Cybersecurity Analyst Interview Flashcards

Question 1

What is the CIA triad in security?

Accepted Answer

The CIA triad is the foundational model for information security: confidentiality (only authorized parties access data), integrity (data is accurate and untampered), and availability (systems and data are accessible when needed). Most controls and risks map back to protecting one or more of these properties.

Question 2

What does confidentiality mean in security?

Accepted Answer

Confidentiality ensures sensitive information is disclosed only to authorized parties, enforced through encryption, access controls, authentication, and least privilege. Breaches of confidentiality include data leaks and unauthorized access, making it central to protecting personal and proprietary data.

Question 3

What does integrity mean in security?

Accepted Answer

Integrity ensures data and systems remain accurate, complete, and unaltered except by authorized actions. It is protected with hashing, digital signatures, checksums, and access controls, and detected violations include tampering, corruption, or unauthorized modification of records.

Question 4

What does availability mean in security?

Accepted Answer

Availability ensures authorized users can access systems and data when required, supported by redundancy, backups, failover, and DDoS protection. Threats to availability include denial-of-service attacks, hardware failure, and ransomware, making uptime a core security objective alongside confidentiality and integrity.

Question 5

What is authentication?

Accepted Answer

Authentication confirms that an entity is who it claims to be, using factors like something you know (password), have (token), or are (biometric). It precedes authorization and is strengthened with multi-factor authentication to reduce the risk of credential compromise.

Question 6

How does authorization differ from authentication?

Accepted Answer

Authentication verifies who you are, while authorization determines what you are allowed to do once authenticated. Authorization is enforced through access controls, roles, and policies following least privilege, so a verified user still only reaches resources appropriate to their role.

Question 7

What is multi-factor authentication?

Accepted Answer

Multi-factor authentication requires two or more independent factors from different categories (knowledge, possession, inherence), such as a password plus a one-time code or biometric. Because an attacker must compromise multiple factors, MFA dramatically reduces account takeover even when passwords are stolen.

Question 8

What does encryption do?

Accepted Answer

Encryption transforms readable plaintext into ciphertext using an algorithm and key, so only holders of the correct key can decrypt it. It protects confidentiality for data at rest and in transit, and is a primary control against interception, theft, and unauthorized access.

Question 9

What is the difference between symmetric and asymmetric encryption?

Accepted Answer

Symmetric encryption (AES) uses a single shared key for both encryption and decryption, fast but requiring secure key exchange. Asymmetric encryption (RSA, ECC) uses a public key to encrypt and a private key to decrypt, solving key distribution and enabling digital signatures, but is slower, so the two are often combined.

Question 10

What is hashing and how does it differ from encryption?

Accepted Answer

Hashing maps input to a fixed-length value with a one-way function, so it cannot be reversed to recover the original, unlike encryption which is reversible with a key. It verifies integrity and stores passwords (salted and hashed); a good hash makes collisions and reversal computationally infeasible.

Question 11

What does a firewall do?

Accepted Answer

A firewall monitors and filters inbound and outbound network traffic against rules, blocking unauthorized connections while allowing legitimate ones. It enforces network boundaries; modern next-generation firewalls add application awareness, intrusion prevention, and deep packet inspection beyond basic port and IP filtering.

Question 12

What is malware?

Accepted Answer

Malware is any software intended to damage, disrupt, or gain unauthorized access to systems, including viruses, worms, trojans, ransomware, and spyware. It spreads via downloads, email, and exploits, and is defended against with endpoint protection, patching, and user awareness.

Question 13

What is a computer virus?

Accepted Answer

A virus is malware that inserts its code into legitimate files or programs and replicates when the host is executed, often requiring user action to spread. It can corrupt data, steal information, or damage systems, and is detected by antivirus signatures and behavior analysis.

Question 14

How does a worm differ from a virus?

Accepted Answer

A worm is self-propagating malware that spreads across networks by exploiting vulnerabilities, without needing a host file or user interaction, unlike a virus. Its autonomous replication can cause rapid, widespread infection and consume network resources, as seen in major outbreaks.

Question 15

What is a Trojan?

Accepted Answer

A Trojan masquerades as legitimate or desirable software to trick users into installing it, then performs malicious actions like opening backdoors, stealing data, or downloading more malware. Unlike viruses and worms it does not self-replicate, relying instead on deception and social engineering.

Question 16

What is ransomware?

Accepted Answer

Ransomware encrypts a victim's files or systems and demands payment for the decryption key, often with threats to leak stolen data (double extortion). Defenses include offline immutable backups, patching, least privilege, segmentation, and email security, since paying does not guarantee recovery.

Question 17

What is phishing?

