Security Engineering Fundamentals Knowledge Map
🔐 Encryption, Authentication & Access
1. What is a three-way handshake? A process (SYN → SYN-ACK → ACK) used by TCP to establish a reliable connection between two devices before data transfer.
2. How do cookies work? Cookies are small pieces of data stored in your browser to remember information like login sessions or preferences.
3. How do sessions work? Sessions temporarily store user data on the server to maintain state across multiple requests (e.g., staying logged in).
4. Explain how OAuth works. OAuth allows a user to grant limited access to their resources on one site to another app — without sharing passwords.
5. Explain how JWT works. JWT (JSON Web Token) is a compact, signed token used to securely transmit identity information between systems.
6. What is a PKI flow? Public Key Infrastructure manages digital certificates and keys for secure communication — using a Certificate Authority (CA) to verify identities.
7. Synchronous vs Asynchronous encryption?
Symmetric (synchronous): Same key for encryption and decryption.
Asymmetric (asynchronous): Uses public and private key pairs.
8. Describe the SSL handshake. It’s the process where a client and server exchange certificates and keys to establish an encrypted HTTPS connection.
9. How does HMAC work? It combines a secret key with a message and hashes them to verify data integrity and authenticity.
10. Why is HMAC designed that way? To ensure messages are authentic and haven’t been tampered with, even if the attacker sees the message.
11. Authentication vs Authorization?
Authentication: Verifies who you are.
Authorization: Determines what you can access.
12. Diffie-Hellman vs RSA?
Diffie-Hellman: Used for key exchange.
RSA: Used for both encryption and digital signatures.
13. How does Kerberos work? Uses a trusted third party (KDC) to issue time-limited tickets, allowing secure authentication without repeatedly sending passwords.
14. Compress then encrypt or encrypt then compress? Always compress first, then encrypt. Encryption randomizes data, making compression ineffective afterward.
15. How do I authenticate you and know you sent the message? Through digital signatures or message authentication codes (MAC/HMAC).
16. Should you encrypt all data at rest? Yes — especially sensitive or regulated data — to prevent unauthorized access.
17. What is Perfect Forward Secrecy (PFS)? A property ensuring that past encrypted sessions remain secure even if long-term keys are later compromised.
🌐 Network Security, Protocols & Logging
18. Common security-related ports and risks:
22 (SSH) – brute-force attacks → use key pairs
80 (HTTP) – unencrypted → use HTTPS
443 (HTTPS) – encrypted web traffic
53 (DNS) – spoofing → use DNSSEC
19. Which port is used for DNS? Port 53 (UDP/TCP).
20. Describe HTTPS. It’s HTTP over TLS/SSL — providing encrypted communication between browser and server.
21. Difference between HTTPS and SSL? SSL/TLS is the encryption protocol; HTTPS is HTTP that uses it for secure communication.
22. How does threat modeling work? Identifies possible threats, attack paths, and mitigations for a system before deployment.
23. What is a subnet and why useful? A subnet divides a large network into smaller segments for better security and performance.
24. What is a subnet mask? Defines which portion of an IP address identifies the network vs the host.
25. What is traceroute? A diagnostic tool showing the path packets take to reach a destination and where delays occur.
26. Network troubleshooting scenario: Visualize routers, switches, and firewalls, then use ping/traceroute/logs to identify where communication fails.
27. Cisco ASA firewall config: ACLs (Access Control Lists) define which IPs and ports are allowed, denied, or logged.
28. Explain TCP/IP concepts. TCP ensures reliable delivery; IP handles addressing and routing between hosts.
29. What is the OSI model? A 7-layer conceptual model explaining how data moves (Physical → Application layer).
30. Router vs Switch?
Router: Connects multiple networks.
Switch: Connects devices within one network.
31. Risk Management Framework (RMF): A structured process to categorize, assess, authorize, and monitor system risks.
32. How does a packet travel on same network? Through ARP (Address Resolution Protocol) — finding MAC address and sending data directly.
33. TCP vs UDP — which is more secure? TCP, as it establishes a connection and ensures delivery. UDP is faster but unreliable.
34. TCP three-way handshake: SYN → SYN-ACK → ACK — ensures both parties are ready before data exchange.
🧠 System, Application & Cloud Security
35. DNS poisoning: Corrupting DNS cache so users are redirected to malicious sites.
36. ARP spoofing: Attacker sends fake ARP messages to intercept network traffic.
37. Man-in-the-middle attack: Intercepting and possibly altering communication between two systems.
38. IDS vs IPS:
IDS: Detects suspicious traffic.
