Interview Questions | All About Testing (https://allabouttesting.org)

ISO 27001 (ISMS) Interview Questions & Answers
https://allabouttesting.org/iso-27001-isms-interview-questions-answers/
Published Sun, 02 Oct 2022

ISO/IEC 27001 is the most widely used international standard for managing information security. This post lists interview questions that may be asked of candidates for roles where ISO 27001 knowledge is a requirement.

Q. What is ISO/IEC 27001?

Ans: ISO/IEC 27001 is an international standard, adopted by organizations worldwide, that specifies the requirements for an Information Security Management System (ISMS). It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The requirements apply to organizations of any size or sector, and an organization can be independently audited and certified against them. Annex A of the standard lists the security controls against which the organization documents its chosen risk treatments.

Q. What is the full name of ISO 27001?

Ans: The 2013 edition is titled “ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements”. The revision published in October 2022 is titled “ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements”.

Q. What is the content of ISO 27001?

Ans: ISO/IEC 27001:2013 has seven mandatory clauses (4 to 10) covering the context of the organization, leadership, planning (including risk assessment and risk treatment), support, operation, performance evaluation, and improvement. Annex A lists 114 controls in 14 domains: information security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition/development/maintenance, supplier relationships, incident management, business continuity, and compliance. The 2022 revision reorganizes Annex A into 93 controls under four themes (organizational, people, physical, technological).

Q. Which standard guides on Risk Management?

Ans: Two standards cover risk management: ISO/IEC 27005 (Information technology — Security techniques — Information security risk management), which is specific to information security risk within an ISMS, and ISO 31000 (Risk management — Guidelines), the generic enterprise risk management standard that 27005 aligns with.

Q. What is an Information Security Management System (ISMS)?

Ans: An ISMS is the set of the following items through which an organization systematically protects its information assets against any threat to their confidentiality, integrity or availability (the CIA triad):

  • Policies
  • Procedures
  • Guidelines
  • Associated Resources and Activities

Q. What are the objectives for implementation of ISO 27001?

Ans: Below are the main objectives of implementing ISO 27001:

  • assurance that information assets are protected against threats
  • providing a framework for identifying, assessing and treating risks
  • improving the control environment
  • demonstrating legal, regulatory and contractual compliance

Q. What are the differences between ISO 27001 and GDPR?

Ans:

Subject Area | ISO 27001 | GDPR
Area covered | Confidentiality, integrity and availability of information | Privacy (mainly personal data)
Objective | Helps secure all information assets (not limited to personal data) | Protects the personal data of individuals in the EU
Requirement type | Voluntary standard; certification is a business or contractual choice | Legal obligation (Regulation (EU) 2016/679)
Fine | No monetary penalties; non-compliance costs the certificate or the contract | Administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher

Q. Explain ISMS family of standards.

Ans: The ISO/IEC 27000 family is grouped into vocabulary, requirement, guideline and sector-specific guideline standards:

Vocabulary standard
  • 27000: Information technology — Security techniques — Information security management systems — Overview and vocabulary

Requirement standards
  • 27001: Information security management systems — Requirements
  • 27006: Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
  • 27009: Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements

Guideline standards
  • 27002: Information security, cybersecurity and privacy protection — Information security controls
  • 27003: Information technology — Security techniques — Information security management systems — Guidance
  • 27004: Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
  • 27005: Information technology — Security techniques — Information security risk management
  • 27007: Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing
  • 27008: Information technology — Security techniques — Guidelines for the assessment of information security controls
  • 27013: Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  • 27014: Information security, cybersecurity and privacy protection — Governance of information security
  • 27016: Information technology — Security techniques — Information security management — Organizational economics
  • 27021: Information technology — Security techniques — Competence requirements for information security management systems professionals

Sector-specific guideline standards
  • 27010: Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
  • 27011: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
  • 27017: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • 27018: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • 27019: Information technology — Security techniques — Information security controls for the energy utility industry

Burp Suite Interview Questions & Answers
https://allabouttesting.org/burp-suite-interview-questions-answers/
Published Sun, 06 Mar 2022

Burp Suite is a popular application security toolkit for testing web applications. This post lists Burp Suite interview questions and answers that may come up when you interview for a security engineer job.

Q. List out tools that may be used for web application security.

Ans: Many tools are available. Burp Suite is the most widely used intercepting proxy; OWASP ZAP is its main open-source alternative, and commercial scanners such as Acunetix and HCL AppScan are also used for web application security testing.

Q. Why is Burp Suite so popular among security professionals?

Ans: Burp Suite is popular because it bundles the tools a tester needs around a single intercepting proxy and lets them hand requests to one another. The important features are:

  • an automated web vulnerability scanner (Professional and Enterprise editions)
  • manual testing tools: Proxy, Intruder, Repeater, Sequencer, Comparer, Decoder, Logger, and the BApp extension store

Q. How can you use Repeater in the assessment of web application security?

Ans: Repeater is the tool used most when assessing a web application manually. It lets you modify and resend an individual request as many times as you like and inspect each server response, so you can probe a single parameter (change an ID, remove a token, alter a header) and watch how the application reacts.

To send a request to Repeater, right-click it in the Proxy history (or in any other tool) and choose Send to Repeater.

Q. How can you use Intruder in the assessment of web application security?

Ans: Intruder automates customized attacks against a request: you mark payload positions in the request, choose one or more payload lists, and pick an attack type that decides how the payloads are combined (Sniper fuzzes one position at a time, Battering ram puts the same payload into every position, Pitchfork walks several lists in parallel, and Cluster bomb tries every combination). Typical uses are parameter fuzzing, enumerating identifiers and password guessing; the results table can be sorted by status code, response length or a grep match to spot the responses that differ.
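
The four attack types are easiest to understand by generating the requests they would send. The following is an added example written for this post, not Burp's own code: it uses Burp's section-sign marker for payload positions, and the request template and payload lists are constructed for illustration.

```python
"""Offline model of Burp Intruder's four attack types.

Added example, not Burp's own code: a request template marks each payload
position with a pair of section signs (the marker Burp itself uses), and
the attack type decides how the payload list(s) are combined. The request
template and payload lists below are constructed for illustration.
"""
import itertools
import re
from typing import Iterator, List, Sequence, Tuple

MARKER = "\u00a7"  # section sign; Burp wraps each payload position in a pair of these
POSITION_RE = re.compile(f"{MARKER}(.*?){MARKER}", re.DOTALL)


def split_template(template: str) -> Tuple[List[str], List[str]]:
    """Split a marked request into static text and the base value of each position.

    re.split with one capturing group alternates static text and captured values,
    so there are len(base_values) + 1 static parts.
    """
    parts = POSITION_RE.split(template)
    return parts[0::2], parts[1::2]


def render(static: Sequence[str], values: Sequence[str]) -> str:
    """Reassemble a request from the static parts and one value per position."""
    out = [static[0]]
    for value, tail in zip(values, static[1:]):
        out.append(value)
        out.append(tail)
    return "".join(out)


def sniper(base: Sequence[str], payloads: Sequence[str]) -> Iterator[List[str]]:
    """One payload set; each position is fuzzed in turn while the others keep their base value."""
    for pos in range(len(base)):
        for payload in payloads:
            values = list(base)
            values[pos] = payload
            yield values


def battering_ram(base: Sequence[str], payloads: Sequence[str]) -> Iterator[List[str]]:
    """One payload set; the same payload is placed into every position at once."""
    for payload in payloads:
        yield [payload] * len(base)


def pitchfork(sets: Sequence[Sequence[str]]) -> Iterator[List[str]]:
    """One payload set per position, walked in lockstep (stops at the shortest set)."""
    for combo in zip(*sets):
        yield list(combo)


def cluster_bomb(sets: Sequence[Sequence[str]]) -> Iterator[List[str]]:
    """One payload set per position; every combination is tried (Cartesian product)."""
    for combo in itertools.product(*sets):
        yield list(combo)


def generate(template: str, attack: str, payload_sets: Sequence[Sequence[str]]) -> List[str]:
    """Return every request the given attack type would send for this template."""
    static, base = split_template(template)
    if not base:
        raise ValueError("template has no payload positions")
    if attack in ("sniper", "battering_ram"):
        if len(payload_sets) != 1:
            raise ValueError(f"{attack} takes exactly one payload set")
        values = sniper(base, payload_sets[0]) if attack == "sniper" else battering_ram(base, payload_sets[0])
    elif attack in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) != len(base):
            raise ValueError(f"{attack} needs one payload set per position ({len(base)})")
        values = pitchfork(payload_sets) if attack == "pitchfork" else cluster_bomb(payload_sets)
    else:
        raise ValueError(f"unknown attack type {attack!r}")
    # A real sender must also recompute Content-Length when a body payload changes size.
    return [render(static, v) for v in values]


# Constructed login request with two payload positions: username and password.
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: target.example\r\n\r\n"
            "username=\u00a7admin\u00a7&password=\u00a7letmein\u00a7")
USERNAMES = ["admin", "root", "test"]
PASSWORDS = ["admin", "password"]

if __name__ == "__main__":
    for attack, sets in [("sniper", [USERNAMES]), ("battering_ram", [USERNAMES]),
                         ("pitchfork", [USERNAMES, PASSWORDS]), ("cluster_bomb", [USERNAMES, PASSWORDS])]:
        reqs = generate(TEMPLATE, attack, sets)
        body = reqs[0].rsplit("\r\n\r\n", 1)[1]
        print(f"{attack}: {len(reqs)} requests; first body: {body!r}")
```

With three usernames and two passwords the counts show why Cluster bomb is the one to throttle: Sniper sends 6 requests (3 per position), Battering ram 3, Pitchfork 2 (the shorter list wins), Cluster bomb 6 (3 × 2), and the product grows multiplicatively with every extra position.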

Q. What are the main differences with respect to security features between Burp Suite Community Edition and Burp Suite Professional?

Ans:

Parameter | Burp Suite Community Edition | Burp Suite Professional
Cost | Free | Paid license
Automated vulnerability scanning | Not available | Available
CSRF PoC generator (Engagement tools) | Not available | Available
BApp extensions | Limited (extensions that need Pro features cannot be loaded) | Available
Content discovery | Not available | Available
Save and restore a project | Not available | Available
Burp Intruder | Throttled (requests are deliberately slowed) | Full speed

Q. Have you used BApp extension Autorize?

Ans: Autorize is a BApp extension for finding authorization flaws. You give it a low-privilege session cookie (and optionally test with no cookie at all); it then replays every request you make in your high-privilege session with that cookie swapped in and compares the responses. Each request is marked red (Bypassed: the low-privilege replay received the same response), green (Enforced: the application denied it) or yellow (Is enforced???: the responses differ but the enforcement detector could not decide, so it needs a manual look).
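
The comparison Autorize performs can be reproduced in a few dozen lines, which is a useful way to understand what each colour means. The following is an added example written for this post, not the extension's code; the target application, its endpoints and session cookies are a constructed stand-in so the example runs offline, and the result labels are modelled on Autorize's.

```python
"""Autorize-style authorization testing (added example, not the BApp's code).

Every request recorded from a high-privilege session is replayed twice: with a
low-privilege session cookie and with no cookie at all. A replay whose response
matches the original means the server did not enforce authorization for that
principal. The target application below is a constructed stand-in.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    cookie: Optional[str]  # None means unauthenticated


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed target: session cookie -> role.
SESSIONS = {"sid=ADMIN-1": "admin", "sid=USER-7": "user"}


def fake_server(req: Request) -> Response:
    """Stand-in for the application under test; one admin endpoint lacks its role check."""
    role = SESSIONS.get(req.cookie or "")
    if role is None:
        return Response(401, '{"error":"Unauthorized"}')
    if req.path == "/api/admin/users":        # properly enforced: admin only
        if role != "admin":
            return Response(403, '{"error":"Forbidden"}')
        return Response(200, '[{"id":1,"name":"alice"},{"id":2,"name":"bob"}]')
    if req.path == "/api/admin/export":       # vulnerable: any logged-in user may call it
        return Response(200, "id,name\n1,alice\n2,bob\n")
    if req.path == "/api/me":                 # per-user data; legitimately differs by role
        return Response(200, f'{{"role":"{role}"}}')
    return Response(404, "not found")


BYPASSED, ENFORCED, UNCLEAR = "Bypassed!", "Enforced!", "Is enforced???"


def looks_denied(resp: Response) -> bool:
    """Enforcement detector: what a denial looks like on this target (configured per application)."""
    return resp.status in (401, 403) or "Forbidden" in resp.body or "Unauthorized" in resp.body


def classify(original: Response, replayed: Response, detector: Callable[[Response], bool]) -> str:
    """Decision order: identical status and length -> bypassed; detector match -> enforced;
    anything else differs for an unknown reason and needs a human look."""
    if replayed.status == original.status and len(replayed.body) == len(original.body):
        return BYPASSED
    if detector(replayed):
        return ENFORCED
    return UNCLEAR


def run(recorded: List[Request], low_priv_cookie: str,
        send: Callable[[Request], Response] = fake_server,
        detector: Callable[[Response], bool] = looks_denied) -> List[Dict[str, str]]:
    """Replay each recorded request as the low-privilege user and as an anonymous client."""
    results = []
    for req in recorded:
        original = send(req)
        as_low = send(replace(req, cookie=low_priv_cookie))
        as_anon = send(replace(req, cookie=None))
        results.append({"path": req.path,
                        "low_priv": classify(original, as_low, detector),
                        "unauth": classify(original, as_anon, detector)})
    return results


# Constructed traffic captured while browsing as the admin.
RECORDED = [
    Request("GET", "/api/admin/users", "sid=ADMIN-1"),
    Request("GET", "/api/admin/export", "sid=ADMIN-1"),
    Request("GET", "/api/me", "sid=ADMIN-1"),
]

if __name__ == "__main__":
    for row in run(RECORDED, "sid=USER-7"):
        print(f"{row['path']:<22} low-priv: {row['low_priv']:<16} unauth: {row['unauth']}")
```

The export endpoint comes back red because the low-privilege replay is byte-for-byte the same size as the admin's response; /api/me comes back yellow because the body legitimately differs by role, which is exactly the case where the tool cannot tell a denial from personalized content and the tester has to look.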

Q. Which compliances are supported by the tool Burp Suite?

Ans: Burp Suite's scan findings can be mapped to a range of compliance requirements, from PCI DSS, HIPAA and NIST 800-53 to the OWASP Top 10 and GDPR.

Q. How do you start an automated web application security assessment with Burp Suite?

Ans: In Burp Suite Professional, open the Dashboard tab and click New scan. Enter the target URL(s) to include in scope, choose the scan configuration (crawl and audit, or audit only), and add login credentials or a recorded login sequence if the application requires authentication, so that the scanner can reach the authenticated functionality.

Most Asked Cyber Security Interview Questions & Answers
https://allabouttesting.org/most-asked-cyber-security-interview-questions-answers/
Published Mon, 27 Sep 2021

Cyber security is a much-needed skill in the 21st century. This blog lists out Most Asked Cyber Security Interview Questions & Answers.

Q. What is Cyber security?

Ans: Cyber security is the practice of protecting systems, networks and data against breaches of their Confidentiality, Integrity and Availability (the CIA triad).

Q. What is a Security event?

Ans: A security event is any observable occurrence in a system or network that is relevant to security, whether noticed by an analyst or recorded by a security appliance through log analysis or correlation. Most events are benign: a user logging in to an application, a log being collected, a firewall permitting a connection.

Q. What is a Security Incident?

Ans: A security incident is a security event (or a group of related events) that compromises, or has the potential to compromise, the confidentiality, integrity or availability of an IT system. An example is a series of failed logins with different passwords against the same account within a short time, which indicates a brute-force attack.
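
The step from event to incident is a counting rule over time, which is what a SIEM correlation rule does. Below is an added example written for this post, not code from the original: a sliding-window detector run over constructed authentication log lines (the log format is invented for the example, not a real product's).

```python
"""From security events to a security incident: sliding-window detection of
password brute forcing over authentication log lines.

Added example, not from the original post. The log format and the log lines
are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: every line is a security event; only alice's lines add up to an incident.
# dave fails five times too, but two minutes apart, so he never trips a 60-second window.
SAMPLE_LOG = """\
2023-01-04T10:00:01 auth FAIL user=alice src=203.0.113.5
2023-01-04T10:00:03 auth FAIL user=alice src=203.0.113.5
2023-01-04T10:00:04 auth OK user=bob src=198.51.100.9
2023-01-04T10:00:05 auth FAIL user=alice src=203.0.113.5
2023-01-04T10:00:07 auth FAIL user=alice src=203.0.113.5
2023-01-04T10:00:08 auth FAIL user=carol src=198.51.100.20
2023-01-04T10:00:09 auth FAIL user=alice src=203.0.113.5
2023-01-04T10:00:11 auth FAIL user=alice src=203.0.113.5
2023-01-04T10:00:40 auth OK user=alice src=203.0.113.5
2023-01-04T10:02:00 auth FAIL user=dave src=192.0.2.77
2023-01-04T10:04:00 auth FAIL user=dave src=192.0.2.77
2023-01-04T10:06:00 auth FAIL user=dave src=192.0.2.77
2023-01-04T10:08:00 auth FAIL user=dave src=192.0.2.77
2023-01-04T10:10:00 auth FAIL user=dave src=192.0.2.77
this line is not an auth record and is skipped
"""


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> List[Dict]:
    """Raise one 'bruteforce' alert per user whose failures inside the window reach the
    threshold, and a 'success_after_bruteforce' alert if a login then succeeds while those
    failures are still within the window (the event that turns noise into a likely compromise)."""
    window = timedelta(seconds=window_seconds)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: set = set()
    alerts: List[Dict] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed line: still an event, just not one we count
        ts = datetime.fromisoformat(m["ts"])
        user, src, result = m["user"], m["src"], m["result"]
        recent = failures[user]
        while recent and ts - recent[0] > window:  # drop failures that fell out of the window
            recent.popleft()
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append({"kind": "bruteforce", "user": user, "src": src,
                               "count": len(recent), "at": ts.isoformat()})
        elif len(recent) >= threshold:
            alerts.append({"kind": "success_after_bruteforce", "user": user, "src": src,
                           "count": len(recent), "at": ts.isoformat()})
            recent.clear()  # the attempt is over; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults the detector produces two alerts, both for alice: the brute-force alert at the fifth failure and an escalated alert when the following login succeeds. Widening the window to five minutes and lowering the threshold to three also catches dave, which is the tuning trade-off an analyst makes between missed slow attacks and false positives.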

Q. What are the differences between compliance and security?

Ans:

Security | Compliance
Goes into technical depth to find real issues in the IT system | Works through a checklist until the auditor is satisfied
Protects the IT system according to the CIA triad | Verifies that controls exist against a specific checklist
Covers physical controls of the IT system as a whole | Covers physical controls only if the checklist mentions them
Done to secure the IT system | Generally done to satisfy a third party (customer, regulator, auditor)
Continuous process that never ends | Finishes when the third-party auditor is satisfied
Examples: application security, VA/PT | Examples: ISO 27001, SOC 2, PCI DSS, HIPAA

Q. What is Privacy?

Ans: Privacy is an individual's right to control how their personal information is collected, used, stored and shared by organizations; security is one of the means by which that privacy is protected.

Q. What are security operational controls?

Ans: Operational controls are the day-to-day security activities carried out by people and processes, as opposed to controls built into a design. Examples:

  • training schedule
  • firewall configuration
  • server configuration
  • backup configuration

Q. List out OWASP’s Top 10 vulnerabilities.

Ans: OWASP (the Open Web Application Security Project) is a non-profit foundation that improves software security through freely available guidance and tools, the best known of which is its list of the ten most critical web application security risks. Below is the OWASP Top 10 – 2017. The 2021 edition, released in September 2021, reorders the list and adds Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery:

A1:2017 – Injection
A2:2017 – Broken Authentication
A3:2017 – Sensitive Data Exposure
A4:2017 – XML External Entities (XXE)
A5:2017 – Broken Access Control
A6:2017 – Security Misconfiguration
A7:2017 – Cross-Site Scripting (XSS)
A8:2017 – Insecure Deserialization
A9:2017 – Using Components with Known Vulnerabilities
A10:2017 – Insufficient Logging and Monitoring

Q. What is encryption?

Ans: Encryption is the process of transforming readable data (plaintext) into unreadable data (ciphertext) with an algorithm and a key, so that only someone holding the corresponding key can recover it. It protects the confidentiality of information even when an attacker obtains the encrypted data, provided the key stays secret.

Q. What is GDPR?

Ans: GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679), the European Union's data protection law, in force since 25 May 2018. It governs how the personal data of individuals in the EU may be collected and processed, wherever the processing organization is located, and provides for administrative fines of up to €20 million or 4% of global annual turnover for non-compliance.

Q. What is NIST?

Ans: NIST is the National Institute of Standards and Technology, an agency of the US Department of Commerce. Its Information Technology Laboratory publishes the FIPS standards and the Special Publication 800 series on computer security, covering cryptography (e.g. FIPS 140-3, SP 800-57), authentication (SP 800-63), security and privacy controls (SP 800-53) and risk management, as well as the NIST Cybersecurity Framework.

Q. What is Threat Model?

Ans: Threat modeling is a structured process for identifying and prioritizing the potential threats to a system before or while it is built. It includes identifying the critical assets and trust boundaries, enumerating possible threats and the attacks that realize them, rating their risk, and deciding on mitigations and remediation.

Top Kubernetes Security Interview Questions
https://allabouttesting.org/top-kubernetes-security-interview-questions/
Published Mon, 22 Mar 2021

Kubernetes security is a much-needed and scarce skill in the industry today, and interviewers are increasingly keen to hire people who have it. Large organizations such as Google, Niantic (Pokémon Go) and SAP run Kubernetes in their IT infrastructure.

Below is the list of Top Kubernetes Security Interview Questions that may be asked in interviews.

Q. What is Kubernetes?

Ans: Kubernetes is an open-source container orchestration platform that automates the deployment, scaling and operation of containerized applications across a cluster of machines.

Q. Which product is similar to Kubernetes?

Ans: Docker Swarm is the closest comparable product. Both are orchestrators: they schedule containers across many hosts and handle deployment, scaling and service discovery for them.

Q. Are containers inherently secure? Yes or No.

Ans: No, not inherently. Containers share the host kernel, so their isolation is only as strong as their configuration. A container running as root with all capabilities and a writable filesystem offers little protection if the application inside it is compromised, whereas a container that runs as a non-root user with capabilities dropped, a read-only root filesystem and a network policy is reasonably well contained.

Q. How to secure Kubernetes Dashboard?

Ans: The Kubernetes Dashboard is the web UI for managing the cluster and its applications. Some ways to secure it:

  • Do not expose the dashboard to the internet; reach it over kubectl proxy or a VPN from the internal network
  • Grant the dashboard's own service account only the privileges it needs (never bind it to cluster-admin)
  • Turn on Role-based access control (RBAC) and use token-based login so each user acts with their own permissions
  • Grant dashboard users access on the principle of least privilege

Q. Where are containers deployed most?

Ans: In decreasing order of prevalence:

  • Public Cloud
  • Private Cloud
  • Hybrid Cloud
  • Others

Q. List out differences between Kubernetes and Docker Swarm.

Ans: Kubernetes and Docker Swarm are both container orchestrators. Below are the differences between them:

Kubernetes | Docker Swarm
Installation is more involved | Installation is easy (built into Docker Engine)
Web GUI available (Kubernetes Dashboard) | No built-in GUI
Horizontal autoscaling built in | No autoscaling
Basic logging (kubectl logs) and a metrics pipeline (metrics-server) available | Relies on Docker logging drivers and third-party monitoring tools
Rolling updates with automatic rollback on failed health checks | Rolling updates; rollback via docker service rollback
Mature and very widely adopted | Less widely adopted
Highly scalable, with more scheduling overhead than Swarm | Highly scalable and fast for small clusters

Q. Mention methods/requirements for securing containers.

Ans: Below are some methods/requirements for securing containers:

  • Use hardened golden images on container hosts, enforced by security policies and guidelines, and apply updates and patches consistently and securely.
  • Implement Role-Based Access Control (RBAC) on the principle of least privilege. Create a dedicated service account per application on a need basis instead of sharing the default one.
  • Encrypt data in transit within and between clusters. Use certificates from a trusted root for external interfaces (e.g. the API server) and, if possible, automate issuance and renewal.
  • Scan images at rest (in the registry) and workloads at runtime, and integrate the scanners into the CI/CD pipeline.
  • Monitor the security posture of the platform continuously and regularly audit network traffic and the security and performance logs.
  • Implement network segmentation and access control: use a CNI plugin that enforces NetworkPolicy to control ingress and egress between namespaces and clusters, and consider protocol-specific policies for applications.
  • Implement effective secret management: encrypt Secrets at rest in etcd or use an external secret store, and restrict who can read them.

Q. What are the components of the control plane?

Ans: Components of the control plane are used to make decisions about the cluster and its events. Following are the components of the control plane:

  • kube-apiserver
  • etcd
  • kube-scheduler
  • kube-controller-manager
  • cloud-controller-manager

Q. What are the components of a node?

Ans: Node components run on every node; they keep pods running and provide the Kubernetes runtime environment. They are:

  • kubelet
  • kube-proxy
  • container runtime

Q. List out methods to secure Kubernetes hosts.

Ans: The methods are the same as for securing traditional hosts in a data center:

  • Always update the OS with the latest patches
  • Use the CIS Kubernetes and OS benchmarks to harden the host
  • Implement host firewall rules so that only the required ports (kubelet, API server, etc.) are reachable
  • Implement the usual physical and environmental security measures

Q. List out methods to secure Kubernetes components.

Ans: Methods for securing Kubernetes components:

  • Minimize or eliminate direct access to Kubernetes nodes (SSH). Use kubectl exec to reach a container when needed, which avoids handing out host access.
  • Allow only authenticated and authorized personnel to reach the Kubernetes API, and disable anonymous access.
  • Use TLS for all API communication, including between control-plane components and the kubelet.
  • Implement role-based access control (RBAC) for API authorization.
  • Do not expose the dashboard on the internet.
  • Restrict access to the kubelet: disable anonymous kubelet authentication and delegate authorization to the API server (--anonymous-auth=false, --authorization-mode=Webhook).
  • etcd stores sensitive information such as Secrets. Restrict network access to etcd to the API server, require client certificates, and enable encryption of Secrets at rest.
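
Most of the points in the two lists above (the container hardening list and this component list) can be checked mechanically against the manifests before they reach the cluster. The following is an added example written for this post, not code from the original or from any Kubernetes project: it audits Pod specs and RBAC objects represented as the dicts yaml.safe_load would return, so it runs without PyYAML, and the sample manifests are constructed, including the classic dashboard mistake of binding cluster-admin to a default service account.

```python
"""Audit Kubernetes manifests for the hardening points in the container and
component lists above (least-privilege pods, pinned images, RBAC hygiene).

Added example, not part of the original post or of any Kubernetes project code.
Manifests are written as the dicts yaml.safe_load would return; the samples are constructed.
"""
from typing import Dict, List

HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}


def image_is_pinned(image: str) -> bool:
    """A digest always pins; a tag pins unless it is latest; no tag means latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry[:port]/repo so its colon is not taken for a tag
    return ":" in last and not last.endswith(":latest")


def audit_pod(pod: Dict) -> List[str]:
    """One finding per hardening gap in a Pod (or a workload's pod template)."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    shared = [ns for ns in HOST_NAMESPACES if spec.get(ns)]
    if shared:
        findings.append(f"{name}: shares host namespaces {shared}")
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token auto-mounted")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{cname}: image {c.get('image')!r} not pinned by digest or fixed tag")
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not set to false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{cname}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem writable")
        if "ALL" not in {x.upper() for x in sc.get("capabilities", {}).get("drop", [])}:
            findings.append(f"{cname}: capabilities not dropped (drop: [ALL])")
    return findings


def audit_rbac(objects: List[Dict]) -> List[str]:
    """Flag wildcard rules, Secret readers, and bindings that hand power to broad or default subjects."""
    findings: List[str] = []
    for obj in objects:
        kind = obj.get("kind")
        name = f"{kind}/{obj.get('metadata', {}).get('name', '<unnamed>')}"
        if kind in ("Role", "ClusterRole"):
            for rule in obj.get("rules", []):
                verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
                if "*" in verbs and "*" in resources:
                    findings.append(f"{name}: wildcard verbs on wildcard resources")
                if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
                    findings.append(f"{name}: can read Secrets")
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            role = obj.get("roleRef", {}).get("name")
            for s in obj.get("subjects", []):
                who = f"{s.get('kind')} {s.get('name')}"
                if role == "cluster-admin":
                    findings.append(f"{name}: grants cluster-admin to {who}")
                if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
                    findings.append(f"{name}: binds {role} to broad group {s['name']}")
                if s.get("kind") == "ServiceAccount" and s.get("name") == "default":
                    findings.append(f"{name}: binds {role} to the default service account")
    return findings


# Constructed manifests: a pod the way many first deployments look, a hardened pod,
# and RBAC objects including the dashboard mistake of cluster-admin on a default service account.
BAD_POD = {"kind": "Pod", "metadata": {"name": "legacy-app"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "registry.example.com/legacy:latest",
                    "securityContext": {"privileged": True}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}
GOOD_POD = {"kind": "Pod", "metadata": {"name": "hardened-app"}, "spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "registry.example.com/app@sha256:" + "ab" * 32,
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
RBAC_OBJECTS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-admin"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-view"}, "roleRef": {"name": "view"},
     "subjects": [{"kind": "Group", "name": "dev-team"}]},
]

if __name__ == "__main__":
    for finding in audit_pod(BAD_POD) + audit_pod(GOOD_POD) + audit_rbac(RBAC_OBJECTS):
        print(finding)
```

The same checks are what an admission controller (Pod Security Admission, or a policy engine such as Kyverno or OPA Gatekeeper) would enforce at deploy time; running them in CI catches the problems before a manifest is ever applied.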

Top 10 Firmware Security Vulnerabilities
https://allabouttesting.org/top-10-firmware-security-vulnerabilities/
Published Sat, 05 Dec 2020

Firmware is now a core component of everything, from large servers to small IoT devices, yet its security is generally neglected by developers. Partly this is a lack of expertise in firmware security, and partly security researchers have been more interested in finding web and other technology vulnerabilities.

Currently, many tools are available to analyze firmware security, such as Firmware Modification Kit, Angr binary analysis framework, Binwalk, ByteSweep, Binary Analysis Tool, Firmadyne, Firmwalker, Firmware Analysis Comparison Toolkit, etc.

This article lists the top 10 firmware security vulnerabilities found in IT devices.

(1) Unsupported core components

Updating and patching IT devices mitigates known vulnerabilities, but a firmware update may drop support for a core component, which can hurt reliability and stability or even cause data loss. Test every update in a staging environment before installing it in production, roll back if a component is no longer supported, and report the problem to the manufacturer.

(2) Sensitive URL disclosure

Sensitive URLs (update servers, cloud back-ends, debug or management endpoints) are sometimes hard-coded in the firmware. Anyone who extracts the firmware can read them, and if those endpoints are weakly protected they leak data or give an attacker a path into the device.

(3) Backdoor accounts

This vulnerability usually results from developer convenience. A backdoor account lets an administrator who has forgotten the password get back in with super-admin rights, but once the account becomes known to attackers every device shipping it is compromised. IT devices should not have any backdoor account that acts as a superuser; if a recovery mechanism is required, it should have proper authentication and a complete audit trail.

(4) Out-of-date core components

As time passes, security researchers find vulnerabilities in the IT devices on the market and manufacturers release patches for them. If the patches are not installed, those vulnerabilities can be exploited. Always apply the patches the manufacturer releases for IT devices.


(5) Hardcoded or easy to guess credentials

This vulnerability is easy to mitigate but devastating when found by attackers. Administrators tend to leave default or easily guessable credentials in place for convenience, and if an attacker finds them the device is fully compromised. Worse, credentials stored in the firmware code compromise every device that ships that firmware at once. Never store passwords or password hashes in code: generate unique credentials per device and force a password change on first use.

(6) Sensitive information disclosure

This vulnerability again raises a significant risk to the whole ecosystem. Sensitive information left in firmware may include social security numbers, private user information, keys, or internal network details.

(7) Admin web interface concerns

All web application vulnerabilities apply to the device's administrative web interface. Run a web vulnerability scanner against it to identify the common set of issues, and check whether the device exposes vulnerable or unnecessary services (web, SSH, Telnet, TFTP, etc.).

(8) Expired and/or self-signed certificates

Expired or self-signed certificates raise a significant risk for IT devices. A client cannot distinguish a self-signed certificate from one presented by an attacker, so once an attacker has access to the network they can spoof the device's identity and intercept the traffic. When clients accept an expired certificate, they have effectively disabled SSL/TLS validation, and an attacker may intercept the traffic and extract sensitive information.


(9) Same certificate used on multiple devices

Using the same certificate on multiple devices raises a significant risk. If the private key of one device is extracted, every device sharing it is at risk. Issue a different certificate and key pair to each device.

(10) Encryption key exposure

Cryptographic mechanisms are responsible for the confidentiality and integrity of IT devices, but if encryption keys are exposed in any way (in the firmware image, in logs, or through a debug interface), the whole scheme is broken.

Conclusion

Firmware security is one of the critical aspects of the security of IT devices. It is recommended to follow best practices released by manufacturers and different security communities while configuring IT devices.

Most Asked API Security Interview Questions & Answers
https://allabouttesting.org/most-asked-api-security-interview-questions-answers/
Published Tue, 17 Nov 2020

In this blog, we will list out Most Asked API Security Interview Questions & Answers.

Q1. List out Critical API Security Risks.

Ans: I am listing out the ten most critical security risks as mentioned in OWASP API Security Top 10 2019:

  1. Broken Object Level Authorization
  2. Broken User Authentication
  3. Excessive Data Exposure
  4. Lack of Resources & Rate Limiting
  5. Broken Function Level Authorization
  6. Mass Assignment
  7. Security Misconfiguration
  8. Injection
  9. Improper Assets Management
  10. Insufficient Logging & Monitoring

Q2. What types of security issues come under the category of Injection?

Ans: All the injection flaws known from the web, such as SQL, NoSQL, LDAP and OS command injection, apply to APIs as well. Untrusted data (parameters, headers, body fields) reaches an interpreter unescaped, so an attacker can trick it into executing unintended commands or returning unauthorized data.

Q3. What are the methods available to prevent Injection flaws of API?

Ans: Below is the list of methods available to mitigate the risk of injection flaws while implementing an API:

  • Validate all incoming data with a single, trusted library and accept only the permissible type and pattern for each parameter
  • Prefer safe APIs that offer a parameterized interface (prepared statements, ORM query builders)
  • Escape special characters using the syntax of the target interpreter wherever user data must be passed to it
  • Limit the number of records a query can return, so that a successful injection cannot dump the whole data set

Q4. What types of security issues come under the category of Broken User Authentication?

Ans: Incorrectly or insecurely implemented authentication mechanisms come under the category of Broken User Authentication. Examples are allowing weak passwords, accepting unsigned or weakly signed JWTs, using weak signing or encryption keys, having no protection against credential stuffing or brute force, and carrying auth tokens or passwords in the URL.


Q5. What is Mass Assignment security risk?

Ans: Mass assignment happens when an API binds client-supplied input (usually JSON fields) directly onto internal object properties without filtering. An attacker adds properties the normal client never sends and so edits details the system should not let them touch. For example, an e-commerce API that lets a customer update their delivery address may also, if it binds the whole request body, let the customer set the wallet balance field that only an administrator should be able to change.

Q6. List out mitigation techniques of Mass Assignment.

Ans: Mitigation techniques include: bind only an explicit allow-list of properties the client is permitted to update and reject or ignore everything else; where the framework supports it, use its built-in feature to mark sensitive properties as blocked; and apply least privilege so that a user can edit only those fields the administrator has approved for their role. Avoid functions that automatically bind client input to internal objects.
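
The difference between the vulnerable binding and the allow-list fix fits in one file. The following is an added example written for this post, not from the original: the user record, the request bodies and the PUT handler are constructed to follow the e-commerce scenario above (a customer may change their address, only the server may change the wallet balance).

```python
"""Mass assignment: the vulnerable binding beside the allow-list fix.

Added example, not from the original post. The user record, request bodies and
the PUT /api/users/{id} handler are constructed for the e-commerce scenario.
"""
import json
from dataclasses import asdict, dataclass, fields, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class User:
    id: int
    email: str
    address: str
    wallet_balance: float
    is_admin: bool


# Fields a customer may set on their own profile. Everything else is server-managed.
CUSTOMER_EDITABLE = frozenset({"email", "address"})
FIELD_TYPES = {f.name: f.type for f in fields(User)}


def update_vulnerable(user: User, body: str) -> User:
    """Binds every JSON key that matches a column, the way a naive ORM update or a
    `for k, v in data.items(): setattr(user, k, v)` loop does."""
    patch = {k: v for k, v in json.loads(body).items() if k in FIELD_TYPES}
    return replace(user, **patch)


def update_safe(user: User, body: str) -> User:
    """Allow-list binding: unknown or privileged keys are rejected, and each accepted
    value is type-checked before it is written."""
    patch = json.loads(body)
    if not isinstance(patch, dict):
        raise ValueError("body must be a JSON object")
    forbidden = set(patch) - CUSTOMER_EDITABLE
    if forbidden:
        # Rejecting (rather than silently dropping) makes tampering visible in the logs.
        raise PermissionError(f"fields not permitted: {sorted(forbidden)}")
    for key, value in patch.items():
        if not isinstance(value, FIELD_TYPES[key]):
            raise ValueError(f"{key}: expected {FIELD_TYPES[key].__name__}")
    return replace(user, **patch)


def handle_put(user: User, body: str, hardened: bool) -> Tuple[int, Dict]:
    """HTTP-shaped wrapper so the two variants are comparable: (status, response payload)."""
    try:
        updated = update_safe(user, body) if hardened else update_vulnerable(user, body)
    except PermissionError as exc:
        return 403, {"error": str(exc)}
    except (ValueError, TypeError, AttributeError) as exc:  # JSONDecodeError is a ValueError
        return 400, {"error": str(exc)}
    return 200, asdict(updated)


# Constructed customer and request bodies.
CUSTOMER = User(id=42, email="alice@example.com", address="1 Old St", wallet_balance=10.0, is_admin=False)
BENIGN = json.dumps({"address": "2 New Ave"})
MALICIOUS = json.dumps({"address": "2 New Ave", "wallet_balance": 999999.0, "is_admin": True})

if __name__ == "__main__":
    print("vulnerable:", handle_put(CUSTOMER, MALICIOUS, hardened=False))
    print("hardened:  ", handle_put(CUSTOMER, MALICIOUS, hardened=True))
    print("benign:    ", handle_put(CUSTOMER, BENIGN, hardened=True))
```

The vulnerable handler returns 200 with the wallet topped up and the admin flag set; the hardened one returns 403 for the same body and 200 for the benign one. In a real service the allow-list is normally expressed as a request schema (a Pydantic model, a serializer with explicit fields, a JSON Schema) rather than a hand-written set.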

Q7. What type of security issues comes under security misconfigurations?

Ans: This issue is similar to web application security. I am listing out possible security issues that come under the category of security misconfigurations.

  • Non-implementation of Transport Layer Security (TLS)
  • Missing security headers
  • Missing Cross-Origin Resource Sharing (CORS) policy
  • Missing latest security patches
  • Errors providing excessive information
  • lack of security hardening

Q8. List out security issues related to Insufficient Logging & Monitoring.

Ans:

  • Log integrity is not protected, so an attacker can alter or delete logs
  • Monitoring of logs not happening periodically
  • Logs are not available
  • API-related infrastructure not monitored


Q9. What is Improper Assets Management?

Ans: This category addresses not knowing which APIs you actually run: old API versions left online and unpatched, undocumented or shadow endpoints, and debug or staging hosts exposed with access to the same data as production.

Q10. How can we mitigate the risks of Insufficient Logging & Monitoring?

Ans: The following security events should be logged and the following practices followed:

  • Log all failed authentication attempts, denied access and input validation errors.
  • Write logs in a consistent format that a log management system can consume, with enough detail to identify the actor and the request.
  • Ship logs to a central log server.
  • Back up logs periodically.
  • Handle logs as sensitive data and protect their integrity.
  • Monitor the infrastructure, the network and the API functionality, and alert on suspicious activity.

Q11. What tools are required to test the security of web API?

Ans: Postman and Fiddler are commonly used to craft, replay and inspect API requests when checking for vulnerabilities; Burp Suite and OWASP ZAP are also used as intercepting proxies for the same purpose.

IoT Security Interview Questions & Answers
https://allabouttesting.org/iot-security-interview-questions-answers/
Published Tue, 10 Nov 2020

This post lists some interview questions on the security of the Internet of Things (IoT). Many standards and guides are now available for assessing and testing IoT devices.

Q. List out the OWASP IoT Top 10 (2018) vulnerabilities.

Ans: Below is the OWASP IoT Top 10 list:

  1. Weak, Guessable, or Hardcoded Passwords
  2. Insecure Network Services
  3. Insecure Ecosystem Interfaces
  4. Lack of Secure Update Mechanism
  5. Use of Insecure or Outdated Components
  6. Insufficient Privacy Protection
  7. Insecure Data Transfer and Storage
  8. Lack of Device Management
  9. Insecure Default Settings
  10. Lack of Physical Hardening

Q. How do you test for the most prevalent vulnerability, weak, guessable or hardcoded passwords?

Ans: While configuring IoT devices, administrators and users tend to leave the default or an easily guessable password in place for convenience, and many IoT devices also ship with backdoor accounts that grant root access. Most attacks on IoT devices succeed because the default password was never changed.

To test: try the vendor's documented default credentials and common default-password lists against every exposed service (web UI, SSH, Telnet); extract the firmware and look for hard-coded credentials in /etc/passwd, /etc/shadow, scripts and binaries; and check whether an account lockout or rate limit exists, because without one an attacker can simply brute force the password.

Q. What types of issues come under Insecure Ecosystem Interfaces?

Ans: Any vulnerable web interface, mobile, cloud interface, or API may be a component of insecure ecosystem interfaces. Below is the list of issues that may be found under this category:

  • Authentication issue while accessing sensitive data
  • Server certificates not validated by the device
  • Security updates not installed
  • Leaking API keys

Q. What are the possible test cases of the secure update mechanism of IoT devices?

Ans: I am listing out possible test cases to test the update mechanisms of IoT devices:

  • Check that the device validates the firmware (signature and integrity) before installing it
  • Check that a mechanism prevents rollback to a previous, vulnerable version
  • Check whether the firmware is delivered over an encrypted and authenticated channel
  • Check for vulnerabilities in the updated firmware and for notification of security-relevant changes
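
The first two test cases above correspond to checks the device itself must make before flashing. The following is an added example written for this post, not from the original or from any vendor SDK: it verifies a signed update manifest, refuses downgrades below a stored floor, and checks the image hash, in that order. To stay self-contained it authenticates the manifest with HMAC-SHA256 under a key assumed to be provisioned into the device; a real product verifies an asymmetric signature (Ed25519, RSA-PSS) with only the vendor's public key on the device, so that dumping one device never yields a signing key. The device state, key and images are constructed.

```python
"""Secure-update checks a device should make before flashing: authenticate the
manifest, refuse downgrades, verify the image hash.

Added example, not from the original post or any vendor SDK. The manifest MAC is a
stand-in for an asymmetric signature; everything below is constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Tuple


@dataclass(frozen=True)
class DeviceState:
    model: str
    installed_version: int
    rollback_floor: int  # lowest version the device will accept; kept in protected storage


def sign_manifest(manifest: dict, key: bytes) -> Tuple[bytes, bytes]:
    """Vendor side: canonical JSON bytes plus their MAC (stand-in for a signature)."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


def check_update(state: DeviceState, manifest_bytes: bytes, tag: bytes,
                 image: bytes, key: bytes) -> Tuple[bool, str]:
    """Device side. Returns (accepted, reason). Order matters: nothing in the
    manifest is trusted, not even parsed, until its authenticity is proven."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "manifest signature invalid"
    try:
        m = json.loads(manifest_bytes)
        model, version = m["model"], int(m["version"])
        size, digest = int(m["size"]), str(m["sha256"])
    except (KeyError, ValueError, TypeError) as exc:
        return False, f"manifest malformed: {exc}"
    if model != state.model:
        return False, f"manifest is for model {model!r}"
    if version <= state.installed_version or version < state.rollback_floor:
        return False, f"version {version} is not newer than {state.installed_version} (floor {state.rollback_floor})"
    if len(image) != size:
        return False, "image size mismatch"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), digest):
        return False, "image hash mismatch"
    return True, "ok"


def apply_update(state: DeviceState, manifest_bytes: bytes, tag: bytes,
                 image: bytes, key: bytes) -> Tuple[DeviceState, str]:
    """Install only after every check passes, and raise the anti-rollback floor with it."""
    ok, reason = check_update(state, manifest_bytes, tag, image, key)
    if not ok:
        return state, reason
    version = int(json.loads(manifest_bytes)["version"])
    # Raising the floor together with the install means an attacker cannot later
    # reflash an older, vulnerable image even with a validly signed old manifest.
    return replace(state, installed_version=version, rollback_floor=version), "installed"


# Constructed device, provisioned key and images.
DEVICE_KEY = b"constructed-provisioned-key-not-a-real-secret"
DEVICE = DeviceState(model="cam-200", installed_version=7, rollback_floor=7)
GOOD_IMAGE = b"\x7fELF constructed firmware image v8 " * 4
OLD_IMAGE = b"\x7fELF constructed firmware image v6 " * 4


def make_release(version: int, image: bytes, model: str = "cam-200",
                 key: bytes = DEVICE_KEY) -> Tuple[bytes, bytes]:
    """Vendor side: build and sign the manifest for an image (helper for the demo)."""
    manifest = {"model": model, "version": version, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    return sign_manifest(manifest, key)


if __name__ == "__main__":
    print("genuine v8:", check_update(DEVICE, *make_release(8, GOOD_IMAGE), GOOD_IMAGE, DEVICE_KEY))
    print("rollback v6:", check_update(DEVICE, *make_release(6, OLD_IMAGE), OLD_IMAGE, DEVICE_KEY))
    print("swapped image:", check_update(DEVICE, *make_release(8, GOOD_IMAGE), OLD_IMAGE, DEVICE_KEY))
    print("forged manifest:", check_update(DEVICE, *make_release(8, GOOD_IMAGE, key=b"wrong"), GOOD_IMAGE, DEVICE_KEY))
```

Each rejected case maps to one of the test cases in the list: the forged manifest exercises firmware validation, the v6 release exercises the rollback check, and the swapped image exercises integrity of the delivered payload independently of the manifest.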

Q. What are the possible attacks on IoT devices?

Ans: I am listing out possible attacks on IoT devices:

Physical attacks: These attacks require first defeating the physical security of the device. The attacker can tamper with the hardware, pull components, and extract data and code from flash memory or through debug ports (JTAG, UART).

Network attacks: Distributed Denial of Service (DDoS) is one type of network attack; it exhausts the resources of the IoT device, or uses compromised devices to flood other targets. Man-in-the-middle attacks on unencrypted device traffic are another.

Cloning: The attacker clones the IoT device, for example through RFID attacks made possible by poor authentication, and substitutes the clone for the genuine device.

Encryption attacks: The attacker uses side-channel attacks (power analysis, timing) to extract the keys of cryptographic algorithms.

Q. What are the activities involved in the security testing of IoT products?

Ans: List of activities involved in the security testing of IoT products:

  • Threat modeling of the IoT product
  • Firmware security
  • Review of the encryption used in the IoT product
  • Code review
  • Privacy review
  • Protocol fuzzing
  • Network traffic analysis
  • API testing
  • Penetration testing

Q. List out some tools used for IoT security.

Ans: Tools used for IoT security, grouped by purpose:

  • Wired and wireless testing: Multimeter, Wireshark, Flash Dumper, network bridging, Ubertooth, split-port adapters, BLE Sniffer, HackRF, JTAGulator
  • Firmware testing: Binwalk, IDA Pro, Binary Ninja, firmware emulators (QEMU)
  • Network-related vulnerabilities: Wireshark, Bettercap, tshark
  • Network and web application testing: Nmap, Masscan, Nessus, Metasploit, IBM AppScan, Netsparker, Burp Suite, ZAP Proxy, SQLMap

Q. Is API testing required in the testing of IoT devices?

Ans: APIs, short for Application Programming Interfaces, are used to connect different IoT devices with each other. Like any other technology, APIs have vulnerabilities of their own. Hence, if APIs are used in the IoT ecosystem, a security assessment of them is very much required.

As per OWASP, below is the list of API Security Top 10 vulnerabilities:

  • Broken Object Level Authorization
  • Broken User Authentication
  • Excessive Data Exposure
  • Lack of Resources & Rate Limiting
  • Broken Function Level Authorization
  • Mass Assignment
  • Security Misconfiguration
  • Injection
  • Improper Assets Management
  • Insufficient Logging & Monitoring

Most Asked Nmap Interview Questions Asked by Big Companies [Updated 2023]
https://allabouttesting.org/most-asked-nmap-interview-questions-asked-by-big-companies/?utm_source=rss&utm_medium=rss&utm_campaign=most-asked-nmap-interview-questions-asked-by-big-companies (Thu, 07 May 2020)

Nmap is the most popular port scanning tool in the cybersecurity community. Nearly every security professional has used this tool at least once. It is a prerequisite for any cybersecurity job, especially vulnerability assessment and penetration testing roles. Masscan is another tool that can be used as an alternative to Nmap.

Here we have discussed the Nmap interview questions asked by cybersecurity experts in interviews. Big companies ask these Nmap questions to check a candidate's basic understanding of Nmap. A separate post on this site compares Nmap and Nessus, as both are used for vulnerability scanning.

Q1. Write a ping scan command in Nmap.

Ans: 

$nmap -sn <target>

Q2. Write a Nmap command to scan targets from a file.

Ans:

$nmap -iL <target-file>

<target-file> is a file containing the list of target IP addresses or ranges, for example:

$cat <target-file> 
   192.168.1.1 
   192.168.1.10-100

Q3. How to write Nmap commands for specific ports and services?

Ans:

#Scan ports 80 and 443
$nmap -p80,443 <target>

#Scan ports 1 to 1000
$nmap -p1-1000 <target>

#Scan all 65535 ports
$nmap -p- <target>

#Scan by service name
$nmap -p snmp <target>

#Using a wildcard on the service name (quoted so the shell does not expand it)
$nmap -p 'snmp*' <target>

Q4. How to scan a target using default scripts?

Ans:

$nmap -sC <target>

The -sC option runs the default NSE scripts against the target.

Q5. How to scan a target using a TCP SYN scan? List out advantages for the same.

Ans:

$nmap -sS -p1-100 <target>

Advantages of the TCP SYN scan: it is fast, and it is harder for the target to detect because the TCP handshake is never completed.

Q6. How can you contribute to the Nmap community?

Ans: You can submit new service signatures and OS fingerprints at https://nmap.org/cgi-bin/submit.cgi?

Q7. How to scan a target from a specific interface?

Ans: Although Nmap selects the interface automatically, you can force it to use a specific interface with the command below.

#nmap -e <interface> <target>


Q8. How to scan a target using a UDP scan? List out advantages for the same.

Ans:

$nmap -sU -sS --host-timeout <time> -p1-100 <target>

The --host-timeout <time> option (for example 30m) makes Nmap give up on a host that takes longer than the given time, so slow hosts are skipped. UDP scans are slow because open UDP ports usually do not answer, so the timeout keeps the scan bounded.

Q9. How to write an Nmap command to scan a target for service detection?

Ans:

$ nmap -sV <target>

Q10. How to exclude specific IPs from an IP range or a whole subnet?

Ans:

$nmap --exclude-file <target-file> 192.168.1.1/16

Q11. Write nmap query for OS detection.

Ans:

$ nmap -O <target>

$nmap -O --osscan-guess <target> 

$nmap -O --osscan-limit <target>

$nmap -O -v <target>

The -v option enables verbose output.

The --osscan-guess option makes Nmap guess the OS more aggressively when it finds no perfect match.

The --osscan-limit option restricts OS detection to hosts that meet the ideal condition (at least one open and one closed TCP port).


Q12. How to write an Nmap command to scan the target for version detection?

Ans:

$nmap -sV --version-intensity [0-9] <target>

0 indicates low intensity and 9 indicates high intensity.

Q13. Explain the Aggressive Detection command in Nmap.

Ans: The Aggressive Detection command enables OS detection (-O), script scanning (-sC), version detection (-sV), and traceroute (--traceroute).

$nmap -A <target>

Q14. How do you update the Nmap script database on your local computer?

Ans: 

$nmap --script-updatedb

Q15. Write the Nmap script for the ping scan using UDP.

Ans:

$nmap -sn -PU scanme.nmap.org

Q16. How to write an Nmap command to spoof the MAC address of the scanning host?

Ans:

$ nmap -sn -PR --spoof-mac <mac address> <target>

Q17. Write the Nmap command to scan the IPv6 target.

Ans: 

$ nmap -6 -O <target>
$ nmap -6 -sT <target>

Q18. Write a Nmap command to extract whois information.

Ans:

$nmap -sn --script "whois-*" <target>

Q19. Write a command to print a summary while sending and receiving every packet.

Ans: This command is useful in understanding how Nmap works.

#nmap --packet-trace -n -sn <target>

Q20. List out command options of Nmap for Firewall/IDS Evasion and Spoofing.

Ans:

Nmap option                                          Description
--ttl <value>                                        Set the IP time-to-live field
-S <target>                                          Spoof the source address
-D <decoy1>[,<decoy2>][,ME][,...]                    Decoy hosts; also used in the initial host discovery scan
--randomize-hosts                                    Randomize the target host order
--spoof-mac <MAC address, prefix, or vendor name>    Spoof the MAC address
--data <hex string>                                  Append custom binary data to sent packets
--data-length <number>                               Append random binary data to sent packets
-f                                                   Send tiny fragmented packets
--source-port <portnumber>, -g <portnumber>          Spoof the source port number
--mtu <value>                                        Specify the maximum transmission unit (MTU)
--proxies <comma-separated list of proxy URLs>       Relay TCP connections through a chain of proxies
--adler32                                            Use the deprecated Adler32 instead of CRC32C for SCTP checksums
--data-string <string>                               Append a custom string to sent packets
--badsum                                             Send packets with bogus TCP/UDP checksums

Q21. Is Nmap a vulnerability scanner?

Ans: Nmap is widely used by security analysts as a port scanner. However, it also offers options (such as NSE scripts) to check for basic vulnerabilities.
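Added example (not code from the original post) in Python: the defender-side counterpart of the commands above, parsing Nmap's grepable output (produced with -oG, an option not listed on this page) from a -sV scan like the one in Q9 and comparing the open ports per host against an approved baseline. The scan output, baseline and host addresses are constructed.

```python
# Constructed sample of Nmap grepable output (`nmap -sV -oG -`); not a real scan.
# Each Ports entry has the form port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sV -oG - 192.168.1.1 192.168.1.10\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 23/open/tcp//telnet///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 443/open/tcp//https//nginx 1.18.0/, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)

# Constructed baseline: the (protocol, port) pairs each host is approved to expose.
BASELINE = {
    "192.168.1.1": {("tcp", 22), ("tcp", 80)},
    "192.168.1.10": {("tcp", 443)},
}

# Services whose mere presence is a finding: credentials travel in cleartext.
CLEARTEXT_SERVICES = {"telnet", "ftp"}


def parse_grepable(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # "Status:" and "Ignored State:" fields carry no ports
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip it rather than abort the report
                hosts[host].append((int(parts[0]), parts[2], parts[1], parts[4], parts[6]))
    return hosts


def find_exposures(scan, baseline):
    """List open ports that are not in the baseline or that run a cleartext service."""
    findings = []
    for host, ports in sorted(scan.items()):
        allowed = baseline.get(host, set())
        for port, proto, state, service, version in ports:
            # "open" and the ambiguous "open|filtered" both count as exposed;
            # closed and filtered ports are not findings.
            if not state.startswith("open"):
                continue
            if (proto, port) not in allowed:
                findings.append((host, f"{proto}/{port}", service, "open port not in baseline"))
            if service in CLEARTEXT_SERVICES:
                findings.append((host, f"{proto}/{port}", service, "cleartext service exposed"))
    return findings


if __name__ == "__main__":
    for finding in find_exposures(parse_grepable(SAMPLE_GREPABLE), BASELINE):
        print(*finding, sep=" | ")
```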

Q22. Is it illegal to use Nmap?

Ans: Any active scanning security tool must be used only with the written permission of the asset owner. Hence, it is highly recommended to use Nmap only after taking appropriate permission from the legitimate owner.

Q23. Is it OK to scan public websites using Nmap like Google, or Yahoo?

Ans: No, any resource must be scanned after taking appropriate approvals in written form. If you participate in the bug bounty of any specific program, it is the responsibility of the bug bounty hunter to read all rules before participation.

Q24. Is Nmap similar to Wireshark?

Ans: Nmap is basically a port scanner that identifies open ports, whereas Wireshark is a protocol analyzer that helps security engineers read the structure of different packets.

Q25. Is it possible to scan the IPs of the internal network?

Ans: Nmap can scan any IP that is reachable over the network. Internal or private IPs can be scanned by connecting to the network via VPN or by connecting to it physically.

Basic Interview Questions FortiGate Firewall
https://allabouttesting.org/basic-interview-questions-fortigate-firewall/?utm_source=rss&utm_medium=rss&utm_campaign=basic-interview-questions-fortigate-firewall (Sat, 25 Apr 2020)

Here we have discussed basic interview questions on the FortiGate firewall. An interviewer may ask practical questions related to FortiGate firewall configuration, security features, etc. A separate post on this site covers how to secure a network firewall from cyber attacks.

Q1. What are the different authentication and encryption mechanisms available in the FortiGate firewall?

Ans: I am listing the methods below in order of strength for authentication and encryption:

  • WPA2 – Enterprise (802.1X/EAP) or Personal (pre-shared key of 8-63 characters)
  • WPA – Enterprise (802.1X/EAP) or Personal (pre-shared key of 8-63 characters)
  • WEP128 (26 hexadecimal digit key)
  • WEP64 (10 hexadecimal digit key)
  • None

It is advisable to use WPA2, which is the strongest of these methods for authentication and encryption.

Q2. Mention some points to keep in mind while configuring the network.

Ans:

  • Do not leave a backdoor for accessing the firewall.
  • Prepare a network diagram consisting of IP addressing, cabling, and network devices.

Q3. What is the command to power off the FortiGate unit via CLI?

Ans: To power off the FortiGate unit:

execute shutdown

Q4. What are the points that should be considered while installing/mounting a Fortinet firewall (hardware) in the rack?

Ans: Below are the points of consideration while mounting a firewall:

  • The room temperature should be in the range of ambient temperature defined by the Original Equipment Manufacturer (OEM)
  • Reliable earthing mechanism
  • Adequate airflow is provided for safe operation
  • Adequate precautions for overcurrent and supply wiring

Q5. What is Security Fabric?

Ans: Security Fabric is a security solution to detect, monitor, block, and remediate cyber-attacks.

Q6. What steps should be taken before each firmware upgrade of the Fortinet firewall?

Ans:

Step 1: Back up and store old configuration.

Step 2: Back up a copy of the old firmware image. This covers the worst-case scenario: if something goes wrong, you can roll back.

Step 3: Read the release notes published by the manufacturer. They may contain useful information on bug fixes, performance, etc.

Step 4: Upgrade.

Q7. Mention the steps for backing up the FortiGate configuration via the GUI.

Ans: Dashboard -> select Backup in the System Information widget -> select the drive for storing the file -> Encrypt configuration file -> enter a password and select Backup -> save the configuration file

Q8. What is the backup configuration file format in the Fortinet firewall?

Ans: The configuration file will have a .conf extension.

Q9. How do you take a backup of the configuration of a Fortinet firewall?

Ans: You can use the CLI commands below to back up the configuration:

execute backup config management-station <comment>
execute backup config usb <filename-backup> [<password-backup>]

For FTP

execute backup config ftp <filename-backup> <ftp_server> [<port>] [<username>] [<password>]

For TFTP

execute backup config tftp <filename-backup> <tftp_servers> <password>

Q10. How to disable administrative access from the internet?

Ans: You can disable administrative access from the outside world via either the GUI or the CLI.

via CLI:

config system interface
    edit <external-interface>
        unset allowaccess
    next
end

via GUI:

Network -> Interfaces, edit external interface and disable five protocols: HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.

Q11. How to maintain short login timeouts while accessing the FortiGate firewall?

Ans: Below command can be used to shorten the login timeouts:

config system global
    set admintimeout 5
end


Q12. How can you send logs to FortiAnalyzer/FortiManager in an encrypted format by using GUI?

Ans: Select Log & Report > Log Settings and configure Remote Logging to FortiAnalyzer/FortiManager (select Encrypt log transmission).

Q13. Write the CLI command to disable auto USB installation.

Ans: Below is the CLI code snippet to disable USB installation

config system auto-install
    set auto-install-config disable
    set auto-install-image disable
end

Q14. How does Fortinet provide support in case of any difficulty faced by a network administrator?

Ans: You can access the “Customer Service & Support” page on the Fortinet portal. The following options are available to resolve any issue:

  • Knowledge Base
  • Fortinet Document Library
  • Training & Certification
  • Fortinet Video Library
  • Discussion Forums
  • Contact Support

Q15. What is the FGCP cluster?

Ans: FGCP stands for FortiGate Clustering Protocol. It is a proprietary High Availability (HA) solution provided by Fortinet. A FortiGate HA cluster consists of a minimum of two firewalls configured for high-availability operation.

Q16. How can we configure FortiOS to turn on global strong encryption?

Ans: Global strong encryption means allowing only strong ciphers (AES, 3DES) and digests (SHA1) for HTTPS, SSH, and SSL/TLS. We can use the command below to configure FortiOS:

config sys global
    set strong-crypto enable
end

Top Virtualization Interview Questions [Updated 2023]
https://allabouttesting.org/top-virtualization-interview-questions-updated/?utm_source=rss&utm_medium=rss&utm_campaign=top-virtualization-interview-questions-updated (Wed, 22 Apr 2020)

Q. Explain Virtualization.

Ans: Virtualization is a concept in which dozens of different machines (such as servers, storage devices, network devices, etc.) for different purposes can be installed on one piece of hardware. It also helps provide confidentiality, integrity, and availability for the different machines through secure configurations. Generally, a virtualization manager is used to manage the different machines.

Q. Mention types of virtualization.

Ans:

  • Data Virtualization
  • Desktop Virtualization
  • Operating System Virtualization
  • Storage Virtualization
  • Server Virtualization
  • Network Virtualization
  • Application Virtualization

Q. What are the benefits of virtualization?

Ans: 

  • Flexibility – can be moved frequently without much overhead
  • Consolidation of workload – easily managed by virtualization manager, e.g., Hypervisor
  • Efficiency – reduces waste of resources; mobility helps balance load across hosts
  • Secure and faster provisioning of resources

Q. What is Data Virtualization?

Ans: It is the concept of analyzing data and presenting it in a more informative format without worrying about the sources and formats of the data. Sources may be packaged apps, RDBMSs, Excel and flat files, big data, XML documents, cloud data, web services, IoT data, etc.

Q. What are the examples of Containerization?

Ans: Docker and Kubernetes are popular examples of containerization.

Q. What is the difference between virtual machines and containers?

Ans: A virtual machine (VM) is an emulated machine for hosting desktops, web servers, database servers, network devices, etc. It facilitates the installation of different virtual IT machines on the same bare metal.

Containers are useful for deploying software applications. They isolate the environment in which many applications run, deploy, and are tested while using the same physical resources. Specifically, they share the same host operating system.

Q. What is Hypervisor?

Ans: A hypervisor is the software layer that creates and manages virtual machines. It sits between the hardware and the virtual machines.

Q. What are the types of hypervisors available in the market?

Ans: There are two types of Hypervisors:

  • Type 1 (bare-metal) hypervisors: the virtualization manager is installed directly on the hardware to manage different virtual machines (VMs).
  • Type 2 (hosted) hypervisors: the virtualization manager is installed on a host OS to manage virtual machines.

Q. What is QEMU?

Ans: QEMU is a generic, open-source machine emulator. It can be used as an alternative to VMware.

Q. What is Desktop Virtualization?

Ans: As the name suggests, desktop virtualization is the technology in which users access personalized desktops from any computer in a network. The virtualized desktops are installed on a central server instead of on personal hardware.

Q. What is Docker?

Ans: Docker is an open-source technology that helps in developing and running applications, and it isolates the application from the host infrastructure.

Q. Mention the hypervisors available in Linux.

Ans: The Xen Project and Red Hat's Kernel-based Virtual Machine (KVM); both are open-source.

Top 10 Interview Questions and Answers: Introduction to Embedded Systems (Basic)
https://allabouttesting.org/top-interview-questions-and-answers-introduction-to-embedded-systems-basic/?utm_source=rss&utm_medium=rss&utm_campaign=top-interview-questions-and-answers-introduction-to-embedded-systems-basic (Thu, 29 Nov 2018)

Here we will discuss the Top 10 Interview Questions and Answers on the Introduction to Embedded Systems. This article is perfect for beginners who want to increase their understanding of embedded systems. I believe covering questions and answers is the best way to enhance knowledge in any new field.

Q1. What is an embedded system?

Ans: An embedded system is a programmed hardware device built to solve one specific type of problem, with only the limited resources (RAM, I/O console, etc.) that the problem requires. In simple terms, the requirements of the specific problem dictate the characteristics of an embedded system.

Q2. What are practical examples of embedded systems in an airplane?

Ans: In an airplane, numerous embedded systems are used for different purposes, such as maintaining the oxygen level inside the cabin, determining weather conditions, altitude, location, orientation and speed, indicating fuel, providing the autopilot feature, etc. These features significantly help the pilot by reducing workload and preventing human error.

Q3. What are the other applications of embedded systems?

Ans: Other embedded systems applications include Robotics, Security Devices, Access Control (e.g., RFID), Home Appliances, Automobiles, Manufacturing Industries, Nuclear Power Plants, etc.

Q4. What are the constraints of embedded systems employed in an airplane?

Ans: Below are some of the constraints:

  • Security: It should be secure. Nobody can access the control system of an airplane without proper privileges, and passengers cannot interfere with or access any control system, which could cause problems for the pilots.
  • Reliability: It should be reliable. Even a 0.0000000000001% error in any sensor output may result in accidents and loss of human life. Ideally, the probability of a mistake or wrong result by the embedded systems employed in airplanes should be zero.

Q5. Are Internet of Things (IoT) devices also examples of embedded systems?

Ans: Yes, IoT devices are also considered examples of embedded systems.

Q6. What should be the characteristics of IoT devices?

Ans: We are listing some characteristics of IoT devices:

  • run on very little energy (energy efficient)
  • difficult to reverse engineer
  • secure from unauthenticated physical and logical access
  • reliable: always function correctly, without error
  • data segregation by using machine learning algorithms
  • reactive in nature (wait for some input, then give output)

Q7. What is the basic system model of embedded system?

Ans: Basic system model constituents are inputs (given by sensors), computation involved by processing elements (based on inputs), and resultant output (by actuators).

Q8. How can we measure overall efficiency of embedded system?

Ans: The overall efficiency of an embedded system is based on the following factors:

  • Energy efficiency: A simple measure of the specific work performed by the system against the energy consumed in the process. Example: a processor's energy efficiency is the number of instructions executed per joule of energy.
  • Code size: The code used for programming the embedded system is kept on the system itself, so it should occupy minimal space and, at the same time, be secure.
  • Portability: The embedded system should be portable and should not occupy more space than the application requires.
  • Cost: It should be cost-effective.
  • Real-time constraints: It should meet real-time constraints such as quality output within very little time, low proneness to error, etc.

Q9. What are the different phases of development of embedded systems?

Ans: Below are the different phases of development of embedded systems:

  1. Idea: Development of an embedded system starts with an idea that answers some specific problem.
  2. Specification: Many brainstorming sessions happen during this phase to collect the specifications that solve the problem. It ends with a list of the hardware and software components required for the development of the system.
  3. Repository: During development, a repository is created for proper version control (to roll back if something goes wrong).
  4. Iteration: Internal testing and redevelopment based on test case results, until the development team is satisfied with the system.
  5. Evaluation: Evaluation may be done by an internal or external team based on the specifications developed in the initial phase.
  6. Validation: Validation is generally an audit by an external team to confirm the efficiency of the embedded system.
  7. Optimization: Based on the results of the different phases, optimization is done to increase the embedded system's efficiency.

Q10. What are the different design models for the development of embedded system?

Ans: As in software development, there are different design models for developing embedded systems, such as the waterfall model (requirements are frozen before development) and the iterative model (a simple implementation first, with complexity and features increased in later stages).

Top 20 Blockchain Interview Questions [Updated 2023]
https://allabouttesting.org/top-blockchain-interview-questions/?utm_source=rss&utm_medium=rss&utm_campaign=top-blockchain-interview-questions (Sat, 24 Nov 2018)

Blockchain technology is a new buzzword for the confidentiality, integrity, and availability of digital transactions. You have definitely heard of the digital cryptocurrency Bitcoin, which is based on blockchain technology. Here, we will discuss questions that can be asked in a technical interview on blockchain.

Q. What is a Blockchain?

Ans: Blockchain is a technology that enables the peer-to-peer transfer of digital information and assets without middlemen or intermediaries. It relies on the immutable records of a distributed database. Blockchain technology can currently be used in many applications such as finance, manufacturing, public distribution, healthcare, and other sectors.

Q. What is Bitcoin?

Ans: A person or a group of people known as Satoshi Nakamoto (whose identity is still unknown) introduced a new digital currency called Bitcoin, based on blockchain technology. Bitcoin enables people to transfer money anonymously from one point to another without any central authority (a decentralized network). Remember that Bitcoin is not recognized by many countries, and transacting in Bitcoin is illegal in some countries.

Q. As there is no central authority in the case of the digital currency Bitcoin, how does Bitcoin establish trust and security among people?

Ans: Bitcoin implements a blockchain-based software program that validates, verifies, and builds consensus in a new infrastructure for transferring digital currency. Recording every transaction in an immutable ledger is the basic building block of trust and security in the blockchain infrastructure. Bitcoin uses cryptographic mechanisms to validate the integrity of transactions.

Q. What is a smart contract?

Ans: A smart contract is software code that forms part of the blockchain node. The execution of the smart contract depends on the message embedded in the transaction. It is used to attach conditions to the execution of transactions.

Q. Which language is used to write the smart contract?

Ans: Solidity is a high-level language that can be used to write the smart contract and compile it into bytecode.

Q. What is the basic structure of blockchain?

Ans: The transaction is the basic structure of the blockchain. The transaction is then validated and broadcast into an immutable ledger. Many transactions form a block, and many blocks form a chain through a digital data link.

Q. What is Unspent Transaction Output (UTXO)?

Ans: UTXO is used as an input in a new transaction. It contains the following information:

  • unique identifier of the transaction that created the UTXO
  • Index of this UTXO in the transaction’s output list
  • Value
  • Optional: conditions under which output can be spent

Q. What are the advantages of blockchain technology?

Ans: Advantages:

  1. It helps build trust among people who do not know each other by ensuring the CIA triad, i.e., confidentiality, integrity, and availability.
  2. It creates logs of transactions in an immutable ledger.
  3. It allows sending and receiving money without any centralized authority (e.g., Bitcoin).

Q. What is the Ethereum blockchain?

Ans: Ethereum blockchain is considered the mother of all blockchains. In 2013, Ethereum founders introduced a framework for code execution and were based on the concept of Smart Contracts.

Q. Is there any difference between Bitcoin Stack and Ethereum Stack?

Ans: Yes, the usage of smart contracts is the major difference between Bitcoin Stack and Ethereum Stack.

Q. What are the types of Blockchain networks?

Ans: Blockchain networks can be categorized into 3 types:

(a) Public blockchains: This type of network can be accessed by the general public, who can also make transactions. Bitcoin and Ethereum are two popular public blockchains.

(b) Private blockchains: As the name indicates, only persons allowed by the network administrators are able to participate and make transactions.

(c) Consortium blockchains: This is considered a semi-decentralized network. As in a private blockchain, network administrator permission is required, but the network is controlled by many companies, each operating a node on it.

Q. What are the Permissionless and Permissioned Blockchain?

Ans:

In a Permissionless blockchain, anyone can publish a new block. It is like a public internet where anyone can participate in a free manner.

In a Permissioned blockchain, only certain nodes can publish a new block; those nodes control the network, and access is restricted. It is like a corporate intranet where only authorized people can participate, in a restricted manner.

Q. What are the main components of Blockchain technology?

Ans: Main components of Blockchain technology are as follows:

  • Cryptographic hash functions – method to convert any input into a unique output
  • Transactions – interactions between two nodes
  • Asymmetric-key cryptography
  • Addresses – an alphanumeric string of characters to identify a user
  • Ledgers – a collection of transactions
  • Blocks – contain a cryptographic hash of the previous block, a timestamp, and transaction data
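Added example (not code from the original post) in Python of how the hash function, block and ledger components listed above fit together: each block commits to a timestamp, its transaction data and the hash of the previous block, so altering one transaction either breaks that block's own hash or, if the tamperer recomputes it, the link from the next block. The ledger contents are constructed; the last block shows the one case a hash chain alone cannot catch.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block has no predecessor to point at

# Constructed sample ledger: (timestamp, transactions) for each block.
SAMPLE_BLOCKS = [
    (1700000000, [{"from": "coinbase", "to": "alice", "amount": 50}]),
    (1700000060, [{"from": "alice", "to": "bob", "amount": 5}]),
    (1700000120, [{"from": "bob", "to": "carol", "amount": 2}]),
]


def block_hash(block):
    """SHA-256 over the block's index, timestamp, transactions and previous hash."""
    header = {k: block[k] for k in ("index", "timestamp", "transactions", "prev_hash")}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def make_block(index, timestamp, transactions, prev_hash):
    block = {"index": index, "timestamp": timestamp,
             "transactions": transactions, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    return block


def build_chain(entries):
    """Link blocks so that each one commits to the hash of its predecessor."""
    chain, prev = [], GENESIS_PREV
    for index, (timestamp, transactions) in enumerate(entries):
        block = make_block(index, timestamp, transactions, prev)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if every block is intact and linked,
    otherwise (False, index of the first inconsistent block)."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i  # contents changed after the block was hashed
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if block["prev_hash"] != expected_prev:
            return False, i  # link to the previous block is broken
    return True, None


def tamper(chain, index, new_amount, rehash=False):
    """Return a copy in which one transaction amount is altered;
    optionally recompute the altered block's own hash, as an attacker would."""
    altered = copy.deepcopy(chain)
    altered[index]["transactions"][0]["amount"] = new_amount
    if rehash:
        altered[index]["hash"] = block_hash(altered[index])
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BLOCKS)
    print("intact:", verify_chain(chain))
    print("edited block 1:", verify_chain(tamper(chain, 1, 500)))
    print("edited and rehashed block 1:", verify_chain(tamper(chain, 1, 500, rehash=True)))
    # The newest block has no successor committing to it, so rewriting it is
    # not detected by the chain alone; consensus and further blocks must cover it.
    print("edited and rehashed last block:", verify_chain(tamper(chain, 2, 999, rehash=True)))
```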

Q. What skills are required to become a blockchain developer?

Ans: To learn the development of the blockchain-based system, the following technology/concepts are required:

  • Basics of Blockchain
  • Cryptography concepts
  • good command of at least one programming language (e.g. C++, Java, C#, Solidity, Scala, Kotlin, etc.)
  • Concept of distributed ledger
  • Concept of Networking

Top 10 SSH Interview Questions and Answers
https://allabouttesting.org/top-ssh-interview-questions-and-answers/?utm_source=rss&utm_medium=rss&utm_campaign=top-ssh-interview-questions-and-answers (Sun, 16 Sep 2018)

SSH stands for Secure Shell, which helps in connecting to remote computers securely over the internet by using cryptographic techniques. It is an alternative to telnet, rlogin, and similar protocols. Here we will discuss SSH interview questions that may be asked in an interview.

Q1. What is Secure Shell (SSH)?

Ans: SSH is a network protocol for accessing one computer from another securely. It protects the integrity and confidentiality of data by providing strong encryption and authentication mechanisms.

Q2. Explain briefly the uses of SSH protocol in the industry.

Ans: The SSH protocol is mainly used to connect to remote computers securely. Other uses include:

  1. transferring files securely
  2. issuing commands to a remote host automatically
  3. OpenSSH can connect to remote hosts without passwords by using key-based authentication
  4. remote monitoring of critical infrastructure securely
  5. SSH can be used with the rsync utility to back up and transfer files between computer systems.

Q3. Which cryptography technique is used by SSH?

Ans: SSH uses symmetric cryptography, public-key cryptography, and hashing to authenticate the client and the remote computer and to protect the session. AES and Blowfish are the most widely used symmetric algorithms employed to secure the protocol's communication.

Q4. Which default port is used by SSH? Can we change that port? If yes, how can we change the port number of SSH?

Ans: SSH uses port 22 by default.
Yes, the port number can be configured as required.
In Ubuntu, edit the SSH server configuration file, sshd_config, in /etc/ssh (the client-side file in the same directory is ssh_config) and set the Port directive to an unused port number. Save the file and restart the SSH service for the change to take effect.

Similarly, on other operating systems the port number is changed in the SSH server configuration file.

Q5. How can you connect with the remote desktop with some IP? Assume you know the username and password of that machine.

Ans: The following command can be used to connect to the remote machine:
ubuntu@ubuntu:~$ ssh <username>@<hostname>
<username>@<hostname>'s password: <enter the password here>

Q6. How can you run the remote commands on the target machine by using SSH?

Ans: The following command runs a command on the remote machine:
ubuntu@ubuntu:~$ ssh <username>@<hostname> 'command'

Q7. How can we know the installed SSH version on the machine?

Ans: The following command prints the installed SSH version:
ubuntu@ubuntu:~$ ssh -V

Q8. Explain the working of SSH protocol.

Ans: SSH works on the client-server model. The steps for connecting a client to a server via the SSH protocol are:

  1. The client sends a connection request to the remote computer. Consider the remote computer as the server here.
  2. Both client and server agree on a large prime number (also called the seed value) and a generator used to manipulate it. They also agree on the symmetric encryption algorithm (AES, 3DES, etc.) for the session.
  3. Client and server each independently generate a private key using another prime number. Each side's public key is then computed from its private key, the generator, and the shared prime number.
  4. Both parties exchange public keys. Using public-key cryptography, the client and server verify each other's identity.
  5. Client and server each independently combine their own private key, the other party's public key, and the shared prime number to generate the same symmetric key.
  6. Once the symmetric key is generated, data is encrypted with it.
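The exchange in steps 2 to 6 above, written out as an added Python example (not code from the original post): both sides agree on a prime and a generator, derive public values from private ones, and arrive at the same symmetric key without the private values ever leaving either side. The prime, generator and session id are toy values constructed for the demo, and the server host-key signature that real SSH uses in step 4 to prove the server's identity is left out.

```python
import hashlib
import secrets

# Toy group constructed for illustration only: a Mersenne prime as the shared
# modulus and a small generator. Real SSH negotiates far larger standard groups.
P = 2**127 - 1
G = 5


def make_keypair(p=P, g=G):
    """Step 3: pick a random private value and derive the public value g^x mod p."""
    private = secrets.randbelow(p - 3) + 2   # 2 <= private <= p-2, never 0 or 1
    return private, pow(g, private, p)


def shared_secret(my_private, their_public, p=P):
    """Step 5: combine own private value with the peer's public value."""
    if not 1 < their_public < p - 1:
        # 0, 1 and p-1 would force a predictable secret; refuse them.
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, p)


def derive_symmetric_key(secret, session_id=b"constructed-session-id"):
    """Step 6: hash the shared secret into a 256-bit symmetric key."""
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw + session_id).digest()


def run_exchange():
    """Steps 2-6 end to end; returns the key each side derives."""
    client_priv, client_pub = make_keypair()
    server_priv, server_pub = make_keypair()
    # Step 4: only the public values cross the network. In real SSH the server
    # also signs the exchange with its host key so the client can verify it.
    client_key = derive_symmetric_key(shared_secret(client_priv, server_pub))
    server_key = derive_symmetric_key(shared_secret(server_priv, client_pub))
    return client_key, server_key


if __name__ == "__main__":
    c, s = run_exchange()
    print("both sides derived the same key:", c == s)
```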

Q9. What is the main difference between ssh and telnet?

Ans: The basic difference is that telnet connects to the remote host unencrypted, while ssh encrypts the whole connection. Remember that ssh uses port number 22 while telnet uses port number 23.

Q10. What is ssh-keygen?

Ans: It is a tool for creating a new public-private key pair for authentication. To generate one, run "sudo ssh-keygen", then enter the file in which to save the key and a passphrase. Note that the key pair belongs to the user who runs the command, so under sudo it is created for root; run it as the user who will log in with the key. Below is a snapshot of the same.

CGI Scripts | Interview Questions & Answers https://allabouttesting.org/cgi-scripts-interview-questions-answers/?utm_source=rss&utm_medium=rss&utm_campaign=cgi-scripts-interview-questions-answers https://allabouttesting.org/cgi-scripts-interview-questions-answers/#comments Sun, 03 Jun 2018 11:41:17 +0000 https://allabouttesting.org/?p=2723 CGI is an acronym, and it stands for Common Gateway Interface. Below I am listing interview questions and answers on...

The post CGI Scripts | Interview Questions & Answers first appeared on All About Testing.

CGI is an acronym, and it stands for Common Gateway Interface. Below I am listing interview questions and answers on CGI scripts that may be asked in company interviews.

CGI Scripts Interview Questions & Answers

Q1. What is a CGI Script?

Ans:

  • CGI stands for Common Gateway Interface.
  • It is a program that runs on a web server.
  • It helps in creating interactive web pages dynamically based on inputs provided by the user.
  • CGI scripts can be written in any language.
  • CGI scripts reside in a special directory on the web server, typically "cgi-bin".

Q2. Which computer language is generally used to write CGI scripts?

Ans: Remember that CGI scripts can be written in any language, but they are most often written as:

  • Perl scripts
  • C/C++ programs
  • Unix Scripts

Q3. What does the REQUEST_METHOD environment variable specify?

Ans: It specifies whether we are using the GET or the POST method to send data to the server.

Q4. How does the form data get accessed in POST?

Ans: As a continuous stream of bytes read from standard input; the number of bytes to read is given by the CONTENT_LENGTH environment variable.

Q5. Why is the POST method more secure as compared to the GET method?

Ans: In the GET method, data is sent as part of the URL, so it ends up in browser history and server logs in plaintext. In the POST method, parameters are sent in the request body and are not stored in browser history or server access logs. Note that neither method encrypts the data; on the wire both are equally exposed unless the connection uses HTTPS.

Q6. How do the CGI scripts know that the form data received has been URL encoded?

Ans: Through the CONTENT_TYPE environment variable, which is set to application/x-www-form-urlencoded for URL-encoded form data.
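An added Python example (not code from the original post) of how a CGI script consumes the REQUEST_METHOD, CONTENT_LENGTH and CONTENT_TYPE variables from Q3, Q4 and Q6: it caps the accepted body size, checks the content type before decoding, reads only the declared number of bytes, and HTML-escapes every value it echoes back. For GET it reads the QUERY_STRING variable defined by the CGI specification; the sample request, field names and MAX_BODY limit are constructed for the demo.

```python
import html
import io
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # upper bound on an accepted POST body (a constructed limit)

def read_form(environ, stdin):
    """Decode form fields: GET reads QUERY_STRING (RFC 3875), POST reads stdin
    for the CONTENT_LENGTH bytes declared, encoded as CONTENT_TYPE says."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        raw = environ.get("QUERY_STRING", "")
    elif method == "POST":
        ctype = environ.get("CONTENT_TYPE", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError("unsupported content type: %r" % ctype)
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            raise ValueError("CONTENT_LENGTH is not an integer")
        if length < 0 or length > MAX_BODY:
            raise ValueError("refusing body of length %d" % length)
        raw = stdin.read(length)  # read exactly what the header promises, no more
    else:
        raise ValueError("unsupported method: %s" % method)
    return parse_qs(raw, keep_blank_values=True)

def render(fields):
    """Build the HTML response, escaping every value that is echoed back."""
    items = "".join("<li>%s = %s</li>" % (html.escape(k), html.escape(v))
                    for k, values in sorted(fields.items()) for v in values)
    return "Content-Type: text/html\r\n\r\n<ul>%s</ul>" % items

# Constructed sample POST request used for the stand-alone demo.
SAMPLE_BODY = "user=alice&note=%3Cb%3Ehi%3C%2Fb%3E"
SAMPLE_ENV = {"REQUEST_METHOD": "POST",
              "CONTENT_TYPE": "application/x-www-form-urlencoded",
              "CONTENT_LENGTH": str(len(SAMPLE_BODY))}

def demo_post():
    return read_form(SAMPLE_ENV, io.StringIO(SAMPLE_BODY))

if __name__ == "__main__":  # under a real web server, or as a stand-alone demo
    live = "REQUEST_METHOD" in os.environ
    print(render(read_form(os.environ, sys.stdin) if live else demo_post()))
```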

Q7. What is the function of the UNIX command “finger”?

Ans: The "finger" command displays the following information about a user:

  • Login name
  • Full name
  • Office location
  • Phone number
  • Login time
  • Idle time
  • Project files

Q8. List out the differences between an interpreted language and a compiled language.

Ans:
Interpreted Language | Compiled Language
An interpreted language is parsed, interpreted and executed each time it is run. | The source code is compiled first, then executed.
JavaScript, Python | Assembler, COBOL, C/C++
Less efficient | More efficient
The interpreter produces the result of the program directly. | The compiler produces a program written in assembly language.

Q9. How does the form data get accessed in GET, and in what form?

Ans: As a continuous stream of bytes read from standard input; the number of bytes is stored in the content length environment variable.

Q10. Is there any difference between the CGI script and Java?

Ans:
CGI | Java
A protocol used to run programs on web servers. | Java has its own standard APIs to run programs on web servers.
Not very scalable or secure. | Object-oriented and secure.
Platform dependent. | Platform independent.
No provision for separating presentation from business logic. | Java defines a clear separation between presentation and business logic.

Q11. Why do Programmers prefer to use Perl language for CGI?

Ans: There are many reasons behind the use of Perl for CGI, but we will discuss some important points:

  • As Perl is an interpreted language, you can debug easily while programming CGI; no compilation step is needed for each task.
  • Perl is quite a good choice for socket programming.
  • Perl manages strings well, handling memory allocation and deallocation automatically.
  • Perl has rich functionality for pattern matching.

Q12. What is the one main disadvantage of using Perl for CGI programming?

Ans: Speed. Some web applications are built primarily for speed; if you need maximum performance from your web application, you should consider programming in a compiled language like C.
