Cyber Security Interview Questions and Answers for 2025

Buffers are special memory storage locations that keep data temporarily. For example, when a larger file is being transferred at the receiving end, the data block is kept in a buffer area for syncing or ordering purposes. The buffer overflow attack utilizes the memory overwriting vulnerability of buffer management. Normally, when data exceeds the storage capacity of designated buffer memory, the exceeding data attempts to overwrite the data to the adjacent memory locations. Buffer overflow attack is possible in all those software that performs writing without doing a size checking. This can be understood by the difference between gets() vs fgets() or strcat() vs strncat(); gets and strcat do not compare the size of the source and destination memory, while fgets and strncat perform a comparison before performing the copy. Attackers normally use malformed inputs to perform a buffer overflow attack. The memory overwrite can have a different impact. For example, if the attack overwrites a location with executable code, the program behavior will become unpredictable. It may generate incorrect results, give memory access errors, crashes, or can execute an attacker's code. Attackers can change the execution path of the benign program to trigger the execution of the attacker's code. Launching buffer overflow will be easy and highly dangerous if attackers know the memory layout of a program. For example, knowing the memory and controlling the benign program, the attacker may be able to overwrite a pointer to its own payload. Stack and heap are two commonly used buffer overflow attacks.  

A software vulnerability is a  security flaw, glitch, or weakness found in software code that an attacker could exploit (threat source). Software vulnerabilities do not enter a system; rather, they are present from the start. There aren't many cases of cybercrime activities leading to vulnerabilities. They are typically caused by flaws in the operating system or network misconfiguration. Cyber security threats, on the other hand, are introduced into a system through methods such as a virus download or a social engineering attack. 

Cyber security risks are commonly classified as vulnerabilities, which can cause confusion because they are not the same thing. Risks are the likelihood and impact of a vulnerability being exploited. If these two variables in the software are low, the risk is low. It is directly proportional, so the inverse is also true; high vulnerability probability and impact lead to high risks. An exploitable software vulnerability is one that has at least one definite attack vector. For obvious reasons, attackers will seek out exploitable weaknesses in the system or network. Of course, no one wants to be vulnerable, but what you should be concerned about is whether or not it can be exploited.

Most software programs can have unintentional flaws known as vulnerabilities. Attackers may exploit these vulnerabilities to execute their attack payload. For example, suppose the software has gets () for string input. In that case, the software has a buffer overflow vulnerability, and attackers can exploit it to run their payload designed as an input string for the software. Security testers or the red team analyze software for known and new vulnerabilities, and on discovering any vulnerability, the blue team creates a "patch" to fix the vulnerability. Patches are often published individually or with a new version of the software. 

In contrast to the red team or security team, if the same vulnerability gets discovered by an attacker, then all instances of the software can be exploited by an attacker. 

So, there is an arm-race between the defender and the attacker to find the vulnerability. The vulnerability that gets detected by the attacker and doesn't have any know patch from the developers is known as a "zero-day" vulnerability. Zero-day vulnerabilities are difficult to find and the same time, very hard to defend against because there is no know solution or patch available. Keeping software up-to-date and keeping testing software for any possible zero days is the only mitigation against it. 

A software patch is a quick response for software, and it is designed to resolve functionality issues, improve security or add new features. However, the main purpose of a software patch is to fix bugs or address security vulnerabilities. Users can risk their devices vulnerable to various attacks by ignoring critical updates that can be prevented by installing these patches in advance. 

The importance of keeping software patching up to date increases in cybersecurity as it reduces the risk of cyber-attacks. Most users regard cyberattacks as impossible until they pose a real threat. They believe that a cyberattack occurs suddenly and without warning. Still, the best patch management software is often available before cyber attackers exploit a vulnerability and manipulate it to infiltrate systems. Patching provides two key benefits: 

• It avoids the loss of productivity. 

 Another unanticipated consequence of cyberattacks is the productivity loss caused by system downtime. To this extent, a cyberattack can cause two types of financial losses: the cost of patching systems and the cost of delayed projects and unproductive employees. 

• It protects customer data. 

It is the responsibility of business owners to protect the information that users entrust to their systems. Companies that fail to meet this standard may face severe repercussions. Consider the case of Equifax, which the Federal Trade Commission ordered to pay $125 or provide ten years of free credit monitoring for exposing the personal information of 147 million people in 2017. The software patching also protects the others on the network. 

Secure programming is a method of writing code in software that protects it from vulnerabilities, attacks, or anything else that could harm the software or the system that uses it. This includes implementing security features like authentication, encryption, and input validation, as well as adhering to secure coding best practices and testing for security vulnerabilities. It also entails being aware of the security implications of the technologies and libraries you use and the specific threat model your application faces. Secure programming is also known as secure coding because it deals with code security. Creating software, applications, or writing infrastructure as code requires cloud secrets to access and control cloud resources and sensitive parameters saved to enable automation. Countless scenarios could introduce vulnerabilities into the code, like leaked access keys and hardcoded application secrets. 

It is extremely difficult to protect and secure code to industry standards. Secure programming is important because it prevents malicious actors from exploiting software vulnerabilities to gain unauthorized access to sensitive data or disrupt system operations. This can include safeguarding against SQL injection attacks, validating and sanitizing input, and implementing appropriate authentication and access controls. Developers can ensure that their software is less likely to be compromised by writing secure code, which can help protect the software and its users. For example, if the software is written in 'C' programming, then security programming would not use any unsafe functions such as gets(), strcat(), or strcpy(), instead must use only sage alternatives like fgets(), strncat(), snprintf().