IPS: Detects and blocks it.
39. WAF (Web Application Firewall): Filters and monitors web traffic to protect against attacks like SQL injection and XSS.
40. SQL injection: Injecting malicious SQL commands into input fields to access or modify databases.
41. XSS (Cross-Site Scripting): Injecting malicious scripts into web pages that run in users’ browsers.
42. CSRF (Cross-Site Request Forgery): Tricking users into performing unintended actions (e.g., changing password) while authenticated.
43. Input validation: Ensuring user inputs are correct and safe before processing.
44. Vulnerability vs Exploit vs Payload:
Vulnerability: A weakness.
Exploit: The method to take advantage of it.
Payload: The malicious code executed after exploitation.
45. Patch management: Regularly updating software to fix vulnerabilities.
46. Least privilege: Users or systems get only the minimum access necessary.
47. Defense in depth: Multiple security layers — if one fails, others protect the system.
48. Network segmentation: Dividing networks into zones to reduce the impact of breaches.
49. Honeypot: A decoy system used to detect or distract attackers.
50. Zero Trust: No implicit trust; verify every user, device, and connection continuously.
51. MFA (Multi-Factor Authentication): Requires two or more verification methods (password + token).
52. SSO (Single Sign-On): One login grants access to multiple systems securely.
53. IAM (Identity and Access Management): Framework for managing digital identities and their access rights.
54. Separation of duties: Split responsibilities so no one person can misuse power alone.
55. Logging and monitoring: Recording and reviewing system activities to detect suspicious events.
56. SIEM: Security Information and Event Management — aggregates and analyzes logs across systems.
57. DDoS attack: Flooding a server with traffic to make it unavailable.
58. DDoS prevention: Rate limiting, load balancers, CDNs, and firewall filtering.
59. Vulnerability scan vs Pen test:
Scan: Finds weaknesses automatically.
Pen test: Actively exploits them like a hacker would.
60. System hardening: Reducing attack surface by disabling unused services and applying security settings.
61. Security baseline: The minimum set of configurations required to secure systems.
62. Encryption in transit vs at rest:
Transit: Protects data while moving.
At rest: Protects stored data.
63. Cloud shared responsibility model: Cloud providers secure infrastructure; customers secure their data and configurations.
64. Container security: Protecting applications running inside containers through image scanning and isolation.
65. Kubernetes: Orchestrates and manages multiple containers for scaling and resilience.
66. Cloud misconfiguration: Incorrect settings (like open S3 buckets) that expose data publicly.
67. IAM role vs policy:
Role: Identity with permissions.
Policy: Set of rules defining what actions are allowed.
68. EDR/XDR:
EDR: Endpoint detection and response.
XDR: Extended detection across endpoints, network, and cloud.
69. DLP (Data Loss Prevention): Prevents sensitive data from being leaked or sent outside the organization.
70. Ransomware: Malware that encrypts data and demands payment to unlock it.
71. Phishing: Deceptive messages tricking users into revealing sensitive information.
72. Social engineering: Manipulating people into giving access or information.
73. Insider threat: An internal user misusing access intentionally or accidentally.
74. Supply chain attack: Compromising a trusted vendor or software dependency to target victims.
75. Sandboxing: Running code in an isolated environment to safely test or observe it.
76. Malware vs Virus vs Worm:
Malware: Any malicious software.
Virus: Spreads by attaching to files.
Worm: Self-replicates over networks.
77. Hashing: Converting data into a fixed-size string (hash) — used for integrity checks.
78. Salt in hashing: Random value added to hashes to make them unique and resistant to precomputed attacks.
79. Digital signature: Proves authenticity and integrity using cryptographic signing.
80. Certificate pinning: Forcing an application to trust only a specific server certificate.
81. Lateral movement: When attackers move within a network after gaining initial access.
82. Privilege escalation: Gaining higher permissions than originally allowed.
83. Incident response: Steps taken to detect, contain, and recover from a cyber incident.
84. Incident response phases: Preparation → Detection → Containment → Eradication → Recovery → Lessons learned.
85. DFIR: Digital Forensics and Incident Response — investigates, analyzes, and responds to breaches.
86. Log correlation: Linking related log events from multiple systems to identify incidents.
87. SOC (Security Operations Center): A team and facility monitoring and managing security incidents.
88. Threat hunting: Proactively searching for hidden or emerging threats.
89. MITRE ATT&CK framework: A knowledge base of adversary tactics and techniques used for threat analysis and defense planning.
90. Kill chain: A model describing the stages of a cyberattack — from reconnaissance to data exfiltration.
Last updated