Cybersecurity Basics Interview Questions & Answers | Preplance

1. What does the CIA triad in cybersecurity stand for?

Difficulty: EasyType: MCQTopic: Security Design

Confidentiality, Integrity, Availability
Control, Integrity, Authentication
Confidentiality, Identity, Access
Control, Information, Assurance

The CIA triad is the foundation of all cybersecurity principles. It represents Confidentiality, Integrity, and Availability — three key pillars every system must maintain. Confidentiality means keeping information private and accessible only to authorized users. Integrity ensures data remains accurate and unaltered, protecting it from unauthorized changes. Availability means that systems and information are accessible whenever needed by legitimate users. In short, cybersecurity strategies aim to balance these three elements. For example, too much focus on confidentiality could reduce availability, so a good system finds the right balance between the three.

Correct Answer: Confidentiality, Integrity, Availability

2. Which statement correctly describes a vulnerability?

Difficulty: EasyType: MCQ

3. Which type of malware replicates itself without user interaction?

Difficulty: MediumType: MCQTopic: Malware

Worm
Trojan
Spyware
Rootkit

A worm is a self-replicating malware that spreads without any user action. Once inside a system, it copies itself across networks and devices, consuming bandwidth and causing disruption. Unlike a Trojan, which disguises itself as legitimate software, a worm doesn’t need to trick users to install it. It exploits vulnerabilities in operating systems or applications to move from one computer to another. Famous examples include the 'ILOVEYOU' and 'WannaCry' worms, which spread rapidly and caused massive global damage.

Correct Answer: Worm

4. What is the primary purpose of a firewall?

Difficulty: EasyType: MCQTopic: Security Controls

To filter network traffic between trusted and untrusted zones
To encrypt files on the disk
To detect malware inside applications
To manage user accounts

A firewall acts as a security guard that monitors and controls incoming and outgoing network traffic. It sits between a trusted internal network and an untrusted external network such as the internet. Firewalls use predefined security rules to allow or block data packets based on source, destination, and protocol. This helps prevent unauthorized access, data theft, or malware infiltration. Modern firewalls also perform deep packet inspection and application-level filtering, giving organizations better visibility and control over network behavior.

Correct Answer: To filter network traffic between trusted and untrusted zones

5. Which factor is an example of 'something you have' in multi-factor authentication?

Difficulty: MediumType: MCQTopic: IAM

A security token
A password
A fingerprint
A PIN

Multi-factor authentication (MFA) enhances security by combining two or more independent credentials from different categories — something you know, something you have, and something you are. ‘Something you know’ is a password or PIN. ‘Something you have’ is a physical or digital item like a smart card, phone, or security token. ‘Something you are’ refers to biometrics such as fingerprints or facial recognition. MFA significantly reduces the risk of unauthorized access, even if one factor, like a password, is compromised.

Correct Answer: A security token

6. What is the main purpose of encryption?

Difficulty: MediumType: MCQTopic: Cryptography

To convert data into unreadable form to protect confidentiality
To compress files for storage
To check for malware in data
To ensure system availability

Encryption protects sensitive information by converting it into a coded format that cannot be understood without the correct key. For example, when you send data over the internet, encryption ensures that even if someone intercepts it, they cannot read or modify it. Only the recipient with the decryption key can access the original information. Modern encryption standards such as AES and RSA are essential for secure online transactions, cloud storage, and communication systems.

Correct Answer: To convert data into unreadable form to protect confidentiality

7. Which access control model grants permissions based on user roles?

Difficulty: MediumType: MCQTopic: IAM

Role-Based Access Control
Mandatory Access Control
Discretionary Access Control
Rule-Based Access Control

Role-Based Access Control, or RBAC, assigns permissions to users based on their organizational role rather than individual identity. For example, all employees in the ‘HR’ department may have permission to view employee records, while only managers can modify them. This simplifies permission management and reduces errors. RBAC is one of the most widely used access control methods in enterprise environments due to its scalability and clarity.

Correct Answer: Role-Based Access Control

8. What is the main goal of a social engineering attack?

Difficulty: MediumType: MCQTopic: Social Engg

To trick people into revealing confidential information
To exploit software vulnerabilities
To overload a network
To encrypt files for ransom

Social engineering targets the human element of security rather than technical flaws. Attackers use manipulation, persuasion, or deception to make users reveal confidential information or perform risky actions. Common examples include phishing emails, fake support calls, or malicious links sent through social media. These attacks exploit trust, curiosity, or urgency. Training employees to recognize and report suspicious behavior is one of the most effective defenses against social engineering.

Correct Answer: To trick people into revealing confidential information

9. What is a phishing attack?

Difficulty: EasyType: MCQTopic: Social Engg

A fraudulent attempt to obtain sensitive data by pretending to be a trusted entity
A brute-force attack on passwords
A software exploit in operating systems
A denial of service attack

Phishing is a type of social engineering attack where an attacker pretends to be a legitimate organization or person to steal personal information. Most phishing attempts occur through email or fake websites that mimic real ones. Victims are tricked into entering passwords, credit card numbers, or OTPs. Being cautious of unexpected messages, verifying sender addresses, and never clicking suspicious links are key steps to avoid phishing.

Correct Answer: A fraudulent attempt to obtain sensitive data by pretending to be a trusted entity

10. What is considered a cybersecurity incident?

Difficulty: MediumType: MCQTopic: Incident Response

Any event that compromises confidentiality, integrity, or availability of data
Regular system maintenance
Scheduled software update
Network traffic monitoring

A cybersecurity incident is any event that violates or threatens an organization’s information security. This includes malware infections, data breaches, unauthorized access, or denial of service attacks. Even suspected or attempted attacks are treated as incidents. The goal of incident management is to detect, analyze, and respond quickly to minimize damage and prevent recurrence.

Correct Answer: Any event that compromises confidentiality, integrity, or availability of data

11. Explain the typical stages of a cyber attack lifecycle.

Difficulty: MediumType: SubjectiveTopic: Threats

A cyber attack usually follows several key stages. First comes reconnaissance, where attackers gather information about the target — like open ports, users, or software versions. Next is scanning, where they probe for weaknesses. Once a vulnerability is found, they exploit it to gain access. After entering, attackers install backdoors or tools to maintain control and move laterally within the system. Finally, they achieve their objective — stealing data, disrupting services, or causing damage — and often erase traces to avoid detection. Understanding this cycle helps organizations build defense mechanisms at every stage.

12. How is risk calculated in cybersecurity, and why is it important?

Difficulty: MediumType: SubjectiveTopic: Risk

In cybersecurity, risk is commonly described as the product of three elements — Threat, Vulnerability, and Impact. A threat is the potential for harm, a vulnerability is the weakness that can be exploited, and impact is the consequence of that exploitation. Risk = Threat × Vulnerability × Impact. By assessing risks, organizations can prioritize which vulnerabilities need immediate attention and allocate resources effectively. It ensures focus on what truly matters rather than spreading efforts thin across all areas.

13. What does 'Defense in Depth' mean in cybersecurity?

Difficulty: MediumType: SubjectiveTopic: Security Design

Defense in Depth is a layered approach to cybersecurity. Instead of relying on a single line of defense, it stacks multiple protective measures at different levels. For example, an organization might use a firewall, intrusion detection system, antivirus software, strong authentication, and user awareness training. Each layer covers potential gaps left by others. This strategy ensures that even if one control fails, additional layers can still prevent or slow down an attacker.

14. What is the Zero Trust model, and how does it differ from traditional network security?

Difficulty: HardType: SubjectiveTopic: Zero Trust

Zero Trust is a modern security model that assumes no user, device, or system should be trusted by default — even if it is inside the organization’s network. Traditional security models often trusted everything within the internal network once someone passed the firewall. Zero Trust removes this assumption. Every request must be authenticated, authorized, and continuously validated. It relies on the principles of least privilege, micro-segmentation, and continuous monitoring, minimizing the damage that could occur if a breach happens.

