1. What does the CIA triad stand for in information security?
Difficulty: EasyType: MCQTopic: Foundations
- Confidentiality, Integrity, Availability
- Control, Identity, Authentication
- Compliance, Integrity, Access
- Confidentiality, Identity, Assurance
The CIA triad is the foundational model in system security. Confidentiality means data is accessible only to authorised users. Integrity means data remains accurate and unaltered. Availability means authorised users can access data and systems when needed. Knowing this shows you understand basic security goals.
Correct Answer: Confidentiality, Integrity, Availability
2. What is the primary purpose of a firewall in network security?
Difficulty: EasyType: MCQTopic: NetSec
- To monitor and control incoming/outgoing network traffic based on rules
- To perform data backup automatically
- To scan for software bugs in code
- To balance network load across servers
A firewall acts as a barrier between trusted and untrusted networks. It filters traffic by applying security rules. Understanding this basic tool is vital for system security roles.
Correct Answer: To monitor and control incoming/outgoing network traffic based on rules
3. Which device or service filters HTTP(S) traffic specifically to protect web applications?
Difficulty: MediumType: MCQTopic: NetSec
- Web Application Firewall (WAF)
- Intrusion Detection System (IDS)
- Load-Balancer
- VPN Gateway
A WAF inspects HTTP/HTTPS traffic to and from a web application and blocks attacks like SQL injection or cross-site scripting. It’s specifically designed for web system security.
Correct Answer: Web Application Firewall (WAF)
4. What best describes an SQL injection attack?
Difficulty: HardType: MCQTopic: AppSec
- Malicious SQL code inserted into a query to access or manipulate data
- A DDoS attack on a database server
- Encryption of SQL traffic for security
- Use of NoSQL database instead of SQL
SQL injection is a major web-system vulnerability, where unsanitised user inputs allow attackers to execute arbitrary SQL commands on the database. Recognising this shows you understand application layer threats.
Correct Answer: Malicious SQL code inserted into a query to access or manipulate data
5. What principle underpins the Zero Trust security model?
Difficulty: MediumType: MCQTopic: Foundations
- Never trust any request by default; verify identity, device and context
- Trust internal network but not external
- Only use firewalls and ignore identity
- Use passwords only for access control
Zero Trust rejects the assumption that internal users or networks are safe. It emphasises continuous verification and is highly relevant in system-security architecture.
Correct Answer: Never trust any request by default; verify identity, device and context
6. How does network segmentation enhance system security?
Difficulty: MediumType: MCQTopic: NetSec
- By dividing a network into smaller parts and limiting lateral movement of attackers
- By merging all servers into one network zone
- By disabling routing between subnets
- By using one firewall for the entire network
Segmentation isolates different parts of a network so that if one part is compromised, the attacker cannot easily move to others. This is a key control in system security.
Correct Answer: By dividing a network into smaller parts and limiting lateral movement of attackers
7. What is a vulnerability scanner and how is it used in system security?
Difficulty: HardType: SubjectiveTopic: VulnMgmt
A vulnerability scanner is a tool that automatically inspects computers, networks or applications for known security weaknesses — missing patches, mis-configurations, open ports. Using such scanners helps organisations identify risk before attackers exploit it. For example, scanning externally facing servers for open services and then remediating issues. Understanding how to run, interpret and prioritise scanner findings is a valuable system-security skill.
8. Explain the principle of least privilege and its importance in system security.
Difficulty: MediumType: SubjectiveTopic: Foundations
The principle of least privilege means granting users or systems only the access rights they need to perform their tasks — no more, no less. This limits opportunities for misuse or damage if credentials are compromised. In system security interviews you might be asked how you applied this principle to role design and access control. Showing you understand this principle demonstrates maturity and alignment with secure practices.
9. Why is patch management critical in system security?
Difficulty: MediumType: MCQTopic: VulnMgmt
- Because many attacks exploit known vulnerabilities which are unpatched
- Because patches slow system performance
- Because you should never change running systems
- Because only antivirus matters
Failure to apply security patches is a common cause of compromise. Regular patch management is a basic but essential system-security control.
Correct Answer: Because many attacks exploit known vulnerabilities which are unpatched
10. What is the key difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?
Difficulty: MediumType: MCQTopic: NetSec
- IDS monitors and alerts; IPS can block traffic in real-time
- IDS blocks traffic; IPS only logs events
- IDS only handles physical security; IPS only software
- There is no difference
An IDS observes network or system activity for malicious behavior and issues alerts, but typically does not stop the traffic. An IPS goes further by actively intervening and blocking or rejecting malicious traffic in real time. Knowing this distinction is important for system security tool knowledge.
Correct Answer: IDS monitors and alerts; IPS can block traffic in real-time
11. Which statement correctly describes the difference between a vulnerability scan and a penetration test?
Difficulty: MediumType: MCQTopic: VulnMgmt
- A vulnerability scan finds known weaknesses; a pen test attempts to exploit them
- A vulnerability scan fixes all vulnerabilities; a pen test only lists them
- A pen test is automated; a vulnerability scan is manual
- They are exactly the same
A vulnerability scan uses automated tools to identify known weaknesses like missing patches or mis-configurations. A penetration test goes further by simulating an attacker exploiting those weaknesses to determine real risk and exploitability. This knowledge is key in system security interviews.
Correct Answer: A vulnerability scan finds known weaknesses; a pen test attempts to exploit them
12. Why is log aggregation and centralisation important in system security?
Difficulty: MediumType: MCQTopic: Telemetry
- It allows monitoring of multiple systems, correlating events and detecting anomalies
- It eliminates the need for backups
- It slows down systems so attackers cannot act
- It only serves compliance reports
By centralising logs from endpoints, servers, network devices and applications into one location, security teams can correlate events across systems, identify patterns and detect threats which individual logs alone may not reveal. This is a key capability in modern system security operations.
Correct Answer: It allows monitoring of multiple systems, correlating events and detecting anomalies
13. Which of these is *not* typically classified as malware?
Difficulty: HardType: MCQTopic: IR/Forensics
- Hardware key-logger built into a USB stick
- Ransomware
- Worm
- Printer firmware update with vendor signature
Malware refers to software (or sometimes firmware) purposely designed to compromise systems — e.g., worms, ransomware, key-loggers. A legitimate firmware update signed by the vendor is not malware. Understanding detailed differences like this is valued in system security interviews.
Correct Answer: Printer firmware update with vendor signature
14. Explain what memory forensics is and how it is useful in system security investigations.
Difficulty: HardType: SubjectiveTopic: IR/Forensics
Memory forensics is the process of capturing and analysing the volatile memory (RAM) of a system to uncover live processes, network connections, loaded modules, encryption keys or other artefacts that may not persist on disk. It is especially useful in detecting stealthy threats like rootkits or file-less malware which leave no footprints on disk. This technique gives deeper visibility into attacker behaviour and is increasingly referenced in system security operations.
15. Which access control model enforces rules based on fixed security labels for subjects and objects (e.g., Top Secret, Secret, Unclassified)?
Difficulty: HardType: MCQTopic: Foundations
- Bell-LaPadula model
- Role-Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Container-Based Access Control
The Bell-LaPadula model is a formal state-machine model designed for enforcing confidentiality policies in military/government systems, using security classifications such as Top Secret and Secret. Knowing formal models shows strong system security theory knowledge.
Correct Answer: Bell-LaPadula model
16. Why is patch management critical in securing systems and how should it be managed?
Difficulty: MediumType: SubjectiveTopic: VulnMgmt
Patch management is essential because many attacks exploit known vulnerabilities for which patches exist but were not applied. Effective patch management includes maintaining an accurate inventory of systems, prioritising patches based on risk, testing updates in a staging environment, scheduling deployment, monitoring for failures and verifying success. Demonstrating this process shows practical system security understanding.
17. Which statement best explains the difference between a Web Application Firewall (WAF) and a network IDS in terms of coverage?
Difficulty: MediumType: MCQTopic: NetSec
- WAF protects specifically HTTP/HTTPS layer and applications; network IDS monitors broader network traffic
- WAF monitors network ports only; IDS inspects HTTP only
- WAF scans emails; IDS scans files
- They perform the same function
A WAF is designed to protect web applications by filtering and monitoring HTTP/HTTPS traffic, preventing attacks like SQL injection or XSS. On the other hand a network IDS inspects general network traffic across layers for signs of intrusion. This knowledge shows tool-level system security awareness.
Correct Answer: WAF protects specifically HTTP/HTTPS layer and applications; network IDS monitors broader network traffic
18. The principle of least privilege dictates which of the following?
Difficulty: EasyType: MCQTopic: Foundations
- Granting users only the minimum permissions needed to perform tasks
- Granting all users admin rights by default
- Allowing unlimited access for speed
- Removing access controls entirely
The principle of least privilege is fundamental to system security: it reduces attack surface and limits damage if credentials are compromised. Interviewers often test this control.
Correct Answer: Granting users only the minimum permissions needed to perform tasks
19. What tools and process would you employ during a system security incident response in a corporate environment?
Difficulty: HardType: SubjectiveTopic: IR/Forensics
In an incident response scenario you would use tools like EDR (Endpoint Detection & Response) to isolate systems, memory forensics on compromised hosts, SIEM to aggregate logs and trigger alerts, network packet capture for traffic analysis, and a run-book process to contain, eradicate and recover. You’d also document chain-of-custody, preserve evidence and communicate with stakeholders. Understanding both tools and process shows you are ready for system security operations.
20. What are CIS Benchmarks used for in system security?
Difficulty: EasyType: MCQTopic: Hardening
- Prescriptive secure-configuration checklists for hardening systems
- A penetration testing exploit database
- A network traffic encryption protocol
- Device driver performance tuning guides
CIS Benchmarks are consensus-built hardening guides that tell you exactly how to configure operating systems, databases, and platforms to reduce attack surface. Teams use them to baseline new builds and to assess drift over time. Source: Center for Internet Security overview and vendor explanations of CIS Benchmarks and hardened images.
Correct Answer: Prescriptive secure-configuration checklists for hardening systems
Example Code
Example items: disable unused services; enforce password policy; configure logging; restrict insecure protocols
21. On Windows, what does Sysmon mainly provide?
Difficulty: MediumType: MCQTopic: Telemetry
- Detailed event logging for detection and hunting
- Automatic blocking of malware
- Patch deployment
- Disk defragmentation
Sysmon (System Monitor) is a Windows service and driver that logs rich events such as process creations, network connections, and file hash data to Windows Event Log. It supports threat hunting and detection; it is not a prevention tool. Sources: Microsoft Sysinternals Sysmon documentation and practitioner guidance.
Correct Answer: Detailed event logging for detection and hunting
Example Code
Install example (admin): sysmon64.exe -accepteula -i sysmon-config.xml
22. What is the purpose of Linux auditd in hardening and operations?
Difficulty: MediumType: MCQTopic: Telemetry
- Record security-relevant events based on rules for later analysis
- Replace the kernel scheduler
- Provide GUI access control lists
- Only rotate system logs
The Linux Audit system (auditd plus the kernel audit module) captures policy-relevant events like file access, authentication, and admin actions. It helps investigations and compliance by producing a tamper-evident trail. Sources: Red Hat and SUSE security guides and modern auditd explanations.