Accepted Answer

Phishing uses fraudulent emails, texts, or sites impersonating trusted entities to trick users into revealing credentials, financial data, or installing malware. Variants include spear phishing (targeted) and whaling (executives); defenses combine user training, email filtering, MFA, and link inspection.

Question 18

What is social engineering?

Accepted Answer

Social engineering exploits human psychology, such as trust, urgency, and authority, to manipulate people into divulging information or performing unsafe actions, bypassing technical controls. Techniques include phishing, pretexting, baiting, and tailgating; defense centers on awareness training and verification procedures.

Question 19

What is a vulnerability in security?

Accepted Answer

A vulnerability is a flaw or weakness in software, configuration, or process that an attacker can exploit to violate security. Vulnerabilities are catalogued (CVE), scored (CVSS), and remediated through patching, configuration hardening, or compensating controls before they are exploited.

Question 20

What is an exploit?

Accepted Answer

An exploit is the method, code, or sequence of commands that leverages a vulnerability to achieve an unauthorized outcome like code execution or privilege escalation. A zero-day exploit targets an unknown or unpatched flaw, making timely patching and defense in depth important.

Question 21

What is a threat in cybersecurity?

Accepted Answer

A threat is a potential event or actor that could exploit a vulnerability to cause harm, such as a hacker, malware, insider, or natural disaster. Risk combines threat, vulnerability, and impact; threat modeling identifies relevant threats so defenses can be prioritized.

Question 22

What is risk in security terms?

Accepted Answer

Risk is the potential for loss, expressed as the likelihood that a threat exploits a vulnerability multiplied by the impact. Risk management identifies, assesses, and treats risks by mitigating, transferring, accepting, or avoiding them, focusing resources where likelihood and impact are highest.

Question 23

Why is patch management important?

Accepted Answer

Patch management is the process of identifying, testing, and deploying software updates that fix security vulnerabilities and bugs. Timely patching closes known holes that attackers actively exploit; a disciplined program prioritizes by severity and exposure and balances speed against stability through testing.

Question 24

What does a VPN provide?

Accepted Answer

A VPN creates an encrypted tunnel between a device and a network or server, protecting data confidentiality and integrity over untrusted networks like public Wi-Fi and masking the user's IP. It enables secure remote access to internal resources, though it is increasingly complemented by zero-trust access models.

Question 25

What is the difference between an IDS and an IPS?

Accepted Answer

An intrusion detection system (IDS) monitors traffic or hosts and raises alerts on suspicious activity but does not stop it. An intrusion prevention system (IPS) sits inline and can actively block or drop malicious traffic. Both use signatures and anomaly detection; IPS adds enforcement at the cost of potential false-positive disruption.

Question 26

What does a SIEM do?

Accepted Answer

A Security Information and Event Management system aggregates logs and events from across the environment, correlates them with rules and analytics to detect threats, and supports alerting, investigation, and compliance reporting. It gives analysts centralized visibility and is core to security operations centers.

Question 27

What is the principle of least privilege?

Accepted Answer

Least privilege grants each user, process, or system only the minimum permissions required to perform its function, and no more. It limits the damage from compromised accounts or insider misuse, shrinks the attack surface, and is enforced through role-based access control and regular access reviews.

Question 28

What is defense in depth?

Accepted Answer

Defense in depth applies multiple, overlapping layers of security controls (network, host, application, data, and human) so that if one fails, others still protect the asset. This redundancy assumes no single control is perfect and increases the effort required for an attacker to succeed.

Question 29

What is the zero trust security model?

Accepted Answer

Zero trust assumes no user, device, or network is inherently trusted; every access request is continuously authenticated, authorized, and validated based on identity, device posture, and context with least privilege. It replaces the implicit trust of perimeter models and limits lateral movement after a breach.

Question 30

What is a brute force attack?

Accepted Answer

A brute force attack systematically tries many credential or key combinations until it finds the correct one. Defenses include strong, long passwords, account lockouts, rate limiting, MFA, and CAPTCHA. Variants include dictionary attacks and credential stuffing using leaked password lists.

Question 31

What is a denial-of-service attack?

Accepted Answer

A denial-of-service attack floods a target with traffic or requests to exhaust resources and make it unavailable; a distributed (DDoS) version uses many compromised machines. Defenses include traffic filtering, rate limiting, CDNs, anycast, and specialized DDoS protection services to absorb or disperse the load.

Question 32

What is a man-in-the-middle attack?

Accepted Answer

In a man-in-the-middle attack, the attacker positions between two communicating parties to eavesdrop or tamper with traffic, for example on unsecured Wi-Fi or via ARP/DNS spoofing. Encryption (TLS), certificate validation, and mutual authentication defend against it by ensuring confidentiality and verifying identities.

Question 33

What is SQL injection?