15. Why is ethical hacking important for cybersecurity?

Difficulty: MediumType: SubjectiveTopic: Pentesting

Ethical hacking allows trained professionals, called white-hat hackers, to test and strengthen systems legally and safely. By simulating real attacks, they help identify vulnerabilities before malicious hackers can exploit them. Ethical hackers use tools and techniques similar to cybercriminals but always with permission and a goal to improve security. This proactive approach helps organizations fix weaknesses early, reduce risk, and comply with security standards like ISO 27001 and PCI DSS.

16. What best defines a cyber threat?

Difficulty: EasyType: MCQTopic: Threats

A potential event or action that can cause harm to systems or data
A physical damage to hardware
An outdated software system
A system upgrade process

A cyber threat is any potential danger that could exploit a vulnerability and cause harm to a system, network, or data. It doesn’t have to be an active attack; even the potential for malicious activity qualifies as a threat. For example, an unpatched application represents a threat because an attacker could exploit it. Cyber threats can originate from hackers, malware, insider misuse, or even human error. The goal of cybersecurity is to identify, assess, and mitigate these threats before they turn into real incidents.

Correct Answer: A potential event or action that can cause harm to systems or data

17. Phishing primarily targets which aspect of security?

Difficulty: EasyType: MCQTopic: Social Engg

Human trust and awareness
Network configurations
Database structures
Server firewalls

Phishing attacks exploit the human factor — the easiest and weakest link in security. Attackers send deceptive emails or messages pretending to be legitimate entities, such as banks or employers, to trick people into sharing confidential data like passwords or credit card details. The best defense against phishing is user education. Employees must be trained to recognize suspicious emails, verify sender authenticity, and avoid clicking unknown links. Technical defenses like email filters can help, but awareness is the strongest line of defense.

Correct Answer: Human trust and awareness

18. What is the main goal of a ransomware attack?

Difficulty: MediumType: MCQTopic: Malware

Encrypt victim’s data and demand payment for decryption
Steal passwords for unauthorized access
Monitor user activities secretly
Send spam emails across the network

Ransomware is a form of malicious software that locks or encrypts a victim’s files, demanding a ransom to restore access. Victims often receive a message demanding payment, usually in cryptocurrency, to get a decryption key. These attacks can cripple businesses, hospitals, and even government systems. The best defense is regular data backups, updated security patches, and user education to avoid opening suspicious attachments or links. Paying the ransom is never guaranteed to restore access and may encourage further attacks.

Correct Answer: Encrypt victim’s data and demand payment for decryption

19. What happens during a Distributed Denial of Service (DDoS) attack?

Difficulty: MediumType: MCQTopic: Attacks

A flood of traffic overwhelms a target system, making it unavailable
Attackers steal confidential data
Malware encrypts system files
Unauthorized users gain root access

A Distributed Denial of Service (DDoS) attack occurs when multiple compromised systems flood a target server or network with massive amounts of traffic, overwhelming its capacity and making it unavailable to legitimate users. These attacks often use botnets — large networks of infected devices — to send huge volumes of fake requests. Mitigation techniques include traffic filtering, rate limiting, and using DDoS protection services that detect and block malicious traffic before it reaches the target.

Correct Answer: A flood of traffic overwhelms a target system, making it unavailable

20. What does an attacker exploit in an SQL Injection attack?

Difficulty: MediumType: MCQTopic: Attacks

Poorly validated database queries
Weak encryption algorithms
Network firewalls
File permission errors

SQL Injection happens when an application fails to properly validate user inputs before including them in database queries. Attackers can inject malicious SQL statements to access, modify, or delete data from the database. For example, entering `' OR '1'='1` into a login field could trick the system into granting access without valid credentials. Preventing SQL Injection involves using parameterized queries, stored procedures, and input validation to sanitize all user inputs.

Correct Answer: Poorly validated database queries

21. In a Man-in-the-Middle (MITM) attack, what does the attacker do?

Difficulty: MediumType: MCQTopic: Attacks

Intercepts and possibly alters communication between two parties
Directly hacks into a database
Overloads the network with traffic
Deletes system logs to hide traces

A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts communication between two systems, such as a user and a website. The attacker can eavesdrop, steal sensitive data, or modify messages without the users realizing it. Using secure protocols like HTTPS, implementing end-to-end encryption, and avoiding public Wi-Fi networks without VPN protection are key defenses against MITM attacks.

Correct Answer: Intercepts and possibly alters communication between two parties

22. Who is involved in an insider threat?

Difficulty: MediumType: MCQTopic: Threats

A current or former employee who misuses authorized access
An external hacker with stolen credentials
A software developer from a vendor company
A third-party auditor

Insider threats come from individuals within an organization who intentionally or accidentally misuse their legitimate access to systems and data. They are particularly dangerous because insiders often already have trusted credentials and understand the organization’s security mechanisms. Preventing insider threats involves strict access controls, continuous monitoring, behavioral analytics, and a culture of security awareness.

Correct Answer: A current or former employee who misuses authorized access

23. What makes a zero-day exploit particularly dangerous?

Difficulty: HardType: MCQTopic: Threats

It targets vulnerabilities unknown to the software vendor
It uses social engineering only
It requires physical access to the system
It is easily detected by antivirus software

A zero-day exploit takes advantage of a software vulnerability that is unknown to the vendor or unpatched. Since there is no official fix yet, these attacks are extremely difficult to prevent. Zero-day vulnerabilities can be sold on the dark web and are often used by advanced threat actors. Regular patch management, network segmentation, and intrusion detection can help reduce exposure and damage from such attacks.

Correct Answer: It targets vulnerabilities unknown to the software vendor

24. What does a brute force attack involve?

Difficulty: MediumType: MCQTopic: Attacks

Trying all possible password combinations until the correct one is found
Sending phishing emails repeatedly
Injecting malicious scripts into web pages
Spoofing IP addresses

A brute force attack systematically tries every possible combination of passwords until it finds the correct one. It’s a simple but effective method if passwords are weak or short. Modern attackers use automated tools that can test millions of combinations per second. To defend against brute force attacks, enforce strong password policies, use account lockouts, and implement multi-factor authentication.

Correct Answer: Trying all possible password combinations until the correct one is found

25. What distinguishes an Advanced Persistent Threat (APT) from other attacks?

Difficulty: HardType: MCQTopic: Threats

It is long-term, stealthy, and targets specific organizations
It causes immediate visible damage
It relies solely on social engineering
It is always performed by individuals, not groups

Advanced Persistent Threats (APTs) are sophisticated, prolonged attacks often carried out by organized groups or nation-states. They aim to infiltrate a network, remain undetected, and steal sensitive information over an extended period. Unlike common attacks that are quick and noisy, APTs focus on stealth and persistence. Defense requires layered security, continuous monitoring, and threat intelligence to detect unusual behavior early.

Correct Answer: It is long-term, stealthy, and targets specific organizations

26. What is a supply chain attack, and why is it difficult to detect?

Difficulty: HardType: SubjectiveTopic: Threats

A supply chain attack targets the trusted third-party vendors or software providers that an organization relies on. Instead of directly attacking the main target, attackers compromise the supplier’s system to inject malicious code or components into legitimate software updates. This makes detection extremely difficult because the compromised software appears to come from a trusted source. High-profile examples include the SolarWinds and Kaseya breaches. The best defense is to vet suppliers carefully, use code-signing verification, and maintain strict security standards across all vendors.

27. Explain the main types of social engineering attacks.

Difficulty: MediumType: SubjectiveTopic: Social Engg

Social engineering comes in several forms. The most common is phishing — fake emails or messages pretending to be from trusted sources. Spear phishing is a more targeted form aimed at specific individuals or companies. Vishing uses voice calls to trick victims, while smishing uses SMS messages. Another variant is baiting, where attackers leave infected USB drives or links that tempt users to engage. All these methods exploit human emotions like curiosity, fear, or urgency, rather than technical weaknesses.

28. Describe the lifecycle of a malware attack.

Difficulty: MediumType: SubjectiveTopic: Malware

A malware attack generally follows several stages. First, the attacker delivers the malicious file through email attachments, downloads, or infected websites. Next, the malware executes and installs itself on the target system. Once active, it may connect to a command-and-control server, steal data, or spread to other systems. Finally, it hides its presence by modifying system files or disabling antivirus defenses. Understanding this lifecycle helps security teams respond at each stage — from detection to containment and removal.