Correct Answer: Record security-relevant events based on rules for later analysis
Example Code
Example rule: auditctl -w /etc/passwd -p wa -k identity_changes
23. Which statement best describes SELinux compared to AppArmor?
Difficulty: MediumType: MCQTopic: Hardening
- SELinux uses label-based mandatory access control; AppArmor is path/profile-based and simpler
- Both are the same and use path-only rules
- AppArmor provides finer labels than SELinux by default
- Neither can confine applications
SELinux enforces fine-grained MAC using labels on subjects and objects. AppArmor confines programs with path-based profiles and is often easier to administer. Choosing one depends on security requirements and team expertise. Sources: comparative overviews from Linux security vendors and technical blogs.
Correct Answer: SELinux uses label-based mandatory access control; AppArmor is path/profile-based and simpler
Example Code
Check mode: getenforce (SELinux); aa-status (AppArmor)
24. What is the primary goal of full-disk encryption tools like BitLocker (Windows) or LUKS (Linux)?
Difficulty: EasyType: MCQTopic: Crypto
- Protect data at rest if a device is lost, stolen, or decommissioned
- Speed up disk I/O for applications
- Replace backups
- Scan for malware during boot
Full-disk encryption safeguards stored data by requiring a key or passphrase before the drive contents are readable. BitLocker integrates with Windows; LUKS is the common standard on Linux. Proper key backup and recovery procedures are critical in enterprise rollouts.
Correct Answer: Protect data at rest if a device is lost, stolen, or decommissioned
Example Code
Windows: manage-bde -on C:
Linux: cryptsetup luksFormat /dev/sdx
25. Why enable UEFI Secure Boot on endpoints and servers?
Difficulty: MediumType: MCQTopic: Hardening
- It verifies bootloaders are signed, helping block boot-level malware
- It increases screen resolution during boot
- It disables all kernel modules
- It encrypts files automatically
Secure Boot validates that firmware and boot components are trusted before the OS loads, reducing the risk of rootkits and tampered boot chains. It complements disk encryption and OS hardening in a layered defense.
Correct Answer: It verifies bootloaders are signed, helping block boot-level malware
Example Code
Firmware setting: UEFI → Secure Boot → Enabled; enroll org keys if required
26. What do protections like ASLR and DEP primarily defend against?
Difficulty: MediumType: MCQTopic: Hardening
- Memory-corruption exploits such as buffer overflows and code injection
- Phishing emails
- Weak passwords
- Power outages
Data Execution Prevention stops executing data pages, and Address Space Layout Randomization makes memory locations unpredictable. Together they raise the bar for classic memory-safety exploits and should remain enabled as baseline hardening.
Correct Answer: Memory-corruption exploits such as buffer overflows and code injection
Example Code
Windows: bcdedit /set nx OptOut; Linux: check randomize_va_space in /proc/sys/kernel
27. Which SSH configuration is a widely recommended hardening step on Linux servers?
Difficulty: MediumType: MCQTopic: Hardening
- Disable root login over SSH and use key-based auth
- Allow passwordless root login
- Expose SSH on default port with password auth only
- Enable X11 forwarding for all users
Disabling direct root login reduces brute-force risk and audit ambiguity. Key-based authentication is stronger than passwords and enables MFA add-ons. Combine with allowlists, modern ciphers, and fail2ban or equivalent.
Correct Answer: Disable root login over SSH and use key-based auth
Example Code
In /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
28. Why keep a host-based firewall (e.g., Windows Firewall, ufw/nftables) enabled even with a perimeter firewall?
Difficulty: EasyType: MCQTopic: Hardening
- To enforce local least-privilege network rules and reduce lateral movement
- Because it speeds up DNS resolution
- So that perimeter firewalls are not needed
- To disable logging
Host firewalls restrict inbound and outbound flows per machine, containing blast radius if an attacker lands on an endpoint. They complement, not replace, network firewalls and segmentation.
Correct Answer: To enforce local least-privilege network rules and reduce lateral movement
Example Code
Linux (ufw): ufw default deny incoming; ufw allow 22/tcp
Windows: New-NetFirewallRule -DisplayName "Allow SSH" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow
29. How would you create and maintain a hardened baseline build for Windows and Linux?
Difficulty: MediumType: SubjectiveTopic: Hardening
Start with a trusted image and apply a recognized benchmark such as the CIS Benchmark to set secure defaults. Disable unused services, enforce password and lockout policies, enable disk encryption, configure logging (Windows: Sysmon plus security logs; Linux: auditd and systemd-journald), and turn on host firewalls. Automate with configuration management so every server is built the same. Continuously scan for drift, patch on a risk-based cadence, and review the baseline quarterly or when major vendor updates land. This process shrinks attack surface and keeps builds consistent across fleets.
Example Code
Pipeline steps: Image → CIS hardening → Join domain/IdP → Install EDR → Enable logs → Encrypt disk → Register in CM → Compliance scan
30. Design a Windows logging strategy for detection and forensics.
Difficulty: HardType: SubjectiveTopic: Telemetry
Enable Security, System, and PowerShell logs with sensible retention and forwarding. Add Sysmon for deep process, network, and file hash telemetry, using a community-vetted config to reduce noise. Forward events to a SIEM for correlation and alerting. Base detections on attack chains (for example suspicious parent-child process pairs, script block logging anomalies, unsigned binaries spawning network connections). Protect log integrity, monitor pipeline health, and routinely tune rules to balance fidelity and volume. This delivers visibility for both real-time detection and after-the-fact investigation.
Example Code
WinEvent → Windows Event Forwarding/Agent → SIEM
Sysmon install: sysmon64.exe -i sysmon-config.xml
31. Outline a practical Linux auditd policy for critical servers.
Difficulty: HardType: SubjectiveTopic: Telemetry
Monitor identity and integrity first. Watch auth files and user/privilege changes (for example passwd, shadow, sudoers). Track use of privileged binaries and kernel settings, and record changes under /etc. Capture execve of high-risk tools like bash, netcat, ssh, and package managers. Include network connection attempts from privileged processes. Send logs off-host to a central collector and set immutable audit rules for critical systems so attackers cannot disable auditing without notice. Tune to reduce noise while preserving high-value events to keep analysts focused.
Example Code
Example rules:
auditctl -w /etc/sudoers -p wa -k sudo
auditctl -a always,exit -F arch=b64 -S execve -k exec
augenrules --load
32. How would you roll out full-disk encryption at scale and avoid data-loss surprises?
Difficulty: MediumType: SubjectiveTopic: Crypto
Pick native tooling (BitLocker on Windows, LUKS on Linux) and integrate with key escrow so recovery keys are backed up securely. Pilot on a small group, validate performance and recovery flows, then phase to wider groups. Enforce pre-boot authentication where risk warrants and verify that recovery keys are retrievable before enabling at scale. Document support steps, train service desk, and test lost-device and rebuild scenarios. This balances confidentiality with operational safety and prevents lock-out incidents.
Example Code
Windows: enable BitLocker with escrow to Azure AD/MBAM
Linux: cryptsetup luksFormat + enroll keys; store recovery in vault
33. How do you tie hardening policies to day-to-day operations so they stay effective?
Difficulty: MediumType: SubjectiveTopic: Program
Translate policies into machine-readable controls: configuration-management code, CI checks, and compliance scans aligned to CIS or internal standards. Make every change go through the same pipeline so drift is caught early. Track metrics like percentage of compliant hosts, mean time to remediate drift, and patch SLAs. Review exceptions monthly, and close them or add compensating controls. Finally, feed incident lessons back into the baseline so policy evolves with real threats. This keeps hardening alive instead of a one-time exercise.
Example Code
Metrics: compliance% per control; drift tickets open>30 days; patch SLA met%
34. Which sequence best represents a standard incident response lifecycle?
Difficulty: EasyType: MCQTopic: IR/Forensics
- Preparation → Detection & Analysis → Containment → Eradication → Recovery → Lessons Learned
- Detection → Recovery → Eradication → Containment → Preparation → Lessons Learned
- Preparation → Recovery → Containment → Eradication → Detection → Lessons Learned
- Detection → Containment → Patch → Ignore → Close
Good response work starts before day one. Preparation builds playbooks, access, tools, and comms. Then you detect and analyze what really happened. Containment limits blast radius while you plan. Eradication removes root cause, not just symptoms. Recovery brings systems back safely with extra monitoring. Finally, lessons learned feeds fixes into people, process, and tech so the same issue does not return.
Correct Answer: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Lessons Learned
35. During evidence collection, which order of volatility is the most appropriate?
Difficulty: MediumType: MCQTopic: IR/Forensics
- CPU registers/cache → RAM → running processes/network → disk → backups
- Disk → RAM → CPU cache → network → backups
- Backups → network → disk → RAM → CPU cache
- Disk → backups → network → RAM → CPU cache
Volatile data disappears first. Capture the most short-lived artifacts early: CPU state and memory, then process lists, connections, and live network data. Disk images and backups come later because they persist. Following this order preserves the best evidence for root-cause analysis.
Correct Answer: CPU registers/cache → RAM → running processes/network → disk → backups
36. What distinguishes an Indicator of Compromise (IOC) from an Indicator of Attack (IOA)?
Difficulty: MediumType: MCQTopic: IR/Forensics
- IOCs are evidence of something that already happened; IOAs describe patterns that suggest an attack is unfolding
- IOCs are only network based; IOAs are only host based
- IOCs are always hashes; IOAs are always domains
- There is no difference
IOCs are reactive clues like bad hashes, domains, or file paths that confirm compromise. IOAs are behavioral signals like suspicious parent-child processes, repeated credential failures, and privilege-seeking actions. Mature detection uses both: IOCs for quick blocking and IOAs for early disruption.
Correct Answer: IOCs are evidence of something that already happened; IOAs describe patterns that suggest an attack is unfolding
37. Why do many EDR tools offer a one-click “isolate host” action?
Difficulty: EasyType: MCQTopic: IR/Forensics
- To cut lateral movement while preserving forensic access
- To wipe the disk immediately
- To uninstall suspicious software automatically
- To reboot endpoints every hour
Network isolation stops an attacker from moving or exfiltrating, but EDR keeps a control channel so analysts can capture memory, pull logs, or run scripts. It buys time and reduces risk without destroying evidence.
Correct Answer: To cut lateral movement while preserving forensic access
38. Which is a safe containment action for a ransomware incident during active encryption?
Difficulty: MediumType: MCQTopic: IR/Forensics
- Remove the system from the network and disable scheduled tasks for that user
- Power off every server immediately without checking dependencies
- Delete suspicious files from all devices with a mass script
- Rotate all enterprise certificates at once
The goal is to stop spread without causing extra damage. Network-isolating infected endpoints and disabling the account’s scheduled or interactive access reduces impact while keeping data available for forensics. Blind mass deletion or global changes can destroy evidence or break operations.
Correct Answer: Remove the system from the network and disable scheduled tasks for that user
39. What does the 3-2-1 backup rule mean?
Difficulty: EasyType: MCQTopic: Ops
- Three copies, on two different media, with one off-site or offline
- Three backups per day, two weeks retention, one cloud copy
- Three media types, two locations, one restore test per year
- Three tapes, two disks, one USB
Resilience beats ransomware. Keep multiple copies, diversify storage (for example disk plus object storage), and ensure at least one copy is off-site or physically/virtually offline. That last part prevents attackers from encrypting your backups along with production.
