25+ ArcSight Interview Questions and Answers [BEST & NEW]-2020
ArcSight Interview Questions and Answers

25+ ArcSight Interview Questions and Answers [BEST & NEW]

Last updated on 04th Jul 2020, Blog, Interview Questions

About author

Arunkumar (Cyber Security Consultant )

(5.0) | 16547 Ratings 5005

1 . What will ArcSight electronic warfare symbolize and what’s its primary use? 


  • Micro Focus ArcSight is a cyber security product, first released in 2000, that provides big data security analytics and intelligence software for security information and event management (SIEM) and log management.
  • ArcSight is designed to help customers identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities.
  • ArcSight became a subsidiary of Hewlett-Packard in 2010. It was merged with Micro Focus on September 1, 2017.
  • ArcSight ESM leverages the Security Open Data Platform, whose SmartConnectors can connect to 450+ data source types to collect, aggregate, clean, and enrich your data before feeding it into your security analytics.
  • By structuring your data, ESM makes it both more useful and more cost-effective. It’s also scalable, so you don’t have to worry about data growth.

2 . What will SIEM symbolize and what’s it about?


  • SIEM stands for Security data and Event management.
  • So this can be a platform wherever a holistic read of the protection method is enforced at intervals in the organization.
  • The letter e is silent and it’s addressed as the “SIM” platform.
  • Basically, during this method, the information is all gathered into one secure repository wherever the logs area unit used for future security analysis.
  • This method is widely utilized in the Payment Card trade. It’s really classified as information security normal within the Payment Card trade.

3 . What area unit the key options of the ArcSight Enterprise Security Manager?


The key options of the ArcSight Enterprise Security Manager Area unit as follows.

1. Enriched Security Event knowledge

2. Powerful period knowledge visual image and correlation

3. machine-controlled workflows

4. Security method optimized

5. ArcSight Enterprise Security Manager tool is compatible with ArcSight knowledge Platform and ArcSight Investigate

4 . Make a case for however ArcSight electronic warfare is protective businesses across the globe?


The subsequent area unit the various ways in which the business is truly protected by victimization ArcSight electronic warfare tool, as follows.

1. It’s capable of collection knowledge or data from any variety of log supply.

2. It enormously reduces the latent period and conjointly helps in reducing the harm also.

3. It will expeditiously store data wherever the data will be retrieved as we have a tendency to typically neutralize enterprise-level databases.

4. It provides role relevant reports that area unit out there at intervals the enterprise.

5. The design is ascendable.

6. Simply customizable and maintains the superior system.

5 . However will ArcSight electronic warfare offer Powerful period knowledge correlation?


  • Well, ArcSight electronic warfare provides powerful period knowledge correlation by the process of the number of events per second.
  • Supporting this analysis an additional correct outcome is projected.
  • Therefore supported this analysis, the threats that violate the interior rules area unit escalated at intervals on the platform.
  • Electronic warfare really processes seventy-five, 000 events per-second basis.

6 . What will be done to victimize ArcSight ESM?


ArcSight electronic warfare really helps the organizations and also the people as below.

  • All the event knowledge is collected centrally and hold on and monitor.
  • User-friendly compliance reportage AN exceedingly in a very single bit provides necessary knowledge in an acceptable format.
  • It has the capability to observe and mitigate the chance.
  • Eliminates manual method the maximum amount as attainable.
  • Saves valuable hours of security analyst wherever they pay on false alarms.
  • Brings awareness to the team concerning the protection method in situ and also the countermeasures enforced.

7. Why do organizations like Security data and Event Management systems?


  • Well, most of the tiny firms haven’t got enough men to create certain that their security method is unbroken.
  • However they will not be ready to be proactive and warn the team that there can be an attainable threat attack, this can be as a result of they do not have any automatic mechanism that triggers a threat attack.
  • Therefore to resolve the period issue and conjointly confirm the protection checks area unit monitored and analyzed, we have got a Security data and Event Management system.
  • Out of this method is ArcSight SEM. therefore essentially all the machine log knowledge is analyzed and understands the patterns of traditional behavior vs abnormal behavior.
  • So creating it an ideal tool wherever it will perceive the protection logs to this point and supported the analysis will trigger some data which could stop an even bigger threat to the complete organization.

