Accreditation Bodies
Accreditation Bodies
Accreditation Bodies
Supercharge your career with our Multi-Cloud Engineer Bootcamp
KNOW MORECybersecurity is the domain of computer science that provides studies about methods, tools, and approaches to secure computing infrastructure. There is an enormous demand for skilled cybersecurity professionals, and cybersecurity jobs pay high salaries. Large MNCs often hire cybersecurity professionals to develop in-house security tools or managed security solutions. However, specialized security companies hired more cybersecurity professionals to research, develop and maintain security products and services. If you have a computer science background or are either a beginner or intermediate-level cybersecurity skill looking to establish your career in the domain, you will find this curated collection of cybersecurity interview questions very helpful as you prepare for different job roles and positions. These cybersecurity interview questions and answers have been curated by experts in the domain with rich experience working with the top tech companies worldwide. These are divided into interview questions for freshers and interview questions for experienced job positions.
Filter By
Clear all
Expect to come across this popular question in Cyber Security interview questions for freshers.
Threat: A threat in cyber security is an act to corrupt and steal confidential information. This action can be done by an individual or organization attempting to gain unauthorized access to a system and perform malicious activities. The main goal is to steal, cause damage, or disrupt the computing system. It is a negative event that takes advantage of the vulnerability and attacks the victim's system in order to steal and damage the data. A cyber threat can be caused by many different types of attackers, such as hacktivists, nation-oriented attackers, criminals and terrorists, hackers, and disgruntled or previous employees. This includes computer viruses, data breaches, Denial of Service(DoS) attacks, and other attack vectors.
Vulnerability: It refers to any weak spot within an organization's information or control system that cybercriminals can exploit to break into the system. These are the system's weaknesses that allow attackers to compromise an organization's assets. Every system has vulnerabilities, and it helps attackers deliver a successful attack more easily. Vulnerabilities are not generally introduced to a system, but they are present from the beginning and typically as a result of operating system damage or network misconfigurations occur. They can occur through flaws, features, or user errors, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal. These vulnerabilities are extremely important to monitor for the overall security posture, as gaps in a network can result in a full-scale breach of systems in an organization.
Risk: Risk is related to the loss of confidentiality, integrity, and availability of data or information that can affect the operational work of an organization. It is the measurement of loss that may occur from an attack that results in a huge loss of data or money. Cybersecurity risk is the probability of damage to critical assets and sensitive information from a cyber-attack or data breach within an organization's network. It may potentially impact the image and reputation of a brand or company. Risk is mainly defined by three components - threat, vulnerability, and consequence. Attackers seek a vulnerability and make use of it for an attack that leads to risk. As it results in actual harm and damage to the data, every organization must have a cybersecurity risk management strategy to help protect assets against evolving cyber threats.
Exploit: An exploit is any "piece of code" that takes advantage of a vulnerability or flaw in software to perform an attack. It takes advantage of the system's vulnerability to do malicious activities. Security researchers may write this code as a proof of concept threat or by attackers. An intruder can use an exploit to remotely access a network, gain privileges, and move deeper to the network's root. Exploit kits are popular among underground criminals as they provide management consoles and target different applications. The sale of exploit kits was first reported in 2016 by Russian underground hackers. These on-sale exploit kits were extensible by using the add-on to enhance the functions or customized to launch a different attack. The use of an add-on makes it easier to launch an attack. Often a multi-component attack uses various exploits to achieve its goal. Instead of using a malicious file, exploits can drop another malware, opening a backdoor path for trojans and spyware that can steal user information and perform many more activities.
Cross-site scripting is a vulnerability issue that arises within web applications. It especially occurs in websites with search engines, message boards, comment boxes, and login forms. Here, malicious scripts are injected into various trusted websites and carry-out attacks. It enables unauthorized users to execute their client-side scripts by other users and perform malicious activities. Cybercriminals exploit this vulnerability and inject executable files into the target website. Attackers target unsuspected end users and send them files with malicious scripts for execution. And the user has no idea about the file as they believe it came from a trusted source. This script can access sensitive content like session tokens, cookies, and other info within that page.
It can also alter the website's HTML page content by rewriting. Depending upon the injected files, the malicious scripts may not be present on the actual website, and they may transmit elements for the time being for exploitation. It creates the illusion of the actual website being compromised when it’s not, so victims get lured. These injected scripts can be harmlessly annoying or very dangerous, depending on the attackers. Harmless as an unexpected image shown on a legitimate website that may harm the reputation. It can also run malicious files automatically to steal sensitive data like login details and other confidential information depending on the attacker’s strategy.
Cross-site scripting (XSS) are of three types:
To avoid this, website owners can verify each input string before generating output for those strings in case of any code injection to the strings. Website developers should check for vulnerabilities and patch them accordingly. Keeping the websites updated and checking the server regularly to detect any issues. Users can avoid the issue by disabling scripting and avoiding clicking on suspicious links.
Honeypot is a technique to lure attackers by creating a virtual trap. It’s a decoy system to attract cybercriminals to study their moves. A computer system is compromised intentionally and exploits vulnerability through which attackers trespass without knowing they are exposed. Honeypots are used to detect and study various techniques of attackers and how they carry out their operations.
It acts as a potential system on the network and informs any unauthorized access to the system to the defenders. Various types of honeypots are present according to the organization’s needs. They are used to redirect the attacker’s attention from the actual target. As it's basically a trap, it should be attractive enough to capture the attacker’s attention for other processes to be done. Once trapped, we can study crucial information about the type of attack and other operations. Sometimes the actual system has the honeypot to check how the system exploits the attackers.
Like the decay, the system has a credit card and other confidential information, and an attack breaks down. Now defenders can learn how they are approaching and stealing the info, and according to that, a stronger information system can build.
A common common cyber security interview question, don't miss this one. Malware is short for "malicious software." It is the term used to represent all computer programs that are "purposefully or intentionally written to perform some malicious activities." The intended malicious activities depend upon the attackers and can be simply from password stealing to installing spying programs or anything depending upon the need.
Now to achieve different needs, these malicious programs need to be written in unique ways and should have special functions. Such diverse needs give rise to different types of malware, such as viruses, worms, trojans, botnets, and ransomware. Different types of malware are intended to achieve various tasks depending upon the attacker's needs.
To give an example, let's understand the difference between a trojan and vs botnet; a trojan is a malware that tries to hide its malicious intention (password stealing, spam email sending, etc.) by pretending to be a benign application such as a downloader software or music player. Similarly, a bot infects a device and aims to give control of the infected system to the master (often known as bot master). A bot master gets access to many infected devices through the bot and which is known as a botnet.
There are two important notes about malware:
Zombie system is a term used for a hacked computer that an attacker can remotely control. The computer system can be hacked using malware installation or exploiting any vulnerability in the system by the attacker. Attackers use zombie systems for many purposes, such as sending spam emails, operating as a proxy system, etc. The zombie system is also used to launch an attacker on another computer within the internal network or out of the network.
A bot is a computer program that is used to infect a computer program and connect back to an attacker's computer. Bot programs are tiny in size and often have the capability to execute the command. Bot programs are connected via a command and control server, issuing further instructions and commands. The attacker who controls the command and control server knows as the bot master.
The botnet is a network of similar bot programs. Every newly infected machine by a particular bot program join the network, and all infected system and command and control server all together are called a botnet. With a botnet, an attacker gets access and control of many computers at the same time. These computers, i.e., victim's devices, can be geographically distributed and very suitable for DDoS attacks. The botnet is also used to install further malware, like banking trojans, keyloggers, etc. A botnet can have centralized and decentralized command and control. Mirai, ZeuS, and Emotet are some popular botnets.
The term social engineering is used when a person's cyber system (Internet account or computer system) t affected by social manipulation by the attacker. It’s a tactic to deceive people by manipulating them to gain access to their information system. They trick humans into making security errors and expose their vulnerability to gain access. This attack can happen online or in in-person mode, depending on the strategic plan for controlling the system. Some victims may not know that they are being watched and exposed to confidential information. Social engineering has two goals, one is to breach or disrupt the data, and the other is to steal the data. Attackers first gather background information then they try to build a trusted connection. Once you believe the bond and expose your weakness, they start attacking and stealing the data.
Phishing: It’s a type of social engineering attack that is used to steal users’ personal information like login details and credit card information. Here, attackers make victims open any link, email, or instance messages. Once they click on the link, malicious files get downloaded without the knowledge of the user. Sometimes this attack freezes the system for the time being as a ransomware attack, or it may expose sensitive information about the system. Attacks like advance persistent threats (APTs) and ransom demand generally start with phishing.
In simple terms, a brute force attack is a method of trying all possibilities. For example, an ATM machine uses four digits as a lock PIN to identify an authentic user. Now, suppose an attacker gets access to a debit card and does any transaction. In that case, the attacker can try all possible four digits combinations one after another to get the actual PIN. This way attacker can pretend to be a genuine user.
A similar brute force attack approach can be applied in other authentication and authorization system like password-based authentication, OTP (one-time password), etc.
Brute force is a straightforward attack method so anyone can use, but it is time-consuming. There are many methods to fail or restrict a brute force attack by further increasing the required time to perform a brute force on the system, for example, locking the account after a limited number of wrong attempts (three in the case of the ATM example) or adding time validity to OTP.
A password cracking attack is a method to recover the password. Password cracking can be done with or without any given hashed value.
For example, try a dictionary word as a password for a particular username (it is similar to a brute force attack). But usually, password cracking is done to recover plain text from its hashed format.
Suppose an authentication system stores passwords in MD5 hashed value to protect it in case of any theft or internal user. Now, an attacker gets access to the password, but it is in a hashed format, so that can not be used. So, the attacker's job is to crack the password, i.e., get the original text for the equivalent hash value. As the hash value is one-directional, i.e., there is no direct way to reverse a hash to the actual text value.
In this scenario, various password-cracking method is used, such as rainbow table and dictionary-based attack. In the rainbow table attack, the attacker uses a table with pre-computed text phrase and hash, so the attacker needs to search with the targeted hash in the rainbow table.
Like the rainbow table attack, the attacker used plain dictionary words as a password in a dictionary-based attack. It is a brute force attack but restricted to dictionary words. There are many password attack dictionaries available to speed up brute forcing.
The intrusion detection system is a monitoring system that detects suspicious activities and alerts about them. Cybersecurity analysts can investigate the issue and take needful actions based on the alert.
There are two types of IDS
The key purpose of HIDS is to monitor and analyze the system configuration and various activities running on the system related to the network. The HIDS client/sensor can be installed on a device like a desktop PC or a server. These sensors take a current snapshot of existing system files and compare them with previous ones.
It looks for unexpected changes, such as the deletion of files, unknown access to certain ports, unusual client-server requests, etc. Then it alerts the administrators to investigate such activities. As some attacks can be made from the internal system of the organization, a host-based intrusion detection system is mostly used in mission-critical situations on each host in a network.
NIDS is used to monitor traffic from all devices residing on the network. It performs traffic analysis on the entire subnet and matches the ongoing traffic that is passed on the subnet library to detect any kind of attacks. When an attack or abnormal behavior is identified on the network, it alerts the administrator for further investigation. An example would be installing NIDS on the subnet where the firewalls are placed in order to check if someone is trying to break into the firewall. Generally, scanning all inbound and outbound traffic can detect any abnormal behavior. However, doing so might create a bottleneck and affect the overall speed of the network.
Network sniffing is a technique to monitor and record inbound and outbound network traffic by using sniffing tools such as Wireshark. During a network sniffing, all the network packets which travel from source to destination are recorded. These network packets carry lots of information like source and destination IP, port, and other protocol-specific configurations along with data.
Network sniffing has both benign and malicious use. For example, a network administrator uses network sniffing to observe the network status, such as bandwidth, failure, etc., and can use the information to fix any issues with the network. Similarly, security professionals can use captured packets to analyze and find any ongoing or past attack patterns. However, there is the malicious use of network sniffing, and the attacker uses it to understand the network behaviors, launch an attack, and extract credentials from unencrypted traffic.
Network sniffing can be carried out in the active or passive form. In active network sniffing, the third-party user (administrator or attacker) actively participates by modifying the content of network packets, like changing the source or destination address.
In contrast, passive network sniffing is very stealth; can user can only observe the network traffic or store the packets but strictly does not modify the content of the packets. Wireshark, Tcpdump, Windump, and network Miner are popular network sniffers.
Viruses, worms, and Trojans are all classes of malware, and each represents malware with a specific set of characteristics. For example, viruses represent all of that malware that replicates itself on the infected computer with user interaction. Most of the viruses attach themselves to other programs and get executed along with the execution of the benign program. The main aim of the virus program is to consume the resources in the infected system. The first know virus was named "brain"; since then, there have been many known viruses, such as "ILoveYou".
In contrast to virus programs, worms replicate over the network and do not require user interaction. "Morris" is the first and most popular known worm program.
Trojans are totally different from virus and worm programs in their infection, structure, and motives. Trojan malware structure and characteristics are inspired by the famous story of "soldiers hiding inside the big wooden horse". Similarly to this, attackers hid malicious code inside genuine-looking software promoted as free software. Once the user downloads and install these infected free software, the software works as listed features but executes the hidden malicious code without the user's knowledge. Trojan horses do not replicate but may offer initial infection points of further payload or another kind of malware. Zeus is one of the most popular examples of trojan horse malware.
Keylogger is a type of spyware that is used to steal information by recording consecutive keystrokes on which it is placed. It is the short form of a keystroke logger that log and spies on what you type on your keyboard. It not only monitors but also notes each keystroke on your system.
Keyloggers can enable cybercriminals to eavesdrop on what you do, watch you on your system camera, and listen to conversations over your smartphone's microphone. Keyloggers can fetch sensitive information like login credentials, credit card numbers, banking details, etc. It records and stores such information and sends those to the cybercriminal behind it. Different kinds of keyloggers are there; some record a broader range of inputs and do insidious activities.
A keylogger can be installed either as hardware or software. The Hardware keylogger can be embedded as an internal part of the PC itself or can be plugin secretly as an add-on, for example, between the keyboard and CPU. Software keyloggers can be installed like any other malware. Apart from malicious purposes, there are legitimate and legal ways to use a keylogger. For example, parents can use them to keep track of their kids online, and organizations can use them to monitor their workers.
Reconnaissance is a technique to collect detailed information about the target in stealth mode. It is the first step for the attack and defense team. Attackers use collected information to launch an attack on the target. In contrast, the defense team (pen-testing or ethical hacking team ) uses the collected information to provide a report on attack possibility and help to develop defense solutions.
Reconnaissance is often carried into multiple steps and iterations by utilizing information collected in the previous step and iteration. For example, basic information about a target will be collected, say the target is a network, then devices used, etc., are the initial information which will be further used to get more information like network topology, application, running services, software version, etc.
The reconnaissance technique depends upon the target type. For example, various network tools and techniques will be used for a network. If the target is an individual, then social engineering can be suitable. However, various techniques and sources are often combined to gather more information about the target and ease attacks.
Personally Identifiable Information, or PII, is all the data that can be useful to identify an individual. For example, name, email, date of birth, fingerprints, social security number, etc., are some examples of PII. Sometimes an individual PII can be enough to identify the individual or a combination of one or more PII will make the identity recognizable. For example, the social security number individually identifies an individual, while zip code is required to be used with other PII to be able to identify an individual, like a street number. PII is very important, and leaking PII can lead to various cyberattacks. So anonymization techniques are applied when there is a need to share PII for some specific requirements. Many privacy protection laws, such as GDPR, are also enacted to protect PII and users' privacy in the digital world.
Impersonation is one attack that misuses the PII. In an impersonation attack, the attacker utilizes the victim's PII and represents themself to that particular individual in online communication or remote communication. For example, an attacker can use the date of birth, phone number, parent's name, etc., to verify identity over the phone to the bank representative and then misuse it for getting or resetting account credentials, money transfers, etc. PII is also used for social engineering attacks in which attackers use this information to gain the victim's trust and further exploit them to get more information.
Identity theft is similar to impersonation, but in this, attackers mostly create the fake identity of the victim by using PII and other resources such as photos and other information. Once an attacker establishes a fake identity that can be misused for a further attack, like phishing over social media, etc.
It's no surprise that this one pops up often in interview questions on Cyber Security. Hacker is a weakly defined term and is often used for the attacker or cyber criminals. However, a hacker can be anyone who uses unconventional ways to access the computer system. On the basis of working methods and motivations, a hacker can be grouped into different groups such as white hat, black hat, gray hat, blue hat, and red hat. The white hat is used for ethical hackers, which means security professionals who test systems for preventive measures. In contrast, the black hat is used by cyber attackers who misuse computer access for malicious purposes. In contrast, the gray hat is used for security professionals who need to change the role between attackers and defenders.
Compared to previously defined hacker types, the blue hat and red hat is a well-defined terms for blue and red teams used for a security firm to test, develop and defend software and services. Blue team has security professionals who specialize in defense skills and work to detect and defend against attackers.
Security professionals in the Red team have attack skills, and they utilize their skills to test the system's defense by devising new methods and techniques to attack the system under observation. In larger organizations, both teams have separate people, while in shorter or mid-size, same professionals switch roles to act as a blue hat or red hat.
Apart from these terms, other terms are used to define the specified type of attackers; for example, script kiddies indicate attackers who possess very minimum skills and often use existing scripts to perform attacks. Similarly, hacktivists are used those attackers who target the government or private targets for activism.
IP stands for Internet protocol. The main task of IP is to deliver the packets from the source to the destination based on the IP addresses. It defines the structure of the packet and hides the data and the addressing method. This technique labels the datagram with source and destination information. The first version of IP was IPv4 which is a 32-bit address; later, in 2006, IPv6, which is 128 bits, was notified by IETF. IP is added with transmission control protocol and forms a TCP/IP model that is used for end-to-end delivery of packages. By adding IP to the TCP and UDP, we can build wireless connections, so internet protocol is also known as TCP/IP and UDP/IP.
A port is a virtual point where a connection start and ends. Each port is associated with specific tasks, differentiating the computer system on the traffic. It can be a programmatic point where information flows from a program to the system or over the Internet. A network port is provided by the Transport Layer protocols of the Internet Protocol suite, that is, for TCP and UDP. It generally serves endpoint communication between two computer systems.
