Security Interview Prep Series — 2. Open-ended questions

Shraddha M.
5 min read · Jan 14, 2025


1. How do you harden a system?

  • Disable unnecessary services: Unused ports, services and software
  • Enforce strong authentication: MFA, Strong password policies
  • Restrict access: RBAC, Firewalls
  • Patch management: OS upgrade, software updates, regular patch cycles
  • File system integrity: Encryption (BitLocker), enable audit logs
  • Log monitoring: SIEM tool, syslog

2. How do you elevate permissions?

  • Achieve sudo permissions (Linux)
  • Achieve admin access (Windows)
  • Exploit vulnerabilities

3. How do you harden a home network?

  • Secure your WiFi: WPA3, strong passwords, Disable SSID broadcasting for hidden networks
  • Firewall rules: Router rules to disable unnecessary ports
  • Segmentation: Isolate IoT devices from main networks using VLANs
  • Regular updates
  • Monitor traffic: Pi-hole for DNS filtering

4. What would you do if you discovered an infected host?

  • Contain the host from the network: Stop the spread.
  • Check the spread: Look for indicators of compromise (IoCs), check for malicious process, verify logs
  • Remove malware: Use next-gen EDR/anti-virus tools or manually remove the malware
  • Patch the vulnerabilities: Apply security patches, update security misconfigurations.
  • Monitor the environment and rescan the whole environment to check the spread.
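The "check the spread" step is where most of the time goes: once the first host is contained, its indicators of compromise are swept across the rest of the fleet's logs to find which other hosts touched the same infrastructure, and in what order. The following is an added example (not from the article): a small IoC sweep over constructed proxy/DNS/EDR log lines in key=value form. The IoC values, hostnames and log lines are all constructed; the domain and IP use reserved documentation ranges and the hash is computed from a constructed byte string.

```python
import hashlib
import re

# Constructed IoC set, as it might come out of triage on the contained host.
# Domain/IP use reserved documentation values; the hash is computed here from a
# constructed byte string so the example stays self-contained.
IOCS = {
    "domain": {"update-check.example.net"},
    "ip": {"203.0.113.45"},
    "sha256": {hashlib.sha256(b"constructed-sample-dropper").hexdigest()},
}

# Constructed proxy / DNS / EDR log lines (key=value style); not real telemetry.
SAMPLE_LOGS = [
    "2025-01-14T09:58:02Z src=proxy host=ws-017 dst=update-check.example.net action=allow",
    "2025-01-14T09:58:40Z src=dns host=ws-017 query=update-check.example.net rcode=NOERROR",
    "2025-01-14T10:03:11Z src=proxy host=ws-042 dst=203.0.113.45 action=allow",
    "2025-01-14T10:05:57Z src=proxy host=ws-042 dst=www.example.com action=allow",
    f"2025-01-14T10:12:30Z src=edr host=srv-db01 sha256={next(iter(IOCS['sha256']))} path=C:\\Users\\Public\\svc.exe",
    "2025-01-14T10:20:00Z src=dns host=ws-099 query=www.example.com rcode=NOERROR",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into its timestamp and a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV_RE.findall(rest))


def match_iocs(fields, iocs=IOCS):
    """Return the set of (type, value) IoCs that appear anywhere in one event."""
    hits = set()
    for value in fields.values():
        for kind, values in iocs.items():
            if value.lower() in values:
                hits.add((kind, value.lower()))
    return hits


def sweep(lines, iocs=IOCS):
    """Map each host to its IoC hits and first sighting, to scope the spread."""
    hosts = {}
    for line in lines:
        ts, fields = parse_line(line)
        hits = match_iocs(fields, iocs)
        host = fields.get("host")
        if not hits or not host:
            continue
        entry = hosts.setdefault(host, {"first_seen": ts, "iocs": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO-8601 sorts as text
        entry["iocs"] |= hits
    return hosts


def containment_order(lines, iocs=IOCS):
    """Hosts ordered by first sighting; the earliest is the likely patient zero."""
    hosts = sweep(lines, iocs)
    return sorted(hosts, key=lambda h: hosts[h]["first_seen"])


if __name__ == "__main__":
    for host in containment_order(SAMPLE_LOGS):
        print(host, sweep(SAMPLE_LOGS)[host])
```

Hosts that only resolved or contacted benign destinations (ws-099 above) stay out of the result, which is the point of matching on the IoC set rather than on "anything unusual"; the rescan described in the last bullet is the same sweep run again after remediation, with an IoC set that has grown to include whatever the cleanup found.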

5. How do you analyze the memory dump of a potentially compromised system?

  • Use tools like volatility
  • Identify the suspicious process, DLL(s), executables
  • Check for unauthorized network connections
  • Look for strings, hashes, IoCs
  • Document the findings

6. How would you reverse engineer a custom protocol packet?

  • Capture packets: Wireshark to capture traffic
  • Analyze headers: Identify patterns, fields and lengths in the packet structure.
  • Reconstruct the protocol: Infer the protocol logic by analyzing behavior and responses.
  • Test hypotheses: Craft custom packets to validate your understanding.
  • Document the findings
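As an added illustration of the "analyze headers", "reconstruct" and "test hypotheses" steps (this code is not from the article), the block below works a constructed capture of a made-up protocol. The layout, magic bytes and frames are all assumptions made for the example: a hypothesis that "bytes 4-5 are a big-endian length" is tested against every captured frame, and a parser built on the full hypothesis is validated by its CRC check, which is what catches a wrong field boundary or a mis-sized payload.

```python
import struct
import zlib

# Hypothesised layout, inferred from a (constructed) capture of a made-up
# protocol; nothing here is from the article:
#   magic(2) | version(1) | msg_type(1) | length(2, big-endian) | payload | crc32(4)
MAGIC = b"\xca\xfe"
HEADER = struct.Struct(">2sBBH")
TRAILER = struct.Struct(">I")


def build_frame(version, msg_type, payload):
    """Craft a frame under the hypothesis; used here to construct sample data
    and to check that the hypothesis round-trips."""
    body = HEADER.pack(MAGIC, version, msg_type, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


# Constructed "capture": three frames as they might be seen on the wire.
RAW_FRAMES = [
    build_frame(1, 0x01, b"HELLO"),
    build_frame(1, 0x02, b"\x00\x10user"),
    build_frame(1, 0x03, b""),
]
CAPTURE = b"".join(RAW_FRAMES)


def check_length_hypothesis(raw_frames, offset, width, byteorder):
    """Test 'bytes [offset, offset+width) encode the frame length'. Returns the
    fixed overhead (frame length minus field value) when it is identical for
    every frame, else None, meaning that field is not a length."""
    overheads = set()
    for raw in raw_frames:
        if len(raw) < offset + width:
            return None
        value = int.from_bytes(raw[offset:offset + width], byteorder)
        overheads.add(len(raw) - value)
    return overheads.pop() if len(overheads) == 1 else None


def parse_frame(data):
    """Parse one frame at the start of data. Returns (frame, bytes consumed) or
    raises ValueError when the bytes contradict the hypothesis."""
    if len(data) < HEADER.size + TRAILER.size:
        raise ValueError("truncated header")
    magic, version, msg_type, length = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    end = HEADER.size + length
    if len(data) < end + TRAILER.size:
        raise ValueError("truncated payload")
    (crc,) = TRAILER.unpack_from(data, end)
    expected = zlib.crc32(data[:end]) & 0xFFFFFFFF
    if crc != expected:
        raise ValueError(f"crc mismatch {crc:#010x} != {expected:#010x}")
    frame = {"version": version, "type": msg_type, "payload": data[HEADER.size:end]}
    return frame, end + TRAILER.size


def parse_stream(data):
    """Walk a capture frame by frame using the length field to find boundaries."""
    frames, offset = [], 0
    while offset < len(data):
        frame, used = parse_frame(data[offset:])
        frames.append(frame)
        offset += used
    return frames


def is_valid_frame(data):
    """True when the bytes satisfy every part of the hypothesis, CRC included."""
    try:
        parse_frame(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("length field at [4:6]? overhead =", check_length_hypothesis(RAW_FRAMES, 4, 2, "big"))
    print("length field at [2:3]? overhead =", check_length_hypothesis(RAW_FRAMES, 2, 1, "big"))
    for frame in parse_stream(CAPTURE):
        print(frame)
```

The length-field check is the kind of test you run before committing to a layout: the candidate at offset 2 (the version byte) gives a different "overhead" for every frame and is rejected, while offset 4 gives a constant 10 bytes (6 header + 4 trailer) across all frames. A crafted packet that the real implementation accepts but this parser rejects, or vice versa, means the hypothesis still has a gap, which is exactly what the "test hypotheses" bullet is after.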

7. What do you do if a user brings you a PC that is acting ‘weird’? You suspect malware.

  • Understand symptoms: Ask the user what they have observed (e.g. slow performance, pop-ups, unauthorized logins)
  • Isolate the system: Network isolation (Do not disconnect the PC without consulting a forensic expert).
  • Boot into safe mode: Restart the PC in safe mode to prevent non-essential apps from running (including potential malware)
  • Run antivirus/anti-malware scans: Use tools such as MalwareBytes, Windows Defender or specialized bootable antivirus utilities
  • Analyze running processes: Use tools like task manager or process explorer to identify suspicious processes or services
  • Check startup programs: Review startup items for unauthorized or suspicious entries.
  • Inspect network traffic: Use tools like Wireshark or TCPDump to monitor unusual outbound connections.
  • Check logs and files: Analyze system logs and recent file modifications for signs of tampering.
  • Quarantine and remove malware: If malware is detected, quarantine and remove it using antivirus software.
  • Backup data and reinstall OS: Backup data (only if there is no infection) and reinstall OS. Always use incremental backups (recover backup from the version before the security incident).
  • Apply patches and updates: Ensure the system is fully updated and patched to prevent future infections.
  • Educate the user: Train the user on safe browsing practices, email phishing awareness and the importance of updates.

8. Our database was stolen/exfiltrated. It was secured with one round of SHA256 with a static salt. What do we do now? Are we at risk? What do we change?

  • Assess the breach: Identify how the breach occurred. Isolate affected systems to prevent further data loss.
  • Inform stakeholders: Notify affected users and legal teams based on regulatory requirements.
  • Monitor for abuse: Monitor for leaked data on dark web forums or other platforms. Watch for unauthorized logins using stolen credentials.
  • The company will be at risk. SHA256 with static salt is insufficient to resist brute force or rainbow table attacks if the salt is disclosed.
  • Improvements:
  1. Strengthen password hashing: Switch to strong password hashing algorithms designed for security such as Argon2, bcrypt, PBKDF2.
  2. Force password resets: Immediately enforce password resets for all affected users.
  3. Enhance database security: Encrypt data at rest. Implement MFA for database access.
  4. Develop incident response plan.
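To make the "why" of improvement 1 concrete, here is an added example (not code from the article) that puts the legacy scheme next to a hardened one and shows the migration path. It uses PBKDF2-HMAC-SHA256 from the Python standard library because Argon2 and bcrypt need third-party packages; the static salt, the sample users, their passwords and the guess list are all constructed for the example. The exposure counters only count digest computations, to show the difference a per-user salt makes.

```python
import hashlib
import hmac
import secrets

# Legacy scheme from the question: one SHA-256 round over a static,
# application-wide salt. The salt value is constructed for this example.
LEGACY_SALT = b"static-app-salt"


def legacy_hash(password):
    return hashlib.sha256(LEGACY_SALT + password.encode()).hexdigest()


# Hardened scheme: PBKDF2-HMAC-SHA256 with a 16-byte per-user random salt and a
# high iteration count. The record is self-describing (algorithm$iterations$salt$dk)
# so the cost can be raised later without another migration.
PBKDF2_ITERATIONS = 600_000
DIRECT = "pbkdf2_sha256"
WRAPPED = "pbkdf2_sha256_wrapped_legacy"


def _derive(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations).hex()


def new_hash(password, iterations=PBKDF2_ITERATIONS):
    salt = secrets.token_bytes(16)
    return f"{DIRECT}${iterations}${salt.hex()}${_derive(password.encode(), salt, iterations)}"


def migrate_legacy_record(legacy_digest_hex, iterations=PBKDF2_ITERATIONS):
    """Wrap an existing SHA-256 digest in PBKDF2 without knowing the password.
    This hardens the live table immediately; it does nothing for the copy that
    was already stolen, which is why the password resets are still forced."""
    salt = secrets.token_bytes(16)
    return f"{WRAPPED}${iterations}${salt.hex()}${_derive(legacy_digest_hex.encode(), salt, iterations)}"


def verify(password, record):
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo == DIRECT:
        secret = password.encode()
    elif algo == WRAPPED:
        secret = legacy_hash(password).encode()
    else:
        raise ValueError(f"unknown record type {algo}")
    computed = _derive(secret, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(computed, dk_hex)  # constant-time comparison


def login_and_upgrade(password, record):
    """Verify a login; on success, replace a wrapped-legacy record with a direct
    one now that the plaintext is available. Returns (ok, record_to_store)."""
    if not verify(password, record):
        return False, record
    if record.startswith(WRAPPED + "$"):
        return True, new_hash(password, int(record.split("$")[1]))
    return True, record


# Constructed sample users and a constructed guess list.
SAMPLE_PASSWORDS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "x9#Lq!vT2pR"}
CANDIDATES = ["password", "Summer2024!", "letmein"]


def legacy_exposure(stored, candidates):
    """Static salt: one digest per candidate is compared against every user, and
    users with the same password share a digest. Returns (matched, digests)."""
    matched = digests = 0
    for cand in candidates:
        digest = legacy_hash(cand)
        digests += 1
        matched += sum(1 for h in stored.values() if h == digest)
    return matched, digests


def hardened_exposure(stored, candidates):
    """Per-user salt: every (user, candidate) pair costs a full PBKDF2 run."""
    matched = digests = 0
    for record in stored.values():
        for cand in candidates:
            digests += 1
            if verify(cand, record):
                matched += 1
    return matched, digests
```

With the legacy table, alice and bob have identical digests and three digest computations test all three users; with per-user salts the same guess list costs nine PBKDF2 runs of 600,000 iterations each, and identical passwords no longer reveal themselves by identical records. The wrap-then-upgrade path lets the live database be hardened in one batch job, with each record converted to a direct hash the next time its user logs in with the new password.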

9. Given a CVE, Walk Us Through It and How the Solution Works

CVE-2022-22965: Spring4Shell Vulnerability

Summary: A remote code execution (RCE) vulnerability in Spring Framework when running on JDK 9+.

Exploitation: Exploits the @RequestMapping mechanism to inject malicious payloads. Attacker modifies classLoader properties to upload arbitrary files.

Impact: Full control of the target server.

Solution: Update to patched Spring Framework versions (5.3.18 or 5.2.20). Use security configurations to disable classLoader manipulation.

10. How Would You Analyze a Suspicious Email Link?

Initial Inspection: Hover over the link to check the URL. Look for typo-squatting or unusual domains (e.g., paypall-secure.com).

Analyze the Email Headers: Check the From and Reply-To fields for spoofing. Validate the email’s SPF, DKIM, and DMARC records.

Check the Link in a Sandbox: Use a virtual machine or sandbox to open the link safely.

Use Online Tools: Scan the URL using services like VirusTotal or URLScan.io.

Decompile the HTML: Look for embedded scripts or obfuscated code.

Behavior Analysis: If the link downloads a file, inspect it for known malware signatures. Analyze network traffic for suspicious connections.

Report: Notify your IT/security team and report the link to anti-phishing services.
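The initial-inspection step can be turned into a repeatable check, which is what the following added example does (it is not from the article). It pulls the host out of a URL and flags the indicators listed above plus a few related ones: a brand name that only appears as a subdomain of an unrelated domain, a brand combined with extra words, digit-for-letter substitutions, one- or two-character typos, punycode labels, a raw IP host, and the userinfo "@" trick. The brand list and all sample URLs are constructed; the article's own paypall-secure.com example is among them. Treating the last two labels as the registrable domain is a simplification noted in the code.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed brand list; an organisation would load its own brands and partners.
KNOWN_BRANDS = {"paypal", "microsoft", "google", "apple"}
# Common digit-for-letter substitutions seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "8": "b"})


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Simplification: treat the last two labels as the registrable domain.
    A real tool would consult the Public Suffix List (co.uk and similar)."""
    labels = host.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze_url(url):
    """Return a list of human-readable findings. An empty list means no
    lookalike indicator fired, which is not proof that the link is safe."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host component in URL"]
    if parts.username is not None:
        findings.append("userinfo before '@': the text before '@' is not the host")
    try:
        ipaddress.ip_address(host)
        findings.append(f"raw IP address as host: {host}")
        return findings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible homoglyph (IDN) domain")
    reg, subdomains = registrable_domain(host)
    for label in subdomains:
        if label in KNOWN_BRANDS:
            findings.append(f"brand '{label}' appears only in a subdomain of {reg}")
    sld = reg.split(".")[0]
    if sld in KNOWN_BRANDS:
        return findings
    # Compare the whole second-level label and each hyphen-separated word.
    tokens = {t for t in {sld, *sld.split("-")} if t}
    for token in sorted(tokens):
        normalized = token.translate(HOMOGLYPHS)
        for brand in sorted(KNOWN_BRANDS):
            limit = 2 if len(brand) > 5 else 1  # tighter bound for short brands
            if token == brand:
                findings.append(f"brand '{brand}' combined with other words in {reg}")
            elif normalized == brand or levenshtein(token, brand) <= limit:
                findings.append(f"lookalike of '{brand}' in {reg}")
    return findings


if __name__ == "__main__":
    # Constructed sample links; none of these are real phishing URLs.
    for sample in ["https://www.paypal.com/signin", "https://paypall-secure.com/login",
                   "https://paypal.com.account-verify.net/", "http://paypal.com@198.51.100.7/"]:
        print(sample, "->", analyze_url(sample) or ["no indicators"])
```

The result is a triage aid for the hover step, not a verdict: the genuine www.paypal.com produces nothing, while paypall-secure.com is reported as a lookalike of the brand. Anything it flags still goes through the header check, sandbox and reputation services described in the following steps.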

11. Explain Data Leakage and Give Examples of Some of the Root Causes

Data leakage refers to unauthorized transfer or exposure of sensitive information to unintended parties.

  1. Human Error: Misconfigured servers, accidental email misdelivery.
  2. Insider Threats: Employees intentionally or unintentionally leaking data.
  3. Weak Access Controls: Excessive privileges or unprotected endpoints.
  4. Unsecured Devices: Lost or stolen laptops or mobile devices.
  5. Malware/Phishing: Attackers exfiltrate data using malicious tools.
  6. Shadow IT: Usage of unapproved applications or cloud storage.

12. What Are Some Effective Ways to Control Data Leakage?

  1. Data Loss Prevention (DLP) Tools: Monitor and control sensitive data movement.
  2. Encryption: Protect data in transit and at rest.
  3. Access Controls: Implement least privilege and multi-factor authentication.
  4. Endpoint Protection: Secure devices using antivirus and device control policies.
  5. Employee Training: Educate users on phishing, secure file sharing, and shadow IT risks.
  6. Auditing and Monitoring: Log and review access to sensitive data regularly.

13. Describe the 80/20 Rule of Networking

The 80/20 rule states that 80% of network traffic is local (within a LAN), while 20% is external (e.g., to the internet).

  • Implications: Design networks with local traffic optimization (e.g., VLANs, local servers).
  • Modern Context: The rise of cloud services and remote work has shifted the ratio, making external traffic more significant.

14. You’re working in the SOC when you receive three different alerts. Each is high-criticality and has a 30-minute SLA timer. You are also the only analyst working on shift. The alerts are as follows:
- Potential infostealer on an executive’s personal device
- Potential persistence mechanism detected on a production Windows server
- Outbound traffic detected from a Domain Controller

1. Domain controller
2. Persistence on production server
3. Infostealer on executive phone

I would work on the alert for the Domain Controller outbound traffic first because Domain Controllers (DCs) are critical infrastructure. If a DC is compromised, it can lead to a full domain takeover. After handling the DC alert, I would address the potential persistence mechanism on the production Windows server, as persistence can indicate an active foothold by an attacker. Lastly, I would investigate the infostealer on the executive’s personal device, since personal devices are important but may not directly impact core infrastructure.