Correct Answer: Three copies, on two different media, with one off-site or offline
40. A SIEM fired a high-confidence alert for suspicious PowerShell. What should be your first move?
Difficulty: MediumType: MCQTopic: Telemetry
- Validate the alert with context (host, user, command line, parent process) before taking action
- Block every PowerShell command globally
- Wipe the host immediately
- Publish a company-wide notice blaming the user
Great responders trust but verify. Pull the command line, script block logs if available, parent process, user context, and recent login activity. Quick validation prevents false positives from causing outages, and guides the right containment step if it is real.
Correct Answer: Validate the alert with context (host, user, command line, parent process) before taking action
41. Which security header specifically helps mitigate reflected and stored cross-site scripting in modern browsers?
Difficulty: MediumType: MCQTopic: AppSec
- Content-Security-Policy
- Strict-Transport-Security
- X-Frame-Options
- Referrer-Policy
Content-Security-Policy lets you whitelist trusted script sources and block inline or dynamic code execution paths. It dramatically reduces XSS risk when deployed with care and good testing. HSTS enforces HTTPS, X-Frame-Options prevents clickjacking, and Referrer-Policy limits sensitive referrer data.
Correct Answer: Content-Security-Policy
Example Code
Example: Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com
42. You suspect malicious admin activity on a Windows server. Which logs and events would you review first and why?
Difficulty: MediumType: SubjectiveTopic: Telemetry
Start with Security logs for logon events and privilege use. Look at successful and failed logons, logon type, source IP, and correlated account changes. Pull PowerShell logs and, if enabled, script block logging to see exact commands, not just start events. Review Sysmon or equivalent for process creation with full command line, parent-child relationships, and network connections. This mix quickly answers who did what, from where, and how, which is the fastest route to confidence.
Example Code
Windows Event IDs to watch: 4624/4625 logon, 4672 special privileges, 4688 process creation (if enabled), 4720/4728 account changes
43. Outline a quick triage on a suspicious Linux host before full forensics.
Difficulty: MediumType: SubjectiveTopic: IR/Forensics
First, avoid tipping off the attacker. Record who and what: users logged in, recent auth failures, and sudo history. Capture process trees with command lines, open network sockets, and recent cron or systemd timer entries. Check new or altered binaries in sensitive paths, unusual SUID files, and changes in /etc. Preserve memory if feasible to catch file-less tricks. Finally, isolate the host from the network while keeping analyst access. This snapshot informs whether you escalate to full acquisition.
Example Code
Handy cmds: who; last -n 20; sudo -l; ps -ef; ss -antup; crontab -l; ls -al /etc/cron.*; systemctl list-timers; find / -perm -4000 -type f 2>/dev/null
44. Which host-level artifact is a strong clue that privilege escalation may be underway on Linux?
Difficulty: HardType: MCQTopic: IR/Forensics
- New or unexpected SUID root binaries in writable paths
- A long-running backup job
- An SSH login from a known bastion host
- A user clearing their browser cache
SUID root bits allow normal users to run programs with elevated privileges. If such binaries appear in unusual or writable directories, it often signals exploitation or persistence. Backups and standard logins are routine; browser cache clearing is irrelevant on servers.
Correct Answer: New or unexpected SUID root binaries in writable paths
Example Code
find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null45. During an ongoing incident, how do you structure communication so the response stays efficient and safe?
Difficulty: MediumType: SubjectiveTopic: IR/Forensics
Keep a single incident commander. Use a dedicated channel that is logged and, if needed, out-of-band from potentially compromised systems. Define short situation reports on a fixed cadence: what is known, unknown, doing next, and blockers. Separate technical chat from executive updates to reduce noise. Avoid sharing live indicators publicly; route them to the right tools and owners. Clear comms reduces confusion, duplicate work, and accidental tip-offs.
46. Which activity best represents eradication rather than containment or recovery?
Difficulty: HardType: MCQTopic: IR/Forensics
- Removing the malicious service and its autoruns, and patching the exploited weakness
- Isolating the host from the network
- Restoring the VM from a known-good snapshot
- Increasing SIEM log retention for a week
Containment stops the bleeding. Recovery brings the system back. Eradication is about taking away the attacker’s foothold and closing the hole they used, so they cannot walk right back in after you un-isolate the system.
Correct Answer: Removing the malicious service and its autoruns, and patching the exploited weakness
47. What should a practical ‘lessons learned’ session produce after an incident?
Difficulty: MediumType: SubjectiveTopic: IR/Forensics
It should deliver concrete changes, not just a recap. Expect a short timeline of what happened, what helped, and what slowed you down. Then assign actions with owners and dates: missing detections to add, playbook steps to refine, controls to harden, and training to run. Finally, capture metrics like time to detect and time to contain so you can show progress next time. Real improvement is the point.
48. What is the main benefit of using multi-factor authentication (MFA) for user sign-in?
Difficulty: EasyType: MCQTopic: IAM
- It adds an extra independent factor so a stolen password alone cannot log in
- It removes the need for passwords forever
- It speeds up logins by skipping checks
- It only helps with data at rest
MFA combines two or more different factors, such as something you know, something you have, or something you are. If a password leaks, the attacker still needs the second factor to pass authentication, which sharply lowers account-takeover risk. Standards like N I S T eight hundred sixty-three B describe authenticator assurance levels and when to require multi-factor.
Correct Answer: It adds an extra independent factor so a stolen password alone cannot log in
Example Code
User enters password + TOTP from an authenticator app; server verifies both before issuing a session
49. How does OpenID Connect relate to OAuth 2.0?
Difficulty: MediumType: MCQTopic: IAM
- OIDC adds identity (ID tokens) on top of OAuth 2.0 authorization flows
- OIDC replaces OAuth 2.0 completely
- OAuth 2.0 adds identity on top of OIDC
- They are identical protocols
OAuth 2.0 is for authorization to protected resources using access tokens. OpenID Connect layers authentication on top and issues an I D token describing the user. Many providers implement both together for login plus API access. This difference is a frequent interview test.
Correct Answer: OIDC adds identity (ID tokens) on top of OAuth 2.0 authorization flows
Example Code
Response includes: access_token for API; id_token (JWT) for user identity
50. What does Kerberos primarily provide in enterprise networks?
Difficulty: MediumType: MCQTopic: IAM
- Strong network authentication via tickets and secret-key crypto
- File encryption for storage only
- A public blog platform
- An antivirus engine
Kerberos authenticates clients and services using tickets issued by a trusted Key Distribution Center. After initial authentication, clients use tickets to access multiple services without re-entering passwords. It is common in Windows domains and many Unix realms.
Correct Answer: Strong network authentication via tickets and secret-key crypto
Example Code
kinit user@REALM
klist # shows TGT and service tickets
51. Which practice best reduces risk in web session management?
Difficulty: MediumType: MCQTopic: IAM
- Use secure, httpOnly cookies with short idle and absolute timeouts
- Put the session id in the URL for easy bookmarking
- Allow infinite sessions for convenience
- Share session ids between users on the same device
Strong session management means random identifiers, secure and httpOnly cookies, and enforced expiry. Idle timeouts log out inactive users. Absolute timeouts end long-lived sessions even if active. These steps limit theft, fixation, and replay.
Correct Answer: Use secure, httpOnly cookies with short idle and absolute timeouts
Example Code
Set-Cookie: sid=abc...; Secure; HttpOnly; SameSite=Strict; Max-Age=1800
52. What is a key security point about JSON Web Tokens used for APIs?
Difficulty: MediumType: MCQTopic: IAM
- Signed J W T proves integrity; encrypted J W T protects confidentiality
- All J W T are always encrypted by default
- J W T cannot be revoked so they are unsafe to use
- J W T should be stored in localStorage for CSRF safety
A J W S (signed token) lets receivers verify that claims were not altered. A J W E (encrypted token) protects claim contents in transit. Many breaches stem from poor token handling rather than the format itself, so follow best practices for storage and lifetime.
Correct Answer: Signed J W T proves integrity; encrypted J W T protects confidentiality
Example Code
Header: { alg: RS256, typ: JWT }
Payload: { sub: "123", scope: "read" }
Signature: RSASSA-PKCS1-v1_5 over header.payload53. Which modern guideline aligns with N I S T eight hundred sixty-three B for user passwords?
Difficulty: EasyType: MCQTopic: IAM
- Allow long passphrases, screen against known breached passwords, limit forced periodic resets
- Require complex rules and rotate monthly for everyone always
- Disallow all special characters
- Limit passwords to eight characters max
Updated guidance favors usability and breach resistance: longer passphrases, no composition gymnastics, checks against compromised lists, and only reset on evidence of compromise. This reduces reuse and help-desk burden while improving security.
Correct Answer: Allow long passphrases, screen against known breached passwords, limit forced periodic resets
Example Code
Example: minLength 12; allow spaces; check against breached list; lockout after risk-based threshold
54. In OAuth 2.0, what are scopes used for?
Difficulty: MediumType: MCQTopic: IAM
- To limit what an access token can do on a resource
- To store user passwords
- To encrypt the TLS channel
- To reset sessions automatically
Scopes express permissions, such as read-only or write access to a specific API. Least-privilege scopes reduce blast radius if a token is stolen, which is critical in distributed systems.
Correct Answer: To limit what an access token can do on a resource
Example Code
Authorization request: scope=contacts.read%20calendar.read
55. Explain single sign-on benefits and risks for enterprise systems.
Difficulty: MediumType: SubjectiveTopic: IAM
Single sign-on improves user experience and reduces password sprawl. It centralizes policy, monitoring, and revocation, which helps compliance and incident response. But S S O concentrates risk: if the identity provider or its strong factors fail, many apps are at risk. Mitigate with multi-factor, conditional access, hardware-backed keys for admins, scoped tokens, and strong logging. Tie S S O to least-privilege and short-lived sessions to keep exposure small.
Example Code
IdP issues ID token + access token; apps validate signature and audience before granting access
56. How would you design privileged access management for admins and service accounts?
Difficulty: HardType: SubjectiveTopic: IAM
Separate human admin access from service identities. Use just-in-time elevation with approval, session recording, and command-level auditing. Rotate secrets automatically, prefer short-lived credentials, and lock high-risk actions behind step-up multi-factor. For services, use managed identities with scoping and time-boxed tokens over long-lived keys. Monitor admin sessions closely and alert on unusual source locations or off-hours activity. Map controls to assurance levels similar to those in national guidelines for authentication strength to avoid oversights.
Example Code
Example: Admin requests elevation → PAM broker issues time-boxed role → session proxied and recorded; auto-revoke on logout
57. On Linux, what does Pluggable Authentication Modules (PAM) control?
Difficulty: HardType: MCQTopic: IAM
- Stackable authentication and account policies for services like sshd and sudo
- Only disk encryption
- Only kernel scheduling priority
- Only package installation
PAM lets each service define a stack of modules for auth, account, password, and session management. You can add multi-factor, set login bans, or force password policies per service without modifying the daemon itself. It is a core building block for access control on Unix-like systems.