Media Access Control (MAC) address is known as the physical address. A vendor-specific unique combination of numbers represents it, and it is assigned to each device that connects to a network. The unique combination is made up of 48 bits number that is embedded in the network card during manufacturing. For easy writing and reading, the 48 bits are normally represented by 12 digit hexadecimal number separated by a colon into six pairs. It provides a trustworthy mechanism to find senders or receivers in the network, and MAC-based filtering is used to prevent unwanted access to the network. The data link layer uses MAC to identify hosts on the network. It's unique for all devices. ARP and RARP protocols map IP to MAC and vice-versa, respectively.
The IP address and the Port number combination are called a socket or socket address. The socket address is useful and associated with OS and network connection processes.
Authentication is the process of verifying the identity of a user to offer products and services. Passwords and biometrics have been the most used methods for authentication. Biometric is more secure; however not suitable to be used with the Internet, so passwords have been prevalent for authentication for web and online services.
Due to the weakness and the possibility of stealing or cracking passwords, recently, two-factor authentication has been developed. Two-factor authentication advocates using two separate mediums to authenticate a single user/sign-in. For example, with a password, the user must also provide an OTP (one-time password) sent as an email or SMS. Two-factor assumes that it is hard for an attacker to gain control of two mediums simultaneously, so two-factor will improve security.
Two-factor authentication is implemented by any combination of two secrets, such as a password and OTP, a password and app-based password, and a password and two OTP (email + SMS). Overtime OTP has been improved by adding expiry time with OTP to reduce attack surface further. On the smartphone, the password is also combined with biometrics such as fingerprint or face recognition or PIN to provide two-factor authentication for sensitive operations.
Authentication and Authorization are used in combination to protect access computing resources from unauthorized access. Authentication assures and verifies the user's identity, while Authorization uses the user's identity to grant or reject access to the resources. Authentication is done by asking for and validating the pre-agreed or chosen credentials. Registration is the process of choosing or agreeing to use credentials, such as usernames and passwords, security questions and answers, or biometrics, such as fingerprint or facial recognition. During authentication, user's asked these credentials and match them with pre-stored info and only grant permission if both matches. While Authorization verifies whether access is allowed through policies, Authorization always comes after successful authentication. Authorization works with access rights, and users get access to a resource based on their verified identity during authorization. For example, if a user is authenticated as an "admin," they can install software or delete files on the devices. At the same time, a simple user can't perform these operations.
Let's use a real-life example to differentiate; in a university, students and staff both have access cards. Entry to the university is allowed for both after authenticating themself as students or staff. At the same time, access to the question vault is only authorized if the identity is staff, while the entry of "student" is not allowed.
Cross-site request forgery (CSRF) attacks exploit and bypass the same origin policy of web applications which aims to protect websites' inferences in each other contents and access. Using CSRF, the attacker tricks users into performing unintended actions that fulfill the attacker's purpose, and often users are unaware of the performed actions. For a CSRF attack to be successful, three key conditions must be fulfilled:
Secure Shell or SSH is a network communication protocol that allows two computers to securely share data and communicate with one another. SSH has the inherent feature of encrypting all the communication between two computers, making it possible to secure communication over open and insecure networks channel.
Mostly SSH is used for "login" into a remote computer and performing operations; however, with SSH, data transfer can be done securely. Many programs are available that enable SSH clients for this communication, and some operating systems, such as Mac OS X and Linux, have this capability built-in. SSH clients typically support SCP (Secure Copy) and/or SFTP (SSH File Transfer Protocol) for transferring data to/from the server. Clients use a program on their computer to connect to the service server and transfer the data to/from their storage using either a graphical user interface or a command line.
A VPN (a virtual private network) is the most simple and effective way to protect internet traffic and maintain online anonymity. When a user connects to a secure VPN server, their internet traffic is routed through an encrypted tunnel so even attackers, governments, or the internet service provider, can know about the content. To protect and enhance privacy, the user should use a VPN every time when connects to the internet. The VPN application runs as a background process, so it doesn't interfere with the user's activities, such as browsing, chatting, gaming, or downloading.
In software and computer, reverse engineering is the process of recovering high-level programs from binary or low-level representation. In this process, a piece of software or hardware is taken, and an analyst analyzes its functions and information flow to understand its functionality and behavior.
In computer security, reverse engineering is used to investigate binary files for security analysis. However, reverse engineering is mainly used for malware analysis for developing tools to detect and protect against known malware. For example, reverse engineering creates a signature for detected malware and adds to anti-virus software. A cyber reverse engineer examines malware and software by breaking it down to pure code to understand its potential vulnerability better. Malware analyst also works to determine how the malware affects existing security and help create detection and prevention mechanisms.
Disassembling and debugging are very helpful techniques for reverse engineering. Disassembling is done with the help of a disassembler that converts binary files to human-readable assembly code that can be analyzed by the analyst for functionality or to find malicious code blocks. With a debugger's help, we can understand the program flows. It works with source code or even with binary files. Often tools have both these functionalities together. For example, IDA Pro, Immunity Debugger (ImmDBG), and Olly Debugger (OllyDBG) are some very popular, powerful, and most-used disassemblers and debuggers.
Job stability concerns computer-related fields like software development, testing, and marketing. However, cybersecurity jobs are very stable for two main reasons. First, there is a consistent shortage of skilled cybersecurity professionals, which makes cybersecurity professionals demanding, and hence layoffs, etc., very rare. Second, the specific skills required for cybersecurity jobs. Various job roles in cybersecurity require specific skills which are difficult to gain and often require long training and practice. For example, learning malware analysis required lots of practice and specific skills like reverse engineering and static and dynamic analysis, etc. It takes time to learn the required skills, so jobs are stable in cybersecurity domains. The fact is, due to job stability, many software developers are learning through online courses for a cybersecurity job switch.
Yes, software development and cybersecurity are two different domains and hence require different skills, and both have different jobs or work styles. The significant difference is that software development requirements come from a client that can be understood properly, and over time changes can be made as per the client's request, so work requirements are very well defined. In contrast, cybersecurity jobs often protect systems, software, and resources from an unknown adversary, which is very challenging. The defense and development are mostly done for unknown causes and ever-evolving attackers. Many cybersecurity professionals agree that working in the domain is like a cat-mouse game that is fun and challenging simultaneously.
Today, computer and ICT are used everywhere, and there is seldom any organization that doesn't use software and services in their day-to-day activities. So, in short, now every organization hires cybersecurity professionals directly or gets security services by outsourcing them to a specialized security company. Hiring security professionals also depends upon organization size, i.e., a large-sized company can have an in-house cybersecurity team. In contrast, a small-sized company prefers to outsource its cybersecurity requirements. While working as a security professional, you will be working for a large variety of companies and products; for example, you may be building products or protecting the digital resources of a fashion company or a drug manufacturing company. Lastly, to name a few organizations, a financial organization like banking, trading, etc., needs more cybersecurity professionals. Similarly, a digital company (an organization whose business depends upon ICT) needs many cybersecurity professionals to keep their products and services uninterrupted against cyberattacks. In addition, organizations with lift critical services like smart grid or smart transportation services also need cybersecurity professionals given the critical nature of services. Both private and public organization hires cybersecurity professionals.
Malware detection is the process of identifying any type of malware on computing devices. Generally, these processes are implemented as software called anti-virus or anti-malware software.
Malware detection techniques can be divided into two main groups: Signature-based detection and non-signature-based detection.
Signature-based detection is very simple, and it is similar to the real world, where a signature is used to identify an individual. Similarly, malware analysts (from an anti-virus company) create a signature for all known malware samples and supply these signatures with the anti-virus product. So, the job of an anti-virus system is to scan all targeted files against the signature list and flag any matching files as malware.
There are a couple of key limitations and challenges of signature-based methods, such as:
Recently, many companies and researchers have developed non-signature-based methods to address the limitations of signature-based techniques. These non-signature-based method doesn't use signatures and try to profile the malware behaviors, so they can detect new malware, and scanning is also faster. Machine learning-based solutions are also being used, which have also come under non-signature-based techniques.
One of the most frequently posed cyber security interview questions for experienced, be ready for it. Malware analysis is the process of analyzing malware samples to understand their functionalities to develop detection and prevention solutions. For example, malware analysis creates a signature for anti-virus software. Similarly, malware analysis is used to extract features for building machine learning-based malware classifiers in the case of ransomware; malware analysis help to find out ways to decrypt or recover the files infected by the ransomware.
Malware analysis can be done in two ways: static or dynamic. In static analysis, the malware sample is not executed. In contrast, in dynamic analysis, the sample under observation is executed in a safe and isolated environment, also known as a sandbox. The aim of static analysis is to understand the structure and static features of the sample. Static analysis is supported by reverse engineering. However, static analysis has limitations; for example, understanding the encrypted or complex code is difficult. In addition, modern malware has anti-analysis features like packed or polymorphic code.
The dynamic analysis provides solutions for the limitations of static analysis by executing and observing files in an analysis environment, also known as a sandbox. However, modern malware also has the capability to avoid dynamic analysis by the use of conditional code blocks. So the malicious code only gets executed if the code is running in a real device and stays dormant in the sandbox. Despite these limitations, normally, dynamic analysis helps to understand network activities, file operations, and OS interaction very well by recording the system instructions. Cuckoo Sandbox is very popular for dynamic malware analysis.
Dynamic analysis is costly in terms of computing and time requirements. So, the sample is triaged for dynamic analysis after static analysis. However, malware analysts perform static and dynamic analysis for a complex malware sample to better understand by correlating findings.
This question is a regular feature in cyber security engineer interview questions, be ready to tackle it. A firewall can be software or hardware to monitor and filter inbound and outbound network traffic. Network filtering can mix commonly known threat patterns and organization-specific requirements. The filtering is performed by configuring rules in the firewall.
Generally, a firewall sits between an internal and external network and performs the gatekeeper role to allow and deny network traffic based on the rules.
A firewall can simply scan all the network packets or filter based on application-lever configuration. A firewall is not industrial software, so even a simple user can configure and use a firewall on their device. For example, iptables provides firewall features for Linux and Windows defender for Windows OS.
Based on functioning (filtering method), there are four types of firewalls;
It scans individual network packets and applies filtering rules. Due to working on isolated packets, it is easy to bypass the rules. However, it is simple, very fast in scanning, and does not require many computing resources.
Such application has filtering rules based on the applications.
In contrast to packet filtering, stateful inspection considers packets' context by using the packets' relationship with each other. It is slow and often requires more resources due to storing packets for collection and finding relations with other packets.
It is the term used for a firewall that combines or uses features of other security solutions, like a firewall with IDS and IPS capabilities.
DMZ (Demilitarized zone) is the term used for an isolated computer network zone that has a different access policy than the external and internal network. Access to resources under DMZ often has very high restrictions because it has very sensitive resources like email servers, DNS servers, File servers, web servers, and proxy servers. DMZ is created to provide fast access to the in-house server through the internal network and protect these resources from attacks that may be possible via an external access. Interestingly, the DMZ is within the internal network but not directly connected or accessible via internal devices. DMZ can be designed with a single firewall or dual firewall setup. DMZ works on the principle of "security by isolation," which is very simple to the sandbox, which isolates the execution of the application, and DMZ isolates network access of critical networked resources.
The software and applications store the password in hashed form to prevent or delay password cracking by external or direct access to passwords by internal attackers. An internal attacker says the system admin can easily get the user's password if the password is stored in plain text. Password cracking is a method of getting a user's password, and it is done via interacting with the authentication system or, many a time, the attacker gets access to a password dump in hash form (the result of a hack, etc.).
The rainbow table is used for cracking a hashed password. It is simply a table of dictionary words and equivalent different computed hashes (MD5, SHA, etc.) of each word. It aims to speed up password cracking with pre-computed hashes and offers a simple search of the target password hash to get the password in plain text.
A dictionary attack is another password-cracking attack, and it often attempts to get the password from the authentication interface by trying various dictionary words. So, a dictionary attack uses different dictionaries (similar to the rainbow table but without computed hashes) during the cracking. These dictionaries are custom-made to narrow down possible passwords, for example, a dictionary with first and last names, a dictionary with the most used passwords, a dictionary with the date of birth in various formats, etc. Most password-cracking tools come with a pre-available dictionary, and attackers can add their own custom dictionaries.
Denial-of-Service attack (DoS) is a method in which the attacker aims to stop any system's service offering. For example, a DoS attack on an email server will stop the email services such as forwarding and receiving emails. Generally, a DoS attack is launched by misusing the genuine features of the system; for example, an email server is supposed to receive any email that has an email server address as the destination. An attacker can now send many emails (junk emails) to the targeted email server by knowing the maximum memory or number of possible emails the server can handle. And when the server reaches its maximum limit with junk emails of attackers, it will stop receiving any further emails (benign emails), known as a DoS attack.
DoS attack is a very old method, so many techniques exist to detect and prevent DoS attacks. For example, in the previous example, the email server can limit a user's email count and filter any user who tries to send more than the limit.
Distributed Denial-of-Service (DDoS) is an updated version of a DoS attack. It tries to bypass many DoS prevention implemented by the system. In DDoS, the attack is launched by different devices, so the user-based filter on the victim machine can't separate the attacker and the benign user. Often, a single attacker controls many devices by getting unauthorized access or using a botnet to automate the process. Apart from directly sending attack packets from zombie devices, there are methods where attackers indirectly distribute the attack. For example, a DNS Flood attack just exploits DNS reply functionality by replacing the reply-to address with the victim address and making DNS requests to various DNS servers.
Sandboxing is a process for running an untrusted software program in a restricted environment. In cybersecurity, suspicious code is run, observed, and analyzed in a safe, isolated computing environment. It is important that the sandbox mimics end-user operating environments (OS and other application software).
Sandboxing confines the code to a test environment, preventing it from infecting or damaging the host machine or operating system. Sandboxing is a preemptive way to improve an organization's security by proactively restricting risky software. Sandboxing works by isolating potentially malicious or dangerous code from the rest of the organization's environment. This allows it to be safely analyzed without compromising your operating system or host devices. If a threat is detected, it can be removed immediately. Sandboxing can be used in multiple tasks like cloud-based implementation, software bundles, a web browser extension, and dedicated appliances onsite in an organization.
Sandboxing is very useful for dynamic malware analysis because it helps to understand the functioning of malware without any side effects of executing the malware for observations.
SQL injection (also SQLi) is one of the most common code vulnerabilities. An SQL injection attack occurs when an attacker inserts or "injects" malicious SQL code into the application's input data. SQL injection allows the attacker to read, modify, or delete sensitive data and perform administrative tasks on the database.
SQL injection attackers simply modify an existing SQL command to suit their needs. SQL statements are used in many website applications, from providing a list of customers to identifying visitors with usernames and passwords against a server-side database.
The SQL injection attack can return information about all employees by modifying a SQL command to remove limitations such as vulnerability scanning for only active employees or those in a specific department to which the user has access. This could lead to the disclosure of sensitive personal information.
The most common method for preventing SQL injection is to code SQL queries with parameters in a more controlled manner. Instead of structuring the command solely from user input content, this method, known as parameterized queries or prepared statements, uses a pre-defined query with filter options supplied as parameters. Implementing an intrusion detection system can assist in detecting user behaviors that attempt to exploit application vulnerabilities.
Sanitize or validate any browser-supplied input values that will be used in the SQL query when creating SQL commands. To detect problems, use DAST/SAST tools. Install a web application firewall (WAF) capable of detecting and filtering SQL injection attacks (along with other vulnerabilities.) Such firewalls weed out known threats by constantly updating lists of signatures that should be blocked.
Using best practices in web application development and performing SQL injection tests as an integrated step in development will provide better SQL injection vulnerability protection. This additional level of testing can be accomplished by incorporating static (SAST) and dynamic (DAST) analysis tools into the development pipeline.
Spyware is malware that monitors and tracks user actions as well as collects personal information. Spyware programs generally install themselves on the user's computer and profit the third party by collecting data from the user without his knowledge. Furthermore, spyware steals users' passwords and personal information by running in the background of the system. Common types of spyware are Bonzibuddy and Downloadware.
Ransomware has emerged in recent years and can target individuals or organizations. Ransomware is malware that is designed to prevent users from accessing their own systems until a ransom fee is paid to the creator of the Ransomware. Ransomware is far more dangerous than regular malware and spreads via phishing emails with infected attachments. A ransomware infection can encrypt the entire operating system or a specific file, which largely depends upon the nature of Ransomware (that comes from the attacker's motive). A sum of money is then demanded from the person whose data has been held, hostage. To protect your system from Ransomware, keep an eye on it and have the proper security software installed from the start because prevention is always better than cure. Types of Ransomware are CryptoLocker, Bad Rabbit, and WannaCry.
Expect to come across this popular question in interview questions on cyber security. Traditionally, the CIA triad refers to three key security requirements, i.e., confidentiality, integrity, and availability. Confidentiality refers to keeping information secret and only accessible to authorized users. Integrity focuses on detecting modification of data, i.e., it is possible to know and verify even a single bit of modification of data, and it is applied to both stored data and communication data. Availability aims to guarantee the access of services and resources to the intended user whenever demanded.
These three are well-accepted and established security requirements. However, over time, authenticity and non-repudiation also became key security requirements and were often referred to as an extended CIA triad. In addition to these, there is another extension of the CIA as Parkerian hexad, which added three more elements of information security to the existing CIA, and those newly added elements are Possession or Control, Authenticity, and Utility.
A backdoor is a code block inserted into software to allow hidden access to its creator or someone who learns how to invoke the existing backdoor. A backdoor can be created for both fun, benign and malicious purposes. For example, a developer inserts a backdoor to go around the authentication for show-off. The benign use of a backdoor can be an administrative tool for monitoring or managing the software. The fun and benign backdoors can be a security risk because they can be found by threat actors and exploited. Many malware also install backdoors after infecting the victims and deleting the infection code to avoid detection. A backdoor can be the main malware payload or the first stage of installing more complex malware.
A rootkit is a special type of malware that runs at the lowest level and is often placed between hardware and OS. So, the rootkit can only be installed on a target machine when the attacker has root-level access to the device. Detection of a rootkit with OS-level security software is impossible because it can control the system call and modify the response. A rootkit-infected system turns into an always-open access system for the attacker. Due to the privileged access, with a rootkit, an attacker can elevate privileges for another user on the devices. Mostly, the rootkit opens to receive commands and execute them locally on the infected machine. A rootkit is also one method to create a backdoor into the infected system, which is hard to detect and has root access to execute a command on the system.
