and Answers
This resource covers fundamental concepts, network security,
application security, and governance, risk, and compliance (GRC).
Section 1: Fundamentals and Basics (Questions 1-25)
1. What is the CIA Triad, and why is it foundational to cybersecurity?
Answer: The CIA Triad stands for Confidentiality, Integrity, and Availability. It is foundational because these three principles represent the core goals of any information security system: protecting the state of data and systems.

2. Define Confidentiality, Integrity, and Availability (CIA).
Answer: Confidentiality: Preventing unauthorized disclosure of data. Integrity: Ensuring data is accurate, complete, and protected from unauthorized modification. Availability: Guaranteeing authorized users have timely and uninterrupted access to resources.

3. What is a vulnerability?
Answer: A weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

4. What is a threat?
Answer: A potential danger that might exploit a vulnerability to breach security and compromise data or systems (e.g., a malware attack, a disgruntled employee).

5. What is a risk in the context of security?
Answer: The likelihood of a threat exploiting a vulnerability, combined with the resulting negative impact. Risk = Threat x Vulnerability x Impact.

6. Explain the difference between a threat actor and a threat vector.
Answer: A Threat Actor is the person or entity (e.g., hacker, state-sponsored group) responsible for the attack. A Threat Vector is the path or method used to deliver the attack (e.g., a malicious email attachment, a vulnerable web server port).

7. What is encryption, and what are its two main types?
Answer: The process of converting plain text into ciphertext to hide its meaning. The two main types are Symmetric (using one key for both encryption and decryption) and Asymmetric (using a pair of public and private keys).

8. Differentiate between symmetric and asymmetric encryption.
Answer: Symmetric (e.g., AES) is fast and uses the same secret key for both parties. Asymmetric (e.g., RSA) is slower, uses different keys (public for encrypting, private for decrypting), and is used for secure key exchange and digital signatures.

9. What is a hash function, and why is it one-way?
Answer: A mathematical algorithm that converts input data into a fixed-size string of characters (a hash value or digest). It is one-way because it is computationally infeasible to reverse the process and derive the original input data from the hash.

10. Define Multi-Factor Authentication (MFA) and list common factors.
Answer: A security measure requiring a user to provide two or more verification factors to gain access. Factors include: Knowledge (something you know, like a password), Possession (something you have, like a phone/token), and Inherence (something you are, like a fingerprint).

11. What is Social Engineering? Give three examples.
Answer: The psychological manipulation of people into performing actions or divulging confidential information. Examples: Phishing, Pretexting (creating a fake scenario), and Tailgating (following someone into a restricted area).

12. What is the principle of Least Privilege?
Answer: A security concept that requires a user or process to be granted only the minimum necessary authorization rights and permissions needed to perform its job or function.

13. Explain Defense in Depth.
Answer: A strategy that uses multiple layers of security controls (physical, technical, administrative) to protect assets. If one layer fails, another layer will stop the threat, minimizing the risk of a single point of failure.

14. What is a zero-day vulnerability?
Answer: A software flaw that is unknown to the software vendor (and for which no official patch exists) but is actively being exploited by attackers.

15. What is the role of a Security Information and Event Management (SIEM) system?
Answer: A centralized system that aggregates, analyzes, and correlates log and event data from various security devices and applications across an organization to detect, alert on, and investigate potential security incidents in real time.