The attacks targeted operating systems majorly aimed to exploit and be successful because of vulnerable OS versions. However, the newer version of the operating system may also contain a zero-day vulnerability. Hence, this is a never-ending cycle of discovering and patching bugs and vulnerabilities in any software and OS. 

Bugs in an operating system's source code are another way for attackers to gain access. This vulnerability could result from a mistake made by the developer while developing the program code. Attackers can exploit these mistakes to gain access to the system. A range of cyberattacks targeted at operating systems can be discussed, like ransomware, denial of service, rootkits, remote code execution, phishing, etc. Malware is the commonly used cyberattack targeted at the operating system, which includes viruses, worms, trojans, and other forms of malicious software that can infect and operate the system and cause damage or steal sensitive information. The purpose of cyberattacks targeted at operating systems could be gaining unauthorized access to a system or network, disrupting operations, stealing sensitive information, or ransomware. Several actions can be taken to prevent cyberattacks on operating systems, like using a firewall, keeping the software and operating systems up to date, using antivirus and anti-malware, implementing network segmentation, and educating the crew.

The process of securing an operating system by reducing its attack surface and making it less vulnerable to cyberattacks is known as operating system hardening. This can be accomplished by removing unnecessary software and features, installing security updates, and securely configuring the operating system and its components. 

 The overarching goal of operating system hardening is to make it as difficult for an attacker to exploit vulnerabilities and gain system access as possible. It is critical to remember that operating system hardening is an ongoing process and that an operating system's security must be constantly monitored and updated in order to remain effective against ever-evolving threats. 

Here are some examples of operating system hardening: 

• Getting rid of unnecessary services and protocols: Services and protocols that are no longer in use or are no longer necessary should be removed from the system. 
• Setting up security settings: Operating systems include security settings that can be tweaked to increase security. The firewall, for example, can be configured to block incoming traffic, and user accounts can be set to require strong passwords. Applying security updates on a regular basis can aid in the patching of known vulnerabilities in the operating system and its components. 
• Disabling unnecessary user accounts: Disabling unnecessary user accounts can help to reduce the number of potential attack vectors. 
• Using a least privilege model: limiting user and process permissions and access to only what is required to perform their functions. 
• Use security software: Use anti-virus and anti-malware software, and ensure it's up to date. 

Creating and delivering a product or service to a customer, typically involving multiple companies and organizations, is referred to as a supply chain. A supply-chain attack with respect to the software industry is a cyberattack targeting a company's or organization's supply chain of software. In a supply-chain attack, the attacker attempts to gain access to the targeted organization's network or steal sensitive information by targeting a weak point in the supply chain, such as a third-party vendor or a software component. The types of supply chain attacks include compromised software with malicious code, tempered hardware like servers and routers, phishing attacks via third-party vendors or suppliers, misconfigured cloud services, etc. 

Because the attack occurs at a different point in the supply chain than the targeted organization, the malicious code or malware may only be detected once it has already entered the organization's network. Data breaches, intellectual property theft, and operational disruption can all result from supply-chain attacks on the targeted organization. Organizations must have visibility into their supply chain and implement security measures to protect themselves from these attacks. 

Specific steps that any organization can take to prevent supply-chain attacks include: conducting thorough background checks on third-party vendors and suppliers, putting in place secure software development practices, putting in place safe procurement practices, and Monitoring and reviewing third-party vendor and supplier security regularly. Furthermore, strict access controls, digital signatures, and an incident response plan implementation make organizations more vigilant and proactive in protecting themselves. It is also critical to review and updates these measures regularly to ensure they remain effective against the changing threat landscape. 

Keeping application programs up to date is critical for various reasons. Security is one of the primary reasons. When new vulnerabilities or security threats are discovered, software updates frequently include patches or fixes to address these issues and protect the user's data and device. Furthermore, software updates may include new features or improvements to the application's user experience and performance. The application may not function properly or become vulnerable to security risks if it is not updated. Automatic and manual updates of the application programs ensure the system's high efficiency and maintain the software and hardware security in the long run. Some operating systems have built-in update managers or software updaters that can check for updates for multiple applications at once.  

 There are several methods for safeguarding an operating system against malware attacks: 

1. Update the operating system and all software: Many security flaws are discovered and patched through software updates. Updating the operating system and all software can help prevent malware from taking advantage of known vulnerabilities. 
2. Anti-virus and anti-malware software should be used: Anti-virus and anti-malware software can scan the system for known malware and protect against new threats in real-time. 
3. Use a firewall: A firewall can help prevent unauthorized system access and malware from communicating with command-and-control servers. 
4. Be cautious of email attachments and links: Malware is frequently distributed via email attachments or links to malicious websites. Open email attachments and click links from unknown senders with caution. 
5. Keep your browser up-to-date: Many browser exploit kits are designed to exploit well-known browser flaws. Keeping your browser up to date can aid in preventing malware from exploiting these flaws. 
6. Use a VPN for encrypted internet communication: VPN encrypts your internet connection, making it difficult for malware to intercept and steal sensitive data. 

Cyberattack is any attempt to damage, destroy or perform unauthorized access to a computer, network, and data. An individual or group who performs the cyberattack is called a cybercriminal, or loosely people call them hackers. Many methods, techniques, and tools are available to launch a cyberattack. Most cyberattacks are possible due to existing vulnerabilities in the target system software or hardware. An attacker needs to discover a vulnerability and then develop a method to exploit it to execute their payload. A cyberattack can be targeted or untargeted. In a targeted attack, the victim is chosen specifically, while the untargeted attack randomly launches an attack in the wild and hopes to get access to any device or user. Some of the most prominent cyber-attacks are:

• Malware
• Phishing
• SQL injection
• DoS and DDoS
• Password cracking
• Identity theft

A cyberattack cannot be avoided completely. However, the possible attack can be mitigated or prevented by proactive actions such as installing security software and keeping software and hardware up-to-date by installing newly published patches and updates.