Traceroute assists in determining the precise path that a data packet must take to reach its destination. The user can enter tracert <ip address> into the command prompt.
Ping is a command that can be used to test network connectivity and name resolution. To test network connectivity, go to the command prompt and type ping <ip address> followed by the enter key.
If there is no response to the ping request, then the tracert command can be helpful in finding the failure point of the data packet.
The major difference between the two is ping is a network connectivity and name resolution test. Traceroute assists in determining the precise path of a data packet to its destination. It also assists in determining whether the fault occurred along the path.
Traceroute is a network utility that tracks a packet's path across a network from source to destination. Ping is a popular network utility tool that is used to test the connectivity of two nodes or devices.
In conclusion, traceroute and ping appear to be similar, but they are not. The distinction between ping and traceroute is that the former is used to test network connectivity and name resolution. In contrast, the latter determines the actual path from source to destination.
A MAC address is a 48-bit unique address assigned by the manufacturer to a network adapter to transmit data to the destination host. In the network layer, MAC is associated as a sublayer in the data link layer, which is responsible for physical addressing. If a device has multiple network adapters, such as Ethernet, Wi-Fi, Bluetooth, and so on, each standard will have its own MAC address, which makes the device more vulnerable to flooding attacks. The attacker can also use an ARP spoofing attack as a shadow attack to maintain access to private data after the network switches recover from the initial MAC flooding attack.
The attacker floods the switch with a massive number of requests, each with a forged MAC address, to rapidly saturate the table. When the MAC table reaches its storage limit, it replaces old addresses with new ones.
The IP address used on the internet is literally called your PUBLIC IP address. An IP address is needed for source and destination information. The typical hacker can look up your city and state with an IP address since one’s local ISP owns that IP address. If it is in a database somewhere, then MAYBE they can correlate that IP to your name and address. They can scan for open ports on your router (this is something you have to do manually), and even then, they will need to be able to hack/exploit whatever program that port is tied to.
The IP, the hacker gets is the Public IP of the router, not your computer itself. The router has a fundamental feature called NAT (Network Address Translation); this feature provides a roadmap to the router to know who asked for what data.
A port in the computer network is represented by a number and is associated with the network protocol. Each Port is specific to a service that maps to a running process on the operating system. For example, port number 80 is associated with HTTP protocol, and when the host computer receives a network packet, the network protocol with the port number and specific process to receive and process the packets. The port number comes with a 16-bit number, so there can be 65536 ports (0-65535). The port number from 0-1023 is reserved for the known and popular network protocol, and after that, others can be assigned to other network applications and services.
Port blocking is a defense and filtering method by blocking a specific port from the well-known port number (0-1023). Executing services can be restricted. For example, if port 80 is blocked on a device, the user cannot access or process a web response. So, Port blocking within the local network help network administrator restrict access to services.
In contrast, port forwarding is a technique to allow external access to devices or services placed within the local internal network. Port forwarded is done by mapping an external port to an internal socket (IP + Port). Port forwarding is done via router configuration. In simple terms, port forwarding makes internal devices look like external devices accessible directly via the Internet.
Netscape invented SSL (Secure Sockets Layer) in 1994. SSL encryption/decryption is a technique for keeping internet connections secure, whether they are client-to-client, server-to-server, or (much more commonly) client-to-server. This prevents unauthorized third parties from viewing or altering any user data transmitted over the internet. It was originally designed to secure connections between customers and online businesses. Unfortunately, as the value of seemingly innocuous personal information and browsing habits rises, attackers have broadened their net to include non-commerce sites as well. As a result, SSL has become widely used. But, as time passed, an updated protocol was released in 1999, and it has since completely replaced SSL as the standard security certificate (TLS discussed below).
Transport Layer Security (TLS) is similar to but more secure than SSL. More precisely, the Internet Engineering Task Force has recommended that SSL be replaced with TLS.
TLS is used for achieving privacy, authentication, and data integrity over computer networks and is used in web browsing, instant messaging, email, and other applications using various cryptographic constructs like encryption, hashing etc. TLS is more trustworthy for a variety of reasons, including the fact that it was designed to address known SSL vulnerabilities and support stronger, more secure cipher suites and algorithms. In TLS encryption, message authentication is used. The message's authentication is done via a keyed-hash message authentication code (HMAC) algorithm. Message authentication helps system to verify that during transmission, data has not been modified, and it also allows the receiver to verify the source of the message or sender.
HTTPS is the secure version of HTTP. The HTTP protocol is the main protocol that is used to send data between a web client (for example web browser) and a web server. HTTPS is encrypted to increase data transfer security. This is especially important when users send sensitive data, such as when they log into a bank account, email service, or health insurance provider. HTTPS prevents websites from broadcasting their information in a way that anyone snooping on the network can easily view. When data is sent over standard HTTP, it is divided into data packets that can be easily "sniffed" using free software. As a result, communication over an insecure medium, such as public Wi-Fi, is extremely vulnerable to interception. In fact, all HTTP communications are in plain text, making them highly accessible to anyone with the right tools and vulnerable to on-path attacks. HTTPS encrypts traffic so that they appear as nonsensical characters even if packets are sniffed or otherwise intercepted.
Benign or malicious reasons can cause a slow process on the computer. Benign reasons include low memory on the device, out of space on the cache, limited temporary memory, outdated software, etc.. Although benign reasons are not a matter of concern, these issues can be addressed by managing the computing resources by updating and upgrading the system.
In contrast to benign reasons, various malicious reasons exist, such as unauthorized remote access, data extraction, and malware infection. During remote access, there is a high utility of computing resources such as memory and process, which slow down the computer's access. Similarly, if there is a data extraction attack on the system, then the network and memory resources will have high usage and hence slow performance. Many malware is specially crafted to consume system resources in an attempt to perform a Denial of service attack. Most virus programs replicate multiple times to the infected computer and try to out space resources. Other malware like Trojan, bots and spyware also uses computing resources as a background process, slowing down the foreground activity.
For either reason, slowing down, updating, upgrading, and scanning with security software (anti-malware), etc., will be the proper way to recover system performance.
The mouse movement and flash terminal screens can have benign reasons like operating system upgrades or other software updates in the background due to auto-update configuration in the system. These benign background processes can be stopped by changing the options in the settings and disabling any auto-update by OS or software.
Malicious operations in the background can cause the mouse cursor movement or flash the terminal. Some probable reasons could be malicious code execution due to video file playing. Many users download pirated videos from the Internet, and attackers exploit this and embed malicious code into a video file that gets executed during playing by the player (given the player has the intended software vulnerability). Apart from this, the mouse movement or terminal screen can also be caused by unauthorized remote access, i.e., an attacker is accessing the computer remotely, or any malware is trying to execute further payload based on the trigger. The trigger is a particular condition in malware that provides conditional execution of payload on the infected system. In this scenario, the trigger can be associated with media player software that minimizes user interaction and allows attackers or malware to execute code in the background.
Subject: Urgent Bank account blocking
Dear user,
I noticed unusual activity in your bank account, and to protect you, we will block your account.
Please provide the following account to verify the authenticity and avoid blocking and restricting account access.
Name:
Date of Birth:
CVV:
Bank account number Number:
This is a time-sensitive matter, so you must respond within two hours, else your account will be blocked, and all associated cards will be blocked.
Security Team,
XYZ bank.
The email is a phishing email that must be reported or avoided without clicking any link or responding. These few points help to identify a phishing email.
The email uses "user" instead of a username, i.e., Bob; if the email is from the bank and for a specific user, it must address the account holder's name. The use of "user" indicates a mass mailing phishing email.
Asking for information like CVV, date of birth, and bank account indicates an attempt to harvest the user's information back either has some of this information (date of birth, account number) and will never ask for other details like CVV.
The email tries to create urgency for sharing the information and warning of blocking the account; these two are typical combinations used by an attacker to intimidate users and pressure them to share the details without analyzing the situation appropriately.
What are your thoughts on clicking the link?
Instruction for "Clicking the link" on the Internet should always consider suspicious and proper care should be taken before clicking the link. The rule of thumb is, "never click a link sent by a stranger." In the given scenario, the link comes from a close friend, so the user can be careless and click the link. However, social media accounts should not be trusted because users' accounts can be hacked and used to launch a further attack. Apart from account hacking, there are impersonation attacks, in which attackers create fake profiles (by using publicly available images on other places on the Internet), pretending to be close to the target and sending the malicious link to the target.
The message asks to click the link to be added to the guest list, which is very suspicious in itself, and the user must verify it with a close friend via another communication channel such as a phone call, email, familiar friend, etc. However, if verification is not possible, there are software and services like Virustotal where users can check any URL and get results about malicious or benign links.
Safe password is proportional to the password's strength, i.e., a combination of upper case, lower case, digits, and special characters with a significant length (example greater than 8). The strength of "Anb@!1245" is better than others because it has an upper case letter, two special characters (@!), small case letters, and digits, which makes it harder to crack than others.
A quick comment on the password sample is as follows:
There is a good tool for password generation, testing, and storing the password, so users can use these tools to generate a more robust and safer password.
Dear user,
Thank you for using our sarvices. Please loging to your account to protect it from deactivation.
Click to Here to login.
Manager,
Xyz website
A phishing email can be identified using common mistakes the attacker made. Grammar mistakes, embedded login links, etc., are prevalent mistakes or patterns in phishing emails.
In the given email, the following are the red flags that classify an email as a phishing email:
What will be your initial thought, and classify this as a type of cyber-attack?
Getting a call from the bank's customer care is routine; representatives call for various purposes like credit card schemes, insurance, and loans. So, getting a call is not malicious or raises any suspicions. However, requests for sensitive information like card numbers and CVV should indicate the attempt of a cyber-attack. Such taking, which involves a phone call to trick the user into disclosing personal information or log-in credential, is called Vishing. Vishing is equivalent to its textual counterpart, i.e., phishing. The attacker uses a voice call to make the phishing more authentic because a call makes the user trust and reduces the chances of suspicion.
Email 1:
Subject: Urgent action required
Dear User,
Your account is blocked due to inaction. Please log in using the below link to activate your account again.
Click the Login link.
Yours,
Community manager.
Email 2:
Subject: Offer for unlimited memory space
Greetings!
We are XYZ cloud service company and offering unlimited memory space as the new year offer.
Please register for our services and get benefits.
www.xyz.com
Bob Marle
Marketing head,
Xyz.com
Phishing and spam email look very similar, and there is a very slight difference between these two emails. However, the intention and structure of email give indications that can help to classify an email as phishing or spam. In the given two emails example, email 1 is very similar to a phishing email, while email 2 matches with spam email.
The subject of email 1 creates urgency, and the email uses the general term "user" to address the receiver. In addition, the email body has an embedded link for login. The message that the account is blocked also creates suspicion, a blocked account would be known to the user in advance, and the user will initiate proper action to unblock their account.
The second email, i.e., email 2, has a typical marketing subject using words like an offer. The email body doesn't create any urgency or have any login link except the product website. The receiver needs to create an account to access the services, so the user is independent to take actions to reject or follow the email.
The email header provides information to track the source of the email. However, attackers apply many proxies to send phishing or spam emails. The use of hacked devices or anonymization services by the attacker is widespread, and so many times, a traced source IP doesn't belong to the attacker but to a victim's computer. Further use of Peer-to-peer services like Tor network makes it challenging to track the source of an email or network access.
Given the resource and capability (getting information from service providers on request etc.) accessible to the CERT team, it is highly likely that the track IP would belong to an attacker. However, it can only be specific, especially for the advanced attacker (highly skilled and have more computing resources in the form of hacked PC and services). So, The CERT team needs to use secondary sources to verify the claim, such as traffic correlation analysis or device study, i.e., looking for a forensic artifact that can prove that the track IP and system owner are the same and hence the attacker.
Computer user activities can be monitored using workspace monitoring tools. Many organizations installed monitoring tools before issuing a computer to the employee (under company policy and known to the user). However, suppose any employee wants to send critical files (internal attacker). In that case, they can disable the monitoring tool or adopt some other techniques, such as steganography, to send the file in hidden ways.
To verify the attack, the IT team can perform a forensic analysis of the suspect device to determine the user's activities. In addition to device forensics, network traffic analysis can be helpful in knowing the data sent and received to and from a particular MAC /IP address. Deleted files from the device can be recovered through recovery software, and all sent files can also be carved out from the network traffic. Wireshark is one of the popular tools for network traffic analysis.
Physical access blocking and network traffic filtering and blocking can be suitable actions to stop data theft. Physical access blocking can be achieved by applying a physical authentication process to access sensitive devices, and blocking USB access, file transfer access, etc., can also help prevent any internal attacker data theft.
In addition to physical restriction, network traffic monitoring, filtering and blocking can be applied to restrict network communication. For example, blocking all the file transfer-related (FTP, SFTP, etc.) outbound traffic can limit the user to send any files outside. Similarly, access control can be applied to network access that will help to filter out which user will access what type of inbound and outbound traffic.
To stop attackers, the inbound traffic must scan with a firewall, IDS, and anti-malware software. Using a proxy, honeypot and DMZ are some solutions that will provide additional security from external attackers.
The malware sample used for the attack can be recovered from two locations: the infected devices and the network traffic. If the malware used in the attack is not fileless ( i.e., code directly injected into some running process, and no actual code downloaded to the device), then it can be recovered by using the forensic method by taking a memory dump of the primary and secondary memory. However, modern malware uses advanced techniques to make it challenging to collect the actual sample to avoid detection and analysis. In such cases, device forensics may not recover the malware sample, so the second location, i.e., network traffic, can be used to carve out the malware code used for the attack. By using all the in and out network traffic (i.e., network packets ) from the infected devices, the malware code can be recovered from the data part of network packets.
Email activities can primarily be tracked using a user email account (mostly not accessible) and email server. The network administrator controls the email server so it can be analyzed to find the communication related to the case. The email communication can be recovered using various server logs, even if the email is deleted.
In addition to the email server, the network traffic would also help verify the information gathered at the email server. The network traffic can also recover the "sent excel file" from demonstrating and proving the allegations.
If an email client is used to send the email, then a device forensic of the user can also be used to recover the email content and the activities that can be correlated (using timestamp, content, etc.) with server and network traffic analysis.
Pirated software is often used for distributing attack vectors and malware (Trojan is primarily distributed in this manner). It is easy to embed malicious code or specially crafted code blocks in pirated or cracked software. By this method, attackers can efficiently distribute malicious code and infect more and more computers easily and without the user's suspicion. The attacker can sometimes execute its code with high access (like an administrative profile) because users provide access rights to install pirated software.
Sometimes costly software is also distributed over the internet after removing the payment gateway functionality etc., so to be sure that the downloaded software is not infected or malicious, one needs to verify the software with on-device anti-virus software or can be verified using online software such as virustotal which provide scan results of multiple anti-virus software. Advance users can also perform static and dynamic analysis to ensure that no malicious code block is embedded into the downloaded software.
Apart from verifying the downloaded software and using it directly on the main computer, running such suspicious software in a restricted environment is advisable using a sandbox or virtualization software like VirtualBox, etc..
Access restriction or authentication is a common mistake in adding a printer to the network. Any network user can access any printers added to the internal network without any authentication or access. The given scenario is similar to authentication-less printer availability, so to restrict access to printers or allow only authenticated users to access a particular printer, user-based authentication, and access right can be added. So, now every print can be associated with a user and traced to any printer misuse.
However, suppose the misuse is happening despite of authentication system. In that case, it can be due to attacking some printer vulnerabilities, which is common in printer firmware due to the lack of security features in printers. In the case of the second scenario, a software update will be helpful.
The SYN flood, or half-open attack, is a network-tier attack that floods a server with connection requests while failing to respond to acknowledgments. The large number of open TCP connections that result consumes the server's resources, effectively crowding out legitimate traffic and making it difficult or impossible for the server to function correctly for authorized users who are already connected.
Every client-server conversation starts with a three-way handshake. The client sends an SYN packet, and the server responds with an SYN-ACK, completing the TCP connection. In an SYN flood attack, the client sends a large number of SYN requests while never responding to the server's SYN-ACK messages.
This leaves open connections on the server, awaiting further communication from the client. Each is recorded in the server's TCP connection table, which eventually fills up and prevents any further connection attempts from any source. As a result, business continuity and data access are disrupted.
Bots connecting from spoofed IP addresses frequently perform SYN floods to make the attack harder to identify and mitigate. Botnets can launch SYN floods as distributed denial-of-service (DDoS) attacks.
DNS spoofing is a cyberattack that misuses tampered DNS server data to redirect users to bogus or attacker's controlled websites. These malicious sites frequently appear legitimate, but their true purpose is to install malware on users' devices, steal sensitive data, or redirect traffic. When a user uses a URL (Uniform Resource Locator) to search for a website, their device sends the request to a DNS server, which matches the URL to the associated IP address — a unique string of numbers and periods assigned to every device, server, and website. The system directs the user to the requested site once the DNS server associates the request with an IP address. Unfortunately, DNS records are not very secure, and attackers can use their flaws to launch DNS spoofing attacks.
There are several methods attackers can use to carry out DNS spoofing attacks, but they all aim to fool users and their servers into believing a fraudulent website is legitimate. Attackers typically take the following three steps to accomplish spoofing:
DNS spoofing can be difficult to detect because it affects both user devices and DNS servers. On the other hand, individuals and businesses can take precautions to reduce their vulnerability to an attack.
ARP spoofing and ARP poisoning are the two types of ARP attacks. A malicious developer seeking access to sensitive data may expose vulnerabilities and sneak inside, and you may be unaware. ARP spoofing occurs when a hacker sends bogus ARP packets that connect an attacker's MAC address to an IP address of a computer already on the LAN. ARP poisoning: Following successful ARP spoofing, a hacker modifies the company's ARP table to include forged MAC maps. The virus spreads. The goal is to connect the hacker's MAC to the LAN. As a result, any traffic sent to the compromised LAN will instead be routed to the attacker. After launching a successful ARP attack, the attacker can hijack, deny service and sit in the middle.
RARP is an abbreviation for Reverse Address Resolution Protocol, a computer networking protocol used by a client computer to obtain its IP address. MAC to IP address mapping is done using a request to the gateway server, which refers to the Address Resolution Protocol table or cache to respond with the assigned client's IP address. The network administrator creates a table in the gateway router to map the MAC address and IP address.
Network scanning is the process of detecting active devices with running services and open or closed ports. It is done by using different network protocols by sending network packets with various configured and receiving and processing the response from the target device. Network scanning can be targeted to a device or to the complete network.
