SOC Interview Questions Flashcards
Black Hat Hacker
Hackers who are criminals and break into computer networks with malicious intent.
White Hat Hacker
Also known as Ethical Hackers. They are certified hackers who learn hacking from courses. These are good hackers who try to secure our data and websites.
Grey Hat Hacker
A mix of both Black-Hat and White-Hat hackers. These types of hackers find vulnerabilities in systems without the permission of owners. They don’t have any malicious intent. However, this type of hacking is still considered illegal.
Port Scanning
A method of determining which ports on a network are open and could be receiving or sending data.
Red Team
A group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve their defenses.
Blue Team
A group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and make certain all security measures will continue to be effective after implementation.
Firewall
A device that allows or blocks the network traffic according to the rules.
Security Misconfiguration
A security vulnerability caused by incomplete or incorrect configuration.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Risk
The level of impact on agency operations (including mission functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Threat
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Compliance
Following the set of standards authorized by an organization, independent party, or government.
MITRE ATT&CK
A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
2FA
An extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they will be required to provide another piece of information.
Share some general endpoint product categories
Antivirus
EDR (Endpoint Detection and Response)
XDR (Extended Detection and Response)
DLP (Data Loss Prevention)
What is HIDS?
HIDS means Host Intrusion Detection System. HIDS is located on each host.
What is NIDS?
NIDS means Network Intrusion Detection System. NIDS is located in the network.
CIA Triad
A common model that forms the basis for the development of security systems.
Confidentiality
Involves the efforts of an organization to make sure data is kept secret or private.
Integrity
Involves making sure your data is trustworthy and free from tampering.
Availability
Systems, networks, and applications must be functioning as they should and when they should.
What is AAA?
Authentication
Authorization
Accounting
Authentication
Involves a user providing information about who they are. Users present login credentials that affirm they are who they claim.
Authorization
A user can be granted privileges to access certain areas of a network or system.
Accounting
Keeps track of user activity while users are logged in to a network by tracking information such as how long they were logged in, the data they sent or received, their Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the different services they accessed.
Cyber Kill Chain
A framework that is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies the steps adversaries must complete in order to achieve their objective.
SIEM
A security solution that provides real-time logging of events in an environment. The purpose of this event logging is to detect security threats.
Indicator of Compromise (IoC)
Serve as forensic evidence of potential intrusions on a host system or network. These artifacts enable Information Security (InfoSec) professionals and system administrators to detect intrusion attempts or other malicious activities.
Indicator of Attack (IoA)
Demonstrate the intentions behind a cyberattack and the techniques used by the threat actor to accomplish their objectives.
True Positive
When the situation that should be detected and the situation that actually triggered the alert are the same.
False Positive
In short, it is a false alarm. When an IDS or IPS flags non-malicious traffic as malicious.
OSI Model
A conceptual model that describes the universal standard of communication functions of a telecommunication system or computing system.
Three-Way Handshake
A method used in a TCP/IP network to create a connection between the client and server.
Explain the Three-Way Handshake
- The client sends a SYN (Synchronize) packet to the server to check whether the server is up and has open ports
- The server sends a SYN-ACK packet back to the client if it has open ports
- The client acknowledges this and sends an ACK (Acknowledgment) packet back to the server
TCP/IP Model
Is the default method of data communication on the Internet. It was developed by the United States Department of Defense to enable the accurate and correct transmission of data between devices.
What is the difference between the TCP/IP Model and the OSI Model?
The TCP/IP model is a simpler, four-layer model that focuses on the actual workings of the internet, while the OSI model is a more detailed seven-layer model that provides a conceptual framework for understanding network communication.
Address Resolution Protocol (ARP)
Is a communication protocol used for discovering the Data Link Layer address, such as a MAC address, associated with a given Network Layer address, typically an IPv4 address.
Dynamic Host Configuration Protocol (DHCP)
Is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.
Domain Name System (DNS)
Is like the internet’s phone book, translating domain names (like google.com) into IP addresses (like 172.217.1.46) so computers can communicate with each other.
Virtual Private Network (VPN)
Creates a secure, encrypted connection over a public network like the internet, allowing users to browse the web privately and securely. It masks their IP address and encrypts their data, enhancing privacy and security, particularly when accessing sensitive information or bypassing geographical restrictions.
Virtual Local Area Network (VLAN)
Is a network segmentation technique that allows administrators to logically divide a single physical network into multiple isolated virtual networks.
Router
Is a networking device that forwards data packets between computer networks. Responsible for directing traffic based on IP addresses, enabling communication between devices on different networks.
Switch
Is a networking device that connects multiple devices within a local area network (LAN) and forwards data packets to their intended destination based on MAC addresses. It operates at the data link layer of the OSI model and helps manage network traffic efficiently by creating direct paths between devices.