Recently, ransomware and supply-chain attacks have evolved and caused many large-scale cyberattacks. In a ransomware attack, the attacker infects the victim's computer with malware that encrypts the files or locks the operating system and then pop-up ransom notes for payment. Ransomware is a unique cyberattack because the attacker purposefully notifies victims about the attack post-infection. This is also unique in the sense that the main motive of a ransomware attack is to get financial benefits in terms of ransom money. One main reason for the rise in ransomware attacks is the possibility of getting ransom as cryptocurrency, which is hard to track and encourages attackers to get the ransom. WannaCry, Petya, CryptoLocaker etc., are some of the widespread ransomware.  

SolarWinds, Kaseya VSA attack, target data breach, and Eastern European ATM malware are very recent, popular, and high-profile supply-chain attacks. The supply-chain attack is also prevalent in the past couple of years. In a supply-chain attack, an attacker injects malicious code into some source software, waits to supply this software to the users (primarily organizations), and then attacks the software users by previously injected code. The supply-chain attack is critical because millions of users may use a single software, and the attacker can compromise all of those by attacking only one software. An attacker can launch attacks on many victims, from organizations to high-profile end-users. 

There are many motivations for launching a cyberattack. In the beginning, an attack was a way to show a superiority of skills and was mostly made for fun. However, the development of ICT and the adoption of digital technology have given many other motivations for cyber-attacks. Some of the critical motivations are as follows: 

• Financial motivations: Many cyberattacks are done for financial gain. Cyber-attacks on financial institutes or banking-related attacks directly aim for financial gain. Ransomware attacks also strive for financial gain. 
• Revenge: Revenge is one of the interesting motivations for a cyber-attack. A previous employee can do it against the organization or a friend to another. 
• Cyber warfare: Recent state and national actors use cyberattacks to attack and defend digital infrastructure for the national interest. Cyberattacks are also done in parallel to physical war. 
• Hacktivism: Many cyberattacks against government organization is done to gain access to confidential information to bring those to the public domain. Attackers do this as a sense of activism and take the side of getting social justice etc. 

The use of security software can prevent cyberattacks. However, some good practices from users and system administrators can help to mitigate many cyberattacks, also known as cyber hygiene. Such as: 

• Using strong passwords, often changing passwords, keeping the password safe and never sharing a password with others. 
• Avoid clicking any link from unknown senders or any suspicious links sent via email, social media, or SMS. 
• Report any suspicious activities to the IT team or responsible agency. 
• Keep software up-to-date by installing news updates and patches. 
• Avoid using software or files downloaded from an untrusted source or the Internet. Verify downloaded files using hashes or by scanning through anti-virus software. 
• Activate security and privacy features available in the device, mobile apps or web application, such as two-factor authentication, biometrics, and audition set-up on social media. 
• Avoid phishing or social engineering attack by controlling greed and human emotion. Follow the principle, "too good to be true", and raise suspicion of any lucrative Internet offers. 
• Use security tools and secure versions of network protocols VPN, SSH, and HTTPS. Avoid visiting the unsafe website and use an ad-blocker plug-in. 

Over time security domains have become a multi-billion software industry that creates and offers a wide range of security software to protect individual users and organizations from cyberattacks. Some of the standard software that can help an individual to defend themself against cyberattacks are as follows: 

• Anti-virus software: Malware is the most prominent method of attack; hence, having anti-virus software is very important. Anti-virus software is only helpful if it is updated regularly, and the user must not disable it to execute any software. Anti-virus software should be used on all operating systems because many believe Linux and Macintosh OS don't require anti-virus software. 
• Install pop-up and ad-blocker in the browser: The browser is the main software to access the internet, so attackers attack users via web applications. It is good practice to install pop-ups and ad-blocker in the browser. Modern browsers also have inbuilt security (URL scanner, sandbox and javascript disable etc.) and privacy features, so the user must activate and configure these features for added security and privacy. 
• Password manager: Today, most web and mobile applications require a password to log in. A single user may be using lots of applications, and it is suggested to use different passwords for each service. For this reason, a user will have to remember lots of passwords which is not feasible, so using a password manager is a good solution. 
• Use Host firewall: it is challenging for an average user to configure and use a firewall on their computer. However, many Operating systems have firewall by default, and it has basic configurations. So, the user either needs to activate the firewall or, if activated, doesn't disable it by following the instructions of any software or online users. 

Encryption is a technique of converting plain text (message) to cipher text. The encryption is done using an encryption algorithm (E), plain text (P), key (k), and output cipher text (C). So, Encryption: E(P,K) gives C.

For example, if the encryption algorithm is "Addition", plain text is "A" represented by a number "1" (representing A-Z through numbers 1-26), and the key is 3, then,

E(1,3) will give 1+3= 4; if we map the cipher back to text then 4 will be "D".

Decryption is the reverse process of encryption. It recovers plain text/message (P) from the cipher text (C). Normally, decryption algorithm (d) implements the reverse operations of it encryption counterpart. So,

Decryption: D(C, K) gives back P

For example, continuing from the previous example to decrypt

D(4,3) will give 4-3 = 1, 1 will be mapped back to "A"

Some popular algorithms are DES, AES, etc.

