Hey everybody, my name is Josh, and I've worked a whole bunch of different cybersecurity jobs in my career, including senior cybersecurity analyst, principal cybersecurity analyst, senior cybersecurity engineer and cybersecurity program manager. I've also taught at a local community college, and I also teach my own cybersecurity course online. Not only have I gone through a whole bunch of interviews myself as an applicant in IT, cybersecurity and, actually, software engineering, I've also been involved in hiring a lot of people, being on the other side of the interview process, so I consider myself okayish at interviewing.

So you've put out hundreds of resumes for cybersecurity jobs and it's finally time for the moment of truth: the interview. I highly, highly recommend listening to the theory I'm about to talk about and definitely putting it into practice, but the interview questions do start at this timestamp. So in addition to the really basic things, like making sure you're groomed and have good hygiene, there are five big areas that you really need to acknowledge and focus on when you're preparing for your cybersecurity interview.

The first is the ability to gracefully answer interview questions that you don't really have experience with and/or don't really know the answer to. The second is that you need to be able to identify and properly deal with behavior-based questions, such as "tell me about a time when X." The third is that you need to be able to identify and properly deal with cybersecurity-specific scenario-based questions, for example "what would you do if Y happened?" The fourth is that you need a strong industry awareness of past and current events; for example, somebody may ask you "what is your favorite breach?" And finally, you need to have a basic understanding of the cybersecurity-specific frameworks and regulatory bodies, such as NIST 800-53, NIST 800-171, the Cybersecurity Framework, PCI DSS, GDPR and HIPAA. You don't need to be a pro at these things, but you need to know what they are and be able to talk about them at least at a high level. Before we get into the actual interview questions I'm going to dive into these five areas a bit, just to help prime your brain and get you ready. Again, I highly recommend you watch this section before jumping into the questions.

Okay, the first point: the ability to answer questions that you don't know the answer to. There's always something you can say that's better than "I don't know" or "I haven't worked with that before." If someone asks you a question that you don't know the answer to, the more labs and experimenting and studying you've done on your own, the easier it's going to be to at least produce some kind of response. For example, say you've never worked in cybersecurity before, but the interviewer asks you, "Tell me about a time when you had to plan for and implement security controls in your environment at work." Most people who have never worked in cyber before would probably panic at this and either just say "I haven't" or produce a poor answer. But if you've done a lot of labbing and experimenting on your own, you could come up with some kind of answer like, "Oh, I created an environment in Microsoft Azure, in the cloud, and I went through and applied NIST 800-53 controls to it," and then maybe you could talk about a specific control that you applied to secure one of your cloud resources. This answer is infinitely better than not having any answer at all or producing a poor answer, and as someone who has hired people before and actively hires people, I'd be super happy with this answer. I couldn't ask for more, especially if the person hasn't worked in cybersecurity before. And if you're wondering which labs to do and how to practice: I don't necessarily mean to shill my course in this, but my course has really strong labs in it, and as I'm answering the upcoming 50 interview questions I'm going to answer them from the perspective of a student who has gone through my course. So I'm going to talk about certain things that I've done that exist in the course. You don't need the course to do those things; you can definitely go out and emulate the course and do them on your own, but the course packages them nicely. So if you're wondering what I'm talking about, it's just stuff that exists in the course.

Point two is behavior-based questions. It's really important to be able to identify these and attempt to answer them in STAR format. STAR stands for situation, task, action and result. This is basically just a way that you can formulate your answer: you talk about what the situation was, what the task at hand was, what action you took and what the resulting outcome of that action was. It's actually very hard initially to answer questions like this because it's too much to think about; you have to try to identify the question and then you're like, "Okay, uh, situation, task..." It's really hard to do if you haven't practiced it beforehand, but I highly recommend doing it, because a lot of jobs in tech that are higher paying, like over 100k, like to receive answers in STAR format. So definitely get used to it. I'm going to be giving some examples of this in the upcoming interview questions.

Point three is dealing with scenario-based questions. These scenario-based questions are really popular in cybersecurity interviews, and they're usually trying to check you on one of two things. The first is that they're trying to see if you understand incident response, the whole life cycle of it, and the other is that they're trying to see if you can think holistically and properly consider the business need. An example of an incident response question: they might say something like, "A user reports their computer has malware on it. What do you do?" A novice answer might be something like, "Oh, I would remove the malware and give the PC back," and it's not the worst answer in the world, but you can do way better, because this is an incident response question in disguise. A correct answer to this should revolve around NIST 800-61, the Computer Security Incident Handling Guide. So you should say something like, "Okay, now that the malware has been detected, the next thing I would do is analyze it and make sure that it's an actual true positive before I took any action. Once I determined that it was real, I would work to quarantine the system, eradicate the malware, recover the system, return it to the user, and then do any post-incident activities like documenting it and closing out the ticket." And if you want to be extra fancy you can throw in at the end, "in accordance with NIST 800-61," because, as you notice, this answer perfectly aligns with the incident response life cycle defined by NIST 800-61. That is a good answer.

An example question where they're trying to test your ability to think holistically and consider the business need: they might say something like, "Okay, you have a scenario where a critical vulnerability was discovered on a server, but the engineering team is refusing to patch it because they're saying the system will become unusable if patched. What do you do?" Somebody who hasn't worked in cyber before, or just doesn't know any better, might say something like, "Oh, because it's a critical vulnerability, I'll just force them to patch it anyway." This is actually a bad answer. It's not even average; it's a bad answer. I say it's a bad answer because in the scenario you were given, they said that if you patched it the server would become unusable, and if you do that and make your server unusable, you're no different than a bad actor doing a denial of service against your own server, right? So you have to think holistically; think about the business. A more correct answer to this question would definitely be more nuanced, would probably involve you asking some clarifying questions of the interviewer, and would probably be something along the lines of, "Oh, I would work to implement some compensating controls in the interim that wouldn't bring the server down, and I would work with the engineering team to come up with a POA&M," which means plan of action and milestones, "to patch the server sometime in the future without bringing it down."

Point number four: industry awareness and current events. Interviewers love to ask questions like "tell me your favorite breach" or "name three breaches in the past," and in my opinion the best way to passively get this knowledge is to listen to podcasts. I highly recommend listening to the CyberWire by Dave Bittner as well as Darknet Diaries by Jack Rhysider. The CyberWire is a highly, highly produced cybersecurity podcast where they talk about current events and that kind of thing. I would recommend just picking it up from today's episode and listening to that every day going forward until you get a job, and then maybe even afterwards if you like the podcast. Darknet Diaries is also a really highly produced, really high-quality podcast, but instead of news it's more like storytelling. It's just really, really entertaining, and it will expand your mind as to what's possible, because it covers the craziest things that happen in our industry all around the world. For Darknet Diaries I would definitely start at episode one and listen to all of them, maybe one episode per day. I wouldn't cram ten of them into a day; just listen to one per day until you get caught up.

And finally, point number five: basic knowledge of cybersecurity in general, cybersecurity frameworks and cybersecurity regulatory bodies. Those basic cybersecurity fundamentals can pretty much be obtained on the internet for free, from Professor Messer for instance. Also, the Google Cybersecurity Professional Certificate is really good as well; it's quite holistic and they have some hands-on components there too. So just make sure that's squared away as much as you can. You don't want to get all the way to an interview and then have something dumb happen, like you can't answer some basic question about the CIA triad. You want to really avoid those scenarios, so just make sure you know all of those cybersecurity fundamentals, the really basic ones. I will put a link in the description to Google's cybersecurity program. I actually went through that myself, I have the certificate, and I just thought it was a really decent program. As far as those mainstream cybersecurity frameworks and regulatory bodies go, it's probably honestly the most boring thing when it comes to studying cybersecurity topics, unfortunately. I try to touch on these in my course in the most interesting way possible, but I'll put a list of stuff that I think you should know below, and this stuff will be included in the interview questions coming up as well.

So finally, the reason why you came: it's time to start going through the actual interview questions and answers. I do want to say that I highly, highly, highly recommend, I can't say enough "highly"s for this, that you go through all 50 questions and practice articulating your answers to them out loud. You don't necessarily need another person to do it; you can have the questions on your phone, go on a walk, and just practice answering the questions out loud as if you were answering them in an interview. This is going to help you immensely, because when you actually get in the interview, like 50% of your brain is going to stop working, and if you haven't practiced this stuff beforehand it's going to be way harder for you to come up with proper answers. So I highly recommend you practice answering them beforehand, and then when you get into the interview you'll have already done it, so you can have that free extra real estate in your brain to pay attention to other things, like maybe relating to the interviewer more, talking about your personal self more, being less nervous. It's just way better if you practice them a lot ahead of time. And if you want, check the description: I'm going to put a spreadsheet with all 50 practice questions on there, as well as some sample answers to them. I'm also going
to provide some free CompTIA Security+ practice questions as well as some CISSP practice questions; check out the links in the description for those. You just need Anki to make it work: install Anki (it's free), import the deck, and then you can start practicing.

Okay, on to the actual interview questions.

How do you configure rules within a SIEM to identify potential security incidents? Please provide an example. So for configuring rules within a SIEM, that is, you want to create an alert when something happens, the first thing you'd want to do is think about your use case: what exactly do you want to look for and alert on? That could be anything from unauthorized access to brute-force attempts to viewing sensitive information, something like this. So for our example we can say I want to create an alert whenever somebody looks at a highly sensitive credential inside the enterprise password management system. The first thing we'd want to do is make sure the actual logs from the enterprise password management system are being brought into the SIEM in the first place, because if they're not, we won't be able to create an alert, or we won't be able to query the logs if they don't exist, right? So we need to make sure the logs exist in there. And then, if we think about what we want to do, if we just want to create an alert any time somebody looks at a highly sensitive password, like the global admin password for Azure Active Directory for instance, we need to make sure that we know what that log looks like in order for us to successfully query it. So what I would do is, in a controlled environment, maybe we go to the change board or something and say, "Hey, I need to create an alert for when somebody observes a critical credential or the global admin password," something like this. So we could have somebody look at it, and then subsequently the log for that would be created, and then we could see what the log looks like and formulate our query around what we wanted to look for in terms of logs. Our query could be SQL (Structured Query Language), KQL (Kusto Query Language), SPL if you're using Splunk, whatever the case may be; just make sure that our query actually matches the log that we're looking for. When it does, we can implement the rule and make it live, and then fine-tune the rule going forward if we need to. So for example, if we don't want to create an alert when a certain person looks at the password at a certain time of the day, maybe because we don't want to have false positives, we can tune the rule in some way. But yeah, that's how I would go about creating alert rules in a SIEM.

Describe a situation where you had to fine-tune a SIEM alert rule to reduce false positives. What steps did you take? So a time when I had to fine-tune an alert rule to reduce false positives was during my internship at Login Pacific. I was assisting a customer with their rule configurations for their SIEM, and they were getting a whole bunch of malware alerts for malware popping up on a computer, but actually what was happening is they were doing testing with the EICAR file. The EICAR file is a special string that you can put in a text file and it will cause the anti-malware engine to alert for malware; it's for testing purposes. But they didn't want to create alerts for that specific instance, because they know that it's a test file. So we just fine-tuned the rule that looks at the actual logs when malware is found, and we specified that if it was an EICAR file, if "EICAR" existed in the string, then don't return any results, or subsequently don't spin up an alert for that or create an incident.

Walk me through the incident response process you followed for a specific security incident at a previous job. What tools did you use? So, an incident response process that I was involved in: I was working as an intern at Login Pacific, and I was responding to an incident with a lot of brute-force attempts against a virtual machine that was exposed to the public internet. To work this incident I just worked it in line with NIST 800-61, the Computer Security Incident Handling Guide. So basically the preparation step was in place already, because the SIEM was stood up and we had alerts configured and everything. The detection phase was stood up and functioning, because the alerts were being created. And then the analysis section: my analysis consisted of making sure the actual alerts were true positives and it wasn't the customer doing something, or something internal with somebody testing. Once I verified that it was actually malicious traffic from the public internet, I worked through the containment phase, which consisted of creating a network security group rule, which is kind of like a firewall rule in the cloud, that blocked that malicious traffic, or any traffic really, from the public internet. As far as eradication and recovery, there was nothing to really eradicate or recover; there were no obvious indicators of compromise and none of the authentication attempts were actually successful, so there was nothing to do for those two steps. And then post-incident activity: we were using Microsoft Sentinel as a SIEM, and the whole Microsoft Defender for Cloud ecosystem, so basically I just logged everything I did, like verifying that it was a true positive and creating the firewall rule to block public traffic from the internet, and then we closed out the incident in Sentinel, and that was the end of it.

What types of logs do you typically integrate into a SIEM and why? As far as which logs you integrate into a SIEM, it really depends on your environment and what's important: what are your critical assets and critical resources, right? So typically, in a vanilla setup, all of the identity provider and authentication logs, and those really important servers, like shared services logs, probably need to be collected into the SIEM. Whether you're using Active Directory or Azure Active Directory or some other identity provider, it's a really good idea to ingest logs from all of your authentication methods, at least, into your SIEM. And then depending on what your critical infrastructure and important resources are, you need to identify those, and then the systems holding those, and the stuff that is used to access those; all of the logs for that stuff likely need to be brought into the SIEM as well, because you need to have eyes and ears on the things that are most important to your organization.

Discuss a time when you had to collaborate with another department or person to address a security issue. What was it and how did you handle it? I've studied and labbed quite a bit and I have a pretty good intuition for things in cybersecurity, but I haven't had the chance to collaborate with another department in the wild for something. But I do understand this comes up quite a bit, and separation of duties is a thing in cybersecurity, so I can give an example of what this might look like. So for example, if I'm on the vulnerability management team and I'm scanning for vulnerabilities and trying to work with departments to remediate them, usually the person scanning for the vulnerability isn't going to be the person who's actually remediating it and verifying that it's been remediated. So basically what I might do is, maybe I'm conducting the scans and I'm the one who's verifying remediation. Say I found a vulnerability in a system, and the person responsible for that is maybe the Windows desktop admin or something like this. What I would do in that situation is break down the vulnerability as best I could for them. Say maybe it's some out-of-date Adobe Reader or something like that; I might provide them a solution, such as some automatic uninstallation and then automatic installation of the updated software, or just an automatic upgrade, along with any kind of documentation that they might need to understand why it's important and what needs to happen. Basically, if I need someone to do something or remediate something, I'll just make their job as easy for them as it can be, so they don't have to spend too much time or energy; they can just take what I gave them and work on remediation, and they tell me when they're done, and then I'll verify that it's been remediated by conducting another scan. That's basically what I would do.

What are some security controls you would recommend for a cloud-based application and why? So as far as security controls for a cloud-based application, it could be a whole bunch of stuff, right? Perhaps some kind of web application (layer 7) firewall; definitely some kind of access control, maybe role-based access control depending on what the application is; definitely logging and monitoring; some kind of identity provider; you definitely want to have some way to back up and recover in case something happens; definitely you want to have encryption at rest, and absolutely you want to have encryption in transit, TLS 1.3, something like this; and a whole bunch of other stuff. It just depends on what exactly the application does and what you're trying to protect.

How would you set up monitoring and alerting for unauthorized access to sensitive data? So in order to set up monitoring and alerting for unauthorized access to sensitive data, it depends on the system that you're working with. I'm just going to assume that it's sitting on some Windows server somewhere, just to make the example easy. So you definitely want to turn on file system auditing, for sure, so that when somebody creates, reads, updates or deletes any files, logs are created, in our example in the Windows event log. So turn on file system auditing. You definitely want to define the files or the data that you want to protect, because you don't want to detect on all data; you want to detect on certain data, right?
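An added example, not from the video, of the rule this answer describes, run in plain Python over a few constructed Windows Security events instead of as a SIEM query. Event IDs 4663 (an attempt was made to access an object) and 4656 (a handle to an object was requested) are the real Windows audit events; the account names (Jim, Bob and a backup service account), the D:\Finance path, the timestamps and the tuning exclusion are all made up for illustration:

```python
"""Added example, not from the video: the unauthorized-access rule from this
answer, run over constructed Windows Security events. Event IDs 4663 and 4656
are real; every account, path and timestamp below is made up."""
from __future__ import annotations
from datetime import datetime, time

# Constructed sample events: a subset of the fields of Event ID 4663 as a SIEM
# would expose them once file-system auditing is on for the folder and the
# Security log is ingested.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-03-04T09:12:03", "EventID": 4663, "Account": "CORP\\jim",
     "ObjectName": "D:\\Finance\\payroll.xlsx", "Access": "ReadData"},
    {"TimeGenerated": "2024-03-04T10:05:41", "EventID": 4663, "Account": "CORP\\bob",
     "ObjectName": "D:\\Finance\\payroll.xlsx", "Access": "WriteData"},
    {"TimeGenerated": "2024-03-04T11:47:19", "EventID": 4663, "Account": "CORP\\alice",
     "ObjectName": "D:\\Finance\\payroll.xlsx", "Access": "ReadData"},
    {"TimeGenerated": "2024-03-04T11:50:02", "EventID": 4663, "Account": "CORP\\alice",
     "ObjectName": "D:\\Public\\newsletter.docx", "Access": "ReadData"},
    {"TimeGenerated": "2024-03-04T01:30:00", "EventID": 4663, "Account": "CORP\\svc-backup",
     "ObjectName": "D:\\Finance\\budget.xlsx", "Access": "ReadData"},
    {"TimeGenerated": "2024-03-04T14:00:00", "EventID": 4663, "Account": "CORP\\svc-backup",
     "ObjectName": "D:\\Finance\\budget.xlsx", "Access": "ReadData"},
    {"TimeGenerated": "2024-03-04T11:47:18", "EventID": 4656, "Account": "CORP\\alice",
     "ObjectName": "D:\\Finance\\payroll.xlsx", "Access": "ReadData"},
]

# Scope: only this data is worth an alert, not every file on the server.
SENSITIVE_PREFIXES = ("d:\\finance\\",)
# "Authorized" stated explicitly: the only two people expected to touch it.
AUTHORIZED_ACCOUNTS = {"corp\\jim", "corp\\bob"}
# Tuning for a known false positive (assumed): the backup service account reads
# the whole share in its nightly window. The exclusion is deliberately narrow,
# that account in that window, not a blanket allow for the account.
EXCLUSIONS = [
    {"account": "corp\\svc-backup", "window_start": time(1, 0), "window_end": time(3, 0)},
]


def in_scope(event: dict) -> bool:
    """True for actual object-access events (4663) that touch the sensitive data.
    4656 is only a handle request, so it is ignored to avoid double alerts."""
    if event["EventID"] != 4663:
        return False
    return event["ObjectName"].lower().startswith(SENSITIVE_PREFIXES)


def is_excluded(event: dict) -> bool:
    """True when a tuning exclusion covers this event's account and time of day."""
    when = datetime.fromisoformat(event["TimeGenerated"]).time()
    account = event["Account"].lower()
    return any(
        account == rule["account"] and rule["window_start"] <= when <= rule["window_end"]
        for rule in EXCLUSIONS
    )


def detect_unauthorized_access(events: list) -> list:
    """The rule: in-scope access by a principal that is not authorized, minus
    the tuned exclusions. Returns one alert dict per matching event."""
    alerts = []
    for event in events:
        if not in_scope(event):
            continue
        if event["Account"].lower() in AUTHORIZED_ACCOUNTS:
            continue
        if is_excluded(event):
            continue
        alerts.append({
            "time": event["TimeGenerated"],
            "account": event["Account"],
            "object": event["ObjectName"],
            "access": event["Access"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_unauthorized_access(SAMPLE_EVENTS):
        print(f"ALERT {alert['time']} {alert['account']} {alert['access']} {alert['object']}")
```

Running it produces two alerts: the read by the account that is not Jim or Bob, and the backup account's read outside its maintenance window. The two authorized accounts, the out-of-scope file, the 4656 handle request and the in-window backup read produce nothing, which is the point of stating scope and "authorized" explicitly instead of alerting on every access.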
so Define your scope of like what you want to detect on and then you want to Define um what what it means to be like unauthorized right versus authorized so we don't want to alert like when anyone looks at like a certain file or something um so maybe we can create our alert that's like you know if assuming that we have you know Jim and Bob we expect Jim and Bob to look at these files like only these two so in our like query rule like once we we know we have the logs coming into
the SIM from our file system auditing we know what the logs look like when somebody actually looks at or does anything to those files so to alert on you know unauthorized you know create read update delete to those files we could in our query we can say something like um you know if if the user principle is not Jim or Bob um then return results or create an alert or something like this um it really depends there's like a lot of nuance depending on what the system is that's holding the actual data that you want
to protect and you know the granularity of like the log that's created by the system but in in a general at a high level like this is basically what I would do describe an experience where you had to conduct a forensic analysis following a security incident what tools did you use and what were your findings I'm not sure if I can call this a full-on forensic analysis but um when I I was interning at login Pacific I was uh doing some po incident analysis like basically the situation was um a lot of Brute Force attempts
were coming in and there was actually a Brute Force success alert happened and The Brute Force success alert um in that case was defined by 10 or more failed logins from the same user against the same machine followed by one successful and like in the same hour time span so um we did have a Brute Force success um against a particular virtual machine and there were some known good users to log into that virtual machine um so I I really um I did some work to make sure that there was no like unusual activity from
the actual legitimate accounts that have logged into that virtual machine elsewhere if that makes if that makes sense I wanted to make sure like those accounts like didn't get compromised by the person who like brute forced in into the machine from the internet so basically to do this um Microsoft Sentinel has something called an entity map and like a an investigative UI where you can see like a map um that shows like the bad actor on the internet and like all the all of our resources that they touched locally and then um you can see
other accounts that have like logged into those where incidents were spun up so I basically just like went through those and looked at everything and kind of made sure that the actual like legitimate accounts that logged into the machine weren't compromised and they weren't doing other stuff or creating other alerts if that makes sense um in the end it didn't look like there were there was no really obvious indicators of compromise um after the brute for Success happened we basically you know went through the incident response life cycle like contain eradicate recovery um reset the
password isolated the virtual machine and um essentially closed out the uh locked down the virtual machine with the network security group and then ended up uh closing out the incident how do you keep up to date with the latest cyber security threats and vulnerabilities so for for me to stay up to date with cyber security vulnerabilities and threats um primarily I like to listen to the Cyber wire daily they're pretty fast at reporting um really high quality and I I tend to just listen to them every single morning it just keeps me in tune with
the industry um in conjunction with that I like to follow um siza on Twitter they tend to post pretty fast and I tend to see things like quicker even faster than the Cyber wire so yeah uh Twitter and the Cyber wire daily tell me about a time when you had to remediate complicated vulnerability what was it and what did you do so a time when I had to remediate a complicated vulnerability um this happened when I was doing an internship at login Pacific basically the complicated vulnerability was the customers using um Microsoft key vault which
is essentially Microsoft Azure like Cloud native Enterprise password manager but it was um the endpoint for it was exposed over the public internet and the the solution or the remediation for that would be to like apply what's called um private endpoint which essentially takes makes the endpoint like off the public internet and makes it only accessible to the the back end on the customers like through their virtual Network so that part is like kind of trivial um that part is kind of trivial but the the difficult part of that is um you need to make
sure like other systems that happen to be like using the key Vault um they need to be configured as well to like not reach out like over the internet but like through through the back end if that makes sense so we made we made the necessary configurations like app private endpoint turned on the firewall so like the um the keyal endpoint couldn't be reached over the public internet and we did our testing everything seemed to work okay and then we essentially had the vulnerability remediated once uh once private endpoint was uh successfully applied tell me
about a time when you identified as security vulnerability in your organization how did you discover it and what actions did you take to remediate it so this will be be my first cyber security job so I haven't done this in the real world yet but I I have done quite a few vulnerability management Labs so I can I can talk about those a little bit um so basically like the situation was I was setting up a lab for myself to kind of practice vulnerability management um create some virtual machines in Azure install some old software
titles on them like old versions of Firefox old versions of Adobe Reader um the action for this I took um I set up openvz AKA Green born and I kind of scanned my virtual machine like did a credential scan to kind of discover any vulnerabilities that it could find um of course it found the out ofd software iall installed on it um the action I took was I updated one of the software titles like I updated Firefox to the most recent version um I uninstalled the old version of Adobe Pro I I rescanned it like
a a re redid a credential scan to kind of verify the um stuff has been remediated and the result was the vulnerabilities were remediated and um I was able to you know get a better intuition of how vulnerability management worked can you recount a situation where you had to respond to a critical security incident Lo me through the steps you took from Discovery to resolution so responding to a critical security incident so basically the situation was um I was doing my internship at login Pacific we were doing some incident response tabletop exercises and basically the
situation was um an incident got spun up for a large amount of inbound malicious flows from the internet basically what that means is um there's like network security groups AKA kind of like Cloud firewalls in front of the virtual machines and when traffic that's like deemed malicious by Microsoft's algorithm like passes through them it's like allowed into the network that's kind of considered a malicious flow and when there's a certain number of those an alert an incident will automatically get spun up um so the action for this was to kind of go ahead and practice
that normal nist 861 incident response life cycle um preparation detection so detection happened right the incident was spun up uh analysis of this would be to like inspect it and make sure the traffic is actually like M's traffic traffic from the internet um which it was and then those containment and eradication steps um that consisted of um locking down the network security group to stop allowing those random bad traffic from the internet to come in and so the action yeah the action was locking down the network security group and then the result at the end
um there were no more inbound malicious flows U for the next 24 hours and then going forward as well so um at after that um we kind of after that I was able to document everything what I my findings what I did and then essentially close out the incident tell me about a time when you had to collaborate with a non-technical staff to implement a security measure how did you ensure they understood its importance so this is going to be my first job in cyber security so I haven't had a chance to do this in
the wild yet, but I'm super aware of the importance of communicating really technical ideas to non-technical people, so I can give an example of what this might look like, kind of a made-up scenario. The situation might be I'm a vulnerability management program manager, for instance, and we're onboarding some new server from a third party for some software or something like this. The task, as part of the onboarding process, would be to run a vulnerability scan against it to make sure there's no super crazy bad vulnerability that could hurt the organization. So we'd scan that, and say we found they're using SSL 3.0 and they have SMBv1 enabled, or something like this. The action for this would be I would need to communicate these vulnerabilities to our point of contact, who's probably not a technical person, who would then need to take this to their engineering team to get it fixed. So in this case I would probably give some kind of analogy of why we need to have these SMBv1 and SSL 3.0 vulnerabilities patched. I'd just give some kind of example, like why encryption is important and how running SMBv1 potentially creates a vulnerability which hackers could attack or exploit in one way or another, essentially causing the business to lose money or have downtime or something like this. And then the result in this scenario: hopefully we'd go back and forth a few times and we'd work with them to remediate the vulnerability, but it's really important to communicate that really technical jargon in a way that those stakeholders and more business-minded people can understand.

Describe an instance where you had to balance security measures with usability. How did you approach this challenge?

So, balancing security measures with usability. I know this is super, super important. In the end, the security professional is not there to lock everything down; rather it's more so to make everything as secure as possible while still allowing the business to function normally. So I haven't had to do this in
the wild yet, but I can give a contrived scenario. Maybe there's a situation where I'm a vulnerability management person and I discover a critical vulnerability on some business-critical system, right? The action for me would be I would attempt to get the system owner to fix the vulnerability, to remediate it, and maybe they would push back on me and say something like, oh, if we patch this the system is going to go down, and it's business critical, so we can't patch it. So the action in this scenario, I might try to apply some compensating controls on it: if we can't patch it, maybe we can put an extra strong firewall on it or some other kind of control that doesn't affect the usability in the meantime. Maybe it's not as good as remediating it, but it is extra protection, right? So that would be the action. Hopefully we'd go back and forth, they would accept it, and we'd create a plan of action and milestones for the future to properly remediate it, but in the end hopefully the result would be that their risk is at least reduced a little bit and we can move on to the next vulnerability.

Tell me about a time when you had to adapt your communication style to effectively convey a security risk to stakeholders.

Because this will potentially be my first job in cyber security I haven't had to do this yet in the wild, but I do know it's really, really important to be able to effectively communicate risk depending on who is listening, right? So if I'm talking to my technical colleagues, they kind of understand the risks of running insecure software and they understand the potential impact of ransomware and stuff, but if I'm talking to upper management or somebody in the C-suite, the situation is there's some vulnerability that makes us susceptible to ransomware, and I might have the task of conveying the risk to them in terms of a dollar amount or reputation or something, quantifying it in a way that makes sense to them from a business standpoint. Hopefully the result of this is they understand, and maybe they see eye to eye with me on whatever my ask is, if I need more budget or something like this. But speaking in a language your audience understands is really, really important in cyber security and tech in general, and it's something I'm really aware of.

Can you describe a situation where you had to prioritize one security project over another? What criteria did you use to make your decision? So
in a situation where I have competing security projects, for me to prioritize them I would probably just look at them from an economic standpoint. So the action I would take is I would look at both projects. Maybe one project is implementing MFA, that is multi-factor authentication, and say the other project is creating a hardware and software asset inventory, right, because that's part of the CIS Controls, that is a security control. I'd look at both of those and see how long they both take, and I'd try to come up with a way to see how much they're protecting the organization. Say, and this is an arbitrary number, implementing MFA saves like a million dollars a year, but creating a nice functioning asset management system maybe saves 300K a year or something. Maybe MFA takes 1 month to implement and the inventory system takes 3 months to implement. In this case, economically speaking, MFA has more impact, so from a business standpoint it makes sense to prioritize the efforts to implement MFA first, and ideally the result would be more risk is reduced than otherwise, and more money is potentially prevented from being lost, or saved, from proper prioritization of tasks.

Tell me about a time when you had to quickly learn a new security technology or tool to solve an immediate problem. How did you go about it?

So this is a bit of an unconventional answer. The situation was I really wanted to get into cyber security, and because of this I had to learn a bunch of technology as fast as I could, especially security-related technology and methodologies and that type of thing. So that's the situation. The task: I just decided to do my best to create a miniature SOC, a miniature security operations center, in the cloud and create a honeynet. So I created a bunch of resources in Azure: a lot of virtual machines, Azure Key Vault, a storage account. I learned how to spin up an instance of Azure Sentinel, or Microsoft Sentinel, which is Microsoft's cloud-native SIEM, and expose everything to the internet, let it get attacked by bad actors, and just go through and practice incident response and learn what I need to learn to respond to incidents and then subsequently secure all of my resources in the cloud. And the result was I was able to do that. I learned quite a bit, I had some nice stuff to put on my resume, and then ultimately I was able to get this interview.

Describe an experience where you contributed to the development
or improvement of a company security policy.

So I haven't had to do this yet actually, because this is potentially going to be my first cyber security job, but I do recognize the importance of having a security policy, because the security policy should outline what you're trying to protect and how you protect it, in any kind of security policy. So what I would do, in the situation where I need to either augment or create a security policy, the action I would take is I would interview the necessary stakeholders. That's likely going to be the CIO, CTO, CISO, and then other C-levels and business owners, and see what our actual critical assets are, and then I would draft the security policy around that to make sure we're addressing what we need to address in order to protect our critical assets. Then, after the initial draft was created, I would bring it to the different stakeholders and be like, is this something that it looks like we can uphold, is this something that looks like what you would expect to see? If they say yes, I would go to the actual teams who need to be doing the implementing of the security policy, the ones who are actually upholding it, and be like, does this look good, does this look like something that's feasible for you to maintain? And if they say yes, I'd just get it signed by the necessary party and get it enacted, get it put into place, and the result hopefully would be we have a nice, either new or augmented, security policy that we can look to if we need to justify budget or anything like that in the future.

Tell me about a time when you had to conduct user training to improve security awareness. What approach did you take and what were the outcomes?

So I haven't had to actually run a security training. I've been on the other end of it, as a normal end user where I have to go through the security training, but it is something I think about a lot. So if I was the one in charge of actually running the training, what I would probably do is I would take a more positive approach to it and try to reward people for completing their training, because from what I've seen the big problem is people either just put off the training or they don't do it or they don't do it properly, right? So what I would do is I would try to make sure that the training is absolutely as interesting as it could possibly be. I might use KnowBe4; the training platform has some really interesting movie-like, Netflix-like scenarios on it that are actually entertaining and fun. And I would try to reward individuals and departments for completing the training early, if that makes sense, and for the people who straggled or didn't complete it, I would do nice reach-outs to them a few times before I started escalating to their manager, because I don't want to have bad relationships with the people I'm trying to usher through the training, if that makes sense. So hopefully the result would be a measurable increase in compliance in terms of training, hopefully.

Describe a situation where you had to work under tight deadlines to resolve a security issue. How did you manage the pressure?

So this will potentially be my first cyber security job and I haven't had to deal with this yet, but I'm super aware that incidents don't wait. They don't work on a 9 to 5 schedule like the rest of us; they can pretty much come
at any time. And so for me, the way I would deal with getting through it and dealing with the pressure and everything: hopefully the org that I worked at would have a good incident response plan in place. Maybe it follows NIST 800-61, in which case the first step is preparation, right? So hopefully the preparation stage has been done and it outlines, at least at a high level, the stuff we need to do during the incident in terms of communication flow and priorities and stuff like that. So hopefully I would be able to lean into our preparation for that and just calmly execute on things and work through the incident life cycle as we discover and contain and eradicate and recover and document afterwards. So that's basically what I would do. And if you're working in security and you're involved in incident response, you're likely just going to have to work overtime or work off hours sometimes. That's just the nature of incident response, and if I go into the job with that mindset it's not a big deal. I likely won't stay up for 48 hours, but staying late sometimes or coming in super early to deal with something is not a big deal. You just have to prepare for it and calmly go and do it and execute your incident response plan to resolution.

What would you do if the IT department was reluctant to implement critical security patches immediately, citing concerns about system downtime?

So regardless of whether it's HR or the engineering department or some other department, I'd just try to convey the importance of patching in a way that that particular audience understands. So with HR I might talk about risk and mitigating risk and the importance of it in terms of monetary loss and other things that could be a detriment to the business, perhaps give some examples of situations where major breaches have happened due to not patching and what the outcome was for that, and try to at least get them to understand in that sense. And if they're super adamant about not patching it and I'm being seriously roadblocked, depending on the organization we could do something like get that particular department to sign off on the risk and accept the risk in the case that something bad does happen.

What would you do if the HR department refused to enforce a new password policy, arguing it would be too burdensome for new employees?

So if they didn't want to accept and implement the password policy, I would just try to explain to them in a way that they could understand, perhaps talking about monetary loss due to a data breach or loss of public trust, etc. And also, if we can't implement a simple password policy, what hope do we have to do something slightly more complicated like implementing MFA, for example, where we might require people to use some kind of token device or authenticator app? It's more complicated than just having a simply longer or more complex password. So I'd just explain these in a way that HR could understand and do what I could to possibly create some education for the users, or instructions on how to deal with the longer password, just make things as easy as possible.

What would you do if the marketing department wanted to roll out a new customer-facing application without a security review, citing time constraints?

So if the marketing department, or any department, wanted to roll out new software without any kind of security review being done, I'd just explain the risks associated with doing that. Depending on what kind of information is
being stored and processed in the application, it could have big ramifications for the business if some kind of breach happened due to the software being insecure or something like this. If they really didn't want to do a security review, I might go to the vendor of the software, because oftentimes there's some kind of public trust section on their site where they talk about the compliance that they do and the rigorous security testing; maybe they do quarterly vulnerability management, maybe they have a SOC 2 Type 2 report readily available for their platform that we can reference. So I would do the best that I can. If they don't want to do a review, I would see if the vendor had anything. If the vendor didn't have anything and the marketing department didn't want to do a review, I would try to get backup from my boss if I could, and depending on the organization, if they were absolutely not having it, I would try to get them to sign off on the risk for it, just so we have something on file showing that me and my department tried to do our job.

What would you do if the finance department objected to the cost of a recommended security solution, asking you to find a cheaper alternative?

Well, if any department objected to the cost of a proposed security solution, asking us to get something cheaper, it really depends on what the actual system is we're trying to protect, and if it's a legal requirement or not, or we're just trying to practice better security hygiene. So assuming that we can compromise on it and it's not something we have to have, I might try to come up with something like a different control, a compensating control that's maybe not as good as the other one but still provides some protection, reducing the risk a little bit at a reduced cost. It just depends on what's happening. Another alternative would be using some kind of open-source solution, depending on what it is, or coming up with some kind of in-house solution for the control that needed to be implemented. So there's a lot of things that we can do; it just depends on the thing that you're trying to protect and, if there are legal regulatory bodies involved, how much leeway we have, but probably come up with some kind of compensating control at the very least.

What would you do if the legal department advised against conducting a thorough incident investigation after a minor data breach due to potential legal risks?

So if the legal department didn't want to do a thorough investigation of an incident, this is a huge organizational red flag, and depending on my position, it depends, right? Because if this is Department of Defense or something and national security is in question, I may have to become a whistleblower, right? It just depends on the situation. If it's a normal corporate job and I was, you know, the incident response manager or something, I may have to defer to the CISO and get them involved and see what we can do, because depending on the organization it's possible people are going to go to jail over a breach, right? And if the legal department is actually trying to cover it up, it's a big deal and I don't want to get myself implicated, right? So I would probably get my manager involved, and at the very least, if I could not do anything, depending on what it was, I don't know, I may try to get the legal department to sign off on the risk of it or something like this. But it's a tough call. It just really depends on what the breach was and what happened and what type of organization it was, but I guess in short: be a whistleblower and/or get my manager involved and/or try to get the legal department to sign off and accept the risk themselves.

What would you do if
you noticed an unexpected and significant increase in network traffic originating from a single IP address within your network?

If I noticed a large amount of traffic originating from within our network going out to the public internet or somewhere else, I would spin up an incident and follow that NIST 800-61 incident response life cycle. So preparation and detection already happened, because we actually detected it occurring, so the next phase, the analysis phase, I would try to look at the traffic and do my best to determine if it was actually legitimate traffic, like somebody was actually on that computer doing their job and they just so happened to be sending a lot of traffic outbound, or perhaps the computer was compromised and maybe some data is being exfiltrated or something like this. So I would take my time in the analysis phase to figure out what exactly was happening. To do that more specifically, I might look at the endpoints that the traffic is going to outside, and if I didn't recognize any of them I might use some kind of intelligence service, or VirusTotal or something, and look at the domains that the traffic is going to, to figure out whether or not it's bad traffic. And if it is bad I would move on to the containment phase, and this might look like quarantining that actual computer, or whatever the device is, taking it off the network, following our standard operating procedures for that. Eradication and recovery might look like reimaging the device, depending on what it is, and then making sure that any of the other user accounts or computers associated with that device weren't doing any kind of anomalous behavior, and just go from there: finish the eradication and recovery phase, reimage the computer (it just depends on what the scenario happened to be), recover it, put it back online, and then document what happened during the incident and close it out from there.

What would you do if you received an alert that unauthorized files were being uploaded to a company cloud storage account?

So if someone was uploading a lot of unauthorized files to a company cloud storage account, I would follow the normal incident response life cycle, that NIST 800-61. Detection already happened, obviously, because I noticed it happening, so jumping into the analysis phase, I would make sure that, for example, if Bob Jones at linpa is actually moving the files, I would make sure the actual human Bob Jones was doing it and not someone using his account. So that might look like calling Bob Jones's manager and talking to Bob Jones, right, and seeing if he was the actual person doing it or not. If he was, then we would just move forward to the containment, eradication and recovery phase. The containment of that would just look like telling Bob to stop doing that. Eradication and recovery: removing the unauthorized files or deleting them. It really depends on what the files are and how sensitive they are, and if moving the files in there constituted an actual breach or not the scope of the incident might expand, so it just depends on what the system was and what the information was. In the case that it was Bob Jones's account but it was not actually Bob Jones the human doing it, that means his account got compromised and the scope of the incident expanded, so we would have to do containment, eradication, recovery. Containment on the account might look like disabling the account; while it's disabled, see what else the account did on the network and see if something else happened that we didn't expect, and then just move through the rest of the incident response life cycle, eradication, recovery, whatever that happens to look like: undo the stuff that his account did if it was indeed a compromised account, document everything in the incident, and just close it out at that point.

What would you do if a senior
executive clicked on a phishing link and compromised their account?

So if a senior executive clicked on a phishing link and compromised their endpoint, again I would follow that NIST 800-61 incident response life cycle. Detection happened because they actually clicked the link. Analysis: this really depends on the organization and what happened, but in analysis we'd make sure he actually did click a real phishing link for sure before we start doing actions. And once we determined that the link that he clicked was indeed a phishing link and it was indeed bad, we'd just move on to the containment phase, and that might look like definitely disabling the executive's account, at least temporarily, taking their computer offline and quarantining the computer. And during this time, depending on our capability and the maturity of the department, we might look at the actual laptop and see what happened when you click the link, like in a sandbox, and see if maybe something was downloaded from the internet and a script was run or something like that, see exactly what happened after the link was clicked. Assuming that it wasn't too bad and just that device got compromised, we'd probably just move on to the eradication and recovery phase, and that might look like reimaging the laptop or just reissuing him a new laptop, making sure his account didn't actually get compromised before we re-enable it, and that might look like looking through the SIEM logs for instances of his account and seeing what it was doing for the last few days, just to make sure there's nothing abnormal in there. And if everything's okay we'd probably reset their password, most likely, re-enable the account, reissue a computer back to them, and then just do the post-incident documentation and close things out.

What would you do if you found out that a software used across the organization had a known vulnerability that was actively being exploited in the wild?

If I found out some of the software we're using had a serious vulnerability and it's actively being exploited in the wild, the first thing I would do is I'd try to determine the scope of the software in our organization, like who uses it and where exactly it is. Once we determined that, I would come up with a remediation plan for this. That might look like, in whatever our vulnerability management platform is, setting up a group inside of there that contains all of the affected devices that have the vulnerability on them, do a scan, come up with a plan for remediation, and start reaching out, depending on the maturity of our department, to the people who do remediations, and warn the end users that we need to remediate a vulnerability on a software that we use. We wouldn't remediate everything at once, but maybe do it in batches, but be kind of aggressive about it so we can get it taken care of. I'd probably prioritize remediation in terms of system criticality, most likely. So what I mean by that is, if some of the systems are business critical or they're internet facing, I might consider hitting those first if there's not that much risk in applying the patch, like if the system becomes unstable or something. I'd probably remediate the more critical assets first and then move on down the list, working with the end users all the way.

What would you do if you discovered that an employee was using the same password for multiple company accounts?

So if I somehow was able to find out that people were using the same password for multiple accounts inside of the
organization, I'm going to give kind of a perfect-scenario answer. I would work toward implementing single sign-on. I would get some kind of identity provider, like Azure Active Directory, I guess it's called Entra ID now, or on-premise Active Directory, and I would try to use single sign-on as much as I could everywhere across the organization instead of using these siloed identities everywhere. It's better to use single sign-on in conjunction with multi-factor authentication, so again, perfect world, I'd just implement SSO and then implement multi-factor authentication if it didn't exist already, and that would likely reduce the risk associated with using the same password everywhere.

Can you name a major recent cyber security breach and discuss its impact on the industry?

A recent cyber security breach that comes to mind, this is not super recent but it had a pretty big impact, would be the SolarWinds breach, where the supply chain was compromised. I believe the code repository got compromised and actual compromised code got pushed into production, therefore everybody using some certain aspect of SolarWinds essentially got backdoored by the attackers. And this changed the industry a lot because it shined a light on the fact that it's possible to compromise the supply chain of any product and have really widespread negative impact on the industry and the companies whose supply chain got compromised. And I believe even NIST added, I'm not sure if it was to the CSF or 800-53, but I believe they included supply chain controls in there as well. So yeah, definitely the supply chain compromise from SolarWinds.

What are some emerging technologies in cyber security that you think will become more important in the next few years?

So some emerging technologies that I think will be important: definitely AI and machine learning. I can't speak on those super in depth, but I know a lot of progress has been made on those recently with the advent of ChatGPT and GPT-4 and those other cool tools like Stable Diffusion and Midjourney. There are a lot of applications coming out, and for sure it's going to affect both sides, the good guys and the bad guys. Another thing that comes to mind is IoT, although it's not necessarily really new, but IoT brings a lot of bring-your-own-device, BYOD, to work, and with that there's a lot more consideration for appropriate security controls and trying to safeguard data and that type of stuff. So yeah, definitely AI and ML and then IoT devices.

How has the rise of remote work impacted cyber security? What measures do you think organizations should take to mitigate new risks?

So the rise of work from home is definitely impacting security, especially in the sense that it's becoming more decentralized, as in people are not in the office, so it's a bit more challenging to lock down their devices, because with work from home there are a lot of mobile devices that need to be taken into consideration, whether they're bring-your-own-device or company issued. It's kind of challenging to control the physical location of where the employee is working from, so a lot of consideration needs to be taken for mobile application management and data protection on mobile devices. That needs to be considered quite a bit and the appropriate controls need to be taken into consideration and deployed, essentially. So the measures I think organizations should take: definitely they need to pay attention to end user training, because you can have the best possible technical and administrative security controls in the world, but if your end users are cyber illiterate, rather, they don't know what good cyber hygiene is and they can't recognize a phishing email, that's going to, not completely negate, but the controls are not going to work once somebody actually clicks on a phishing link. So I think a lot of energy should be put into end user training, and then again the appropriate controls for mobile devices.

What are some of the key regulations affecting cyber security practices in your country or industry? How do they impact your work?

So this will be my first cyber security job, so I haven't
dealt with these regulatory bodies directly at work, but I am really aware of them, and some that come to mind: GDPR, that's the General Data Protection Regulation, which states that if you store or process data that's owned by EU citizens you need to make sure that you're GDPR compliant, whether you're operating in the EU or America or somewhere else, you just need to take that into consideration. Some other ones would be HIPAA and PCI DSS. HIPAA is, if you store or process electronic protected health information, you need to make sure you have the appropriate controls in place, and logging needs to be up to par as it's outlined in the Security and Privacy Rule. And then PCI DSS: if you store or process any kind of cardholder data, you need to ensure that you have the appropriate controls in place to meet PCI compliance. So those are just a couple of regulatory bodies that you should be aware of.

Can you discuss a cyber security topic that has been in the news recently? How do you think it will influence the industry?

So this isn't any one particular incident, but recently, with the progression of AI, it's becoming increasingly easy to make deepfakes, both visual and auditory, and just a straight-up video of something that looks real but it's actually fake. And even before this existed there was already a problem with misinformation campaigns and spreading propaganda, information that's not really true in general. Mix that in with the deepfakes and it's just going to become a larger and larger problem; it's just another thing that people need to care about online. So yeah, I would say misinformation fueled and amplified by artificial intelligence and machine learning.

Are there any cyber security podcasts, blogs, or influencers that you follow? What have you learned from them?

So in terms of podcasts, I like to listen to the Cyber Daily. It's nice, high-quality daily news that I use to keep in touch with the industry. Another one I really like is Darknet Diaries by Jack Rhysider. That one's good because it expands my mind on what's possible in cyber security and the type of breaches that have happened in the past. And then as far as YouTubers, I like to follow Josh Madakor on YouTube. He talks about how to break into cyber security and gives a lot of cool projects. I also follow Sandra on YouTube as well, Nicole, Gerald. They're all great resources that I like to follow just to keep in touch with the industry.

What do you think about the cyber security skill gap? How can it be addressed?

So the cyber security skill gap, it is a problem, but I think it's being addressed slowly. Basically the idea is there are a lot of jobs available and there are a lot of people who want to work those jobs, but they don't know how to bridge the gap from having Security+ into actually being able to be hired as some kind of security analyst or something like this, and a lot of work is being done in the space. Google, IBM, Microsoft, they're all coming out with kind of comprehensive
certifications to help people like you know bridge the gap to actually get hired and then there's other like you know YouTuber type people as well who make courses specifically designed to give people um the necessarily handson experience to kind of help them bridge the gap from Security Plus to actually being able to work so I think once that uh more and more people do these things and it becomes more and more common to actually go those sort of like program routes or these courses routes I think it's going to help um kind of bridge that
Gap and get people to where they need to be where they can actually start working in cyber security can you discuss a recent software vulnerability that has widespread implications how could it have been mitigated the thing that comes to mind was like the log Pro J vulnerability it wasn't that recent but that's kind of the first thing that comes to mind cuz it was like really big and kind of inyour face in terms of like the news um that's where they I believe it was a Java Library had some vulnerability in it and like a
lot of people using that Library so it pretty much is like everywhere and I I think it allowed for remote code execution I believe um in terms of like how it could have been uh mitigated or prevented it it's hard to say to be honest cuz you know that hindsight thing but probably you know some like a really strong application security function for the developers of that like maybe like a stronger vulnerability Management program could have caught it or something like this but you never really you know you never really know we just kind of
do our best but um in terms of like the people who actually had that library in use to help mitigate it if those people had like a you know a strong application security or a strong vulnerability Management program or function in place um would help them kind of quickly deal with like the remediation of those um if that makes sense what are your thoughts on ransomware attacks Target targeting critical infrastructure how should organizations and governments respond so in terms of um Ransom or attacks on critical infrastructure I think this is something that really needs to
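One way to make the "know where the library is in use" part of that answer concrete, as an added example that is not from the video: a small Python check that matches a constructed software inventory against an advisory's affected version range and orders the hits for remediation. The library name, versions, hosts and severity are constructed placeholders, not the real Log4j advisory data.

```python
import re
from dataclasses import dataclass

# Added example (not from the video). The library name, the affected range and
# the inventory rows are constructed placeholders for illustration.


@dataclass(frozen=True)
class Advisory:
    library: str
    first_affected: tuple   # inclusive lower bound of the affected range
    first_fixed: tuple      # exclusive upper bound: the first patched release
    severity: str


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so releases compare numerically.

    Only the leading digits of each dotted component are kept, so a
    pre-release tag such as '2.0-beta9' is treated as 2.0.
    """
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(adv: Advisory, version: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    return adv.first_affected <= parse_version(version) < adv.first_fixed


# Constructed inventory rows: (host, application, library, version, internet_facing)
INVENTORY = [
    ("web-01", "customer-portal", "example-logging-lib", "2.14.1", True),
    ("web-02", "customer-portal", "example-logging-lib", "2.16.0", True),
    ("batch-03", "nightly-reports", "example-logging-lib", "2.0-beta9", False),
    ("db-01", "inventory-db", "other-lib", "1.0.0", False),
    ("app-07", "hr-system", "example-logging-lib", "2.15.0", False),
]

# Constructed advisory: versions 2.0 up to (not including) 2.15 are affected.
ADVISORY = Advisory("example-logging-lib", (2, 0), (2, 15), "critical")


def exposure_report(inventory, adv):
    """Return the affected rows, internet-facing hosts first, then by host name."""
    hits = [row for row in inventory
            if row[2] == adv.library and is_affected(adv, row[3])]
    return sorted(hits, key=lambda row: (not row[4], row[0]))


def remediation_plan(inventory, adv):
    """Group affected hosts by application so each owning team gets one ticket."""
    plan = {}
    for host, app, _lib, version, _exposed in exposure_report(inventory, adv):
        plan.setdefault(app, []).append((host, version))
    return plan


if __name__ == "__main__":
    for host, app, lib, version, exposed in exposure_report(INVENTORY, ADVISORY):
        print(f"{host:9} {app:16} {lib} {version:10} internet-facing={exposed}")
    print(remediation_plan(INVENTORY, ADVISORY))
```

Without an inventory of this shape, the first day of an incident like this is spent discovering where the library lives; with it, the same hour produces a prioritized ticket list.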
What are your thoughts on ransomware attacks targeting critical infrastructure? How should organizations and governments respond?

So in terms of ransomware attacks on critical infrastructure, I think this is something that really needs to be considered, right, and I think that critical infrastructure is a big target for nation states, whether it's for cyber warfare or actual kinetic warfare. It's just something that needs to be taken into consideration when those nation states are doing threat modeling for their national security; critical infrastructure is super important. So to respond to these ransomware attacks, I think people, or the nations, should be proactive about it, whether that's setting up hot sites or redundancy to deal with the ransomware attack after the fact, in conjunction with end user training, for the normal end users or the people who operate the actual critical infrastructure. I think they should be put through a rigorous training program, because that's one of the main defenses against ransomware: the end user and user training. So, yeah, maybe tabletop exercises as well, simulating ransomware attacks and how you would effectively respond to them, would be a good step to take.

How has the adoption of IoT devices impacted cyber security? Can you discuss any recent incidents or vulnerabilities related to IoT?

So the adoption of IoT devices has basically widened the attack surface quite a bit in terms of cyber security, because the manufacturers of them, at least originally, are not super concerned with security; they're more concerned with the functionality and the sales of it, right, and adding on security, as usual, is just a cost center. So we have a whole bunch of devices being pushed out that are potentially insecure, or they're hard to patch once they're out in the wild, so it's kind of increased the attack surface everywhere. As far as recent incidents or vulnerabilities, nothing super recent comes to mind, but I know there was some incident with a kid's stuffed animal that could record your voice and store it in the cloud, and there was some breach with those where someone was able to, I think, I can't remember if they were able to access the actual voice recordings that the stuffed animal recorded or something like that. But there's all kinds of stuff like this out there, insecure IoT devices where the data ends up getting leaked to either the general public or some kind of malicious actor. But yeah, there are a lot of those types of cases.

Please explain the key components of the NIST Cyber Security Framework.

So the NIST Cyber Security Framework is basically a framework that outlines, in five high level steps, things you can do to help the security hygiene of your organization. Those are identify, protect, detect, respond and recover, for security incidents, and within each one of these five areas there are a lot more subtopics and sub-areas of things you can implement to increase the security posture of your organization and respond to security incidents.

What is the difference between NIST 800-37 and NIST 800-53?

So the difference between NIST 800-37 and NIST 800-53 is that 800-37 is the Risk Management Framework; it's basically a framework designed to help you reduce the organizational risk to a certain level and then keep the risk at that level through an ongoing cycle where you're managing your risk on an ongoing basis. And then NIST 800-53 is the security and privacy control catalog; it's just a really large list of security controls that you can implement to increase the security posture of your organization. There's a general control set, and then there's 800-53 low, medium and high, depending on the level of rigor that you need to apply to your security controls. So for example, if you're working in defense, where security is paramount, whatever your organization is, you might be required to implement high controls, which are super, super safe, if that makes sense. Yeah: reduce risk and keep it at the same level for 800-37, and then control catalog for 800-53.

How does PCI DSS compliance differ from HIPAA compliance?

So PCI DSS differs from HIPAA in the sense that PCI is for payment cards; that's the Payment Card Industry Data Security Standard. HIPAA is the Health Insurance Portability and Accountability Act, and it deals with protecting electronic protected health information, or just protected health information. So if you're an organization that stores or processes credit card information, you likely need to be PCI compliant, and if you store or process some kind of protected health information, you need to look into HIPAA and make sure you have the necessary controls in place, like the Security Rule and the Privacy Rule, to make sure that you are HIPAA compliant. And if you suffer a breach in any one of these areas, where you store or process that type of data and you weren't compliant, you're likely going to be subject to large fines.

Can you explain what CIS controls are and give an example of when they might be applied?

So CIS stands for the Center for Internet Security, and the CIS controls consist of 18 high-level control families that you can apply to your organization to reduce organizational risk, increase security hygiene and all that stuff. The process to actually apply the controls depends on your organization, to be honest, because not every control is going to be applicable. So for example, there's one control family that's a software inventory or something, but if somehow your organization doesn't use software, for example, maybe you don't even need to use any controls from that control family. So it's kind of up to you. I think there's a NIST special publication that's specifically for choosing security controls, but I don't remember what it is off the top of my head. A really simplistic approach would just be to get a hold of the CIS controls, go down the list and see what applies to your organization, think about your critical resources in terms of prioritization, and then just look down the list of controls, see what makes sense, and pick out controls that would help increase your security posture and reduce risk.

How does GDPR impact data storage and transfer for organizations outside of the European Union?

So I don't believe GDPR's impact on data storage and transmission is really about being outside of the EU; it's not necessarily about where the data is, it depends on the actual data that's being stored and processed, right. So regardless of whether you're inside the EU or in America or somewhere else, if you're storing or processing data that belongs to EU citizens, that's where you need to be aware that you need to be GDPR compliant, because if you store or process EU citizens' data and you suffer a breach, no doubt you're going to be susceptible to fines.

Please describe the incident response life cycle as outlined by NIST 800-61.

NIST 800-61, that's the computer incident response handling guide, basically outlines the incident response life cycle that you can follow, and that consists of prepare, detect, analyze, contain, eradicate, recover, and then those post-incident activities where you go over lessons learned, like what happened and so on, all for the sake of hardening your organization for the next time an incident occurs.

So as far as NIST 800-53 controls, there's a whole bunch of control families, and it's unlikely I can recite all of them, but a few of them are probably hardware and software inventory controls, logging and monitoring, there's a control family I think called boundary protection, secure configuration, definitely incident response controls. I'm not sure if I already said access control, but yeah, there's a whole bunch of controls in there.

Why would an organization want to use NIST 800-37?

An organization may use NIST 800-37, which is the Risk Management Framework, in order to manage risk, essentially. What that means is looking at your... it could be your organization as a whole, or it could be a single product or an offering within your organization; you can apply 800-37 to anything, at any scale, right. But assuming it's for your organization, NIST 800-37 can be used to identify risk and reduce risk to an acceptable level, and then you would use the 800-37 life cycle on a continual basis to make sure that there's no risk creep, in the sense that you accidentally accept more risk. It's designed to keep the risk at that acceptable level that you defined in the beginning. So yeah: manage risk, reduce risk, keep it at that reduced level.

What is HIPAA and what is the significance of it in cyber security?

So the primary purpose of HIPAA is essentially to safeguard protected health information and electronic protected health information through the Security Rule and Privacy Rule.

Which NIST guideline would you refer to for security and privacy controls in federal information systems and organizations?

So the guideline, or special publication, for security and privacy controls from NIST would be 800-53.

What are some of the key objectives of PCI DSS?

So the main goal of PCI DSS is essentially just protection of cardholder data, and this is accomplished through a lot of other smaller controls like network protection, ensuring encryption at rest and in transit, access control, network segmentation, and things like this outlined in the PCI DSS guidelines.

Please briefly compare and contrast NIST 800-53 controls with the CIS controls.

So a compare and contrast of CIS controls to NIST 800-53 controls: in my head, those CIS controls are kind of more generalized, if that makes sense. So for example, if your organization wants to increase its security posture generally speaking, but you don't store or process any kind of data that is regulated, right, you don't have to be PCI compliant or HIPAA compliant, it might be a good idea to just go down the CIS control list and apply what makes sense, just to generally increase your security posture. Whereas those NIST 800-53 controls can be exhaustive; there's NIST 800-53 low, medium and high, where high is a really stringent control set that covers a lot of areas, and the federal government, I believe, in some cases will require NIST 800-53 low, medium or high depending on what the application is. So in summary, 800-53 can be more exhaustive, and you could be required to use 800-53 controls depending on your government agency, whereas the CIS controls, I'm not sure, but I don't believe anyone requires CIS controls; they can be used in general to increase security posture when you don't necessarily have any regulated data that you're storing or processing.

How does GDPR define personal data and what implications does this have for cyber security?

So I believe GDPR defines personal data as any information that can be tied to an individual, which kind of sounds self-defining, so somebody's name or address, first or last name, address, phone number, or something like this. They have a more rigorous definition for sure, but I believe it's any data that can be tied to that individual. The implication this has for cyber security is that it makes it really easy for organizations to fall under the scope of GDPR if they are storing or processing any data related to EU citizens, if that makes sense. So it's just something they need to consider, because if you get breached and you're in scope for GDPR and you're not GDPR compliant, for sure you're going to get fined. So it's just something that organizations need to be aware of.

For organizations who store and process electronic protected health information, what are some of the risks associated with foregoing HIPAA compliance? Cyber security metrics that would be useful in reporting compliance for HIPAA?

Probably anything that falls under the Security Rule or Privacy Rule. The Security Rule and Privacy Rule outline a bunch of stuff that you need to consider or that needs to be in place in order to meet HIPAA compliance, so it could be things like your incident response plan, any incidents that happened, log duration or the retention of relevant log files, how long they're being retained, just things like this, things that fall under the two rules that need to be in place for compliance. Any of that stuff is probably important for compliance reporting purposes.

What are some of the main goals of the NIST Cyber Security Framework?

So the main goals of NIST CSF, that's the Cyber Security Framework, are essentially increasing security hygiene on an ongoing basis and helping the organization better respond to threats and incidents. So NIST CSF at a high level is identify, protect, detect, respond and recover, and in each one of these areas it outlines certain things that you can do in order to increase your capability in that area, if that makes sense. So NIST CSF, it's like a framework, well, it is a framework, right, and you can use other controls to accomplish the things that it's talking about. So under identify it lists out stuff, and then you can pick stuff from even the CIS controls, or you can pick stuff from NIST 800-53 controls, and plug them in here in order to increase your capability for identify, right, and the same thing for protect, detect, respond and recover. You can mix and match controls from different control sets if you want, or you can grab all of them from CIS; it doesn't really matter, well, I shouldn't say it doesn't matter, but it depends on the needs of the organization. So it essentially provides a framework of what you need to do; you can use that as a gap analysis of where you are now and where you wish you were in the future, and then you can use controls to bridge that gap and bring your security posture, or your security hygiene, up to where it needs to be.
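The gap analysis just described, as an added example that is not from the video: a Python sketch that maps a handful of CIS and NIST 800-53 controls to the five CSF functions (an illustrative subset chosen for this example, not an official crosswalk), compares what is implemented against a target per function, and lists candidate controls from either catalog to close the gap. The implemented set and the target counts are constructed.

```python
# Added example (not from the video). The control-to-function mapping below is
# an illustrative subset picked for this example, not an official crosswalk,
# and the implemented set and targets are constructed.

FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")

# control id -> (catalog, CSF function it mainly supports)
CONTROL_MAP = {
    "CIS-1":  ("CIS", "identify"),     # inventory of enterprise assets
    "CIS-2":  ("CIS", "identify"),     # inventory of software assets
    "CIS-4":  ("CIS", "protect"),      # secure configuration
    "CIS-6":  ("CIS", "protect"),      # access control management
    "CIS-8":  ("CIS", "detect"),       # audit log management
    "CIS-11": ("CIS", "recover"),      # data recovery
    "CIS-17": ("CIS", "respond"),      # incident response management
    "CM-8":   ("800-53", "identify"),  # system component inventory
    "AC-2":   ("800-53", "protect"),   # account management
    "SC-7":   ("800-53", "protect"),   # boundary protection
    "AU-6":   ("800-53", "detect"),    # audit record review and analysis
    "SI-4":   ("800-53", "detect"),    # system monitoring
    "IR-4":   ("800-53", "respond"),   # incident handling
    "CP-10":  ("800-53", "recover"),   # system recovery and reconstitution
}


def coverage(implemented):
    """Count implemented controls per CSF function, whichever catalog they came from."""
    counts = {f: 0 for f in FUNCTIONS}
    for control in implemented:
        if control not in CONTROL_MAP:
            raise KeyError(f"unmapped control: {control}")
        counts[CONTROL_MAP[control][1]] += 1
    return counts


def gap_analysis(implemented, target, prefer=None):
    """Return {function: (shortfall, candidates)} for functions below target.

    'target' is the desired number of supporting controls per function (the
    'where you wish you were' side). Candidates are mapped controls not yet
    implemented; controls from the preferred catalog, if given, come first.
    """
    have = coverage(implemented)
    result = {}
    for func in FUNCTIONS:
        shortfall = target.get(func, 0) - have[func]
        if shortfall <= 0:
            continue
        candidates = sorted(
            (c for c, (_cat, f) in CONTROL_MAP.items()
             if f == func and c not in implemented),
            key=lambda c: (CONTROL_MAP[c][0] != prefer, c),
        )
        result[func] = (shortfall, candidates)
    return result


# Constructed current state and target profile.
IMPLEMENTED = {"CIS-1", "CIS-4", "CIS-8", "AC-2"}
TARGET = {"identify": 2, "protect": 2, "detect": 1, "respond": 1, "recover": 1}

if __name__ == "__main__":
    for func, (short, cands) in gap_analysis(IMPLEMENTED, TARGET, prefer="CIS").items():
        print(f"{func:9} short by {short}: consider {cands}")
```

Counting controls is a crude proxy for capability; in practice each mapped control would also carry a maturity rating, but the mechanics of mixing catalogs under one set of functions are the same.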
I do highly recommend practicing each one of these interview questions multiple times. You don't necessarily need another human to read them to you and respond, but I do recommend getting your phone, maybe going on a walk or sitting in your room or something, and just practicing articulating your answers to each one of these questions several times, at least 10 times ideally. I get that it seems like it will take forever, but once you actually get into the interview, it's going to be like your IQ gets cut in half and you just cease to function very well. But if you go through the action of practicing your responses to these, it's going to be way easier to respond to these questions, or similar questions that you might be asked, and it's going to free up a lot of your brain power to focus on other things, like not being so nervous, relating to the interviewer well, and asking other questions. It's going to help you a lot if you practice answering these questions beforehand. And I do want to say you can definitely use ChatGPT to answer some of these questions if you want to generate an answer different than what I might have given, and as a reminder you can say stuff like "answer this question as if you're new to cyber security", "answer this question as if you're a seasoned CISO", "answer this question as X or Y", to generate varying levels of answers, if that makes sense. And I do want to say, if you go through all of these questions and practice them multiple times, you're going to be way ahead of 99% of people for sure. So definitely do your best, practice them, and check out my course as well; it's gotten a lot of people jobs, with a lot of hands-on cyber security stuff. And yeah, we will see you in the next video.