Network scanning is done to monitor and manage an internal network's devices by a network administrator. At the same time, attackers can perform scanning from outside to learn about the network and draft attacks according to the scanning report. Ping is the most used and simplest network scanning tool to check a device's state over the network. An active device responds to the ping request, while there is no response from an inactive device.
In addition to simple monitoring and managing, the defender uses network scanning to find any vulnerable devices and help to patch any open vulnerability. In contrast, attackers consistently keep scanning the network to find any possible vulnerability that can be exploited to gain access to the network. However, external scanning can be detected and blocked by the network administrator. Many scripts and tools are available to automate the scanning and attacking network. NMAP and Metasploit are very popular tools with network scanning and exploitation capabilities.
A computer network attack is an attempt to gain unauthorized access to the network to steal data or engage in other malicious activity. These attacks are classified into two types:
Some common types of computer network attacks are
Buffers are special memory storage locations that keep data temporarily. For example, when a larger file is being transferred at the receiving end, the data block is kept in a buffer area for syncing or ordering purposes. The buffer overflow attack utilizes the memory overwriting vulnerability of buffer management. Normally, when data exceeds the storage capacity of designated buffer memory, the exceeding data attempts to overwrite the data to the adjacent memory locations. Buffer overflow attack is possible in all those software that performs writing without doing a size checking. This can be understood by the difference between gets() vs fgets() or strcat() vs strncat(); gets and strcat do not compare the size of the source and destination memory, while fgets and strncat perform a comparison before performing the copy. Attackers normally use malformed inputs to perform a buffer overflow attack. The memory overwrite can have a different impact. For example, if the attack overwrites a location with executable code, the program behavior will become unpredictable. It may generate incorrect results, give memory access errors, crashes, or can execute an attacker's code. Attackers can change the execution path of the benign program to trigger the execution of the attacker's code. Launching buffer overflow will be easy and highly dangerous if attackers know the memory layout of a program. For example, knowing the memory and controlling the benign program, the attacker may be able to overwrite a pointer to its own payload. Stack and heap are two commonly used buffer overflow attacks.
A software vulnerability is a security flaw, glitch, or weakness found in software code that an attacker could exploit (threat source). Software vulnerabilities do not enter a system; rather, they are present from the start. There aren't many cases of cybercrime activities leading to vulnerabilities. They are typically caused by flaws in the operating system or network misconfiguration. Cyber security threats, on the other hand, are introduced into a system through methods such as a virus download or a social engineering attack.
Cyber security risks are commonly classified as vulnerabilities, which can cause confusion because they are not the same thing. Risks are the likelihood and impact of a vulnerability being exploited. If these two variables in the software are low, the risk is low. It is directly proportional, so the inverse is also true; high vulnerability probability and impact lead to high risks. An exploitable software vulnerability is one that has at least one definite attack vector. For obvious reasons, attackers will seek out exploitable weaknesses in the system or network. Of course, no one wants to be vulnerable, but what you should be concerned about is whether or not it can be exploited.
Most software programs can have unintentional flaws known as vulnerabilities. Attackers may exploit these vulnerabilities to execute their attack payload. For example, suppose the software has gets () for string input. In that case, the software has a buffer overflow vulnerability, and attackers can exploit it to run their payload designed as an input string for the software. Security testers or the red team analyze software for known and new vulnerabilities, and on discovering any vulnerability, the blue team creates a "patch" to fix the vulnerability. Patches are often published individually or with a new version of the software.
In contrast to the red team or security team, if the same vulnerability gets discovered by an attacker, then all instances of the software can be exploited by an attacker.
So, there is an arm-race between the defender and the attacker to find the vulnerability. The vulnerability that gets detected by the attacker and doesn't have any know patch from the developers is known as a "zero-day" vulnerability. Zero-day vulnerabilities are difficult to find and the same time, very hard to defend against because there is no know solution or patch available. Keeping software up-to-date and keeping testing software for any possible zero days is the only mitigation against it.
A software patch is a quick response for software, and it is designed to resolve functionality issues, improve security or add new features. However, the main purpose of a software patch is to fix bugs or address security vulnerabilities. Users can risk their devices vulnerable to various attacks by ignoring critical updates that can be prevented by installing these patches in advance.
The importance of keeping software patching up to date increases in cybersecurity as it reduces the risk of cyber-attacks. Most users regard cyberattacks as impossible until they pose a real threat. They believe that a cyberattack occurs suddenly and without warning. Still, the best patch management software is often available before cyber attackers exploit a vulnerability and manipulate it to infiltrate systems. Patching provides two key benefits:
Another unanticipated consequence of cyberattacks is the productivity loss caused by system downtime. To this extent, a cyberattack can cause two types of financial losses: the cost of patching systems and the cost of delayed projects and unproductive employees.
It is the responsibility of business owners to protect the information that users entrust to their systems. Companies that fail to meet this standard may face severe repercussions. Consider the case of Equifax, which the Federal Trade Commission ordered to pay $125 or provide ten years of free credit monitoring for exposing the personal information of 147 million people in 2017. The software patching also protects the others on the network.
Secure programming is a method of writing code in software that protects it from vulnerabilities, attacks, or anything else that could harm the software or the system that uses it. This includes implementing security features like authentication, encryption, and input validation, as well as adhering to secure coding best practices and testing for security vulnerabilities. It also entails being aware of the security implications of the technologies and libraries you use and the specific threat model your application faces. Secure programming is also known as secure coding because it deals with code security. Creating software, applications, or writing infrastructure as code requires cloud secrets to access and control cloud resources and sensitive parameters saved to enable automation. Countless scenarios could introduce vulnerabilities into the code, like leaked access keys and hardcoded application secrets.
It is extremely difficult to protect and secure code to industry standards. Secure programming is important because it prevents malicious actors from exploiting software vulnerabilities to gain unauthorized access to sensitive data or disrupt system operations. This can include safeguarding against SQL injection attacks, validating and sanitizing input, and implementing appropriate authentication and access controls. Developers can ensure that their software is less likely to be compromised by writing secure code, which can help protect the software and its users. For example, if the software is written in 'C' programming, then security programming would not use any unsafe functions such as gets(), strcat(), or strcpy(), instead must use only sage alternatives like fgets(), strncat(), snprintf().
The attacks targeted operating systems majorly aimed to exploit and be successful because of vulnerable OS versions. However, the newer version of the operating system may also contain a zero-day vulnerability. Hence, this is a never-ending cycle of discovering and patching bugs and vulnerabilities in any software and OS.
Bugs in an operating system's source code are another way for attackers to gain access. This vulnerability could result from a mistake made by the developer while developing the program code. Attackers can exploit these mistakes to gain access to the system. A range of cyberattacks targeted at operating systems can be discussed, like ransomware, denial of service, rootkits, remote code execution, phishing, etc. Malware is the commonly used cyberattack targeted at the operating system, which includes viruses, worms, trojans, and other forms of malicious software that can infect and operate the system and cause damage or steal sensitive information. The purpose of cyberattacks targeted at operating systems could be gaining unauthorized access to a system or network, disrupting operations, stealing sensitive information, or ransomware. Several actions can be taken to prevent cyberattacks on operating systems, like using a firewall, keeping the software and operating systems up to date, using antivirus and anti-malware, implementing network segmentation, and educating the crew.
The process of securing an operating system by reducing its attack surface and making it less vulnerable to cyberattacks is known as operating system hardening. This can be accomplished by removing unnecessary software and features, installing security updates, and securely configuring the operating system and its components.
The overarching goal of operating system hardening is to make it as difficult for an attacker to exploit vulnerabilities and gain system access as possible. It is critical to remember that operating system hardening is an ongoing process and that an operating system's security must be constantly monitored and updated in order to remain effective against ever-evolving threats.
Here are some examples of operating system hardening:
Creating and delivering a product or service to a customer, typically involving multiple companies and organizations, is referred to as a supply chain. A supply-chain attack with respect to the software industry is a cyberattack targeting a company's or organization's supply chain of software. In a supply-chain attack, the attacker attempts to gain access to the targeted organization's network or steal sensitive information by targeting a weak point in the supply chain, such as a third-party vendor or a software component. The types of supply chain attacks include compromised software with malicious code, tempered hardware like servers and routers, phishing attacks via third-party vendors or suppliers, misconfigured cloud services, etc.
Because the attack occurs at a different point in the supply chain than the targeted organization, the malicious code or malware may only be detected once it has already entered the organization's network. Data breaches, intellectual property theft, and operational disruption can all result from supply-chain attacks on the targeted organization. Organizations must have visibility into their supply chain and implement security measures to protect themselves from these attacks.
Specific steps that any organization can take to prevent supply-chain attacks include: conducting thorough background checks on third-party vendors and suppliers, putting in place secure software development practices, putting in place safe procurement practices, and Monitoring and reviewing third-party vendor and supplier security regularly. Furthermore, strict access controls, digital signatures, and an incident response plan implementation make organizations more vigilant and proactive in protecting themselves. It is also critical to review and updates these measures regularly to ensure they remain effective against the changing threat landscape.
Keeping application programs up to date is critical for various reasons. Security is one of the primary reasons. When new vulnerabilities or security threats are discovered, software updates frequently include patches or fixes to address these issues and protect the user's data and device. Furthermore, software updates may include new features or improvements to the application's user experience and performance. The application may not function properly or become vulnerable to security risks if it is not updated. Automatic and manual updates of the application programs ensure the system's high efficiency and maintain the software and hardware security in the long run. Some operating systems have built-in update managers or software updaters that can check for updates for multiple applications at once.
There are several methods for safeguarding an operating system against malware attacks:
Cyberattack is any attempt to damage, destroy or perform unauthorized access to a computer, network, and data. An individual or group who performs the cyberattack is called a cybercriminal, or loosely people call them hackers. Many methods, techniques, and tools are available to launch a cyberattack. Most cyberattacks are possible due to existing vulnerabilities in the target system software or hardware. An attacker needs to discover a vulnerability and then develop a method to exploit it to execute their payload. A cyberattack can be targeted or untargeted. In a targeted attack, the victim is chosen specifically, while the untargeted attack randomly launches an attack in the wild and hopes to get access to any device or user. Some of the most prominent cyber-attacks are:
A cyberattack cannot be avoided completely. However, the possible attack can be mitigated or prevented by proactive actions such as installing security software and keeping software and hardware up-to-date by installing newly published patches and updates.
Recently, ransomware and supply-chain attacks have evolved and caused many large-scale cyberattacks. In a ransomware attack, the attacker infects the victim's computer with malware that encrypts the files or locks the operating system and then pop-up ransom notes for payment. Ransomware is a unique cyberattack because the attacker purposefully notifies victims about the attack post-infection. This is also unique in the sense that the main motive of a ransomware attack is to get financial benefits in terms of ransom money. One main reason for the rise in ransomware attacks is the possibility of getting ransom as cryptocurrency, which is hard to track and encourages attackers to get the ransom. WannaCry, Petya, CryptoLocaker etc., are some of the widespread ransomware.
SolarWinds, Kaseya VSA attack, target data breach, and Eastern European ATM malware are very recent, popular, and high-profile supply-chain attacks. The supply-chain attack is also prevalent in the past couple of years. In a supply-chain attack, an attacker injects malicious code into some source software, waits to supply this software to the users (primarily organizations), and then attacks the software users by previously injected code. The supply-chain attack is critical because millions of users may use a single software, and the attacker can compromise all of those by attacking only one software. An attacker can launch attacks on many victims, from organizations to high-profile end-users.
There are many motivations for launching a cyberattack. In the beginning, an attack was a way to show a superiority of skills and was mostly made for fun. However, the development of ICT and the adoption of digital technology have given many other motivations for cyber-attacks. Some of the critical motivations are as follows:
The use of security software can prevent cyberattacks. However, some good practices from users and system administrators can help to mitigate many cyberattacks, also known as cyber hygiene. Such as:
Over time security domains have become a multi-billion software industry that creates and offers a wide range of security software to protect individual users and organizations from cyberattacks. Some of the standard software that can help an individual to defend themself against cyberattacks are as follows:
Encryption is a technique of converting plain text (message) to cipher text. The encryption is done using an encryption algorithm (E), plain text (P), key (k), and output cipher text (C). So, Encryption: E(P,K) gives C.
For example, if the encryption algorithm is "Addition", plain text is "A" represented by a number "1" (representing A-Z through numbers 1-26), and the key is 3, then,
E(1,3) will give 1+3= 4; if we map the cipher back to text then 4 will be "D".
Decryption is the reverse process of encryption. It recovers plain text/message (P) from the cipher text (C). Normally, decryption algorithm (d) implements the reverse operations of it encryption counterpart. So,
Decryption: D(C, K) gives back P
For example, continuing from the previous example to decrypt
D(4,3) will give 4-3 = 1, 1 will be mapped back to "A"
Some popular algorithms are DES, AES, etc.
Unlike encryption, Hashing is the technique for generating a fixed value for a given plain text /message. The output of a hash value is called a message digest or hash value. Hashing is a one-way function i.e., and there is no reverse algorithm to recover plain text from a hash value. Some common hash algorithms are MD5, SHA, etc.
Hashing: H(P) gives the hash value.
Using Cryptanalysis, attackers analyze the cipher text with or without plain and cipher text pair to recover the key of encryption, using which attackers can crack the cipher text and get the plain text.
The algorithm uses a single key (same key) for encryption and decryption in symmetric encryption.
The E(P, K) -> C and D(C, K) -> P use the same K.
Symmetric encryption is faster. However, each communicating pair has to maintain its keys and so managing keys is very challenging in symmetric encryption. DES is a symmetric encryption.
Unlike symmetric encryption, asymmetric encryption needs pair of keys for encryption and decryption. Each user creates a pair of keys (public, private), and the user shares the public key to the public repository and keeps the private key secure. For encryption, the sender uses the receiver's public key for encryption, while the receiver uses his private key for decryption.
For example, suppose,
user 1 has K1(public) and K1(private)
user 2 has K2(public) and K2(private)
K1(public) and K2(public) is known to everyone.
if user 1 sends a message (M) to user 2 then
Encryption: E(M,K2(Public) gives C
after receiving cipher (C), and user 2 will decrypt
Decryption: D(C, K2(Private) to get M
Asymmetric encryption is also known as public key encryption. RSA is a public key encryption algorithm.
Symmetric encryption can work in two modes: Block cipher and Stream cipher.
In block cipher mode, the encryption is done on a fixed-sized message called a block. Generally, the block size is decided as a multiple of 8 bits for easy implementation of various cryptographic processes. So, 64-bit, 128-bit, 256-bit, etc., are commonly used block sizes. However, there is the possibility that the message text is smaller than the required block size. In that case, the message bits are padded with zero to complete the required bits.
In stream cipher mode, encryption is done on continuous incoming messages like a stream, and so the plain text is of variable size. So algorithm encrypts plain text bit-by-bit using keystreams. Generating unique keystreams is challenging, and it must be unique for each iteration; otherwise, the cipher text can be cracked, i.e., encryption will have low security against cryptanalysis. RC4 is an example of a stream cipher. Stream cipher methods are faster than block cipher.
Key exchange is the process of sharing a secret key to start encrypted communication. In symmetric cryptography, both sender and receiver use the same key for encryption and decryption, so the key exchange method help to create the same key at both ends.
The key exchange algorithm ensures that the actual secret key never being shared via the communication channel because, initially, the sender and receiver communicate via unencrypted media. So, during the key exchange, the sender and receiver follow the procedure, and at the end of the exchange, both can generate the same key at their end that they can use for further encrypted communication.
Key exchange is required because it helps two users have the same secret key they can use with symmetric encryption. Many a time, asymmetric encryption is used for secret share keys and serves as a key exchange algorithm. However, there is a specialized key exchange algorithm like Diffie-Hellman that help to generate the same key at both communicating ends.
Key exchange is used by many secure internet protocols like FTPS, HTTPS, SFTP, etc.; these protocols first exchange keys between sender and client or server and client, etc.. After generating the key, both parties use a shared secret key for further encrypted communication. In the case of internet applications, these key generations are often limited to particular sessions and get revoked after completion of the session.
A digital signature is the application of public key encryption, and it is used to identify or authenticate the sender. It is equivalent to a physical signature. In public encryption, it is assumed that the private key is only known to the user who generates it. Also, the pair of keys work together as linked for encryption and decryption, i.e., Bob's public key is used for encrypting the message, then cipher text can only be decrypted using the private key of Bob, or if Bob's private key is used for encryption, then only Bob's public key can be used for decryption.
For the digital signature, the sender uses their own private key for encryption and sends the message, so the receiver then uses the sender's public key to decrypt the cipher text. The purpose of a digital signature is to identify the user, so if decryption is successful, then the user's identity can be authenticated else; authentication will be denied.
The digital certificate is an extension of the digital signature concept. However, with a digital certificate, further information about the sender is also verified. Unlike digital signatures, a digital certificate requires a certificate authority to collect, associate, and verify information about the sender.
Expect to come across this popular question in Cyber Security interview questions for freshers.
Threat: A threat in cyber security is an act to corrupt and steal confidential information. This action can be done by an individual or organization attempting to gain unauthorized access to a system and perform malicious activities. The main goal is to steal, cause damage, or disrupt the computing system. It is a negative event that takes advantage of the vulnerability and attacks the victim's system in order to steal and damage the data. A cyber threat can be caused by many different types of attackers, such as hacktivists, nation-oriented attackers, criminals and terrorists, hackers, and disgruntled or previous employees. This includes computer viruses, data breaches, Denial of Service(DoS) attacks, and other attack vectors.
Vulnerability: It refers to any weak spot within an organization's information or control system that cybercriminals can exploit to break into the system. These are the system's weaknesses that allow attackers to compromise an organization's assets. Every system has vulnerabilities, and it helps attackers deliver a successful attack more easily. Vulnerabilities are not generally introduced to a system, but they are present from the beginning and typically as a result of operating system damage or network misconfigurations occur. They can occur through flaws, features, or user errors, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal. These vulnerabilities are extremely important to monitor for the overall security posture, as gaps in a network can result in a full-scale breach of systems in an organization.