Accepted Answer

SQL injection exploits applications that build database queries from unsanitized user input, letting attackers read, modify, or delete data or bypass authentication. It is prevented with parameterized queries/prepared statements, input validation, least-privilege database accounts, and ORMs, and remains a top web vulnerability.

Question 34

What is cross-site scripting?

Accepted Answer

Cross-site scripting (XSS) injects malicious JavaScript into web pages that other users' browsers then execute, enabling session theft, defacement, or redirection. It is prevented by output encoding, input validation, Content Security Policy, and treating all user input as untrusted.

Question 35

What is a data breach?

Accepted Answer

A data breach is an incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized parties. Responses include containment, investigation, notification (often legally required), and remediation, while prevention relies on encryption, access control, and monitoring.

Question 36

What is a security incident?

Accepted Answer

A security incident is any event that actually or potentially compromises the confidentiality, integrity, or availability of information or systems, such as malware, unauthorized access, or data loss. Organizations follow an incident response process to detect, contain, eradicate, recover, and learn from incidents.

Question 37

What is an access control list?

Accepted Answer

An access control list (ACL) defines permissions attached to a resource, specifying which users or systems may access it and which operations they may perform. ACLs enforce authorization at the network, file, or object level and implement least privilege when properly scoped and reviewed.

Question 38

What is public key infrastructure (PKI)?

Accepted Answer

PKI is the framework of certificate authorities, digital certificates, and policies that binds public keys to verified identities, enabling encryption, authentication, and digital signatures. Certificate authorities issue and revoke certificates, and trust chains let parties verify identities, underpinning TLS and secure email.

Question 39

What does TLS protect?

Accepted Answer

Transport Layer Security encrypts data in transit and authenticates the server (and optionally client) using certificates, protecting against eavesdropping and tampering. It secures HTTPS, email, and many protocols, negotiating keys via a handshake; SSL is its deprecated predecessor.

Question 40

What is endpoint security?

Accepted Answer

Endpoint security protects user and server devices (laptops, desktops, mobiles) with antivirus, EDR, encryption, and configuration hardening. Because endpoints are common attack entry points, modern endpoint detection and response tools monitor behavior to detect and contain threats that evade signatures.

Question 41

Why are audit logs important?

Accepted Answer

Audit logs record who did what and when across systems, providing the evidence trail needed to detect suspicious activity, investigate incidents, support forensics, and meet compliance. Their value depends on completeness, integrity (tamper protection), retention, and centralized review via tools like a SIEM.

Question 42

What is penetration testing?

Accepted Answer

Penetration testing is an authorized, simulated attack where testers attempt to exploit vulnerabilities to assess real-world security and demonstrate impact. Unlike automated scanning, it includes human creativity and chaining of flaws, producing prioritized findings and remediation guidance.

Question 43

Why is security awareness training important?

Accepted Answer

Security awareness training educates employees to recognize phishing, social engineering, and unsafe behavior, reducing the human-driven risk that causes many breaches. Effective programs are ongoing, include simulations, and build a security culture, turning staff into a defensive layer rather than a weak point.

Question 44

What is a CVE?

Accepted Answer

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly disclosed security flaw, giving everyone a common reference. CVEs are often scored with CVSS for severity and help organizations track, prioritize, and communicate about vulnerabilities consistently.

Question 45

What does antivirus software do?

Accepted Answer

Antivirus software scans files and processes for known malware using signatures and increasingly heuristics and behavior analysis, then quarantines or removes threats. It is a baseline endpoint control, though it is complemented by EDR and other layers because it can miss novel or fileless attacks.

Question 46

Why is spam a security concern

Accepted Answer

Beyond cluttering inboxes, spam is a primary delivery vehicle for phishing, scams, and malware attachments. Email security gateways filter spam using reputation, content analysis, and authentication checks (SPF, DKIM, DMARC) to block malicious messages before users see them.

Question 47

Why are backups a key security control?

Accepted Answer

Backups create recoverable copies of data so an organization can restore after ransomware, accidental deletion, hardware failure, or corruption. Best practice follows the 3-2-1 rule, keeps offline or immutable copies safe from attackers, and regularly tests restores to ensure they actually work.

Question 48

What is a honeypot?

Accepted Answer

A honeypot is a deliberately exposed decoy system or data that has no legitimate use, so any interaction signals malicious activity. It diverts attackers from real assets, generates high-fidelity alerts, and lets defenders study attacker techniques, while requiring isolation so it is not used as a pivot.

Question 49

What is separation of duties?

Accepted Answer

Separation of duties divides critical functions among multiple people so no single individual can complete a sensitive action alone, reducing fraud and error. For example, one person requests a change and another approves it. It complements least privilege as a key internal control.