Unlike encryption, Hashing is the technique for generating a fixed value for a given plain text /message. The output of a hash value is called a message digest or hash value. Hashing is a one-way function i.e., and there is no reverse algorithm to recover plain text from a hash value. Some common hash algorithms are MD5, SHA, etc.

Hashing: H(P) gives the hash value.

Using Cryptanalysis, attackers analyze the cipher text with or without plain and cipher text pair to recover the key of encryption, using which attackers can crack the cipher text and get the plain text.

The algorithm uses a single key (same key) for encryption and decryption in symmetric encryption. 

The E(P, K) -> C and D(C, K) -> P use the same K. 

Symmetric encryption is faster. However, each communicating pair has to maintain its keys and so managing keys is very challenging in symmetric encryption.  DES is a symmetric encryption. 

Unlike symmetric encryption, asymmetric encryption needs pair of keys for encryption and decryption. Each user creates a pair of keys (public, private), and the user shares the public key to the public repository and keeps the private key secure. For encryption, the sender uses the receiver's public key for encryption, while the receiver uses his private key for decryption. 

For example, suppose, 

user 1 has K1(public) and K1(private) 

user 2 has K2(public) and K2(private) 

K1(public) and K2(public) is known to everyone. 

if user 1 sends a message (M) to user 2 then 

Encryption: E(M,K2(Public) gives C 

after receiving cipher (C), and user 2 will decrypt 

Decryption: D(C, K2(Private) to get M 

Asymmetric encryption is also known as public key encryption. RSA is a public key encryption algorithm. 

Symmetric encryption can work in two modes: Block cipher and Stream cipher. 

In block cipher mode, the encryption is done on a fixed-sized message called a block. Generally, the block size is decided as a multiple of 8 bits for easy implementation of various cryptographic processes. So, 64-bit, 128-bit, 256-bit, etc., are commonly used block sizes. However, there is the possibility that the message text is smaller than the required block size. In that case, the message bits are padded with zero to complete the required bits. 

In stream cipher mode, encryption is done on continuous incoming messages like a stream, and so the plain text is of variable size. So algorithm encrypts plain text bit-by-bit using keystreams. Generating unique keystreams is challenging, and it must be unique for each iteration; otherwise, the cipher text can be cracked, i.e., encryption will have low security against cryptanalysis. RC4 is an example of a stream cipher. Stream cipher methods are faster than block cipher. 

Key exchange is the process of sharing a secret key to start encrypted communication. In symmetric cryptography, both sender and receiver use the same key for encryption and decryption, so the key exchange method help to create the same key at both ends.

The key exchange algorithm ensures that the actual secret key never being shared via the communication channel because, initially, the sender and receiver communicate via unencrypted media. So, during the key exchange, the sender and receiver follow the procedure, and at the end of the exchange, both can generate the same key at their end that they can use for further encrypted communication.

Key exchange is required because it helps two users have the same secret key they can use with symmetric encryption. Many a time, asymmetric encryption is used for secret share keys and serves as a key exchange algorithm. However, there is a specialized key exchange algorithm like Diffie-Hellman that help to generate the same key at both communicating ends.

Key exchange is used by many secure internet protocols like FTPS, HTTPS, SFTP, etc.; these protocols first exchange keys between sender and client or server and client, etc.. After generating the key, both parties use a shared secret key for further encrypted communication. In the case of internet applications, these key generations are often limited to particular sessions and get revoked after completion of the session.

A digital signature is the application of public key encryption, and it is used to identify or authenticate the sender. It is equivalent to a physical signature. In public encryption, it is assumed that the private key is only known to the user who generates it. Also, the pair of keys work together as linked for encryption and decryption, i.e., Bob's public key is used for encrypting the message, then cipher text can only be decrypted using the private key of Bob, or if Bob's private key is used for encryption, then only Bob's public key can be used for decryption.

For the digital signature, the sender uses their own private key for encryption and sends the message, so the receiver then uses the sender's public key to decrypt the cipher text. The purpose of a digital signature is to identify the user, so if decryption is successful, then the user's identity can be authenticated else; authentication will be denied.

The digital certificate is an extension of the digital signature concept. However, with a digital certificate, further information about the sender is also verified. Unlike digital signatures, a digital certificate requires a certificate authority to collect, associate, and verify information about the sender.

Denial-of-Service attack (DoS) is a method in which the attacker aims to stop any system's service offering. For example, a DoS attack on an email server will stop the email services such as forwarding and receiving emails. Generally, a DoS attack is launched by misusing the genuine features of the system; for example, an email server is supposed to receive any email that has an email server address as the destination. An attacker can now send many emails (junk emails) to the targeted email server by knowing the maximum memory or number of possible emails the server can handle. And when the server reaches its maximum limit with junk emails of attackers, it will stop receiving any further emails (benign emails), known as a DoS attack.

DoS attack is a very old method, so many techniques exist to detect and prevent DoS attacks. For example, in the previous example, the email server can limit a user's email count and filter any user who tries to send more than the limit.

Distributed Denial-of-Service (DDoS) is an updated version of a DoS attack. It tries to bypass many DoS prevention implemented by the system. In DDoS, the attack is launched by different devices, so the user-based filter on the victim machine can't separate the attacker and the benign user. Often, a single attacker controls many devices by getting unauthorized access or using a botnet to automate the process. Apart from directly sending attack packets from zombie devices, there are methods where attackers indirectly distribute the attack. For example, a DNS Flood attack just exploits DNS reply functionality by replacing the reply-to address with the victim address and making DNS requests to various DNS servers.

