SOC Interview Questions Flashcards
Black Hat Hacker
hackers are criminals who break into computer networks with malicious intent.
White Hat Hacker
Also known as Ethical Hackers. They are certified hackers who learn hacking from courses. These are good hackers who try to secure our data, websites.
Grey Hat Hacker
A mix of both Black-Hat and White-Hat hackers. These types of hackers find vulnerabilities in systems without the permission of owners. They don’t have any malicious intent. However, this type of hacking is still considered illegal.
Port Scanning
A method of determining which ports on a network are open and could be receiving or sending data.
Red Team
A group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve their defenses.
Blue Team
A group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and make certain all security measures will continue to be effective after implementation.
Firewall
A device that allows or blocks the network traffic according to the rules.
Security Misconfiguration
A security vulnerability caused by incomplete or incorrect misconfiguration.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Risk
The level of impact on agency operations (including mission functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Threat
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Compliance
Following the set of standards authorized by an organization, independent part, or government.
MITRE ATTACK
A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
2FA
An extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they will be required to provide another piece of information.
Share some general endpoint product categories
Antivirus
EDR (Endpoint Detection and Response)
XDR (Extended Detection and Response)
DLP (Data Loss Prevention)
What is HIDS?
HIDS means Host Intrusion Detection System. HIDS is located on each host.
What is NIDS?
NIDS means Network Intrusion Detection System. NIDS is located in the network.
CIA Triad
A common model that forms the basis for the development of security systems.
Confidentiality
Involves the efforts of an organization to make sure data is kept secret or private.
Integrity
Involves making sure your data is trustworthy and free from tampering.
Availability
Systems, networks, and applications must be functioning as they should and when they should.
What is AAA?
Authentication
Authorization
Accounting
Authentication
Involves a user providing information about who they are. Users present login credentials that affirm they are who they claim.
Authorization
A user can be granted privileges to access certain areas of a network or system.
Accounting
Keeps track of user activity while users are logged in to a network by tracking information such as how long they were logged in, the data they sent or received, their Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the different services they accessed.
Cyber Kill Chain
Framework is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.
SIEM
A security solution that provides the real time logging of events in an environment. The actual purpose for event logging is to detect security threats.
Indicator of Compromise (IoC)
Serve as forensic evidence of potential intrusions on a host system or network. These artifacts enable Information Security (InfoSec) professionals and system administrators to detect intrusion attempts or other malicious activities.
Indicator of Attack (IoA)
Demonstrate the intentions behind a cyberattack and the techniques used by the threat actor to accomplish their objectives.
True Positive
If the situation to be detected and the detected (triggered alert) situation are the same
False Positive
In short, it is a false alarm. When an IDS or IPS flags non-malicious traffic as malicious.
OSI Model
A conceptual model that describes the universal standard of communication functions of a telecommunication system or computing system.
Three-Way Handshake
A method used in a TCP/IP network to create a connection between the client and server.
Explain the Three-Way Handshake
- The client sends a SYN(Synchronize) packet to the server check if the server is up or has open ports
- The server sends SYN-ACK packet to the client if it has open ports
- The client acknowledges this and sends an ACK(Acknowledgment) packet back to the server
TCP/IP Model
Is the default method of data communication on the Internet. It was developed by the United States Department of Defense to enable the accurate and correct transmission of data between devices.
What is the difference between the TCP/IP Model and the OSI Model?
The TCP/IP model is a simpler, four-layer model that focuses on the actual workings of the internet, while the OSI model is a more detailed seven-layer model that provides a conceptual framework for understanding network communication.
Address Resolution Protocol (ARP)
Is a communication protocol used for discovering the Data Link Layer address, such as a MAC address, associated with a given Network Layer address, typically an IPv4 address.
Domain Host Configuration Protocol (DHCP)
Is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.
Domain Name Server (DNS)
Is like the internet’s phone book, translating domain names (like google.com) into IP addresses (like 172.217.1.46) so computers can communicate with each other.
Virtual Private Network (VPN)
Creates a secure, encrypted connection over a public network like the internet, allowing users to browse the web privately and securely. It masks their IP address and encrypts their data, enhancing privacy and security, particularly when accessing sensitive information or bypassing geographical restrictions.
Virtual Land Area Network (VLAN)
Is a network segmentation technique that allows administrators to logically divide a single physical network into multiple isolated virtual networks.
Router
Is a networking device that forwards data packets between computer networks. Responsible for directing traffic based on IP addresses, enabling communication between devices on different networks.
Switch
Is a networking device that connects multiple devices within a local area network (LAN) and forwards data packets to their intended destination based on MAC addresses. It operates at the data link layer of the OSI model and helps manage network traffic efficiently by creating direct paths between devices.
User Datagram Protocol (UDP)
Is a connectionless protocol that provides a simple and lightweight method for sending data packets over a network. It is commonly used for applications that prioritize speed and efficiency over reliability, such as real-time streaming or online gaming.
Transmission Control Protocol (TCP)
Is a connection-oriented protocol that ensures reliable and ordered delivery of data packets over a network. It establishes a virtual connection between sender and receiver, handling error correction, flow control, and congestion control to guarantee data integrity and successful transmission.
What is the difference between UDP and TCP?
UDP and TCP are transport layer protocols. TCP has error checking and guaranties that packets have been received while UDP does not.
Steps to ensure a server is secure
- Close all unnecessary ports
- Patch the server so that all software is up to date
- Tightly control user access
Traceroute
Is a tool used to trace the path of an IP packet as it traverses routers. It works by incrementing the TTL field until the packet reaches the destination IP.
Subnet
Is a logical subdivision of an IP network. The practice of dividing a network into two or more networks
MAC Address
Is a unique identifier assigned to a network interface controller for use as a network address in communications within a network segment.
Spanning Tree Protocol (STP)
Is a network protocol that builds a loop-free logical topology for Ethernet networks.
Load Balancer
The process of distributing a set of tasks over a set of resources, with the aim of making their overall processing more efficient.
Hypervisor
Also known as a virtual machine monitor or virtualizer, is a type of computer software, firmware or hardware that creates and runs virtual machines.
Conatiner
A package of software and its dependencies — such as code, system tools, settings, and libraries — that can run reliably on any operating system and infrastructure.