Question 50

What is the difference between a patched vulnerability and a zero-day?

Accepted Answer

A zero-day is a vulnerability unknown to the vendor or without an available patch, so defenders have zero days to prepare and attackers can exploit it freely. A patched vulnerability has a fix available, shifting the risk to whether organizations apply it promptly; both highlight the importance of layered defenses.

Question 51

What is threat modeling?

Accepted Answer

Threat modeling analyzes a system to identify assets, threats, and vulnerabilities and prioritize mitigations before attackers find them. Frameworks like STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) guide the analysis, ideally done during design to build security in.

Question 52

What is an attack surface?

Accepted Answer

The attack surface is the total set of entry points, such as exposed services, ports, APIs, inputs, accounts, and dependencies, that an attacker could exploit. Reducing it (closing ports, removing unused software, limiting privileges, minimizing exposure) is a core hardening strategy that lowers risk.

Question 53

What is the cyber kill chain?

Accepted Answer

The cyber kill chain describes attack phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Mapping defenses to each stage lets teams detect and disrupt attacks early, breaking the chain before the attacker reaches their goal.

Question 54

What is the MITRE ATT&CK framework?

Accepted Answer

MITRE ATT&CK is a curated matrix of adversary tactics (goals like persistence or exfiltration) and techniques (how they achieve them), based on observed real-world behavior. Defenders use it to map detection coverage, assess gaps, prioritize controls, and communicate about threats with a common language.

Question 55

What are the phases of incident response?

Accepted Answer

The incident response lifecycle (NIST) consists of preparation, detection and analysis, containment, eradication, recovery, and post-incident lessons learned. Following a defined process ensures incidents are handled consistently to limit damage, preserve evidence, restore operations, and improve defenses over time.

Question 56

What are indicators of compromise?

Accepted Answer

Indicators of compromise (IOCs) are observable artifacts, such as malicious IPs, file hashes, domains, or registry changes, that signal a possible intrusion. They feed detection rules and threat hunting, though they are reactive; behavioral indicators (TTPs) are more durable since attackers can change IOCs easily.

Question 57

What does endpoint detection and response provide?

Accepted Answer

EDR continuously records endpoint activity (processes, files, network, registry), applies behavioral analytics to detect suspicious activity that signature antivirus misses, and enables investigation and response like isolating a host. It gives deep visibility and is central to modern endpoint defense and threat hunting.

Question 58

How does network segmentation improve security?

Accepted Answer

Network segmentation divides a network into isolated zones with controlled traffic between them, so a compromise in one segment cannot freely reach others, limiting lateral movement and blast radius. Micro-segmentation extends this to per-workload policies, a key zero-trust technique.

Question 59

What is privilege escalation?

Accepted Answer

Privilege escalation is when an attacker increases their access, either vertically (a normal user gaining admin/root) or horizontally (accessing another user's resources), often by exploiting misconfigurations or vulnerabilities. It is a key step toward full compromise, mitigated by least privilege, patching, and monitoring.

Question 60

What is lateral movement in an attack?

Accepted Answer

Lateral movement is how attackers pivot from an initial foothold to additional systems, harvesting credentials and exploiting trust relationships to reach high-value targets. Detection focuses on unusual internal connections and credential use; segmentation, least privilege, and MFA limit it.

Question 61

What is credential stuffing?

Accepted Answer

Credential stuffing automates logins with username/password pairs from prior breaches, exploiting password reuse across sites. Defenses include MFA, breached-password detection, rate limiting, bot management, and device fingerprinting, since users reusing credentials make many accounts vulnerable at once.

Question 62

Why are passwords stored as salted hashes?

Accepted Answer

Passwords are stored as hashes so a database leak does not reveal them directly, and a unique random salt per password prevents attackers from using precomputed rainbow tables and from seeing identical passwords as identical hashes. Slow, adaptive algorithms like bcrypt, scrypt, or Argon2 further resist brute force.

Question 63

What is a rainbow table attack and what defeats it?

Accepted Answer

A rainbow table is a precomputed mapping of hashes to plaintexts that lets attackers reverse unsalted password hashes quickly. Adding a unique random salt to each password makes precomputation infeasible because every password would need its own table, which is why salting is mandatory for password storage.

Question 64

What does the CVSS score represent?

Accepted Answer

The Common Vulnerability Scoring System rates vulnerability severity from 0 to 10 using base metrics (exploitability and impact), plus optional temporal and environmental metrics. It standardizes prioritization, but teams should combine it with real exposure, exploit availability, and asset value rather than relying on the number alone.

All Cybersecurity Analyst Interview Flashcards

Easy (50)

Medium (50)

Hard (50)

Ready to practice the full interview?