Sandboxing is a process for running an untrusted software program in a restricted environment. In cybersecurity, suspicious code is run, observed, and analyzed in a safe, isolated computing environment. It is important that the sandbox mimics end-user operating environments (OS and other application software). 

Sandboxing confines the code to a test environment, preventing it from infecting or damaging the host machine or operating system. Sandboxing is a preemptive way to improve an organization's security by proactively restricting risky software. Sandboxing works by isolating potentially malicious or dangerous code from the rest of the organization's environment. This allows it to be safely analyzed without compromising your operating system or host devices. If a threat is detected, it can be removed immediately. Sandboxing can be used in multiple tasks like cloud-based implementation, software bundles, a web browser extension, and dedicated appliances onsite in an organization. 

Sandboxing is very useful for dynamic malware analysis because it helps to understand the functioning of malware without any side effects of executing the malware for observations.

SQL injection (also SQLi) is one of the most common code vulnerabilities. An SQL injection attack occurs when an attacker inserts or "injects" malicious SQL code into the application's input data. SQL injection allows the attacker to read, modify, or delete sensitive data and perform administrative tasks on the database. 

SQL injection attackers simply modify an existing SQL command to suit their needs. SQL statements are used in many website applications, from providing a list of customers to identifying visitors with usernames and passwords against a server-side database. 

The SQL injection attack can return information about all employees by modifying a SQL command to remove limitations such as vulnerability scanning for only active employees or those in a specific department to which the user has access. This could lead to the disclosure of sensitive personal information. 

The most common method for preventing SQL injection is to code SQL queries with parameters in a more controlled manner. Instead of structuring the command solely from user input content, this method, known as parameterized queries or prepared statements, uses a pre-defined query with filter options supplied as parameters. Implementing an intrusion detection system can assist in detecting user behaviors that attempt to exploit application vulnerabilities. 

Sanitize or validate any browser-supplied input values that will be used in the SQL query when creating SQL commands. To detect problems, use DAST/SAST tools. Install a web application firewall (WAF) capable of detecting and filtering SQL injection attacks (along with other vulnerabilities.) Such firewalls weed out known threats by constantly updating lists of signatures that should be blocked. 

Using best practices in web application development and performing SQL injection tests as an integrated step in development will provide better SQL injection vulnerability protection. This additional level of testing can be accomplished by incorporating static (SAST) and dynamic (DAST) analysis tools into the development pipeline.

Spyware is malware that monitors and tracks user actions as well as collects personal information. Spyware programs generally install themselves on the user's computer and profit the third party by collecting data from the user without his knowledge. Furthermore, spyware steals users' passwords and personal information by running in the background of the system. Common types of spyware are Bonzibuddy and Downloadware.

Ransomware has emerged in recent years and can target individuals or organizations. Ransomware is malware that is designed to prevent users from accessing their own systems until a ransom fee is paid to the creator of the Ransomware. Ransomware is far more dangerous than regular malware and spreads via phishing emails with infected attachments. A ransomware infection can encrypt the entire operating system or a specific file, which largely depends upon the nature of Ransomware (that comes from the attacker's motive). A sum of money is then demanded from the person whose data has been held, hostage. To protect your system from Ransomware, keep an eye on it and have the proper security software installed from the start because prevention is always better than cure. Types of Ransomware are CryptoLocker, Bad Rabbit, and WannaCry.

Expect to come across this popular question in interview questions on cyber security. Traditionally, the CIA triad refers to three key security requirements, i.e., confidentiality, integrity, and availability. Confidentiality refers to keeping information secret and only accessible to authorized users. Integrity focuses on detecting modification of data, i.e., it is possible to know and verify even a single bit of modification of data, and it is applied to both stored data and communication data. Availability aims to guarantee the access of services and resources to the intended user whenever demanded. 

These three are well-accepted and established security requirements. However, over time, authenticity and non-repudiation also became key security requirements and were often referred to as an extended CIA triad. In addition to these, there is another extension of the CIA as Parkerian hexad, which added three more elements of information security to the existing CIA, and those newly added elements are Possession or Control,  Authenticity, and Utility.

A backdoor is a code block inserted into software to allow hidden access to its creator or someone who learns how to invoke the existing backdoor. A backdoor can be created for both fun, benign and malicious purposes. For example,  a developer inserts a backdoor to go around the authentication for show-off. The benign use of a backdoor can be an administrative tool for monitoring or managing the software. The fun and benign backdoors can be a security risk because they can be found by threat actors and exploited. Many malware also install backdoors after infecting the victims and deleting the infection code to avoid detection. A  backdoor can be the main malware payload or the first stage of installing more complex malware. 

A rootkit is a special type of malware that runs at the lowest level and is often placed between hardware and OS. So, the rootkit can only be installed on a target machine when the attacker has root-level access to the device. Detection of a rootkit with OS-level security software is impossible because it can control the system call and modify the response. A rootkit-infected system turns into an always-open access system for the attacker. Due to the privileged access, with a rootkit, an attacker can elevate privileges for another user on the devices. Mostly, the rootkit opens to receive commands and execute them locally on the infected machine. A rootkit is also one method to create a backdoor into the infected system, which is hard to detect and has root access to execute a command on the system. 

Traceroute assists in determining the precise path that a data packet must take to reach its destination. The user can enter tracert <ip address> into the command prompt. 

Ping is a command that can be used to test network connectivity and name resolution. To test network connectivity, go to the command prompt and type ping <ip address> followed by the enter key. 

If there is no response to the ping request, then the tracert command can be helpful in finding the failure point of the data packet. 