Risk: Risk is related to the loss of confidentiality, integrity, and availability of data or information that can affect the operational work of an organization. It is the measurement of loss that may occur from an attack that results in a huge loss of data or money. Cybersecurity risk is the probability of damage to critical assets and sensitive information from a cyber-attack or data breach within an organization's network. It may potentially impact the image and reputation of a brand or company. Risk is mainly defined by three components - threat, vulnerability, and consequence. Attackers seek a vulnerability and make use of it for an attack that leads to risk. As it results in actual harm and damage to the data, every organization must have a cybersecurity risk management strategy to help protect assets against evolving cyber threats.
Exploit: An exploit is any "piece of code" that takes advantage of a vulnerability or flaw in software to perform an attack. It takes advantage of the system's vulnerability to do malicious activities. Security researchers may write this code as a proof of concept threat or by attackers. An intruder can use an exploit to remotely access a network, gain privileges, and move deeper to the network's root. Exploit kits are popular among underground criminals as they provide management consoles and target different applications. The sale of exploit kits was first reported in 2016 by Russian underground hackers. These on-sale exploit kits were extensible by using the add-on to enhance the functions or customized to launch a different attack. The use of an add-on makes it easier to launch an attack. Often a multi-component attack uses various exploits to achieve its goal. Instead of using a malicious file, exploits can drop another malware, opening a backdoor path for trojans and spyware that can steal user information and perform many more activities.
Cross-site scripting is a vulnerability issue that arises within web applications. It especially occurs in websites with search engines, message boards, comment boxes, and login forms. Here, malicious scripts are injected into various trusted websites and carry-out attacks. It enables unauthorized users to execute their client-side scripts by other users and perform malicious activities. Cybercriminals exploit this vulnerability and inject executable files into the target website. Attackers target unsuspected end users and send them files with malicious scripts for execution. And the user has no idea about the file as they believe it came from a trusted source. This script can access sensitive content like session tokens, cookies, and other info within that page.
It can also alter the website's HTML page content by rewriting. Depending upon the injected files, the malicious scripts may not be present on the actual website, and they may transmit elements for the time being for exploitation. It creates the illusion of the actual website being compromised when it’s not, so victims get lured. These injected scripts can be harmlessly annoying or very dangerous, depending on the attackers. Harmless as an unexpected image shown on a legitimate website that may harm the reputation. It can also run malicious files automatically to steal sensitive data like login details and other confidential information depending on the attacker’s strategy.
Cross-site scripting (XSS) are of three types:
To avoid this, website owners can verify each input string before generating output for those strings in case of any code injection to the strings. Website developers should check for vulnerabilities and patch them accordingly. Keeping the websites updated and checking the server regularly to detect any issues. Users can avoid the issue by disabling scripting and avoiding clicking on suspicious links.
Honeypot is a technique to lure attackers by creating a virtual trap. It’s a decoy system to attract cybercriminals to study their moves. A computer system is compromised intentionally and exploits vulnerability through which attackers trespass without knowing they are exposed. Honeypots are used to detect and study various techniques of attackers and how they carry out their operations.
It acts as a potential system on the network and informs any unauthorized access to the system to the defenders. Various types of honeypots are present according to the organization’s needs. They are used to redirect the attacker’s attention from the actual target. As it's basically a trap, it should be attractive enough to capture the attacker’s attention for other processes to be done. Once trapped, we can study crucial information about the type of attack and other operations. Sometimes the actual system has the honeypot to check how the system exploits the attackers.
Like the decay, the system has a credit card and other confidential information, and an attack breaks down. Now defenders can learn how they are approaching and stealing the info, and according to that, a stronger information system can build.
A common common cyber security interview question, don't miss this one. Malware is short for "malicious software." It is the term used to represent all computer programs that are "purposefully or intentionally written to perform some malicious activities." The intended malicious activities depend upon the attackers and can be simply from password stealing to installing spying programs or anything depending upon the need.
Now to achieve different needs, these malicious programs need to be written in unique ways and should have special functions. Such diverse needs give rise to different types of malware, such as viruses, worms, trojans, botnets, and ransomware. Different types of malware are intended to achieve various tasks depending upon the attacker's needs.
To give an example, let's understand the difference between a trojan and vs botnet; a trojan is a malware that tries to hide its malicious intention (password stealing, spam email sending, etc.) by pretending to be a benign application such as a downloader software or music player. Similarly, a bot infects a device and aims to give control of the infected system to the master (often known as bot master). A bot master gets access to many infected devices through the bot and which is known as a botnet.
There are two important notes about malware:
Zombie system is a term used for a hacked computer that an attacker can remotely control. The computer system can be hacked using malware installation or exploiting any vulnerability in the system by the attacker. Attackers use zombie systems for many purposes, such as sending spam emails, operating as a proxy system, etc. The zombie system is also used to launch an attacker on another computer within the internal network or out of the network.
A bot is a computer program that is used to infect a computer program and connect back to an attacker's computer. Bot programs are tiny in size and often have the capability to execute the command. Bot programs are connected via a command and control server, issuing further instructions and commands. The attacker who controls the command and control server knows as the bot master.
The botnet is a network of similar bot programs. Every newly infected machine by a particular bot program join the network, and all infected system and command and control server all together are called a botnet. With a botnet, an attacker gets access and control of many computers at the same time. These computers, i.e., victim's devices, can be geographically distributed and very suitable for DDoS attacks. The botnet is also used to install further malware, like banking trojans, keyloggers, etc. A botnet can have centralized and decentralized command and control. Mirai, ZeuS, and Emotet are some popular botnets.
The term social engineering is used when a person's cyber system (Internet account or computer system) t affected by social manipulation by the attacker. It’s a tactic to deceive people by manipulating them to gain access to their information system. They trick humans into making security errors and expose their vulnerability to gain access. This attack can happen online or in in-person mode, depending on the strategic plan for controlling the system. Some victims may not know that they are being watched and exposed to confidential information. Social engineering has two goals, one is to breach or disrupt the data, and the other is to steal the data. Attackers first gather background information then they try to build a trusted connection. Once you believe the bond and expose your weakness, they start attacking and stealing the data.
Phishing: It’s a type of social engineering attack that is used to steal users’ personal information like login details and credit card information. Here, attackers make victims open any link, email, or instance messages. Once they click on the link, malicious files get downloaded without the knowledge of the user. Sometimes this attack freezes the system for the time being as a ransomware attack, or it may expose sensitive information about the system. Attacks like advance persistent threats (APTs) and ransom demand generally start with phishing.
In simple terms, a brute force attack is a method of trying all possibilities. For example, an ATM machine uses four digits as a lock PIN to identify an authentic user. Now, suppose an attacker gets access to a debit card and does any transaction. In that case, the attacker can try all possible four digits combinations one after another to get the actual PIN. This way attacker can pretend to be a genuine user.
A similar brute force attack approach can be applied in other authentication and authorization system like password-based authentication, OTP (one-time password), etc.
Brute force is a straightforward attack method so anyone can use, but it is time-consuming. There are many methods to fail or restrict a brute force attack by further increasing the required time to perform a brute force on the system, for example, locking the account after a limited number of wrong attempts (three in the case of the ATM example) or adding time validity to OTP.
A password cracking attack is a method to recover the password. Password cracking can be done with or without any given hashed value.
For example, try a dictionary word as a password for a particular username (it is similar to a brute force attack). But usually, password cracking is done to recover plain text from its hashed format.
Suppose an authentication system stores passwords in MD5 hashed value to protect it in case of any theft or internal user. Now, an attacker gets access to the password, but it is in a hashed format, so that can not be used. So, the attacker's job is to crack the password, i.e., get the original text for the equivalent hash value. As the hash value is one-directional, i.e., there is no direct way to reverse a hash to the actual text value.
In this scenario, various password-cracking method is used, such as rainbow table and dictionary-based attack. In the rainbow table attack, the attacker uses a table with pre-computed text phrase and hash, so the attacker needs to search with the targeted hash in the rainbow table.
Like the rainbow table attack, the attacker used plain dictionary words as a password in a dictionary-based attack. It is a brute force attack but restricted to dictionary words. There are many password attack dictionaries available to speed up brute forcing.
The intrusion detection system is a monitoring system that detects suspicious activities and alerts about them. Cybersecurity analysts can investigate the issue and take needful actions based on the alert.
There are two types of IDS
The key purpose of HIDS is to monitor and analyze the system configuration and various activities running on the system related to the network. The HIDS client/sensor can be installed on a device like a desktop PC or a server. These sensors take a current snapshot of existing system files and compare them with previous ones.
It looks for unexpected changes, such as the deletion of files, unknown access to certain ports, unusual client-server requests, etc. Then it alerts the administrators to investigate such activities. As some attacks can be made from the internal system of the organization, a host-based intrusion detection system is mostly used in mission-critical situations on each host in a network.
NIDS is used to monitor traffic from all devices residing on the network. It performs traffic analysis on the entire subnet and matches the ongoing traffic that is passed on the subnet library to detect any kind of attacks. When an attack or abnormal behavior is identified on the network, it alerts the administrator for further investigation. An example would be installing NIDS on the subnet where the firewalls are placed in order to check if someone is trying to break into the firewall. Generally, scanning all inbound and outbound traffic can detect any abnormal behavior. However, doing so might create a bottleneck and affect the overall speed of the network.
Network sniffing is a technique to monitor and record inbound and outbound network traffic by using sniffing tools such as Wireshark. During a network sniffing, all the network packets which travel from source to destination are recorded. These network packets carry lots of information like source and destination IP, port, and other protocol-specific configurations along with data.
Network sniffing has both benign and malicious use. For example, a network administrator uses network sniffing to observe the network status, such as bandwidth, failure, etc., and can use the information to fix any issues with the network. Similarly, security professionals can use captured packets to analyze and find any ongoing or past attack patterns. However, there is the malicious use of network sniffing, and the attacker uses it to understand the network behaviors, launch an attack, and extract credentials from unencrypted traffic.
Network sniffing can be carried out in the active or passive form. In active network sniffing, the third-party user (administrator or attacker) actively participates by modifying the content of network packets, like changing the source or destination address.
In contrast, passive network sniffing is very stealth; can user can only observe the network traffic or store the packets but strictly does not modify the content of the packets. Wireshark, Tcpdump, Windump, and network Miner are popular network sniffers.
Viruses, worms, and Trojans are all classes of malware, and each represents malware with a specific set of characteristics. For example, viruses represent all of that malware that replicates itself on the infected computer with user interaction. Most of the viruses attach themselves to other programs and get executed along with the execution of the benign program. The main aim of the virus program is to consume the resources in the infected system. The first know virus was named "brain"; since then, there have been many known viruses, such as "ILoveYou".
In contrast to virus programs, worms replicate over the network and do not require user interaction. "Morris" is the first and most popular known worm program.
Trojans are totally different from virus and worm programs in their infection, structure, and motives. Trojan malware structure and characteristics are inspired by the famous story of "soldiers hiding inside the big wooden horse". Similarly to this, attackers hid malicious code inside genuine-looking software promoted as free software. Once the user downloads and install these infected free software, the software works as listed features but executes the hidden malicious code without the user's knowledge. Trojan horses do not replicate but may offer initial infection points of further payload or another kind of malware. Zeus is one of the most popular examples of trojan horse malware.
Keylogger is a type of spyware that is used to steal information by recording consecutive keystrokes on which it is placed. It is the short form of a keystroke logger that log and spies on what you type on your keyboard. It not only monitors but also notes each keystroke on your system.
Keyloggers can enable cybercriminals to eavesdrop on what you do, watch you on your system camera, and listen to conversations over your smartphone's microphone. Keyloggers can fetch sensitive information like login credentials, credit card numbers, banking details, etc. It records and stores such information and sends those to the cybercriminal behind it. Different kinds of keyloggers are there; some record a broader range of inputs and do insidious activities.
A keylogger can be installed either as hardware or software. The Hardware keylogger can be embedded as an internal part of the PC itself or can be plugin secretly as an add-on, for example, between the keyboard and CPU. Software keyloggers can be installed like any other malware. Apart from malicious purposes, there are legitimate and legal ways to use a keylogger. For example, parents can use them to keep track of their kids online, and organizations can use them to monitor their workers.
Reconnaissance is a technique to collect detailed information about the target in stealth mode. It is the first step for the attack and defense team. Attackers use collected information to launch an attack on the target. In contrast, the defense team (pen-testing or ethical hacking team ) uses the collected information to provide a report on attack possibility and help to develop defense solutions.
Reconnaissance is often carried into multiple steps and iterations by utilizing information collected in the previous step and iteration. For example, basic information about a target will be collected, say the target is a network, then devices used, etc., are the initial information which will be further used to get more information like network topology, application, running services, software version, etc.
The reconnaissance technique depends upon the target type. For example, various network tools and techniques will be used for a network. If the target is an individual, then social engineering can be suitable. However, various techniques and sources are often combined to gather more information about the target and ease attacks.
Personally Identifiable Information, or PII, is all the data that can be useful to identify an individual. For example, name, email, date of birth, fingerprints, social security number, etc., are some examples of PII. Sometimes an individual PII can be enough to identify the individual or a combination of one or more PII will make the identity recognizable. For example, the social security number individually identifies an individual, while zip code is required to be used with other PII to be able to identify an individual, like a street number. PII is very important, and leaking PII can lead to various cyberattacks. So anonymization techniques are applied when there is a need to share PII for some specific requirements. Many privacy protection laws, such as GDPR, are also enacted to protect PII and users' privacy in the digital world.
Impersonation is one attack that misuses the PII. In an impersonation attack, the attacker utilizes the victim's PII and represents themself to that particular individual in online communication or remote communication. For example, an attacker can use the date of birth, phone number, parent's name, etc., to verify identity over the phone to the bank representative and then misuse it for getting or resetting account credentials, money transfers, etc. PII is also used for social engineering attacks in which attackers use this information to gain the victim's trust and further exploit them to get more information.
Identity theft is similar to impersonation, but in this, attackers mostly create the fake identity of the victim by using PII and other resources such as photos and other information. Once an attacker establishes a fake identity that can be misused for a further attack, like phishing over social media, etc.
It's no surprise that this one pops up often in interview questions on Cyber Security. Hacker is a weakly defined term and is often used for the attacker or cyber criminals. However, a hacker can be anyone who uses unconventional ways to access the computer system. On the basis of working methods and motivations, a hacker can be grouped into different groups such as white hat, black hat, gray hat, blue hat, and red hat. The white hat is used for ethical hackers, which means security professionals who test systems for preventive measures. In contrast, the black hat is used by cyber attackers who misuse computer access for malicious purposes. In contrast, the gray hat is used for security professionals who need to change the role between attackers and defenders.
Compared to previously defined hacker types, the blue hat and red hat is a well-defined terms for blue and red teams used for a security firm to test, develop and defend software and services. Blue team has security professionals who specialize in defense skills and work to detect and defend against attackers.
Security professionals in the Red team have attack skills, and they utilize their skills to test the system's defense by devising new methods and techniques to attack the system under observation. In larger organizations, both teams have separate people, while in shorter or mid-size, same professionals switch roles to act as a blue hat or red hat.
Apart from these terms, other terms are used to define the specified type of attackers; for example, script kiddies indicate attackers who possess very minimum skills and often use existing scripts to perform attacks. Similarly, hacktivists are used those attackers who target the government or private targets for activism.
IP stands for Internet protocol. The main task of IP is to deliver the packets from the source to the destination based on the IP addresses. It defines the structure of the packet and hides the data and the addressing method. This technique labels the datagram with source and destination information. The first version of IP was IPv4 which is a 32-bit address; later, in 2006, IPv6, which is 128 bits, was notified by IETF. IP is added with transmission control protocol and forms a TCP/IP model that is used for end-to-end delivery of packages. By adding IP to the TCP and UDP, we can build wireless connections, so internet protocol is also known as TCP/IP and UDP/IP.
A port is a virtual point where a connection start and ends. Each port is associated with specific tasks, differentiating the computer system on the traffic. It can be a programmatic point where information flows from a program to the system or over the Internet. A network port is provided by the Transport Layer protocols of the Internet Protocol suite, that is, for TCP and UDP. It generally serves endpoint communication between two computer systems.
Media Access Control (MAC) address is known as the physical address. A vendor-specific unique combination of numbers represents it, and it is assigned to each device that connects to a network. The unique combination is made up of 48 bits number that is embedded in the network card during manufacturing. For easy writing and reading, the 48 bits are normally represented by 12 digit hexadecimal number separated by a colon into six pairs. It provides a trustworthy mechanism to find senders or receivers in the network, and MAC-based filtering is used to prevent unwanted access to the network. The data link layer uses MAC to identify hosts on the network. It's unique for all devices. ARP and RARP protocols map IP to MAC and vice-versa, respectively.
The IP address and the Port number combination are called a socket or socket address. The socket address is useful and associated with OS and network connection processes.
Authentication is the process of verifying the identity of a user to offer products and services. Passwords and biometrics have been the most used methods for authentication. Biometric is more secure; however not suitable to be used with the Internet, so passwords have been prevalent for authentication for web and online services.
Due to the weakness and the possibility of stealing or cracking passwords, recently, two-factor authentication has been developed. Two-factor authentication advocates using two separate mediums to authenticate a single user/sign-in. For example, with a password, the user must also provide an OTP (one-time password) sent as an email or SMS. Two-factor assumes that it is hard for an attacker to gain control of two mediums simultaneously, so two-factor will improve security.
Two-factor authentication is implemented by any combination of two secrets, such as a password and OTP, a password and app-based password, and a password and two OTP (email + SMS). Overtime OTP has been improved by adding expiry time with OTP to reduce attack surface further. On the smartphone, the password is also combined with biometrics such as fingerprint or face recognition or PIN to provide two-factor authentication for sensitive operations.
Authentication and Authorization are used in combination to protect access computing resources from unauthorized access. Authentication assures and verifies the user's identity, while Authorization uses the user's identity to grant or reject access to the resources. Authentication is done by asking for and validating the pre-agreed or chosen credentials. Registration is the process of choosing or agreeing to use credentials, such as usernames and passwords, security questions and answers, or biometrics, such as fingerprint or facial recognition. During authentication, user's asked these credentials and match them with pre-stored info and only grant permission if both matches. While Authorization verifies whether access is allowed through policies, Authorization always comes after successful authentication. Authorization works with access rights, and users get access to a resource based on their verified identity during authorization. For example, if a user is authenticated as an "admin," they can install software or delete files on the devices. At the same time, a simple user can't perform these operations.