8 . However will ArcSight electronic warfare facilitate organizations in terms of security aspects?


Well, ArcSight electronic warfare will facilitate the organizations building additional increased use cases to boost the APT’s (Advanced Persistent Threats) which can permit a quicker and targeted response in an exceedingly timely fashion.

9 . What will ArcSight feller do?


  • So, ArcSight feller is nothing however a log management answer that may be used widely in security practices.
  • Therefore victimization answers, the users are ready to capture and analyze a completely different variety of log knowledge and supply necessary inputs to all or any the individual’s groups therefore their queries area unit answered.
  • Eventually, this could be enlarged into an Associate in nursing enterprise-level log management answer if required.
  • So victimization this answer, topics like compliance and risk management area unit are taken into due thought.
  • Also, the information will be used for looking, indexing, reporting, analysis functions, and retention also.

10 . What’s the SIEM tool, make a case for briefly?


In the field of data technology and pc security, the product which {offer} or offer services like period security generated alerts analysis will be classified as SIEM tool.

11 . What’s a SOC team?


  • The term SOC stands for “Security Operations Center”.
  • So essentially this can be middle for all the websites, applications, databases, knowledge centers and servers, networks area unit punctually monitored and analyzed, and well defended.

12 . Make a case for what’s the core providing of ArcSight ESM?


The core providing of ArcSight electronic warfare is.

1. Analyzes completely different threats to an info

2. Checks with the logs that were captured

3. Offer attainable solutions or recommendation supported the chance level

13 . What’s the purpose of ArcSight Express?


  • Essentially, ArcSight specifically provides constant functionalities that they are doing at ArcSight electronic warfare however at a really abundant smaller scale.
  • ArcSight specifically analyzes threats at intervals info and provides the choice items.

14 . What’s the best use of ArcSight Logger?


The most use of ArcSight feller is to capture or stream period knowledge and reason them into completely different buckets of specific logs.

15 . What area unit the key capabilities of ArcSight Logger?


The key capabilities of ArcSight feller are.

1. It collects logs from any style of log generating supply

2. Once collection the information, it categorizes and registers as Common Event Format (CEF)

3. These events will be searched with the employment of a straightforward interface

4. It will handle and store year’s price of logs data

5. it’s good for automation analysis which might be later used for reportage, the intelligence of logs or events for IT Security functions, and logs analytics.

16 . What will ArcSight Connectors mean?


The most use of ArcSight Connectors is listed below.

  •  With the employment of ArcSight connectors, the user will really modify the method of collection and managing the logs regardless of the device. All the information will be normalized into a CEF, i.e. Common Event Format
  • ArcSight connectors offer a bunch of universal knowledge collections from completely different distinctive devices.

17 . What will ArcSight Manager do, make a case for in brief?


  • The employment of ArcSight manager is to easily place in situ sturdy security parameters at intervals of the organization.
  • Therefore it’s one amongst the superior service engines that really filters, manages, correlates all security-related events that are unit collected by the IT system.

The main components that area unit essential for the ArcSight manager to figure fittingly are.

  • ArcSight Console
  •  ACC
  • CORR Engine
  • ArcSight Smart Connectors

The operational atmosphere for ArcSight Manager is nothing however the underlying OS and also the filing system that area unit in situ.

18 . What will IDS stand for?


IDS stands for “Intrusion Detection System”. This can be the most part once it involves ArcSight electronic warfare.

19 . Few bullet points on ArcSight ESM?


The subsequent area unit the small print concerning the ArcSight electronic warfare tool.

1. With this tool, directors and analyst will really sight additional incidents

2. Operate additional expeditiously

3. Constant knowledge set will be used for period correlation of the information and a log management application will use a constant dataset.

20 . What area unit the system needs for implementing ArcSight ESM?


Supported in operating systems are.

1. Red Hat Enterprise Linux Version half-dozen.2, 64 bit CPU

2. Memory 16-36GB

3. Space for 2-4 TB

4. Average Compression of 10.1 SAS 15K rev

    Subscribe For Free Demo

    21 . How is the Licensing completed in Arcsight? Is it supported no. of devices or the EPS or the other data?


