SOC Interview Questions

1. Define information security.

Information security refers to preserving information availability, integrity, and confidentiality. It is accomplished through risk management, in which you identify the valuable information, any assets connected to that information, vulnerabilities, threats to the information's CIA, and the potential effects of an incident on the information and the organization.

2. Differentiate between risk, vulnerability, and threat?

A vulnerability is a weakness in a system: a gap in the protection of that system.
A threat is an attacker trying to exploit that vulnerability for their own gain.
Risk measures the potential loss if a threat actor exploits the vulnerability. If you think of a house, a vulnerability (weakness) might be not paying the bill for your alarm monitoring company. A threat actor (a burglar in this case) might use this weakness to get into your house. You would need to analyze the risk to see whether you have valuables inside your home that justify paying for the alarm monitoring service.

3. What is the difference between asymmetric and symmetric encryption, and which one is better?

In symmetric encryption, the same key is used for encryption and decryption. In asymmetric encryption, different keys are used for encryption and decryption.

Both have advantages and disadvantages. Typically, symmetric encryption is quicker than asymmetric, although the shared key must be delivered to the other party, and sending it over an unencrypted channel exposes it.

Asymmetric encryption is more secure yet slower. The ideal approach is to combine the two.

4. What differentiates IPS from IDS?

When an intrusion is discovered, an intrusion detection system (IDS) simply issues an alarm, asking the administrator to take additional action.
Once an intrusion is discovered, an intrusion prevention system (IPS) takes appropriate action itself to stop the intrusion.

5. Encryption vs. Hashing?

Hashing is one-way, but encryption is reversible. In some situations, hashing can be broken using rainbow tables and collision attacks, but it cannot be reversed.

Data secrecy is ensured through encryption, and data integrity is ensured by hashing. Hashing preserves the integrity of data and is one-way. In contrast, encryption is used to secure the data itself.

Encryption is two-way, meaning that if you encrypt something, you can decrypt it to see the original data as it appeared.

6. What is a security misconfiguration?

A security misconfiguration occurs when, for instance, a network, program, or device is configured such that an attacker can easily exploit it.

Using default login credentials is one of the most prevalent security mistakes in B2B and consumer markets.

Cloud settings where access to critical data is not controlled are another common source of security misconfiguration.

7. What are black hat, white hat, and gray hat hackers?

The term "black hat" is used to describe someone who tries to access systems or data even if they are not authorized to.

A white hat (ethical) hacker has the owner's consent.

A grey hat hacker violates security without authorization but does it for the benefit of all. The hacker who updated the firmware on household wireless access points (WAPs) to safeguard users is an excellent illustration of a grey hat.

8. What is a firewall?

A firewall acts as a gatekeeper and decides whether to let traffic be forwarded to the server based on predetermined rules, much like a gate guard decides whether to let you pass the gate.

9. How do you keep yourself updated with the information security news?

With this question, the interviewer gains insight into your enthusiasm and drive for the position. To evaluate cybersecurity news in one place, you can subscribe to SANS Newsletters or follow some of the more popular news sources (such as The Hacker News).

No one expects you to be up to date on everything, but you should be aware of the critical news stories that affect the online community each week. It will help if you take online courses because you can do it at your convenience to upskill yourself. Choose a training that offers CPE points.

10. What is the CIA triad?

Simply ensuring that only authorized users, systems, or applications have access to data is confidentiality.

Integrity is the assurance that the data hasn't been changed.

Ensuring the appropriate users have timely access to the relevant information is known as availability.

11. HIDS and NIDS – which one is better and why?

An Intrusion Detection System that resides on a host machine is known as a Host Intrusion Detection System (HIDS).

Host-based detection has the disadvantage that it can use significantly more computing resources than a Network Intrusion Detection System (NIDS).

While HIDSs and NIDSs carry out comparable tasks, a HIDS provides additional insight into a device's suspicious activities.

12. What is a security policy?

A security policy is a document that outlines the steps to take in the event of an incident as well as how to protect an organization from threats.

13. What are the core principles of information security?

The core principles are the CIA triad. CIA is short for Confidentiality, Integrity and Availability. These have been discussed in detail under question 10 above.

14. What is non-repudiation (as it applies to IT security)?

In essence, non-repudiation means that neither the sender nor the recipient of the information can deny having sent or received it.

Human-to-human, human-to-machine, or machine-to-machine communication could be the sender or recipient. Organizations should log all types of communication for future reference.

15. What is the difference between logical and physical security? Can you give an example of both?

Physical security keeps unauthorized parties from physically gaining access to places or things they shouldn't. For example, CCTV cameras can be installed to perform surveillance in restricted areas and to deter unapproved access.

Logical security includes blocking illegal access through electronic means. You might achieve this by utilizing encryption for data at rest and in transit to prevent unauthorized access to the data.

16. What is a security control?

Security controls are safeguards or methods that reduce security risks to tangible assets such as information, computers, or other assets by preventing, detecting, countering, or minimizing such hazards. These controls safeguard the availability, confidentiality, and integrity of information.

17. What are the different types of security controls?

There are three main types of security controls:

18. What is Information Security governance?

Information security governance is a company's structure for security accountability. C-level executives frequently determine the organization's risk tolerance and set compliance and performance goals.

Then, a cybersecurity manager decides how to implement security within that risk tolerance so that the company does not exceed it.

19. What is the Chain of Custody?

The chain of custody is simply the paper trail that documents who handled each piece of evidence from the time it was gathered until it was submitted in court.

20. Do you prefer filtered ports or closed ports using firewall and why?

You should choose closed ports over filtered ports. By closing ports, we limit the attack surface for the attacker. Drop would silently drop the traffic for a matching Security Policy without any kind of acknowledgement back to the sender.

21. What are the layers of the OSI model?

● Layer 1 – The physical layer, where a physical medium is used to transport a raw bitstream (for example, fibre optic cable, copper cables, and electromagnetic waves).

● Layer 2 – The data link layer, which regulates data transmission between nodes on the same LAN segment and includes the logical link control (LLC) and media access control (MAC) sub-layers. This is the layer where the MAC address appears (for example, ff:ff:ff:ff:ff:ff), and data at this layer is called a frame.

● Layer 3 – The network layer, which determines the path the data will take. Packets are routed and transported across network borders by this layer. IP routing exists at this layer, where data is referred to as a packet. At this layer, an example of an Internet Protocol version 4 (IPv4) address would be 192.168.0.55, and an example of an IPv6 address would be 2001:0DB6:AC10:FE01:0000:0000:0000:0000, or, in abbreviated form, 2001:DB6:AC10:FE01::. Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), Domain Name System (DNS), Internet Control Message Protocol (ICMP), and Dynamic Host Configuration Protocol (DHCP) are some of the protocols at this tier.

● Layer 4 – The transport layer sends data using protocols like User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). The transport layer is in charge of breaking application-provided data down into digestible chunks; at this layer, the data is called a segment. Despite being faster than TCP, UDP only sends data and doesn't care whether it is received on the other end. With TCP, a three-way handshake is formed, enabling the sender to verify that the intended receiver received the data.

● Layer 5 – The session layer controls the ports and sessions and maintains connections. The session layer handles a session's formation, use, and dissolution. Additionally, it manages the session's tokens.

● Layer 6 – The presentation layer is where data is displayed in a usable format, and where encrypted data is presented. This layer manages data compression and decompression while maintaining the syntax of the data being delivered.

● Layer 7 – The application layer, where users interact with applications. Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP) are a few examples of layer 7 protocols.
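The frame/packet/segment nesting of layers 2 to 4 described above, shown as an added example that is not part of the original page: a small decoder that walks a raw Ethernet frame, pulls the MAC addresses from layer 2, the IPv4 addresses from layer 3 and the ports from layer 4. The frame bytes are constructed for this example, reusing the page's broadcast MAC and 192.168.0.55 address; the Decoded type and DecodeFrame are assumed names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
)

// Decoded collects the addressing recovered from each layer of one frame.
type Decoded struct {
	SrcMAC, DstMAC   string // layer 2: Ethernet frame
	SrcIP, DstIP     string // layer 3: IPv4 packet
	Proto            string // layer 4 protocol the packet carries
	SrcPort, DstPort uint16 // layer 4: TCP segment / UDP datagram
}

// DecodeFrame peels a raw Ethernet frame from layer 2 up to layer 4.
func DecodeFrame(b []byte) (Decoded, error) {
	var d Decoded
	if len(b) < 14 {
		return d, errors.New("frame too short for an Ethernet header")
	}
	d.DstMAC, d.SrcMAC = net.HardwareAddr(b[0:6]).String(), net.HardwareAddr(b[6:12]).String()
	if binary.BigEndian.Uint16(b[12:14]) != 0x0800 { // EtherType 0x0800 = IPv4
		return d, errors.New("not an IPv4 frame")
	}
	ip := b[14:] // the frame's payload is the layer 3 packet
	if len(ip) < 20 || ip[0]>>4 != 4 {
		return d, errors.New("truncated or non-IPv4 header")
	}
	ihl := int(ip[0]&0x0f) * 4 // IPv4 header length in bytes, options included
	if ihl < 20 || len(ip) < ihl+4 {
		return d, errors.New("packet too short to hold the layer 4 ports")
	}
	d.SrcIP, d.DstIP = net.IP(ip[12:16]).String(), net.IP(ip[16:20]).String()
	d.Proto = map[byte]string{6: "TCP", 17: "UDP"}[ip[9]] // IP protocol field
	if d.Proto == "" {
		return d, errors.New("unhandled transport protocol")
	}
	l4 := ip[ihl:] // the packet's payload is the layer 4 segment/datagram
	d.SrcPort, d.DstPort = binary.BigEndian.Uint16(l4[0:2]), binary.BigEndian.Uint16(l4[2:4])
	return d, nil
}

// SampleFrame is a constructed frame: broadcast MAC, 192.168.0.55 -> 192.168.0.1, TCP SYN from port 49335 to 443.
var SampleFrame = []byte{
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00, // Ethernet header
	0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00, // IPv4 header (checksum zeroed)
	0xc0, 0xa8, 0x00, 0x37, 0xc0, 0xa8, 0x00, 0x01, // source and destination IP
	0xc0, 0xb7, 0x01, 0xbb, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0, // TCP header
}
```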

22. What are the three ways to authenticate a person?

23. In firewall detection, which one is more dangerous: a false negative or a false positive? And why?

A false negative is the most severe and dangerous state. This is when the IDS classifies an activity as acceptable when the activity is actually an attack; in other words, the IDS misses the attack. It is the most dangerous state because the security professional has no idea that an attack took place.

24. How often should you perform patch management?

Numerous variables affect this. While we might cycle some patches on a particular date, other patches must be deployed immediately.

Although Microsoft has its well-known Patch Tuesday, not all businesses deploy updates on that day. Organizations should typically test patches on systems and networks that are not in production use to see whether they break anything else.

25. What is the difference between TCP and UDP?

While UDP is a connectionless protocol, TCP is a connection-oriented protocol. Speed is a fundamental distinction between TCP and UDP, with TCP being noticeably slower than UDP. Overall, UDP is a lot faster, easier, and more effective protocol, but only TCP allows for the retransmission of lost data packets.

26. What is a playbook/runbook in SOC?

A playbook, commonly referred to as a standard operating procedure (SOP), is a set of instructions for how the SOC should respond to security incidents and alarms. The SOC analyst would use the playbook to help determine what steps to follow, for instance, if production servers were compromised.

27. What is the difference between firewall deny and drop?

If configured with a deny rule, the firewall stops the connection and returns a reset packet to the sender. This notifies the sender that a firewall is in use.

If configured with a drop rule, the firewall silently discards the connection request and does not notify the sender. To prevent an attacker from discovering that you are filtering traffic with a firewall, it is advised that you configure the firewall to prohibit egress (outbound) traffic and set incoming traffic to drop.

28. What is DNS?

The Domain Name System (DNS) is essentially the internet's phone book. Suppose you type siemintelligence.com into your browser to view the information on their website. Your browser will translate the domain name (siemintelligence.com) into an IP address (192.172.6.33 in this example).

This eliminates the need to memorise each SIEM Intelligence server's IP address.

There are four DNS servers involved in your request to access SIEM Intelligence's web page:

29. What is cognitive cybersecurity?

Cognitive cybersecurity uses artificial intelligence (AI) modeled after human brain processes to identify risks and safeguard physical and digital systems.

It mimics the functioning of the human brain via data mining, pattern recognition, and natural language processing.

30. What is port blocking?

Data moves around the internet through ports. When a port is blocked, data can't move through it. Basically port blocking means we want to stop the transmission of network flow. Blocking unused ports can help us minimize the attack surface.

31. What is an incident response plan?

An incident response (IR) plan ensures that the appropriate individuals and processes are in place to handle risks. This enables the IR team to conduct an organized investigation into the events to identify the indicators of compromise (IOCs) and the threat actor's tactics, techniques, and procedures (TTPs). Phases of the kill chain can be skipped depending on the occurrence, but an IR plan is like a step-by-step manual to follow in the event of an incident. The phases are as follows:

● Preparation

● Detection and analysis

● Containment, eradication, and recovery

● Post-incident activity

32. What is a botnet?

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Distributed Denial-of-Service attacks, data theft, spam distribution, and gaining access to the target device and its connection are all possible with the help of botnets. Using command and control software, the owner can manage the botnet.

The Mirai and Emotet botnet infrastructures, which took control of IoT devices, are famous examples.