User Datagram Protocol (UDP)
Is a connectionless protocol that provides a simple and lightweight method for sending data packets over a network. It is commonly used for applications that prioritize speed and efficiency over reliability, such as real-time streaming or online gaming.
Transmission Control Protocol (TCP)
Is a connection-oriented protocol that ensures reliable and ordered delivery of data packets over a network. It establishes a virtual connection between sender and receiver, handling error correction, flow control, and congestion control to guarantee data integrity and successful transmission.
What is the difference between UDP and TCP?
UDP and TCP are transport layer protocols. TCP has error checking and guarantees that packets have been received, while UDP does not.
Steps to ensure a server is secure
- Close all unnecessary ports
- Patch the server so that all software is up to date
- Tightly control user access
Traceroute
Is a tool used to trace the path of an IP packet as it traverses routers. It works by incrementing the TTL field until the packet reaches the destination IP.
Subnet
Is a logical subdivision of an IP network: the practice of dividing a network into two or more networks.
MAC Address
Is a unique identifier assigned to a network interface controller for use as a network address in communications within a network segment.
Spanning Tree Protocol (STP)
Is a network protocol that builds a loop-free logical topology for Ethernet networks.
Load Balancer
A device or service that performs load balancing: the process of distributing a set of tasks over a set of resources, with the aim of making their overall processing more efficient.
Hypervisor
Also known as a virtual machine monitor or virtualizer, is a type of computer software, firmware or hardware that creates and runs virtual machines.
Container
A package of software and its dependencies — such as code, system tools, settings, and libraries — that can run reliably on any operating system and infrastructure.
DHCP Relay
Allows devices to obtain DHCP addresses even if they are not located within the same subnet or broadcast domain as the DHCP server.
Link Aggregation or Port Trunking
Is a way of bundling two or more network interfaces together to act as one.
Proxy Server
A system or router that provides a gateway between users and the internet.
Packet Sniffing
A method of detecting and assessing packet data sent over a network.
Network Segmentation
A physical or virtual architectural approach dividing a network into multiple segments.
SSL
A security protocol that creates an encrypted link between a web server and a web browser.
TLS
Encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit.
Port 80
What port is HTTP?
Port 443
What port is HTTPS?
Port 21
What port is FTP?
Port 22
What port is SSH?
Port 23
What port is Telnet?
Port 25
What port is SMTP (Simple Mail Transfer Protocol)?
Port 53
What port is DNS?
Port 67
What port is DHCP?
Port 69
What port is TFTP (Trivial File Transfer Protocol)?
Port 123
What port is NTP (Network Time Protocol)?
Port 389
What port is LDAP (Lightweight Directory Access Protocol)?
Port 3389
What port is RDP?
Port 5900
What port is VNC (Virtual Network Computing)?
Port 110
What port is POP3 (Post Office Protocol version 3)?
Port 143
What port is IMAP (Internet Message Access Protocol)?
SSH
Is a secure network protocol used for remote access and control of devices over an unsecured network.
FTP
Is a standard network protocol used for transferring files between a client and a server on a computer network.
SNMP
Is an Internet-standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.
LDAP
Is an open and cross-platform protocol used for accessing and maintaining distributed directory information services over a network.
RDP
Is a proprietary protocol developed by Microsoft that enables users to remotely access and control a computer desktop over a network connection.
Wired Equivalent Privacy (WEP)
Is meant to protect Wi-Fi transmissions by encrypting the data so outsiders who are not inside the encrypted network will not be able to read the messages or data contained within.
Wi-Fi Protected Access (WPA)
Is a security standard for computing devices with wireless internet connections.
General network security product names
Firewall
IDS (Intrusion Detection System)
IPS (Intrusion Prevention System)
WAF (Web Application Firewall)
What’s the difference between an IDS and IPS?
An IDS only alerts on malicious traffic, while an IPS alerts on and blocks malicious traffic.
How can you protect yourself from Man-in-the-middle (on-path) attacks?
Be cautious when connecting to public Wi-Fi.
Use a VPN.
What are the HTTP response codes?
1XX: Informational
2XX: Success
3XX: Redirection
4XX: Client-Side Error
5XX: Server-Side Error
OWASP Top 10
Is a standard awareness document that represents a broad consensus about the most critical security risks to web applications.
SQL Injection
An injection attack in which malicious SQL statements are inserted into an entry field for execution.
Preventing SQL Injection
Use parameterized queries or prepared statements.
Implement input validation to ensure data integrity.
Use proper access controls to limit database privileges.
Cross-Site Scripting (XSS)
A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Cross-Site Request Forgery (CSRF)
An attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
Prevent XSS and CSRF
Implement proper input validation and sanitization.
Use output encoding or escaping.
Implement anti-CSRF tokens in web forms.