29. What is the key difference between symmetric and asymmetric encryption?

Difficulty: MediumType: MCQTopic: Cryptography

Symmetric uses one key; asymmetric uses a key-pair (public/private)
Symmetric uses a key-pair; asymmetric uses one shared key
Symmetric encrypts only files; asymmetric encrypts only network traffic
There is no difference

Symmetric encryption uses a single secret key for both encryption and decryption. That means both sender and receiver must have the same key and keep it safe. Asymmetric encryption uses two distinct but mathematically related keys: a public key (shared openly) and a private key (kept secret). The public key encrypts data, and only the corresponding private key can decrypt it. This approach solves the key-distribution problem inherent in symmetric schemes. Understanding this difference helps you choose the right encryption method based on performance, key management, and use case.

Correct Answer: Symmetric uses one key; asymmetric uses a key-pair (public/private)

30. Which statement best describes hashing compared to encryption?

Difficulty: MediumType: MCQTopic: Cryptography

Hashing is one-way and irreversible; encryption is reversible with a key
Hashing requires two keys; encryption uses one key
Hashing encrypts data for transmission; encryption stores data securely
There is no difference

Hashing transforms data into a fixed-length value (hash) and is designed to be one-way: you cannot feasibly get the original data back from the hash. It’s ideal for verifying integrity or storing passwords (with salt). Encryption transforms data so it can be reversed (decrypted) using a key. It ensures confidentiality of data in transit or at rest. Knowing when to use hashing vs encryption is vital: use hashing for integrity or password storage, and encryption when you need to recover original data.

Correct Answer: Hashing is one-way and irreversible; encryption is reversible with a key

31. Which type of firewall filters traffic at the application layer?

Difficulty: EasyType: MCQTopic: Security Controls

Next-generation firewall (NGFW)
Packet-filtering firewall
Stateful inspection firewall
Proxy firewall

A next-generation firewall (NGFW) adds application-layer inspection (layer 7) in addition to traditional packet-filtering (layer 3) and stateful inspection (layer 4). It can identify applications (e.g., Facebook, Dropbox), enforce policies per application, detect intrusions, and block advanced threats. Understanding different firewall types helps you design security architecture appropriate to an organisation’s threat profile.

Correct Answer: Next-generation firewall (NGFW)

32. Why is multi-factor authentication (MFA) considered a strong security mechanism?

Difficulty: EasyType: MCQTopic: IAM

Because it uses at least two independent authentication factors
Because it eliminates the need for passwords
Because it only uses biometric verification
Because it stores passwords in plain text

Multi-factor authentication (MFA) strengthens access controls by requiring two or more independent factors: something you know (password or PIN), something you have (token, phone), and something you are (biometric). This reduces the risk of account compromise—even if one factor is stolen or guessed, the attacker still lacks the other factor(s). In many entry-level security roles this is one of the first controls expected to be implemented.

Correct Answer: Because it uses at least two independent authentication factors

33. Which access control model enforces restrictions based on data classification labels and user clearances?

Difficulty: MediumType: MCQTopic: IAM

Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control (RBAC)

Mandatory Access Control (MAC) uses system-enforced labels: every resource has sensitivity labels (e.g., Top-Secret) and every user has a clearance level. The system enforces access decisions—not the user. In contrast, DAC lets users decide access, and RBAC uses roles rather than labels. Recognising these models shows interviewers you understand how organisations implement access restriction in secure environments.

Correct Answer: Mandatory Access Control (MAC)

34. What is the Principle of Least Privilege (PoLP)?

Difficulty: MediumType: MCQTopic: IAM

Granting users the minimum access they need to perform their job
Giving administrators full access always
Using two-factor authentication for all users
Allowing users to share accounts

The Principle of Least Privilege (PoLP) restricts user and system privileges to only what is necessary for their role. By limiting unnecessary permissions, organisations reduce the attack surface and the risk of misuse of credentials—particularly from insider threats or compromised accounts. This principle is foundational in secure system design.

Correct Answer: Granting users the minimum access they need to perform their job

35. Explain what is meant by Defense in Depth and why organisations use it.

Difficulty: MediumType: SubjectiveTopic: Security Design

Defense in Depth refers to implementing multiple layers of security controls so that if one control fails, others still protect the system. Imagine a castle: moat, walls, guards, lookouts — if one fails, the next layer still defends. Organisations use this because no single control is perfect. For example, combining firewalls, intrusion detection systems, encryption, access controls, and security-aware users means many small failures won’t result in a breach. It emphasises resilience, redundancy, and the idea that security is not just one thing, but a set of overlapping protections.

36. Differentiate between encryption at rest and encryption in transit and state why both are needed.

Difficulty: MediumType: SubjectiveTopic: Cryptography

Encryption in transit protects data while it moves between systems (for example using TLS or VPNs). Encryption at rest protects data stored on disks or in databases from being read if the storage media is stolen or compromised. Both are needed because protecting only one phase leaves the other vulnerable: if you encrypt in transit but store plaintext data, a thief could access it easily. Conversely, encrypting at rest but moving data unprotected exposes it to interception. A full security posture covers both.

37. Which statement best describes the role of a Security Information and Event Management (SIEM) system?

Difficulty: HardType: MCQTopic: Security Controls

Collects, analyses, and correlates log events from multiple sources to detect threats
Manages user passwords and credentials
Scans for vulnerabilities on endpoints
Acts as a firewall between networks

A SIEM system aggregates logs and events from firewalls, servers, endpoints, applications, and network devices. It normalises and correlates data, applies rules or machine-learning models, and alerts analysts to potential incidents. It’s central to monitoring and response operations in many modern organisations and shows interviewers you understand how operational security works at scale.

Correct Answer: Collects, analyses, and correlates log events from multiple sources to detect threats

38. What is the purpose of Secure Boot in a system’s firmware?

Difficulty: HardType: MCQTopic: Security Controls

Ensure that only trusted signed bootloaders and OS kernels are allowed to run
Encrypt the file system at runtime
Disable network ports until authentication
Monitor user activity

Secure Boot is a firmware-level security mechanism used by UEFI systems. During system startup, it checks digital signatures on bootloaders and OS kernels. If they aren’t signed by trusted keys, boot is halted. This stops rootkits and boot-level malware from persistent infiltration. For roles dealing with endpoints or hardware security, mentioning this shows depth and awareness of low-level controls.

Correct Answer: Ensure that only trusted signed bootloaders and OS kernels are allowed to run

39. What is the main function of a Web Application Firewall (WAF)?

Difficulty: HardType: MCQTopic: Security Controls

Filter, monitor, and block HTTP traffic to web applications
Encrypt all database traffic
Scan for network vulnerabilities
Manage user sessions

A Web Application Firewall (WAF) is designed to protect web applications by inspecting HTTP/HTTPS traffic, enforcing rules to block attacks like SQL Injection, Cross-Site Scripting (XSS), and other OWASP Top Ten threats. It sits between the client and application server and reduces application-layer risk. Including WAF knowledge shows you understand application security controls, not just network ones.

Correct Answer: Filter, monitor, and block HTTP traffic to web applications

40. What is the primary purpose of ISO 27001?

Difficulty: EasyType: MCQTopic: Compliance

To establish, implement and maintain an information security management system (ISMS)
To define encryption algorithms for data
To regulate payroll in organizations
To monitor network traffic in real-time

ISO 27001 is an international standard that provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). :contentReference[oaicite:0]{index=0} An ISMS gives an organization a systematic approach to managing sensitive company information so that it remains secure. Using ISO 27001 helps organizations build structured processes around risk, controls, monitoring and continuous improvement.

Correct Answer: To establish, implement and maintain an information security management system (ISMS)

41. Which of the following is a core principle of the GDPR?

Difficulty: MediumType: MCQTopic: Compliance

Data minimisation
Unlimited data retention
No individual rights
Only internal processing

One of the key GDPR principles is data minimisation — organisations should only collect and process personal data which is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. :contentReference[oaicite:1]{index=1} Understanding GDPR principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality is essential for compliance roles.