Correct Answer: Stackable authentication and account policies for services like sshd and sudo
Example Code
/etc/pam.d/sshd includes pam_unix.so, pam_faildelay.so, pam_google_authenticator.so (example)
58. Which cookie settings most directly help against session theft in browsers?
Difficulty: MediumType: MCQTopic: IAM
- Secure and HttpOnly with a strict SameSite policy
- Max-Age set to one year
- No path attribute
- Plaintext cookies over H T T P
Secure prevents sending the cookie over plain H T T P. HttpOnly stops most script access to the cookie. SameSite limits cross-site requests that could carry the cookie, which helps reduce cross-site request forgery and some leakage. These align with session management guidance.
Correct Answer: Secure and HttpOnly with a strict SameSite policy
Example Code
Set-Cookie: sid=...; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=1800
59. List common J W T implementation pitfalls and how to avoid them.
Difficulty: HardType: SubjectiveTopic: IAM
Frequent mistakes include accepting tokens without verifying signature, using none or weak algorithms, failing to check audience and issuer, and giving tokens very long lifetimes. Others include storing tokens where scripts can read them, not rotating keys, and mixing authentication and authorization data without care. Fix these by enforcing strong algorithms, validating signature and claims on every call, keeping tokens short-lived with refresh where needed, storing tokens in secure httpOnly cookies, and rotating signing keys. Use reputable libraries and follow cheat-sheet guidance.
Example Code
Verify: alg=RS256; check iss/aud/exp/nbf; reject none; rotate kid keys; token TTL minutes, not days
60. For a browser-based enterprise app needing federation with partners, which is most appropriate?
Difficulty: MediumType: MCQTopic: IAM
- OpenID Connect or SAML for federated authentication; OAuth 2.0 for API authorization
- FTP with username and password
- SMTP relaying
- Raw TCP sockets for identity
Federation standards let users authenticate with their own identity provider while the app trusts assertions. Choose OpenID Connect for modern web and mobile, or SAML for older enterprise stacks. Use OAuth 2.0 tokens to gate API calls after the user is authenticated.
Correct Answer: OpenID Connect or SAML for federated authentication; OAuth 2.0 for API authorization
Example Code
Front-channel OIDC login → ID token; back-channel API uses access_token with least-privilege scopes
61. Design a sane account-lockout and recovery policy for high-risk apps.
Difficulty: MediumType: SubjectiveTopic: IAM
Use adaptive lockouts that trigger on suspicious patterns instead of a fixed small number. Combine rate limiting, progressive delays, and device or network reputation. Require step-up multi-factor for resets, and log every reset with alerting on unusual patterns. Provide secure self-service recovery with verified channels. Keep user experience in mind so you do not create a denial of service for real users. Align thresholds to your authenticator assurance level and monitor outcomes to tune the policy.
Example Code
Example: 5 failures → 15-minute cool-down; repeated across IPs triggers CAPTCHA and step-up MFA; audited reset flow
62. Why do we use network Access Control Lists (ACLs)?
Difficulty: EasyType: MCQTopic: Foundations
- To allow or deny traffic based on source, destination, protocol, and port
- To accelerate CPU performance
- To compress packets on the wire
- To store encryption keys
ACLs act like simple, fast filters on routers, firewalls, or cloud subnets. They enforce least-privilege by permitting only the traffic patterns your system actually needs. Clear rules reduce attack surface and limit lateral movement if a host is compromised.
Correct Answer: To allow or deny traffic based on source, destination, protocol, and port
Example Code
Example idea: allow tcp 10.0.1.10:443 from 10.0.2.0/24; deny all else
63. What is the key advantage of a stateful firewall over a stateless one?
Difficulty: MediumType: MCQTopic: NetSec
- It tracks connection state and allows return traffic automatically
- It increases Wi-Fi speed
- It encrypts all traffic by default
- It replaces the need for IDS
A stateful firewall remembers flows. If an internal host initiates an outbound session, the firewall knows the return packets belong to that flow and lets them back. This makes rules simpler and safer than writing one-off permit rules for both directions.
Correct Answer: It tracks connection state and allows return traffic automatically
Example Code
Concept: allow outbound tcp 443; stateful engine auto permits inbound replies
64. Which design best limits lateral movement inside a data center?
Difficulty: MediumType: MCQTopic: NetSec
- Micro-segmentation with per-app or per-tier policies
- A single flat VLAN for all servers
- Port-forwarding everything to one host
- Only an external perimeter firewall
Attackers move side to side after the first foothold. Micro-segmentation places policy boundaries between tiers, apps, and even workloads. That way a breach in one segment does not grant free access to the rest of the environment.
Correct Answer: Micro-segmentation with per-app or per-tier policies
Example Code
Example policy: web → app tcp 8443 only; app → db tcp 5432 only; deny all other east-west
65. Why should modern systems prefer TLS over legacy SSL?
Difficulty: EasyType: MCQTopic: Crypto
- Legacy SSL versions are broken; TLS offers stronger, maintained ciphers and features
- TLS is faster because it skips encryption
- SSL supports more modern ciphers
- TLS only works for email, not web
Old SSL versions have known weaknesses. Modern TLS fixes protocol flaws, adds better cipher suites, enables perfect forward secrecy, and is actively maintained. Enforcing current TLS versions closes a big class of downgrade and crypto attacks.
Correct Answer: Legacy SSL versions are broken; TLS offers stronger, maintained ciphers and features
Example Code
Server idea: min protocol TLS 1.2; prefer ECDHE; disable RC4/3DES; enable HSTS at app layer
66. What is the primary security side-effect of Network Address Translation (NAT)?
Difficulty: MediumType: MCQTopic: NetSec
- It hides internal IPs behind a public address, making unsolicited inbound access harder
- It encrypts packets end-to-end
- It replaces firewalls entirely
- It eliminates the need for logging
NAT was designed for address conservation, but it also obscures internal hosts and blocks unsolicited inbound sessions by default. It is not a security control on its own, but it adds friction for attackers when combined with strong firewall rules.
Correct Answer: It hides internal IPs behind a public address, making unsolicited inbound access harder
Example Code
Example: 10.0.0.0/24 → 198.51.100.10 with stateful rules; inbound ports explicitly DNATed only as needed
67. What problem does DNSSEC aim to solve?
Difficulty: HardType: MCQTopic: NetSec
- It adds signature validation to protect DNS answers from tampering
- It hides DNS queries with full encryption by default
- It replaces DHCP
- It blocks all phishing domains automatically
DNSSEC lets resolvers verify that the DNS data they received is authentic by checking digital signatures. It defends against cache poisoning and spoofed answers. It does not encrypt queries; for privacy you would add protocols like DoT or DoH.
Correct Answer: It adds signature validation to protect DNS answers from tampering
Example Code
Resolver behavior: validate RRSIG with DNSKEY; if signature fails, mark response bogus
68. What does Nmap primarily help you do during a network assessment?
Difficulty: MediumType: MCQTopic: NetSec
- Discover hosts and enumerate open ports and services
- Encrypt traffic
- Generate SSL certificates
- Replace router firmware
Nmap quickly maps your attack surface. It finds live hosts, scans ports, fingerprints services, and can probe versions. In interviews, showing how you translate scan results into risk and remediation earns points.
Correct Answer: Discover hosts and enumerate open ports and services
Example Code
nmap -sS -sV -O 10.0.2.0/24
69. How does a forward proxy differ from a firewall for outbound web access?
Difficulty: MediumType: MCQTopic: NetSec
- A proxy terminates client sessions and can inspect HTTP(S) at app level; a firewall enforces network-level rules
- A proxy replaces TLS entirely
- A proxy manages routing tables only
- There is no difference
Proxies understand application protocols and can filter by URL categories, methods, or content. Firewalls focus on IPs, ports, and sessions. Many enterprises use both for layered control over outbound traffic.
Correct Answer: A proxy terminates client sessions and can inspect HTTP(S) at app level; a firewall enforces network-level rules
Example Code
Policy idea: allow category Business; block Malware and Newly-registered domains; log user and URL
70. What does IEEE 802.1X provide in wired or wireless networks?
Difficulty: HardType: MCQTopic: NetSec
- Port-based network access control using authentication before granting access
- Stronger Wi-Fi signal strength
- Automatic patching of endpoints
- Only guest network isolation
With 802.1X, a switch port or AP checks the device identity before allowing full network access. This keeps rogue devices from plugging in and roaming freely. Combined with VLAN assignment, it enforces least-privilege at the first hop.
Correct Answer: Port-based network access control using authentication before granting access
Example Code
High level: supplicant → authenticator (switch/AP) → RADIUS server; on success, port unblocks and VLAN applies
71. Which statement about IPSec modes is accurate?
Difficulty: MediumType: MCQTopic: NetSec
- Transport mode protects payload only; tunnel mode encapsulates and protects the entire original packet
- Tunnel mode protects only payload; transport protects the whole packet
- Both are identical in operation
- IPSec cannot be used for site-to-site VPNs
Transport mode is often used host-to-host, while tunnel mode is common for site-to-site VPNs because it wraps the full packet. Picking the right mode is crucial for performance and routing needs.
Correct Answer: Transport mode protects payload only; tunnel mode encapsulates and protects the entire original packet
Example Code
Site VPN: gateway A ⇄ gateway B in tunnel mode; internal subnets reach each other securely
72. How do flow logs like NetFlow or VPC Flow Logs help in detection and response?
Difficulty: MediumType: SubjectiveTopic: NetSec
Flow logs show who talked to whom, when, and how much. You spot odd patterns: sudden spikes to unknown IPs, strange ports, or data egress outside business hours. During incidents, flows confirm scope and timing even when packet payloads are unavailable. They also feed baselines that power anomaly alerts. The result is faster triage and better containment decisions.
Example Code
Example fields: src_ip, dst_ip, src_port, dst_port, proto, bytes, action, start_time, end_time
73. When would you choose deep packet capture over flow data, and what are the trade-offs?
Difficulty: HardType: SubjectiveTopic: NetSec
Use packet capture when you need payload details: exploit content, credentials in clear channels, protocol misuse, or to rebuild a session for forensics. The trade-offs are storage and privacy. Payloads consume space and may include sensitive data. Also, capture at the wrong point can miss encrypted content. A good strategy blends both: flows for broad visibility and packets on demand for drill-down around the alert window.
Example Code
Quick peek: tcpdump -i eth0 host 203.0.113.10 and port 443 -w suspect.pcap
74. Which control helps reduce risk from ARP spoofing in local networks?
Difficulty: MediumType: MCQTopic: NetSec
- Dynamic ARP Inspection with trusted ports and DHCP snooping
- Disabling TLS 1.2
- Turning off DNS
- Using only public IP addresses
ARP spoofing lets an attacker redirect traffic on a LAN. Switch features like DHCP snooping build a binding table, and Dynamic ARP Inspection checks ARP replies against that table. Together they stop forged ARP messages on untrusted access ports.
Correct Answer: Dynamic ARP Inspection with trusted ports and DHCP snooping
Example Code
Switch idea: ip dhcp snooping; ip arp inspection vlan 10; trust uplink ports; untrust access ports
75. How do you safely test new firewall rules for a production app?
Difficulty: MediumType: SubjectiveTopic: NetSec
First, map required flows from architecture and logs. Stage the rule in a lower environment and capture before-and-after traffic. In prod, deploy with a temporary shadow rule in log-only if supported, or a narrow time window with rollback. Monitor latency, error rates, and dropped packets. Keep a back-out plan and document the change. This keeps users safe while you tighten policy.
