JMN Academy

SOC ANALYST INTERVIEW QUESTIONS – siemxpert 16/02/2022

SOC Analyst Interview Questions

1. Explain risk, vulnerability and threat?

TIP: A good way to start this answer is by explaining vulnerability and threat, and then risk. Back this up with an easy-to-understand example. A vulnerability (weakness) is a gap in the protection efforts of a system; a threat is an attacker who exploits that weakness. Risk is the measure of potential loss when the vulnerability is exploited by the threat, e.g. a default username and password for a server: an attacker can easily crack into this server and compromise it.

2. What is the difference between Asymmetric and Symmetric encryption and which one is better?

TIP: Keep the answer simple as this is a vast topic. Symmetric encryption uses the same key for both encryption and decryption, while asymmetric encryption uses different keys for encryption and decryption. Symmetric is usually much faster but the key needs to be transferred over an unencrypted channel. Asymmetric, on the other hand, is more secure but slow. Hence a hybrid approach should be preferred: set up a channel using asymmetric encryption and then send the data using a symmetric process.

3. What is an IPS and how does it differ from IDS?

IDS is an intrusion detection system whereas IPS is an intrusion prevention system. An IDS will just detect the intrusion and leave the rest to the administrator for further action, whereas an IPS will detect the intrusion and take further action to prevent it. Another difference is the positioning of the devices in the network: although they work on the same basic concept, the placement is different.

4. What is XSS, how will you mitigate it?

Cross-site scripting is a JavaScript vulnerability in web applications. The easiest way to explain this is the case where a user enters a script in the client-side input fields and that input gets processed without being validated. This leads to untrusted data getting saved and executed on the client side. Countermeasures for XSS are input validation, implementing a CSP (Content Security Policy), etc.
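The three countermeasures named above, as an added example (not code from the siemxpert post): the vulnerable concatenation beside its output-encoded form, an allow-list validator for a fixed-shape field, and a CSP response header. The sample comment string and the username rule are constructed for the example.

```python
import html
import re

# Constructed sample input for the example: a comment body carrying script markup.
SAMPLE_COMMENT = '<script>alert(1)</script> nice "post"'

def render_comment_vulnerable(comment):
    """The case the answer describes: untrusted input is concatenated into
    markup without validation or encoding, so the browser executes it."""
    return "<p>" + comment + "</p>"

def render_comment_safe(comment):
    """Output encoding: every HTML-significant character (< > & " ') becomes
    an entity, so the browser displays the text instead of running it."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"

# Input validation for a field whose shape is known: allow-list the characters
# a username may contain instead of trying to block "bad" ones (constructed rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def validate_username(name):
    return USERNAME_RE.fullmatch(name) is not None

def csp_header():
    """Name and value of a Content Security Policy response header that allows
    scripts only from the site's own origin and no inline script, so an injected
    <script> or onerror= handler that slips past encoding still does not run.
    The source list is an assumption; tune it for a real application."""
    policy = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'self'; frame-ancestors 'none'")
    return ("Content-Security-Policy", policy)
```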

5. What is the difference between encryption and hashing?

TIP: Keep the answer short and straight.

Point 1: Encryption is reversible whereas hashing is irreversible. Hashing can be cracked using rainbow tables and collision attacks but is not reversible.

Point 2: Encryption ensures confidentiality whereas hashing ensures Integrity.

6. Are you a coder/developer or know any coding languages?

TIP: You are not expected to be a PRO; understanding of the language will do the job.

Although this is not something an information security professional is expected to know, knowledge of HTML, JavaScript and Python can be of great advantage. HTML and JavaScript can be used in web application attacks, whereas Python can be used to automate tasks, exploit development, etc. A little knowledge of the three can be of great advantage, both in the interview and on the floor.

7. What is CSRF?

Cross-Site Request Forgery is a web application vulnerability in which the server does not check whether the request came from a trusted client or not; the request is just processed directly. This can be followed by the ways to detect it, examples, and countermeasures.
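The missing server-side check described above, as an added example (not from the original post): a session-bound CSRF token verified in constant time, combined with an Origin/Referer check. The trusted origin, session id and secret are assumed values for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed origin of the application for this example.
TRUSTED_ORIGIN = "https://app.example.com"

def issue_csrf_token(session_id, secret):
    """Derive the token from the session id with a server-side secret (HMAC).
    The token is bound to one session, so a value captured elsewhere does not
    validate here, and the server stores nothing extra."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def origin_of(headers):
    """Best available statement of where the request came from: the Origin
    header, or the scheme://host part of Referer when Origin is absent."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None

def request_is_trusted(headers, form, session_id, secret):
    """The check the answer says a vulnerable server omits. Both conditions
    must hold: the browser reports our own origin, and the form carries the
    token that belongs to this session."""
    if origin_of(headers) != TRUSTED_ORIGIN:
        return False
    expected = issue_csrf_token(session_id, secret)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(expected, supplied)
```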

8. What is a Security Misconfiguration?

Security misconfiguration is a vulnerability where a device/application/network is configured in a way that an attacker can exploit. This can be as simple as leaving the default username/password unchanged, or setting one that is too simple, for device accounts, etc.

9. What is a Black hat, white hat, and Grey hat hacker?

TIP: Keep the answer simple.

Black hat hackers are those who hack without authority. White hat hackers are authorized to perform a hacking attempt under a signed NDA. Grey hat hackers are white hat hackers who sometimes perform unauthorized activities.

10. What is a firewall?

TIP: Be simple with the answer, as this can get complex and lead to looped questions.

A firewall is a device that allows/blocks traffic as per the defined set of rules. These are placed on the boundary of trusted and untrusted networks.

11. How do you keep yourself updated with the information security news?

TIP: Just in case you haven't followed any: The Hacker News, Threatpost, Pentest Mag etc.

Be sure to check and follow a few security forums so that you get regular updates on what is happening in the market and about the latest trends and incidents.

12. The world has recently been hit by ……. Attack/virus etc. What have you done to protect your organization as a security professional?

Different organizations work in different ways; the way an incident is handled is different for all. Some take this seriously and some do not. The answer to this should be the process to handle an incident. Align this with the one you had and go on… just don't exaggerate.

13. CIA triangle?

Confidentiality: Keeping the information secret.

Integrity: Keeping the information unaltered.

Availability: Information is available to the authorized parties at all times.

14. HIDS vs NIDS and which one is better and why?

HIDS is a host intrusion detection system and NIDS is a network intrusion detection system. Both systems work along similar lines; it's just that the placement is different. HIDS is placed on each host whereas NIDS is placed in the network. For an enterprise, NIDS is preferred as HIDS is difficult to manage, plus it consumes the processing power of the host as well.

15. What is port scanning?

Port scanning is the process of sending messages in order to gather information about the network, system, etc. by analyzing the response received.

16. What is the difference between VA and PT?

Vulnerability Assessment is an approach used to find flaws in an application/network, whereas Penetration Testing is the practice of finding exploitable vulnerabilities as a real attacker would. VA is like travelling on the surface whereas PT is digging into it for gold.

17. What should be included in a good penetration testing report?

A VAPT report should have an executive summary explaining the observations at a high level along with the scope, period of testing etc. This can be followed by the number of observations, split category-wise into high, medium and low. Also include detailed observations along with replication steps, screenshots of the proof of concept and the remediation.

18. What is compliance?

Abiding by a set of standards set by a government/independent party/organization. E.g. an industry which stores, processes or transmits payment-related information needs to comply with PCI DSS (Payment Card Industry Data Security Standard). Another compliance example is an organization complying with its own policies.

19. Tell us about your Personal achievements or certifications?

Keep this simple and relevant; getting a SOC certification by SIEM XPERT can be one personal achievement. Explain how it started and what kept you motivated, how you feel now and what your next steps are.

20. Various response codes from a web application?

1xx – Informational responses
2xx – Success
3xx – Redirection
4xx – Client-side error
5xx – Server-side error

21. When do you use tracert/traceroute?

In case you can’t ping the final destination, tracert will help to identify where the connection stops or gets broken, whether it is the firewall, ISP, router, etc.

22. DDoS and its mitigation?

DDoS stands for distributed denial of service. A network/server/application is flooded with a large number of requests which it is not designed to handle, making the server unavailable to legitimate requests. The requests can come from many unrelated sources, hence it is a distributed denial-of-service attack. It can be mitigated by analyzing and filtering the traffic in scrubbing centres. Scrubbing centres are centralized data-cleansing stations where the traffic to a website is analyzed and the malicious traffic is removed.

23. What is a WAF and what are its types?

TIP: This topic is usually not asked in detail.

WAF stands for web application firewall. It is used to protect the application by filtering malicious traffic out of legitimate traffic. A WAF can be either a box type or cloud-based.

24. Explain the objects of basic web architecture?

TIP: Different organizations follow different models and networks. BE GENERIC.

A basic web architecture should contain a front-ending server, a web application server and a database server.

29. How do you handle AntiVirus alerts?

Check the policy for the AV and then the alert. If the alert is for a legitimate file then it can be whitelisted, and if it is a malicious file then it can be quarantined/deleted. The hash of the file can be checked for reputation on various websites like VirusTotal, malwares.com, etc. The AV needs to be fine-tuned so that the alerts can be reduced.
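The hash-based part of that triage, as an added example (not from the original post): compute the hashes a reputation site accepts and map the file to whitelist, quarantine or "look it up". The allowlist and blocklist entries are constructed for the example; in practice they come from the AV policy and threat intelligence.

```python
import hashlib

def hashes_of(data):
    """MD5, SHA-1 and SHA-256 of the file content; reputation services such as
    VirusTotal accept a lookup by any of them."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}

def file_hashes(path):
    """Same digests for a file on disk (read whole; fine for typical samples)."""
    with open(path, "rb") as f:
        return hashes_of(f.read())

# Constructed lists for the example. Keys are SHA-256 digests of made-up content.
ALLOWLIST = {hashes_of(b"approved internal tool v1.2")["sha256"]: "internal-tool.exe"}
BLOCKLIST = {hashes_of(b"known bad sample")["sha256"]: "commodity stealer (constructed)"}

def triage(data):
    """Map an alerted file to the answer's outcomes. The blocklist is consulted
    first so a stale allowlist entry can never shadow a known-bad hash.
    Returns (action, detail): 'quarantine' / 'whitelist' with the list label,
    or 'check_reputation' with the SHA-256 to look up."""
    sha256 = hashes_of(data)["sha256"]
    if sha256 in BLOCKLIST:
        return "quarantine", BLOCKLIST[sha256]
    if sha256 in ALLOWLIST:
        return "whitelist", ALLOWLIST[sha256]
    return "check_reputation", sha256
```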

30. What is a false positive and false negative in case of IDS?

When the device generates an alert for an intrusion that has actually not happened, this is a false positive; if the device has not generated any alert and the intrusion has actually happened, this is the case of a false negative.

31. Which one is more acceptable?

False positives are more acceptable. False negatives will lead to intrusions happening without getting noticed.

32. Software testing vs. penetration testing?

Software testing just focuses on the functionality of the software and not the security aspect. Penetration testing will help identify and address security vulnerabilities.

33. What are your thoughts about Blue team and red team?

A red team is the attacker and a blue team the defender. Being on the red team seems fun, but being on the blue team is difficult as you need to understand the attacks and methodologies the red team may follow.

34. What is your preference – bug bounty or security testing?

Both are fine; just support your answer, e.g. bug bounty is decentralized, can identify rare bugs, has a large pool of testers etc.

35. Tell us about your Professional achievements/major projects?

This can be anything, like setting up your own team and processes or a security practice you have implemented. Even if the achievement is not from a security domain, just express it well.

36. 2 quick points on web server hardening?

TIP: This is a strong topic; give the exact answer and carry on the conversation from there.

Web server hardening is the filtering of unnecessary services running on various ports and the removal of default test scripts from the servers. Web server hardening is a lot more than this, though, and usually organizations have a customized checklist for hardening the servers. Any server getting created has to be hardened, and hardening has to be re-confirmed on a yearly basis. Even the hardening checklist has to be reviewed on a yearly basis for new add-ons.

37. What is data leakage? How will you detect and prevent it?

A data leak is when data gets out of the organization in an unauthorized way. Data can get leaked in various ways: emails, prints, laptops getting lost, unauthorized upload of data to public portals, removable drives, photographs, etc. There are various controls which can be put in place to ensure that the data does not get leaked; a few controls are restricting uploads to internet websites, deploying an internal encryption solution, restricting mail to the internal network, restrictions on printing confidential data, etc.

38. What are the different levels of data classification and why are they required?

Data needs to be segregated into various categories so that its severity can be defined; without this segregation a piece of information can be critical for one person but not so critical for others. There can be various levels of data classification depending on the organization; in broader terms data can be classified into:

Top secret – Its leakage can cause a drastic effect on the organization, e.g. trade secrets etc.

Confidential – Internal to the company e.g. policy and processes.

Public – Publicly available, like newsletters etc.

39. In a situation where a user needs admin rights on his system to do daily tasks, what should be done – should admin access be granted or restricted?

Users are usually not provided with admin access, to reduce the risk, but in certain cases users can be granted admin access. Just ensure that the users understand their responsibility. In case any incident happens, the access should be provided for only a limited time, post senior management approval and a valid business justification.

40. What are your views on usage of social media in office?

TIP: Keep an open mind with these kinds of questions.

Social media is acceptable; just ensure content filtering is enabled and uploading features are restricted. Read-only mode is acceptable as long as it does not interfere with work.

41. What are the various ways by which employees are made aware of information security policies and procedures?

There can be various ways in which this can be done:

Employees should undergo mandatory information security training after joining the organisation. This should also be done on a yearly basis, and can be either a classroom session followed by a quiz or an online training.

Sending out notifications on a regular basis in the form of slides, one-pagers, etc. to ensure that employees are kept aware.

42. In a situation where both open source software and licensed software are available to get the job done, what should be preferred and why?

TIP: Think from a security perspective and not from the functionality point of view.

For an enterprise, it is better to go for the licensed version of the software, as most such software has an agreement clause that it should be used for individual usage and not for commercial purposes. Plus, the licensed version is updated and easy to track in an organization. It also helps clients develop confidence in the organization's software and practices.

43. When should a security policy be revised?

There is no fixed time for reviewing the security policy, but all of this should be done at least once a year. Any changes made should be documented in the revision history and version of the document. In case there are any major changes, the users need to be notified as well.

44. What should be included in a CEO-level report from a security standpoint?

A CEO-level report should be no more than 2 pages, containing:

A summarized picture of the state of the security structure of the organization.

Quantified risk and ALE (Annual Loss Expectancy) results along with countermeasures.

45. How do you report risks?

Risk can be reported but it needs to be assessed first. Risk assessment can be done in 2 ways: quantitative analysis and qualitative analysis. This approach will cater to both technical and business people. The business person can see a probable loss in numbers whereas the technical people will see the impact and frequency. Depending on the audience, the risk can be assessed and reported.

46. What is an incident and how do you manage it?

Any event which leads to a compromise of the security of an organization is an incident. The incident process goes like this:

Identification of the Incident

Logging it (Details)

Investigation and root cause analysis (RCA)

Escalation or keeping the senior management/parties informed

Remediation steps

Closure report.

47. Is social media secure?

TIP: This is another debatable question but be generic.

It is hard to say whether the data is secure or not, but users can take steps from their end to ensure safety:

Connect with trusted people

Do not post/upload confidential information

Never use the same username and password for all accounts

48. Chain of custody?

For legal cases the data/device (evidence) needs to keep its integrity, hence any access needs to be documented: who, what, when and why. A compromise in this process can cause legal issues for the parties involved.
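A minimal custody record that enforces the "who, what, when and why" point above, as an added example (not from the original post): each entry carries the evidence hash and is chained to the previous entry, so an edited or removed entry, or an altered evidence file, is detectable. The case ids, names and evidence bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first entry

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only custody record for one piece of evidence. Every entry holds
    who / what / when / why, the hash of the evidence at that moment, and the
    hash of the previous entry, so a removed, reordered or edited entry, or an
    altered evidence file, shows up in verify()."""

    def __init__(self, case_id, evidence, acquired_by, when=None):
        self.case_id = case_id
        self.evidence_sha256 = sha256_hex(evidence)   # reference value at acquisition
        self.entries = []
        self.record(acquired_by, "acquired", "initial acquisition", evidence, when)

    def record(self, who, what, why, evidence, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"case": self.case_id, "who": who, "what": what, "when": when,
                 "why": why, "evidence_sha256": sha256_hex(evidence), "prev_hash": prev}
        # Hash the canonical (key-sorted) JSON of the entry so the chain is reproducible.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every link in the chain is intact and the evidence hash
        never changed after acquisition."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            if entry["evidence_sha256"] != self.evidence_sha256:
                return False
            prev = entry["entry_hash"]
        return True
```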

Source: https://www.siemxpert.com/blog/soc-analyst-interview-question/


14/06/2019

HOW TO WRITE A PhD LITERATURE REVIEW

1. Pick a topic

It can be as broad as you like, because this is just a starting point. If you are still picking your specific topic for your PhD, that’s fine, but you should at least know roughly what area you want to explore.

2. Find your way in

A quick Google Scholar search for your subject area could turn up as many as 1 million results. Clearly you can't read them all, so you need to look for an easy way in.

The vast majority of academic papers are written for people already familiar with the subject. They will refer to theories and methodologies assuming that the reader knows what they are.

So to start with just any paper at random would be a demoralizing waste of time, as you’ll be overwhelmed by the jargon. Instead, you need something you can understand easily to give yourself a foundation of knowledge to build upon.

Textbooks and review articles can be good places to start, though even these can be highly technical. If you can’t find one you can understand easily, then look for a book written for the general, non-academic public.

The idea is to gain a quick, broad background knowledge before getting into more specialised technical detail.

3. History, people & ideas

The idea of a literature review is to give some background and context to your own work. You need to show how your research fits into the big picture, relating it to what has been done before.

You don’t need to write a comprehensive history of your subject, but it helps if you know roughly how it has developed over time.

So as you read a few general introductions to your topic, you’ll start to get an overview of the key ideas and theories, who developed them, and when.

Also note any conflicting ideas, any controversy or disagreement in the field, as you’ll need to know this kind of thing.

Now you can start to look for specific papers.

4. Find the world-changing literature

Once you know who the world changers were, you can go in search of their papers.

You need to make sure you understand these key concepts, as they will help you decipher other papers which built upon these ideas.

Sometimes, those world changing papers can be tough to read, but as long as you know roughly what they did and understand the key principle, that’s enough.

5. Get specific

Only once you have a grasp of the key ideas in your field should you get more specific.

There may be several angles you can take in your research, and you may have to explore many areas of the literature. So divide your literature search into sections to make it easier to manage. For each section, think of several keywords to try out in different combinations.

6. Filter

Even when you look at highly specialised sub-topics, there may still be thousands upon thousands of papers, so you need to filter them. Here are a few ways to reduce the numbers:

Look at the number of citations as an indication of quality
Make your keywords more specific

Scan the abstract and make a quick decision as to whether it will be relevant or not

Don’t be afraid to reject papers. You can always come back to them later, but you have to start with something manageable.

7. Filter again

You might not be able to read everything in depth immediately. From the papers you selected, give them a ranking A, B, or C.

A = must read, highly relevant, high quality

B = unsure, probably relevant, but not yet sure how

C = probably irrelevant, not what you thought it was when you read the title

If you've printed them, put the letter A, B, or C on the front so you can tell quickly when you come back to them (maybe months or years later).

8. Use other people’s bibliographies

Even if you can only find one good quality paper, read the introduction carefully and see who they cite. There may be a few gems there you didn’t find with the search engine.

Also see who else has cited that one paper since it was published (this is also a very quick way to update your bibliography if you are coming back to it a year or more later).

9. Get to know the big players

In any research field, no matter how specialised, there will be leading experts or competing research groups. Figure out who they are, and read their work.

10. Make sure your research idea is original

As the saying goes, you can’t prove a negative. How can you prove that nobody else has done what you plan to do, without searching every paper ever published?

Well, it’s worth spending a day or two searching every keyword combination you can think of related to your specific research plan.

11. Write about ideas

When you finally start writing your literature review, focus on ideas and use examples from the literature to illustrate them.

Don’t just write about every paper you have found (I call this the telephone-directory approach), as it will be tedious to write and impossible to read.

The aim should always be to cite the best and most relevant research, rather than going for sheer quantity.

12. Remember, you aren’t writing a textbook

So you can leave out big chunks. Write about what is relevant to your research.

13. Vary the detail

When talking about a broad topic, only cite the very, very best papers. You'll have a lot to choose from, so why choose anything but the best?

Then when you get into more specialised sections, you can include a larger number of less well-known papers (but still the highest quality you can find).

14. Don’t cite anything…

Don’t cite anything you haven’t read or don’t understand

15. Get experience

Your perspective on the literature will be quite different once you have done your own research. If you are in your first year, get your literature review done quickly so you can move on with your own work, and don’t let it hold you back.

It takes time to figure out what makes a good paper and what makes a bad one, and that comes with experience of carrying out research, talking to other researchers, and just reading more.

Credit: James Hayton


Get the e-book "13 Fast and Easy Strategies to Graduate On Time"! --->>>http://researchjourneys.com/ (FREE)


Preparing Tomorrow's workforce

JMN Academy is an Authorized and globally recognized leader in the development and delivery of online, certified, instructor led, Computer Network and Security Training and Employment. JMN Academy has provided the best of IT education with state of the art infrastructure, as we understand that nothing but the intellect today can help a company grow.

JMN Academy provides training to Diploma / Undergraduate/ Graduate Students which is designed as entirely project based.

Address: Perundurai