Correct Answer: Data minimisation

42. Which formula is commonly used to express risk in a compliance context?

Difficulty: MediumType: MCQTopic: Risk

Risk = Threat × Vulnerability × Impact
Risk = Cost + Benefit
Risk = Asset − Control
Risk = Availability / Integrity

In risk management, one common model expresses risk as the product of threat, vulnerability and impact. This helps organisations prioritise risks and allocate resources accordingly. By quantifying risk this way, teams can identify which combinations of threat and vulnerability result in greatest impact and then design appropriate controls or mitigation plans.

Correct Answer: Risk = Threat × Vulnerability × Impact

43. What best describes the difference between compliance and audit?

Difficulty: MediumType: MCQTopic: Audits

Compliance is meeting standards; audit is verifying that compliance
Compliance is only technical; audit is only administrative
Compliance is optional; audit is always mandatory
Compliance is external only; audit is internal only

Compliance refers to a state of adhering to laws, regulations, standards or policies. Audit is the process of conducting a systematic evaluation to determine whether the compliance state is achieved and maintained. In interview contexts, understanding this distinction shows you recognise both ongoing control activities (compliance) and assurance activities (audit). :contentReference[oaicite:2]{index=2}

Correct Answer: Compliance is meeting standards; audit is verifying that compliance

44. Which process is used to assess third-party vendor risk in compliance frameworks?

Difficulty: HardType: MCQTopic: Third Party

Third-party vendor risk assessment
Firewall configuration review
Password policy enforcement
Software patch schedule

Assessing third-party vendor risk is critical because organisations often rely on external suppliers that can introduce vulnerabilities. A structured vendor risk assessment examines vendor’s security posture, compliance certifications, contract terms, history of incidents, and controls. Interviewers expect candidates to know that vendor risk cannot be ignored just because the vendor is external; it must be managed, monitored and included in the organisation’s risk-treatment process. :contentReference[oaicite:3]{index=3}

Correct Answer: Third-party vendor risk assessment

45. In the context of ISO 27001, what does PDCA stand for?

Difficulty: HardType: MCQTopic: Compliance

Plan-Do-Check-Act
Protect-Detect-Control-Audit
Prepare-Develop-Coordinate-Assess
Prevent-Detect-Respond-Recover

PDCA (Plan-Do-Check-Act) is a continual improvement cycle used by ISO 27001 and other management standards. The organisation plans its ISMS, implements and operates it (Do), monitors and reviews it (Check), and then takes actions to improve (Act). :contentReference[oaicite:4]{index=4}

Correct Answer: Plan-Do-Check-Act

46. Which assessment is required for high-risk data processing under GDPR?

Difficulty: HardType: MCQTopic: Compliance

Data Protection Impact Assessment (DPIA)
Malware risk assessment
Business continuity review
Firewall penetration test

Under GDPR, organisations must perform a Data Protection Impact Assessment (DPIA) for processing operations that are likely to result in a high risk to individuals’ rights and freedoms. This assessment identifies, evaluates and mitigates privacy risks. :contentReference[oaicite:5]{index=5}

Correct Answer: Data Protection Impact Assessment (DPIA)

47. Explain three common compliance frameworks used in cybersecurity and the differences between them.

Difficulty: MediumType: SubjectiveTopic: Compliance

Common compliance frameworks include ISO 27001 (an information security management standard), NIST Cybersecurity Framework (CSF) which provides a risk-based approach with functions Identify, Protect, Detect, Respond and Recover, and GDPR for data protection law in Europe. :contentReference[oaicite:6]{index=6} ISO 27001 focuses on establishing an ISMS and controlling information security risk. NIST CSF gives a high-level structure organisations can use to manage security risk and integrate with other standards. GDPR is a regulatory law that applies to personal data protection and has legal penalties for non-compliance. Understanding how they differ helps you explain framework selection and obligations in interviews.

48. How should incident response be integrated in a Governance, Risk & Compliance (GRC) programme?

Difficulty: MediumType: SubjectiveTopic: Incident Response

An effective GRC programme needs incident response to be tightly integrated. Governance sets policy and roles; risk management identifies and prioritises threats; compliance ensures controls are in place and audited. Incident response ties these together by providing processes to detect, contain, recover from and learn from incidents. The feedback loop from incidents into risk assessments and policy updates ensures continuous improvement. Demonstrating this integration shows maturity in compliance roles.

49. Discuss the difference between an internal audit, external audit and management review in a compliance programme.

Difficulty: HardType: SubjectiveTopic: Audits

An internal audit is conducted by the organisation’s internal staff or internal audit department to evaluate compliance and effectiveness of controls. An external audit is performed by an independent certification body or regulator to verify compliance with standards or laws (e.g., ISO 27001 certification audit). A management review is a periodic senior management meeting to assess ISMS performance, allocate resources and approve improvements. Understanding these roles and how they feed into each other demonstrates interview readiness for compliance and risk roles.

50. What is a key first step when a new regulation is introduced that affects your organisation?

Difficulty: MediumType: MCQTopic: Compliance

Assess impact on existing controls and processes
Ignore and wait for enforcement
Immediately hire more staff
Discontinue all current compliance training

When a new regulation is introduced, the first critical action is to assess how it affects the organisation’s existing controls, processes, and risk posture. This means mapping the regulation to current practices, identifying gaps, and planning remediation. Doing this early helps avoid non-compliance and aligns strategy with business operations.

Correct Answer: Assess impact on existing controls and processes

51. Your vendor has had a breach that may impact your data. Which action is most appropriate?

Difficulty: HardType: MCQTopic: Third Party

Activate incident response, assess impact, and review contract & controls with vendor
Terminate contract immediately without review
Publicly announce vendor fault without investigation
Ignore unless internal data is directly stolen

In case of a vendor breach, it’s essential to treat it as a potential incident affecting your organisation: activate incident-response procedures, assess impact on your data and systems, collaborate with the vendor to review their controls and contract obligations, and determine remediation steps. Ignoring or reacting prematurely without analysis can increase risk or liability.

Correct Answer: Activate incident response, assess impact, and review contract & controls with vendor

52. Why is implementing a whistleblower mechanism important in a compliance programme?

Difficulty: MediumType: MCQTopic: Third Party

It encourages reporting of unethical behaviour and protects the reporter
It allows anonymous complaints only
It replaces audits entirely
It only applies to financial services firms

A whistleblower mechanism is a vital component of compliance programmes because it provides a safe channel for employees or stakeholders to report unethical or non-compliant behaviour without fear of retaliation. This support mechanism helps organisations detect issues early, uphold ethics, satisfy regulatory requirements and maintain trust.

Correct Answer: It encourages reporting of unethical behaviour and protects the reporter

53. After an internal audit reveals multiple control failures, what is the optimal next step?

Difficulty: HardType: MCQTopic: Audits

Prioritise remediation based on risk and assign owners with timelines
Ignore findings until next year
Delete audit records
Publish findings without action plan

When audit findings surface control failures, best practice is to prioritise remediation based on the level of risk, assign responsible owners for each item, set clear timelines, and track progress. This shows maturity in compliance and risk management — handling findings isn't enough, ensuring they’re fixed is key.

Correct Answer: Prioritise remediation based on risk and assign owners with timelines

54. Which statement accurately describes the relationship between Governance, Risk & Compliance (GRC)?

Difficulty: MediumType: MCQTopic: GRC

Governance sets strategy; Risk identifies what could go wrong; Compliance ensures controls adhere to laws and policies
Governance = Risk + Compliance
Risk and Compliance are the same
Compliance always precedes governance

In a GRC model, Governance provides the organisational strategy and structure; Risk management identifies threats and vulnerabilities to achieving objectives; Compliance ensures that laws, regulations, and internal policies are followed. Understanding these distinctions is important in interviews for compliance/risk roles.