The major difference between the two is ping is a network connectivity and name resolution test. Traceroute assists in determining the precise path of a data packet to its destination. It also assists in determining whether the fault occurred along the path. 

Traceroute is a network utility that tracks a packet's path across a network from source to destination. Ping is a popular network utility tool that is used to test the connectivity of two nodes or devices. 

In conclusion, traceroute and ping appear to be similar, but they are not. The distinction between ping and traceroute is that the former is used to test network connectivity and name resolution. In contrast, the latter determines the actual path from source to destination.

A MAC address is a 48-bit unique address assigned by the manufacturer to a network adapter to transmit data to the destination host. In the network layer, MAC is associated as a sublayer in the data link layer, which is responsible for physical addressing. If a device has multiple network adapters, such as Ethernet, Wi-Fi, Bluetooth, and so on, each standard will have its own MAC address, which makes the device more vulnerable to flooding attacks. The attacker can also use an ARP spoofing attack as a shadow attack to maintain access to private data after the network switches recover from the initial MAC flooding attack. 

The attacker floods the switch with a massive number of requests, each with a forged MAC address, to rapidly saturate the table. When the MAC table reaches its storage limit, it replaces old addresses with new ones. 

The IP address used on the internet is literally called your PUBLIC IP address. An IP address is needed for source and destination information. The typical hacker can look up your city and state with an IP address since one’s local ISP owns that IP address. If it is in a database somewhere, then MAYBE they can correlate that IP to your name and address. They can scan for open ports on your router (this is something you have to do manually), and even then, they will need to be able to hack/exploit whatever program that port is tied to. 

The IP, the hacker gets is the Public IP of the router, not your computer itself. The router has a fundamental feature called NAT (Network Address Translation); this feature provides a roadmap to the router to know who asked for what data. 

A port in the computer network is represented by a number and is associated with the network protocol. Each Port is specific to a service that maps to a running process on the operating system. For example, port number 80 is associated with HTTP protocol, and when the host computer receives a network packet, the network protocol with the port number and specific process to receive and process the packets. The port number comes with a 16-bit number, so there can be 65536 ports (0-65535). The port number from 0-1023 is reserved for the known and popular network protocol, and after that, others can be assigned to other network applications and services. 

Port blocking is a defense and filtering method by blocking a specific port from the well-known port number (0-1023). Executing services can be restricted. For example, if port 80 is blocked on a device, the user cannot access or process a web response. So, Port blocking within the local network help network administrator restrict access to services. 

In contrast, port forwarding is a technique to allow external access to devices or services placed within the local internal network. Port forwarded is done by mapping an external port to an internal socket (IP + Port). Port forwarding is done via router configuration. In simple terms, port forwarding makes internal devices look like external devices accessible directly via the Internet. 

Netscape invented SSL (Secure Sockets Layer) in 1994. SSL encryption/decryption is a technique for keeping internet connections secure, whether they are client-to-client, server-to-server, or (much more commonly) client-to-server. This prevents unauthorized third parties from viewing or altering any user data transmitted over the internet. It was originally designed to secure connections between customers and online businesses. Unfortunately, as the value of seemingly innocuous personal information and browsing habits rises, attackers have broadened their net to include non-commerce sites as well. As a result, SSL has become widely used. But, as time passed, an updated protocol was released in 1999, and it has since completely replaced SSL as the standard security certificate (TLS discussed below). 

Transport Layer Security (TLS) is similar to but more secure than SSL. More precisely, the Internet Engineering Task Force has recommended that SSL be replaced with TLS. 

TLS is used for achieving privacy, authentication, and data integrity over computer networks and is used in web browsing, instant messaging, email, and other applications using various cryptographic constructs like encryption, hashing etc. TLS is more trustworthy for a variety of reasons, including the fact that it was designed to address known SSL vulnerabilities and support stronger, more secure cipher suites and algorithms. In TLS encryption, message authentication is used. The message's authentication is done via a keyed-hash message authentication code (HMAC) algorithm. Message authentication helps system to verify that during transmission, data has not been modified, and it also allows the receiver to verify the source of the message or sender. 

HTTPS is the secure version of HTTP. The HTTP protocol is the main protocol that is used to send data between a web client (for example web browser) and a web server. HTTPS is encrypted to increase data transfer security. This is especially important when users send sensitive data, such as when they log into a bank account, email service, or health insurance provider. HTTPS prevents websites from broadcasting their information in a way that anyone snooping on the network can easily view. When data is sent over standard HTTP, it is divided into data packets that can be easily "sniffed" using free software. As a result, communication over an insecure medium, such as public Wi-Fi, is extremely vulnerable to interception. In fact, all HTTP communications are in plain text, making them highly accessible to anyone with the right tools and vulnerable to on-path attacks. HTTPS encrypts traffic so that they appear as nonsensical characters even if packets are sniffed or otherwise intercepted. 

Benign or malicious reasons can cause a slow process on the computer. Benign reasons include low memory on the device, out of space on the cache, limited temporary memory, outdated software, etc.. Although benign reasons are not a matter of concern, these issues can be addressed by managing the computing resources by updating and upgrading the system. 

In contrast to benign reasons, various malicious reasons exist, such as unauthorized remote access, data extraction, and malware infection. During remote access, there is a high utility of computing resources such as memory and process, which slow down the computer's access. Similarly, if there is a data extraction attack on the system, then the network and memory resources will have high usage and hence slow performance. Many malware is specially crafted to consume system resources in an attempt to perform a Denial of service attack. Most virus programs replicate multiple times to the infected computer and try to out space resources. Other malware like Trojan, bots and spyware also uses computing resources as a background process, slowing down the foreground activity. 

