Cybersecurity Analyst Interview Questions

The following list of questions is by no means exhaustive and some answers and explanations given for each are also non-exhaustive, but rather guidance for you to go out and do more reading and research so as to acquire more knowledge on the subject.

So here are some of the most probable cybersecurity analyst interview questions you will be asked during your job interview.

Each company, interviewer, and their perception of the role in the real world will vary. Not all companies use all available security technologies and methodologies. They will certainly have gaps in their security which hopefully you will fill for them, with your experience and expertise.

The questions serve as a starting point for you to practice for your interview and find any gaps in your knowledge that you must fill.

Do not memorize answers to the questions. Understand each concept deeply and practice describing them in your own words. That is how you will give the best answers.

Questions on Information and Cyber Security Theory

What is the main objective of Cybersecurity?

The primary goal of cybersecurity is to ensure the privacy of information, the correctness of data, and access to authorized users.

What is the CIA triad in information security?

The three letters in the “CIA triad” stand for Confidentiality, Integrity, and Availability. It is a fundamental cybersecurity model that acts as a foundation in the development of security policies designed to protect data.

We can assess threats and vulnerabilities by thinking about the impact that they might have on the CIA of an organization’s assets.

Name the most common cyberattacks

You can name some common cyberattacks like:

• malware
• ransomware
• phishing
• DoS and DDoS
• SQL injections
• XSS attacks
• Man-in-the-middle attacks
• brute-force attacks

Describe a cyber attack for each of the OSI layers

Research some of the common cyberattacks and be able to respond to which attack can occur on each of the 7 OSI layers.

For example:

Sniffing: physical layer

Spoofing: data link layer

MITM: network layer

Port scanning/reconnaissance: transport layer

Cookie hijacking: session layer

Phishing: presentation layer

DDoS attacks: application layer

What is the difference between a threat, a vulnerability, and a risk?

Risk is the potential for loss, damage, or destruction of assets or data. A threat is a negative event, such as the exploitation of a vulnerability. And a vulnerability is a weakness that exposes you to threats and therefore increases the likelihood of a negative event.

Describe what a residual risk is

How do you deal with residual risk?

Residual risk can be dealt with by:

• Reduction
• Avoidance
• Acceptance

What are some common security frameworks?

Some common information security frameworks are:

• NIST Cybersecurity Framework
• ISO 27001
• SOC2
• COBIT

Describe what the “Defence In Depth” approach is in cybersecurity

Defense In Depth is a common terminology in modern-day cybersecurity practices. It is a strategy that employs a series of mechanisms, also known as controls, to stop an attack on your organization.

Read more about defense in depth in this article

How would you log and monitor security events?

The most effective way to log security events is to collect them at a central location and use a SIEM to analyze and monitor for unauthorized events.

A SIEM’s purpose is to collect, store, analyze, investigate and report on logs for incident response, forensics, and regulatory compliance purposes, and to analyze the event data it ingests in real time to facilitate the early detection of targeted attacks, advanced threats, and data breaches.

Some well-known SIEM products are:

• Splunk Enterprise Security
• LogRhythm NextGen
• IBM QRadar
• McAfee Enterprise Security Manager
• AlienVault Unified Security Management
• Elastic Security SIEM

Is there a difference between a data breach and data leakage?

The difference between a data leak and a data breach lies in how they happen.

A data breach happens when an attack is carried out with the intention to steal data, but a data leak is not an actual attack but rather a lack of security controls on the protection of data.

Data breach and data leakage categories are accidental, intentional, and a result of a system hack.

Define data exfiltration

Data exfiltration refers to the unauthorized transfer of data from a computer system.

Some common data exfiltration methods are:

• email
• download to unauthorized devices
• upload to unauthorized cloud services
• hidden data through steganography to avoid detection
• through DNS because its traffic is often not being monitored

What is social engineering? Describe some of its types

Social engineering is a manipulation technique that exploits human behavior to gain access to private information or systems.

Some well-known types of social engineering are:

• Spear phishing
• Whaling
• Business Email Compromise (BEC)
• Vishing/voice phishing

Is there a difference between a vulnerability scan and a penetration test? Which would you choose?

There are differences between a vulnerability scan and a penetration test. You can read the full article here.

What are the uses of CVEs and CVSS?

The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability management programs. CVSS indicates the severity of an information security vulnerability and is an integral component of many vulnerability scanning tools.

Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that are maintained by MITRE.

CVSS is the overall score assigned to a vulnerability. CVE is simply a list of all publicly disclosed vulnerabilities that include the CVE ID, a description, dates, and comments.

Questions on Systems and Networking

How would you design a highly secure network?

As a cybersecurity analyst, you should be able to use your technical knowledge to design a secure network or enhance an existing one.