Correct Answer: Governance sets strategy; Risk identifies what could go wrong; Compliance ensures controls adhere to laws and policies

55. Explain how you would design a compliance training programme for a global workforce.

Difficulty: MediumType: SubjectiveTopic: Awareness

Designing a global compliance training programme involves several key steps: first, understand the regulatory requirements across all jurisdictions where the organisation operates and tailor content for regional relevance. Then segment the workforce by role and risk level to deliver targeted modules (e.g., higher risk teams get more in-depth content). Use a mix of formats — eLearning, live webinars, role-play, and scenario-based learning — to engage diverse learners. Ensure content is accessible in local languages and culturally adapted. Finally, measure effectiveness via quizzes, feedback surveys, and track completion metrics; refresh periodically as regulations and risks evolve.

56. How do you balance business objectives with compliance requirements?

Difficulty: HardType: SubjectiveTopic: Compliance

Balancing business objectives and compliance requirements means finding ways to enable the business while protecting the organisation. First, ensure all stakeholders understand that compliance is not a roadblock but an enabler of sustainable growth and trust. Prioritise compliance risks that directly threaten business value and operations. Provide practical controls that are efficient rather than overly restrictive, and incorporate compliance requirements early in project planning (shift-left). Communicate clearly about the cost of non-compliance (reputation, fines, operational downtime) and align compliance goals with business strategy to win stakeholder buy-in.

57. Describe how you would manage a relationship with a regulatory body during a regulatory inspection.

Difficulty: MediumType: SubjectiveTopic: Compliance

Managing a regulator relationship during an inspection involves transparency, cooperation and structured communication. Before inspection, prepare documentation, self-assess controls, and brief key stakeholders. During inspection, assign a liaison to the regulator, provide requested information promptly, highlight remediation efforts, and maintain open dialogue. After inspection, review findings, develop an action plan, communicate with senior management, track progress, and ensure publicly required disclosures or filings are completed. Building this relationship proactively helps reduce risk and demonstrate good governance.

58. Which tool or process supports continuous monitoring in a compliance programme?

Difficulty: HardType: MCQTopic: Security Controls

Automated control dashboards and event-based alerting
Annual manual review only
Monthly paper-based reports
No monitoring required if controls are designed

Continuous monitoring in compliance means using technology to track control performance, detect anomalies or control breakdowns in real time, and generate alerts or dashboards for action. Relying solely on annual reviews is no longer sufficient given fast-moving risks and regulations. Mentioning automation, dashboards and event-based alerting shows you understand modern compliance operations.

Correct Answer: Automated control dashboards and event-based alerting

59. What does GRC stand for in cybersecurity and corporate governance context?

Difficulty: EasyType: MCQTopic: GRC

Governance, Risk & Compliance
General Risk Control
Global Regulation Committee
Governance, Rights & Controls

GRC stands for Governance, Risk & Compliance. Governance refers to the structures and oversight that guide organisational strategy and policies. Risk is about identifying, assessing and managing threats to business objectives. Compliance is the process of meeting laws, regulations, standards and internal policies. Understanding this acronym and the interplay between its three parts is foundational for any GRC or cybersecurity interview. :contentReference[oaicite:0]{index=0}

Correct Answer: Governance, Risk & Compliance

60. Which statement best describes the role of GRC software in an organisation?

Difficulty: MediumType: MCQTopic: GRC

It centralises control, risk, and compliance workflows for visibility and efficiency
It replaces all human audit activities entirely
It functions only as a document repository
It only tracks firewall logs

GRC software enables organisations to consolidate risk registers, compliance frameworks, control assessments, audit findings and vendor risk into one platform. It helps standardise workflows, provide dashboards for leadership, and automate repetitive tasks. While it does not replace human judgement and audit entirely, it significantly enhances efficiency. According to expert guides, evaluating GRC software is a key topic in GRC interviews. :contentReference[oaicite:1]{index=1}

Correct Answer: It centralises control, risk, and compliance workflows for visibility and efficiency

61. Which metric is most likely used to measure the effectiveness of a GRC programme?

Difficulty: MediumType: MCQTopic: GRC

Percentage of control issues remediated on time
Number of coffee breaks per day
Amount of server uptime only
Number of employee transfers

An effective GRC programme is measured by meaningful metrics. One such metric is the percent of control issues (audit findings, control failures) that have been remediated within defined timeframes. This shows responsiveness and execution, which leadership often tracks. Understanding how to select and interpret GRC metrics is a strong interview topic. :contentReference[oaicite:2]{index=2}

Correct Answer: Percentage of control issues remediated on time

62. What are the main emerging challenges in GRC today and how should organisations adapt?

Difficulty: HardType: SubjectiveTopic: GRC

Modern GRC faces several emerging challenges including rapid regulatory change, digital transformation, cloud-native environments, third-party risks, AI/ML integration and increasing cyber threats. For example, organisations must adapt to new data privacy laws, need to embed controls into DevOps, manage vendor ecosystems globally and use analytics for risk insight. To adapt, organisations should build flexible frameworks, use automation for controls and monitoring, embed risk management early in product lifecycles and maintain continuous awareness of regulatory change. Demonstrating awareness of these trends is highly valued in interviews. :contentReference[oaicite:3]{index=3}

63. Why are dashboards important in a GRC programme?

Difficulty: MediumType: MCQTopic: GRC

They provide leadership visibility into risk and compliance status
They substitute the need for controls
They only show IT server logs
They eliminate the need for training

Dashboards in GRC programmes summarise key indicators – number of open audit findings, vendor risks, remediation backlog, control health, compliance status – and provide leadership with real-time visibility. They support decision-making and help align GRC outcomes with business objectives. Many interview guides point to dashboards as a key topic. :contentReference[oaicite:4]{index=4}

Correct Answer: They provide leadership visibility into risk and compliance status

64. Explain how you would automate third-party risk management in a global organisation.

Difficulty: HardType: SubjectiveTopic: Third Party

Automating third-party risk involves integrating a vendor/onboarding platform with risk-assessment tools and GRC systems. First, classify vendors by criticality and geographic risk. Then trigger automated questionnaires when vendors are onboarded or renewed. Use scoring engines to assess risk and create dashboards showing vendor risk tiers. Integrate remediation tracking, alerts for high-risk vendors and link to contract management. Use APIs to pull continuous vendor security ratings. Finally align tasks with local legal/regulatory requirements. Demonstrating a structured automation approach shows practical advanced GRC reasoning. :contentReference[oaicite:5]{index=5}

65. Which activity supports staying current with regulatory change in GRC?

Difficulty: MediumType: MCQTopic: Compliance

Subscribing to regulatory news feeds and updating control frameworks
Never changing anything once the controls are set
Only monitoring internal policies
Waiting for external audit to highlight changes

Staying current with regulatory change is essential for compliance. Leading practitioners subscribe to regulatory news feeds, monitor law-maker updates, update their control frameworks proactively and re-train staff. Interviews in GRC highlight this as a common question. :contentReference[oaicite:6]{index=6}

Correct Answer: Subscribing to regulatory news feeds and updating control frameworks

66. How might artificial intelligence (AI) impact GRC practices in the next five years?

Difficulty: HardType: SubjectiveTopic: GRC

AI has the potential to transform GRC through predictive analytics for risk, natural-language processing to review policy and control documents, continuous monitoring of control activity and anomaly detection in control execution. For example, AI models can identify patterns of vendor non-compliance automatically, flag emerging regulatory trends, or adapt controls in near-real-time. However, this also introduces new risks (model bias, transparency, data quality). Explaining this dual nature—opportunity and risk—demonstrates forward-thinking maturity. Research studies highlight this growing area in GRC. :contentReference[oaicite:7]{index=7}

67. What is control-framework mapping in GRC context?

Difficulty: MediumType: MCQTopic: GRC

Aligning multiple regulatory, standard and internal control requirements into a unified control set
Mapping hardware devices in the network
Tracking employee shifts for audit
Backing up logs to cloud

Control-framework mapping is a process where organisations align different frameworks (for example ISO 27001, NIST CSF, PCI-DSS) into a unified control catalogue. This avoids duplication, simplifies audit preparation and helps maintain consistency. Many interview resources highlight this as an advanced yet common topic. :contentReference[oaicite:8]{index=8}

