Cyber Security¶
17 cards — 🟢 3 easy | 🟡 4 medium | 🔴 10 hard
🟢 Easy (3)¶
1. What is defense in depth and give three examples of layers.
Show answer
Defense in depth is a security strategy using multiple layers of controls so that if one fails, others still protect the system. Examples: 1) Network layer: firewalls, network segmentation, WAF; 2) Host layer: OS hardening, patching, antivirus, host-based IDS; 3) Application layer: input validation, authentication, authorization, encryption; 4) Data layer: encryption at rest, access controls, backups.2. What is vulnerability scanning and name three common tools.
Show answer
Vulnerability scanning is the automated process of probing systems and applications for known security weaknesses. It checks against databases like CVE and NVD. Common tools: 1) Nessus: commercial network/host scanner; 2) Trivy: open-source container and filesystem scanner; 3) OWASP ZAP: open-source web application scanner. Scanning should be integrated into CI/CD for continuous security feedback.3. Explain the difference between symmetric and asymmetric encryption.
Show answer
Symmetric: same key for encryption and decryption (e.g., AES). Fast, used for bulk data encryption. Challenge: secure key distribution.Asymmetric: uses a key pair (public key encrypts, private key decrypts, e.g., RSA, ECDSA). Slower, used for key exchange, digital signatures, and TLS handshakes. In practice, TLS uses asymmetric crypto to exchange a symmetric session key, then uses symmetric crypto for the data.
🟡 Medium (4)¶
1. What is the OWASP Top 10 and why does it matter for DevOps?
Show answer
The OWASP Top 10 is a regularly updated list of the most critical web application security risks. Current top entries include: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging Failures, and SSRF. DevOps teams use it to prioritize security testing in CI/CD pipelines and set security gates.2. What are the core principles of zero trust security?
Show answer
Zero trust assumes no implicit trust based on network location. Principles: 1) Verify explicitly (authenticate and authorize every request); 2) Use least privilege access; 3) Assume breach (segment access, use end-to-end encryption, monitor continuously). Implementation involves: identity-based access, micro-segmentation, continuous validation, and device health checks. "Never trust, always verify."3. What are the phases of incident response?
Show answer
1) Preparation: policies, tools, training, runbooks.2) Identification: detect and confirm the incident via monitoring, alerts, or reports.
3) Containment: limit damage (short-term: isolate affected systems; long-term: apply temporary fixes).
4) Eradication: remove the root cause (malware, compromised accounts, vulnerabilities).
5) Recovery: restore systems to normal operation, verify integrity.
6) Lessons Learned: post-incident review, update procedures, improve defenses.
4. How do you implement least privilege in cloud IAM?
Show answer
1) Start with zero permissions and add only what is needed; 2) Use managed policies scoped to specific services; 3) Avoid wildcard permissions (Resource: "*"); 4) Use conditions (IP range, MFA required, time-based); 5) Separate roles for different workloads; 6) Use IAM Access Analyzer to find unused permissions; 7) Regularly audit and remove stale permissions; 8) Prefer short-lived credentials (STS AssumeRole) over long-lived access keys.🔴 Hard (10)¶
1. Rsync triggered Linux OOM killer on a single 50 GB file. How does the OOM killer decide which process to kill first? How to control this?
Show answer
The OOM killer selects processes to kill based on their `oom_score` (viewable at `/proc/To control it:
- Check a process score: `cat /proc/
- Protect a process: `echo -17 > /proc/
- Use cgroups to set `oom.priority` — 0 makes processes immune, higher values make them preferred targets
- System-wide: `/proc/sys/vm/overcommit_memory` controls whether the kernel overcommits memory (default 0 = heuristic overcommit)
2. Using a Linux system with a limited number of packages installed, and telnet is not available. Use sysfs virtual filesystem to test connection on all interfaces (without loopback).