    All market-leading SIEMs licenses supported EPS. ArcSight conjointly takes device count.

    22 . What is a special feature in ArcSight that makes it prime siem product?


    • MSSP Support, Custom device integration, filtering in agent level, additional variety of device sort support. No different products have agent level filters.
    • Wow, Archsight is comparable to other SIEM tools out there in market viz. RSA envision, McAfee electronic warfare, etc.?
    • All different SIEMs doesn’t have a separate full-fledged console for admin and analysis purpose. Conjointly different SIEMs doesn’t have Smart Connectors which can do the subsequent functionalities.
    • Collect all the information you would like from a supply device, therefore you are doing not got to return to the device throughout Associate in Nursing investigation or audit.
    • Save network information measure and space for storing by filtering out the knowledge you recognize won’t be required for analysis.
    • Take apart individual events and normalize them into a standard schema (format) to be used by electronic warfare.
    • Mixture events to cut back the number of events sent to the Manager.

    23 . Can you please share the Arcsight Dashboard and also the functions?


    • Dashboards show indicators that communicate the state of your enterprise as reportable by Smart Connectors from knowledge sources on your network.
    • Dashboards area unit created of individual knowledge monitors and/or question viewers in an exceeding style of graphical and tabular formats that summarize the event flow and communicate the impact of event traffic on specific systems on the network or show the standing of electronic warfare parts.
    • The protection Activity Statistics dashboard is simply one amongst the quality dashboards that display a spread of system standing knowledge monitors, that communicate the state of your network security conjointly you’ll be able to produce bespoken dashboards as per the environment.

    24 . Where is that knowledge held primarily in ArcSight. electronic warfare or Logger?


    If there’s no feller in your atmosphere electronic warfare can store all data. If feller out there storing knowledge in feller is better.

    25 . What area unit devices will we monitor victimization Arcsight?


    • We can monitor any devices that all area unit generating logs. If ArcSight connectors support the logs we will directly use good connectors.
    • For different non-supported devices, we’ve to develop custom connectors.

    26 . What is SIEM ? 


    Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organizations information technology (IT) security.

    27 . What are the general monitoring parameters for middleware applications like sharepoint?


    • Application logs, access logs can be monitored.
    • In backend if the application is using database then database audit logs can be monitor.

     28 . What all parameters can be monitored using the tool ?


    This is based on the device logs… For example if it’s a firewall then all the traffic and configuration logs can be monitored.   

    29 . List out the features of SIEM? 


    Log management, Log monitoring, Dashboard, pattern discovery, Asset modeling and many more features  

    30 . Using ArcSight how can we secure our application environment? 


    • Since Arcsight is an SIEM tool where we can monitor the logs for any vulnerabilities.
    • So by using this Arcsight we can alert the application owner for suspicious activity…..   
    Course Curriculum

    Learn Experts Curated ArcSight Training to Build Your Skills & Ability

    • Instructor-led Sessions
    • Real-life Case Studies
    • Assignments
    Explore Curriculum

    31 . What is the diff bw SIEM,SIM and SEM   


    • Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organizations information technology (IT) security.
    • SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system. 

    32 . Why to use Arcsight, when other tools like RSA and Q-Radar are available in the market ?  


    • Arcsight is an agent based SIEM Tool.
    • Compared to RSA, Arcsight is a user friendly tool.
    • Based on the requirement we can select the tool.

    33 . Difference between arcsight express & ESM


    Arcsight Express is a Appliance based and ESM is an ApplicationSoftware based   

    34 . Why do we need to use ArcSight ?


    For log management and Live log monitoring wch helps us to identify the suspicious traffic  

    35 . From an architecture standpoint, what all components do we have we have in arcsight ?  


    For ESM. We should have Manager and database server, Console which is used to monitor the logs, Web browser, Arcsight web server, and agent

    36 . Is there any provision in Arcsight which can check the connectivity between servers to monitor assets?   


    We need to enable device monitoring at connector level. Also by seeing the connector status we can identify the connection. 

    37 . What is the difference between Arcsight logger and Smart Connector? 


    Arcsight logger is an appliance or Application which is used to store the logs for longer days. Smart connector is a connector/agent used to collect the logs.

