Top 30 Information Security Interview Questions and Answers For 2021:

Even for highly-experienced candidates, it is not easy to interview for security information positions. Each person you interview has one chance to make a good impression. You will feel more confident if you are prepared. These are the steps to help you be your best.

This article will cover the following topics:

Beginner Level Questions:

Question – 1: What Are The Three Transmission Modes?

The three transmission modes are simplex, half-duplex, and duplex.

Simplex: Simplex transmission involves a signal traveling in only one direction, just like a one-way street. This type of transmission only transmits signals but never receives signals.

Half-duplex: With a half-duplex communication, the signal can be transmitted or received; however, only one action can occur at a time. What this means is that you can either transmit or receive at a given time. Such transmissions are seen in walkie-talkies.

Full Duplex: With full-duplex communication, the signal can be transmitted and received simultaneously. Such transmission is seen in telephone communication.

Question – 2: What’s The Difference Between UDP and TCP?

UDP and TCP are transport layer protocols used for sending packets between end-users. TCP stands for Transmission Control Protocol, and UDP stands for User Datagram Protocol. TCP is more reliable thanks to its error correction feature, ensuring that data arrives in the proper order. UDP isn’t reliable; however, it is fast. This is because it has no error correction feature, which makes it faster.

UDP is used for live streaming, online calls, and any time-sensitive transmission. TCP, on the other hand, is used for email transmissions and file transfer.

Question – 3: What Is Datacenter Multi-tier Design?

Multi-tier designs have been incorporated into the design of modern-day data centers. It is a multi-layer architecture divided into three-layer tiers for maximum flexibility; however, one major disadvantage of this design is that it is expensive.

This design consist of three tiers:

The Core Layer: This layer is the backbone that ensures packets are reliably delivered at a high transfer rate.

The Distribution Layer: This layer ensures data packets are correctly routed between the subnets of the organization.

The Access Layer: This layer connects endpoints.

Question – 4: Are You A Team Player Or An Individual Contributor?

There is no right or wrong answer to this question. However, you want to state the pros and cons of either option. We highly recommend you choose to work as a team because the field of cybersecurity is broad, and one person cannot know everything. So, your answer should be something like:

I am versatile, and I can work as either an individual or a team player, depending on my task. Working as an individual means, I will complete my work much faster; however, my work will have limited ideas. Working in a team might take time to produce results; however, the results produced are high quality.

Question – 5: What Are The Three Tenets Of Information Security?

The three tenets of information security are confidentiality, integrity, and availability.

Confidentiality: This means you want to ensure you protect people’s private information by limiting access to information. What this means is that only legitimate people can access sensitive information. We use methods like biometric verification, two-factor authentication, passwords, and encryption to enforce confidentiality.

Integrity: This means the information is correct and trustworthy. This ensures that the data stays the same as it was entered without any alteration unless an authorized user changes it. We use measures like user access control, checksum, and file permission to enforce integrity.

Availability: This ensures that the information is readily accessible to those who have the right to access such information. We use measures like system upgrades, fast data recovery, and reliable bandwidth to ensure data availability.

Question – 6: What Are The Intrusion Detection Methods?

There are two intrusion detection methods. These are signature-based detection and anomaly-based detection.

Signature-based detection: With signature-based IDS, there is a database of recognized attacks. The idea is to compare current activities with the activities stored in the database (the signature). It does this by comparing current data payloads and packets with those stored on the database. If any anomaly is detected, an alarm is raised. The downside to signature-based detection is that it might raise some false-positives alarms for normal activities. Also, if an attack isn’t on the database or attackers devise new attacks, this detection method might not notice such an attack.

Anomaly-based detection: This is also known as behavioral-based. This IDS detects intrusion through usage anomalies. Instead of comparing all logs to previous logs, it looks for activities that sway from the regular user activity. This type of IDS studies the behavior of its user and then keeps a record of this behavior. So, when a new activity sways from the normal, then an alarm is raised. With this IDS, it learns and improves its user usage pattern. The only disadvantage of this system is that it raises more false-positive alarms; however, unlike signature-based, no attack will go unnoticed.

Question – 7: What is SNMP?

SNMP stands for Simple Network Management Protocol. This protocol provides a framework that helps us gather data to enable us to manage, monitor, and modify device parameters on a network. This protocol is found in the application layer, and it utilizes ports 161 and 162.

Question – 8: What Are The Types Of Sniffing Attacks?

Sniffing can be categorized as either passive or active sniffing.

Passive Sniffing: This type of sniffing can be executed when a group of devices or computers are connected to a hub. With a hub, traffic is visible to every host on the network. So, all the attacker does is enable the sniffer to listen to the traffic sent to every device on the same collision domain.

