Cyber Security Interview Questions and Common Mistakes
Introduction
Overview of purpose for the video: Preparing for entry-level cyber security interviews.
Total of 25 interview questions shared with answers from cyber security professionals.
Each question includes a correct and an incorrect answer to illustrate points.
Video is structured in five main sections, with each section dedicated to a specialization in cyber security.
Structure of the Video
Section 1: General Cyber Security Questions (Prepared by Sandra)
Section 2: Security Operations Center Questions (Prepared by Josh)
Section 3: Network Security Questions (Prepared by Roden)
Section 4: Cloud Security Questions (Prepared by William)
Common Mistakes: After each section, one common interview mistake made by candidates is shared (five in total).
Section 1: General Cyber Security Questions
Question 1: How do you stay current with cyber security threats and cyber security news?
Incorrect Answer: Just scrolling through Twitter and relying on friends to inform about big events.
Correct Answer: Subscribe to threat intelligence feeds (CISA, Krebs on Security), follow CVE announcements, engage in cyber security communities (Reddit r/netsec, OWASP), and maintain a home lab environment to gain hands-on experience.
Question 2: Explain the difference between a vulnerability, a threat, and risk.
Incorrect Answer: They are all basically the same thing.
Correct Answer:
Vulnerability: A weakness in a system.
Threat: Anything that can exploit that vulnerability.
Risk: Potential impact if the threat is successful. Example: Unpatched server (vulnerability), ransomware (threat), data loss and downtime (risk).
Question 3: Walk me through the steps that you will take to investigate a phishing incident.
Incorrect Answer: Advising users to delete the email as it happens often.
Correct Answer:
1. Isolate the affected user.
2. Collect email headers and content.
3. Analyze sender domain, links, and attachments using sandboxing tools.
4. Review login activity for suspicious access.
5. Document the incident and deploy awareness messaging to prevent future incidents.
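Steps 2 and 3 above are largely mechanical header and link review. The following is an added example (not from the video) that runs that triage over a constructed sample message: it compares the From, Reply-To and Return-Path domains, reads the receiving server's Authentication-Results header, and flags links whose visible text names a different host than their href. All addresses and domains are invented.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): a lookalike sender spoofing a bank brand.
RAW_EMAIL = b"""Return-Path: <bounce@mail-login-verify.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-login-verify.example; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: helpdesk@mail-login-verify.example
To: user@corp.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>Please sign in at <a href="http://mail-login-verify.example/login">https://bank.example/login</a> within 24 hours.</body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)', re.I)

def mail_domain(header_value):
    """Domain of the first address in a header such as From or Reply-To."""
    m = re.search(r'@([\w.-]+)', str(header_value or ""))
    return m.group(1).lower() if m else None

def triage(raw):
    """Return (findings, link_hosts) for the analyst; links are only parsed, never fetched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = mail_domain(msg["From"])
    # Envelope and reply addresses that differ from the visible From are a classic sign.
    for hdr in ("Reply-To", "Return-Path"):
        dom = mail_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # Authentication-Results is stamped by the receiving mail server; anything but pass is a flag.
    for mech, result in AUTH_RE.findall(str(msg["Authentication-Results"] or "")):
        if result.lower() != "pass":
            findings.append(f"{mech.upper()} result is {result}")
    body = msg.get_body(preferencelist=("html", "plain"))
    link_hosts = []
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        href_host = urlparse(href).hostname
        link_hosts.append(href_host)
        # Display text that looks like a URL but points elsewhere hides the real destination.
        text_host = urlparse(text.strip()).hostname if "://" in text else None
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings, link_hosts
```

The returned link hosts are what you would hand to a sandbox or reputation service in step 3, so the analyst's workstation never opens them directly.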
Question 4: What would you do if you detect an alert at 2:00 a.m.?
Incorrect Answer: Wait until morning unless severe; rely on senior team members.
Correct Answer: Investigate immediately if classified as critical, using logs and SIEM queries; follow escalation runbook (and notify on-call team); log/record lower priority alerts for later review.
Question 5: Tell me about a time when you had to explain something technical to a non-technical stakeholder.
Incorrect Answer: Avoided explanation as they wouldn’t understand.
Correct Answer: Explained multi-factor authentication to management using an analogy about locks on a door to illustrate the security trade-off (it adds a few more seconds, but prevents costly break-ins).
Common Interview Mistake After Section 1
Mistake 1: Arriving unprepared; candidates should know definitions and foundational concepts like vulnerability, threat, and risk.
Recommendation: The Google Cyber Security Certificate for foundational knowledge; it covers beginner concepts, operating systems, and networking.
Section 2: Security Operations Center Questions
Question 6: Key differences between patch management and vulnerability management?
Incorrect Answer: Patch Management applies patches; vulnerability management remediates vulnerabilities.
Correct Answer: Missing patches are one kind of vulnerability; patch management remediates those weaknesses, while vulnerability management also covers misconfigurations and outdated software (patch management is a subset of vulnerability management). Together they lower overall risk through iterative processes.
Question 7: How would you detect and monitor cyber threats in a SOC?
Incorrect Answer: Use SIEM with alert rules, respond when alerts trigger; reference NIST only.
Correct Answer: Utilize an EDR platform in conjunction with a SIEM, collecting logs for analysis and alerting on anomalies; follow NIST SP 800-61 for incident response and management.
Question 8: Describe a time when you responded to a cyber security incident.
Incorrect Answer: Gave basic details about a compromised machine with minimal follow-up.
Correct Answer: Detailed misconfigurations leading to a brute-force attack, actions taken to quarantine and remediate affected VMs, and communication with Microsoft regarding branding concerns.
Question 9: How would you prioritize and communicate security risks to non-technical stakeholders?
Incorrect Answer: Simplified jargon when explaining to non-technical audiences.
Correct Answer: Tailored communication based on audience needs, providing relatable examples; quantified impacts with business relevance, avoiding excessive technical details.
Question 10: How do you see AI used in enhancing cyber security defenses?
Incorrect Answer: Generalizations on job displacement due to AI in cyber security.
Correct Answer: Discussed a personal project using AI for threat hunting (a threat-hunting tool that uses ChatGPT’s API endpoint to analyze large volumes of logs for anomalies, processing 200x-300x more than a human analyst), scenarios involving anomaly detection and the implications of generative AI for security testing; acknowledged data privacy considerations (obviously you shouldn’t feed PII into the AI system).
Common Interview Mistake After Section 2
Mistake 2: Relying solely on theoretical knowledge; practical experience and hands-on training are crucial.
Section 3: GRC Questions
Question 11: What is the purpose of a risk register?
Correct Answer: A document that tracks risks, their likelihood, impact, owners, and mitigation strategies, ensuring visibility and alignment with organizational risk appetite.
Question 12: Difference between a policy and a procedure?
Incorrect Answer: They are fundamentally the same.
Correct Answer: Policy sets expectations; procedures describe the implementation steps, detailing data protection measures and access levels.
Question 13: Importance of compliance?
Incorrect Answer: Compliance seen as just box-ticking activities.
Correct Answer: Compliance ensures the fulfillment of legal, contractual, and regulatory obligations and enhances customer trust in security practices (by allowing customers to view the security practices you adhere to, it shows you value security seriously).
Question 14: What is asset management?
Incorrect Answer: Merely a list of devices.
Correct Answer: Identifies and classifies information, physical assets, digital assets (e.g., software, licenses), and even personnel, prioritizing their protection and criticality.
Question 15: Difference between inherent risk and residual risk?
Incorrect Answer: Residual risk is ignored post-control; inherent risk cannot be protected.
Correct Answer: Inherent risk is the risk that exists before any controls are applied; residual risk is what remains after controls are in place (e.g., inherent risk = a device that connects to the internet; residual risk = who can still reach the device through their user access/privileges after a firewall has been applied).
Common Interview Mistake After Section 3
Mistake 3: Hyperfocus on one specialization; candidates should develop a general knowledge base applicable across several areas in cybersecurity.
Section 4: Network Security Questions
Question 16: Difference between a firewall and an IPS/IDS?
Incorrect Answer: They fundamentally serve the same purpose.
Correct Answer: Firewalls filter traffic based on configured rules, while an IDS detects threats and an IPS can actively block attacks; effective layered defense requires both (Next-Generation Firewalls/NGFW combine these functions).
Question 17: Difference between symmetric and asymmetric encryption?
Incorrect Answer: Characterization of older and newer technologies.
Correct Answer: Symmetric uses one shared key (and is generally faster, but less secure for sharing data than asymmetric encryption because that key itself must be exchanged); asymmetric uses public/private key pairs (the sender encrypts with the recipient’s public key, the recipient decrypts with their private key); explain their usage in SSL/TLS.
Question 18: What is a VPN and why is it needed?
Incorrect Answer: VPNs are primarily for accessing streaming services abroad.
Correct Answer: VPNs create secure tunnels to encrypt data and protect against interception within the corporate context.
Question 19: Common types of network attacks?
Incorrect Answer: Basic description of password guessing or viruses.
Correct Answer: Identified various attacks like DDoS, man-in-the-middle, and phishing, along with recommended defenses.
Question 20: How to secure a company’s Wi-Fi?
Incorrect Answer: Suggesting only password security.
Correct Answer: Implement WPA3, disable WPS, change defaults, implement MAC filtering, segment networks, and use effective authentication.
Common Interview Mistakes After Section 4
Mistake 4: Not doing adequate research on the position or the company before the interview.
Section 5: Cloud Security Questions
Question 21: What is role-based access control?
Incorrect Answer: Misunderstanding the communal basis of user roles.
Correct Answer: Standardized roles assigned based on job function (e.g., AWS uses roles for developers), enabling efficient permissions management that embodies the principle of least privilege.
Question 22: Difference between encryption at rest and in transit?
Incorrect Answer: Only referencing public connections.
Correct Answer: Properly defines data encryption for stored data (encryption provided on a disk/database) versus data transmission (encryption while data is between two different locations).
Question 23: What is a security group?
Incorrect Answer: Incorrectly assuming a security group encrypts traffic.
Correct Answer: Defines function as a virtual firewall managing inbound/outbound access rules within cloud resources. Defines which traffic is allowed based on protocol, source, and destination IP addresses.
Question 24: What is infrastructure as code?
Incorrect Answer: Focusing only on automation and speed.
Correct Answer: Developing infrastructure through code rather than manual configs. Includes benefits of consistency, version control, and reduced human error while emphasizing security improvements.
Question 25: What is secrets management?
Incorrect Answer: Oversimplification as just encrypting passwords.
Correct Answer: The process of securing and managing sensitive information. Aim to prevent private information from being hardcoded into app code or config files.
Common Interview Mistake After Section 5
Mistake 5: Under-preparing; broader cyber security know-how matters beyond completing a single certification.
Conclusion
Candidates are encouraged to pursue practical education, gaining experience through hands-on training and multiple learning avenues to succeed in interviews.
Runway to Resilience: Improving Cybersecurity in Airport Operational Technology
$10 million ransomware attack on Kuala Lumpur International Airport
Operational technology systems are vulnerable to cyber breaches due to increased asset performance and remote access capabilities.
OT and IT operators may face conflict: OT managers can manage hardware but not cyber; IT managers can deploy patches that degrade availability.
Honeywell’s OT Cyber assessment solves this by identifying connected assets and relevant misconfigs - the baseline. Honeywell Cyber Insights then offers continuous monitoring for IoCs.
Penetration Tester Interview Questions
Question 26: What are the differences between a hub, a switch, and a router?
Hubs indiscriminately send data to all connected devices and operate on OSI layer 1; switches direct it to specific devices based on MAC addresses and operate on OSI layer 2; and routers manage traffic between multiple networks and operate on OSI layer 3.
Question 27: What is a port?
A 16-bit communication endpoint that allows different programs or services on a device to communicate over a network. Port numbers range from 0-65535, and different ports can be reserved for different services (e.g., port 443 for HTTPS).
Question 28: What is SSL and how does it work?
SSL/TLS is a protocol used to encrypt data between web servers and clients. SSL (Secure Sockets Layer) is the outdated version, replaced by TLS (Transport Layer Security). The protocol functions using a “handshake”, where:
The client sends supported TLS versions, cipher suites, and a "client random" string.
The server responds with its chosen cipher suite, its SSL certificate, and a "server random" string.
Authentication: The client verifies the server's certificate against trusted Certificate Authorities (CAs)
Key Exchange & Generation: Both parties use the exchanged information to generate identical, symmetric session keys.
Finished: Both sides send encrypted "finished" messages, confirming the handshake is complete and secure.
Question 29: What is SQL injection?
Web-based attack in which attacker-controlled input alters the SQL queries an application sends to its database, typically to gain sensitive information. Includes:
In-band SQLi - SQL attack where the attacker uses the same channel for attacks/info gathering.
Blind SQLi - SQL attack where the attacker deduces information from the application's behavior (e.g., differing responses or timing) rather than seeing query results directly in the responses.
Out-of-band SQLi - SQL attack where the attacker uses a different channel to gather the result of the SQL query, often relying on functionalities such as email, HTTP, or DNS.
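The in-band case above is easiest to see as the query text itself. This added example (not from the page) builds a small in-memory SQLite table with constructed users and puts the vulnerable string-built query next to its parameterized fix, so you can see the same input change the structure of one and be matched literally by the other.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample users (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    con.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con

def lookup_vulnerable(con, username):
    """The anti-pattern: input is concatenated into the SQL text, so the
    input becomes part of the query's structure (in-band SQLi)."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()

def lookup_safe(con, username):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so the same input is compared as a literal string."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()

# The textbook tautology input from security training material: it closes the
# quoted literal and appends an always-true condition.
TAUTOLOGY = "x' OR '1'='1"
```

Code review or SAST rules that flag f-strings, %-formatting or concatenation inside `execute()` calls catch the vulnerable form mechanically; the fix is the parameter placeholder, not input filtering.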
Question 30: What is Cross-Site Scripting?
Cross-Site Scripting (XSS) - A security vulnerability that allows attackers to inject malicious JavaScript code into web pages viewed by users, often exploiting the trust a user has for a particular site. Includes:
Stored XSS (Persistent): The malicious script is permanently stored on the target server (e.g., in databases, comment fields, or visitor logs). It is highly dangerous as it impacts all users who access the stored data.
Reflected XSS (Non-Persistent): The script is "reflected" off a web server, usually delivered via a link in an email or chat. It requires the attacker to trick a user into clicking a crafted link, immediately executing the script.
DOM-based XSS: The vulnerability exists entirely in the client-side code (JavaScript) rather than the server-side. The attack occurs by modifying the Document Object Model (DOM) in the victim's browser.

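For the stored case, the defense is output encoding chosen per context at render time. This added example (not from the page) renders a constructed comment record two ways: raw interpolation, where a stored script tag and a `javascript:` link survive, and context-aware encoding with `html.escape` plus a URL scheme allow-list. The comment, author and URL values are invented.

```python
import html
from urllib.parse import urlparse

# Constructed stored-comment record (not real user data): the kind of values an
# attacker would submit so they are persisted and shown to every later visitor.
STORED_COMMENT = {
    "author": "mallory",
    "comment": "<script>alert(document.cookie)</script>",
    "homepage": "javascript:alert(1)",
}

def render_unsafe(record):
    """Template interpolation with no output encoding: stored markup is emitted
    as live HTML, so it executes in each visitor's browser (stored XSS)."""
    return (f'<p><a href="{record["homepage"]}">{record["author"]}</a>: '
            f'{record["comment"]}</p>')

def safe_url(url):
    """URL context: allow only http(s); anything else (javascript:, data:) becomes '#'."""
    return url if urlparse(url).scheme in ("http", "https") else "#"

def render_safe(record):
    """Context-aware encoding: text nodes and the attribute value are HTML-escaped
    (quote=True also escapes quotes for the attribute), the href is allow-listed."""
    return (f'<p><a href="{html.escape(safe_url(record["homepage"]), quote=True)}">'
            f'{html.escape(record["author"])}</a>: {html.escape(record["comment"])}</p>')

def contains_active_content(markup):
    """Coarse check used only to show the difference between the two renderers:
    does a raw <script> tag or a javascript: href survive into the output?"""
    lowered = markup.lower()
    return "<script" in lowered or 'href="javascript:' in lowered
```

In the DOM-based variant the same principle applies on the client: write untrusted data with `textContent` rather than `innerHTML`, and apply the same scheme check before assigning to `href`.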
Question 31: How could you perform a TCP scan with Nmap?
Question 32: What is Burp Suite, and how does it work?
What is Phishing?