    38 . What is the major difference b/w Arcsight and RSA Envision tool   


    Arcsight is agent based Tool and RSA is a agent less based Tool   

    39 . Which is the arcsight smart connector for sharepoint? 


    • Arcsight has some 300+ default smart connectors.
    • For SharePoint we don’t have smart connector hence we need to develop Flex connector 

    40 . What is the difference b/w correlation,aggregation,normalization. 


    • Correlation: Logically linking events based on multiple conditions. A rule can have one or more conditions.
    • If there is one condition, the rule acts as a filtering tool.
    • If there is more than one condition, the rule acts as a correlation tool. 
    • A rule can be created for any incoming event from one or more event generators, with various conditions, logic statements, and thresholds. 
    • Aggregation: Aggregation is a composition technique for building a new event from one or more existing events that support some or all of the new event’s conditions. 
    • Normalization: This will convert Raw events to CEF Common event format 

    41 . Is this arcsight application available on net for practice ?? 



    42 . What is Basic knowledge required to monitor these tools ,as in technical knowledge ?? 


    Basic security and network knowledge   

    43 . Is SIEM software based or hardware based? 


    Both are available. Its completely based on the type tool/vendor….   

    44 . Is it restricted to network and security device monitoring ? 


    No… we can monitor security , network, application and own house application also… 

    45 . Heard about connectors, loggers and all. Can you please brief me about that? 


    • Connector. its is used to collect the logs and push towards the arcsight database server.
    • Logger is used to collect the logs from the collector and also it can store the logs.

    46 . Whether from arc sight we can detect Zero day attacks? if yes How?  


    Yes … but we need to analyze logs… also with the help of Pattern discovery….  

    47 . How is a smart connector different from RSA collector appliances ? 


    RSA collector appliance is a windows based server… and Arcsight collector connector is an application where we can install on any OS flavors….  

    48 . Is Storage device can be support by ArcSight   



    49 . What are the minimum requirement for implementing the tool in a new environment?


    Prerequisites will vary based on the end devices.   

    50 . What is latest version of arcsight and on what is the base OS for the same. 


    6.5C it will Linux 6.2 Red hat….  

    Course Curriculum

    Get ArcSight Certification Course By Experts Trainers

    Weekday / Weekend BatchesSee Batch Details

    51 . In Arcsight Have on box or off box collectors?   



    52 . Can u pls tell me how the data flows in Arcsight tool.


    End device to-collector–to- Arcsight Manager -to–Arcsight database  

    53 . What is Connector, Logger?? Is it related to ESM?   


    Connector and logger is explained already ….Yes both are related to ESM…But based on the Setup…. 

    54 . What are the ports to be opened for logger and SmartConnectors?   


    In between Logger and smart connector — Https 443  

    55 . Whether this tool will only identify the suspicious traffic or it will block/rectify traffic?


    Its monitoring tool.We can’t block the traffic through the Arcsight…  

    56 . Can we integrate Arcsight with WHIPS? 


    Yes,we have Arcsight smart connector.   

    57 . What is the difference between flex connector and smart connector ? 


    Smart connector is a Arcsight Default connector and Flex connector is Customized connector. 

    58 . Can you suggest some good books/links to learn about ArcSight. 


    ESM 101 document..https.//protect724.arcsight.com   

    59 . How we can take the configuration backup.   


    Through packages and also through databases.   

    60 . What is ArcSight Manager? How does it work? 


    • The Manager is the heart of the ESM solution.
    • It is a Java-based server that drives analysis, workflow, and services.
    • The Manager is portable across a variety of operating systems and hardware platforms.
    • It also correlates output from a wide variety of security systems.
    • The Manager writes events to the Database as they stream into the system.
    • It simultaneously processes them through the correlation engine, which evaluates each event with network model and vulnerability information to develop real-time threat summaries.   

    61 . In arcsight which tools are comes under SEM and SIM 


    ESM and Express BoX is under SIM. Logger is SEM  

    62 . What is the difference between active list & session list ? Need some clarity.


    • Active lists are configurable tables that collect specified fields of event data to enable cross-referencing during correlation.
    • Active lists serve as a community bulletin board for tracking specific event data over long periods (days or weeks) so it can be available on demand for correlation.
    • Session: Its used to monitor Login and Logout information 

    63 . Whether auto-ticketing capability is available in arcsight.   