Show answer
For example:```bash
#!/usr/bin/bash
for iface in $(ls /sys/class/net/ | grep -v lo) ; do
if [[ $(cat /sys/class/net/$iface/carrier) = 1 ]] ; then state=1 ; fi
done
if [[ ${state:-0} -ne 1 ]] ; then echo "no connection" > /dev/stderr ; exit ; fi
```
3. An application encounters some performance issues. You should to find the code we have to optimize. How to profile app in Linux environment?
Show answer
Key profiling tools on Linux:1. **top** (batch mode): `top -b -p $(pidof app)` — shows CPU, memory, threads over time
2. **ps**: `ps --format pid,pcpu,cputime,etime,size,vsz,cmd -p $(pidof app)`
3. **perf**: Record with `perf record -g -p $(pidof app) sleep 10`, analyze with `perf report --stdio` — shows per-function CPU breakdown and call chains
4. **valgrind/callgrind**: `valgrind --tool=callgrind ./binary` then visualize with `kcachegrind`
5. **pstack/lsstack**: Quick stack snapshots of a running process
4. Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header in Nginx?
Show answer
Yes. Use `if` blocks to match `$http_origin` against a regex of allowed domains, then set the header dynamically:```
location / {
if ($http_origin ~* (^https?://([^/]+\.)*(domain1|domain2)\.com$)) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
}
}
```
Key point: you cannot list multiple origins in a single `Access-Control-Allow-Origin` header. Instead, dynamically echo back the matched origin.
5. How to recover deleted file held open e.g. by Apache?
Show answer
A deleted file that is still open retains its inode (hard link count = 0). Linux exposes open file descriptors via `/proc/To recover: `cat /proc/
To find the fd: check `ls -l /proc/
6. Write two golden rules for reducing the impact of hacked system.
Show answer
1. **Principle of Least Privilege**: Run services with the minimum permissions needed. If Apache is compromised, the attacker is limited to what the `apache` user can access — not root.2. **Principle of Separation of Privileges**: Isolate components — e.g., give the web app a read-only database account. Use SELinux or AppArmor to enforce mandatory access controls. Whitelist allowed actions rather than blacklisting bad ones to reduce attack surface.
7. Explain :(){ :|:& };: and how stop this code if you are already logged into a system?
Show answer
It is a **fork bomb**. `:()` defines a function named `:`. The body `:|:&` calls itself, pipes output to another copy of itself, and backgrounds it. The final `:` executes it, causing exponential process creation.To stop it if already logged in:
- `killall -STOP -u
- If the shell can't fork: `exec killall -STOP -u
Prevention: use PAM (`/etc/security/limits.conf`) to limit per-user process count (`nproc`).
8. The team of admins needs your support. You must remotely reinstall the system on one of the main servers. There is no access to the management console (e.g. iDRAC). How to install Linux on disk, from and where other Linux exist and running?
Show answer
Use `debootstrap` to install a minimal Linux into a working directory, chroot into it, then mount and wipe the old root filesystem, restore from backup, and reinstall GRUB.High-level steps:
1. `debootstrap` a minimal system to `/mnt/system`
2. Bind-mount `/proc`, `/sys`, `/dev` and chroot in
3. Mount the old root (e.g., `/dev/sda1`), delete old files, extract backup tarball
4. Chroot into restored system, run `grub-install` and `update-grub`
5. Reboot with `sync; reboot -f` (normal shutdown commands won't work from chroot)
9. What is threat modeling and name a common framework for it.
Show answer
Threat modeling is the process of identifying potential threats to a system during design. It answers: What are we building? What can go wrong? What are we going to do about it?STRIDE is a common framework: Spoofing (identity), Tampering (data), Repudiation (deniability), Information Disclosure (confidentiality), Denial of Service (availability), Elevation of Privilege (authorization). Each maps to a security property to protect.
10. What is the difference between penetration testing and red teaming?
Show answer
Penetration testing: scoped, time-boxed assessment of specific systems or applications. Goal is to find as many vulnerabilities as possible. The target team usually knows it is happening.Red teaming: adversary simulation that tests the organization holistically (people, processes, technology). Goal is to test detection and response capabilities. Often covert, longer duration, uses social engineering and physical access. Red teams emulate real attackers; pen testers find bugs.