Correct Answer: Aligning multiple regulatory, standard and internal control requirements into a unified control set

68. Which process best supports continuous monitoring in a GRC programme?

Difficulty: HardType: MCQTopic: Security Controls

Automated alerts tied to control thresholds and exception management
Once-a-year audit only
Manual checklist sent by email annually
Ad-hoc vendor reviews only

Continuous monitoring in GRC means the control environment is observed, measured and alerted in near real time rather than once a year. Automated alerts for control failures or threshold breaches, integration with IT systems and exception management are key. Highlighting this in interview shows you understand modern operational compliance. :contentReference[oaicite:9]{index=9}

Correct Answer: Automated alerts tied to control thresholds and exception management

69. What is the primary difference between ethical hacking and malicious hacking?

Difficulty: EasyType: MCQTopic: Pentesting

Ethical hacking is done with explicit permission; malicious hacking is not
Ethical hacking always uses viruses; malicious hacking never uses viruses
Ethical hacking never writes reports; malicious hacking always does
There is no difference

Ethical hacking is the practice of legally probing systems, networks or applications **with authorization** from the owner to discover vulnerabilities and strengthen the system. :contentReference[oaicite:0]{index=0} Malicious hacking, by contrast, is unauthorized, aims to exploit vulnerabilities for personal or malicious gain, and does not seek to help the system owner. Understanding this distinction is foundational in ethical-hacking interviews.

Correct Answer: Ethical hacking is done with explicit permission; malicious hacking is not

70. Which of these is the correct sequence of the five standard phases in ethical hacking?

Difficulty: MediumType: MCQTopic: Pentesting

Reconnaissance → Scanning → Gaining Access → Maintaining Access → Covering Tracks
Covering Tracks → Scanning → Reconnaissance → Gaining Access → Maintaining Access
Scanning → Reconnaissance → Gaining Access → Covering Tracks → Maintaining Access
Gaining Access → Reconnaissance → Maintaining Access → Scanning → Covering Tracks

According to multiple sources, ethical hacking (and penetration testing) is often described in five key steps: Reconnaissance (information gathering), Scanning (port & vulnerability detection), Gaining Access (exploiting vulnerabilities), Maintaining Access (establishing persistence), and Covering Tracks (removing evidence). :contentReference[oaicite:1]{index=1} Interviewers often ask you to walk through these phases, because it shows you understand the attack lifecycle from the hacker’s view and thus how to defend against it.

Correct Answer: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Covering Tracks

71. Which one of these is a type of hacker classification based on intent?

Difficulty: EasyType: MCQTopic: Pentesting

White-Hat Hacker
Red-Team Architect
Green-Box Hacker
Data-Miner Analyst

Hackers are often classed by their intent and legality: White-Hat hackers are ethical hackers conducting authorized tests; Black-Hat hackers act illegally with malicious intent; Grey-Hat hackers operate in between (sometimes legal, sometimes not). :contentReference[oaicite:2]{index=2} Being able to name and differentiate these shows you understand hacker taxonomy and motivate your role as ethical hacker.

Correct Answer: White-Hat Hacker

72. What is ‘footprinting’ in the context of ethical hacking?

Difficulty: MediumType: MCQTopic: Pentesting

Collecting information about a target system to identify weaknesses
Installing backdoors in a target system
Erasing logs after intrusion
Covering network cables

Footprinting is the first technical stage of ethical hacking where the tester gathers as much information as possible about the target: DNS records, network blocks, open ports, user enumeration, social engineering. :contentReference[oaicite:3]{index=3} This step is critical because a thorough information-gathering phase sets up later scanning and exploitation. Interviewers ask this to see if you understand the early phases of penetration testing.

Correct Answer: Collecting information about a target system to identify weaknesses

73. Which of these tools is commonly used for network scanning in ethical hacking?

Difficulty: MediumType: MCQTopic: Pentesting

Nmap
Photoshop
Slack
Excel

Nmap (Network Mapper) is widely used by ethical hackers for port scanning, host discovery, service enumeration and OS detection. Many interview resources list Nmap among top tools to know. :contentReference[oaicite:4]{index=4} Familiarity with such tools demonstrates hands-on awareness, which interviewers value.

Correct Answer: Nmap

74. Which of the following best describes SQL injection?

Difficulty: HardType: MCQTopic: Attacks

An attacker injects malicious SQL code into an input field causing unauthorized data access
An attacker uses SQL to speed up queries
A firewall blocking SQL commands
Encrypting database fields

SQL Injection is a common web application vulnerability where user inputs are improperly sanitized and malicious SQL is embedded (for example ' OR 1=1) to bypass authentication or extract data. :contentReference[oaicite:5]{index=5} Interviewers ask this frequently in ethical hacking roles because it shows you know vulnerabilities, not just theory.

Correct Answer: An attacker injects malicious SQL code into an input field causing unauthorized data access

75. In a man-in-the-middle (MITM) attack, what does the attacker do?

Difficulty: HardType: MCQTopic: Attacks

Intercepts and possibly alters communications between two parties
Deletes files on both ends
Only watches you but does nothing else
Breaks the firewall physically

A MITM attack occurs when an attacker secretly places themselves in the communication path between two parties—this can allow eavesdropping, data theft or modification of messages. It is a critical vulnerability scenario in penetration testing interviews. :contentReference[oaicite:6]{index=6} Understanding this helps you propose encryption, certificate validation or VPN solutions for defence.

Correct Answer: Intercepts and possibly alters communications between two parties

76. Explain what privilege escalation is in the context of ethical hacking and why it is dangerous.

Difficulty: HardType: SubjectiveTopic: Attacks

Privilege escalation is the process where an attacker (or tester) starts with limited user access and then finds a way to elevate that access to higher privileges — such as administrator or root. It is dangerous because once administrative rights are obtained, the attacker can disable security controls, create new accounts, extract sensitive data or maintain persistence indefinitely. In a pentest interview, being able to explain both vertical (user→admin) and horizontal (user→another user account) escalation and give example methods (e.g., unpatched kernel exploit, weak SUID binaries, service mis-configuration) shows depth.

77. What is a buffer overflow attack? How would you test for it during a penetration test?

Difficulty: HardType: SubjectiveTopic: Attacks

A buffer overflow attack happens when more data than a buffer can hold is written into it, which then allows the attacker to overwrite adjacent memory—including code pointers—and execute arbitrary code. During a penetration test you would identify vulnerable input fields (for example file upload or network service), send increasingly larger payloads, monitor memory/call stacks, use tools like gdb or WinDbg, and attempt to control the execution flow (e.g., return-oriented programming). Demonstrating this in interview shows you understand low-level exploitation and its relevance in real world.

78. Why is a penetration test report important and what key components should it include?

Difficulty: MediumType: SubjectiveTopic: Pentesting

After a penetration test or ethical hack, the report is crucial: it documents vulnerabilities found, exploit evidence, business impact, risk ratings, remediation steps and executive summary for non-technical stakeholders. It shows the business value of what was done and helps the client fix issues. Interviewers ask this to check if you understand the full lifecycle of ethical hacking—not only the attack but its business context.

79. In cloud security, what does the Shared Responsibility Model refer to?

Difficulty: EasyType: MCQTopic: Cloud Security

The cloud provider secures some layers; the customer secures the rest
The cloud provider is fully responsible for all security
The customer handles all security while provider just provides hardware
There is no shared responsibility—it’s always one party

In cloud environments, security isn’t entirely the provider’s job nor entirely the customer’s. The Shared Responsibility Model clarifies which security aspects the cloud provider handles (for example infrastructure, physical data centre) and which the customer handles (for example data, access management, application configuration). Understanding this model helps you know where to focus when securing cloud systems.

