InfoSec Notes
Comprehensive collection of information security interview questions covering fundamentals, scenarios, and technical depth for all experience levels.
Overview
Comprehensive collection of information security interview questions covering fundamentals, scenarios, and technical depth for all experience levels. These questions range from fundamental concepts to advanced scenarios that test both theoretical knowledge and practical experience.
Fundamental Questions
Q1: Explain the CIA Triad and give a real-world example of each.
Answer: The CIA Triad consists of Confidentiality (data accessible only to authorized parties — e.g., encrypted medical records), Integrity (data accurate and unmodified — e.g., SHA-256 checksums on software downloads), and Availability (systems accessible when needed — e.g., redundant servers with load balancing for a banking website).
Q2: What is the difference between a vulnerability, a threat, and a risk?
Answer: A vulnerability is a weakness in a system (e.g., unpatched Apache server). A threat is something that could exploit the vulnerability (e.g., an attacker with an exploit). Risk is the likelihood and impact of the threat exploiting the vulnerability (e.g., 40% chance of compromise resulting in $1M loss = $400K expected risk).
Q3: Explain defense in depth with examples at each layer.
Answer: Multiple overlapping security controls:
- Physical: Locked server rooms, badge access
- Network: Firewalls, IDS/IPS, segmentation
- Host: OS hardening, antivirus, host firewall
- Application: Input validation, authentication, WAF
- Data: Encryption, backup, DLP
- People: Training, background checks, policies
Technical Questions
Q4: How does TLS 1.3 handshake work?
Answer:
| 1. ClientHello | Client sends supported ciphers + ECDHE key share |
| 2. ServerHello | Server chooses cipher + sends key share |
| 3. Client | Verifies certificate, sends Finished |
Q5: What is the difference between symmetric and asymmetric encryption?
Answer:
| Feature | Symmetric | Asymmetric |
|---|---|---|
| Keys | Same key for encrypt/decrypt | Public/private key pair |
| Speed | Fast (hardware accelerated) | 1000x slower |
| Key distribution | Requires secure channel | Public key shared freely |
| Use case | Bulk data encryption | Key exchange, signatures |
| Examples | AES-256, ChaCha20 | RSA, ECC, DH |
| Key size (128-bit security) | 128 bits | 3072 bits (RSA) |
Q6: How would you investigate a potential data breach?
Answer:
- Contain: Isolate affected systems, preserve evidence
- Identify scope: What data, how many records, what systems
- Determine attack vector: Logs, forensics, IOC matching
- Assess timeline: When did breach start, when detected
- Evaluate impact: Regulatory notification requirements
- Remediate: Patch vulnerability, reset credentials
- Report: Regulatory bodies, affected individuals, management
- Improve: Update controls, detection rules, playbooks
Scenario-Based Questions
Q7: You notice unusual outbound traffic at 3 AM from a database server. What do you do?
Answer:
- Immediately: Capture network traffic (PCAP), don't kill connection yet (preserve evidence)
- Assess: Check traffic destination (threat intel lookup), volume, protocol
- Investigate: Review database access logs, check for unauthorized queries
- Contain: If confirmed malicious, isolate the server from network
- Analyze: What data was accessed/exfiltrated, how did attacker get access
- Respond: Follow IR playbook, escalate to management, consider notification obligations
Q8: A developer says "our application doesn't need HTTPS because we don't handle passwords."
Answer: Challenge this thinking:
- Session tokens in cookies are just as sensitive as passwords (session hijacking)
- HTTPS prevents content injection by ISPs/networks (ad injection, malware)
- SEO impact (Google ranks HTTPS higher)
- Browser warnings scare users away from HTTP sites
- Mixed content blocks resources on HTTPS pages
- Modern attacks target non-password data (PII, behavior, preferences)
- Certificates are free (Let's Encrypt) — there's no reason NOT to use HTTPS
Q9: Your CEO received a phishing email that appears to be from the CFO asking for a wire transfer.
Answer:
- Don't send the money (obvious but critical)
- Verify: Call CFO directly on known phone number (not from the email)
- Analyze: Check email headers for origin, Reply-To address, domain spoofing
- Report: To IT security team immediately
- Investigate: Was CFO's email compromised? (Check login logs, sent items)
- Protect: Implement DMARC/DKIM/SPF, email authentication policies
- Train: This is Business Email Compromise (BEC) — establish verification procedures for wire transfers
Q10: How would you secure a new AWS deployment from scratch?
Answer:
- Account: Enable MFA on root, create organizational structure, SCPs
- IAM: Least privilege roles, no access keys for root, use SSO
- Network: VPC with private subnets, NACLs, security groups (deny by default)
- Compute: Hardened AMIs, Systems Manager patching, no public SSH
- Data: Encryption at rest (KMS), encryption in transit (TLS), backups
- Logging: CloudTrail, VPC Flow Logs, GuardDuty, Config Rules
- Monitoring: Security Hub, custom CloudWatch alarms
- Automation: Infrastructure as Code (Terraform/CloudFormation), CI/CD security
Advanced Questions
Q11: Explain how a padding oracle attack works against CBC mode.
Answer: The attacker exploits the server's different error responses for valid vs invalid padding. By modifying ciphertext bytes and observing responses, they can determine the intermediate state and decrypt the entire message byte-by-byte without the key. Prevention: Use authenticated encryption (GCM), don't reveal padding errors (generic error message).
Q12: What is the difference between SAST, DAST, and IAST?
Answer:
- SAST (Static): Scans source code without executing. Finds code-level bugs. Fast but high false positive rate.
- DAST (Dynamic): Tests running application from outside. Finds runtime vulnerabilities. Lower false positives but needs running app.
- IAST (Interactive): Agent inside application during testing. Combines SAST accuracy with DAST's runtime context. Best detection but requires instrumentation.
Interview Tips
- Use frameworks: Structure answers with CIA Triad, kill chain, or NIST functions
- Give examples: Abstract concepts + concrete examples = strong answers
- Acknowledge trade-offs: Security always involves balancing risk vs usability vs cost
- Show thinking process: Walk through your reasoning, not just the conclusion
- Be honest about unknowns: "I'm not sure about X, but here's how I'd approach it..."
Summary
Preparing for information security interviews requires both breadth (understanding many domains) and depth (being able to dive deep into your specialization). Practice explaining complex concepts simply, always tie answers to business value, and demonstrate that you think about security holistically.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Information Security Interview Questions.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, interview, preparation, questions, information security interview questions
Related Information Security Topics