Example Code
Change steps: inventory flows → stage test → deploy with monitoring → verify → commit or rollback
76. Describe how you would apply Zero Trust ideas at the network layer for a legacy app.
Difficulty: HardType: SubjectiveTopic: Foundations
Wrap the app with identity-aware access. Put a policy-enforcing proxy or gateway at the edge, terminate TLS, and authenticate users and devices before letting traffic in. Inside, restrict east-west flows to the minimal ports and addresses. Use per-service allowlists, segment the database, and add continuous signals like device posture. Over time, refactor hard-coded trust by shifting from broad subnets to identity and context-based rules.
Example Code
Plan: user/device auth at gateway → policy engine → allow only app:port from approved sources → log and adapt
77. Across modern web apps, which risk most often causes users to act outside their permissions?
Difficulty: MediumType: MCQTopic: Foundations
- Broken access control
- Weak password complexity rules
- Insecure DNS settings
- Lack of HTTPS
Broken access control lets a user reach data or actions they should not. Common causes include missing server-side checks, IDOR issues, and deny-by-default not enforced. OWASP lists this as the top web risk and gives practical examples and fixes.
Correct Answer: Broken access control
Example Code
if (resource.ownerId !== auth.userId) return res.status(403).end();
78. Which situation best fits Security Misconfiguration?
Difficulty: MediumType: MCQTopic: Hardening
- Leaving default accounts enabled and exposing verbose error pages in prod
- Using parameterized queries for DB access
- Rotating API keys quarterly
- Returning 404 for unknown routes
Security misconfiguration includes unsafe defaults, extra features, verbose errors, open cloud storage, and missing patches. It is common and easy to fix with hardened baselines and automation.
Correct Answer: Leaving default accounts enabled and exposing verbose error pages in prod
Example Code
spring.profiles.active=prod
server.error.include-stacktrace=never
79. What is the recommended primary defense pattern against CSRF in stateful web sessions?
Difficulty: MediumType: MCQTopic: AppSec
- Synchronizer anti-CSRF token validated on state-changing requests
- Using HTTP basic auth
- Putting the user id in a hidden field only
- Relying only on CAPTCHA
Anti-CSRF tokens are unique per session or request and validated by the server. They should not ride in URLs and should not be stored in cookies for synchronized patterns. SameSite adds defense in depth but is not enough alone.
Correct Answer: Synchronizer anti-CSRF token validated on state-changing requests
Example Code
POST /transfer
Headers: X-CSRF-Token: abcd1234
Body: amount=500&to=42
80. What does the cookie attribute SameSite primarily help with?
Difficulty: EasyType: MCQTopic: AppSec
- Reducing cross-site requests that include the cookie
- Encrypting the cookie value
- Extending cookie life
- Forcing HTTP only
SameSite limits when browsers send cookies on cross-site requests. It helps against CSRF and some cross-site leaks. It is a defense in depth and should be combined with tokens.
Correct Answer: Reducing cross-site requests that include the cookie
Example Code
Set-Cookie: sid=...; Secure; HttpOnly; SameSite=Strict
81. Why is SSRF dangerous in cloud environments?
Difficulty: HardType: MCQTopic: AppSec
- Back-end servers can be tricked to call internal services like cloud metadata endpoints
- It only affects client browsers
- It requires physical access to the server
- It is blocked by TLS automatically
SSRF abuses a server’s ability to make HTTP calls. In cloud, attackers often target metadata services to steal credentials or pivot. Recent research shows active campaigns and rising prevalence; vendors recommend layered mitigations.
Correct Answer: Back-end servers can be tricked to call internal services like cloud metadata endpoints
Example Code
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/
82. Which API issue is highlighted by OWASP as API1:2023?
Difficulty: MediumType: MCQTopic: AppSec
- Broken Object Level Authorization (BOLA)
- Insecure Direct File Upload
- Lack of TLS
- Password reuse
BOLA occurs when endpoints expose object identifiers without enforcing ownership checks, allowing unauthorized reads or edits. It remains the top API risk.
Correct Answer: Broken Object Level Authorization (BOLA)
Example Code
GET /api/users/1234 // must verify auth.userId == 1234 before returning
83. Which mistake leads to Mass Assignment or property-level auth bugs in APIs?
Difficulty: MediumType: MCQTopic: AppSec
- Binding the entire JSON body directly into a model without whitelisting
- Using rate limiting
- Returning 201 on create
- Compressing responses
If the API blindly maps client fields to server models, attackers can set sensitive fields like isAdmin. OWASP’s API list merges this with property-level authorization concerns. Use explicit allowlists and server-side checks.
Correct Answer: Binding the entire JSON body directly into a model without whitelisting
Example Code
allowed = pick(req.body, ['name','email']);
user.update(allowed);
84. Which header helps reduce XSS by controlling where scripts can load from?
Difficulty: MediumType: MCQTopic: AppSec
- Content-Security-Policy
- Strict-Transport-Security
- Referrer-Policy
- ETag
CSP whitelists script sources and can block inline execution when designed well. It complements secure coding and output encoding to cut XSS risk.
Correct Answer: Content-Security-Policy
Example Code
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com
85. Why is rate limiting essential for public APIs and how should it be applied?
Difficulty: MediumType: SubjectiveTopic: AppSec
APIs are easy to automate. Attackers exploit this for brute force, scraping, and credential stuffing. Rate limits slow abuse and protect upstream services. Apply limits per user, per IP, and per token. Include burst and sustained windows. Return clear errors and backoff hints. Combine with detection for anomalous patterns and block lists. Tie limits to critical operations, like login or password reset, for stronger protection.
Example Code
POST /login 5 req per min per account; 100 req per min per IP; exponential backoff on 429
86. What does CORS actually control for browsers?
Difficulty: MediumType: MCQTopic: AppSec
- Which origins can read responses via browser scripts
- Who can open a TCP connection to the server
- Whether TLS is required
- Password rotation policies
CORS does not block raw HTTP requests. It governs whether browser-run code can read the response. Configure explicit allowlists and avoid reflecting wildcard with credentials. This prevents unintended data exposure to other sites.
Correct Answer: Which origins can read responses via browser scripts
Example Code
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
87. Explain how parameterized queries stop SQL injection and when to add ORM or stored procedure checks.
Difficulty: MediumType: SubjectiveTopic: AppSec
Parameterized queries send the SQL and the data separately. The driver never treats input as code, so injected quotes do not change the query plan. Use prepared statements by default. If you use an ORM, still validate fields and avoid dynamic string concatenation. For complex reports, stored procedures can help, but they must also use parameters. Add least-privilege DB accounts and monitor for unusual query patterns.
Example Code
SELECT * FROM users WHERE email = ?; // driver binds value, not SQL
88. Which control best prevents clickjacking on sensitive pages?
Difficulty: EasyType: MCQTopic: AppSec
- X-Frame-Options DENY or a CSP frame-ancestors policy
- Disabling JavaScript entirely
- Using 302 redirects
- Turning off caching
Clickjacking tricks a user into clicking a hidden frame. Deny framing or allow only trusted parents. Pair this with CSRF defenses on state-changing actions to limit damage.
Correct Answer: X-Frame-Options DENY or a CSP frame-ancestors policy
Example Code
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
89. How do you detect and contain SSRF attempts in production?
Difficulty: HardType: SubjectiveTopic: AppSec
Watch for egress calls to link-local and RFC-1918 ranges, odd DNS names, and unusual response sizes from metadata hosts. Add egress allowlists at app and network layers. Log request targets and block raw redirects. Use DNS and HTTP proxies with policies to prevent direct access to internal endpoints. In cloud, harden the metadata service and use instance profiles with the latest protections. Alerts on these signals help you stop credential theft and lateral movement early.
Example Code
Alert if dest in 169.254.169.0/16 or 10.0.0.0/8 and Host header not in allowlist
90. Design robust authorization checks for an API that serves user-owned objects.
Difficulty: HardType: SubjectiveTopic: AppSec
Enforce ownership at every read and write. Do not rely on the client to hide IDs. Check object access with server-side lookups and role rules. Validate both object-level and property-level authorization so users cannot set privileged fields. Log deny decisions for audit. Add tests for IDOR and for mass-assignment paths. This aligns with OWASP API Top 10 guidance and reduces high-impact data leaks.
Example Code
const obj = await repo.get(id);
if (obj.owner !== auth.userId) return 403;
const allowed = pick(body, editableFieldsFor(auth));
91. List practical rules for issuing and validating CSRF tokens in SPAs and classic server-rendered apps.
Difficulty: MediumType: SubjectiveTopic: AppSec
Generate strong, unpredictable tokens. Tie them to the user session. Send them in HTML or JSON, not in a cookie for synchronized token patterns. Validate on every state-changing request. Do not put tokens in URLs or logs. Rotate on login and at session renewal. For SPAs, fetch the token via a safe endpoint and attach it as a header. Keep SameSite on cookies for extra defense, but never rely on it alone
Example Code
fetch('/csrf').then(t => localStorage.setItem('csrf', t))
// later: xhr.setRequestHeader('X-CSRF-Token', localStorage.getItem('csrf'))92. Which option best describes a ransomware attack?
Difficulty: EasyType: MCQTopic: IR/Forensics
- Malware that encrypts files and demands payment for the key
- Malware that only shows ads on websites
- Tool that scans networks for open ports
- A script that updates system packages
Ransomware locks data by encrypting it and pressures the victim to pay for decryption. The core impact is loss of availability and potential data loss. Good backups, segmentation, and fast detection reduce damage.
Correct Answer: Malware that encrypts files and demands payment for the key
Example Code
Common note file: README.txt with payment instructions
93. What makes fileless malware harder to detect?
Difficulty: MediumType: MCQTopic: IR/Forensics
- It runs mainly in memory and abuses legitimate tools
- It only targets mobile phones
- It requires admin passwords to install
- It always uses custom kernel drivers
Fileless techniques avoid writing obvious binaries to disk. They live in memory, use scripts, and leverage trusted tools like PowerShell or WMI. Disk-based antivirus may miss them, so telemetry and behavior rules are key.
Correct Answer: It runs mainly in memory and abuses legitimate tools
Example Code
Example: powershell -enc <base64> launched by Office process
94. Which is a typical Indicator of Compromise (IOC)?
Difficulty: EasyType: MCQTopic: IR/Forensics
- Known malicious hash observed on a host
- A new security patch from the vendor
- A daily backup job completion
- A healthy CPU utilization graph
IOCs are concrete signs that something bad likely happened. Hashes, domains, IPs, mutex names, and file paths are common. Pair them with behavior to avoid false positives.
Correct Answer: Known malicious hash observed on a host
Example Code
sha256: d2a5... observed in C:\Windows\Temp\svc.exe
95. Why use a malware sandbox during analysis?
Difficulty: MediumType: MCQTopic: IR/Forensics
- To detonate suspicious samples in isolation and observe behavior
- To increase system performance in production
- To replace EDR across the fleet
- To store encryption keys securely
A sandbox executes a sample in a controlled VM or container. You watch file, registry, process, and network activity without risking production systems. It speeds triage and supports safer signature creation.