Correct Answer: The cloud provider secures some layers; the customer secures the rest

80. Why is Identity and Access Management (IAM) critical in cloud security?

Difficulty: MediumType: MCQTopic: Cloud Security

Because cloud services depend heavily on role configuration, permissions and identity to prevent unauthorized access
Because only network firewalls matter in the cloud
Because physical locks secure cloud data centres fully
Because encryption alone is sufficient without IAM

In cloud environments, resources are often accessible via APIs and through identities rather than physical boundaries. IAM allows you to define who can do what, in which context, and under what conditions. Mis-configured IAM can lead to over-privileged users or service accounts, which become a major attack path. Knowing how to design least-privilege IAM, configure roles, policies and service-principals is a strong interview topic.

Correct Answer: Because cloud services depend heavily on role configuration, permissions and identity to prevent unauthorized access

81. Which of the following best describes encryption at rest versus encryption in transit in the cloud?

Difficulty: MediumType: MCQTopic: Cryptography

Encryption at rest protects stored data; encryption in transit protects data moving over network
Encryption at rest protects network traffic; encryption in transit protects storage devices
They are exactly the same thing
Neither is needed if the cloud provider is used

Protecting data in a cloud environment means handling two distinct states: data stored (at rest) and data moving (in transit). Encryption at rest ensures that if storage media is compromised the data remains unreadable. Encryption in transit ensures that as data moves between services or to/from cloud, it cannot be intercepted and read. Interviewers will expect you to recognise both and know how to implement each in cloud settings.

Correct Answer: Encryption at rest protects stored data; encryption in transit protects data moving over network

82. What is a common cloud security risk stemming from misconfiguration?

Difficulty: MediumType: MCQTopic: Cloud Security

Publicly exposed storage buckets with sensitive data
Too much encryption
No identity management
No backups at all

One of the most frequent root causes of cloud breaches is misconfiguration—such as storage buckets (S3, Blob) being left publicly readable or writable. Even if the cloud provider infrastructure is secure, mis-configured permissions or defaults can expose data. Recognising and remediating these misconfigurations is a key part of cloud security practice.

Correct Answer: Publicly exposed storage buckets with sensitive data

83. Why is logging and monitoring especially important in cloud security?

Difficulty: MediumType: MCQTopic: Cloud Security

Because cloud resources scale dynamically and can be changed quickly, visibility is crucial
Because static on-prem servers don’t need monitoring
Because logging is only for compliance and not security
Because cloud providers disable logs by default

In a cloud environment, resources like VMs, containers and services can be created, modified and destroyed rapidly. Without proper logging and monitoring you may miss changes, anomalous behaviour or unauthorized access. Monitoring also supports incident detection, investigation and compliance. Interviewers expect candidates to discuss which logs matter, how to implement alerts and how to retain data securely.

Correct Answer: Because cloud resources scale dynamically and can be changed quickly, visibility is crucial

84. What is a vendor lock-in risk in the cloud context?

Difficulty: HardType: MCQTopic: Third Party

Being unable to migrate services or data freely because of proprietary services, making exit costly or impossible
Getting locked out of your account by your vendor
Being forced to pay higher network fees for on-prem hardware
All cloud services are vendor locked automatically

Vendor lock-in means that once you adopt a vendor’s specific cloud services (for example a proprietary database or serverless offering), you may become dependent on them and find it difficult or expensive to switch providers. From a security and resilience standpoint, lock-in can reduce flexibility, increase risk and delay response to threats. Mentioning this shows you understand strategic risks beyond technical controls. :contentReference[oaicite:0]{index=0}

Correct Answer: Being unable to migrate services or data freely because of proprietary services, making exit costly or impossible

85. What are some challenges of performing digital forensics in cloud environments, and how can they be addressed?

Difficulty: HardType: SubjectiveTopic: Cloud Security

Cloud forensics introduces unique challenges unlike traditional on-prem data centres: shared infrastructure means access to physical hardware may be limited; data may be replicated across multiple regions; timestamps and log aggregation may vary; isolation of a single customer’s data can be difficult. Researchers highlight that these issues make attribution, collection and chain of custody harder. :contentReference[oaicite:1]{index=1} To address them, companies should build cloud-specific incident response plans that include provider cooperation, use of cloud-native audit logs, maintaining snapshots, and ensuring service provider contracts allow forensic access.

86. Explain how you would apply a cloud security framework or standard (such as CSA CCM or ISO 27017) in an organisation.

Difficulty: MediumType: SubjectiveTopic: Cloud Security

Applying a cloud security framework begins with understanding the organisation’s risk profile and choosing a framework that fits. For example, the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) covers cloud-specific controls; ISO 27017 provides guidance for cloud services under ISO 27001 context. You would map current controls to the framework, identify gaps, implement missing controls, define metrics, perform audits, and maintain continuous improvement. Being able to explain mapping, gap analysis, control implementation and monitoring shows depth in interviews. :contentReference[oaicite:3]{index=3}

87. In a cloud environment, what does the Zero Trust security model emphasise?

Difficulty: HardType: MCQTopic: Cloud Security

Never trust, always verify — assume breach and ensure identity, device and context verification before granting access
Trust all internal resources since cloud is protected
Disable MFA for performance
Allow access once network perimeter is bypassed

Zero Trust is especially relevant in cloud contexts because traditional network perimeters become blurred. The model emphasises assuming that breach is always possible, and verifies identity, device posture, context and continuous authentication for every access. Mentioning Zero Trust architectures in cloud security interviews shows you’re familiar with modern security paradigms.

Correct Answer: Never trust, always verify — assume breach and ensure identity, device and context verification before granting access

88. Which of the following tools is commonly used to discover misconfigurations in a multi-cloud environment?

Difficulty: HardType: MCQTopic: Cloud Security

CSPM (Cloud Security Posture Management) tool
Spreadsheet software only
Manual code review only
Only antivirus

CSPM tools scan cloud environments (across AWS, Azure, GCP) for misconfigurations, policy violations, exposed resources, unused permissions and risky service deployments. They help organisations manage cloud-native risk at scale. Being aware of CSPM is important for a cloud security professional. :contentReference[oaicite:4]{index=4}

Correct Answer: CSPM (Cloud Security Posture Management) tool

89. What is a key first step in assessing cloud security risk for a new workload?

Difficulty: MediumType: MCQTopic: Cloud Security

Classify the data and map data flows in and out of the cloud service
Purchase full disk encryption immediately
Disable all user access and then open gradually
Assume the cloud provider handles all security entirely

Before implementing controls, you must understand what you are protecting. That means classifying the data (sensitivity, regulatory status) and mapping how it moves into, around, and out of the cloud workload. Without this you cannot determine where the risks are, which controls apply, or how the NIST Cybersecurity Framework core functions (Identify, Protect, Detect, Respond, Recover) apply. :contentReference[oaicite:1]{index=1}

Correct Answer: Classify the data and map data flows in and out of the cloud service

90. In a serverless cloud architecture, what’s a key additional security concern compared to traditional server-based models?

Difficulty: HardType: MCQTopic: Cloud Security

Function-level permissions and runtime invocation context must be strictly managed
You can ignore the IAM model completely
There is no need for monitoring as vendor handles it
You only worry about physical servers now

Serverless functions run in highly ephemeral environments and often execute with privileges assigned to the function role. Because they are event-triggered, run in managed infrastructure and can scale rapidly, controlling invocation context and permissions becomes critical. Misconfiguration can lead to unauthorized execution or data access. Advanced cloud-security interview guides emphasise function permissions, invocation sources, context awareness and least‐privilege in serverless. :contentReference[oaicite:2]{index=2}

Correct Answer: Function-level permissions and runtime invocation context must be strictly managed

91. What risks are introduced when using Infrastructure as Code (IaC) in cloud deployments, and how can you mitigate them?

