OMWINDOWS
OMPRAKASH SINGH PRASTE  
Question 1: Explain the concept of SQL injection.
Answer: SQL injection is a technique for adding (or injecting) malicious SQL code into a website, for example through an entry field that has a vulnerability.
The attacker can have the entry field dump the contents of a database to the attacker's server.
- One method to fix the server would be to patch the vulnerability.
What is a threat? In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and thus cause harm.
What is a signature? It is a set of rules that an IDS/IPS uses to detect intrusive activity such as a DoS attack, etc.
What is the difference between a vulnerability and an exploit?
A vulnerability is a weakness that could allow an attacker to compromise an asset, whereas an exploit is the code actually used to take advantage of a vulnerability.
Question 2: What is a SYN Flood?
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Question 3: What’s the difference between Symmetric and Asymmetric encryption?
Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption uses different keys for encryption and decryption. Symmetric is usually much faster, but is often difficult to implement because you would have to transfer the key over an unencrypted channel. Therefore an asymmetric connection is often established first and then used to set up the symmetric connection. This leads us into the next topic…
Question 4: What is SSL and why is it not enough when it comes to encryption?
SSL is identity verification, not hard data encryption. It is designed to be able to prove that the person you are talking to on the other end is who they say they are. SSL and its big brother TLS are both used by almost everyone online, but the problem is that because of this it is a huge target and is mainly attacked via its implementation (the Heartbleed bug, for example) and its known methodology. As a result, SSL can be stripped in certain circumstances, so additional protections for data-in-transit and data-at-rest are very good ideas.
Question 5: What is the difference between an HIDS and a NIDS?
Both acronyms are Intrusion Detection Systems; however, the first is a Host Intrusion Detection System whereas the second is a Network Intrusion Detection System. An HIDS runs as a background utility in the same way as an anti-virus program, for instance, while a Network Intrusion Detection System sniffs packets as they go across the network looking for things that aren't quite ordinary. Both systems have two basic variants: signature based and anomaly based. Signature based is very much like an anti-virus system, looking for known values of known 'bad things', while anomaly based looks more for network traffic that doesn't fit the usual pattern of the network. This requires a bit more time to get a good baseline, but in the long term can be better on the uptake for custom attacks.
Question 6 : What is the difference between a vulnerability and an exploit?
A lot of people would say that they are the same thing, and in a sense they would be right. However, one is a potential problem while the other is an active problem. Think of it like this: you have a shed with a broken lock that won't latch properly. In some areas, such as major cities, that would be a major problem that needs to be resolved immediately, while in others, like rural areas, it's more of a nuisance that can be fixed when you get around to it. In both scenarios it would be a vulnerability, while the major-city shed would be an example of an exploit: there are people in the area actively exploiting a known problem.
Question 7: What’s the difference between a White Box test and a Black Box test?
The difference is the amount of information given by the person commissioning the test. A White Box test is one where the pen testing team is given as much information as possible regarding the environment, while a Black Box test is…well…a black box. They don't know what's inside.
Question 9: What is the difference between Information Protection and Information Assurance?
Information Protection is just what it sounds like: protecting information through the use of encryption, security software and other methods designed to keep it safe. Information Assurance, on the other hand, deals more with keeping the data reliable: RAID configurations, backups, non-repudiation techniques, etc.
Question 10: What is the difference between closed-source and open-source? Which is better?
Yet another opinion question. Closed-source is a typical commercially developed program. You receive an executable file which runs and does its job without the ability to look far under the hood. Open-source, however, provides the source code so that you can inspect everything it does, as well as make changes yourself and recompile the code. Both have arguments for and against them, most of which have to do with audits and accountability. Closed-source advocates claim that open-source causes issues because everybody can see exactly how it works and exploit weaknesses in the program. Open-source advocates counter that because closed-source programs don't provide ways to fully check them out, it's difficult to find and troubleshoot issues in the programs beyond a certain level.
Question 11: What is the Three-way handshake? How can it be used to create a DOS attack?
The three-way handshake is a cornerstone of the TCP suite: SYN, SYN/ACK, ACK. SYN is the outgoing connection request from client to server. ACK is the acknowledgement of the server back to the client, saying that yes, I hear you, let's open a connection. SYN/ACK is the final connection, and allows the two to speak. The problem is that this can be used as a very basic type of Denial of Service attack. The client opens up the SYN connection, the server responds with the SYN/ACK, but then the client sends another SYN. The server treats this as a new connection request and keeps the previous connection open. As this is repeated many times very quickly, the server becomes saturated with a huge number of connection requests, eventually overloading its ability to connect to legitimate users.
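The half-open connections that pile up during a SYN flood are something a defender can measure directly. The following is an added example, not from the original page: it parses socket lines in the layout of `ss -tan` output (constructed here, not a real capture) and flags peers holding an unusual number of embryonic (SYN-RECV) connections; the thresholds are assumed values.

```python
import re
from collections import Counter

# Constructed lines in the layout of `ss -tan` output; not a real capture.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:40001
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:40002
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:40003
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:40004
ESTAB     0      0      10.0.0.5:443        203.0.113.9:51200
SYN-RECV  0      0      10.0.0.5:443        203.0.113.9:51201
ESTAB     0      0      10.0.0.5:22         203.0.113.10:53000
"""

# state, recv-q, send-q, local addr:port, peer addr:port
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*$")


def parse_sockets(text):
    """Yield (state, local, peer_ip) for each socket line; the header is skipped
    because its queue columns are not numeric."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        state, local, peer = m.groups()
        peer_ip = peer.rsplit(":", 1)[0]  # drop the ephemeral port
        yield state, local, peer_ip


def half_open_by_peer(text):
    """Count embryonic (SYN-RECV) connections per peer address.
    Established sockets are ignored: they completed the handshake."""
    counts = Counter()
    for state, _local, peer_ip in parse_sockets(text):
        if state == "SYN-RECV":
            counts[peer_ip] += 1
    return counts


def suspected_syn_flood_sources(text, per_source_limit=3, total_limit=50):
    """Return (offending peers, backlog_alarm).

    A peer above per_source_limit is listed; backlog_alarm is True when the
    whole half-open backlog exceeds total_limit, which matters most because a
    flood from spoofed addresses spreads the SYNs over many fake peers."""
    counts = half_open_by_peer(text)
    offenders = sorted(ip for ip, n in counts.items() if n > per_source_limit)
    return offenders, sum(counts.values()) > total_limit


if __name__ == "__main__":
    print(half_open_by_peer(SAMPLE))
    print(suspected_syn_flood_sources(SAMPLE))
```

Real SYN floods usually spoof source addresses, so the total backlog size is the more reliable signal than any single peer; SYN cookies (net.ipv4.tcp_syncookies on Linux) are the usual kernel-side mitigation.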
Question 11: If you were going to break into a database-based website, how would you do it?
And here's the other side of the coin: learning to break into your own systems so that you can pen test them yourself. While the exact methods differ for each type of database server and programming language, the easiest attack vector to test for first is SQL injection. For example, if the input fields are not sanitized, just entering a specific set of symbols into a form field may be enough to get back data. Alternatively, depending again on how the site is written, a specially crafted URL may be enough to get back data as well. Footprinting the server ahead of time can help in this task if it isn't one you built yourself.
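The unsanitized entry field described in Question 1 and in the answer above comes down to one defect: the form value is spliced into the SQL text. This added example (not code from the original page) shows that lookup beside its parameterized fix, using an in-memory SQLite table with constructed rows; `' OR '1'='1` is the textbook probe a tester would type into the field.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the website's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': the form value becomes part of the statement, so a quote
    typed into the entry field ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the driver sends the value separately from the statement text,
    so whatever was typed is compared as data and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run the same probe through both lookups and report how many rows leak."""
    conn = make_db()
    probe = "x' OR '1'='1"  # closes the literal, then makes the WHERE always true
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "parameterized_rows": len(lookup_parameterized(conn, probe)),
        "legit_rows": len(lookup_parameterized(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the probe (the whole table dumped, as the answer to Question 1 describes), while the parameterized one returns none and still finds a legitimate user.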
Question 12: Why are internal threats oftentimes more successful than external threats?
When you see something day in and day out, even if it shocks you at first, you tend to get used to it. This means that if you see somebody who pokes around day after day, month after month, you might get used to the idea that he's just curious. You let your guard down and don't react as quickly to possible threats. On the other hand, say you have a disgruntled employee who is soon to be fired and wants to show his soon-to-be former employer that he can bring them down, so he sells his still-active credentials and card-key to a local group that specializes in white-collar crime. Still other infiltrators dress up as delivery people and wander around aimlessly in office buildings, getting information off post-it notes and papers lying around. External threats do not have access to anywhere near this level of information about the company, and more often than not do not get in as far as somebody who spent 20 bucks on a knock-off UPS uniform.
Question 13: What is residual risk?
Residual risk is what is left over after you have done everything that is cost-effective to increase security; going further than that would be a waste of resources. Residual risk is what the company is willing to live with as a gamble, in the hope that it won't happen.
Question 14: What is Exfiltration?
Infiltration is the method by which you enter or smuggle elements into a location. Exfiltration is just the opposite: getting sensitive information or objects out of a location without being discovered. In an environment with high security, this can be extremely difficult but not impossible. Again we turn to our friends in the fake delivery uniforms wandering around the building, and see that yes there are ways to get in and out without a lot of issues.
Question 15: What is a White List in Malware?
Whitelisting is a technique that allows approved content or software to run and denies or restricts anything else. Application whitelisting is a security method that determines which applications are trusted and allowed to run. It is often used hand-in-hand with application blacklisting, where applications that are not trusted are prevented from running. Whitelisting requires software that determines whether a program is trusted and applies the appropriate action.
Whitelisting can be used by any organization to detect previously undetectable malware threats: simply install a good whitelisting program and run it in audit-only mode.
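The "audit-only mode" idea above is easiest to see in code. This added example (not from the original page) is a minimal hash-based application allowlist: it keys trust on the SHA-256 of the file contents rather than the name, and in audit-only mode it logs what enforcement would have blocked instead of blocking it. The files it checks are constructed stand-ins for executables.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash the file contents in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Map the content hash of each trusted program to its name. Keying on the
    hash, not the filename, means a renamed or tampered binary no longer matches."""
    return {sha256_of(p): os.path.basename(p) for p in paths}


def evaluate(path, allowlist, audit_only=True):
    """Decide what to do with a program about to run.
    Returns (decision, detail) with decision 'allow', 'deny' or 'audit'."""
    digest = sha256_of(path)
    if digest in allowlist:
        return "allow", allowlist[digest]
    if audit_only:
        # Audit-only: record what enforcement would have blocked, so the list can
        # be tuned and unexpected programs investigated before switching it on.
        return "audit", "would deny %s (sha256 %s...)" % (os.path.basename(path), digest[:12])
    return "deny", os.path.basename(path)


def demo():
    """Exercise the check against constructed files standing in for executables."""
    tmp = tempfile.mkdtemp()
    trusted = os.path.join(tmp, "editor.bin")
    unknown = os.path.join(tmp, "unknown.bin")
    with open(trusted, "wb") as f:
        f.write(b"trusted program bytes")  # constructed content
    with open(unknown, "wb") as f:
        f.write(b"bytes nobody approved")  # constructed content
    allowlist = build_allowlist([trusted])
    results = {
        "trusted": evaluate(trusted, allowlist)[0],
        "unknown_audit": evaluate(unknown, allowlist)[0],
        "unknown_enforce": evaluate(unknown, allowlist, audit_only=False)[0],
    }
    # Tamper with the trusted binary: same path and name, different content.
    with open(trusted, "ab") as f:
        f.write(b"\x00patched")
    results["modified_trusted"] = evaluate(trusted, allowlist)[0]
    return results


if __name__ == "__main__":
    print(demo())
```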
Question 16: Is there any difference between Information Security and IT Security?
Yes. Information Security and IT Security are different terms that are often used interchangeably. IT Security focuses on purely technical controls (like implementing antivirus, firewalls, hardening systems, etc.), while Information Security is a broader term which implies securing "information" as an asset in whatever form it takes (e.g. shredding paper documents to prevent dumpster diving). So IT Security can be considered a subset of Information Security.
Question 17: What is the difference between proxy, firewall, IDS and IPS?
A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity. A firewall is basically meant for network traffic control/filtering, mainly at layer 3. It allows/denies packets and connections based on certain pre-defined rules. An IDS (Intrusion Detection System) is an application which tries to detect intrusion attempts based on the attack signature database it has. An IPS (Intrusion Prevention System) detects the intrusion (like an IDS) and goes one step further to prevent it as well: it simply drops the packets it thinks suspicious (based on rules).
Examples:
Proxy – Squid
Firewall – iptables, Cisco PIX, ZoneAlarm
IDS – Snort
IPS – IBM Proventia
Question 18: How does SSL work? Are you aware about some of the latest vulnerabilities that were found in SSL implementation?
Question 19: What is port scanning? What are the countermeasures to prevent it?
Question 20: What is a man-in-the-middle attack? Can it be prevented?
Question 21: What is the difference between a false positive and a false negative?
Question 22: What do you mean by stateful inspection by a firewall?
Question 23: What is a DMZ? Which systems should be placed in the DMZ? What are common security precautions for DMZ systems?
Question 24: What is DLP? How does it work?
Question 25: In what scenario should AD authentication be used?
Question 26: Is SSH completely secure? If not, can it be hardened further?
Question 27: What is virtualization? What are the security risks in it?
Question 28: What do you mean by 'BYOD'? Explain the security concerns related to it.
Question 29: What are the different layers of the OSI model? Can you list one vulnerability corresponding to each OSI layer?
Question 30: What are honeypots?
Question 31: Tell us about any major security incident that happened recently.
Question 32: How do you keep yourself updated with the latest trends in Information Security?
I refer to various security news sites, blogs, etc. (like thehackernews, the Rapid7 blog, etc.). I am also subscribed to various online security magazines like Pentest magazine, HackInsight, etc., and I surf through the archives of various security conferences held worldwide.
Question 33: Which OS do you feel is more secure? Linux or Windows?
No OS is secure unless and until its administrator is smart enough to secure it. Though Windows has more publicly found security issues, it can still be hardened appropriately. It's all about perception and having the right sense of security. Linux definitely provides robust security; however, a mis-configured Linux box could really pose a big threat to security.
Question 34: Explain multi-factor authentication in brief.
Question 35: How do you harden a Windows machine and a Linux machine?
Question 36: How can you prevent DoS/DDoS attacks?
Question 37: What is a 0-Day Vulnerability? Can it be prevented?
Question 38: What is the biggest difference between Windows OS and Linux OS?
Question 39: Can an IDS be used to prevent intrusions?
Yes. For example, Snort, an open-source IDS, can act as an IPS if configured in inline mode in conjunction with iptables.
Question 40: Explain any type of Wi-Fi attack and how to prevent it.
Question 41: What is SIEM? Why is it useful?
Question 42: What is a rainbow table attack? Is there a way to prevent it?
Question 43: Explain the difference between a hub, a switch and a router.
Question 44: What are NAT and PAT? Explain the difference between them and how they work.
Question 45: Comment on security concerns in Cloud Computing.
Question 46: What is single sign-on? What are security risks with it?
Category II: VA/PT
1) What is the difference between Vulnerability Assessment and Penetration Testing? Which one needs to be performed first?
2) What are the steps to perform VA/PT?
3) What precautions are required to be taken while performing VA/PT?
4) With whom would you share the findings of VA/PT and how would you convey the risk of the findings effectively so that mitigation can be initiated immediately?
5) What tools do you normally use for VA and PT? Which tool do you find the best, and why?
6) What all should be included in the report of a VA/PT assessment?
7) Is it possible to hack into a system without using any tool? If yes, how would you do it? (Manually?)
8) How can you identify whether a remote machine is a Windows machine or a Linux machine?
9) What is the difference between active and passive information gathering? (Give one example of each.)
10) How does sniffing work? Explain how you can sniff a network. Can a sniffing attack be prevented, and how?
11) What would you do if nmap port scans are blocked by network security administrator? How would you gather host information in such case?
12) What are the different components of metasploit? Explain client side exploits/attacks.
Category III: Web Application Security
1) Why is Web Application Security Important?
2) “Making the website HTTPS would make it secure” share your comments on this.
3) What are cookies? What security threat do they pose?
4) What is SQL Injection attack? What are its types?
5) What are the ways to prevent SQL Injection?
6) What is XSS attack? What are its types?
7) What are the ways to prevent XSS attacks?
8) What is CSRF? How to prevent it?
9) What are the top 5 Web Application Vulnerabilities you know?
10) Explain any case wherein you found a critical web application vulnerability and also provided a solution to fix it.
11) How would you mitigate vulnerabilities in a legacy application where much code change is not feasible?
12) What tools do you use for performing Web Application security testing?
13) What are common security threats in Web Services and how do you test them?
14) What is the difference between White Box Application Security testing and Blackbox Application Security testing?
15) Do you have hands on knowledge of source code review? Give any example of vulnerability/bug you found during source code review.
16) What standards do you refer for Web Application Security and related vulnerabilities?
17) What are the most important steps you would recommend to secure your new web server?
18) Will an L-3 firewall be useful in protecting the web application against common attacks? If yes, then to what extent?
19) What is Directory Listing? What is its impact? How to prevent it?
20) Can you explain any 2 vulnerabilities occurring due to poor session management?
21) Where should the web server and database server be placed in the network for optimal security?
21) Is there any risk when conducting Application Security testing on production instance?
Ans: Ideally, application security testing should never be performed on a production instance. Automated scanners can insert, modify or even delete data in the target application, which could be a big risk. So the testing should be carried out on a test instance containing an exact replica of the application code running on the production instance. If you do have to test on the production instance, its owner must take responsibility (in writing) for any data loss that may occur after testing.
22) How would you investigate or trace any security incident which occurred due to exploitation of some vulnerability in your web application?
23) Please explain how you would test a mobile application for security vulnerabilities.
24) Explain database security. What are common controls for securing databases?
25) How would you convince the developer to fix the vulnerabilities you found in the Web Application?
Ans: It is normal human nature not to accept our mistakes, and the same applies here. No developer would easily accept that code written by him has serious security bugs. So you have to demonstrate to him the vulnerability you discovered with a proper PoC, and explain to him the severity and impact if the vulnerability gets exploited. You have to be polite while explaining and not get into arguments.
26) How does HTTP handle state?
Ans: HTTP is a stateless protocol.
27) How do you identify that an application is vulnerable to blind SQL Injection attack?
28) What is clickjacking and how do you prevent it?
29) What are the top 5 Mobile Application security threats?
30) At which stage of SDLC should the security controls be applied?
Category IV: Risk Management/ Compliance/ Security Frameworks
1) What are Risk Assessment and Risk Management? Are they the same?
2) What are the standards available for Risk Management?
3) What are the types of Risks?
4) What are the possible ways to treat the risk?
5) What is the difference between a threat, a vulnerability, an exploit and a risk?
5) What is residual risk? Can it be eliminated?
6) What is ISO 27001? Why should an organization adopt it?
7) What is the difference between ISO 27001 and ISO 27002?
8) What is PCI-DSS? Is there any similarity between PCI-DSS and ISO27001?
Ans: The Payment Card Industry Data Security Standard applies to organizations that handle branded credit cards; the standard was created to increase control around cardholder data in order to reduce credit card fraud.
9) What type of organizations are required to be compliant with PCI-DSS?
10) What is the difference between a standard, policy, procedure?
11) What would you do to make a security program / initiative successful in the organization?
12) How would you convince senior management to invest in a certain security initiative?
13) How much would you ideally spend on securing a Windows Server? (This is a very generic question, but would really test whether the candidate is clear with the basics like asset value, impact analysis etc.)
14) What is the difference between technical controls and procedural controls? (Give one example of each.)
15) Explain the high-level steps for initiating and implementing ISO 27001.
Category V: Strategic / Scenario Based Questions
1) Please comment: Which one would be more securely built? Open Source software or Commercial/Proprietary software?
2) Whom do you get inspired from in the field of Information Security?
3) How many packets would travel from a laptop if a user initiates a traceroute to facebook.com?
4) Consider a scenario: the network has become extremely slow and many escalations are coming to the service desk. What would you do as a security professional? Do you see a possibility of any security threat in this? How would you face this situation?
5) Suppose the business team wants to launch an application on an urgent basis, but you know it's vulnerable to some critical attacks. What would you do in such a case? Should the business requirement be given priority, or should security be the priority?
6) What are the latest trends in Information Security?
7) Is Internet Banking really safe and secure? What are your views on this?
8) Where do you see yourself (in which role/position) after 3-4 years?
9) Should social networking websites (like facebook) be allowed or blocked? Justify with proper reason.
10) Anonymous hackers are hacking into some critical infrastructure around the world. Can you comment on how would they be doing this?
11) Have you heard about Stuxnet? Explain your views on it and how it could have been prevented.
Category VI: Computer Forensics/Laws
1) What do you mean by checksum? What are the popular algorithms for calculating checksums? What is its significance in computer forensics?
2) Describe steganography, its types and how to detect it?
3) What do you mean by file carving?
4) What is meant by a bit-stream image? Why is it important in forensics?
5) What is swap space? What is its relevance in forensics? What is page file?
6) Explain high level steps for seizing a live computer system.
7) What are the main challenges in computer forensics?
8) What is file shredding?
Ans: File shredding is a technique used to securely erase/wipe or destroy a file (logically or physically) in such a way that it cannot be reconstructed to derive its original meaning.
9) Can data be recovered after shredding is performed?
10) What are the famous tools used in computer forensics?
11) What hardware is necessary for performing computer forensics?
12) What care should be taken while packaging the seized evidence?
13) What is slack space?
14) List a few situations wherein lost data cannot be recovered.
Ans: If the data is stored on magnetic media and that media comes in contact with a very strong magnetic field, the result may be permanent loss of data. If data on the disk is overwritten more than 30 times, it may be in an unrecoverable state. If the media is physically destroyed, e.g. completely burnt or turned into fine powder, it won't be possible to recover the data.
15) How would you trace a spoofed email sent from a spoofed IP address?