
Interview Questions

The document covers various aspects of security concepts, including the differences between Information Security and IT Security, encoding, encryption, and hashing. It discusses network security components like proxies, firewalls, IDS, and IPS, as well as web application security vulnerabilities and risk management frameworks. Additionally, it addresses practical security measures, incident response, and the importance of ongoing education in the field of information security.

Uploaded by

Gani RK

Category I: General Security Concepts / Network Security / OS Security

1) Is there any difference between Information Security and IT Security? If yes, please explain
the difference.

Ans– Yes. Information Security and IT Security are different terms that are often used
interchangeably. IT Security focuses on purely technical controls (such as implementing antivirus,
firewalls, hardening systems, etc.), while Information Security is a wider term that covers
securing “information” as an asset in any form (e.g. shredding paper documents to
prevent dumpster diving). So IT Security can be considered a subset of Information
Security.

2) What is the difference between Encoding, Encryption and Hashing?

Ans– At a very high level all three terms might appear similar, and people often confuse
them, but each technique is distinct and has a different use case. The purpose of
encoding is to transform data so that it can be properly (and safely) consumed by a different type
of system, e.g. binary data being sent over email, or special characters being displayed on a web page.
The goal is not to keep information secret, but to ensure that it can be consumed correctly.
It does not require a key: the only thing needed to decode the data is the algorithm that
was used to encode it. Examples: ASCII, Unicode, URL Encoding, Base64. The purpose of
encryption is to transform data in order to keep it secret from others. It uses a key, which is kept
secret, in conjunction with the plaintext and the algorithm to perform the encryption
operation. Examples: AES, Blowfish, RSA. The purpose of hashing is to take arbitrary input and
produce a fixed-length string that has the following attributes:

1. The same input will always produce the same output.
2. Multiple disparate inputs should not produce the same output.
3. It should not be possible to go from the output to the input.
4. Any modification of a given input should result in a drastic change to the hash.

Examples: MD5, SHA1, SHA2, etc. Hashing is often used in computer forensics to verify the
integrity of digital evidence.
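As an added example (not part of the original document), the following Python script demonstrates the encoding and hashing distinctions described above using only the standard library: Base64 encoding round-trips with no key, SHA-256 always maps the same input to the same fixed-length digest, a one-byte change flips roughly half of the digest bits (attribute 4), and an evidence file's digest can be recomputed and compared with the value recorded at seizure time, which is how hashing verifies the integrity of digital evidence. Encryption is left out because the standard library ships no AES implementation. The function names and the sample bytes are constructed for this example.

```python
import base64
import hashlib
import hmac


def encode_roundtrip(data):
    """Encoding: reversible by anyone who knows the algorithm, no key involved.
    Returns (base64_text, decoded_bytes); decoded_bytes always equals data."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded, base64.b64decode(encoded)


def sha256_hex(data):
    """Hashing: input of any length -> fixed 64 hex chars (256 bits), one-way."""
    return hashlib.sha256(data).hexdigest()


def bits_changed(hex_a, hex_b):
    """Hamming distance in bits between two equal-length hex digests.
    For a good hash this is close to half the digest size (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_evidence(data, recorded_hex):
    """Forensic-style integrity check: recompute the digest of the acquired data
    and compare it with the digest recorded when the evidence was seized.
    compare_digest performs a constant-time comparison."""
    return hmac.compare_digest(sha256_hex(data), recorded_hex)


# Constructed sample "evidence" bytes for this example (not real evidence).
EVIDENCE = b"hello"


if __name__ == "__main__":
    enc, dec = encode_roundtrip(EVIDENCE)
    print("base64:", enc, "-> decodes back unchanged:", dec == EVIDENCE)
    d1, d2 = sha256_hex(EVIDENCE), sha256_hex(EVIDENCE)
    print("deterministic:", d1 == d2, "digest length:", len(d1))
    print("bits changed by a one-byte edit:", bits_changed(d1, sha256_hex(b"hellp")))
    print("evidence intact:", verify_evidence(EVIDENCE, d1))
    print("evidence tampered:", verify_evidence(EVIDENCE + b"!", d1))
```

Note that `bits_changed` is around 128 for SHA-256 no matter how small the edit, which is what makes a recorded digest useful for detecting tampering; the same property is why MD5 and SHA1, whose collision resistance (attribute 2) is broken, should not be relied on for new evidence hashing even though they still appear in older tooling.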

3) What is the difference between proxy, firewall, IDS and IPS?

A proxy server is a server (a computer system or an application) that acts as an intermediary for
requests from clients seeking resources from other servers. A client connects to the proxy server
requesting some service, such as a file, connection, web page, or other resource available from a
different server, and the proxy server evaluates the request as a way to simplify and control its
complexity. A firewall is basically meant for network traffic control/filtering, mainly at layer 3. It
allows or denies packets and connections based on certain pre-defined rules. IDS (Intrusion
Detection System) is an application that tries to detect intrusion attempts based on the attack
signature database it has. IPS (Intrusion Prevention System) detects the intrusion (like an IDS) and
goes one step further to prevent it as well: it simply drops the packets it considers suspicious (based
on its rules).

Examples:

1. Proxy – Squid
2. Firewall – IPTables, Cisco PIX, ZoneAlarm
3. IDS – Snort
4. IPS – IBM Proventia
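The passive-versus-inline distinction between an IDS and an IPS is easiest to see in code. The following Python script is an added example (not from the original document and not Snort's rule language) with a constructed two-entry signature set and constructed sample HTTP packets; in "ids" mode every packet is forwarded and matches only raise alerts, while in "ips" mode matching packets are dropped. The last sample packet is a benign forum post that happens to contain the signature string, showing the false-positive cost of signature matching that an inline IPS turns into blocked legitimate traffic.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes


# Constructed signature database for this example; a real IDS such as Snort
# uses its own rule language, which this toy format does not imitate.
SIGNATURES = {
    "sql-union-select": re.compile(rb"(?i)\bunion\s+select\b"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


def inspect(packet, mode="ids"):
    """Inspect one packet against the signature set.

    mode="ids": passive sensor, alert only, the packet is always forwarded.
    mode="ips": inline device, alert and drop any packet that matched.
    Returns (forwarded, list_of_matching_signature_names).
    """
    hits = [name for name, rx in SIGNATURES.items() if rx.search(packet.payload)]
    forwarded = not (mode == "ips" and hits)
    return forwarded, hits


def run(packets, mode):
    """Process a packet list and return a summary dict with the number of
    forwarded and dropped packets and the alerts as (src, signature) tuples."""
    summary = {"forwarded": 0, "dropped": 0, "alerts": []}
    for pkt in packets:
        fwd, hits = inspect(pkt, mode)
        summary["forwarded" if fwd else "dropped"] += 1
        summary["alerts"].extend((pkt.src, h) for h in hits)
    return summary


# Constructed sample traffic (not captured from any real system).
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Packet("10.0.0.9", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.9", 80, b"GET /static/../../etc/passwd HTTP/1.1\r\n\r\n"),
    # Benign post whose text contains the signature string: a false positive.
    Packet("10.0.0.7", 80, b"POST /forum HTTP/1.1\r\n\r\nbody=The union select committee meets Monday"),
]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode.upper(), run(SAMPLE, mode))
```

The alert list is identical in both modes; only the forwarding decision differs. That is why an IPS deployment needs tighter signatures (or an allow-list for known-good sources) than an IDS feeding a SIEM, where an analyst can discard the false positive after the fact.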

4) How does asymmetric encryption work?

5) How does SSL work? Are you aware about some of the latest vulnerabilities that were found
in SSL implementation?

6) What is port scanning? What are the countermeasures to prevent it?

7) What is Man in Middle attack? Can it be prevented?

8) What is the difference between false positive and false negative?

9) Explain the term ‘Defense in depth’.

10) What do you mean by stateful inspection by a firewall?

11) What is DMZ? Which systems should be placed in DMZ? What are common security
precautions for DMZ systems?

12) What is DLP? How does it work?

13) In what scenario, AD authentication should be used?

14) Is SSH completely secured? If not, can it be hardened more?

15) What is Virtualization? What are the security risks in it?

16) What do you mean by ‘BYOD’ ? Explain security concerns related with it.

17) What are the different layers of OSI model? Can you list 1 vulnerability corresponding to
each of the OSI layer?

18) What are honeypots?

19) Tell about any of the major security incident that happened recently.

20) How do you keep yourself updated with the latest trends in Information Security?

Ans: I refer to various security news sites, blogs, etc. (like The Hacker News, the Rapid7 blog, etc.). Also
I am subscribed to various online security magazines like Pentest Magazine, HackInsight, etc., and
I surf through the archives of various security conferences held worldwide.

21) Which OS do you feel is more secure? Linux or Windows?

Ans: No OS is secure unless its administrator is smart enough to secure it. Though
Windows has more publicly known security issues, it can still be hardened appropriately. It's all
about perception and having the right sense of security. Linux definitely provides robust security;
however, a mis-configured Linux box could pose a big threat to security.

22) Explain in brief, Multi Factor authentication.

23) Explain in short how Kerberos works.

24) How to harden a Windows Machine?

25) How to harden a Linux Machine?

26) How can you prevent DOS/DDOS attack?

27) What is a 0-Day Vulnerability? Can it be prevented?

28) What is the biggest difference between Windows OS and Linux OS?

29) Can an IDS be used to prevent intrusions? (Ans: yes; e.g. Snort, one of the open source
IDSs, can act as an IPS if configured in in-line mode in conjunction with IPTables.)

30) Explain any type of Wi-Fi Attack and how to prevent it.

31) What is SIEM? Why it is useful?

32) What is rainbow attack? Is there a way to prevent it?

33) Explain the difference between hub, switch and router.

34) What do you mean by reverse shell in Linux?

35) Explain file ACL’s (permissions) in Linux. What is the use of sticky bit?

36) What is NAT and PAT? Explain difference between them and how do they work.

37) Comment on security concerns in Cloud Computing.

38) What is the use of ‘salt’ in reference to passwords? Are there any limitations of using it?

39) What is single sign-on? What are security risks with it?

Category II: VA/PT

1) What is the difference between Vulnerability Assessment and Penetration Testing? Which one
needs to be performed first?

2) What are the steps to perform VA/PT?

3) What precautions are required to be taken while performing VA/PT?

4) With whom would you share the findings of VA/PT and how would you convey the risk of the
findings effectively so that mitigation can be initiated immediately?

5) What tools do you normally use for VA and PT? Which tool you find the best and why?

6) What all should be included in report of VA/PT assessment?

7) Is it possible to hack into a system without using any tool? If yes, how would you do it?
(Manually?)

8) How can you identify whether a remote machine is a Windows Machine or Linux Machine?

9) What is the difference between active and passive information gathering? (give 1 example of
each)

10) How does sniffing work? Explain how you can sniff a network. Can a sniffing attack be
prevented, and how?

11) What would you do if nmap port scans are blocked by the network security administrator? How
would you gather host information in such a case?

12) What are the different components of metasploit? Explain client side exploits/attacks.

Category III: Web Application Security

1) Why is Web Application Security Important?

2) “Making the website HTTPS would make it secure” share your comments on this.

3) What are cookies? What security threat do they pose?

4) What is SQL Injection attack? What are its types?

5) What are the ways to prevent SQL Injection?


6) What is XSS attack? What are its types?

7) What are the ways to prevent XSS attacks?

8) What is CSRF? How to prevent it?

9) What are the top 5 Web Application Vulnerabilities you know?

10) Explain any case wherein you found a critical web application vulnerability and also
provided the solution to fix it.

11) How would you mitigate vulnerabilities in a legacy application where extensive code changes
are not feasible?

12) What tools do you use for performing Web Application security testing?

13) What are common security threats in Web Services and how do you test them?

14) What is the difference between White Box Application Security testing and Black Box
Application Security testing?

15) Do you have hands on knowledge of source code review? Give any example of
vulnerability/bug you found during source code review.

16) What standards do you refer for Web Application Security and related vulnerabilities?

17) What are the most important steps you would recommend to secure your new web server?

18) Will L-3 firewall be useful in protecting the web application against common attacks? If yes,
then to what extent?

19) What is Directory Listing? What is its impact? How to prevent it?

20) Can you explain any 2 vulnerabilities occurring due to poor session management?

21) Where should the Web Server and Database Server be placed in the network for optimal
security?

21) Is there any risk when conducting Application Security testing on production instance?

Ans: Ideally, Application Security testing should never be performed on a production instance.
Automated scanners can insert, modify or even delete data in the target application, which
could be a big risk. So the testing should be carried out on a test instance that contains an
exact replica of the application code running on the production instance. If you do have to test on
the production instance, its owner must take responsibility (in writing) for any data loss that may
occur as a result of the testing.

22) How would you investigate or trace a security incident which occurred due to exploitation
of some vulnerability in your web application?

23) Please explain how you would test a mobile application for security vulnerabilities.

24) Explain Database Security. What are common controls for securing databases?

25) How would you convince the developer to fix the vulnerabilities you found in the Web
Application?

Ans: It is normal human mentality not to accept our mistakes, and the same applies in this case. No
developer would easily accept that the code they wrote has serious security bugs. So you have
to demonstrate the vulnerability you discovered with a proper PoC, and explain the
severity and impact if the vulnerability gets exploited. You have to be polite while explaining
and not get into arguments.

26) How does HTTP handle state?

Ans: HTTP is a stateless protocol; any state (such as a logged-in session) is layered on top of it by the application, typically using cookies or session identifiers.

27) How do you identify that an application is vulnerable to blind SQL Injection attack?

28) What is clickjacking and how do you prevent it?

29) What are the top 5 Mobile Application security threats?

30) At which stage of SDLC should the security controls be applied?

Category IV: Risk Management/ Compliance/ Security Frameworks

1) What is Risk Assessment and Risk Management? Are they same?

2) What are the standards available for Risk Management?

3) What are the types of Risks?

4) What are the possible ways to treat the risk?

5) What is the difference between threat, vulnerability, exploit and risk?

5) What is residual risk? Can it be eliminated?

6) What is ISO 27001? Why should an organization adopt it?

7) What is the difference between ISO 27001 and ISO 27002?


8) What is PCI-DSS? Is there any similarity between PCI-DSS and ISO27001?

9) What type of organizations are required to be compliant with PCI-DSS?

10) What is the difference between a standard, a policy and a procedure?

11) What would you do to make a security program / initiative successful in the organization?

12) How would you convince the senior management to invest in certain security initiative?

13) How much would you ideally spend on securing a Windows Server? (This is a very generic
question, but it would really test whether the candidate is clear on the basics like asset value,
impact analysis, etc.)

14) What is the difference between technical controls and procedural controls? (give 1 example
of each)

15) Explain high level steps for initiating and implementing ISO27001.

Category V: Strategic / Scenario Based Questions

1) Please comment: Which one would be more securely built? Open Source software or
Commercial/Proprietary software?

2) Who inspires you in the field of Information Security?

3) How many packets would travel from a laptop if a user initiates a traceroute to [Link]?

4) Consider a scenario where the network has become extremely slow and many escalations are
coming to the service desk. What would you do as a security professional? Do you see a possibility
of any security threat in this? How would you handle this situation?

5) Suppose the business team wants to launch an application on an urgent basis, but you know it is
vulnerable to some critical attacks. What would you do in such a case? Should the business
requirement be given priority, or should security be the priority?

6) What are the latest trends in Information Security?

7) Is Internet Banking really safe and secure? What are your views on this?

8) Where do you see yourself (in which role/position) after 3-4 years?

9) Should social networking websites (like Facebook) be allowed or blocked? Justify with proper
reasons.

10) Anonymous hackers are hacking into critical infrastructure around the world. Can you
comment on how they would be doing this?

11) Have you heard about Stuxnet? Explain your views on it and how it could have been
prevented.

Category VI: Computer Forensics/Laws

1) What do you mean by checksum? What are the popular algorithms for calculating checksums?
What is its significance in computer forensics?

2) Describe steganography, its types, and how to detect it.

3) What do you mean by file carving?

4) What is meant by bit stream image? Why is it important in forensics?

5) What is swap space? What is its relevance in forensics? What is page file?

6) Explain high level steps for seizing a live computer system.

7) What are the main challenges in computer forensics?

8) What is file shredding?

Ans: File shredding is a technique used to securely erase/wipe or destroy a file (logically or
physically) in such a way that it cannot be reconstructed to derive its original meaning.

9) Can data be recovered after shredding is performed?

10) What are the popular tools used in computer forensics?

11) What hardware is necessary for performing computer forensics?

12) What care should be taken while packaging the seized evidence?

13) What is slack space?

14) List few situations wherein lost data cannot be recovered.

Ans: If the data is stored on magnetic media and that media comes in contact with a very strong
magnetic field, it may result in permanent loss of data. If the data on the disk is over-written
more than 30 times, it may be left in an unrecoverable state. If the media is physically destroyed, e.g.
completely burnt or turned into fine powder, then it won’t be possible to recover the data.

15) How would you trace a spoofed email sent from a spoofed IP address?