Difficulty: MediumType: SubjectiveTopic: Cloud Security

Using Infrastructure as Code (IaC) brings speed and repeatability, but also introduces risks: mis-checked permissions in templates, hard-coded credentials, insecure defaults, drift between declared state and actual state, and uncontrolled changes. Mitigation strategies include embedding security-checks in CI/CD pipelines (linting, static analysis, policy-as-code), enforcing least privilege for IaC service accounts, conducting template reviews, using version control, and running periodic drift scans. Discussions on Reddit and practitioner blogs show these are increasingly expected in cloud-security interviews. :contentReference[oaicite:3]{index=3}

92. What is a “cost-based” attack unique to cloud environments?

Difficulty: HardType: MCQTopic: Data Loss

An attacker drives up resource consumption (e.g., compute/storage) – creating a huge bill for the owner
A brute-force attack on credentials only
A server room break-in only
A phishing email to an on-premises employee only

In cloud environments the pay-as-you‐go model can be abused: an attacker may spin up expensive resources, trigger large data transfers, or abuse auto-scaling to incur a high cost. This is a form of Denial-of-Wallet rather than Denial-of-Service. Interview guides list it as a unique cloud threat vector. :contentReference[oaicite:4]{index=4}

Correct Answer: An attacker drives up resource consumption (e.g., compute/storage) – creating a huge bill for the owner

93. How do you approach governance across a multi-cloud environment?

Difficulty: MediumType: SubjectiveTopic: Cloud Security

Governance in a multi-cloud context requires unified policy definition, centralised visibility, consistent identity and access control, cross-cloud logging, control standardisation, cost monitoring and vendor-risk management. Approach: define common security and compliance baseline, use policy-as-code applied across cloud providers, centralise logs and alerts (SIEM or cloud‐native), ensure identity federation, manage least privilege and rotate credentials, evaluate vendor‐specific risks and avoid lock-in. Demonstrating such strategy shows you understand enterprise-scale cloud security practices.

94. Which statement best captures the Zero Trust model for cloud environments?

Difficulty: MediumType: MCQTopic: Cloud Security

Never trust any request by default; always verify identity, device posture and context before granting access
Trust anything inside the vendor network automatically
Only monitor traffic on the VPN
Trust all internal services once authenticated once

The Zero Trust security model is highly relevant in cloud computing because network perimeters are blurred. Effective cloud security strategies assume breach and verify every access: user identity, device integrity, context, least privilege. Interview resources point out Zero Trust as a key phrase in cloud-security discussions. :contentReference[oaicite:5]{index=5}

Correct Answer: Never trust any request by default; always verify identity, device posture and context before granting access

95. Describe how you would prepare an incident response plan specifically for a cloud-native environment.

Difficulty: MediumType: SubjectiveTopic: Cloud Security

A cloud-native incident response plan should include identification of cloud services, trusted identities, audit/log sources, automated alerting, data isolation steps, legal/regulatory reporting, and collaboration with provider (SaaS/PaaS/IaaS). You’d define runbooks for snapshotting virtual services/storage, extracting logs, preserving chain of custody in shared infrastructure, and communicating with vendor support. You’d also practise and update the plan, integrate with SIEM/EDR tools, and ensure credential revocation and lateral-movement prevention. Being able to articulate this-tailored plan shows operational readiness in interviews.

96. Which statement reflects an emerging threat trend in cloud security?

Difficulty: HardType: MCQTopic: Cloud Security

Misconfigured serverless functions leading to data exposure
Only on-premises infrastructure gets attacked now
Encryption is no longer needed
Cloud providers guarantee absolute security

One of the latest trends in cloud security is attackers exploiting misconfigurations in serverless architectures (functions, containers, APIs) that were deployed rapidly without strong controls. Interview guides highlight misconfiguration, identity abuse, and ‘Denial-of-Wallet’ threats as emerging vectors. :contentReference[oaicite:6]{index=6}

Correct Answer: Misconfigured serverless functions leading to data exposure

Master Interviews Anywhere, Anytime

All Cybersecurity Basics Interview Questions

Overview

1. What does the CIA triad in cybersecurity stand for?

2. Which statement correctly describes a vulnerability?

Continue your preparation

3. Which type of malware replicates itself without user interaction?

4. What is the primary purpose of a firewall?

5. Which factor is an example of 'something you have' in multi-factor authentication?

6. What is the main purpose of encryption?

7. Which access control model grants permissions based on user roles?

8. What is the main goal of a social engineering attack?

9. What is a phishing attack?

10. What is considered a cybersecurity incident?

11. Explain the typical stages of a cyber attack lifecycle.

12. How is risk calculated in cybersecurity, and why is it important?

13. What does 'Defense in Depth' mean in cybersecurity?

14. What is the Zero Trust model, and how does it differ from traditional network security?

15. Why is ethical hacking important for cybersecurity?

16. What best defines a cyber threat?

17. Phishing primarily targets which aspect of security?

18. What is the main goal of a ransomware attack?

19. What happens during a Distributed Denial of Service (DDoS) attack?

20. What does an attacker exploit in an SQL Injection attack?

21. In a Man-in-the-Middle (MITM) attack, what does the attacker do?

22. Who is involved in an insider threat?

23. What makes a zero-day exploit particularly dangerous?

24. What does a brute force attack involve?

25. What distinguishes an Advanced Persistent Threat (APT) from other attacks?

26. What is a supply chain attack, and why is it difficult to detect?

27. Explain the main types of social engineering attacks.

28. Describe the lifecycle of a malware attack.

29. What is the key difference between symmetric and asymmetric encryption?

30. Which statement best describes hashing compared to encryption?

31. Which type of firewall filters traffic at the application layer?

32. Why is multi-factor authentication (MFA) considered a strong security mechanism?

33. Which access control model enforces restrictions based on data classification labels and user clearances?

34. What is the Principle of Least Privilege (PoLP)?

35. Explain what is meant by Defense in Depth and why organisations use it.

36. Differentiate between encryption at rest and encryption in transit and state why both are needed.

37. Which statement best describes the role of a Security Information and Event Management (SIEM) system?

38. What is the purpose of Secure Boot in a system’s firmware?

39. What is the main function of a Web Application Firewall (WAF)?

40. What is the primary purpose of ISO 27001?

41. Which of the following is a core principle of the GDPR?

42. Which formula is commonly used to express risk in a compliance context?

43. What best describes the difference between compliance and audit?

44. Which process is used to assess third-party vendor risk in compliance frameworks?

45. In the context of ISO 27001, what does PDCA stand for?

46. Which assessment is required for high-risk data processing under GDPR?

47. Explain three common compliance frameworks used in cybersecurity and the differences between them.

48. How should incident response be integrated in a Governance, Risk & Compliance (GRC) programme?

49. Discuss the difference between an internal audit, external audit and management review in a compliance programme.

50. What is a key first step when a new regulation is introduced that affects your organisation?

51. Your vendor has had a breach that may impact your data. Which action is most appropriate?

52. Why is implementing a whistleblower mechanism important in a compliance programme?

53. After an internal audit reveals multiple control failures, what is the optimal next step?

54. Which statement accurately describes the relationship between Governance, Risk & Compliance (GRC)?

55. Explain how you would design a compliance training programme for a global workforce.

56. How do you balance business objectives with compliance requirements?

57. Describe how you would manage a relationship with a regulatory body during a regulatory inspection.

58. Which tool or process supports continuous monitoring in a compliance programme?

59. What does GRC stand for in cybersecurity and corporate governance context?

60. Which statement best describes the role of GRC software in an organisation?

61. Which metric is most likely used to measure the effectiveness of a GRC programme?

62. What are the main emerging challenges in GRC today and how should organisations adapt?

63. Why are dashboards important in a GRC programme?

64. Explain how you would automate third-party risk management in a global organisation.

65. Which activity supports staying current with regulatory change in GRC?

66. How might artificial intelligence (AI) impact GRC practices in the next five years?

67. What is control-framework mapping in GRC context?

68. Which process best supports continuous monitoring in a GRC programme?

69. What is the primary difference between ethical hacking and malicious hacking?

70. Which of these is the correct sequence of the five standard phases in ethical hacking?

71. Which one of these is a type of hacker classification based on intent?

72. What is ‘footprinting’ in the context of ethical hacking?

73. Which of these tools is commonly used for network scanning in ethical hacking?

74. Which of the following best describes SQL injection?

75. In a man-in-the-middle (MITM) attack, what does the attacker do?

76. Explain what privilege escalation is in the context of ethical hacking and why it is dangerous.

Master Interviews
Anywhere, Anytime