Correct Answer: To detonate suspicious samples in isolation and observe behavior
Example Code
Observed: drops %APPDATA%\svc.dll; beacons to hxxp://example[.]com/api
96. What is the key difference between static and dynamic malware analysis?
Difficulty: MediumType: MCQTopic: IR/Forensics
- Static inspects code or artifacts at rest; dynamic runs the sample and watches behavior
- Static always needs internet, dynamic never does
- Dynamic only works on Linux, static on Windows
- Static cleans the malware automatically
Static analysis includes strings, headers, and control-flow. Dynamic analysis executes the sample to see live process, file, and network actions. Mature investigations mix both to cross-check findings.
Correct Answer: Static inspects code or artifacts at rest; dynamic runs the sample and watches behavior
Example Code
strings sample.bin | findstr http
97. Why are kernel-mode rootkits especially dangerous?
Difficulty: HardType: MCQTopic: IR/Forensics
- They run with high privileges and can hide processes, files, or network activity
- They only affect user profiles
- They require no vulnerabilities to install
- They cannot persist across reboots
Kernel-mode code can intercept system calls and alter what tools see. That allows stealth, persistence, and powerful tampering. Detection relies on attestation, golden images, and low-level telemetry.
Correct Answer: They run with high privileges and can hide processes, files, or network activity
Example Code
Symptom: ps shows no process but port 4444 is listening
98. In digital forensics, what is the purpose of chain of custody?
Difficulty: MediumType: MCQTopic: IR/Forensics
- To document who handled evidence, when, and how, to preserve integrity
- To improve CPU speed during imaging
- To encrypt the case notes
- To compress disk images
Good records make evidence defensible. You track acquisition, transfers, tools, hashes, and storage. If challenged, you can prove the data is original and untampered.
Correct Answer: To document who handled evidence, when, and how, to preserve integrity
Example Code
Record: time, handler, device id, hash (SHA-256), action, location
99. Explain why capturing memory (RAM) can be more valuable than only imaging the disk during an active incident.
Difficulty: HardType: SubjectiveTopic: IR/Forensics
Memory holds live secrets that never touch disk. You can see running processes, injected code, command lines, network sockets, decrypted payloads, and sometimes keys or tokens. Fileless techniques and in-memory implants leave few disk traces. A timely RAM capture can reveal the full execution chain and shorten the hunt. After that, a clean disk image provides persistence details and timeline. Together, they tell the complete story.
Example Code
Windows: winpmem.exe --format raw --output mem.raw
100. During live response, which order best follows the order of volatility?
Difficulty: MediumType: MCQTopic: IR/Forensics
- CPU/Cache → RAM → Network/Processes → Disk → Backups
- Disk → Backups → RAM → Processes → Network
- Backups → Disk → Network → CPU → RAM
- Processes → CPU → Disk → RAM → Backups
Volatile data disappears first. Capture the most short-lived items early. That preserves evidence that would be gone by the time you power off or image the drive.
Correct Answer: CPU/Cache → RAM → Network/Processes → Disk → Backups
Example Code
Quick set: mem dump → netstat → process list → selective disk grabs
101. How do you build a forensic timeline after an intrusion and what sources do you prefer?
Difficulty: MediumType: SubjectiveTopic: IR/Forensics
Start with a clear time anchor, like the first alert. Pull endpoint logs, EDR telemetry, Windows Event Logs, Sysmon, Linux audit logs, web server logs, DNS, VPN, and proxy records. Normalize timestamps to one zone. Sequence key events: initial access, privilege change, lateral movement, data staging, exfil. Fill gaps with file system metadata and registry or config changes. A solid timeline reveals scope, helps with containment, and validates eradication.
Example Code
Sort by time: log_source, user, host, action, indicator, result
102. What does a YARA rule help an analyst do?
Difficulty: MediumType: MCQTopic: IR/Forensics
- Describe patterns to find related malware across files or memory
- Automatically patch the operating system
- Crack passwords using GPUs
- Encrypt logs in transit
YARA rules use text, hex, and logic to match families or traits. You can scan endpoints and memory to find variants, even if hashes change. This speeds threat hunting and scoping.
Correct Answer: Describe patterns to find related malware across files or memory
Example Code
rule sample { strings: $s = "rundll32" nocase condition: $s }103. Why do attackers pack or obfuscate binaries?
Difficulty: HardType: MCQTopic: IR/Forensics
- To evade static signatures and slow analysis
- To reduce network latency
- To pass code signing checks
- To avoid using encryption
Packers compress or wrap code to hide strings and structure. Unpacking at runtime reveals the real payload. Analysts rely on behavior, emulation, and memory dumps to see through the layer.
Correct Answer: To evade static signatures and slow analysis
Example Code
Symptom: high entropy sections; suspicious unpacking loops
104. What is a web shell and why is it dangerous?
Difficulty: MediumType: MCQTopic: IR/Forensics
- A server-side script that gives remote command execution via web requests
- A browser plugin that blocks ads
- A secure shell replacement for admins
- A load-testing tool for web apps
Web shells provide stealthy persistence on web servers. They blend with normal traffic and can survive short rebuilds if stored in shared content. Hunt for odd file paths, recent changes, and suspicious parameters.
Correct Answer: A server-side script that gives remote command execution via web requests
Example Code
Example: /var/www/html/.cache/assets/.img.php?cmd=id
105. Describe a safe containment and recovery plan for a malware outbreak in a mixed Windows and Linux environment.
Difficulty: MediumType: SubjectiveTopic: IR/Forensics
Isolate affected hosts at the switch or EDR while keeping a control channel. Snapshot VMs and capture memory from key systems. Reset exposed credentials and disable risky accounts. Identify patient zero and lateral paths. Rebuild from known-good images, patch aggressively, and restore data from clean backups. Keep heightened monitoring during the first week after recovery. Finally, review gaps in detection, hardening, and user training so the environment comes back stronger.
Example Code
Playbook: isolate → capture → credentials → eradicate → rebuild → monitor → lessons
106. In public cloud, what does the shared responsibility model mean for security?
Difficulty: EasyType: MCQTopic: CloudSec
- Provider secures the cloud; customers secure what they run in the cloud
- Provider handles everything including your app code
- Customers handle only physical data center security
- Security is not required if encryption is on
The cloud provider is responsible for security of the cloud, like data center, hardware, and the virtualization layer. Customers are responsible for security in the cloud, like configuration, identity, data, and workloads. Understanding this split prevents dangerous assumptions and audit gaps.
Correct Answer: Provider secures the cloud; customers secure what they run in the cloud
Example Code
Rule of thumb: provider = infra layer; you = identity, config, data, app
107. What is the purpose of Amazon S3 Block Public Access?
Difficulty: EasyType: MCQTopic: CloudSec
- Account and bucket level guardrails that override policies to prevent public access
- A tool to encrypt objects with KMS
- A feature to accelerate downloads
- A setting to auto-delete old versions
S3 Block Public Access provides centralized switches at account, access point, and bucket levels to keep data from becoming public, even if a user sets a permissive policy. It is a default-on safety net for many orgs.
Correct Answer: Account and bucket level guardrails that override policies to prevent public access
Example Code
aws s3control put-public-access-block --account-id 123456789012 --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
108. Why do many teams require EC2 Instance Metadata Service v2 (IMDSv2)?
Difficulty: MediumType: MCQTopic: CloudSec
- It uses session tokens that mitigate simple SSRF style metadata theft
- It encrypts all EBS volumes by default
- It blocks outbound internet for instances
- It replaces CloudTrail logging
IMDSv2 requires a token obtained via a local hop and enforces hop limits. This design reduces trivial metadata theft and credential exposure compared to IMDSv1. You can set new instances to require v2 only.
Correct Answer: It uses session tokens that mitigate simple SSRF style metadata theft
Example Code
AWS CLI at launch: --metadata-options HttpTokens=required HttpEndpoint=enabled
109. What CloudTrail configuration is widely recommended to ensure complete coverage?
Difficulty: MediumType: MCQTopic: CloudSec
- Create a multi-Region trail that logs all Regions
- Create a single-Region trail only in the Region you use most
- Disable logging for global services
- Rotate trails weekly to new buckets
Multi-Region trails record activity in all enabled Regions, including seldom-used ones, so you do not miss events or attacks that target an unexpected Region. This is a common best practice in AWS guidance.
Correct Answer: Create a multi-Region trail that logs all Regions
Example Code
aws cloudtrail create-trail --name org-trail --is-multi-region-trail --s3-bucket-name audit-logs
110. What is envelope encryption with AWS KMS?
Difficulty: MediumType: MCQTopic: Crypto
- Encrypt data with a data key, then encrypt that data key under a KMS key
- Directly encrypt all files with a customer master key only
- Compress data before encrypting
- Store keys in application code
Envelope encryption uses short-lived data keys to encrypt content and then protects those data keys under a key encryption key managed by KMS. It scales and limits key exposure while keeping decryption under API control.
Correct Answer: Encrypt data with a data key, then encrypt that data key under a KMS key
Example Code
GenerateDataKey → use plaintext DEK to encrypt → store ciphertext DEK alongside data → decrypt via KMS when needed
111. In Kubernetes, which control enforces standardized pod restrictions like running as non-root?
Difficulty: MediumType: MCQTopic: CloudSec
- Pod Security Standards with Pod Security Admission
- Only kube-proxy rules
- CronJobs
- Ingress controllers
The Pod Security Standards define privileged, baseline, and restricted policies. The Pod Security Admission controller enforces these at the namespace level so pods meet your chosen profile.
Correct Answer: Pod Security Standards with Pod Security Admission
Example Code
kubectl label ns prod pod-security.kubernetes.io/enforce=restricted
112. What do Kubernetes Network Policies primarily control?
Difficulty: MediumType: MCQTopic: CloudSec
- Allowed pod-to-pod and pod-to-external traffic at L3 and L4
- Pod resource limits like CPU and memory
- Cluster autoscaling
- Container image signing
Network policies define which pods can talk to which destinations and on which ports. They reduce lateral movement inside the cluster and support a Zero Trust posture.
Correct Answer: Allowed pod-to-pod and pod-to-external traffic at L3 and L4
Example Code
spec: podSelector: {}; ingress: - from: - podSelector: {matchLabels: app:web} ports: - port: 5432113. Which resource lists common risks specific to cloud-native apps and platforms?
Difficulty: MediumType: MCQTopic: CloudSec
- OWASP Cloud-Native Application Security Top 10
- PCI DSS supplement only
- ISO 9001 quality basics
- TCP RFCs
OWASP maintains a dedicated Top Ten for cloud-native threats that complements general web and API risks. It is useful for interviews and design reviews focused on containers and orchestration.
Correct Answer: OWASP Cloud-Native Application Security Top 10
Example Code
Use it to cross-check: identity, secrets, supply chain, workload isolation, and runtime protection
114. According to the OWASP API Security 2023 list, which risk covers property-level authorization problems (e.g., setting isAdmin)?
Difficulty: MediumType: MCQTopic: AppSec
- Broken Object Property Level Authorization
- Injection
- Insecure Transport
- Caching Issues
API3:2023 merges earlier categories to stress that servers must check authorization not only at the object level but also for each writable field. Blind model binding without allowlists causes painful leaks and privilege flips.
