF)?
Difficulty: Hard | Type: MCQ | Topic: Security Controls
- Filter, monitor, and block HTTP traffic to web applications
- Encrypt all database traffic
- Scan for network vulnerabilities
- Manage user sessions
A Web Application Firewall (WAF) is designed to protect web applications by inspecting HTTP/HTTPS traffic, enforcing rules to block attacks like SQL Injection, Cross-Site Scripting (XSS), and other OWASP Top Ten threats. It sits between the client and application server and reduces application-layer risk. Including WAF knowledge shows you understand application security controls, not just network ones.
Correct Answer: Filter, monitor, and block HTTP traffic to web applications
40. What is the primary purpose of ISO 27001?
Difficulty: Easy | Type: MCQ | Topic: Compliance
- To establish, implement and maintain an information security management system (ISMS)
- To define encryption algorithms for data
- To regulate payroll in organizations
- To monitor network traffic in real-time
ISO 27001 is an international standard that provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).
An ISMS gives an organization a systematic approach to managing sensitive company information so that it remains secure. Using ISO 27001 helps organizations build structured processes around risk, controls, monitoring and continuous improvement.
Correct Answer: To establish, implement and maintain an information security management system (ISMS)
41. Which of the following is a core principle of the GDPR?
Difficulty: Medium | Type: MCQ | Topic: Compliance
- Data minimisation
- Unlimited data retention
- No individual rights
- Only internal processing
One of the key GDPR principles is data minimisation — organisations should only collect and process personal data which is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Understanding GDPR principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality is essential for compliance roles.
Correct Answer: Data minimisation
42. Which formula is commonly used to express risk in a compliance context?
Difficulty: Medium | Type: MCQ | Topic: Risk
- Risk = Threat × Vulnerability × Impact
- Risk = Cost + Benefit
- Risk = Asset − Control
- Risk = Availability / Integrity
In risk management, one common model expresses risk as the product of threat, vulnerability and impact. This helps organisations prioritise risks and allocate resources accordingly.
By quantifying risk this way, teams can identify which combinations of threat and vulnerability result in greatest impact and then design appropriate controls or mitigation plans.
Correct Answer: Risk = Threat × Vulnerability × Impact
43. What best describes the difference between compliance and audit?
Difficulty: MediumType: MCQTopic: Audits
- Compliance is meeting standards; audit is verifying that compliance
- Compliance is only technical; audit is only administrative
- Compliance is optional; audit is always mandatory
- Compliance is external only; audit is internal only
Compliance refers to a state of adhering to laws, regulations, standards or policies. Audit is the process of conducting a systematic evaluation to determine whether the compliance state is achieved and maintained.
In interview contexts, understanding this distinction shows you recognise both ongoing control activities (compliance) and assurance activities (audit).
Correct Answer: Compliance is meeting standards; audit is verifying that compliance
44. Which process is used to assess third-party vendor risk in compliance frameworks?
Difficulty: HardType: MCQTopic: Third Party
- Third-party vendor risk assessment
- Firewall configuration review
- Password policy enforcement
- Software patch schedule
Assessing third-party vendor risk is critical because organisations often rely on external suppliers that can introduce vulnerabilities. A structured vendor risk assessment examines the vendor's security posture, compliance certifications, contract terms, history of incidents, and controls, and should be repeated at renewal or when the vendor's service or ownership changes.
Interviewers expect candidates to know that vendor risk cannot be ignored just because the vendor is external; it must be managed, monitored and included in the organisation's risk-treatment process.
Correct Answer: Third-party vendor risk assessment
45. In the context of ISO 27001, what does PDCA stand for?
Difficulty: HardType: MCQTopic: Compliance
- Plan-Do-Check-Act
- Protect-Detect-Control-Audit
- Prepare-Develop-Coordinate-Assess
- Prevent-Detect-Respond-Recover
PDCA (Plan-Do-Check-Act) is a continual improvement cycle used by ISO 27001 and other management-system standards. The organisation plans its ISMS (Plan), implements and operates it (Do), monitors and reviews it (Check), and then takes actions to improve (Act). Since the 2013 edition the standard no longer names PDCA as a required model, but its clauses on planning, operation, performance evaluation and improvement follow the same cycle.
Correct Answer: Plan-Do-Check-Act
46. Which assessment is required for high-risk data processing under GDPR?
Difficulty: HardType: MCQTopic: Compliance
- Data Protection Impact Assessment (DPIA)
- Malware risk assessment
- Business continuity review
- Firewall penetration test
Under GDPR (Article 35), organisations must perform a Data Protection Impact Assessment (DPIA) for processing operations that are likely to result in a high risk to individuals' rights and freedoms, for example large-scale processing of special-category data or systematic monitoring. This assessment identifies, evaluates and mitigates privacy risks before the processing starts.
Correct Answer: Data Protection Impact Assessment (DPIA)
47. Explain three common compliance frameworks used in cybersecurity and the differences between them.
Difficulty: MediumType: SubjectiveTopic: Compliance
Common compliance frameworks include ISO 27001 (a certifiable information security management standard), the NIST Cybersecurity Framework (CSF), which provides a risk-based approach organised around the functions Identify, Protect, Detect, Respond and Recover (CSF 2.0, released in 2024, adds Govern), and GDPR, the EU regulation on personal data protection.
ISO 27001 focuses on establishing an ISMS and controlling information security risk. NIST CSF gives a high-level structure organisations can use to manage security risk and integrate with other standards. GDPR is a regulatory law that applies to personal data protection and has legal penalties for non-compliance. Understanding how they differ helps you explain framework selection and obligations in interviews.
48. How should incident response be integrated in a Governance, Risk & Compliance (GRC) programme?
Difficulty: MediumType: SubjectiveTopic: Incident Response
An effective GRC programme needs incident response to be tightly integrated. Governance sets policy and roles; risk management identifies and prioritises threats; compliance ensures controls are in place and audited. Incident response ties these together by providing processes to detect, contain, recover from and learn from incidents. The feedback loop from incidents into risk assessments and policy updates ensures continuous improvement. Demonstrating this integration shows maturity in compliance roles.
49. Discuss the difference between an internal audit, external audit and management review in a compliance programme.
Difficulty: HardType: SubjectiveTopic: Audits
An internal audit is conducted by the organisation’s internal staff or internal audit department to evaluate compliance and effectiveness of controls. An external audit is performed by an independent certification body or regulator to verify compliance with standards or laws (e.g., ISO 27001 certification audit). A management review is a periodic senior management meeting to assess ISMS performance, allocate resources and approve improvements. Understanding these roles and how they feed into each other demonstrates interview readiness for compliance and risk roles.
50. What is a key first step when a new regulation is introduced that affects your organisation?
Difficulty: MediumType: MCQTopic: Compliance
- Assess impact on existing controls and processes
- Ignore and wait for enforcement
- Immediately hire more staff
- Discontinue all current compliance training
When a new regulation is introduced, the first critical action is to assess how it affects the organisation’s existing controls, processes, and risk posture. This means mapping the regulation to current practices, identifying gaps, and planning remediation. Doing this early helps avoid non-compliance and aligns strategy with business operations.
Correct Answer: Assess impact on existing controls and processes
51. Your vendor has had a breach that may impact your data. Which action is most appropriate?
Difficulty: HardType: MCQTopic: Third Party
- Activate incident response, assess impact, and review contract & controls with vendor
- Terminate contract immediately without review
- Publicly announce vendor fault without investigation
- Ignore unless internal data is directly stolen
In case of a vendor breach, it’s essential to treat it as a potential incident affecting your organisation: activate incident-response procedures, assess impact on your data and systems, collaborate with the vendor to review their controls and contract obligations, and determine remediation steps. Ignoring or reacting prematurely without analysis can increase risk or liability.
Correct Answer: Activate incident response, assess impact, and review contract & controls with vendor
52. Why is implementing a whistleblower mechanism important in a compliance programme?
Difficulty: MediumType: MCQTopic: Third Party
- It encourages reporting of unethical behaviour and protects the reporter
- It allows anonymous complaints only
- It replaces audits entirely
- It only applies to financial services firms
A whistleblower mechanism is a vital component of compliance programmes because it provides a safe channel for employees or stakeholders to report unethical or non-compliant behaviour without fear of retaliation. This support mechanism helps organisations detect issues early, uphold ethics, satisfy regulatory requirements and maintain trust.
Correct Answer: It encourages reporting of unethical behaviour and protects the reporter
53. After an internal audit reveals multiple control failures, what is the optimal next step?
Difficulty: HardType: MCQTopic: Audits
- Prioritise remediation based on risk and assign owners with timelines
- Ignore findings until next year
- Delete audit records
- Publish findings without action plan
When audit findings surface control failures, best practice is to prioritise remediation based on the level of risk, assign a responsible owner for each item, set clear timelines, and track progress to closure. This shows maturity in compliance and risk management: recording findings is not enough, ensuring they are fixed is what counts.
Correct Answer: Prioritise remediation based on risk and assign owners with timelines
54. Which statement accurately describes the relationship between Governance, Risk & Compliance (GRC)?
Difficulty: MediumType: MCQTopic: GRC
- Governance sets strategy; Risk identifies what could go wrong; Compliance ensures controls adhere to laws and policies
- Governance = Risk + Compliance
- Risk and Compliance are the same
- Compliance always precedes governance
In a GRC model, Governance provides the organisational strategy and structure; Risk management identifies threats and vulnerabilities to achieving objectives; Compliance ensures that laws, regulations, and internal policies are followed. Understanding these distinctions is important in interviews for compliance/risk roles.
Correct Answer: Governance sets strategy; Risk identifies what could go wrong; Compliance ensures controls adhere to laws and policies
55. Explain how you would design a compliance training programme for a global workforce.
Difficulty: MediumType: SubjectiveTopic: Awareness
Designing a global compliance training programme involves several key steps: first, understand the regulatory requirements across all jurisdictions where the organisation operates and tailor content for regional relevance. Then segment the workforce by role and risk level to deliver targeted modules (e.g., higher risk teams get more in-depth content). Use a mix of formats — eLearning, live webinars, role-play, and scenario-based learning — to engage diverse learners. Ensure content is accessible in local languages and culturally adapted. Finally, measure effectiveness via quizzes, feedback surveys, and track completion metrics; refresh periodically as regulations and risks evolve.
56. How do you balance business objectives with compliance requirements?
Difficulty: HardType: SubjectiveTopic: Compliance
Balancing business objectives and compliance requirements means finding ways to enable the business while protecting the organisation. First, ensure all stakeholders understand that compliance is not a roadblock but an enabler of sustainable growth and trust. Prioritise compliance risks that directly threaten business value and operations. Provide practical controls that are efficient rather than overly restrictive, and incorporate compliance requirements early in project planning (shift-left). Communicate clearly about the cost of non-compliance (reputation, fines, operational downtime) and align compliance goals with business strategy to win stakeholder buy-in.
57. Describe how you would manage a relationship with a regulatory body during a regulatory inspection.
Difficulty: MediumType: SubjectiveTopic: Compliance
Managing a regulator relationship during an inspection involves transparency, cooperation and structured communication. Before inspection, prepare documentation, self-assess controls, and brief key stakeholders. During inspection, assign a liaison to the regulator, provide requested information promptly, highlight remediation efforts, and maintain open dialogue. After inspection, review findings, develop an action plan, communicate with senior management, track progress, and ensure publicly required disclosures or filings are completed. Building this relationship proactively helps reduce risk and demonstrate good governance.
58. Which tool or process supports continuous monitoring in a compliance programme?
Difficulty: HardType: MCQTopic: Security Controls
- Automated control dashboards and event-based alerting
- Annual manual review only
- Monthly paper-based reports
- No monitoring required if controls are designed
Continuous monitoring in compliance means using technology to track control performance, detect anomalies or control breakdowns in real time, and generate alerts or dashboards for action. Relying solely on annual reviews is no longer sufficient given fast-moving risks and regulations. Mentioning automation, dashboards and event-based alerting shows you understand modern compliance operations.
Correct Answer: Automated control dashboards and event-based alerting
59. What does GRC stand for in cybersecurity and corporate governance context?
Difficulty: EasyType: MCQTopic: GRC
- Governance, Risk & Compliance
- General Risk Control
- Global Regulation Committee
- Governance, Rights & Controls
GRC stands for Governance, Risk & Compliance. Governance refers to the structures and oversight that guide organisational strategy and policies. Risk is about identifying, assessing and managing threats to business objectives. Compliance is the process of meeting laws, regulations, standards and internal policies. Understanding this acronym and the interplay between its three parts is foundational for any GRC or cybersecurity interview.
Correct Answer: Governance, Risk & Compliance
60. Which statement best describes the role of GRC software in an organisation?
Difficulty: MediumType: MCQTopic: GRC
- It centralises control, risk, and compliance workflows for visibility and efficiency
- It replaces all human audit activities entirely
- It functions only as a document repository
- It only tracks firewall logs
GRC software enables organisations to consolidate risk registers, compliance frameworks, control assessments, audit findings and vendor risk into one platform. It helps standardise workflows, provide dashboards for leadership, and automate repetitive tasks. While it does not replace human judgement and audit entirely, it significantly enhances efficiency. Evaluating GRC software is a common topic in GRC interviews.
Correct Answer: It centralises control, risk, and compliance workflows for visibility and efficiency
61. Which metric is most likely used to measure the effectiveness of a GRC programme?
Difficulty: MediumType: MCQTopic: GRC
- Percentage of control issues remediated on time
- Number of coffee breaks per day
- Amount of server uptime only
- Number of employee transfers
An effective GRC programme is measured by meaningful metrics. One such metric is the percentage of control issues (audit findings, control failures) that have been remediated within defined timeframes. This shows responsiveness and execution, which leadership often tracks. Understanding how to select and interpret GRC metrics is a strong interview topic.
Correct Answer: Percentage of control issues remediated on time
62. What are the main emerging challenges in GRC today and how should organisations adapt?
Difficulty: HardType: SubjectiveTopic: GRC
Modern GRC faces several emerging challenges including rapid regulatory change, digital transformation, cloud-native environments, third-party risks, AI/ML integration and increasing cyber threats. For example, organisations must adapt to new data privacy laws, embed controls into DevOps pipelines, manage vendor ecosystems globally and use analytics for risk insight. To adapt, organisations should build flexible frameworks, use automation for controls and monitoring, embed risk management early in product lifecycles and maintain continuous awareness of regulatory change. Demonstrating awareness of these trends is highly valued in interviews.
63. Why are dashboards important in a GRC programme?
Difficulty: MediumType: MCQTopic: GRC
- They provide leadership visibility into risk and compliance status
- They substitute the need for controls
- They only show IT server logs
- They eliminate the need for training
Dashboards in GRC programmes summarise key indicators (number of open audit findings, vendor risks, remediation backlog, control health, compliance status) and provide leadership with near-real-time visibility. They support decision-making and help align GRC outcomes with business objectives. Many interview guides point to dashboards as a key topic.
Correct Answer: They provide leadership visibility into risk and compliance status
64. Explain how you would automate third-party risk management in a global organisation.
Difficulty: HardType: SubjectiveTopic: Third Party
Automating third-party risk involves integrating a vendor-onboarding platform with risk-assessment tools and GRC systems. First, classify vendors by criticality and geographic risk. Then trigger automated questionnaires when vendors are onboarded or renewed. Use scoring engines to assess risk and create dashboards showing vendor risk tiers. Integrate remediation tracking, alerts for high-risk vendors and links to contract management. Use APIs to pull continuous vendor security ratings. Finally, align tasks with local legal and regulatory requirements. Demonstrating a structured automation approach shows practical advanced GRC reasoning.
65. Which activity supports staying current with regulatory change in GRC?
Difficulty: MediumType: MCQTopic: Compliance
- Subscribing to regulatory news feeds and updating control frameworks
- Never changing anything once the controls are set
- Only monitoring internal policies
- Waiting for external audit to highlight changes
Staying current with regulatory change is essential for compliance. Leading practitioners subscribe to regulatory news feeds, monitor legislative and regulator publications, update their control frameworks proactively and re-train staff. Interviews in GRC highlight this as a common question.
Correct Answer: Subscribing to regulatory news feeds and updating control frameworks
66. How might artificial intelligence (AI) impact GRC practices in the next five years?
Difficulty: HardType: SubjectiveTopic: GRC
AI has the potential to transform GRC through predictive analytics for risk, natural-language processing to review policy and control documents, continuous monitoring of control activity and anomaly detection in control execution. For example, AI models can identify patterns of vendor non-compliance automatically, flag emerging regulatory trends, or adapt controls in near real time. However, this also introduces new risks (model bias, lack of transparency, data quality, and the need to govern the AI systems themselves). Explaining this dual nature, opportunity and risk, demonstrates forward-thinking maturity. Research studies highlight this growing area in GRC.
67. What is control-framework mapping in GRC context?
Difficulty: MediumType: MCQTopic: GRC
- Aligning multiple regulatory, standard and internal control requirements into a unified control set
- Mapping hardware devices in the network
- Tracking employee shifts for audit
- Backing up logs to cloud
Control-framework mapping is a process where organisations align different frameworks (for example ISO 27001, NIST CSF, PCI DSS) into a unified control catalogue, so that one implemented control provides evidence for several requirements at once. This avoids duplication, simplifies audit preparation and helps maintain consistency. Many interview resources highlight this as an advanced yet common topic.
Correct Answer: Aligning multiple regulatory, standard and internal control requirements into a unified control set
68. Which process best supports continuous monitoring in a GRC programme?
Difficulty: HardType: MCQTopic: Security Controls
- Automated alerts tied to control thresholds and exception management
- Once-a-year audit only
- Manual checklist sent by email annually
- Ad-hoc vendor reviews only
Continuous monitoring in GRC means the control environment is observed, measured and alerted on in near real time rather than once a year. Automated alerts for control failures or threshold breaches, integration with IT systems and exception management are key. Highlighting this in interview shows you understand modern operational compliance.
Correct Answer: Automated alerts tied to control thresholds and exception management
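The three questions above (58, 61 and 68) describe the same mechanism from different angles: a register of control findings, a metric such as the percentage remediated on time, an exception process for approved deviations, and an alert when the metric crosses a threshold. The following Python is an added example of that check, not code from the original page or from any GRC product. The findings, the control labels (borrowed from the NIST SP 800-53 naming style purely as illustration), the due dates, the exception register, the reporting date and the 90 % threshold are all constructed.

```python
"""Added example: one control-monitoring check that ties together the
on-time remediation metric, time-bound exceptions and threshold alerting.

Constructed demonstration, not code from the original page. Every finding,
date and threshold below is invented.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    finding_id: str
    control: str            # control the finding is raised against
    due: date               # agreed remediation deadline
    closed: Optional[date]  # None while still open


@dataclass
class ApprovedException:
    finding_id: str
    expires: date  # exceptions are time-bound; an expired one no longer counts


def evaluate(findings, exceptions, today, threshold=0.9):
    """Classify each finding, compute the on-time remediation rate and decide
    whether the control owner should be alerted.

    on time : closed on or before its due date
    late    : closed after its due date, or still open with the due date passed
    excluded: covered by an unexpired approved exception, or not yet due
    """
    valid_exceptions = {e.finding_id for e in exceptions if e.expires >= today}
    on_time, late, excluded = [], [], []
    for f in findings:
        if f.finding_id in valid_exceptions:
            excluded.append(f.finding_id)       # approved deviation, not a failure
        elif f.closed is not None:
            (on_time if f.closed <= f.due else late).append(f.finding_id)
        elif f.due >= today:
            excluded.append(f.finding_id)       # still inside its window
        else:
            late.append(f.finding_id)           # open and overdue
    measured = len(on_time) + len(late)
    rate = len(on_time) / measured if measured else 1.0
    # Which controls are generating the overdue work: this is what a dashboard
    # would surface so remediation effort goes to the right owner.
    late_by_control = {}
    for f in findings:
        if f.finding_id in late:
            late_by_control[f.control] = late_by_control.get(f.control, 0) + 1
    return {
        "rate": rate,
        "on_time": on_time,
        "late": late,
        "excluded": excluded,
        "late_by_control": late_by_control,
        "alert": rate < threshold,
    }


# Constructed register as it stands on TODAY.
TODAY = date(2024, 6, 30)
FINDINGS = [
    Finding("F-1", "AC-2 account management", date(2024, 5, 31), date(2024, 5, 20)),
    Finding("F-2", "AC-2 account management", date(2024, 5, 31), date(2024, 6, 10)),
    Finding("F-3", "CM-6 configuration settings", date(2024, 6, 15), None),
    Finding("F-4", "IR-4 incident handling", date(2024, 7, 31), None),
    Finding("F-5", "AC-2 account management", date(2024, 6, 1), None),
    Finding("F-6", "AU-2 event logging", date(2024, 6, 20), date(2024, 6, 20)),
]
EXCEPTIONS = [
    ApprovedException("F-3", date(2024, 9, 30)),  # valid: risk accepted until end of Q3
    ApprovedException("F-2", date(2024, 5, 1)),   # expired: F-2 is measured normally
]

if __name__ == "__main__":
    result = evaluate(FINDINGS, EXCEPTIONS, TODAY)
    print(f"on-time remediation rate {result['rate']:.0%}, alert={result['alert']}")
    print("late:", result["late"], "by control:", result["late_by_control"])
```

With this data two of the four measurable findings closed on time, so the rate is 50 % and the 90 % threshold fires an alert; the expired exception for F-2 no longer shields it, which is the point of making exceptions time-bound. In practice the same function would run on a schedule against the GRC system's data rather than on inline constants.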
69. What is the primary difference between ethical hacking and malicious hacking?
Difficulty: EasyType: MCQTopic: Pentesting
- Ethical hacking is done with explicit permission; malicious hacking is not
- Ethical hacking always uses viruses; malicious hacking never uses viruses
- Ethical hacking never writes reports; malicious hacking always does
- There is no difference
Ethical hacking is the practice of legally probing systems, networks or applications, with authorization from the owner, to discover vulnerabilities and strengthen the system. Malicious hacking, by contrast, is unauthorized, aims to exploit vulnerabilities for personal or malicious gain, and does not seek to help the system owner. Understanding this distinction is foundational in ethical-hacking interviews.
Correct Answer: Ethical hacking is done with explicit permission; malicious hacking is not
70. Which of these is the correct sequence of the five standard phases in ethical hacking?
Difficulty: MediumType: MCQTopic: Pentesting
- Reconnaissance → Scanning → Gaining Access → Maintaining Access → Covering Tracks
- Covering Tracks → Scanning → Reconnaissance → Gaining Access → Maintaining Access
- Scanning → Reconnaissance → Gaining Access → Covering Tracks → Maintaining Access
- Gaining Access → Reconnaissance → Maintaining Access → Scanning → Covering Tracks
Ethical hacking (and penetration testing) is commonly described in five phases: Reconnaissance (information gathering), Scanning (port, service and vulnerability detection), Gaining Access (exploiting vulnerabilities), Maintaining Access (establishing persistence), and Covering Tracks (removing evidence). In an authorised test the last two phases are scoped and agreed in advance, and the tester documents rather than hides what was done. Interviewers often ask you to walk through these phases, because it shows you understand the attack lifecycle from the attacker's view and thus how to defend against it.
Correct Answer: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Covering Tracks
71. Which one of these is a type of hacker classification based on intent?
Difficulty: EasyType: MCQTopic: Pentesting
- White-Hat Hacker
- Red-Team Architect
- Green-Box Hacker
- Data-Miner Analyst
Hackers are often classed by their intent and legality: White-Hat hackers are ethical hackers conducting authorized tests; Black-Hat hackers act illegally with malicious intent; Grey-Hat hackers operate in between (for example probing systems without permission but reporting what they find rather than exploiting it). Being able to name and differentiate these shows you understand hacker taxonomy and the motivation behind your role as an ethical hacker.
Correct Answer: White-Hat Hacker
72. What is ‘footprinting’ in the context of ethical hacking?
Difficulty: MediumType: MCQTopic: Pentesting
- Collecting information about a target system to identify weaknesses
- Installing backdoors in a target system
- Erasing logs after intrusion
- Covering network cables
Footprinting is the first technical stage of ethical hacking, in which the tester gathers as much information as possible about the target before interacting with it directly: DNS records and subdomains, WHOIS data and IP address ranges, employee names and e-mail address formats, the technology stack, and whatever public sources or social engineering reveal. Port scanning and user enumeration belong to the scanning phase that follows. This step is critical because a thorough information-gathering phase sets up later scanning and exploitation. Interviewers ask this to see if you understand the early phases of penetration testing.
Correct Answer: Collecting information about a target system to identify weaknesses
73. Which of these tools is commonly used for network scanning in ethical hacking?
Difficulty: MediumType: MCQTopic: Pentesting
Nmap (Network Mapper) is widely used by ethical hackers for port scanning, host discovery, service enumeration and OS detection. Many interview resources list Nmap among the top tools to know. Familiarity with such tools demonstrates hands-on awareness, which interviewers value.
Correct Answer: Nmap
74. Which of the following best describes SQL injection?
Difficulty: HardType: MCQTopic: Attacks
- An attacker injects malicious SQL code into an input field causing unauthorized data access
- An attacker uses SQL to speed up queries
- A firewall blocking SQL commands
- Encrypting database fields
SQL injection is a common web application vulnerability that arises when untrusted input is concatenated into a SQL statement, so that characters such as a single quote change the structure of the query. A classic payload such as ' OR '1'='1 in a login form turns the WHERE clause into a condition that is always true, bypassing authentication or extracting data. The reliable fix is parameterised (prepared) queries, which send the data separately from the query text; input validation and least-privilege database accounts are defence in depth, not a substitute. Interviewers ask this frequently in ethical hacking roles because it shows you know vulnerabilities, not just theory.
Correct Answer: An attacker injects malicious SQL code into an input field causing unauthorized data access
75. In a man-in-the-middle (MITM) attack, what does the attacker do?
Difficulty: HardType: MCQTopic: Attacks
- Intercepts and possibly alters communications between two parties
- Deletes files on both ends
- Only watches you but does nothing else
- Breaks the firewall physically
A MITM attack occurs when an attacker secretly places themselves in the communication path between two parties, which can allow eavesdropping, data theft or modification of messages. It is a critical scenario in penetration testing interviews. Understanding it helps you propose defences such as TLS with strict certificate validation (and pinning where appropriate), mutual authentication, or VPN tunnels on untrusted networks.
Correct Answer: Intercepts and possibly alters communications between two parties
76. Explain what privilege escalation is in the context of ethical hacking and why it is dangerous.
Difficulty: HardType: SubjectiveTopic: Attacks
Privilege escalation is the process where an attacker (or tester) starts with limited user access and then finds a way to elevate that access to higher privileges, such as administrator or root. It is dangerous because once administrative rights are obtained, the attacker can disable security controls, create new accounts, extract sensitive data or maintain persistence indefinitely. In a pentest interview, being able to explain both vertical (user to admin) and horizontal (user to another user's account) escalation and give example methods (an unpatched kernel vulnerability, weak SUID binaries, writable service configurations, credentials left in scripts) shows depth.
77. What is a buffer overflow attack? How would you test for it during a penetration test?
Difficulty: HardType: SubjectiveTopic: Attacks
A buffer overflow occurs when more data is written into a fixed-size buffer than it can hold, overwriting adjacent memory, which may include saved return addresses or function pointers, and letting an attacker redirect execution. During a penetration test you would identify inputs handled by native code (for example a file parser or a network service), fuzz them with progressively longer or patterned payloads, watch for crashes in a debugger such as gdb or WinDbg, locate the offset that controls the instruction pointer, and then attempt to control execution flow, for instance with return-oriented programming where the stack is non-executable. Check which mitigations are in place (stack canaries, ASLR, NX/DEP), because they determine whether a crash is actually exploitable. Demonstrating this in interview shows you understand low-level exploitation and its relevance in the real world.
78. Why is a penetration test report important and what key components should it include?
Difficulty: MediumType: SubjectiveTopic: Pentesting
After a penetration test or ethical hack, the report is crucial: it documents vulnerabilities found, exploit evidence, business impact, risk ratings, remediation steps and executive summary for non-technical stakeholders. It shows the business value of what was done and helps the client fix issues. Interviewers ask this to check if you understand the full lifecycle of ethical hacking—not only the attack but its business context.
79. In cloud security, what does the Shared Responsibility Model refer to?
Difficulty: EasyType: MCQTopic: Cloud Security
- The cloud provider secures some layers; the customer secures the rest
- The cloud provider is fully responsible for all security
- The customer handles all security while provider just provides hardware
- There is no shared responsibility—it’s always one party
In cloud environments, security isn’t entirely the provider’s job nor entirely the customer’s. The Shared Responsibility Model clarifies which security aspects the cloud provider handles (for example infrastructure, physical data centre) and which the customer handles (for example data, access management, application configuration). Understanding this model helps you know where to focus when securing cloud systems.
Correct Answer: The cloud provider secures some layers; the customer secures the rest
80. Why is Identity and Access Management (IAM) critical in cloud security?
Difficulty: MediumType: MCQTopic: Cloud Security
- Because cloud services depend heavily on role configuration, permissions and identity to prevent unauthorized access
- Because only network firewalls matter in the cloud
- Because physical locks secure cloud data centres fully
- Because encryption alone is sufficient without IAM
In cloud environments, resources are reached through APIs and identities rather than physical or network boundaries. IAM allows you to define who can do what, on which resource, and under what conditions. Misconfigured IAM, such as wildcard actions or resources, long-lived access keys, or roles any account can assume, leads to over-privileged users or service accounts and becomes a major attack path. Knowing how to design least-privilege IAM and configure roles, policies and service principals is a strong interview topic.
Correct Answer: Because cloud services depend heavily on role configuration, permissions and identity to prevent unauthorized access
81. Which of the following best describes encryption at rest versus encryption in transit in the cloud?
Difficulty: MediumType: MCQTopic: Cryptography
- Encryption at rest protects stored data; encryption in transit protects data moving over network
- Encryption at rest protects network traffic; encryption in transit protects storage devices
- They are exactly the same thing
- Neither is needed if the cloud provider is used
Protecting data in a cloud environment means handling two distinct states: data stored (at rest) and data moving (in transit). Encryption at rest ensures that if storage media is compromised the data remains unreadable. Encryption in transit ensures that as data moves between services or to/from cloud, it cannot be intercepted and read. Interviewers will expect you to recognise both and know how to implement each in cloud settings.
Correct Answer: Encryption at rest protects stored data; encryption in transit protects data moving over network
82. What is a common cloud security risk stemming from misconfiguration?
Difficulty: MediumType: MCQTopic: Cloud Security
- Publicly exposed storage buckets with sensitive data
- Too much encryption
- No identity management
- No backups at all
One of the most frequent root causes of cloud breaches is misconfiguration, such as storage buckets (Amazon S3 buckets, Azure Blob containers) being left publicly readable or writable. Even if the cloud provider's infrastructure is secure, misconfigured permissions or defaults can expose data. Recognising and remediating these misconfigurations, and enabling provider-level guardrails that block public access regardless of individual policies, is a key part of cloud security practice.
Correct Answer: Publicly exposed storage buckets with sensitive data
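Questions 80 and 82 point at the same two classes of misconfiguration in policy documents: identity policies that allow everything, and resource (bucket) policies that grant access to everyone. The Python below is an added example of a static check for both, not code from the original page or from any cloud provider's tooling. The policy documents are constructed for the demonstration (the account number is a placeholder, and the bucket and role names are invented); the check covers the JSON shapes IAM and S3 policies use for Action, Resource and Principal, which can be either a string or a list.

```python
"""Added example: static audit of IAM and S3 bucket policy documents for
wildcard grants and public principals.

Constructed demonstration; the four policies below are invented.
"""
import json


def _as_list(value):
    # Policy JSON allows a single string or a list for Action, Resource, Principal.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone, including
    # unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy: dict) -> list:
    """Return human-readable findings for one policy document (empty if clean)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))

        # Least-privilege violations typical of identity policies.
        if "*" in actions:
            findings.append(f"{sid}: allows every action (Action: *)")
        else:
            for action in actions:
                if action.endswith(":*"):
                    findings.append(f"{sid}: allows all actions for service {action.split(':')[0]}")
        if "*" in resources and actions:
            findings.append(f"{sid}: applies to every resource (Resource: *)")

        # Public exposure typical of resource policies on buckets.
        if _principal_is_public(st.get("Principal")) and not st.get("Condition"):
            findings.append(f"{sid}: grants {', '.join(actions)} to any principal with no Condition")
    return findings


def audit_policy_text(text: str) -> list:
    """Same check for a policy supplied as a JSON string."""
    return audit_policy(json.loads(text))


# Constructed policies. 123456789012 is a placeholder account id.
OVERPRIVILEGED_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LEAST_PRIVILEGE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReports", "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}
PUBLIC_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
    }],
}
PRIVATE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
    }],
}

if __name__ == "__main__":
    for name, pol in [("over-privileged role", OVERPRIVILEGED_ROLE), ("least-privilege role", LEAST_PRIVILEGE_ROLE),
                      ("public bucket", PUBLIC_BUCKET), ("private bucket", PRIVATE_BUCKET)]:
        print(name, "->", audit_policy(pol) or ["clean"])
```

The over-privileged role produces two findings (wildcard action and wildcard resource), the public bucket policy one (any principal, no condition), and the two tightened versions none. A check like this belongs in the pipeline that deploys infrastructure as code; it complements, rather than replaces, the provider's account-level block-public-access settings mentioned above.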
83. Why is logging and monitoring especially important in cloud security?
Difficulty: MediumType: MCQTopic: Cloud Security
- Because cloud resources scale dynamically and can be changed quickly, visibility is crucial
- Because static on-prem servers don’t need monitoring
- Because logging is only for compliance and not security
- Because cloud providers disable logs by default
In a cloud environment, resources like VMs, containers and services can be created, modified and destroyed rapidly. Without proper logging and monitoring you may miss changes, anomalous behaviour or unauthorized access. Monitoring also supports incident detection, investigation and compliance. Interviewers expect candidates to discuss which logs matter, how to implement alerts and how to retain data securely.
Correct Answer: Because cloud resources scale dynamically and can be changed quickly, visibility is crucial
84. What is a vendor lock-in risk in the cloud context?
Difficulty: Hard | Type: MCQ | Topic: Third Party
- Being unable to migrate services or data freely because of proprietary services, making exit costly or impossible
- Getting locked out of your account by your vendor
- Being forced to pay higher network fees for on-prem hardware
- All cloud services are vendor locked automatically
Vendor lock-in means that once you adopt a vendor's specific cloud services (for example a proprietary database or serverless offering), you may become dependent on them and find it difficult or expensive to switch providers. From a security and resilience standpoint, lock-in can reduce flexibility, increase risk and delay response to threats. Mentioning this shows you understand strategic risks beyond technical controls.
Correct Answer: Being unable to migrate services or data freely because of proprietary services, making exit costly or impossible
85. What are some challenges of performing digital forensics in cloud environments, and how can they be addressed?
Difficulty: Hard | Type: Subjective | Topic: Cloud Security
Cloud forensics introduces challenges not found in traditional on-prem data centres: shared infrastructure means access to physical hardware may be limited; data may be replicated across multiple regions; timestamps and log aggregation may vary between services; and isolating a single customer's data can be difficult. Researchers highlight that these issues make attribution, evidence collection and chain of custody harder. To address them, organisations should build cloud-specific incident response plans that include provider cooperation, use of cloud-native audit logs, maintenance of snapshots, and service provider contracts that allow forensic access.
86. Explain how you would apply a cloud security framework or standard (such as CSA CCM or ISO 27017) in an organisation.
Difficulty: Medium | Type: Subjective | Topic: Cloud Security
Applying a cloud security framework begins with understanding the organisation's risk profile and choosing a framework that fits. For example, the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) covers cloud-specific controls, while ISO 27017 provides guidance for cloud services in the ISO 27001 context. You would map current controls to the framework, identify gaps, implement missing controls, define metrics, perform audits, and maintain continuous improvement. Being able to explain mapping, gap analysis, control implementation and monitoring shows depth in interviews.
87. In a cloud environment, what does the Zero Trust security model emphasise?
Difficulty: Hard | Type: MCQ | Topic: Cloud Security
- Never trust, always verify — assume breach and ensure identity, device and context verification before granting access
- Trust all internal resources since cloud is protected
- Disable MFA for performance
- Allow access once network perimeter is bypassed
Zero Trust is especially relevant in cloud contexts because traditional network perimeters become blurred. The model emphasises assuming that breach is always possible, and verifies identity, device posture, context and continuous authentication for every access. Mentioning Zero Trust architectures in cloud security interviews shows you’re familiar with modern security paradigms.
Correct Answer: Never trust, always verify — assume breach and ensure identity, device and context verification before granting access
88. Which of the following tools is commonly used to discover misconfigurations in a multi-cloud environment?
Difficulty: Hard | Type: MCQ | Topic: Cloud Security
- CSPM (Cloud Security Posture Management) tool
- Spreadsheet software only
- Manual code review only
- Only antivirus
CSPM tools scan cloud environments (across AWS, Azure, GCP) for misconfigurations, policy violations, exposed resources, unused permissions and risky service deployments. They help organisations manage cloud-native risk at scale. Being aware of CSPM is important for a cloud security professional.
Correct Answer: CSPM (Cloud Security Posture Management) tool
89. What is a key first step in assessing cloud security risk for a new workload?
Difficulty: Medium | Type: MCQ | Topic: Cloud Security
- Classify the data and map data flows in and out of the cloud service
- Purchase full disk encryption immediately
- Disable all user access and then open gradually
- Assume the cloud provider handles all security entirely
Before implementing controls, you must understand what you are protecting. That means classifying the data (sensitivity, regulatory status) and mapping how it moves into, around, and out of the cloud workload. Without this you cannot determine where the risks are, which controls apply, or how the NIST Cybersecurity Framework core functions (Identify, Protect, Detect, Respond, Recover) apply.
Correct Answer: Classify the data and map data flows in and out of the cloud service
90. In a serverless cloud architecture, what’s a key additional security concern compared to traditional server-based models?
Difficulty: Hard | Type: MCQ | Topic: Cloud Security
- Function-level permissions and runtime invocation context must be strictly managed
- You can ignore the IAM model completely
- There is no need for monitoring as vendor handles it
- You only worry about physical servers now
Serverless functions run in highly ephemeral environments and typically execute with the privileges assigned to the function's role. Because they are event-triggered, run on managed infrastructure and can scale rapidly, controlling invocation context and permissions becomes critical. Misconfiguration can lead to unauthorized execution or data access. Advanced cloud-security interview guides emphasise function permissions, invocation sources, context awareness and least privilege in serverless.
Correct Answer: Function-level permissions and runtime invocation context must be strictly managed
91. What risks are introduced when using Infrastructure as Code (IaC) in cloud deployments, and how can you mitigate them?
Difficulty: Medium | Type: Subjective | Topic: Cloud Security
Using Infrastructure as Code (IaC) brings speed and repeatability, but also introduces risks: insufficiently reviewed permissions in templates, hard-coded credentials, insecure defaults, drift between declared state and actual state, and uncontrolled changes. Mitigation strategies include embedding security checks in CI/CD pipelines (linting, static analysis, policy-as-code), enforcing least privilege for IaC service accounts, conducting template reviews, using version control, and running periodic drift scans. Discussions on Reddit and practitioner blogs show these topics are increasingly expected in cloud-security interviews.
92. What is a “cost-based” attack unique to cloud environments?
Difficulty: Hard | Type: MCQ | Topic: Data Loss
- An attacker drives up resource consumption (e.g., compute/storage) – creating a huge bill for the owner
- A brute-force attack on credentials only
- A server room break-in only
- A phishing email to an on-premises employee only
In cloud environments the pay-as-you-go model can be abused: an attacker may spin up expensive resources, trigger large data transfers, or abuse auto-scaling to incur a high cost. This is a form of Denial-of-Wallet rather than Denial-of-Service. Interview guides list it as a threat vector unique to the cloud.
Correct Answer: An attacker drives up resource consumption (e.g., compute/storage) – creating a huge bill for the owner
93. How do you approach governance across a multi-cloud environment?
Difficulty: Medium | Type: Subjective | Topic: Cloud Security
Governance in a multi-cloud context requires unified policy definition, centralised visibility, consistent identity and access control, cross-cloud logging, control standardisation, cost monitoring and vendor-risk management. A practical approach: define a common security and compliance baseline, apply policy-as-code across cloud providers, centralise logs and alerts (SIEM or cloud-native), ensure identity federation, manage least privilege and rotate credentials, evaluate vendor-specific risks and avoid lock-in. Demonstrating such a strategy shows you understand enterprise-scale cloud security practices.
94. Which statement best captures the Zero Trust model for cloud environments?
Difficulty: Medium | Type: MCQ | Topic: Cloud Security
- Never trust any request by default; always verify identity, device posture and context before granting access
- Trust anything inside the vendor network automatically
- Only monitor traffic on the VPN
- Trust all internal services once authenticated once
The Zero Trust security model is highly relevant in cloud computing because network perimeters are blurred. Effective cloud security strategies assume breach and verify every access: user identity, device integrity, context and least privilege. Interview resources point to Zero Trust as a key phrase in cloud-security discussions.
Correct Answer: Never trust any request by default; always verify identity, device posture and context before granting access
95. Describe how you would prepare an incident response plan specifically for a cloud-native environment.
Difficulty: Medium | Type: Subjective | Topic: Cloud Security
A cloud-native incident response plan should include identification of cloud services, trusted identities, audit/log sources, automated alerting, data isolation steps, legal/regulatory reporting, and collaboration with the provider (SaaS/PaaS/IaaS). You would define runbooks for snapshotting virtual services and storage, extracting logs, preserving chain of custody in shared infrastructure, and communicating with vendor support. You would also practise and update the plan, integrate it with SIEM/EDR tools, and ensure credential revocation and lateral-movement prevention. Being able to articulate such a tailored plan shows operational readiness in interviews.
96. Which statement reflects an emerging threat trend in cloud security?
Difficulty: Hard | Type: MCQ | Topic: Cloud Security
- Misconfigured serverless functions leading to data exposure
- Only on-premises infrastructure gets attacked now
- Encryption is no longer needed
- Cloud providers guarantee absolute security
One of the latest trends in cloud security is attackers exploiting misconfigurations in serverless architectures (functions, containers, APIs) that were deployed rapidly without strong controls. Interview guides highlight misconfiguration, identity abuse, and 'Denial-of-Wallet' threats as emerging vectors.
Correct Answer: Misconfigured serverless functions leading to data exposure