Active Sniffing: This type of sniffing occurs in devices connected to a switch. With this switching, the attacker actively injects malicious traffic into the network to bombard and hoax the memory table to redirect traffic to the attacker. This attack can be achieved using MAC flooding, ARP poisoning, MAC duplicating.

Question – 9: What Are The Data Transmission Types In The Data Link Layer?

The data link layer has three main transmission modes. These are unicast, broadcast, and multicast.

Unicast: Unicast involves sending frames to a single receiver.

Multicast: This involves sending frames to multiple receivers.

Broadcast: This involves sending frames to all recipients.

Question – 10: What Is DHCP?

DHCP is a layer three protocol that helps us manage IP addresses. DHCP stands for Dynamic Host Configuration Protocol, and this protocol assigns new IP addresses to devices that connect to a LAN.

Intermediate-Level Questions.

Question – 1: What Is The Biggest Weakness in Most Organizations?

The biggest weakness to most organizations is ignorant employees. This is because no matter the firewalls, VPNs, and security measures put in place, all it has to take is for one ignorant employee to click on a malicious link, or bad email, or even post a picture of the working environment on the internet to compromise the security of an organization. Interestingly, 96% of social cybersecurity attacks are from phishing scams. This shows how vulnerable a company’s security system can be if the employees aren’t educated.

Question – 2: What Is UEBA?

UEBA stands for User and Entity Behavior Analytics, it uses innovative analytic techniques such as deep learning and machine learning to discover abnormal activities by analyzing users’ behavior. It establishes a standard profile through machine learning algorithms that do not conform to predefined correlations. Any action or activity that doesn’t conform to the standard profile will be considered an anomaly.

A UEBA can identify new attacks that have been developed by attackers and can identify zero-day attacks.

Question – 3: How Should Companies Manage Their Security?

This will usually be a follow-up question to the above question.

As an information security person, we recommend companies have a top to down security management policy. This means that companies shouldn’t just assign security to the IT or computer department and expect things to fall in place. Companies must ensure that they educate everyone on cybersecurity. The education should be organization-wide to ensure security measures and policies are effective.

Question – 4: How Would You Ensure each System Is Secured In This Organization?

It will depend on the system. Each system has a different cost required to protect the system. So, if the cost to protect the system from hackers is way more than the money the system generates, then you might not secure the system. What I mean by this is, if it costs an organization $500,000 annually to secure a specific system; however, that system generates annual revenue of only $100,000, then it may not be a financially justifiable reason to fully secure this system.

Also, suppose you are given limited funds to secure systems. In that case, you will ensure that you can differentiate between the company’s critical assets and non-critical assets, and then make sure you protect the critical assets first.

However, you will ensure that the devices are updated with the latest security feature as an information security person. You will ensure that the relevant pentest and vulnerability scans will be performed on each system.

Question – 5: Explain the Spine and Leaf Architecture, And When Do You Choose It Over The Multi-tier Design?

The spine-leaf architecture is a two-layer architecture that composes of two components: leaf switches and spine switches. The leaf switch, also known as the top of the rack switches or end of the rack switch, serves as an access point to servers, WAN, and storage devices.

The spine layer connects all leaf switches and routes the traffic between them. A mesh topology is used to connect every leaf switch to a spine switch.

Because of containerized infrastructure and integration of the cloud in modern data centers, the spine and leaf architecture enables us to utilize the fastest route possible to transmit data. This solves the problem of latency experienced in the multi-tier design.

This type of architecture is ideal for data centers with east-to-west network traffic, while a three-layer model is ideal for a south-to-north data flow.

Question – 6: What Are The Steps In Cyber Kill Chain, and What Are The Purpose?

The cyber kill chain is a model that helps us to understand and neutralize cyberattacks. It is derived from the military kill chain strategy that describes the structure of an attack to understand how a cyberattack is prepared and executed. It presents IT, teams, with a strategy to contain or kill an attacker.

It is divided into seven stages, which give insight into the various steps an attacker takes to execute an attack. These stages include:

  • Reconnaissance: This is the observation stage where an attacker observes and scopes a target to find vulnerabilities.
  • Weaponization: This stage involves the attacker devising a strategy or an attack to exploit the vulnerabilities found.
  • Delivery: This is the phase where the attacker transmits the payload needed to execute the attack.
  • Exploitation: This is where the attacker exploits the vulnerability discovered.
  • Installation: This is the stage where the attacker tries to establish a backdoor to gain continuous access. More can be going on at this stage, including lateral movement, denial of service, and privilege escalation.
  • Command and Control: This is where the attacker sends commands such as APT code to the network.
  • Actions/Objective: This is where the attacker achieves the end goal or motivation of their attack.