Correct Answer: Broken Object Property Level Authorization
Example Code
allowedFields = ['name','email']; user.update(pick(req.body, allowedFields))
115. Why are Azure Managed Identities preferred over embedding secrets in code?
Difficulty: MediumType: MCQTopic: CloudSec
- They provide an automatically managed identity for Azure services to request tokens without stored credentials
- They remove the need for RBAC
- They work only for VMs with public IPs
- They disable logging by default
Managed Identities allow Azure resources to get access tokens from Microsoft Entra without hard-coding keys. This reduces secret sprawl and rotation effort while fitting into RBAC and conditional access.
Correct Answer: They provide an automatically managed identity for Azure services to request tokens without stored credentials
Example Code
az vm identity assign -g rg -n myvm // then grant the VM’s identity least-privilege role on target
116. Which practice is recommended for Google Cloud service accounts?
Difficulty: MediumType: MCQTopic: CloudSec
- Avoid user-managed keys; prefer managed identities and Workload Identity Federation
- Share one service account across all apps
- Store JSON keys in source control with rotation
- Give service accounts Owner role for convenience
GCP guidance recommends avoiding long-lived user-managed keys. Use workload identity and scoped roles, create single-purpose service accounts, and disable unused accounts to reduce lateral movement risk.
Correct Answer: Avoid user-managed keys; prefer managed identities and Workload Identity Federation
Example Code
gcloud iam service-accounts disable svc@proj.iam.gserviceaccount.com // retire unused accounts
117. Design a safe data access pattern for S3 buckets that host sensitive files.
Difficulty: MediumType: SubjectiveTopic: CloudSec
Start deny by default. Turn on S3 Block Public Access at the account and bucket levels so no policy can make data public by mistake. Use least-privilege IAM policies bound to roles, not users. Encrypt objects with KMS and audit key use. Enable CloudTrail with a multi-Region trail and log file integrity so you can track who did what and when. Add bucket policies that require TLS and a specific VPC endpoint if possible. Finally, monitor for policy drift and unusual access. This structure lowers exposure and improves auditability.
Example Code
Bucket policy idea: aws:SecureTransport=true AND aws:SourceVpce in allowed_list; deny if not met
118. Outline a quick Kubernetes hardening plan for a production cluster.
Difficulty: HardType: SubjectiveTopic: CloudSec
Enforce Pod Security Standards at restricted where possible, baseline elsewhere, using Pod Security Admission. Lock down network with namespace-scoped Network Policies so only required flows are allowed. Use minimal images, read-only root filesystems, and run as non-root. Rotate secrets and prefer external secret managers. Restrict node metadata access and audit RBAC for least privilege. Capture and ship audit logs. These steps reduce breakout, lateral movement, and credential theft in real clusters.
Example Code
Namespace labels: pod-security.kubernetes.io/enforce=restricted; create default-deny netpol; allow only app→db ports
119. How would you structure cloud audit logging to speed investigations across many AWS accounts?
Difficulty: MediumType: SubjectiveTopic: CloudSec
Create a multi-Region CloudTrail per account or an organization trail that feeds a central log bucket with strict access. Enable log file integrity validation. Forward to your SIEM with clear account and Region tags. Keep retention long enough for compliance and threat dwell time. This gives responders a single, trustworthy place to search and correlate events across environments.
Example Code
OrgTrail → S3 audit bucket (write-only for accounts) → SIEM ingestion with account_id and region fields
120. List practical rules for securing cloud APIs that expose user objects.
Difficulty: MediumType: SubjectiveTopic: AppSec
Authorize every request on the server. Check both object ownership and property-level rights before updates. Never trust client-side filtering. Use short-lived tokens and scopes. Rate-limit hot paths like login and resets. Log denies with context. Add tests for IDOR and mass-assignment. These steps address the top API risks and stop common data leaks early.
Example Code
if (obj.owner !== auth.userId) return 403; const allowed = pick(req.body, editableFieldsFor(auth));
121. What does N I S T’s Secure Software Development Framework (SSDF) provide to organizations?
Difficulty: MediumType: MCQTopic: SupplyChain
- A set of high-level, outcome-focused practices that integrate into any S D L C
- A specific tool you must install on build servers
- Only a checklist for web apps
- A law that replaces internal policies
SSDF describes core practices such as preparing the organization, protecting code and tools, producing well-secured software, and responding to vulnerabilities. It is outcome-based and fits into any life cycle model. You map your processes to these outcomes to raise assurance. This framing is common in interviews because it shows you can align engineering with policy. (Source: NIST SP 800-218 overview.)
Correct Answer: A set of high-level, outcome-focused practices that integrate into any S D L C
Example Code
Examples: policy for code signing; hardened CI; documented build provenance; vuln response playbook
122. OWASP S C V S is primarily used to:
Difficulty: MediumType: MCQTopic: SupplyChain
- Assess and improve software supply chain assurance including asking suppliers for S B O Ms
- Replace all penetration testing
- Tune kernel performance
- Encrypt production databases
The Software Component Verification Standard gives you activities and controls to measure component risk and supplier transparency. It explicitly supports requesting S B O Ms and organizing maturity in layers, which helps teams adopt it step by step. (Sources: OWASP SCVS site and guidance.)
Correct Answer: Assess and improve software supply chain assurance including asking suppliers for S B O Ms
Example Code
Use S B O M + attestation required in contracts; map to SCVS L1→L3
123. What is S L S A in the context of supply chain security?
Difficulty: MediumType: MCQTopic: SupplyChain
- A maturity framework with levels that harden build integrity and provenance
- A static analysis tool for JavaScript
- A cloud key vault
- A vulnerability scanner for mobile apps
S L S A (pronounced salsa) defines levels with controls to prevent tampering and to improve artifact integrity, from basic build script hardening up to hermetic, reproducible builds with strong provenance. It is widely cited in interviews because it connects engineering actions to measurable levels. (Sources: slsa.dev and Open S S F pages.)
Correct Answer: A maturity framework with levels that harden build integrity and provenance
Example Code
Goal: produce artifact + provenance attestation signed by CI; verify before deploy
124. Which statement about S B O M formats is most accurate today?
Difficulty: MediumType: MCQTopic: SupplyChain
- SPDX and CycloneDX are both common; choice depends on use case and ecosystem
- There is a single global S B O M format and others are obsolete
- S B O Ms are only for open source
- CycloneDX is only for mobile apps
Both SPDX and CycloneDX are widely used and overlapping. CycloneDX is popular in AppSec and component analysis; SPDX is strong for compliance metadata. Many teams support both and even convert between them. (Sources: Sonatype and other comparisons.)
Correct Answer: SPDX and CycloneDX are both common; choice depends on use case and ecosystem
Example Code
Tools: syft, cyclonedx-cli, spdx-sbom-generator; convert between formats as needed
125. In container supply chains, what does Sigstore Cosign help you achieve?
Difficulty: MediumType: MCQTopic: SupplyChain
- Sign and verify container images and attestations, often with keyless O I D C identities
- Compress images for faster pulls
- Auto-patch the base image
- Scan Kubernetes logs
Cosign lets you sign images and store signatures in the registry. With keyless flows, the CI identity is proven via O I D C and recorded publicly, making trust decisions easier at deploy time. This directly supports artifact integrity and provenance checks. (Sources: Sigstore docs and introductions.)
Correct Answer: Sign and verify container images and attestations, often with keyless O I D C identities
Example Code
cosign sign --keyless $IMAGE
cosign verify $IMAGE
126. Which practice best reduces risk from typosquatting and dependency confusion?
Difficulty: MediumType: MCQTopic: SupplyChain
- Pin exact versions with lockfiles, use private registries/namespace rules, and verify publisher identity
- Always use the latest versions without review
- Disable code review to speed dependency updates
- Mirror only transitive dependencies
Attackers exploit name look-alikes and resolution rules between internal and public packages. Lockfiles, private scopes, and publisher verification cut this risk. A simple allowlist plus automated checks in CI prevents most mistakes. This is a favorite practical interview topic.
Correct Answer: Pin exact versions with lockfiles, use private registries/namespace rules, and verify publisher identity
Example Code
npm ci // honors package-lock.json
pip install -r requirements.txt # hashes pinned
127. Why is build provenance important for releasing software?
Difficulty: HardType: MCQTopic: SupplyChain
- It records who built what, when, with which sources and builder, enabling tamper detection
- It speeds up unit tests
- It replaces pentesting
- It hides vulnerabilities from scanners
Provenance ties artifacts back to their sources and the build process. Verifying provenance before deployment helps spot substituted code or compromised builders. Frameworks like S L S A formalize this as a release gate. (Sources: slsa.dev.)
Correct Answer: It records who built what, when, with which sources and builder, enabling tamper detection
Example Code
Verify: artifact.sig + provenance.json → policy engine before deploy
128. Which is a direct example of an SSDF-aligned control?
Difficulty: MediumType: MCQTopic: SupplyChain
- Separate, hardened CI with least-privilege tokens and auditable build artifacts
- Developers sharing admin passwords over chat
- Disabling code review on release branches
- Publishing unsigned images to production
SSDF emphasizes protecting tools and artifacts and proving that secure practices happened. Hardened CI, short-lived credentials, and evidence like signed attestations all support the framework’s outcomes. (Sources: NIST SP 800-218 summary pages.)
Correct Answer: Separate, hardened CI with least-privilege tokens and auditable build artifacts
Example Code
CI: ephemeral runner; O I D C to cloud; write-only to release repo; artifact signing enabled
129. How would you use an S B O M operationally, not just for compliance?
Difficulty: MediumType: SubjectiveTopic: SupplyChain
Treat the S B O M as living inventory. Feed it to vulnerability intelligence so you can answer “am I affected” quickly when a new CVE drops. Track licenses for legal risk. Compare S B O Ms across releases to spot unexpected component drift. Tie components to exploitability context so teams can prioritize by real risk, not just counts. Over time this reduces patch noise and speeds response.
Example Code
Workflow: generate S B O M → ingest to VEX/SIEM → alert on impacted components → create prioritized tickets
130. Why do reproducible builds increase trust?
Difficulty: HardType: MCQTopic: SupplyChain
- Anyone can rebuild the same source to the same bits, making hidden changes easier to detect
- They always run faster
- They remove the need for code review
- They allow builds without source code
When outputs match exactly, you can compare community builds against release artifacts. Differences point to tampering or non-determinism. Many S L S A recommendations implicitly push toward reproducibility for this reason. (Source: slsa.dev concepts.)
Correct Answer: Anyone can rebuild the same source to the same bits, making hidden changes easier to detect
Example Code
Strategy: pin toolchains; fixed timestamps; hermetic builds; containerized builders
131. For open-source intake, which gate is the most effective baseline?
Difficulty: MediumType: MCQTopic: SupplyChain
- Allowlist by namespace and license, static checks, and automated update PRs reviewed by code owners
- Auto-merge all updates without review
- Use only latest nightly builds
- Ban all dependencies
A realistic baseline mixes policy and automation: approve trusted publishers, scan for issues, and use bot PRs with human review. This balances speed and safety and is easy to explain in an interview.
Correct Answer: Allowlist by namespace and license, static checks, and automated update PRs reviewed by code owners
Example Code
Dependabot/Renovate + policy bot → PR with S B O M diff + risk notes
132. Describe a practical key management approach for signing code and containers.
Difficulty: MediumType: SubjectiveTopic: Crypto
Prefer short-lived keys tied to workload identity. In CI, use O I D C to get a token and sign with a transient key or a service that attests the identity, as Sigstore does. Store long-lived keys only in a managed H S M with strict roles and rotation. Record signatures in a transparency log when possible. Enforce verification at deploy time so signatures are not just decorative.