Defense in depth is a primary consideration, where you are going to have redundancy of technical and other security controls, so in case one fails, or is bypassed, there would be other security controls to mitigate the threat.

Compartmentalization is another practice you should employ, by which you create different “zones” for different purposes: inside zone, outsize zone, DMZ, intranet, management VLAN, web server farm, database servers, and so on.

You should be able to describe the placement of routers, firewalls, switches, IPS, VLAN ACLs, and the reason behind those decisions.

Is there a difference between an IDS and an IPS?

An intrusion detection system (IDS) monitors traffic on your network, analyzes that traffic for signatures matching known attacks, and when something suspicious happens, you’re alerted. In the meantime, the traffic keeps flowing.

An intrusion prevention system (IPS) also monitors traffic. But when something unusual happens, the traffic stops altogether until you investigate and decide to allow the traffic.

Five main types of IDS exist:

1. Network: Choose a point on your network and examine all traffic on all devices from that point.
2. Host: Examine traffic to and from independent devices within your network, and leave all other devices alone.
3. Protocol-based: Place protection between a device and the server, and monitor all traffic that goes between them.
4. Application protocol-based: Place protection within a group of servers and watch how they communicate with one another.
5. Hybrid: Combine some of the approaches listed above into a system made just for you. 

Four main types of IPS exist:

1. Network: Analyze and protect traffic on your network.
2. Wireless: Observe anything happening within a wireless network and defend against an attack launched from there.
3. Network behavior: Spot attacks that involve unusual traffic on your network.
4. Host-based: Scan events that occur within a host you specify. 

*Be ready to respond to the question “would you place an IPS in front or behind a firewall” (usually sits behind the firewall ;))?

What is port scanning and what are some different types of scans?

Port scanning is a method of determining which ports on a network are open and could be receiving or sending data. It is also a process for sending packets to specific ports on a host and analyzing responses to identify vulnerabilities.

TCP and UDP are frequently the protocols used in port scanning.

To perform TCP scans you can use different methods:

• SYN scans, the most common form of TCP scanning, involve establishing a half-open connection to the target port by sending a SYN packet and evaluating the response.
• TCP connect scan, in which the scanner tries to connect to a port via TCP using the connect system call and the full TCP handshake process.
• NULL, FIN, and Xmas scans are three scan types that involve manipulating TCP header flags.

Can you detect a port scan?

Network intrusion detection systems and firewalls are usually configured to detect scans, but scanners can attempt to avoid some common detection rules by altering their scanning rate, accessing ports out of order, or spoofing their source address.

What are some common types of brute-force attacks?

A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.

1. Simple Brute Force Attack  
2. Dictionary Attack  
3. Hybrid Attack  
4. Credential Stuffing  
5. Reverse Brute Force Attack  
6. Rainbow Table Attack 
7. Password Spraying 

How can you prevent a brute-force attack?

You may use some of the following methods to prevent a brute force attack:

• Limit login attempts
• Monitor and block IP addresses
• Use 2FA
• Use CAPTCHAs
• Use a WAF

How would you detect and prevent a DDoS attack?

A DDoS attack is a flood of traffic to your web host or server. With enough traffic, an attacker can eat away at your bandwidth and server resources until they can no longer function.

DDoS attacks can take a variety of forms. Common DDoS attacks include:

• Volumetric attacks flood network ports with excess data
• Protocol attacks slow down intra-network communication
• Application attacks overwhelm web traffic and other application-level operations

There are several clues that indicate an ongoing DDoS attack is happening:

• Statistical: An IP address makes X requests over Y seconds
• Your server responds with a 503 due to service outages
• The TTL (time to live) on a ping request times out
• If you use the same connection for internal software, employees notice slowness issues
• Log analysis solutions show a huge spike in traffic

Preventing a DDoS attack

Preventing a DDoS attack is sometimes hard and even impossible…

The most effective way to protect against DDoS attacks is to employ cloud-based protection which can handle large-scale attacks.

There are other methods you can use to make your network and applications more resilient to DDoS attacks:

• Span your data centers on different networks and locations,

• have a DDoS response plan in place so every team knows what to do to recover and communicate with internal staff, customers, and vendors.
• scale up your bandwidth to be able to absorb more than the volume of traffic you usually have
• using anti-DDoS hardware and software. Some can be provided as a service by your ISP

What is a botnet?

A botnet is a network of computers infected with malware that is controlled by a bot herder.

The bot herder is the person who operates the botnet infrastructure and uses the compromised computers to launch attacks designed to crash a target’s network, inject malware, harvest credentials or execute CPU-intensive tasks.

Each individual device within the botnet network is called a bot.

Learn more about botnets here.

What is a honeypot? What is it used for?

Honeypots are decoy systems or servers deployed alongside production systems within your network.

For a honeypot to work, the system should appear to be legitimate.