Insecure Direct Object Reference (IDOR)
Is a vulnerability caused by the lack of an authorization mechanism or because it is not used properly.
Remote File Inclusion (RFI)
Occurs when a file on a different server is included without sanitizing the data obtained from a user.
Local File Inclusion (LFI)
Occurs when a local file is included without sanitizing the data obtained from a user.
What is the difference between LFI and RFI?
LFI involves exploiting a vulnerability to include files that are already locally present on the server, while RFI involves injecting files from a remote server into the web application.
Web Application Firewall (WAF)
Helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
Cryptography
Is the practice and study of techniques for secure communication in the presence of third parties, typically involving encryption and decryption of data.
Encoding
Converts the data in the desired format required for exchange between different systems.
Hashing
Maintains the integrity of a message or data. Any change made to the data can be noticed.
Encryption
Ensures that the data is secure and that one needs a digital verification code (a key) in order to open or access it.
What is the difference between hashing and encryption?
Hashing transforms data into a fixed-size string of characters, while encryption encodes data with a key that can be decoded to its original form.
Salted Hashes
Random data added to the hashing process to force the uniqueness of each hash, increase its complexity without increasing user requirements, and mitigate password attacks like hash tables.
Compiler
Name of the software that compiles written code?
Disassembler
Name of the software that translates machine codes into assembly language?
Static Malware Analysis
It is the approach of analyzing malicious software by reverse engineering methods without running it.
Dynamic Malware Analysis
It is the approach that examines the behavior of malicious software on the system by running it. Applications that can examine registry, file, network and process events are installed on the system, and the behavior of the malicious software is examined by running it.
How does malware achieve persistence on Windows?
Services
Registry Run Keys (Run, RunOnce)
Task Scheduler
Infecting clean files
Which event logs are available by default on Windows?
System
Application
Security
Malware
Is malicious software designed to disrupt, damage, or gain unauthorized access to computer systems or data.
Virus
A type of malicious software that attaches itself to other programs or files and spreads by replicating when those files are executed, often causing harm to the host system.
Difference between virus and malware
A virus is a specific type of malware that self-replicates by attaching to other programs or files; malware encompasses a broader range of malicious software designed to disrupt, damage, or gain unauthorized access to computer systems or data.
Examples of Malware
Trojan Horse
Spyware
Adware
Rootkit
Examples of Viruses
WannaCry
Stuxnet
Code Red
Distributed Denial of Service (DDoS)
Is a cyberattack that causes the servers to refuse to provide services to genuine clients.
Preventatives for DDoS
Configure Firewalls and Routers
Use Load Balancing
Ransomware
Is a type of malicious software that encrypts files on a victim’s computer or network, rendering them inaccessible, and demands payment (usually in cryptocurrency) for the decryption key to restore access.
Preventatives to Ransomware
Network Segmentation
Keep Anti-Virus Software up to date
Password Spraying
Is a cyberattack technique where attackers attempt to gain unauthorized access to multiple user accounts by using commonly used passwords or easily guessable credentials.
Dictionary Attack
Is a type of cyberattack where an attacker systematically tries every word in a pre-compiled list (dictionary) of potential passwords to gain unauthorized access to user accounts or systems.
Brute Force Attack
Is a cyberattack method where an attacker systematically tries every possible combination of characters until the correct password or encryption key is discovered.
Vulnerability Assessment
Is the process of identifying, quantifying, and prioritizing vulnerabilities in computer systems, networks, and applications to determine potential security risks and take appropriate remedial actions.
SSID
Is a unique name that identifies a wireless network.
Peer to Peer
A network type that allows each user to act as both client and server.
Server
A computer system or software program that provides services or resources to other computers, known as clients, over a network, fulfilling requests and facilitating communication and data exchange between devices.
WIC (WAN Interface Card)
Is a hardware component used in networking equipment, such as routers and switches, to connect to wide area networks (WANs) and provide access to remote networks or the internet.
Data in Transit
Refers to information that is actively being transferred between two endpoints over a network.
Data at Rest
Information that is stored or archived in a persistent state.
What is Cybersecurity?
Is the protection of critical systems and sensitive information from digital security threats.
Data Leakage
Is an intentional or unintentional transmission of data from within the organization to an external unauthorized destination.
3 Types of Data Leakage
Accidental Breach
Intentional Breach
System Hack
Common Cyber Attacks
Malware
Phishing
Password Attacks
DDoS
Man in the Middle
Prevent Identity Theft
- Use strong and unique passwords.
- Avoid sharing confidential information online, especially on social media.
- Shop from known and trusted websites.
- Install advanced malware and spyware tools.
- Update anti-virus software
NetBIOS
Is a networking protocol suite that allows applications and devices on a local area network (LAN) to communicate with each other.
Port Blocking
Restricting users from accessing a set of services within the local area network.