Example Code
cosign sign --keyless image:tag // CI identity via O I D C; verify on admission
133. How would you vet a third-party software supplier for supply chain risk?
Difficulty: MediumType: SubjectiveTopic: SupplyChain
Ask for an S B O M and vulnerability status. Review their build and signing process, including provenance and who can push releases. Check policy for reporting and fixing vulnerabilities. Map their controls to SSDF or SCVS so you have a common language. Finally, test updates in a sandbox and monitor behavior. This shows you can turn policy into real checks.
Example Code
Checklist: SBOM → signing & provenance → vuln SLA → access control → incident comms → pilot test
134. Outline concrete steps to harden a C I platform against supply chain attacks.
Difficulty: HardType: SubjectiveTopic: SupplyChain
Run builds on ephemeral workers. Isolate secrets and prefer O I D C federation to cloud over long-lived keys. Restrict who can modify pipelines and who can approve releases. Pin actions and plugins by digest. Scan build images and runners. Sign artifacts and generate provenance in CI, then verify in the deploy gate. Log everything to a central trail. These steps remove silent back doors and make tampering noisy.
Example Code
Pin: uses: org/action@sha256:…; runners ephemeral; least-priv tokens; admission enforces signature + provenance
135. A team wants a stepwise path with levels for build integrity controls. Which framework fits best?
Difficulty: MediumType: MCQTopic: Program
- S L S A levels
- Only ISO nine thousand one
- PCI D S S
- A generic uptime S L A
S L S A defines incremental levels that add controls for tamper resistance and provenance. It is designed as a staged journey for producers and consumers of software. (Sources: slsa.dev and Open S S F.)
Correct Answer: S L S A levels
Example Code
Plan: target S L S A 2 this quarter (central builder, provenance); S L S A 3 next
136. What is Nmap primarily used for in security assessments?
Difficulty: EasyType: MCQTopic: NetSec
- Port, service, and OS discovery on targets
- Encrypting network traffic end to end
- Detecting web vulnerabilities automatically
- Breaking password hashes with GPUs
Nmap, the Network Mapper, is best known for fast and flexible port scanning, service and version detection, host discovery, and OS fingerprinting. It helps you map an attack surface before deeper testing.
Correct Answer: Port, service, and OS discovery on targets
Example Code
nmap -sV -O -Pn 10.10.10.10
137. Which description best fits Wireshark?
Difficulty: EasyType: MCQTopic: NetSec
- A network packet analyzer for capturing and inspecting traffic
- A host-based antivirus engine
- A cloud compliance auditor
- A password recovery tool
Wireshark is a protocol analyzer that captures packets and lets you examine them in detail. It is widely used for troubleshooting, investigations, and protocol learning.
Correct Answer: A network packet analyzer for capturing and inspecting traffic
Example Code
tshark -i eth0 -f "tcp port 443" -w capture.pcapng
138. What is the core role of Burp Suite in web security testing?
Difficulty: MediumType: MCQTopic: AppSec
- Intercepting and manipulating HTTP requests and automating web scans
- Hardening Linux kernels automatically
- Collecting Windows event logs
- Decrypting wireless handshakes
Burp Suite is a PortSwigger platform for hands-on web testing. It acts as an intercepting proxy, supports manual probing, and can automate DAST-style scans with add-ons from its marketplace.
Correct Answer: Intercepting and manipulating HTTP requests and automating web scans
Example Code
Proxy: set browser to 127.0.0.1:8080, intercept on → modify request → forward
139. OWASP ZAP is mainly used to:
Difficulty: EasyType: MCQTopic: AppSec
- Scan and probe web apps as a free, open-source DAST tool
- Crack password hashes
- Image disk evidence
- Build Android apps
ZAP, the Zed Attack Proxy, is a widely used open-source web security scanner and proxy with automation options and a community add-on marketplace.
Correct Answer: Scan and probe web apps as a free, open-source DAST tool
Example Code
zap-cli quick-scan --self-contained --spider --scanners all https://target.local
140. What problem does Nessus primarily solve?
Difficulty: MediumType: MCQTopic: VulnMgmt
- Automated vulnerability scanning and reporting
- Real-time packet capture
- Memory forensics
- Container image signing
Nessus from Tenable scans networks, systems, and applications for known vulnerabilities and misconfigurations, then provides reports and remediation guidance.
Correct Answer: Automated vulnerability scanning and reporting
Example Code
Typical flow: discovery scan → credentialed scan → review CVEs → export report
141. How does OpenVAS relate to vulnerability assessment?
Difficulty: MediumType: MCQTopic: VulnMgmt
- It is an open-source vulnerability scanner within Greenbone’s G V M stack
- It is a Windows event log forwarder
- It is an exploit framework
- It is a protocol analyzer
OpenVAS is the scanner component of Greenbone Vulnerability Management, supporting authenticated and unauthenticated tests across many protocols with a frequently updated feed.
Correct Answer: It is an open-source vulnerability scanner within Greenbone’s G V M stack
Example Code
Run full and fast scan → validate findings → compare with credentialed results
142. Why do defenders deploy Sysmon on Windows endpoints?
Difficulty: MediumType: MCQTopic: Telemetry
- To log detailed process, network, and file-creation telemetry for detection and hunting
- To replace the Windows firewall
- To crack NTLM hashes
- To block outbound DNS
Sysmon is a Sysinternals service and driver that persists across reboots and writes rich security-relevant events to the Windows Event Log, such as process creation and network connections.
Correct Answer: To log detailed process, network, and file-creation telemetry for detection and hunting
Example Code
sysmon.exe -i sysmonconfig.xml // then ship Microsoft-Windows-Sysmon/Operational
143. What makes osquery useful to security teams?
Difficulty: MediumType: MCQTopic: Telemetry
- It exposes system state as SQL tables for fast queries across fleets
- It encrypts traffic between microservices
- It replaces disk imaging
- It is a web proxy scanner
Osquery lets you query endpoints like a database using standard SQL to retrieve processes, users, sockets, and more. It is cross-platform and designed for analytics and monitoring.
Correct Answer: It exposes system state as SQL tables for fast queries across fleets
Example Code
SELECT pid, name, path FROM processes WHERE name='powershell.exe';
144. Which statement about Suricata is accurate?
Difficulty: MediumType: MCQTopic: NetSec
- It is an open-source IDS, IPS, and NSM engine maintained by O I S F
- It is only a host antivirus
- It is a proprietary SIEM
- It is a memory dump analyzer
Suricata provides high-performance network intrusion detection and prevention and network security monitoring. It is developed by the Open Information Security Foundation.
Correct Answer: It is an open-source IDS, IPS, and NSM engine maintained by O I S F
Example Code
suricata -c /etc/suricata/suricata.yaml -i eth0
145. What is Snort commonly used for?
Difficulty: EasyType: MCQTopic: NetSec
- Rule-based network intrusion detection and prevention
- Disk encryption at rest
- Kubernetes admission control
- Log aggregation
Snort is a free, open-source IDS and IPS that performs real-time traffic analysis and packet logging using a powerful rule language.
Correct Answer: Rule-based network intrusion detection and prevention
Example Code
alert tcp any any -> 10.0.0.5 22 (msg:"SSH scan"; flags:S; sid:1000001; rev:1;)
146. How does Zeek differ from signature-only NIDS tools?
Difficulty: MediumType: MCQTopic: NetSec
- It focuses on rich network logs and protocol analytics for investigations
- It only blocks traffic inline
- It is a Windows-only EDR
- It replaces vulnerability scanners
Zeek, formerly Bro, is a passive network security monitor that generates detailed logs and enables custom analysis beyond simple signatures, supporting investigations and hunting.
Correct Answer: It focuses on rich network logs and protocol analytics for investigations
Example Code
Outputs: conn.log, http.log, dns.log for timeline and pivoting
147. What is the main purpose of the Volatility Framework?
Difficulty: MediumType: MCQTopic: IR/Forensics
- Memory forensics to analyze RAM images during investigations
- Static code analysis of source code
- Web application fuzzing
- Container orchestration
Volatility is an open-source framework for memory forensics. Analysts use it to extract processes, network artifacts, injected code, and other volatile evidence from RAM captures.
Correct Answer: Memory forensics to analyze RAM images during investigations
Example Code
vol.py -f mem.raw windows.pslist
148. Why do analysts write YARA rules?
Difficulty: MediumType: MCQTopic: IR/Forensics
- To describe byte or text patterns that identify malware families across files or memory
- To compress PCAP files
- To manage Kubernetes pods
- To brute-force SSH passwords
YARA lets researchers create rule-based patterns to find related malware in files or memory. It is widely used for hunting and triage.
Correct Answer: To describe byte or text patterns that identify malware families across files or memory
Example Code
rule find_rundll32 { strings: $a = "rundll32" nocase condition: $a }149. What is Hashcat primarily used for in security work?
Difficulty: MediumType: MCQTopic: Program
- High-performance password hash cracking for recovery and testing
- Endpoint antivirus scanning
- TLS certificate management
- Web API fuzzing
Hashcat is an advanced, multi-platform password recovery tool that uses CPU and GPU acceleration and multiple attack modes to test or recover passwords at scale.
Correct Answer: High-performance password hash cracking for recovery and testing
Example Code
hashcat -m 1000 hashes.txt wordlist.txt -r rules/best64.rule
150. Explain how Linux auditd helps incident responders and what data you would collect first.
Difficulty: MediumType: SubjectiveTopic: Telemetry
Auditd is the userspace component of the Linux Auditing System. With kernel audit rules, it records security-relevant events, such as file writes, privilege use, and syscalls, to an immutable log. During an incident, responders pull targeted aureport and ausearch results for key paths, sensitive syscalls, and identity changes, then correlate with endpoint and network logs. This timeline shows what changed, who did it, and when.
Example Code
auditctl -w /etc/passwd -p wa -k id_change
ausearch -k id_change | aureport -f -i
151. You need to investigate beaconing and possible data exfiltration. Compare using Zeek, Suricata/Snort, and Wireshark for this job.
Difficulty: MediumType: SubjectiveTopic: Program
Start broad with Zeek to get rich connection, DNS, and HTTP logs that summarize flows and give a fast timeline for beacon patterns. Use Suricata or Snort when you want signature-based alerts, real-time detection, or IPS blocking on known indicators. Drop to Wireshark when you need packet-level ground truth to decode protocols, confirm payloads, or extract files. In practice, teams combine all three to move from signals to deep proof.
Example Code
Zeek: zeek -i eth0
Suricata: eve.json alerts
Wireshark: follow TCP stream to verify payload
152. When would you reach for Burp Suite versus OWASP ZAP during a web assessment?
Difficulty: MediumType: SubjectiveTopic: AppSec
Burp Suite shines for deep manual testing using intercept, repeater, intruder, and its ecosystem, while also offering automated scans. ZAP is a strong free option for proxying, spidering, and automation pipelines with community add-ons. For quick CI checks or budget-constrained teams, ZAP automation is great. For advanced manual exploitation and commercial reporting, Burp Pro is often preferred. Many assessors keep both.
Example Code
ZAP automation: zap-baseline.py -t https://app.local
Burp: Proxy on, send to Repeater, craft request