    64 . How is Encryption different from Hashing?


    • Both Encryption and Hashing are used to convert readable data into an unreadable format.
    • The difference is that the encrypted data can be converted back to original data by the process of decryption but the hashed data cannot be converted back to original data.

    65 . What is a Firewall and why is it used?


    • A Firewall is a network security system set on the boundaries of the system/network that monitors and controls network traffic.
    • Firewalls are mainly used to protect the system/network from viruses, worms, malware, etc.
    • Firewalls can also be to prevent remote access and content filtering.

    66 . What is the difference between VA(Vulnerability Assessment) and PT(Penetration Testing)?


    • Vulnerability Assessment is the process of finding flaws on the target.
    • Here, the organization knows that their system/network has flaws or weaknesses and want to find these flaws and prioritize the flaws for fixing.
    • Penetration Testing is the process of finding vulnerabilities on the target. In this case, the organization would have set up all the security measures they could think of and would want to test if there is any other way that their system/network can be hacked.

    67 . What is a three-way handshake?


    A three-way handshake is a method used in a TCP/IP network to create a connection between a host and a client. It’s called a three-way handshake because it is a three-step method in which the client and server exchanges packets. The three steps are as follows.

    • The client sends a SYN(Synchronize) packet to the server check if the server is up or has open ports
    • The server sends SYN-ACK packet to the client if it has open ports
    • The client acknowledges this and sends an ACK(Acknowledgment) packet back to the server

    68 . What are the response codes that can be received from a Web Application?


    • Informational responses
    • Success
    • Redirection
    • Client-side error
    • Server-side error

    69 . What is traceroute? Why is it used?


    • Traceroute is a tool that shows the path of a packet.
    • It lists all the points (mainly routers) that the packet passes through.
    • This is used mostly when the packet is not reaching its destination.
    • Traceroute is used to check where the connection stops or breaks to identify the point of failure.

    70 . What is the difference between HIDS and NIDS?


    • HIDS(Host IDS) and NIDS(Network IDS) are both Intrusion Detection Systems and work for the same purpose i.e., to detect the intrusions.
    • The only difference is that the HIDS is set up on a particular host/device.
    • It monitors the traffic of a particular device and suspicious system activities.
    • On the other hand, NIDS is set up on a network. It monitors traffic of all device of the network.
    Arcsight Sample Resumes! Download & Edit, Get Noticed by Top Employers! Download

    71 . What are the steps to set up a firewall?


    Following are the steps to set up a firewall.

    • Username/password. modify the default password for a firewall device
    • Remote administration. Disable the feature of the remote administration
    • Port forwarding. Configure appropriate port forwarding for certain applications to work properly, such as a web server or FTP server
    • DHCP server. Installing a firewall on a network with an existing DHCP server will cause conflict unless the firewall’s DHCP is disabled
    • Logging. To troubleshoot firewall issues or potential attacks, ensure that logging is enabled and understand how to view logs
    • Policies. You should have solid security policies in place and make sure that the firewall is configured to enforce those policies.

    72 . Explain SSL Encryption


    • SSL(Secure Sockets Layer) is the industry-standard security technology creating encrypted connections between Web Server and a Browser.
    • This is used to maintain data privacy and to protect the information in online transactions. The steps for establishing an SSL connection is as follows.
    • A browser tries to connect to the web server secured with SSL
    • The browser sends a copy of its SSL certificate to the browser
    • The browser checks if the SSL certificate is trustworthy or not. If it is trustworthy, then the browser sends a message to the web server requesting to establish an encrypted connection
    • The web server sends an acknowledgment to start an SSL encrypted connection
    • SSL encrypted communication takes place between the browser and the web server

    73 . What steps will you take to secure a server?


    Secure servers use the Secure Sockets Layer (SSL) protocol for data encryption and decryption to protect data from unauthorized interception.

    Here are four simple ways to secure server.