Question – 7: How Would You Build an Effective Cybersecurity Incidence Response Plan:

A good cybersecurity plan should compose of the following phases:

  • Preparation: This is planning the processes you will take to contain and mitigate any security incident.
  • Detection and Analysis: Your plan should contain information on how you plan on noticing the precursors and indicators of incidents.
  • Containment, Eradication, and Recovery: This is where a strategy is devised to identify, mitigate threats, and restore a system under attack.
  • Post-incident activity: This is the reviewing stage where you note down the lessons learned and update your systems.

Question – 8: Explain SSL

HTTP is the protocol that defines how we transfer information between users and servers. However, HTTP isn’t protected and is susceptible to criminal attacks. HTTP was ideal for surfing the web; however, when it came to filling out sensitive information, criminals were able to exploit HTTP to retrieve any sensitive information inputted by a user on a website because the data inputted is transmitted in cleartext.

This led to the development of SSL, which, when integrated with HTTP, gives us HTTPS. SSL is known as Secure Socket Layer, it encrypts information on webpages and transmits them.

Question – 9: Web Server vs. Application Server?

A web server is designed to serve web applications using the HTTP protocol. A web server will process an HTTP request with an HTML page. Web servers only deal with static content and come with no server-side programming, which means no business logic is attached to the application being run.

An application server, on the other hand, provides business logic to applications. This implies that when a user requests a web app, information is transmitted to the app’s backend for processing. The application server handles all applications between users and the backend databases.

Question – 10: What’s The Difference Between HIDS and NIDs?

HIDS stands for Host Intrusion Detection System, and they inspect and analyze all inbound and outbound traffic on each host on a network to find suspicious activities. In case any suspicious activity is detected, it sends an alarm to the administrator.

A NID stands for Network Intrusion Detection System, and this is a device placed in a segment of the network to detect any intrusions in that segment. It achieves this by sampling every packet that passes through that segment.

So, the difference between both is that while HIDs and NIDs are both intrusion detection systems, a HIDS monitors a single system, while a NID monitors a network segment.

Expert-Level Questions.

Question – 1: What’s Is Data Exfiltration?

Data exfiltration has to do with an attacker extracting sensitive information from a server or computer without anyone noticing. One of the most common and most successful exfiltration techniques is DNS exfiltration.

So, how does DNS exfiltration occur?

An attacker infects a workstation that has access to the servers with malware capable of moving sensitive information from the server to the attacker’s computer. If the attacker tries to move this sensitive information directly from the server to their computer, chances are a firewall will halt the transmission.

The way an attacker can get the information transmitted without being noticed will be to exploit DNS. DNS is the most critical aspect of the internet because it is the backbone of the internet. Therefore, every firewall has a port that only allows DNS traffic. What the attacker does is encode this sensitive data. It is encoded such that binary content is converted into ASCII and transformed into DNS queries.

These queries then get partitioned into smaller DNS queries and sent to a local DNS server. This is done to make it impossible for the local server to interpret such queries, so these queries get forwarded through the firewall to a server controlled by the attacker. Once it gets there, the attacker decodes the message and retrieves the sensitive information.

Question – 2: What Is Chain Of Custody?

Chain of custody becomes crucial when you are collecting evidence about an attack. Chain of custody ensures that you maintain the integrity of the information gathered at the crime scene. This ensures that you can look at it later to confirm that the evidence gathered at the initial attack phase is examined later.

Chain of custody is a legal document that records who, when, and how people interacted with evidence. This makes a chain of custody important when you need to prosecute an attacker since it ensures that the evidence hasn’t been tampered with.

Question – 3: Which Is Dangerous: False Positive Or False Negative?

False-positive alerts are much safer than false-negative alerts. This is because, with a false positive alert, every suspicious anomaly is being highlighted by the IDS. Even though this might be annoying, the IDS can be improved to deal with this.

However, with false negatives, malicious activity can be interpreted as non-malicious, and wouldn’t be detected. This gives the malicious activity a free pass which can be detrimental to an organization. So, I would rather deal with the annoyance of a false positive than the ignorance of a false negative.

Question – 4: What Is The Difference Between Information Assurance and Information Protection.

Information assurance is the practice of protecting information systems and the information on these systems to ensure that these systems conform to the three tenets of information security. Information protection involves putting measures in place to ensure that data is protected from attackers or unauthorized users.

Question – 5: Walk Us Through Your Cybersecurity Incident Handling Procedure?

