SOC Interview Questions and Answers Flashcards
- What is the CIA triad?
The CIA triad stands for confidentiality, integrity, and availability.
Confidentiality makes sure that only those authorized have access.
Integrity verifies that the data has not been altered or compromised and is accurate. Availability means the data is accessible when needed.
- What is a SIEM? What are some of its uses?
Security Information and Event Management.
It is a solution that is used to store log events and alerts and to manage those network events.
- What are the differences between symmetric and asymmetric encryption?
Symmetric encryption uses a single secret key for both encryption and decryption.
Asymmetric encryption uses a public key for encryption and a private key for decryption. Data encrypted with the public key can only be decrypted with the corresponding private key.
- What is worse, a false positive or a false negative?
A false negative is worse because it means detecting no threat when there is an actual threat.
- What is the difference between IDS and IPS?
An IDS will only alert about a potential incident, but an IPS will block the attempt.
- What are the different layers of the OSI model?
Physical, Data Link, Network, Transport, Session, Presentation, Application
- What are IP and MAC addresses?
An IP address is an Internet address and a MAC address is a unique physical address. A network packet needs both to get to its destination.
- What are risk, vulnerability, and threat, and how do they relate to each other?
A vulnerability is a weakness or flaw.
A threat is a malicious or negative event that takes advantage of a vulnerability.
A risk is the probability of loss and damage when the threat does occur.
All three affect the CIA triad.
Risk = threat x vulnerability
- Explain the XSS attack. How to prevent it?
Cross-site scripting is a web security vulnerability that allows an attacker to compromise a user's interaction with an application.
It can occur by injecting malicious JavaScript code.
Prevention: encode data on output and validate input on arrival.
- What is data protection in transit vs. data protection at rest?
Data at rest is inactive data that is not moving between networks (stored data).
Data in transit is moving data; it is being transferred between locations over a private network or the Internet.
Data in transit can be protected with encryption methods like HTTPS, SSL and TLS.
For data at rest, you can monitor and audit the data.
- What is CSRF?
Cross-Site Request Forgery.
A web application vulnerability in which the server does not check whether the request came from a trusted client.
- Is encryption different from hashing?
Encryption is a two-way function that requires a key; hashing is a one-way function that can be used to verify that the data has not been altered.
Encryption can be reversed; hashing cannot.
- What is the difference between black box testing and white box testing?
A black box test only considers the external behavior of the system; the internal workings of the software are not taken into account.
A white box test is a method used to test software while taking its internal functioning into consideration.
- What is ARP poisoning? Can you explain with an example?
ARP poisoning (also known as ARP spoofing) is a type of cyber attack that involves sending false (malicious) ARP packets to a default gateway in order to change the pairings in its IP-to-MAC address table.
It’s a Man in the Middle (MitM) attack that allows attackers to intercep
- What is the difference between signature-based detection and anomaly-based detection?
Signature-based detection only generates alerts when it identifies an exact match of known indicators, and can detect known malware.
Anomaly-based systems can generate alerts when activity is outside an accepted range.
- What is ARP?
Address Resolution Protocol (ARP) is a protocol that enables network communications to reach a specific device on the network. ARP translates Internet Protocol (IP) addresses to a Media Access Control (MAC) address, and vice versa.
- What is a SOC?
A Security Operations Center is a centralized location where an organization's security professionals monitor and analyze the organization's computer systems and networks to identify and mitigate potential security threats.
- What does a SOC analyst do?
Actively monitoring network activity, responding to security alerts, and conducting investigations into potential security breaches.
- Do you have any experience in scripting or programming? If yes, what languages?
I have basic knowledge of PowerShell and am currently learning Python.
- Can you describe the difference between UDP and TCP?
UDP is connectionless and will not retransmit lost packets.
TCP is connection oriented and retransmits lost packets.
- What is the TCP handshake?
1. SYN: the first step in the TCP handshake, the client sends a SYN packet.
2. SYN-ACK: reply to the client request, with the SYN + ACK flags set.
3. ACK: the last step, the client acknowledges the response.
- How much command line (CLI) experience do you have (on any OS)?
I have been using the command line in Kali Linux, Ubuntu and Windows to complete labs. I have not mastered all the commands, but I do know how to rely on my resources to find the commands needed.
- What is the standard cyber incident response process or steps?
Preparation - have a plan in place.
Detection - determine if an incident occurred.
Containment, Eradication and Recovery - halt the effects, find the cause and restore services.
Post-Incident Activity - lessons learned.
- How would you approach a problem you've never seen before?
Google it, ask a colleague, research the issue. Most likely someone has seen this before.