    Step 1. Make sure you have a secure password for your root and administrator users

    Step 2. The next thing you need to do is make new users on your system. These will be the users you use to manage the system

    Step 3. Remove remote access from the default root/administrator accounts

    Step 4. The next step is to configure your firewall rules for remote access

    74 . Explain Data Leakage


    Data Leakage is an intentional or unintentional transmission of data from within the organization to an external unauthorized destination. It is the disclosure of confidential information to an unauthorized entity. Data Leakage can be divided into 3 categories based on how it happens.

    • Accidental Breach. An entity unintentionally send data to an unauthorized person due to a fault or a blunder
    • Intentional Breach. The authorized entity sends data to an unauthorized entity on purpose
    • System Hack. Hacking techniques are used to cause data leakage
    • Data Leakage can be prevented by using tools, software, and strategies known as DLP(Data Leakage Prevention) Tools.

    75 . What is a Brute Force Attack? How can you prevent it?


    Brute Force is a way of finding out the right credentials by repetitively trying all the permutations andwcombinations of possible credentials. In most cases, brute force attacks are automated where the tool/software automatically tries to login with a list of credentials. There are various ways to prevent Brute Force attacks. Some of them are.

    • Password Length. You can set a minimum length for password. The lengthier the password, the harder it is to find.
    • Password Complexity. Including different formats of characters in the password makes brute force attacks harder. Using alpha-numeric passwords along with special characters, and upper and lower case characters increase the password complexity making it difficult to be cracked.
    • Limiting Login Attempts. Set a limit on login failures. For example, you can set the limit on login failures as 3. So, when there are 3 consecutive login failures, restrict the user from logging in for some time, or send an Email or OTP to use to log in the next time. Because brute force is an automated process, limiting login attempts will break the brute force proses

    76 . What is Port Scanning? 


    Port Scanning is the technique used to identify open ports and service available on a host. Hackers use port scanning to find information that can be helpful to exploit vulnerabilities. Administrators use Port Scanning to verify the security policies of the network. Some of the common Port Scanning Techniques are.

    • Ping Scan
    • TCP Half-Open
    • TCP Connect
    • UDP
    • Stealth Scanning

    77 . What are the different layers of the OSI model?


    An OSI model is a reference model for how applications communicate over a network. The purpose of an OSI reference is to guide vendors and developers so the digital communication products and software programs can interoperate.

    Following are the OSI layers.

    • Physical Layer. Responsible for transmission of digital data from sender to receiver through the c
    • Data Link Layer. Handles the movement of data to and from the physical link. It is also responsible for encoding and decoding of data bits.
    • Network Layer. Responsible for packet forwarding and providing routing paths for network communication.
    • Transport Layer. Responsible for end-to-end communication over the network. It splits the data from the above layer and passes it to the Network Layer and then ensures that all the data has successfully reached at the receiver’s end.
    • Session Layer. Controls connection between the sender and the receiver. It is responsible for starting, ending, and managing the session and establishing, maintaining and synchronizing interaction between the sender and the receiver.
    • Presentation Layer. It deals with presenting the data in a proper format and data structure instead of sending raw datagrams or packets.
    • Application Layer. It provides an interface between the application and the network. It focuses on process-to-process communication and provides a communication interface.

    78 . What is a VPN?


    • VPN stands for Virtual Private Network. It is used to create a safe and encrypted connection.
    • When you use a VPN, the data from the client is sent to a point in the VPN where it is encrypted and then sent through the internet to another point.
    • At this point, the data is decrypted and sent to the server.
    • When the server sends a response, the response is sent to a point in the VPN where it is encrypted and this encrypted data is sent to another point in the VPN where it is decrypted.
    • And finally, the decrypted data is sent to the client. The whole point of using a VPN is to ensure encrypted data transfer.

    79 . What do you understand by Risk, Vulnerability & Threat in a network?


    • Threat. Someone with the potential to harm a system or an organization
    • Vulnerability. Weakness in a system that can be exploited by a potential hacker
    • Risk. Potential for loss or damage when threat exploits a vulnerability

    80. How can identity theft be prevented?


    Here’s what you can do to prevent identity theft.

    • Ensure strong and unique password
    • Avoid sharing confidential information online, especially on social media
    • Shop from known and trusted websites
    • Use the latest version of the browsers
    • Install advanced malware and spyware tools
    • Use specialized security solutions against financial data
    • Always update your system and the software
    • Protect your SSN (Social Security Number)

    81 . What are black hats, white hats and grey hat hackers?