For either reason, slowing down, updating, upgrading, and scanning with security software (anti-malware), etc., will be the proper way to recover system performance. 

The mouse movement and flash terminal screens can have benign reasons like operating system upgrades or other software updates in the background due to auto-update configuration in the system. These benign background processes can be stopped by changing the options in the settings and disabling any auto-update by OS or software. 

Malicious operations in the background can cause the mouse cursor movement or flash the terminal. Some probable reasons could be malicious code execution due to video file playing. Many users download pirated videos from the Internet, and attackers exploit this and embed malicious code into a video file that gets executed during playing by the player (given the player has the intended software vulnerability). Apart from this, the mouse movement or terminal screen can also be caused by unauthorized remote access, i.e., an attacker is accessing the computer remotely, or any malware is trying to execute further payload based on the trigger. The trigger is a particular condition in malware that provides conditional execution of payload on the infected system. In this scenario, the trigger can be associated with media player software that minimizes user interaction and allows attackers or malware to execute code in the background.

Subject: Urgent Bank account blocking 

Dear user, 

I noticed unusual activity in your bank account, and to protect you, we will block your account. 

Please provide the following account to verify the authenticity and avoid blocking and restricting account access. 

Name: 

Date of Birth: 

CVV: 

Bank account number Number: 

This is a time-sensitive matter, so you must respond within two hours, else your account will be blocked, and all associated cards will be blocked. 

Security Team, 

XYZ bank. 

The email is a phishing email that must be reported or avoided without clicking any link or responding. These few points help to identify a phishing email. 

The email uses "user" instead of a username, i.e., Bob; if the email is from the bank and for a specific user, it must address the account holder's name. The use of "user" indicates a mass mailing phishing email. 

Asking for information like CVV, date of birth, and bank account indicates an attempt to harvest the user's information back either has some of this information (date of birth, account number) and will never ask for other details like CVV. 

The email tries to create urgency for sharing the information and warning of blocking the account; these two are typical combinations used by an attacker to intimidate users and pressure them to share the details without analyzing the situation appropriately.

Instruction for "Clicking the link" on the Internet should always consider suspicious and proper care should be taken before clicking the link. The rule of thumb is, "never click a link sent by a stranger." In the given scenario, the link comes from a close friend, so the user can be careless and click the link. However, social media accounts should not be trusted because users' accounts can be hacked and used to launch a further attack. Apart from account hacking, there are impersonation attacks, in which attackers create fake profiles (by using publicly available images on other places on the Internet), pretending to be close to the target and sending the malicious link to the target.

The message asks to click the link to be added to the guest list, which is very suspicious in itself, and the user must verify it with a close friend via another communication channel such as a phone call, email, familiar friend, etc. However, if verification is not possible, there are software and services like Virustotal where users can check any URL and get results about malicious or benign links.

1. Bob1235
2. anb@1111
3. Anb@!1245
4. BaBaaxgieg

Safe password is proportional to the password's strength, i.e., a combination of upper case, lower case, digits, and special characters with a significant length (example greater than 8). The strength of "Anb@!1245" is better than others because it has an upper case letter, two special characters (@!), small case letters, and digits, which makes it harder to crack than others.

A quick comment on the password sample is as follows:

1. Bob1235: It has a name; a strong password should avoid person, place, city, name, or dictionary words. In addition, the password doesn't have any special characters, which makes it weaker.
2. anb@1111 : This password doesn't have an uppercase letter.
3. Anb@!1245: This password is safer than others because it combines uppercase, lowercase, special character, and digits with a length greater than 8.
4. BaBaaxgieg : This password doesn't have special characters or digits. However, the length of the password is good.

There is a good tool for password generation, testing, and storing the password, so users can use these tools to generate a more robust and safer password.

Dear user,

Thank you for using our sarvices. Please loging to your account to protect it from deactivation.

Click to Here to login.

Manager,

Xyz website

A phishing email can be identified using common mistakes the attacker made. Grammar mistakes, embedded login links, etc., are prevalent mistakes or patterns in phishing emails.

In the given email, the following are the red flags that classify an email as a phishing email:

• Addressing the receiver using the general term "user" instead of the user name.
• There are spelling mistakes in the email body, such as "sarvices" and "loging".
• Link is provided to log in. Usually, a user should type the bank website address to log in. Embedded links aim to redirect the user to the attacker's control website, which is prevalent in phishing emails. Clicking on the embedded link takes the user to a website similar to the actual website, and the victim discloses their user credential by attempting to log in through the attacker's controlled link.

What will be your initial thought, and classify this as a type of cyber-attack? 

Getting a call from the bank's customer care is routine; representatives call for various purposes like credit card schemes, insurance, and loans. So, getting a call is not malicious or raises any suspicions. However, requests for sensitive information like card numbers and CVV should indicate the attempt of a cyber-attack. Such taking, which involves a phone call to trick the user into disclosing personal information or log-in credential, is called Vishing. Vishing is equivalent to its textual counterpart, i.e., phishing. The attacker uses a voice call to make the phishing more authentic because a call makes the user trust and reduces the chances of suspicion.

Email 1:  

Subject: Urgent action required 

Dear User, 

Your account is blocked due to inaction. Please log in using the below link to activate your account again. 

Click the Login link. 

Yours, 

Community manager. 

Email 2:  

Subject: Offer for unlimited memory space 

Greetings! 

We are XYZ cloud service company and offering unlimited memory space as the new year offer. 