Let's use a real-life example to differentiate; in a university, students and staff both have access cards. Entry to the university is allowed for both after authenticating themself as students or staff. At the same time, access to the question vault is only authorized if the identity is staff, while the entry of "student" is not allowed.
Cross-site request forgery (CSRF) attacks exploit and bypass the same origin policy of web applications which aims to protect websites' inferences in each other contents and access. Using CSRF, the attacker tricks users into performing unintended actions that fulfill the attacker's purpose, and often users are unaware of the performed actions. For a CSRF attack to be successful, three key conditions must be fulfilled:
Secure Shell or SSH is a network communication protocol that allows two computers to securely share data and communicate with one another. SSH has the inherent feature of encrypting all the communication between two computers, making it possible to secure communication over open and insecure networks channel.
Mostly SSH is used for "login" into a remote computer and performing operations; however, with SSH, data transfer can be done securely. Many programs are available that enable SSH clients for this communication, and some operating systems, such as Mac OS X and Linux, have this capability built-in. SSH clients typically support SCP (Secure Copy) and/or SFTP (SSH File Transfer Protocol) for transferring data to/from the server. Clients use a program on their computer to connect to the service server and transfer the data to/from their storage using either a graphical user interface or a command line.
A VPN (a virtual private network) is the most simple and effective way to protect internet traffic and maintain online anonymity. When a user connects to a secure VPN server, their internet traffic is routed through an encrypted tunnel so even attackers, governments, or the internet service provider, can know about the content. To protect and enhance privacy, the user should use a VPN every time when connects to the internet. The VPN application runs as a background process, so it doesn't interfere with the user's activities, such as browsing, chatting, gaming, or downloading.
In software and computer, reverse engineering is the process of recovering high-level programs from binary or low-level representation. In this process, a piece of software or hardware is taken, and an analyst analyzes its functions and information flow to understand its functionality and behavior.
In computer security, reverse engineering is used to investigate binary files for security analysis. However, reverse engineering is mainly used for malware analysis for developing tools to detect and protect against known malware. For example, reverse engineering creates a signature for detected malware and adds to anti-virus software. A cyber reverse engineer examines malware and software by breaking it down to pure code to understand its potential vulnerability better. Malware analyst also works to determine how the malware affects existing security and help create detection and prevention mechanisms.
Disassembling and debugging are very helpful techniques for reverse engineering. Disassembling is done with the help of a disassembler that converts binary files to human-readable assembly code that can be analyzed by the analyst for functionality or to find malicious code blocks. With a debugger's help, we can understand the program flows. It works with source code or even with binary files. Often tools have both these functionalities together. For example, IDA Pro, Immunity Debugger (ImmDBG), and Olly Debugger (OllyDBG) are some very popular, powerful, and most-used disassemblers and debuggers.
Job stability concerns computer-related fields like software development, testing, and marketing. However, cybersecurity jobs are very stable for two main reasons. First, there is a consistent shortage of skilled cybersecurity professionals, which makes cybersecurity professionals demanding, and hence layoffs, etc., very rare. Second, the specific skills required for cybersecurity jobs. Various job roles in cybersecurity require specific skills which are difficult to gain and often require long training and practice. For example, learning malware analysis required lots of practice and specific skills like reverse engineering and static and dynamic analysis, etc. It takes time to learn the required skills, so jobs are stable in cybersecurity domains. The fact is, due to job stability, many software developers are learning through online courses for a cybersecurity job switch.
Yes, software development and cybersecurity are two different domains and hence require different skills, and both have different jobs or work styles. The significant difference is that software development requirements come from a client that can be understood properly, and over time changes can be made as per the client's request, so work requirements are very well defined. In contrast, cybersecurity jobs often protect systems, software, and resources from an unknown adversary, which is very challenging. The defense and development are mostly done for unknown causes and ever-evolving attackers. Many cybersecurity professionals agree that working in the domain is like a cat-mouse game that is fun and challenging simultaneously.
Today, computer and ICT are used everywhere, and there is seldom any organization that doesn't use software and services in their day-to-day activities. So, in short, now every organization hires cybersecurity professionals directly or gets security services by outsourcing them to a specialized security company. Hiring security professionals also depends upon organization size, i.e., a large-sized company can have an in-house cybersecurity team. In contrast, a small-sized company prefers to outsource its cybersecurity requirements. While working as a security professional, you will be working for a large variety of companies and products; for example, you may be building products or protecting the digital resources of a fashion company or a drug manufacturing company. Lastly, to name a few organizations, a financial organization like banking, trading, etc., needs more cybersecurity professionals. Similarly, a digital company (an organization whose business depends upon ICT) needs many cybersecurity professionals to keep their products and services uninterrupted against cyberattacks. In addition, organizations with lift critical services like smart grid or smart transportation services also need cybersecurity professionals given the critical nature of services. Both private and public organization hires cybersecurity professionals.
Malware detection is the process of identifying any type of malware on computing devices. Generally, these processes are implemented as software called anti-virus or anti-malware software.
Malware detection techniques can be divided into two main groups: Signature-based detection and non-signature-based detection.
Signature-based detection is very simple, and it is similar to the real world, where a signature is used to identify an individual. Similarly, malware analysts (from an anti-virus company) create a signature for all known malware samples and supply these signatures with the anti-virus product. So, the job of an anti-virus system is to scan all targeted files against the signature list and flag any matching files as malware.
There are a couple of key limitations and challenges of signature-based methods, such as:
Recently, many companies and researchers have developed non-signature-based methods to address the limitations of signature-based techniques. These non-signature-based method doesn't use signatures and try to profile the malware behaviors, so they can detect new malware, and scanning is also faster. Machine learning-based solutions are also being used, which have also come under non-signature-based techniques.
One of the most frequently posed cyber security interview questions for experienced, be ready for it. Malware analysis is the process of analyzing malware samples to understand their functionalities to develop detection and prevention solutions. For example, malware analysis creates a signature for anti-virus software. Similarly, malware analysis is used to extract features for building machine learning-based malware classifiers in the case of ransomware; malware analysis help to find out ways to decrypt or recover the files infected by the ransomware.
Malware analysis can be done in two ways: static or dynamic. In static analysis, the malware sample is not executed. In contrast, in dynamic analysis, the sample under observation is executed in a safe and isolated environment, also known as a sandbox. The aim of static analysis is to understand the structure and static features of the sample. Static analysis is supported by reverse engineering. However, static analysis has limitations; for example, understanding the encrypted or complex code is difficult. In addition, modern malware has anti-analysis features like packed or polymorphic code.
The dynamic analysis provides solutions for the limitations of static analysis by executing and observing files in an analysis environment, also known as a sandbox. However, modern malware also has the capability to avoid dynamic analysis by the use of conditional code blocks. So the malicious code only gets executed if the code is running in a real device and stays dormant in the sandbox. Despite these limitations, normally, dynamic analysis helps to understand network activities, file operations, and OS interaction very well by recording the system instructions. Cuckoo Sandbox is very popular for dynamic malware analysis.
Dynamic analysis is costly in terms of computing and time requirements. So, the sample is triaged for dynamic analysis after static analysis. However, malware analysts perform static and dynamic analysis for a complex malware sample to better understand by correlating findings.
This question is a regular feature in cyber security engineer interview questions, be ready to tackle it. A firewall can be software or hardware to monitor and filter inbound and outbound network traffic. Network filtering can mix commonly known threat patterns and organization-specific requirements. The filtering is performed by configuring rules in the firewall.
Generally, a firewall sits between an internal and external network and performs the gatekeeper role to allow and deny network traffic based on the rules.
A firewall can simply scan all the network packets or filter based on application-lever configuration. A firewall is not industrial software, so even a simple user can configure and use a firewall on their device. For example, iptables provides firewall features for Linux and Windows defender for Windows OS.
Based on functioning (filtering method), there are four types of firewalls;
It scans individual network packets and applies filtering rules. Due to working on isolated packets, it is easy to bypass the rules. However, it is simple, very fast in scanning, and does not require many computing resources.
Such application has filtering rules based on the applications.
In contrast to packet filtering, stateful inspection considers packets' context by using the packets' relationship with each other. It is slow and often requires more resources due to storing packets for collection and finding relations with other packets.
It is the term used for a firewall that combines or uses features of other security solutions, like a firewall with IDS and IPS capabilities.
DMZ (Demilitarized zone) is the term used for an isolated computer network zone that has a different access policy than the external and internal network. Access to resources under DMZ often has very high restrictions because it has very sensitive resources like email servers, DNS servers, File servers, web servers, and proxy servers. DMZ is created to provide fast access to the in-house server through the internal network and protect these resources from attacks that may be possible via an external access. Interestingly, the DMZ is within the internal network but not directly connected or accessible via internal devices. DMZ can be designed with a single firewall or dual firewall setup. DMZ works on the principle of "security by isolation," which is very simple to the sandbox, which isolates the execution of the application, and DMZ isolates network access of critical networked resources.
The software and applications store the password in hashed form to prevent or delay password cracking by external or direct access to passwords by internal attackers. An internal attacker says the system admin can easily get the user's password if the password is stored in plain text. Password cracking is a method of getting a user's password, and it is done via interacting with the authentication system or, many a time, the attacker gets access to a password dump in hash form (the result of a hack, etc.).
The rainbow table is used for cracking a hashed password. It is simply a table of dictionary words and equivalent different computed hashes (MD5, SHA, etc.) of each word. It aims to speed up password cracking with pre-computed hashes and offers a simple search of the target password hash to get the password in plain text.
A dictionary attack is another password-cracking attack, and it often attempts to get the password from the authentication interface by trying various dictionary words. So, a dictionary attack uses different dictionaries (similar to the rainbow table but without computed hashes) during the cracking. These dictionaries are custom-made to narrow down possible passwords, for example, a dictionary with first and last names, a dictionary with the most used passwords, a dictionary with the date of birth in various formats, etc. Most password-cracking tools come with a pre-available dictionary, and attackers can add their own custom dictionaries.
Denial-of-Service attack (DoS) is a method in which the attacker aims to stop any system's service offering. For example, a DoS attack on an email server will stop the email services such as forwarding and receiving emails. Generally, a DoS attack is launched by misusing the genuine features of the system; for example, an email server is supposed to receive any email that has an email server address as the destination. An attacker can now send many emails (junk emails) to the targeted email server by knowing the maximum memory or number of possible emails the server can handle. And when the server reaches its maximum limit with junk emails of attackers, it will stop receiving any further emails (benign emails), known as a DoS attack.
DoS attack is a very old method, so many techniques exist to detect and prevent DoS attacks. For example, in the previous example, the email server can limit a user's email count and filter any user who tries to send more than the limit.
Distributed Denial-of-Service (DDoS) is an updated version of a DoS attack. It tries to bypass many DoS prevention implemented by the system. In DDoS, the attack is launched by different devices, so the user-based filter on the victim machine can't separate the attacker and the benign user. Often, a single attacker controls many devices by getting unauthorized access or using a botnet to automate the process. Apart from directly sending attack packets from zombie devices, there are methods where attackers indirectly distribute the attack. For example, a DNS Flood attack just exploits DNS reply functionality by replacing the reply-to address with the victim address and making DNS requests to various DNS servers.
Sandboxing is a process for running an untrusted software program in a restricted environment. In cybersecurity, suspicious code is run, observed, and analyzed in a safe, isolated computing environment. It is important that the sandbox mimics end-user operating environments (OS and other application software).
Sandboxing confines the code to a test environment, preventing it from infecting or damaging the host machine or operating system. Sandboxing is a preemptive way to improve an organization's security by proactively restricting risky software. Sandboxing works by isolating potentially malicious or dangerous code from the rest of the organization's environment. This allows it to be safely analyzed without compromising your operating system or host devices. If a threat is detected, it can be removed immediately. Sandboxing can be used in multiple tasks like cloud-based implementation, software bundles, a web browser extension, and dedicated appliances onsite in an organization.
Sandboxing is very useful for dynamic malware analysis because it helps to understand the functioning of malware without any side effects of executing the malware for observations.
SQL injection (also SQLi) is one of the most common code vulnerabilities. An SQL injection attack occurs when an attacker inserts or "injects" malicious SQL code into the application's input data. SQL injection allows the attacker to read, modify, or delete sensitive data and perform administrative tasks on the database.
SQL injection attackers simply modify an existing SQL command to suit their needs. SQL statements are used in many website applications, from providing a list of customers to identifying visitors with usernames and passwords against a server-side database.
The SQL injection attack can return information about all employees by modifying a SQL command to remove limitations such as vulnerability scanning for only active employees or those in a specific department to which the user has access. This could lead to the disclosure of sensitive personal information.
The most common method for preventing SQL injection is to code SQL queries with parameters in a more controlled manner. Instead of structuring the command solely from user input content, this method, known as parameterized queries or prepared statements, uses a pre-defined query with filter options supplied as parameters. Implementing an intrusion detection system can assist in detecting user behaviors that attempt to exploit application vulnerabilities.
Sanitize or validate any browser-supplied input values that will be used in the SQL query when creating SQL commands. To detect problems, use DAST/SAST tools. Install a web application firewall (WAF) capable of detecting and filtering SQL injection attacks (along with other vulnerabilities.) Such firewalls weed out known threats by constantly updating lists of signatures that should be blocked.
Using best practices in web application development and performing SQL injection tests as an integrated step in development will provide better SQL injection vulnerability protection. This additional level of testing can be accomplished by incorporating static (SAST) and dynamic (DAST) analysis tools into the development pipeline.
Spyware is malware that monitors and tracks user actions as well as collects personal information. Spyware programs generally install themselves on the user's computer and profit the third party by collecting data from the user without his knowledge. Furthermore, spyware steals users' passwords and personal information by running in the background of the system. Common types of spyware are Bonzibuddy and Downloadware.
Ransomware has emerged in recent years and can target individuals or organizations. Ransomware is malware that is designed to prevent users from accessing their own systems until a ransom fee is paid to the creator of the Ransomware. Ransomware is far more dangerous than regular malware and spreads via phishing emails with infected attachments. A ransomware infection can encrypt the entire operating system or a specific file, which largely depends upon the nature of Ransomware (that comes from the attacker's motive). A sum of money is then demanded from the person whose data has been held, hostage. To protect your system from Ransomware, keep an eye on it and have the proper security software installed from the start because prevention is always better than cure. Types of Ransomware are CryptoLocker, Bad Rabbit, and WannaCry.
Expect to come across this popular question in interview questions on cyber security. Traditionally, the CIA triad refers to three key security requirements, i.e., confidentiality, integrity, and availability. Confidentiality refers to keeping information secret and only accessible to authorized users. Integrity focuses on detecting modification of data, i.e., it is possible to know and verify even a single bit of modification of data, and it is applied to both stored data and communication data. Availability aims to guarantee the access of services and resources to the intended user whenever demanded.
These three are well-accepted and established security requirements. However, over time, authenticity and non-repudiation also became key security requirements and were often referred to as an extended CIA triad. In addition to these, there is another extension of the CIA as Parkerian hexad, which added three more elements of information security to the existing CIA, and those newly added elements are Possession or Control, Authenticity, and Utility.
A backdoor is a code block inserted into software to allow hidden access to its creator or someone who learns how to invoke the existing backdoor. A backdoor can be created for both fun, benign and malicious purposes. For example, a developer inserts a backdoor to go around the authentication for show-off. The benign use of a backdoor can be an administrative tool for monitoring or managing the software. The fun and benign backdoors can be a security risk because they can be found by threat actors and exploited. Many malware also install backdoors after infecting the victims and deleting the infection code to avoid detection. A backdoor can be the main malware payload or the first stage of installing more complex malware.
A rootkit is a special type of malware that runs at the lowest level and is often placed between hardware and OS. So, the rootkit can only be installed on a target machine when the attacker has root-level access to the device. Detection of a rootkit with OS-level security software is impossible because it can control the system call and modify the response. A rootkit-infected system turns into an always-open access system for the attacker. Due to the privileged access, with a rootkit, an attacker can elevate privileges for another user on the devices. Mostly, the rootkit opens to receive commands and execute them locally on the infected machine. A rootkit is also one method to create a backdoor into the infected system, which is hard to detect and has root access to execute a command on the system.
Traceroute assists in determining the precise path that a data packet must take to reach its destination. The user can enter tracert <ip address> into the command prompt.
Ping is a command that can be used to test network connectivity and name resolution. To test network connectivity, go to the command prompt and type ping <ip address> followed by the enter key.
If there is no response to the ping request, then the tracert command can be helpful in finding the failure point of the data packet.
The major difference between the two is ping is a network connectivity and name resolution test. Traceroute assists in determining the precise path of a data packet to its destination. It also assists in determining whether the fault occurred along the path.
Traceroute is a network utility that tracks a packet's path across a network from source to destination. Ping is a popular network utility tool that is used to test the connectivity of two nodes or devices.
In conclusion, traceroute and ping appear to be similar, but they are not. The distinction between ping and traceroute is that the former is used to test network connectivity and name resolution. In contrast, the latter determines the actual path from source to destination.
A MAC address is a 48-bit unique address assigned by the manufacturer to a network adapter to transmit data to the destination host. In the network layer, MAC is associated as a sublayer in the data link layer, which is responsible for physical addressing. If a device has multiple network adapters, such as Ethernet, Wi-Fi, Bluetooth, and so on, each standard will have its own MAC address, which makes the device more vulnerable to flooding attacks. The attacker can also use an ARP spoofing attack as a shadow attack to maintain access to private data after the network switches recover from the initial MAC flooding attack.
The attacker floods the switch with a massive number of requests, each with a forged MAC address, to rapidly saturate the table. When the MAC table reaches its storage limit, it replaces old addresses with new ones.
The IP address used on the internet is literally called your PUBLIC IP address. An IP address is needed for source and destination information. The typical hacker can look up your city and state with an IP address since one’s local ISP owns that IP address. If it is in a database somewhere, then MAYBE they can correlate that IP to your name and address. They can scan for open ports on your router (this is something you have to do manually), and even then, they will need to be able to hack/exploit whatever program that port is tied to.
The IP, the hacker gets is the Public IP of the router, not your computer itself. The router has a fundamental feature called NAT (Network Address Translation); this feature provides a roadmap to the router to know who asked for what data.
A port in the computer network is represented by a number and is associated with the network protocol. Each Port is specific to a service that maps to a running process on the operating system. For example, port number 80 is associated with HTTP protocol, and when the host computer receives a network packet, the network protocol with the port number and specific process to receive and process the packets. The port number comes with a 16-bit number, so there can be 65536 ports (0-65535). The port number from 0-1023 is reserved for the known and popular network protocol, and after that, others can be assigned to other network applications and services.
