Bad Mock Interview Questions.

The document provides an overview of networking concepts, including definitions of networks, troubleshooting methods, and IP address classifications. It explains various protocols like ARP, SMTP, TCP, and UDP, as well as security measures such as firewalls, IDS, and IPS. Additionally, it covers attack types, including SQL injection, DoS, and ransomware, along with the cyber kill chain process.

Uploaded by Kalapati Harish

1. What is a network?

Interconnection of two or more hosts for the purpose of exchanging data and sharing
resources.

2. How do you troubleshoot your network?

Network troubleshooting is the way of maintaining a computer network so that it keeps operating
smoothly.

When a problem arises, network admins use tools such as Ping, Traceroute and PathPing to identify
and solve the problem.

3. Can you explain the private IP ranges?

Classification of private IP addresses:

Class   Use        IP Range
A       Private    10.0.0.1 to 10.255.255.255
B       Private    172.16.0.1 to 172.31.255.255
C       Private    192.168.0.1 to 192.168.255.255

4. What is the difference between ARP and RARP?

ARP: Address Resolution Protocol, used to translate a Layer 3 IP address into the corresponding
Layer 2 MAC address.
RARP: Reverse Address Resolution Protocol, used for the opposite translation, from a Layer 2 MAC
address to a Layer 3 IP address.

5. What is the difference between SMTP, POP3 and IMAP?

Protocol                                  Ports       Transport   Description
Simple Mail Transfer Protocol (SMTP)      25 & 587    TCP         A communication protocol used to transmit email
                                                                  messages over the internet to the destination server.
IMAP (Internet Message Access Protocol)   143 & 993   TCP         IMAP stores the message on a server and synchronizes
                                                                  the message across multiple devices.
Post Office Protocol 3 (POP3)             110 & 995   TCP         POP3 downloads the email from a server to a single
                                                                  computer, then deletes the email from the server.

6. TCP/IP

- The TCP/IP model is the oldest model; it has 4 layers.
- OSI is the reference model of TCP/IP.
- The 4 TCP/IP layers map onto the 7 OSI layers; the work done is similar.

7. OSI Model

The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the
functions of a telecommunication or computing system into seven abstraction layers. These layers help
in understanding, designing, and discussing network architecture and protocols. The seven layers, from
the bottom up, are: Physical, Data Link, Network, Transport, Session, Presentation, and Application. Each
layer has specific functions and interacts with adjacent layers to facilitate communication between
devices in a network.

Open Systems Interconnection (OSI model) is one model for sending a packet from one network
to another network.

Application Layer:
The user starts the communication from this layer. This is Layer 7 of the OSI model; its PDU
(Protocol Data Unit) is data.
Presentation Layer:
Translates the data into machine language; it encrypts and compresses the data. This is Layer 6 of
the OSI model; its PDU is data.
Session Layer:
Starts, maintains and terminates the connection between the two hosts. This is Layer 5 of the OSI
model; its PDU is data.
Transport Layer:
Acknowledgement messages, sequence numbers and reliable data delivery are handled in this layer.
This is Layer 4 of the OSI model; its PDU is segments.
Network Layer:
It chooses the best path for a packet to reach the destination. This is Layer 3 of the OSI model; its
PDU is packets.
Data Link Layer:
It is responsible for sending data from one node to another node. This is Layer 2 of the OSI model;
its PDU is frames.
Physical Layer:
It converts the digital signals into analogue signals. This is Layer 1, the lowest layer of the OSI
model; its PDU is bits.

8. What is the difference between the TCP/IP model and the OSI model?

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two commonly used
transport layer protocols in networking.

TCP (Transmission Control Protocol):

TCP is a connection-oriented protocol that provides reliable and ordered delivery of data.
It establishes a connection before data transfer and ensures that data is delivered without errors and in
the correct order.
TCP is used for applications that require high reliability, such as web browsing, email, and file transfers.
It operates at the transport layer (Layer 4) of the OSI model.

UDP (User Datagram Protocol):


UDP is a connectionless protocol that does not guarantee reliable delivery or order of data.
It is more lightweight than TCP, making it suitable for real-time applications where low latency is crucial.
UDP is used in scenarios like streaming media, online gaming, and DNS (Domain Name System).
It also operates at the transport layer (Layer 4) of the OSI model.

Both TCP and UDP work at the transport layer of the OSI model, responsible for end-to-end
communication and data flow control between two devices on a network.

9. Which protocols belong to which layer in the OSI model?

Here's a brief overview of some common protocols and the OSI layers they correspond to:
Physical Layer (Layer 1): Protocols: Ethernet, USB, HDMI
Data Link Layer (Layer 2): Protocols: PPP (Point-to-Point Protocol), MAC (Media Access Control)
Network Layer (Layer 3): Protocols: IP (Internet Protocol), ICMP (Internet Control Message Protocol),
OSPF (Open Shortest Path First)
Transport Layer (Layer 4): Protocols: TCP (Transmission Control Protocol), UDP (User Datagram
Protocol)
Session Layer (Layer 5): Protocols: NetBIOS (Network Basic Input/Output System)
Presentation Layer (Layer 6): Protocols: SSL/TLS (Secure Sockets Layer/Transport Layer Security), JPEG
(Joint Photographic Experts Group)
Application Layer (Layer 7): Protocols: HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol),
SMTP (Simple Mail Transfer Protocol)

Each layer in the OSI model performs specific functions, and the protocols associated with each layer
facilitate communication between devices in a network. Keep in mind that this is a simplified overview,
and some protocols may operate across multiple layers.

10. What is the three-way handshake protocol?

TCP connection establishment (or) 3-way handshaking:

TCP is connection oriented, so it requires connection establishment before data transfer
begins. For connection establishment, the two hosts synchronize with each other using an initial
sequence number.
Initial sequence number: the 32-bit unique sequence number assigned to each new TCP
connection is called the Initial Sequence Number.
For example (Client or Host A, Server or Host B):
- Host A sends a synchronize message to Host B for the initial connection.
- Host B receives the synchronize message from Host A, then sends a synchronized
  acknowledgement to Host A.
- Host A receives the synchronized acknowledgement, then sends an acknowledgement to Host B.
- Host B receives the acknowledgement.
This is what we call TCP connection establishment or 3-way handshaking.

TCP Header:

11. Explain TCP termination.

The common way of terminating a TCP connection is by using the TCP header's FIN flag. This
mechanism allows each host to release its own side of the connection individually.
For example (Client or Host A, Server or Host B):
- Host A sends a FIN message to Host B to terminate the connection.
- Host B receives the FIN message from Host A, then sends a FIN acknowledgement to Host A.
- Host A receives the FIN acknowledgement, then sends an acknowledgement to Host B.
- Host B receives the acknowledgement.
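The two exchanges above, simulated end to end in Python as an added example (not part of the original notes): both hosts keep their own sequence-number state, SYN and FIN each consume one sequence number, and every ACK is checked against what the peer has actually sent. The ISNs 1000 and 5000 and the host names are constructed sample values; real stacks choose the ISN randomly.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MASK32 = 0xFFFFFFFF  # sequence numbers are 32 bits wide and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "FIN" in this simulation
    seq: int
    ack: int


@dataclass
class Host:
    name: str
    isn: int                          # initial sequence number for this connection
    state: str = "CLOSED"
    snd_nxt: int = field(init=False)  # next sequence number this host will send
    rcv_nxt: int = 0                  # next sequence number expected from the peer

    def __post_init__(self) -> None:
        if not 0 <= self.isn <= MASK32:
            raise ValueError("ISN must fit in 32 bits")
        self.snd_nxt = self.isn

    def send(self, peer: "Host", flags: str) -> Segment:
        seg = Segment(self.name, peer.name, flags, self.snd_nxt, self.rcv_nxt)
        # SYN and FIN each occupy one sequence number; a bare ACK occupies none
        if "SYN" in flags or "FIN" in flags:
            self.snd_nxt = (self.snd_nxt + 1) & MASK32
        return seg

    def receive(self, seg: Segment) -> None:
        if "SYN" in seg.flags or "FIN" in seg.flags:
            self.rcv_nxt = (seg.seq + 1) & MASK32
        # an ACK must cover exactly what this host has sent so far
        if "ACK" in seg.flags and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: ack {seg.ack} != expected {self.snd_nxt}")


def exchange(trace: List[Segment], sender: Host, receiver: Host, flags: str,
             sender_state: str, receiver_state: Optional[str] = None) -> Segment:
    """Send one segment, update both state machines and record it in the trace."""
    seg = sender.send(receiver, flags)
    sender.state = sender_state
    receiver.receive(seg)
    if receiver_state is not None:
        receiver.state = receiver_state
    trace.append(seg)
    return seg


def three_way_handshake(a: Host, b: Host) -> List[Segment]:
    """Host A (client) opens a connection to Host B (server)."""
    trace: List[Segment] = []
    exchange(trace, a, b, "SYN", "SYN-SENT", "SYN-RECEIVED")    # A -> B: synchronize
    exchange(trace, b, a, "SYN-ACK", "SYN-RECEIVED")            # B -> A: synchronized ack
    exchange(trace, a, b, "ACK", "ESTABLISHED", "ESTABLISHED")  # A -> B: acknowledgement
    return trace


def fin_termination(a: Host, b: Host) -> List[Segment]:
    """Host A closes first; each side releases its own direction independently."""
    trace: List[Segment] = []
    exchange(trace, a, b, "FIN", "FIN-WAIT-1", "CLOSE-WAIT")    # A -> B: FIN
    exchange(trace, b, a, "ACK", "CLOSE-WAIT", "FIN-WAIT-2")    # B -> A: FIN acknowledgement
    exchange(trace, b, a, "FIN", "LAST-ACK")                    # B -> A: B's own FIN
    exchange(trace, a, b, "ACK", "TIME-WAIT", "CLOSED")         # A -> B: final acknowledgement
    return trace


def run_demo():
    a = Host("Host A", isn=1000)  # constructed ISNs
    b = Host("Host B", isn=5000)
    handshake = three_way_handshake(a, b)
    teardown = fin_termination(a, b)
    return a, b, handshake, teardown


if __name__ == "__main__":
    a, b, handshake, teardown = run_demo()
    for seg in handshake + teardown:
        print(f"{seg.src} -> {seg.dst}: {seg.flags:8} seq={seg.seq} ack={seg.ack}")
    print(f"{a.name} is {a.state}, {b.name} is {b.state}")
```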

12. What is the difference between TCP & UDP?

TCP                                                 UDP
TCP is the Transmission Control Protocol            UDP is the User Datagram Protocol
TCP is a connection-oriented protocol               UDP is a connectionless protocol
TCP is more reliable than UDP                       UDP is faster than TCP for sending data
TCP header size is 20-60 bytes                      UDP header size is 8 bytes
TCP has acknowledgement segments                    UDP has no acknowledgement
TCP gives a 100% guarantee of receiving data        UDP gives no guarantee of receiving data

13. What is a Firewall?

Ans. A firewall is a network security device, either hardware or software. It provides a secure
connection between networks. It controls incoming and outgoing network traffic based on a set
of rules; it works based on IP addresses and port numbers.

Can: Firewalls can block invalid packets and filter traffic based on a defined set of filters.
Can't: Firewalls are unable to block viruses and malicious code. Firewalls are unable to prevent
attacks by malicious users already behind the firewall.

14. What is the difference between IPS and IDS?

These are security devices specially designed to monitor all inbound and outbound
network activity; they work based on signatures.
IDS: A device that analyses the whole packet, both header and payload, for known events. When a
known event is detected, a log message is generated detailing the event.
IPS: A device that analyses the whole packet, both header and payload, for known events. When a
known event is detected, the packet is rejected.

15. What is the difference between Anti-Virus vs EDR vs XDR vs MDR?

Anti-Virus                                          EDR
Targets known malware using signature-based         Monitors, detects, and responds to a broader
detection.                                          range of threats, including sophisticated attacks.
Relies on signatures to identify threats.           Uses behavioral patterns and anomaly detection
                                                    for identifying advanced threats.
Focuses on removing malware.                        Includes real-time containment and detailed
                                                    investigation tools.
Limited to file and program integrity.              Offers broader protection with forensic tools and
                                                    network-wide analysis.
Minimal; operates automatically.                    Requires skilled personnel for effective
                                                    management and response.

Logical extensions of traditional EDR are Managed Detection and Response (MDR) and Extended
Detection and Response (XDR).

Many organizations use all three solutions together for a multilayered defense.

MDR:

MDR is a third-party-managed service for monitoring and incident response, often including EDR tools.

It detects and responds to cybersecurity threats across the organization's digital infrastructure
—endpoints, networks, cloud gateways, and more. EDR solutions are often a key part of this
managed service.

XDR:

XDR addresses threats on all parts of the organization's technology platforms.

It addresses threats across an organization's entire IT landscape and includes data from
multiple security tools throughout the enterprise.

16. Difference between TLS and SSL.

SSL and TLS are cryptographic protocols that maintain secure communication between
the client and server.

In an HTTPS transaction, the "S" is the Secure Sockets Layer. TLS is the successor protocol to SSL.

TLS:
It is a secured-socket-layer protocol that uses asymmetric keys to transfer data over a
network. It uses port 443 and the TCP protocol.

17. What are encryption algorithm methods?

Encryption algorithm methods:
Advanced Encryption Standard (AES)
Rivest-Shamir-Adleman (RSA)
Triple DES (Data Encryption Standard)
Twofish

18. OWASP – Open Worldwide Application Security Project

Broken access control --- Not giving privileged access
Cryptographic failures --- Authentication failures
Injection --- SQL injections
Insecure design --- Not proper design
Identification and authentication failures
Software and data integrity failures
Security logging and monitoring failures
Server-side request forgery

19. Different types of boxes?

Types of boxes:
White-Box: The security tester knows the complete infrastructure of the organization.
Gray-Box: The security tester has partial knowledge of the infrastructure of the organization.
Black-Box: The security tester has no knowledge of the infrastructure of the organization.

Here infrastructure includes the available IPs, ports, servers and tools.

20. Different types of hackers?

Ethical Hacker: These people work for an organization to find out flaws & provide security to the
organization. They prevent cyberattacks by performing defensive actions.

Black Hat Hacker: These people usually do malicious activities by performing offensive actions,
and they work for themselves.

Gray Hat Hacker: These people work for an organization to test their knowledge; for that purpose
they perform both offensive and defensive actions.

21. What are important Windows event IDs?

Windows Event IDs:
4624   Successful account logon
4625   Failed account logon
4634   An account logged off
4722   A user account was enabled
4723   An attempt was made to change the password of an account
4725   A user account was disabled
4738   A user account was changed
4740   A user account was locked out
4767   A user account was unlocked
Windows logon failure sub-status codes:
0xC0000064   User logon with misspelled or bad user account
0xC000006A   User logon with misspelled or bad password
0xC000006F   User logon outside authorized hours
0xC0000070   User logon from unauthorized workstation
0xC0000072   User logon to account disabled by administrator

22. Difference between a horizontal scan and a port scan?

Port Scan:
A port scan is a technique hackers use to discover open doors or weak points in a network and
figure out whether they are receiving or sending data.

It can also reveal whether active security devices like firewalls are being used by an
organization.

Techniques are Ping, Vanilla, SYN, XMAS & FIN, FTP bounce and Sweep scans.
Horizontal Scan:
A horizontal scan is a scan against a group of IPs for a single port.

23. What is a brute force attack?

It is one of the most common methods to crack passwords. This attack is basically a trial
and error method, usually used to find legitimate access. These attacks take longer but their
success rate is higher. In order to gain the password, attackers can use password guessing
tools & scripts such as Hashcat, RainbowCrack etc.

24. What is a Password Spray attack?

A single common password is used against multiple accounts on the same application.

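Putting the event IDs of question 21 together with the brute force and password spray attacks of questions 23 and 24, here is an added detection example in Python (not from the original notes). It parses constructed sample logon events in a simplified `time id account source sub_status` format, decodes the failure sub-status codes from the table, and flags one account with repeated 4625 failures followed by a 4624 success, one source failing with a bad password against many different accounts, and 4740 lockouts. The thresholds of 3 and the sample addresses are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Sub-status codes and meanings from the table in question 21
SUB_STATUS = {
    0xC0000064: "bad user account",
    0xC000006A: "bad password",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000072: "account disabled by administrator",
}

# Constructed sample events, not real logs. Simplified format:
# time  event_id  account  source_ip  sub_status ("-" when there is none)
SAMPLE_LOG = """\
09:00:01 4625 alice 10.1.1.50 0xC000006A
09:00:02 4625 alice 10.1.1.50 0xC000006A
09:00:03 4625 alice 10.1.1.50 0xC000006A
09:00:04 4624 alice 10.1.1.50 -
09:01:00 4625 bob   10.9.9.9  0xC000006A
09:01:01 4625 carol 10.9.9.9  0xC000006A
09:01:02 4625 dave  10.9.9.9  0xC000006A
09:01:03 4625 erin  10.9.9.9  0xC000006A
09:02:00 4625 frank 10.1.1.77 0xC0000072
09:02:30 4740 grace 10.1.1.80 -
09:03:00 4625 bob   10.1.1.51 0xC000006A
09:03:05 4624 bob   10.1.1.51 -
"""


def explain_failure(sub_status: Optional[int]) -> str:
    """Translate a 4625 sub-status code into the reason from the table."""
    if sub_status is None:
        return "n/a"
    return SUB_STATUS.get(sub_status, f"unknown sub status 0x{sub_status:08X}")


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, event_id, account, src, sub = line.split()
        events.append({
            "time": time,
            "id": int(event_id),
            "account": account,
            "src": src,
            "sub": None if sub == "-" else int(sub, 16),
        })
    return events


def detect_brute_force(events: List[Dict], threshold: int = 3) -> List[Dict]:
    """Several 4625 failures for one account followed by its 4624 success (question 23)."""
    pending = defaultdict(list)  # account -> failures since its last success
    hits = []
    for ev in events:
        if ev["id"] == 4625:
            pending[ev["account"]].append(ev)
        elif ev["id"] == 4624:
            fails = pending.pop(ev["account"], [])
            if len(fails) >= threshold:
                hits.append({
                    "account": ev["account"],
                    "failures": len(fails),
                    "sources": sorted({f["src"] for f in fails}),
                    "reasons": sorted({explain_failure(f["sub"]) for f in fails}),
                })
    return hits


def detect_password_spray(events: List[Dict], min_accounts: int = 3) -> Dict[str, List[str]]:
    """One source failing with a bad password against many distinct accounts (question 24)."""
    accounts_per_source = defaultdict(set)
    for ev in events:
        if ev["id"] == 4625 and ev["sub"] == 0xC000006A:
            accounts_per_source[ev["src"]].add(ev["account"])
    return {src: sorted(accts) for src, accts in accounts_per_source.items()
            if len(accts) >= min_accounts}


def lockouts(events: List[Dict]) -> List[str]:
    """Accounts that produced a 4740 lockout event."""
    return [ev["account"] for ev in events if ev["id"] == 4740]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("password spray:", detect_password_spray(evs))
    print("lockouts:", lockouts(evs))
```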
25. Difference between SQL injection and XSS?

SQL Injection:
SQL is Structured Query Language. SQL injection is one of the most commonly exploited web
application vulnerabilities, at the database layer. Using this method an attacker can read the
data, or create or modify the data. The vulnerability is one of the oldest, most prevalent and most
dangerous web application vulnerabilities. It refers to an injection attack in which an attacker injects or
executes a malicious SQL statement or SQL script against the web application's database layer, which
controls the web application's database server.

XSS Scripting:
XSS is cross-site scripting. An attacker injects a malicious script into the web page. Whenever we
connect to the web page, that malicious script is downloaded to the system, gathers
information and sends it to the attacker.
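The two flaws described above, each shown beside its hardened form as an added example in Python (not from the original notes): the vulnerable lookup pastes user input into the SQL text while the safe one binds it as a parameter, and the vulnerable renderer puts the name straight into HTML while the safe one escapes it. The in-memory SQLite table, its two user rows and the test inputs are all constructed.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Untrusted input becomes part of the SQL text, so a quote character in it
    # changes the structure of the statement instead of being compared as data.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # The statement text is fixed; the driver passes the value as a bound
    # parameter, so whatever it contains is only ever compared, never parsed.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_vulnerable(display_name: str) -> str:
    # Reflecting input into HTML unchanged lets any markup in it run as markup.
    return f"<p>Hello, {display_name}</p>"


def render_safe(display_name: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser shows text only.
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


def demo() -> dict:
    conn = make_db()
    # Constructed inputs: a quote-based tautology and a script tag, the classic
    # test strings for the two flaw classes.
    sqli_input = "' OR '1'='1"
    xss_input = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": lookup_vulnerable(conn, sqli_input),  # every row comes back
        "safe_rows": lookup_safe(conn, sqli_input),              # no user has that name
        "vulnerable_html": render_vulnerable(xss_input),
        "safe_html": render_safe(xss_input),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```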

26. Difference between DoS and DDoS?

DoS:
DoS is denial of service, when a single host attacks. An attacker sends a lot of
connections to the victim computer, such as TCP, UDP and ICMP connections, to overload the
system memory & use up the bandwidth; it causes the server to become overloaded & stop working.
When someone wants to connect to the server it is down due to the overload.

DDoS:
DDoS is distributed denial of service, when multiple hosts attack. An attacker sends a
lot of connections to the victim computer, such as TCP, UDP and ICMP connections, to overload
the system memory & use up the bandwidth; it causes the server to become overloaded & stop
working. When someone wants to connect to the server it is down due to the overload.

27. Explain the cyber kill chain process.

This process has 7 phases; it is the roadmap for the attackers.

1. Reconnaissance: The attacker gathers information about the target through active or passive
   reconnaissance.
   a) Active Reconnaissance: The attacker directly interacts with the target, with the help of tools
      such as Nmap, Zenmap, Burp Suite, Crunch and Linux, to gain information about the target.
   b) Passive Reconnaissance: Using social media like Facebook, Instagram, Naukri and job
      portals to gather information about the target.
2. Weaponization: The attacker creates a malicious payload (the part of an exploit code that is
   intended to be damaging or to create a back door) for the vulnerabilities, using scripting or
   coding techniques.
3. Delivery: The payload is delivered through the web or email.
4. Exploitation: Attackers exploit the vulnerabilities and execute code on the victim's system.
5. Installation: Attackers install the code on the victim's system.
6. Command & Control: Attackers create a channel in order to operate the victim's machine
   remotely.
7. Action on Objectives: With hands-on keyboard access the attacker accomplishes their original
   goals or successfully creates the backdoor.

28. What is a Ransomware attack?

Ransomware Attack: Ransomware is malware; when it is installed on a victim's computer the
data is encrypted and payment is demanded for decryption. The attacker warns that if the ransom
payment is not made within certain criteria or time, the data will be lost forever. Ransomware
programs may also be called crypto viruses, crypto Trojans, crypto worms etc.

29. What is a Malware attack?

Malware attacks: Malware is malicious software or malicious code. This is software that is
specially designed to gain access to or damage a computer without the knowledge of the owner.

The various types of malware are:
1) Virus
2) Worm
3) Trojan horse
4) Spyware
5) Adware

30. What is the difference between a Virus & a Worm?

Virus: It is malicious software or code. The virus is code injected into an executable file; when we
install that file and run it, the virus spreads to the whole system. Without human action the virus
can't spread itself. A virus damages our hardware, software or files.
Worm: It is another category of malicious software or code. Worms are also injected into an
executable file; when we install that file, the worm is downloaded and spreads to the whole
system, replicating itself automatically. Without human action a worm can spread from one system
to another system. These worms damage our hardware, software or files.

31. What is the difference between a man-in-the-middle attack and session hijacking?

Man-in-the-middle or connection hijacking attack:

This kind of attack interrupts a legitimate communication between two systems in order to control
the flow of communication and alter the information sent by one of the original participants
without their knowledge. In an HTTP transaction the target is the TCP connection between client
and server. An attacker splits the original TCP connection into 2 new connections using different
techniques: one between client and attacker and another from attacker to server. In this, the attacker
acts as a proxy, being able to insert, read and modify the data.
Session hijacking:
It is known as TCP session hijacking & cookie hijacking; it is the exploitation of a valid computer
session. These kinds of attacks are used to exploit a valid computer session to gain unauthorized
access and information. Session hijacking occurs when a session token is sent to a client browser
from the web server. The main session hijacking concept is that, in an HTTP transaction, an attacker
hijacks the whole session from client to server.
In a man-in-the-middle attack, an attacker acts as a proxy, but here an attacker hijacks the whole
session.

32. What is meant by a zero-day attack?

An attacker compromises the vulnerability before the developer releases patches for the
vulnerability.
We can't confirm that the attack will happen on a particular day.

OR

An attack that exploits computer application vulnerabilities before the software developer
releases a patch for the vulnerability.

33. What is the Incident Response life cycle?

a) Preparation
b) Detection
c) Analysis
d) Containment
e) Eradication
f) Recovery
g) Lessons learned

34. What is Mitre attack framework?

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework is a
knowledge base that is used to describe the actions and behaviors of cyber adversaries during various
stages of the cyber attack lifecycle. It provides a comprehensive and detailed mapping of tactics,
techniques, and procedures (TTPs) employed by attackers.

Key components of the MITRE ATT&CK Framework include:

Tactics: High-level objectives or goals of an adversary, such as initial access, execution, persistence,
privilege escalation, defense evasion, etc.
Techniques: Specific methods or means used by adversaries to achieve the objectives within each tactic.
Techniques are more granular and describe the actual actions taken.
Procedures: Concrete examples of how a technique is executed. Procedures provide more detailed
information about specific instances of a technique.
The MITRE ATT&CK Framework is widely used in the cybersecurity community for threat intelligence,
red teaming, blue teaming, and security operations. It helps organizations understand and improve their
detection, defense, and response capabilities by aligning with real-world adversary behaviors.

35. What are types of DNS records?

36. How do you investigate a malware incident and Phishing incident?


37. How do you investigate any incident end-to-end process?

Incident management is a critical component of cybersecurity and IT operations that involves
identifying, responding to, and resolving security incidents. The incident management workflow typically
follows a structured process to ensure that incidents are handled in a systematic and efficient manner.
While specific workflows may vary between organizations, here is a general incident management
workflow:

Incident Identification: The process begins with the identification of potential security incidents. This
can be achieved through various means, including automated monitoring systems, user reports, and
alerts from security tools.

Incident Logging and Triage: Once an incident is identified, it is logged in an incident tracking system.
The incident is then triaged to assess its severity and prioritize the response. Triage involves gathering
initial information about the incident, such as the affected systems, potential impact, and any indicators
of compromise.

Initial Response: The incident response team initiates an initial response to contain and mitigate the
incident. This may involve isolating affected systems, disabling compromised accounts, or implementing
temporary measures to prevent further damage.

Investigation and Analysis: A thorough investigation is conducted to understand the nature and scope
of the incident. This includes analyzing logs, conducting forensics, and identifying the root cause. The
goal is to gather evidence that can be used to improve security controls and prevent similar incidents in
the future.

Communication: Communication is essential during incident management. Teams need to
communicate internally to coordinate the response, and there may also be a need for external
communication, such as informing stakeholders, customers, or regulatory authorities, depending on the
nature and severity of the incident.

Containment and Eradication: After understanding the incident, the focus shifts to containment and
eradication. Containment involves preventing the incident from spreading further, and eradication
involves removing the threat from the environment. This may involve deploying patches, removing
malware, or implementing additional security controls.

Recovery: Once the threat is eradicated, the organization works on recovering affected systems and
services. This may involve restoring data from backups, validating the integrity of systems, and ensuring
that normal operations can resume.

Post-Incident Analysis (PIA) or Post-Mortem: After the incident is resolved, a post-incident analysis is
conducted to review the incident response process, identify areas for improvement, and update incident
response plans. This analysis helps enhance the organization's overall security posture.

Documentation and Reporting: Comprehensive documentation is crucial for record-keeping and
regulatory compliance. Incident reports are created to document the details of the incident, including
the timeline, actions taken, and lessons learned.

Continuous Improvement: The incident management workflow is an iterative process. Lessons learned
from each incident are used to improve incident response procedures, update security controls, and
enhance the organization's overall security posture.

By following a structured incident management workflow, organizations can effectively respond to
security incidents, minimize potential damage, and continually improve their security defenses.

38. What alerts do you receive in Sentinel, DLP, EDR, Proofpoint?

What are the Sentinel alerts you will monitor on a daily basis:
1. Abnormal activity in SharePoint via previously unseen IPs
2. Sign-in attempt from a disabled account
3. SharePoint file operation via devices with previously unseen user agents
4. User account created and deleted within 10 min
5. Admin login failed 3 times
6. Multiple authentication failures followed by a success
7. Multiple password resets by user
8. New executable via Office file upload operation
9. User account enabled and disabled within 10 mins
10. Creation of forwarding/redirect rule
What are the MCAS alerts you will monitor on a daily basis:
1. Impossible travel activity
2. Mass delete
What are the Defender alerts you will monitor on a daily basis:
1. Malware was prevented / was detected by Microsoft Defender for Endpoint
2. Suspicious connection blocked by network protection by Microsoft Defender for Endpoint
3. Suspicious access to a service was detected by Microsoft Defender for Endpoint
4. Malicious file access was prevented / detected by Microsoft Defender for Endpoint
What are the phishing alerts you will monitor on a daily basis:
1. Attachment Defense alert
2. URL Defense alert

What are the DLP alerts you will monitor on a daily basis:
1. SMTP
2. HTTP/HTTPS
3. Print/Fax
4. Cloud Storage
5. Removable Disk

39. What is the architecture of Sentinel?


40. Difference between Active Directory & LDAP?
41. Name any tactics in the mitre attack framework.
42. What tactics comes for the Phishing alerts?
43. A process got executed in machine explain me root cause analysis?
44. Explain any P1 incident you receive in your organization?
45. How did you guys handle P1 incident?
46. Explain email architecture?
47. What are alerts you receive in organization?
48. What is the team size in org, clients, location you prefer, expected salary etc.
49. What is the difference between NIDS and HIDS?
50. What is the difference between Honey pot and Honey net.
51. What is CRL?
52. What is the difference between phishing and smishing?
53. What are the tools used in EDR, DLP and their versions?

Alchemy interview questions

54. What is a SOC?

In the context of a Security Operations Center (SOC), cybersecurity involves monitoring and protecting
an organization's information systems from cyber threats. SOC teams are responsible for analyzing
security data, detecting and responding to incidents, and implementing measures to enhance overall
cybersecurity. They play a crucial role in safeguarding networks, systems, and sensitive data from
various cyber threats, including malware, phishing attacks, and unauthorized access.

55. What is SIEM?

SIEM stands for Security Information and Event Management. It's a comprehensive approach to security
management that combines Security Information Management (SIM) and Security Event Management
(SEM) functions. SIEM systems collect and analyze log data generated throughout an organization's
technology infrastructure, from host systems and applications to network and security devices like
firewalls and antivirus filters.

The primary goals of SIEM are to:

Provide a comprehensive view of an organization's information security.
Detect and respond to security incidents in real-time.
Provide reports for compliance and regulatory purposes.

SIEM solutions use advanced analytics, correlation, and real-time monitoring to identify patterns, detect
anomalies, and alert security personnel about potential security events or incidents. They help
organizations improve their overall security posture by centralizing and analyzing diverse sources of
security data to facilitate faster and more effective incident response.

56. What is EDR, DLP, NAC, IPS, IDS & HIPS?

EDR (Endpoint Detection and Response): EDR solutions focus on detecting and responding to suspicious
activities on individual endpoints (computers, servers, devices). They provide real-time monitoring,
threat detection, and response capabilities to protect against advanced threats.

DLP (Data Loss Prevention): DLP aims to prevent unauthorized access, use, or transmission of sensitive
data. It involves monitoring and controlling data transfers to ensure that sensitive information is not
accidentally or maliciously leaked.

NAC (Network Access Control): NAC solutions control and manage access to a network, ensuring that
only authorized and compliant devices can connect. They enforce security policies, such as ensuring
devices have updated antivirus software or specific configurations before granting network access.

IPS (Intrusion Prevention System): IPS is a network security technology that monitors and analyzes
network and/or system activities for malicious exploits or security policy violations. It can take
automated actions to block or prevent identified threats.

IDS (Intrusion Detection System): IDS monitors network or system activities to identify and alert on
suspicious patterns or known attack signatures. Unlike IPS, IDS typically focuses on detection and alerts
without taking automated preventive actions.

HIPS (Host-based Intrusion Prevention System): HIPS operates on individual hosts or endpoints,
monitoring and controlling activities at the host level. It aims to prevent malicious activities or exploits
on the specific device it is installed on.

These cybersecurity technologies collectively contribute to a layered defense strategy, helping
organizations protect their networks, endpoints, and sensitive data from a variety of cyber threats.

57. What is Next Gen AntiVirus?

Next-Generation Antivirus (NGAV) refers to a modern approach to antivirus solutions that goes beyond
traditional signature-based detection methods. NGAV solutions incorporate advanced technologies and
techniques to enhance their ability to detect and respond to sophisticated cyber threats. Key features of
Next-Generation Antivirus include:

Behavioral Analysis: NGAV solutions analyze the behavior of files and processes in real-time. This allows
them to identify and block malicious activities based on suspicious behavior rather than relying solely
on known signatures.

Machine Learning and AI: Machine learning algorithms are often used to train antivirus models on vast
datasets, enabling them to recognize patterns indicative of malware. Artificial intelligence is employed
for adaptive and dynamic threat detection.

Endpoint Detection and Response (EDR) Integration: NGAV solutions often integrate with EDR
capabilities, providing a more comprehensive approach to endpoint security. This allows for real-time
monitoring, threat detection, and response on individual endpoints.

Cloud-Based Threat Intelligence: NGAV solutions leverage cloud-based threat intelligence to stay
updated on the latest threats and attack patterns. This helps in improving detection accuracy and
response capabilities.

Zero-Day Threat Protection: NGAV focuses on identifying and mitigating zero-day threats, which are
attacks exploiting vulnerabilities for which no patch or signature exists.

By combining these advanced features, Next-Generation Antivirus aims to provide a more proactive and
adaptive defense against a wide range of cyber threats, including those that may not have known
signatures or rely on sophisticated evasion techniques.

58. What is SLA in Incident Management?

SLA stands for Service Level Agreement, and in the context of Incident Management, it refers to a
documented agreement between a service provider (such as an IT department) and the customer
(internal or external) that outlines the expected level of service for incident resolution. The SLA defines
various parameters and commitments related to incident response and resolution timeframes. Key
components of an SLA in Incident Management include:

Incident Response Time: The agreed-upon time within which the service provider commits to
acknowledging and responding to reported incidents.

Resolution Time: The timeframe in which the service provider aims to resolve the incident and restore
normal service operations.

Priority Levels: Different incidents may have different priority levels based on their impact and urgency.
The SLA often outlines the response and resolution times corresponding to each priority level.

Communication Protocols: Guidelines on how communication between the service provider and the
customer will occur during incident resolution, including status updates and escalations.

Escalation Procedures: Procedures for escalating incidents to higher levels of support or management if
they are not resolved within the specified timeframes.

SLAs help set clear expectations between service providers and customers, establish accountability, and
ensure a timely and efficient response to incidents. They are a crucial component of IT service
management and contribute to overall service quality and customer satisfaction.

59. What were last year's breaches, and what was the threat vector?

A) January 2 → Victoria Court System Data Breach: The Guardian reports that the court system in
Victoria, Australia has been hacked, and the unauthorized parties gained access to the recordings of
various court hearings. However, “no other court systems or records, including employee or financial
data, were accessed,” chief executive Louise Anderson said in a statement.

B) On September 11, 2022 → Revolut suffered a data breach which saw a third party gain access to
Revolut’s database and the personal information of 50,150 users. The data breach was caused by a social
engineering attack. Malicious actors accessed data including names, addresses, email addresses and
partial payment card information during the cyber attack, although Revolut has stated that card details
were hashed.

C) Infosys Data Breach: Indian IT services company Infosys says they've been struck with a “security
event” which made several of the firm's applications unavailable in its US unit, called Infosys McCamish
Systems. The company is still investigating the impact the attack has had on its systems.

D) Indian Council of Medical Research Data Breach: Around 815 million Indian citizens may have had
their Covid test and other health data exposed in a huge data breach. A US security firm first alerted the
Indian authorities in mid-October after a threat actor going by the name of “pwn0001” claimed to have
the names, addresses, and phone numbers of hundreds of millions of Indians for sale.

E) Okta → “The unauthorized access to Okta’s customer support system leveraged a service account
stored in the system itself. This service account was granted permissions to view and update customer
support cases,” Okta's chief security officer said in a recent statement. “During our investigation into
suspicious use of this account, Okta Security identified that an employee had signed in to their personal
Google profile on the Chrome browser of their Okta-managed laptop.”
Common Attack Vector Examples

1. Compromised Credentials: Usernames and passwords are still the most common type of access
credential and continue to be exposed in data leaks, phishing scams, and malware. When lost, stolen, or
exposed, credentials give attackers unfettered access. This is why organizations are now investing in
tools to continuously monitor for data exposures and leaked credentials. Password managers, two-factor
authentication (2FA), multi-factor authentication (MFA), and biometrics can also reduce the risk of leaked
credentials resulting in a security incident.

2. Weak Credentials: Weak passwords and reused passwords mean one data breach can result in many
more. Teach your organization how to create a secure password, invest in a password manager or a
single sign-on tool, and educate staff on their benefits.

3. Insider Threats: Disgruntled employees or malicious insiders can expose private information or
provide information about company-specific vulnerabilities.

4. Missing or Poor Encryption: Common encryption methods like SSL/TLS certificates, together with
DNSSEC, can prevent man-in-the-middle attacks and protect the confidentiality of data being
transmitted. Missing or poor encryption for data at rest can mean that sensitive data or credentials are
exposed in the event of a data breach or data leak.

5. Misconfiguration: Misconfiguration of cloud services, like Google Cloud Platform, Microsoft Azure, or
AWS, or using default credentials can lead to data breaches and data leaks; check your S3 permissions
or someone else will. Automate configuration management where possible to prevent configuration
drift.

6. Ransomware: Ransomware is a form of extortion where data is deleted or encrypted unless a ransom
is paid; WannaCry is a well-known example. Minimize the impact of ransomware attacks by maintaining
a defense plan, including keeping your systems patched and backing up important data.

7. Phishing: Phishing attacks are social engineering attacks where the target is contacted by email,
telephone, or text message by someone posing as a legitimate colleague or institution to trick them into
providing sensitive data, credentials, or personally identifiable information (PII). Fake messages can
send users to malicious websites with virus or malware payloads.

8. Vulnerabilities: New security vulnerabilities are added to the CVE list every day, and zero-day
vulnerabilities are found just as often. If a developer has not released a patch for a zero-day vulnerability
before an attacker can exploit it, zero-day attacks can be hard to prevent.

9. Brute Force: Brute force attacks are based on trial and error. Attackers may continuously try to gain
access to your organization until one attempt works. This could be by attacking weak passwords or
encryption, sending phishing emails, or sending infected email attachments containing a type of
malware.

10. Distributed Denial of Service (DDoS): DDoS attacks are cyber attacks against networked resources
like data centers, servers, websites, or web applications and can limit the availability of a computer
system. The attacker floods the network resource with messages which cause it to slow down or even
crash, making it inaccessible to users. Potential mitigations include CDNs and proxies.

11. SQL Injection: SQL stands for Structured Query Language, a language used to communicate with
databases. Many of the servers that store sensitive data use SQL to manage the data in their database.
An SQL injection uses malicious SQL to get the server to expose information it otherwise wouldn't. This is
a huge cyber risk if the database stores customer information, credit card numbers, credentials, or other
personally identifiable information (PII).

12. Trojans: Trojan horses are malware that mislead users by pretending to be a legitimate program and
are often spread via infected email attachments or fake malicious software.

13. Cross-Site Scripting (XSS): XSS attacks involve injecting malicious code into a website, but the
website itself is not the target; rather, the attack aims to impact the website's visitors. A common way
attackers deploy cross-site scripting attacks is by injecting malicious code into a comment, e.g.
embedding a link to malicious JavaScript in a blog post's comment section.

14. Session Hijacking: When you log into a service, it generally provides your computer with a session
key or cookie so you don't need to log in again. This cookie can be hijacked by an attacker who uses it to
gain access to sensitive information.

15. Man-in-the-Middle Attacks: Public Wi-Fi networks can be exploited to perform man-in-the-middle
attacks and intercept traffic that was supposed to go elsewhere, such as when you log into a secure
system.

16. Third- and Fourth-Party Vendors: The rise in outsourcing means that your vendors pose a huge
cybersecurity risk to your customers' data and your proprietary data. Some of the biggest data breaches
were caused by third parties.
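Item 11 above says an injection "uses malicious SQL to get the server to expose information it otherwise wouldn't". The following added example (not from the original document, and not any product's code) shows exactly where that happens and what the fix looks like: a lookup that concatenates user input into the query text beside the same lookup with a parameterized query, both run against a constructed three-row SQLite table. The table, rows and inputs are all constructed for the example.

```python
"""SQL injection: the vulnerable string-built query beside its parameterized
replacement, run against an in-memory SQLite database.

Added example (not from the original page). The table and rows are
constructed sample data."""
import sqlite3


def make_db():
    """Constructed sample data: a customers table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678"), ("carol@example.com", "9012")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Concatenates user input into the SQL text, so a quote in the input ends the
    string literal and the rest is parsed as SQL. Kept only as the 'before' picture."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the value travels separately from the SQL text and is
    never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def run_lookup(lookup, conn, email):
    """Call a lookup and report ('rows', count) or ('error', message) so the two
    implementations can be compared on the same input."""
    try:
        return "rows", len(lookup(conn, email))
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    # A normal address, the textbook tautology input, and a legitimate address with an apostrophe.
    for value in ["alice@example.com", "x' OR '1'='1", "o'brien@example.com"]:
        print(f"{value!r:24} vulnerable={run_lookup(lookup_vulnerable, db, value)} "
              f"safe={run_lookup(lookup_safe, db, value)}")
```

The comparison makes two points a code reviewer looks for. The concatenated version returns all three rows for the tautology input, so every stored card fragment leaks through a single lookup, while the parameterized version returns none because the whole string is compared as a literal value. The concatenated version also throws a syntax error on a perfectly legitimate address containing an apostrophe, which is why parameterization is a correctness fix as well as a security fix, and why input filtering alone is the wrong remedy.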

60. What is a vulnerability, and how do you apply mitigation for a vulnerability?

In the context of cybersecurity, a vulnerability refers to a weakness or flaw in a system's design,
implementation, or configuration that could be exploited by an attacker to compromise the system's
integrity, confidentiality, or availability. Vulnerabilities can exist in various software, hardware, network
protocols, and configurations. Mitigating vulnerabilities is a crucial aspect of cybersecurity to reduce the
risk of exploitation. Here are general steps you can take to apply mitigation for vulnerabilities:

Regular Software Updates and Patch Management: Ensure that all software, operating systems, and
applications are kept up to date with the latest security patches. Software vendors release patches to
fix known vulnerabilities.

Vulnerability Scanning: Regularly scan your systems and networks for vulnerabilities using specialized
tools. This helps identify weaknesses that could be exploited by attackers.

Network Segmentation: Implement network segmentation to limit the potential impact of a successful
attack. Isolate sensitive systems and data from less critical parts of the network.

Least Privilege Principle: Follow the principle of least privilege, granting users and systems the
minimum level of access needed to perform their tasks. This limits the potential damage that can be
caused by a compromised account or system.

Firewalls and Intrusion Prevention Systems (IPS): Deploy firewalls and IPS to monitor and control
incoming and outgoing network traffic. These can help detect and prevent attacks based on known
vulnerabilities.

Security Training and Awareness: Educate employees and users about security best practices, social
engineering tactics, and the importance of avoiding actions that could introduce vulnerabilities, such as
clicking on suspicious links or downloading malicious attachments.

Web Application Security: Implement secure coding practices for web applications and regularly
perform security assessments, such as penetration testing, to identify and address vulnerabilities in web
applications.

Incident Response Plan: Develop and regularly test an incident response plan. This plan should outline
the steps to be taken in the event of a security incident, including the mitigation of vulnerabilities and
the recovery of systems.

Encryption: Use encryption to protect sensitive data, both in transit and at rest. This helps ensure that
even if a vulnerability is exploited, the data remains confidential.

Continuous Monitoring: Implement continuous monitoring of systems and networks to detect and
respond to potential security incidents promptly.

It's important to note that cybersecurity is an ongoing process, and organizations should stay vigilant,
adapt to new threats, and continuously update their security measures. Regular risk assessments and
audits can help identify and address vulnerabilities effectively.

61. Do you have working knowledge of any SIEM technology (QRadar, Splunk, ArcSight, LogRhythm,
etc.)?

Yes, I have knowledge of QRadar and Azure Sentinel.

62. How do you keep yourself updated on trending cyber security news?

1. Subscribe to Cybersecurity News Websites: Follow reputable cybersecurity news websites and
subscribe to their newsletters or RSS feeds. Some popular sources include The Hacker News, Krebs on
Security, Dark Reading, Threatpost and CyberScoop.

2. Follow Cybersecurity Blogs: Many cybersecurity experts and organizations maintain blogs where they
share insights, analyses, and the latest developments. Follow these blogs to gain valuable perspectives.
Examples include Schneier on Security (Bruce Schneier), Brian Krebs' blog (Krebs on Security) and the
SANS Internet Storm Center Diary.

3. Use Social Media: Follow cybersecurity experts, organizations, and news outlets on social media
platforms like Twitter and LinkedIn. Many professionals share real-time updates and insights. Create
lists or follow relevant hashtags to streamline your feed.

4. Participate in Forums and Communities: Join online forums and communities where cybersecurity
professionals discuss current issues and share information. Platforms like Reddit (r/netsec, r/AskNetsec)
and specialized forums offer a wealth of knowledge.

5. Attend Conferences and Webinars: Participate in cybersecurity conferences, either in person or
virtually. Many conferences provide insights into the latest threats, research, and industry trends.
Examples include Black Hat, DEF CON, and RSA Conference.

6. Enroll in Training and Certifications: Consider enrolling in cybersecurity training programs and
certifications. Many organizations, such as SANS Institute, offer courses that cover the latest trends and
technologies.

7. Listen to Cybersecurity Podcasts: Tune in to cybersecurity podcasts for discussions on current events,
interviews with experts, and educational content. Examples include Security Now, CyberWire and Risky
Business.

8. Set Up Google Alerts: Use Google Alerts to receive email notifications for specific cybersecurity-related
keywords. This allows you to stay updated on topics of interest.

9. Read Security Reports and Whitepapers: Explore security reports and whitepapers published by
cybersecurity vendors, research organizations, and government agencies. These documents often
provide in-depth analyses of emerging threats.

10. Join Information Sharing and Analysis Centers (ISACs): ISACs facilitate information sharing within
specific industries. Joining an ISAC relevant to your sector allows you to receive timely threat intelligence
and collaborate with peers.

11. Stay Informed about Regulatory Changes: Be aware of changes in cybersecurity regulations and
compliance requirements. This is especially important for professionals in industries with specific
regulatory frameworks.

63. What are the teams in your organization?

IAM – AD team,
Firewall team,
Network/security team,