There are six procedures I follow when there is a security issue that needs to be handled.

The first step is to gather my team, and I do this by writing a list of people who have the proper knowledge and skillset to tackle the problem.

The second step will be to identify the source of the problem and then devise a plan with my team to contain it. This step includes us analyzing the incident to understand the type of attack. We do this by performing an endpoint analysis to help us find any evidence or track left by the attacker. Binary analysis should help us understand the malicious tools the attacker used. And an enterprise hunting is to scan through all computer logs and compromised documents and accounts to understand how we will neutralize the attack.

The next step will be to contain and neutralize the attack. The first process will be to identify all affected devices and perform a coordinated shutdown to turn off compromised machines in a coordinated manner. We could also completely wipe out affected devices depending on the nature of the attack and then reset passwords or block certain accounts.

The next step will be to restore and rebuild. This will be to rebuild the entire operating system and then validate that everything is working as it should.

The fifth step will be to write down a report to assess the damage caused by the attack and then inform all relevant governing bodies of all the necessary information they need to know.

The final step will be to put in the appropriate measure to prevent such an attack from happening in the future.

Question – 6: What is a MITM attack and how to prevent it?

A MITM(Man-in-the-Middle) attack is a type of attack in which the hacker inserts himself between two parties to steal their information. Let’s say there are two parties, party A and B, communicating with one another. The hacker then joins the communication. The hacker pretends to be a Party B to A and Party A to B. After this interception, all the data between the two parties passes through to the attacker. Although they may appear to be communicating with one another, the hacker is communicating with them.

These are the best ways to prevent MITM attacks:

  • Use VPN
  • Public Key Pair Based Authentication
  • Strong WEP/WPA encryption is recommended
  • Use Intrusion Detection Systems
  • Force HTTPS

Question -7: What is a DDOS attack and how to prevent it?

This is a crucial Cybersecurity Interview Question. DDOS (Distributed Denial Of Service) attack is a cyberattack in which servers refuse to offer services to legitimate clients. There are two types of DDOS attacks:

Flooding attacks: In this type, the hacker sends vast amounts of traffic to the server that the server cannot handle. The server is then unable to function. This attack is often carried out by automated programs that send packets to the server continuously.

Crash attacks: This type of attack involves hackers exploiting a vulnerability in the server, causing the system to crash and preventing the client from receiving service.

These are some of the ways you can stop DDOS attacks:

  • Take advantage of Anti-DDOS services.
  • Manage Traffic Spikes
    Configure Routers and Firewalls.
  • Use front-end hardware
    implement Load Balancing.

Question -8: What is an XSS attack, and how to prevent it?

XSS (Cross-Site Scripting). This cyberattack allows hackers to insert malicious client-side scripts onto web pages. XSS can be used for hacking sessions, stealing cookies, modifying DOM, executing remote code, and crashing the server.

These are some ways to prevent XSS attacks:

  • Validate and Santizr user inputs
  • Encode special characters
  • Use Anti-XSS tools/services
  • Use XSS HTML filter

Question – 9: What is SQL Injection and how to prevent it?

SQL Injection(SQLi), a code injection attack, is where an attacker manipulates data sent to the server to execute malicious SQL statement to control a web app’s database server. This allows for access, modification, and deletion of unauthorized data. This attack is used to overthrow database servers.

These practices can help you prevent SQL Injection attacks:

  • Prepared statements are best.
  • Be sure to use stored procedures.
  • Always Validate user input.

Question – 10: IT personnel received a lot of complaints about a campus computer sending Viagra spam. The IT team investigated and found that a hacker had placed a program on the computer to automatically send spam emails without the owner’s knowledge.

How did the hacker get into the computer?

It was actually a result of a hacked password or passphrase. It is important to protect passwords from being easily guessable. Passwords should at a minimum be 8 characters long and contain a mix of upper and lowercase letters, numbers, symbols, and other characters.

Hacked passwords may not be the only reason, other possible causes include.

  • Patches/updates out of date
  • Anti-virus software is not up-to-date or inactive


Cybersecurity is a rapidly changing field. You need to stay on top of the latest developments in cybersecurity to protect your system and network from sophisticated and sneaky cyber threats. Hackers operate in a variety of ways. They can work alone, with others, or with the help of a government. To be vigilant against malicious cyber actors and their unending cyberattacks, keep your reactive and proactive security up to date.

These 30 questions and answers will help to brush up on your knowledge, before you go for an interview

Interested in kickstarting your career in Cybersecurity no matter your educational background or experience? Click Here to find out.


Care to Share? Please spread the word :)