Port blocking is a defense and filtering method by blocking a specific port from the well-known port number (0-1023). Executing services can be restricted. For example, if port 80 is blocked on a device, the user cannot access or process a web response. So, Port blocking within the local network help network administrator restrict access to services.
In contrast, port forwarding is a technique to allow external access to devices or services placed within the local internal network. Port forwarded is done by mapping an external port to an internal socket (IP + Port). Port forwarding is done via router configuration. In simple terms, port forwarding makes internal devices look like external devices accessible directly via the Internet.
Netscape invented SSL (Secure Sockets Layer) in 1994. SSL encryption/decryption is a technique for keeping internet connections secure, whether they are client-to-client, server-to-server, or (much more commonly) client-to-server. This prevents unauthorized third parties from viewing or altering any user data transmitted over the internet. It was originally designed to secure connections between customers and online businesses. Unfortunately, as the value of seemingly innocuous personal information and browsing habits rises, attackers have broadened their net to include non-commerce sites as well. As a result, SSL has become widely used. But, as time passed, an updated protocol was released in 1999, and it has since completely replaced SSL as the standard security certificate (TLS discussed below).
Transport Layer Security (TLS) is similar to but more secure than SSL. More precisely, the Internet Engineering Task Force has recommended that SSL be replaced with TLS.
TLS is used for achieving privacy, authentication, and data integrity over computer networks and is used in web browsing, instant messaging, email, and other applications using various cryptographic constructs like encryption, hashing etc. TLS is more trustworthy for a variety of reasons, including the fact that it was designed to address known SSL vulnerabilities and support stronger, more secure cipher suites and algorithms. In TLS encryption, message authentication is used. The message's authentication is done via a keyed-hash message authentication code (HMAC) algorithm. Message authentication helps system to verify that during transmission, data has not been modified, and it also allows the receiver to verify the source of the message or sender.
HTTPS is the secure version of HTTP. The HTTP protocol is the main protocol that is used to send data between a web client (for example web browser) and a web server. HTTPS is encrypted to increase data transfer security. This is especially important when users send sensitive data, such as when they log into a bank account, email service, or health insurance provider. HTTPS prevents websites from broadcasting their information in a way that anyone snooping on the network can easily view. When data is sent over standard HTTP, it is divided into data packets that can be easily "sniffed" using free software. As a result, communication over an insecure medium, such as public Wi-Fi, is extremely vulnerable to interception. In fact, all HTTP communications are in plain text, making them highly accessible to anyone with the right tools and vulnerable to on-path attacks. HTTPS encrypts traffic so that they appear as nonsensical characters even if packets are sniffed or otherwise intercepted.
Benign or malicious reasons can cause a slow process on the computer. Benign reasons include low memory on the device, out of space on the cache, limited temporary memory, outdated software, etc.. Although benign reasons are not a matter of concern, these issues can be addressed by managing the computing resources by updating and upgrading the system.
In contrast to benign reasons, various malicious reasons exist, such as unauthorized remote access, data extraction, and malware infection. During remote access, there is a high utility of computing resources such as memory and process, which slow down the computer's access. Similarly, if there is a data extraction attack on the system, then the network and memory resources will have high usage and hence slow performance. Many malware is specially crafted to consume system resources in an attempt to perform a Denial of service attack. Most virus programs replicate multiple times to the infected computer and try to out space resources. Other malware like Trojan, bots and spyware also uses computing resources as a background process, slowing down the foreground activity.
For either reason, slowing down, updating, upgrading, and scanning with security software (anti-malware), etc., will be the proper way to recover system performance.
The mouse movement and flash terminal screens can have benign reasons like operating system upgrades or other software updates in the background due to auto-update configuration in the system. These benign background processes can be stopped by changing the options in the settings and disabling any auto-update by OS or software.
Malicious operations in the background can cause the mouse cursor movement or flash the terminal. Some probable reasons could be malicious code execution due to video file playing. Many users download pirated videos from the Internet, and attackers exploit this and embed malicious code into a video file that gets executed during playing by the player (given the player has the intended software vulnerability). Apart from this, the mouse movement or terminal screen can also be caused by unauthorized remote access, i.e., an attacker is accessing the computer remotely, or any malware is trying to execute further payload based on the trigger. The trigger is a particular condition in malware that provides conditional execution of payload on the infected system. In this scenario, the trigger can be associated with media player software that minimizes user interaction and allows attackers or malware to execute code in the background.
Subject: Urgent Bank account blocking
Dear user,
I noticed unusual activity in your bank account, and to protect you, we will block your account.
Please provide the following account to verify the authenticity and avoid blocking and restricting account access.
Name:
Date of Birth:
CVV:
Bank account number Number:
This is a time-sensitive matter, so you must respond within two hours, else your account will be blocked, and all associated cards will be blocked.
Security Team,
XYZ bank.
The email is a phishing email that must be reported or avoided without clicking any link or responding. These few points help to identify a phishing email.
The email uses "user" instead of a username, i.e., Bob; if the email is from the bank and for a specific user, it must address the account holder's name. The use of "user" indicates a mass mailing phishing email.
Asking for information like CVV, date of birth, and bank account indicates an attempt to harvest the user's information back either has some of this information (date of birth, account number) and will never ask for other details like CVV.
The email tries to create urgency for sharing the information and warning of blocking the account; these two are typical combinations used by an attacker to intimidate users and pressure them to share the details without analyzing the situation appropriately.
What are your thoughts on clicking the link?
Instruction for "Clicking the link" on the Internet should always consider suspicious and proper care should be taken before clicking the link. The rule of thumb is, "never click a link sent by a stranger." In the given scenario, the link comes from a close friend, so the user can be careless and click the link. However, social media accounts should not be trusted because users' accounts can be hacked and used to launch a further attack. Apart from account hacking, there are impersonation attacks, in which attackers create fake profiles (by using publicly available images on other places on the Internet), pretending to be close to the target and sending the malicious link to the target.
The message asks to click the link to be added to the guest list, which is very suspicious in itself, and the user must verify it with a close friend via another communication channel such as a phone call, email, familiar friend, etc. However, if verification is not possible, there are software and services like Virustotal where users can check any URL and get results about malicious or benign links.
Safe password is proportional to the password's strength, i.e., a combination of upper case, lower case, digits, and special characters with a significant length (example greater than 8). The strength of "Anb@!1245" is better than others because it has an upper case letter, two special characters (@!), small case letters, and digits, which makes it harder to crack than others.
A quick comment on the password sample is as follows:
There is a good tool for password generation, testing, and storing the password, so users can use these tools to generate a more robust and safer password.
Dear user,
Thank you for using our sarvices. Please loging to your account to protect it from deactivation.
Click to Here to login.
Manager,
Xyz website
A phishing email can be identified using common mistakes the attacker made. Grammar mistakes, embedded login links, etc., are prevalent mistakes or patterns in phishing emails.
In the given email, the following are the red flags that classify an email as a phishing email:
What will be your initial thought, and classify this as a type of cyber-attack?
Getting a call from the bank's customer care is routine; representatives call for various purposes like credit card schemes, insurance, and loans. So, getting a call is not malicious or raises any suspicions. However, requests for sensitive information like card numbers and CVV should indicate the attempt of a cyber-attack. Such taking, which involves a phone call to trick the user into disclosing personal information or log-in credential, is called Vishing. Vishing is equivalent to its textual counterpart, i.e., phishing. The attacker uses a voice call to make the phishing more authentic because a call makes the user trust and reduces the chances of suspicion.
Email 1:
Subject: Urgent action required
Dear User,
Your account is blocked due to inaction. Please log in using the below link to activate your account again.
Click the Login link.
Yours,
Community manager.
Email 2:
Subject: Offer for unlimited memory space
Greetings!
We are XYZ cloud service company and offering unlimited memory space as the new year offer.
Please register for our services and get benefits.
www.xyz.com
Bob Marle
Marketing head,
Xyz.com
Phishing and spam email look very similar, and there is a very slight difference between these two emails. However, the intention and structure of email give indications that can help to classify an email as phishing or spam. In the given two emails example, email 1 is very similar to a phishing email, while email 2 matches with spam email.
The subject of email 1 creates urgency, and the email uses the general term "user" to address the receiver. In addition, the email body has an embedded link for login. The message that the account is blocked also creates suspicion, a blocked account would be known to the user in advance, and the user will initiate proper action to unblock their account.
The second email, i.e., email 2, has a typical marketing subject using words like an offer. The email body doesn't create any urgency or have any login link except the product website. The receiver needs to create an account to access the services, so the user is independent to take actions to reject or follow the email.
The email header provides information to track the source of the email. However, attackers apply many proxies to send phishing or spam emails. The use of hacked devices or anonymization services by the attacker is widespread, and so many times, a traced source IP doesn't belong to the attacker but to a victim's computer. Further use of Peer-to-peer services like Tor network makes it challenging to track the source of an email or network access.
Given the resource and capability (getting information from service providers on request etc.) accessible to the CERT team, it is highly likely that the track IP would belong to an attacker. However, it can only be specific, especially for the advanced attacker (highly skilled and have more computing resources in the form of hacked PC and services). So, The CERT team needs to use secondary sources to verify the claim, such as traffic correlation analysis or device study, i.e., looking for a forensic artifact that can prove that the track IP and system owner are the same and hence the attacker.
Computer user activities can be monitored using workspace monitoring tools. Many organizations installed monitoring tools before issuing a computer to the employee (under company policy and known to the user). However, suppose any employee wants to send critical files (internal attacker). In that case, they can disable the monitoring tool or adopt some other techniques, such as steganography, to send the file in hidden ways.
To verify the attack, the IT team can perform a forensic analysis of the suspect device to determine the user's activities. In addition to device forensics, network traffic analysis can be helpful in knowing the data sent and received to and from a particular MAC /IP address. Deleted files from the device can be recovered through recovery software, and all sent files can also be carved out from the network traffic. Wireshark is one of the popular tools for network traffic analysis.
Physical access blocking and network traffic filtering and blocking can be suitable actions to stop data theft. Physical access blocking can be achieved by applying a physical authentication process to access sensitive devices, and blocking USB access, file transfer access, etc., can also help prevent any internal attacker data theft.
In addition to physical restriction, network traffic monitoring, filtering and blocking can be applied to restrict network communication. For example, blocking all the file transfer-related (FTP, SFTP, etc.) outbound traffic can limit the user to send any files outside. Similarly, access control can be applied to network access that will help to filter out which user will access what type of inbound and outbound traffic.
To stop attackers, the inbound traffic must scan with a firewall, IDS, and anti-malware software. Using a proxy, honeypot and DMZ are some solutions that will provide additional security from external attackers.
The malware sample used for the attack can be recovered from two locations: the infected devices and the network traffic. If the malware used in the attack is not fileless ( i.e., code directly injected into some running process, and no actual code downloaded to the device), then it can be recovered by using the forensic method by taking a memory dump of the primary and secondary memory. However, modern malware uses advanced techniques to make it challenging to collect the actual sample to avoid detection and analysis. In such cases, device forensics may not recover the malware sample, so the second location, i.e., network traffic, can be used to carve out the malware code used for the attack. By using all the in and out network traffic (i.e., network packets ) from the infected devices, the malware code can be recovered from the data part of network packets.
Email activities can primarily be tracked using a user email account (mostly not accessible) and email server. The network administrator controls the email server so it can be analyzed to find the communication related to the case. The email communication can be recovered using various server logs, even if the email is deleted.
In addition to the email server, the network traffic would also help verify the information gathered at the email server. The network traffic can also recover the "sent excel file" from demonstrating and proving the allegations.
If an email client is used to send the email, then a device forensic of the user can also be used to recover the email content and the activities that can be correlated (using timestamp, content, etc.) with server and network traffic analysis.
Pirated software is often used for distributing attack vectors and malware (Trojan is primarily distributed in this manner). It is easy to embed malicious code or specially crafted code blocks in pirated or cracked software. By this method, attackers can efficiently distribute malicious code and infect more and more computers easily and without the user's suspicion. The attacker can sometimes execute its code with high access (like an administrative profile) because users provide access rights to install pirated software.
Sometimes costly software is also distributed over the internet after removing the payment gateway functionality etc., so to be sure that the downloaded software is not infected or malicious, one needs to verify the software with on-device anti-virus software or can be verified using online software such as virustotal which provide scan results of multiple anti-virus software. Advance users can also perform static and dynamic analysis to ensure that no malicious code block is embedded into the downloaded software.
Apart from verifying the downloaded software and using it directly on the main computer, running such suspicious software in a restricted environment is advisable using a sandbox or virtualization software like VirtualBox, etc..
Access restriction or authentication is a common mistake in adding a printer to the network. Any network user can access any printers added to the internal network without any authentication or access. The given scenario is similar to authentication-less printer availability, so to restrict access to printers or allow only authenticated users to access a particular printer, user-based authentication, and access right can be added. So, now every print can be associated with a user and traced to any printer misuse.
However, suppose the misuse is happening despite of authentication system. In that case, it can be due to attacking some printer vulnerabilities, which is common in printer firmware due to the lack of security features in printers. In the case of the second scenario, a software update will be helpful.
The SYN flood, or half-open attack, is a network-tier attack that floods a server with connection requests while failing to respond to acknowledgments. The large number of open TCP connections that result consumes the server's resources, effectively crowding out legitimate traffic and making it difficult or impossible for the server to function correctly for authorized users who are already connected.
Every client-server conversation starts with a three-way handshake. The client sends an SYN packet, and the server responds with an SYN-ACK, completing the TCP connection. In an SYN flood attack, the client sends a large number of SYN requests while never responding to the server's SYN-ACK messages.
This leaves open connections on the server, awaiting further communication from the client. Each is recorded in the server's TCP connection table, which eventually fills up and prevents any further connection attempts from any source. As a result, business continuity and data access are disrupted.
Bots connecting from spoofed IP addresses frequently perform SYN floods to make the attack harder to identify and mitigate. Botnets can launch SYN floods as distributed denial-of-service (DDoS) attacks.
DNS spoofing is a cyberattack that misuses tampered DNS server data to redirect users to bogus or attacker's controlled websites. These malicious sites frequently appear legitimate, but their true purpose is to install malware on users' devices, steal sensitive data, or redirect traffic. When a user uses a URL (Uniform Resource Locator) to search for a website, their device sends the request to a DNS server, which matches the URL to the associated IP address — a unique string of numbers and periods assigned to every device, server, and website. The system directs the user to the requested site once the DNS server associates the request with an IP address. Unfortunately, DNS records are not very secure, and attackers can use their flaws to launch DNS spoofing attacks.
There are several methods attackers can use to carry out DNS spoofing attacks, but they all aim to fool users and their servers into believing a fraudulent website is legitimate. Attackers typically take the following three steps to accomplish spoofing:
DNS spoofing can be difficult to detect because it affects both user devices and DNS servers. On the other hand, individuals and businesses can take precautions to reduce their vulnerability to an attack.
ARP spoofing and ARP poisoning are the two types of ARP attacks. A malicious developer seeking access to sensitive data may expose vulnerabilities and sneak inside, and you may be unaware. ARP spoofing occurs when a hacker sends bogus ARP packets that connect an attacker's MAC address to an IP address of a computer already on the LAN. ARP poisoning: Following successful ARP spoofing, a hacker modifies the company's ARP table to include forged MAC maps. The virus spreads. The goal is to connect the hacker's MAC to the LAN. As a result, any traffic sent to the compromised LAN will instead be routed to the attacker. After launching a successful ARP attack, the attacker can hijack, deny service and sit in the middle.
RARP is an abbreviation for Reverse Address Resolution Protocol, a computer networking protocol used by a client computer to obtain its IP address. MAC to IP address mapping is done using a request to the gateway server, which refers to the Address Resolution Protocol table or cache to respond with the assigned client's IP address. The network administrator creates a table in the gateway router to map the MAC address and IP address.
Network scanning is the process of detecting active devices with running services and open or closed ports. It is done by using different network protocols by sending network packets with various configured and receiving and processing the response from the target device. Network scanning can be targeted to a device or to the complete network.
Network scanning is done to monitor and manage an internal network's devices by a network administrator. At the same time, attackers can perform scanning from outside to learn about the network and draft attacks according to the scanning report. Ping is the most used and simplest network scanning tool to check a device's state over the network. An active device responds to the ping request, while there is no response from an inactive device.
In addition to simple monitoring and managing, the defender uses network scanning to find any vulnerable devices and help to patch any open vulnerability. In contrast, attackers consistently keep scanning the network to find any possible vulnerability that can be exploited to gain access to the network. However, external scanning can be detected and blocked by the network administrator. Many scripts and tools are available to automate the scanning and attacking network. NMAP and Metasploit are very popular tools with network scanning and exploitation capabilities.
A computer network attack is an attempt to gain unauthorized access to the network to steal data or engage in other malicious activity. These attacks are classified into two types:
Some common types of computer network attacks are
Buffers are special memory storage locations that keep data temporarily. For example, when a larger file is being transferred at the receiving end, the data block is kept in a buffer area for syncing or ordering purposes. The buffer overflow attack utilizes the memory overwriting vulnerability of buffer management. Normally, when data exceeds the storage capacity of designated buffer memory, the exceeding data attempts to overwrite the data to the adjacent memory locations. Buffer overflow attack is possible in all those software that performs writing without doing a size checking. This can be understood by the difference between gets() vs fgets() or strcat() vs strncat(); gets and strcat do not compare the size of the source and destination memory, while fgets and strncat perform a comparison before performing the copy. Attackers normally use malformed inputs to perform a buffer overflow attack. The memory overwrite can have a different impact. For example, if the attack overwrites a location with executable code, the program behavior will become unpredictable. It may generate incorrect results, give memory access errors, crashes, or can execute an attacker's code. Attackers can change the execution path of the benign program to trigger the execution of the attacker's code. Launching buffer overflow will be easy and highly dangerous if attackers know the memory layout of a program. For example, knowing the memory and controlling the benign program, the attacker may be able to overwrite a pointer to its own payload. Stack and heap are two commonly used buffer overflow attacks.