Please register for our services and get benefits. 

www.xyz.com 

Bob Marle 

Marketing head, 

Xyz.com 

Phishing and spam email look very similar, and there is a very slight difference between these two emails. However, the intention and structure of email give indications that can help to classify an email as phishing or spam. In the given two emails example, email 1 is very similar to a phishing email, while email 2 matches with spam email.  

The subject of email 1 creates urgency, and the email uses the general term "user" to address the receiver. In addition, the email body has an embedded link for login. The message that the account is blocked also creates suspicion, a blocked account would be known to the user in advance, and the user will initiate proper action to unblock their account. 

The second email, i.e., email 2, has a typical marketing subject using words like an offer. The email body doesn't create any urgency or have any login link except the product website. The receiver needs to create an account to access the services, so the user is independent to take actions to reject or follow the email.

The email header provides information to track the source of the email. However, attackers apply many proxies to send phishing or spam emails. The use of hacked devices or anonymization services by the attacker is widespread, and so many times, a traced source IP doesn't belong to the attacker but to a victim's computer. Further use of Peer-to-peer services like Tor network makes it challenging to track the source of an email or network access.

Given the resource and capability (getting information from service providers on request etc.) accessible to the CERT team, it is highly likely that the track IP would belong to an attacker. However, it can only be specific, especially for the advanced attacker (highly skilled and have more computing resources in the form of hacked PC and services). So, The CERT team needs to use secondary sources to verify the claim, such as traffic correlation analysis or device study, i.e., looking for a forensic artifact that can prove that the track IP and system owner are the same and hence the attacker.

Computer user activities can be monitored using workspace monitoring tools. Many organizations installed monitoring tools before issuing a computer to the employee (under company policy and known to the user). However, suppose any employee wants to send critical files (internal attacker). In that case, they can disable the monitoring tool or adopt some other techniques, such as steganography, to send the file in hidden ways. 

To verify the attack, the IT team can perform a forensic analysis of the suspect device to determine the user's activities. In addition to device forensics, network traffic analysis can be helpful in knowing the data sent and received to and from a particular MAC /IP address. Deleted files from the device can be recovered through recovery software, and all sent files can also be carved out from the network traffic. Wireshark is one of the popular tools for network traffic analysis. 

Physical access blocking and network traffic filtering and blocking can be suitable actions to stop data theft. Physical access blocking can be achieved by applying a physical authentication process to access sensitive devices, and blocking USB access, file transfer access, etc., can also help prevent any internal attacker data theft. 

In addition to physical restriction, network traffic monitoring, filtering and blocking can be applied to restrict network communication. For example, blocking all the file transfer-related (FTP, SFTP, etc.)  outbound traffic can limit the user to send any files outside. Similarly, access control can be applied to network access that will help to filter out which user will access what type of inbound and outbound traffic. 

To stop attackers, the inbound traffic must scan with a firewall, IDS, and anti-malware software. Using a proxy, honeypot and DMZ are some solutions that will provide additional security from external attackers.

The malware sample used for the attack can be recovered from two locations: the infected devices and the network traffic. If the malware used in the attack is not fileless ( i.e., code directly injected into some running process, and no actual code downloaded to the device), then it can be recovered by using the forensic method by taking a memory dump of the primary and secondary memory. However, modern malware uses advanced techniques to make it challenging to collect the actual sample to avoid detection and analysis. In such cases, device forensics may not recover the malware sample, so the second location, i.e., network traffic, can be used to carve out the malware code used for the attack. By using all the in and out network traffic (i.e., network packets ) from the infected devices, the malware code can be recovered from the data part of network packets. 

Email activities can primarily be tracked using a user email account (mostly not accessible) and email server. The network administrator controls the email server so it can be analyzed to find the communication related to the case. The email communication can be recovered using various server logs, even if the email is deleted. 

In addition to the email server, the network traffic would also help verify the information gathered at the email server. The network traffic can also recover the "sent excel file" from demonstrating and proving the allegations. 

If an email client is used to send the email, then a device forensic of the user can also be used to recover the email content and the activities that can be correlated (using timestamp, content, etc.) with server and network traffic analysis. 

Pirated software is often used for distributing attack vectors and malware (Trojan is primarily distributed in this manner). It is easy to embed malicious code or specially crafted code blocks in pirated or cracked software. By this method, attackers can efficiently distribute malicious code and infect more and more computers easily and without the user's suspicion. The attacker can sometimes execute its code with high access (like an administrative profile) because users provide access rights to install pirated software. 

Sometimes costly software is also distributed over the internet after removing the payment gateway functionality etc., so to be sure that the downloaded software is not infected or malicious, one needs to verify the software with on-device anti-virus software or can be verified using online software such as virustotal which provide scan results of multiple anti-virus software. Advance users can also perform static and dynamic analysis to ensure that no malicious code block is embedded into the downloaded software. 

Apart from verifying the downloaded software and using it directly on the main computer, running such suspicious software in a restricted environment is advisable using a sandbox or virtualization software like VirtualBox, etc..

Access restriction or authentication is a common mistake in adding a printer to the network. Any network user can access any printers added to the internal network without any authentication or access. The given scenario is similar to authentication-less printer availability, so to restrict access to printers or allow only authenticated users to access a particular printer, user-based authentication, and access right can be added. So, now every print can be associated with a user and traced to any printer misuse.

However, suppose the misuse is happening despite of authentication system. In that case, it can be due to attacking some printer vulnerabilities, which is common in printer firmware due to the lack of security features in printers. In the case of the second scenario, a software update will be helpful.