    • Black hat hackers are known for having vast knowledge about breaking into computer networks.
    • They can write malware which can be used to gain access to these systems.
    • These types of hackers misuse their skills to steal information or use the hacked system for malicious purposes. 
    • White hat hackers use their powers for good deeds and so they are also called Ethical Hackers.
    • These are mostly hired by companies as a security specialist that attempts to find and fix vulnerabilities and security holes in the systems.
    • They use their skills to help make the security better. 
    • Grey hat hackers are an amalgamation of a white hat and black hat hacker.
    • They look for system vulnerabilities without the owner’s permission.
    • If they find any vulnerabilities, they report it to the owner.
    • Unlike Black hat hackers, they do not exploit the vulnerabilities found. 

    82 . How often should you perform Patch management?


    • Patch management should be done as soon as it is released.
    • For windows, once the patch is released it should be applied to all machines, not later than one month.
    • Same goes for network devices, patch it as soon as it is released.
    • Proper patch management should be followed.

    83 . How would you reset a password-protected BIOS configuration?


    • Since BIOS is a pre-boot system it has its own storage mechanism for settings and preferences.
    • A simple way to reset is by popping out the CMOS battery so that the memory storing the settings lose its power supply and as a result, it will lose its setting.

    84 . Explain MITM attack and how to prevent it?


    • A MITM(Man-in-the-Middle) attack is a type of attack where the hacker places himself in between the communication of two parties and steal the information.
    • Suppose there are two parties A and B having a communication.
    • Then the hacker joins this communication. He impersonates as party B to A and impersonates as party A in front of B.
    • The data from both the parties are sent to the hacker and the hacker redirects the data to the destination party after stealing the data required.
    • While the two parties think that they are communicating with each other, in reality, they are communicating with the hacker.

    You can prevent MITM attack by using the following practices.

    • Use VPN
    • Use strong WEP/WPA encryption
    • Use Intrusion Detection Systems
    • Force HTTPS
    • Public Key Pair Based Authentication

    85 . Explain DDOS attack and how to prevent it?


    A DDOS(Distributed Denial of Service) attack is a cyberattack that causes the servers to refuse to provide services to genuine clients. DDOS attack can be classified into two types.

    • Flooding attacks. In this type, the hacker sends a huge amount of traffic to the server which the server can not handle. And hence, the server stops functioning. This type of attack is usually executed by using automated programs that continuously send packets to the server.
    • Crash attacks. In this type, the hackers exploit a bug on the server resulting in the system to crash and hence the server is not able to provide service to the clients.

    You can prevent DDOS attacks by using the following practices.

    • Use Anti-DDOS services
    • Configure Firewalls and Routers
    • Use Front-End Hardware
    • Use Load Balancing
    • Handle Spikes in Traffic

    86 . Explain XSS attack and how to prevent it?


    XSS(Cross-Site Scripting) is a cyberattack that enables hackers to inject malicious client-side scripts into web pages. XSS can be used to hijack sessions and steal cookies, modify DOM, remote code execution, crash the server etc.

    You can prevent XSS attacks by using the following practices.

    • Validate user inputs
    • Sanitize user inputs
    • Encode special characters
    • Use Anti-XSS services/tools
    • Use XSS  HTML Filter

    87 . What is an ARP and how does it work?


    • Address Resolution Protocol (ARP)is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network.
    • When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address.
    • The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine.
    • If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it.

    88 . What is port blocking within LAN?


    • Restricting the users from accessing a set of services within the local area network is called port blocking.
    • Stopping the source to not to access the destination node via ports. As the application works on the ports, so ports are blocked to restricts the access filling up the security holes in the network infrastructure.

    89 . What is a Botnet?


    • A Botnet is a number of devices connected to the internet where each device has one or more bots running on it.
    • The bots on the devices and malicious scripts used to hack a victim.
    • Botnets can be used to steal data, send spams and execute a DDOS attack.

    90 . What are salted hashes?


