Cyber Security Interview Guide
Master Cyber Security Interview Guide
Modern Attack Techniques & Security Mitigations
Built specifically around the requirements in the role description.
This guide only includes:
- Need-to-know concepts
- Simple explanations
- Interview-relevant terminology
- Core security understanding
XDR
What is XDR?
XDR stands for:
Extended Detection and Response
It is an advanced security platform that combines multiple security tools into one system.
Instead of security tools working separately:
- email security
- endpoint security
- firewall logs
- cloud logs
XDR connects them together.
Why is XDR useful?
Attackers rarely attack only one system.
Example:
- User receives phishing email
- Malicious file runs on laptop
- Credentials are stolen
- Attacker accesses cloud services
XDR links all those events together so security teams can detect attacks faster.
EDR
What is EDR?
EDR stands for:
Endpoint Detection and Response
It protects devices such as:
- laptops
- desktops
- servers
It monitors behaviour on devices looking for suspicious activity.
Difference Between Antivirus and EDR
| Antivirus | EDR |
|---|---|
| Looks for known malware | Looks for suspicious behaviour |
| Signature-based | Behaviour-based |
| Basic protection | Advanced detection and investigation |
SIEM
What is SIEM?
SIEM stands for:
Security Information and Event Management
A SIEM collects logs from multiple systems into one platform.
SOAR
What is SOAR?
SOAR stands for:
Security Orchestration, Automation and Response
It automates security tasks.
MFA
What is MFA?
MFA means:
Multi-Factor Authentication
Users must provide more than one form of authentication.
Usually:
- password
- mobile app approval/code
Zero Trust
What is Zero Trust?
Zero Trust assumes:
nobody should be automatically trusted.
Users and devices must continuously verify identity and security posture.
Conditional Access
What is Conditional Access?
Conditional Access controls WHEN users are allowed access.
Access depends on conditions such as:
- MFA passed
- Device compliant
- User location approved
- Risk level acceptable
Least Privilege
What does Least Privilege mean?
Users should only have the minimum access required for their job.
Lateral Movement
What is Lateral Movement?
After attackers compromise one machine, they try moving through the network to reach more valuable systems.
Network Segmentation
What is Network Segmentation?
Separating networks into smaller sections to limit attacker movement.
Defence in Depth
What does Defence in Depth mean?
Using multiple security layers because no single security control is perfect.
Ransomware
What is Ransomware?
Malware that encrypts files or systems and demands payment.
Modern ransomware groups often:
- steal data first
- then encrypt systems
This is called Double Extortion.
Phishing
What is Phishing?
Attackers trick users into:
- clicking malicious links
- downloading malware
- entering passwords
Usually through fake emails or websites.
Threat Hunting
What is Threat Hunting?
Proactively searching for threats that may not have triggered alerts.
IAM
What is IAM?
IAM stands for:
Identity and Access Management
It controls:
- who can access systems
- what they can do
- what permissions they have
AWS Security Groups
What are Security Groups?
Virtual firewall rules in AWS.
They control:
- inbound traffic
- outbound traffic
Terraform
What is Terraform?
Terraform is:
Infrastructure as Code (IaC)
Infrastructure is deployed using code instead of manual clicking.
KQL
What is KQL?
KQL stands for:
Kusto Query Language
Used to search and analyse logs in Microsoft tools like Sentinel.
Example:
SecurityEvent
| where EventID == 4625
NIST
What is NIST?
NIST is a cyber security framework that helps organisations manage security risk.
5 Core Functions
| Function | Meaning |
|---|---|
| Identify | Understand assets and risks |
| Protect | Implement security controls |
| Detect | Detect threats |
| Respond | Handle incidents |
| Recover | Restore services |
Mnemonic for NIST
“Identify Problems, Detect Risks Rapidly”
- Identify
- Protect
- Detect
- Respond
- Recover
CIA Triad
What is the CIA Triad?
The 3 core principles of security:
| Term | Meaning |
|---|---|
| Confidentiality | Only authorised people access data |
| Integrity | Data is not altered improperly |
| Availability | Systems/data remain accessible |
Common Ports To Know
| Service | Port | Purpose |
|---|---|---|
| HTTP | 80 | Web traffic |
| HTTPS | 443 | Secure web traffic |
| SSH | 22 | Secure remote access |
| Telnet | 23 | Insecure remote access |
| FTP | 21 | File transfer |
| SFTP | 22 | Secure file transfer |
| TFTP | 69 | Lightweight file transfer |
| DNS | 53 | Name resolution |
| DHCP | 67/68 | Automatic IP addressing |
| SMTP | 25 | Email sending |
| POP3 | 110 | Email retrieval |
| IMAP | 143 | Email retrieval/sync |
| LDAP | 389 | Directory services |
| LDAPS | 636 | Secure LDAP |
| RDP | 3389 | Remote desktop |
| SNMP | 161 | Network monitoring |
| SNMP Trap | 162 | SNMP alerts |
| NTP | 123 | Time synchronisation |
| SMB | 445 | Windows file sharing |
| NetBIOS | 137-139 | Legacy Windows networking |
| Syslog | 514 | Logging |
| SQL Server | 1433 | Microsoft SQL |
| MySQL | 3306 | MySQL database |
| PostgreSQL | 5432 | PostgreSQL database |
| Oracle DB | 1521 | Oracle database |
| SIP | 5060 | VoIP signalling |
| SIP TLS | 5061 | Secure VoIP signalling |
| Kerberos | 88 | Authentication |
| BGP | 179 | Routing protocol |
| LDAP Global Catalog | 3268 | Active Directory searches |
| WinRM | 5985/5986 | Windows remote management |
| VNC | 5900 | Remote desktop sharing |
Most Important Interview Mindset
Good interview answers explain:
- What the threat is
- Why it matters
- How to reduce the risk
That is what strong cyber security engineers do.