Some free, open-source honey pots you may use are:

• Honeydrive – a Linux distribution that comes pre-installed with a lot of active defense capabilities.
• cowrie – SSH/Telnet Honeypot
• tpotce – The All In One Honeypot Platform
• Dionaea – a multi-protocol honeypot that covers everything from FTP to SIP (VoIP attacks)
• ElasticHoney – emulates an ElasticSearch instance, and looks for attempted remote code execution.

By properly monitoring your honeypots, you can get insight into attacker tools, tactics, and procedures (TTPs) and gather forensic and legal evidence without putting the rest of your network at risk.

Explain what ARP spoofing attacks are

An ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack that allows attackers to intercept communication between network devices. The attack works as follows:

1. The attacker must have access to the network. They scan the network to determine the IP addresses of at least two devices⁠—let’s say these are a workstation and a router. 
2. The attacker uses a spoofing tool, such as Arpspoof or Driftnet, to send out forged ARP responses. 
3. The forged responses advertise that the correct MAC address for both IP addresses, belonging to the router and workstation, is the attacker’s MAC address. This fools both router and workstation to connect to the attacker’s machine, instead of to each other.
4. The two devices update their ARP cache entries and from that point onwards, communicate with the attacker instead of directly with each other.
5. The attacker is now secretly in the middle of all communications.

What is security hardening on systems and network devices

Hardening is the practice of reducing a system’s vulnerability by reducing its attack surface.

Reducing attack vectors through hardening also involves cutting unnecessary services or processes. Overall, a system that provides more services has a much broader attack surface than one performing just one function.

You may employ CIS benchmarks as configuration baselines and best practices for securely configuring a system. There are also pre-made CIS Hardened Images are securely configured virtual machine images based on CIS Benchmarks hardened to either a Level 1 or Level 2 CIS benchmark profile.

Describe VPN and what you would do to secure it further

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

There are two main types of VPN you can use:

• Remote Access VPN
• Site-to-site VPN

To further secure a VPN you can:

• Implement MFA
• Limit VPN access to specific authorized users
• use OpenVPN or IKEv2/IPSec
• enable DNS leak protection
• check if your IPv6 is “leaking” and disable it

What are some ways used to authenticate someone?

A person may use the following methods, or a combination of them, for authentication.

• Password,
• OTP
• PIN
• ID Card
• biometric
• code sent to mobile phone

How would you secure a corporate wireless network?

• Physically secure the wireless access points
• Update the firmware and software
• Change the default account information (user, password)
• Turn off WPS
• Disable the default network name and hide the new SSID
• Use WPA2
• Regularly scan and eliminate rogue Access Points
• Don’t use the same wireless network for guest and corporate user access
• Employ Network Access Control (NAC) for corporate users and devices

Questions on Email Security

What are some email authentication methods?

• SPF
• DKIM
• DMARC

You should be able to explain what each of the methods above do, and how you can properly configure them.

Is SPF enough to authenticate an email?

SPF alone can only authenticate the source of the message but not the original author. Any email sent would pass SPF checks and they could still spoof the From header which is out of the scope of SPF.

Only in combination with DMARC and DKIM can SPF be used to prevent email spoofing

What types of attacks occur through email?

• Fraud
• Account takeover
• Email interception
• Phishing
• Malware

What are some email protection security controls?

• Limit the number of connections to reduce the chance of spam and DDoS attacks
• Verify the sender through reverse DNS lookup before accepting the message
• Use content filtering to heuristically block or quarantine probable spam.
• Disable email relaying
• Restrict local email domain
• restrict attachments like .exe, .bat, .vbs, .jar, .swf etc.
• Use email encryption

Questions on Cryptography

What is the difference between encryption, encoding, and hashing?

Encryption is the process of securely encoding data in such a way that only authorized users with a key or password can decrypt the data to reveal the original. Encryption is used when data needs to be protected so those without the decryption keys cannot access the original data.

Encoding is a reversible process and data can be encoded to a new format and decoded to its original format.

An example of encoding is: Base64

Hashing is a one-way process where data is transformed into a fixed-length alphanumeric string. This string is known as a hash or message digest. A hash cannot be reversed back to the original data because it is a one-way operation. Hashing is commonly used to verify the integrity of data, commonly referred to as a checksum.

What is the difference between symmetric and asymmetric encryption

In Symmetric-key encryption the message is encrypted by using a key and the same key is used to decrypt the message which makes it easy to use but less secure. It also requires a safe method to transfer the key from one party to another.

Asymmetric Key Encryption is based on public and private key encryption techniques. It uses two different keys to encrypt and decrypt the message. It is more secure than the symmetric key encryption technique but is much slower.

What do we mean by “end-to-end encryption”?