    • Salt is random data. When a properly protected password system receives a new password, it creates a hash value of that password, a random salt value, and then the combined value is stored in its database.
    • This helps to defend against dictionary attacks and known hash attacks.
    • Example: If someone uses the same password on two different systems and they are being used using the same hashing algorithm, the hash value would be same, however, if even one of the system uses salt with the hashes, the value will be different.

    91 . Explain SSL and TLS


    • SSL is meant to verify the sender’s identity but it doesn’t search for anything more than that. SSL can help you track the person you are talking to but that can also be tricked at times.
    • TLS is also an identification tool just like SSL, but it offers better security features. It provides additional protection to the data and hence SSL and TLS are often used together for better protection.

    92 . What is 2FA and how can it be implemented for public websites?


    • An extra layer of security that is known as “multi-factor authentication“.
    • Requires not only a password and username but also something that only, and only, that user has on them, i.e. a piece of information only they should know or have immediately to hand – such as a physical token.
    • Authenticator apps replace the need to obtain a verification code via text, voice call or email.

    93 . What is Cognitive Cybersecurity?


    • Cognitive Cybersecurity is an application of AI technologies patterned on human thought processes to detect threats and protect physical and digital systems.
    • Self-learning security systems use data mining, pattern recognition, and natural language processing to simulate the human brain, albeit in a high-powered computer model.

    94 . Explain Phishing and how to prevent it?


    Phishing is a Cyberattack in which a hacker disguises as a trustworthy person or business and attempt to steal sensitive financial or personal information through fraudulent email or instant message.

    You can prevent Phishing attacks by using the following practices.

    • Don’t enter sensitive information in the webpages that you don’t trust
    • Verify the site’s security
    • Use Firewalls
    • Use AntiVirus Software that has Internet Security
    • Use Anti-Phishing Toolbar

    95 . Explain SQL Injection and how to prevent it?


    • SQL Injection (SQLi) is a code injection attack where an attacker manipulates the data being sent to the server to execute malicious SQL statements to control a web application’s database server, thereby accessing, modifying and deleting unauthorized data.
    • This attack is mainly used to take over database servers.

    You can prevent SQL Injection attacks by using the following practices.

    • Use prepared statements
    • Use Stored Procedures
    • Validate user input

    What port does ICMP use?

    -Trick question.

    ICMP does not use a port since it does not have a place for a port. It is encapsulated with an IP datagram only.

    96 . What is a SYN Flood?


    A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

    97 . What is a slow Denial of Service (DOS) attack?


    • In a slow DOS is that the attack tool sends an HTTP request that never finishes. 
    • As a result, each listener process never finishes its quota of MaxRequestsPerChild so that it can die. 
    • By sending a small amount of never-complete requests, Apache gladly spawns new processes/threads up to MaxClients at which point it fails to answer requests and the site is DOSed.

    98 . Look around this room and tell me what is a security risk?


    • Whiteboard had information on it.
    • Open Network jacks, with CAT 5 cables available in the room that someone can easily plug into.

    99 . What’s an example of a “find” you have found and come across?


    • Well while doing an audit I saw the HR department was submitting payroll information to the 3rd party payment processor via FTP.
    • Noticing the value of the sensitive information, I was able to speak with the 3rd party vendor and have the pay roll submission information switched to SFTP.

    100 . Tell me about a time you used a continuous process to improve an existing system?


    • (Tip#1. think about something you did in the past, and since this is a IT Security Interview, put a Security spin on it, as this is a very vague question.)
    • (Tip#2. Ivf the position you are interviewing for is a Risk and Compliance position make sure your answer has something to do with that .)
    • Micro Focus ArcSight is a cyber security product, first released in 2000, that provides big data security analytics and intelligence software for security information and event management (SIEM) and log management.
    • ArcSight is designed to help customers identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities.
    • ArcSight became a subsidiary of Hewlett-Packard in 2010. It was merged with Micro Focus on September 1, 2017.
    • ArcSight ESM leverages the Security Open Data Platform, whose SmartConnectors can connect to 450+ data source types to collect, aggregate, clean, and enrich your data before feeding it into your security analytics.
    • By structuring your data, ESM makes it both more useful and more cost-effective.
    • It’s also scalable, so you don’t have to worry about data growth.

    Are you looking training with Right Jobs?

    Contact Us
    Get Training Quote for Free