A software vulnerability is a security flaw, glitch, or weakness found in software code that an attacker could exploit (threat source). Software vulnerabilities do not enter a system; rather, they are present from the start. There aren't many cases of cybercrime activities leading to vulnerabilities. They are typically caused by flaws in the operating system or network misconfiguration. Cyber security threats, on the other hand, are introduced into a system through methods such as a virus download or a social engineering attack.
Cyber security risks are commonly classified as vulnerabilities, which can cause confusion because they are not the same thing. Risks are the likelihood and impact of a vulnerability being exploited. If these two variables in the software are low, the risk is low. It is directly proportional, so the inverse is also true; high vulnerability probability and impact lead to high risks. An exploitable software vulnerability is one that has at least one definite attack vector. For obvious reasons, attackers will seek out exploitable weaknesses in the system or network. Of course, no one wants to be vulnerable, but what you should be concerned about is whether or not it can be exploited.
Most software programs can have unintentional flaws known as vulnerabilities. Attackers may exploit these vulnerabilities to execute their attack payload. For example, suppose the software has gets () for string input. In that case, the software has a buffer overflow vulnerability, and attackers can exploit it to run their payload designed as an input string for the software. Security testers or the red team analyze software for known and new vulnerabilities, and on discovering any vulnerability, the blue team creates a "patch" to fix the vulnerability. Patches are often published individually or with a new version of the software.
In contrast to the red team or security team, if the same vulnerability gets discovered by an attacker, then all instances of the software can be exploited by an attacker.
So, there is an arm-race between the defender and the attacker to find the vulnerability. The vulnerability that gets detected by the attacker and doesn't have any know patch from the developers is known as a "zero-day" vulnerability. Zero-day vulnerabilities are difficult to find and the same time, very hard to defend against because there is no know solution or patch available. Keeping software up-to-date and keeping testing software for any possible zero days is the only mitigation against it.
A software patch is a quick response for software, and it is designed to resolve functionality issues, improve security or add new features. However, the main purpose of a software patch is to fix bugs or address security vulnerabilities. Users can risk their devices vulnerable to various attacks by ignoring critical updates that can be prevented by installing these patches in advance.
The importance of keeping software patching up to date increases in cybersecurity as it reduces the risk of cyber-attacks. Most users regard cyberattacks as impossible until they pose a real threat. They believe that a cyberattack occurs suddenly and without warning. Still, the best patch management software is often available before cyber attackers exploit a vulnerability and manipulate it to infiltrate systems. Patching provides two key benefits:
Another unanticipated consequence of cyberattacks is the productivity loss caused by system downtime. To this extent, a cyberattack can cause two types of financial losses: the cost of patching systems and the cost of delayed projects and unproductive employees.
It is the responsibility of business owners to protect the information that users entrust to their systems. Companies that fail to meet this standard may face severe repercussions. Consider the case of Equifax, which the Federal Trade Commission ordered to pay $125 or provide ten years of free credit monitoring for exposing the personal information of 147 million people in 2017. The software patching also protects the others on the network.
Secure programming is a method of writing code in software that protects it from vulnerabilities, attacks, or anything else that could harm the software or the system that uses it. This includes implementing security features like authentication, encryption, and input validation, as well as adhering to secure coding best practices and testing for security vulnerabilities. It also entails being aware of the security implications of the technologies and libraries you use and the specific threat model your application faces. Secure programming is also known as secure coding because it deals with code security. Creating software, applications, or writing infrastructure as code requires cloud secrets to access and control cloud resources and sensitive parameters saved to enable automation. Countless scenarios could introduce vulnerabilities into the code, like leaked access keys and hardcoded application secrets.
It is extremely difficult to protect and secure code to industry standards. Secure programming is important because it prevents malicious actors from exploiting software vulnerabilities to gain unauthorized access to sensitive data or disrupt system operations. This can include safeguarding against SQL injection attacks, validating and sanitizing input, and implementing appropriate authentication and access controls. Developers can ensure that their software is less likely to be compromised by writing secure code, which can help protect the software and its users. For example, if the software is written in 'C' programming, then security programming would not use any unsafe functions such as gets(), strcat(), or strcpy(), instead must use only sage alternatives like fgets(), strncat(), snprintf().
The attacks targeted operating systems majorly aimed to exploit and be successful because of vulnerable OS versions. However, the newer version of the operating system may also contain a zero-day vulnerability. Hence, this is a never-ending cycle of discovering and patching bugs and vulnerabilities in any software and OS.
Bugs in an operating system's source code are another way for attackers to gain access. This vulnerability could result from a mistake made by the developer while developing the program code. Attackers can exploit these mistakes to gain access to the system. A range of cyberattacks targeted at operating systems can be discussed, like ransomware, denial of service, rootkits, remote code execution, phishing, etc. Malware is the commonly used cyberattack targeted at the operating system, which includes viruses, worms, trojans, and other forms of malicious software that can infect and operate the system and cause damage or steal sensitive information. The purpose of cyberattacks targeted at operating systems could be gaining unauthorized access to a system or network, disrupting operations, stealing sensitive information, or ransomware. Several actions can be taken to prevent cyberattacks on operating systems, like using a firewall, keeping the software and operating systems up to date, using antivirus and anti-malware, implementing network segmentation, and educating the crew.
The process of securing an operating system by reducing its attack surface and making it less vulnerable to cyberattacks is known as operating system hardening. This can be accomplished by removing unnecessary software and features, installing security updates, and securely configuring the operating system and its components.
The overarching goal of operating system hardening is to make it as difficult for an attacker to exploit vulnerabilities and gain system access as possible. It is critical to remember that operating system hardening is an ongoing process and that an operating system's security must be constantly monitored and updated in order to remain effective against ever-evolving threats.
Here are some examples of operating system hardening:
Creating and delivering a product or service to a customer, typically involving multiple companies and organizations, is referred to as a supply chain. A supply-chain attack with respect to the software industry is a cyberattack targeting a company's or organization's supply chain of software. In a supply-chain attack, the attacker attempts to gain access to the targeted organization's network or steal sensitive information by targeting a weak point in the supply chain, such as a third-party vendor or a software component. The types of supply chain attacks include compromised software with malicious code, tempered hardware like servers and routers, phishing attacks via third-party vendors or suppliers, misconfigured cloud services, etc.
Because the attack occurs at a different point in the supply chain than the targeted organization, the malicious code or malware may only be detected once it has already entered the organization's network. Data breaches, intellectual property theft, and operational disruption can all result from supply-chain attacks on the targeted organization. Organizations must have visibility into their supply chain and implement security measures to protect themselves from these attacks.
Specific steps that any organization can take to prevent supply-chain attacks include: conducting thorough background checks on third-party vendors and suppliers, putting in place secure software development practices, putting in place safe procurement practices, and Monitoring and reviewing third-party vendor and supplier security regularly. Furthermore, strict access controls, digital signatures, and an incident response plan implementation make organizations more vigilant and proactive in protecting themselves. It is also critical to review and updates these measures regularly to ensure they remain effective against the changing threat landscape.
Keeping application programs up to date is critical for various reasons. Security is one of the primary reasons. When new vulnerabilities or security threats are discovered, software updates frequently include patches or fixes to address these issues and protect the user's data and device. Furthermore, software updates may include new features or improvements to the application's user experience and performance. The application may not function properly or become vulnerable to security risks if it is not updated. Automatic and manual updates of the application programs ensure the system's high efficiency and maintain the software and hardware security in the long run. Some operating systems have built-in update managers or software updaters that can check for updates for multiple applications at once.
There are several methods for safeguarding an operating system against malware attacks:
Cyberattack is any attempt to damage, destroy or perform unauthorized access to a computer, network, and data. An individual or group who performs the cyberattack is called a cybercriminal, or loosely people call them hackers. Many methods, techniques, and tools are available to launch a cyberattack. Most cyberattacks are possible due to existing vulnerabilities in the target system software or hardware. An attacker needs to discover a vulnerability and then develop a method to exploit it to execute their payload. A cyberattack can be targeted or untargeted. In a targeted attack, the victim is chosen specifically, while the untargeted attack randomly launches an attack in the wild and hopes to get access to any device or user. Some of the most prominent cyber-attacks are:
A cyberattack cannot be avoided completely. However, the possible attack can be mitigated or prevented by proactive actions such as installing security software and keeping software and hardware up-to-date by installing newly published patches and updates.
Recently, ransomware and supply-chain attacks have evolved and caused many large-scale cyberattacks. In a ransomware attack, the attacker infects the victim's computer with malware that encrypts the files or locks the operating system and then pop-up ransom notes for payment. Ransomware is a unique cyberattack because the attacker purposefully notifies victims about the attack post-infection. This is also unique in the sense that the main motive of a ransomware attack is to get financial benefits in terms of ransom money. One main reason for the rise in ransomware attacks is the possibility of getting ransom as cryptocurrency, which is hard to track and encourages attackers to get the ransom. WannaCry, Petya, CryptoLocaker etc., are some of the widespread ransomware.
SolarWinds, Kaseya VSA attack, target data breach, and Eastern European ATM malware are very recent, popular, and high-profile supply-chain attacks. The supply-chain attack is also prevalent in the past couple of years. In a supply-chain attack, an attacker injects malicious code into some source software, waits to supply this software to the users (primarily organizations), and then attacks the software users by previously injected code. The supply-chain attack is critical because millions of users may use a single software, and the attacker can compromise all of those by attacking only one software. An attacker can launch attacks on many victims, from organizations to high-profile end-users.
There are many motivations for launching a cyberattack. In the beginning, an attack was a way to show a superiority of skills and was mostly made for fun. However, the development of ICT and the adoption of digital technology have given many other motivations for cyber-attacks. Some of the critical motivations are as follows:
The use of security software can prevent cyberattacks. However, some good practices from users and system administrators can help to mitigate many cyberattacks, also known as cyber hygiene. Such as:
Over time security domains have become a multi-billion software industry that creates and offers a wide range of security software to protect individual users and organizations from cyberattacks. Some of the standard software that can help an individual to defend themself against cyberattacks are as follows:
Encryption is a technique of converting plain text (message) to cipher text. The encryption is done using an encryption algorithm (E), plain text (P), key (k), and output cipher text (C). So, Encryption: E(P,K) gives C.
For example, if the encryption algorithm is "Addition", plain text is "A" represented by a number "1" (representing A-Z through numbers 1-26), and the key is 3, then,
E(1,3) will give 1+3= 4; if we map the cipher back to text then 4 will be "D".
Decryption is the reverse process of encryption. It recovers plain text/message (P) from the cipher text (C). Normally, decryption algorithm (d) implements the reverse operations of it encryption counterpart. So,
Decryption: D(C, K) gives back P
For example, continuing from the previous example to decrypt
D(4,3) will give 4-3 = 1, 1 will be mapped back to "A"
Some popular algorithms are DES, AES, etc.
Unlike encryption, Hashing is the technique for generating a fixed value for a given plain text /message. The output of a hash value is called a message digest or hash value. Hashing is a one-way function i.e., and there is no reverse algorithm to recover plain text from a hash value. Some common hash algorithms are MD5, SHA, etc.
Hashing: H(P) gives the hash value.
Using Cryptanalysis, attackers analyze the cipher text with or without plain and cipher text pair to recover the key of encryption, using which attackers can crack the cipher text and get the plain text.
The algorithm uses a single key (same key) for encryption and decryption in symmetric encryption.
The E(P, K) -> C and D(C, K) -> P use the same K.
Symmetric encryption is faster. However, each communicating pair has to maintain its keys and so managing keys is very challenging in symmetric encryption. DES is a symmetric encryption.
Unlike symmetric encryption, asymmetric encryption needs pair of keys for encryption and decryption. Each user creates a pair of keys (public, private), and the user shares the public key to the public repository and keeps the private key secure. For encryption, the sender uses the receiver's public key for encryption, while the receiver uses his private key for decryption.
For example, suppose,
user 1 has K1(public) and K1(private)
user 2 has K2(public) and K2(private)
K1(public) and K2(public) is known to everyone.
if user 1 sends a message (M) to user 2 then
Encryption: E(M,K2(Public) gives C
after receiving cipher (C), and user 2 will decrypt
Decryption: D(C, K2(Private) to get M
Asymmetric encryption is also known as public key encryption. RSA is a public key encryption algorithm.
Symmetric encryption can work in two modes: Block cipher and Stream cipher.
In block cipher mode, the encryption is done on a fixed-sized message called a block. Generally, the block size is decided as a multiple of 8 bits for easy implementation of various cryptographic processes. So, 64-bit, 128-bit, 256-bit, etc., are commonly used block sizes. However, there is the possibility that the message text is smaller than the required block size. In that case, the message bits are padded with zero to complete the required bits.
In stream cipher mode, encryption is done on continuous incoming messages like a stream, and so the plain text is of variable size. So algorithm encrypts plain text bit-by-bit using keystreams. Generating unique keystreams is challenging, and it must be unique for each iteration; otherwise, the cipher text can be cracked, i.e., encryption will have low security against cryptanalysis. RC4 is an example of a stream cipher. Stream cipher methods are faster than block cipher.
Key exchange is the process of sharing a secret key to start encrypted communication. In symmetric cryptography, both sender and receiver use the same key for encryption and decryption, so the key exchange method help to create the same key at both ends.
The key exchange algorithm ensures that the actual secret key never being shared via the communication channel because, initially, the sender and receiver communicate via unencrypted media. So, during the key exchange, the sender and receiver follow the procedure, and at the end of the exchange, both can generate the same key at their end that they can use for further encrypted communication.
Key exchange is required because it helps two users have the same secret key they can use with symmetric encryption. Many a time, asymmetric encryption is used for secret share keys and serves as a key exchange algorithm. However, there is a specialized key exchange algorithm like Diffie-Hellman that help to generate the same key at both communicating ends.
Key exchange is used by many secure internet protocols like FTPS, HTTPS, SFTP, etc.; these protocols first exchange keys between sender and client or server and client, etc.. After generating the key, both parties use a shared secret key for further encrypted communication. In the case of internet applications, these key generations are often limited to particular sessions and get revoked after completion of the session.
A digital signature is the application of public key encryption, and it is used to identify or authenticate the sender. It is equivalent to a physical signature. In public encryption, it is assumed that the private key is only known to the user who generates it. Also, the pair of keys work together as linked for encryption and decryption, i.e., Bob's public key is used for encrypting the message, then cipher text can only be decrypted using the private key of Bob, or if Bob's private key is used for encryption, then only Bob's public key can be used for decryption.
For the digital signature, the sender uses their own private key for encryption and sends the message, so the receiver then uses the sender's public key to decrypt the cipher text. The purpose of a digital signature is to identify the user, so if decryption is successful, then the user's identity can be authenticated else; authentication will be denied.
The digital certificate is an extension of the digital signature concept. However, with a digital certificate, further information about the sender is also verified. Unlike digital signatures, a digital certificate requires a certificate authority to collect, associate, and verify information about the sender.
A cyber security job interview question is a mix of computer-related topics and security-related concepts. You can follow below the tips and tricks to perform the job interview well. It is also good practice to do a mock preparation by answering question sets like scenario-based cyber security interview questions and cyber security technical interview questions.
Cybersecurity has many job roles, and interviews vary from beginner to expert levels. For example, if you are going for a beginner-level interview, prepare with question sets like cyber security basic interview questions, while for the experienced position, you can practice with cyber security technical interview questions. It is good practice to choose job roles per your skills and interests and prepare concepts related to them. One cannot master all topics and concepts, so it is better to pick a career path early and prepare accordingly. For example, you have an interest in web application security, in that case, knowing more about javascript, HTTP protocol, and tools related to web applications like Burp suite will be more helpful to qualify for a web-related job interview. Cybersecurity indeed requires multiple skills to defend against attackers. However, many skills can be learned while working, so focusing on one path and domain is better initially.
Some of the key job roles in cybersecurity are as follows (based on LinkedIn job availability):
Some top companies that employ skilled cybersecurity workforce are IBM, Microsoft, Cisco, Fortinet, Crowdstrike, checkpoint, Trend Micro, Zscaler, Splunk, Sophos etc. In addition to these MNCs, all anti-virus companies, such as McAfee, Symantec, Norton, Kaspersky, ESET, Bitdefender etc., hire security professionals. However, in an anti-virus company, most jobs are related to malware.
The demand and high salary of cybersecurity jobs are due to special skills requirements different from traditional computer education. So, to get hired and work in the cybersecurity industry, you need to acquire specialized skills by doing courses in Cyber Security.
Working as a cybersecurity professional requires a mindset to handle unseen and unknown scenarios, so often, in a cybersecurity interview, you will be challenged by a unique problem. You must not be worried and should approach the problem with the fundamental known concepts, and often, you will be able to find the solution. It is best to prepare with question sets like cyber security interview questions and answers for freshers, which have all fundamental questions.
In addition, cybersecurity jobs require practical hands-on skills, so it is good practice to learn popular open-source or community editions of paid security software. It will help you to answer interview questions by explaining how-to steps, which will put you on the positive side of the interviewer. Learn the skills to protect your organization from cyber threats with our comprehensive Ethical Hacking course! Enroll now and take the first step in becoming a certified ethical hacker.
Cybersecurity is critical to protect digital assets and users. There is a high demand for cybersecurity professionals. However, various reports suggest that despite high salaries, there is a need for more cybersecurity professionals. This article provides comprehensive cybersecurity interview questions and answers, keeping the requirements of cybersecurity job roles and required concepts. There are questions and answers for beginners and advanced learning. In addition, there are questions based on scenarios which are typical ways of asking questions during a job interview. We have also identified vital subjects from traditional computer science subjects and provided essential questions and answers for those subjects.
The best way to use this article is by going through all questions once and then choosing questions related to specific job roles. For example, suppose you are interested in a malware analyst job and will attend an interview for the same position. In that case, it is better to pick all questions related to malware from all sections and practice them.
The article is focused on cybersecurity interview questions and answers. However, a security job interview may also have questions from traditional computer subjects essential for cyber security, such as computer networks, operating systems, databases, C programming and web development. So it is suggested to study those subjects too, along with the questions and answers from this article. Listen and understand the question during an interview and then reply with a structural response. For example, if the interviewer asked a question like "What is malware?" your answer must include the definition and type of malware. If time permits, then you also briefly list the need and challenge of malware detection.
Submitted questions and answers are subjecct to review and editing,and may or may not be selected for posting, at the sole discretion of Knowledgehut.
Get a 1:1 Mentorship call with our Career Advisor
By tapping submit, you agree to KnowledgeHut Privacy Policy and Terms & Conditions