In an end-to-end encrypted system, the only people who can access the data are the sender and the intended recipient. In true end-to-end, encryption occurs at the device level. Messages and files are encrypted before they leave the phone or computer and aren’t decrypted until they reach their destination.

Hackers can’t access data on the server because they don’t have the private keys required to decrypt the data. Instead, secret keys are stored on the individual user’s device.

What is the strongest form of encryption?

AES 256-bit encryption is the strongest and most robust encryption standard that is commercially available today.

What is Public Key Infrastructure (PKI) and how does it work?

Public Key Infrastructure (PKI) is a set of policies that secures the communication between a server and a client. It uses two cryptographic keys, public and private. PKI enables trusted digital identities for people, and grants secure access to digital resources. The core of PKI is a certificate authority, which ensures the trustworthiness of the digital data.

The working of Public Key Infrastructure (PKI) at a macro level is as follows:

• Firstly, the request for the Digital Certificate is sent to the appropriate CA (Certificate Authority).
• Once the request is processed, the Digital Certificate is issued to the person requesting it.
• After that, the Digital Certificate gets signed by confirming the identity of the person.
• Now, the Digital Certificate can be used to encrypt the cleartext into a ciphertext, which is sent from the sending party to the other party.

Explain SSL and TLS, is there a difference?

SSL refers to Secure Sockets Layer whereas TLS refers to Transport Layer Security. 

SSL and TLS are cryptographic protocols that authenticate data transfer between servers, systems, applications, and users.

SSL was a first-of-its-kind cryptographic protocol. TLS on the other hand was a recently upgraded version of SSL.

The differences between SSL and TLS are very minor and include: different cipher suites, alert messages, record protocol, handshake process, message authentication

What are the main objectives of cryptography?

• Confidentiality: Confidentiality helps in keeping the information safe from unauthorized people. 
• Non–repudiation: Non-repudiation prevents denial in an electronic transaction.
• Authenticity: Authenticity helps in identifying the source of the created information.
• Integrity: Integrity makes sure that the data received by the receiver is not modified.

Questions on Web Application Security

What is a Web Application Firewall?

A web application firewall (WAF) protects web applications from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others.

Name the OWASP Top 10

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

1. Broken Access Control (A01:2021)
2. Cryptographic Failures (A02:2021)
3. Injection (A03:2021)
4. Insecure Design (A04:2021)
5. Security Misconfiguration (A05:2021)
6. Vulnerable and Outdated Components (A06:2021)
7. Identification and Authentication Failures (A07:2021)
8. Software and Data Integrity Failures (A08:2021)
9. Security Logging and Monitoring Failures (A09:2021)
10. Server-Side Request Forgery (A10:2021)

Read more on each of the OWASP Top 10 to understand each in-depth and be able to give proper responses to questions on them.

What are some common HTTP status codes?

1xxs – Informational responses: The server is thinking through the request.

2xxs – Success! The request was successfully completed and the server gave the browser the expected response.

3xxs – Redirection: You got redirected somewhere else. The request was received, but there’s a redirect of some kind.

4xxs – Client errors: Page not found. The site or page couldn’t be reached. (The request was made, but the page isn’t valid — this is an error on the website’s side of the conversation and often appears when a page doesn’t exist on the site.)

5xxs – Server errors: Failure. A valid request was made by the client but the server failed to complete the request.

What are some common tools to perform web application security testing?

You should have hands-on experience with several tools, among them, tools used for web application security testing. Here are a few well-known tools for web application security testing. Many of them are open source, so go and practice with them and gain some experience.

• Zed Attack Proxy (ZAP)
• BurpSuite
• Wfuzz
• Nikto
• W3af
• BeeF
• SQLMap
• SonarQube
• Nogotofail
• Acunetix
• Qualys
• Invicti

Questions on Database Security

What are the 3 security aspects of database security?

The protection of a database can entail different security controls to focus on different aspects. A layered structured approach, as shown in the “defense in depth” concept should also be applied for database security, by giving focus to:

• Data protection
• Access control
• Tracking of activities

What are some database security practices?

• Separate web application servers from database servers
• Restrict network connectivity to the database server to unwanted traffic
• Encrypt databases
• Pay attention to user roles and restrict them as much as possible according to the user role in the organization (least privilege)
• Use strong user passwords and employ encrypted password hashes
• Keep your DBMS up to date with the latest versions and security updates
• Perform regular backups and store them safely with encryption
• Monitor database access for suspicious activity

What is SQL injection and how would you protect from such a vulnerability?

SQL injection is an attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed or accessed.

A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables, and, in certain cases, the attacker gaining administrative rights to a database.

There are different types of SQL injection:

• In-band SQLi
• Blind SQLi
• Out-of-band SQLi

Countermeasures:

• Stored procedures shall be used instead of direct queries
• MVC Architecture shall be implemented
• Use of WAF