Introduction
This blog covers important multiple-choice cybersecurity questions (MCQs) for interviews, certifications, and real-world knowledge. Topics include eBPF, SIEM, SOAR, NIST frameworks, and Incident Response.
Cybersecurity MCQs with Answers
Question 1
Why is eBPF favored over traditional kernel modules for enhancing security and observability in modern systems?
Options:
- It can execute arbitrary code in the kernel without restrictions.
- It enables dynamic, verified, and safe code execution without modifying the kernel.
- It avoids sandboxing, improving systemwide access.
- It relies on external user-space tools for packet inspection.
Answer:
It enables dynamic, verified, and safe code execution without modifying the kernel. Before an eBPF program is loaded, the in-kernel verifier checks it for bounded execution and valid memory accesses and rejects anything it cannot prove safe, which is why it can be attached at runtime without the stability and security risk of an unvetted kernel module.
Question 2
What is a key difference between SOAR and SIEM systems?
Options:
- SOAR focuses on collecting log data from multiple sources.
- SIEM automatically executes predefined workflows during incident response.
- SOAR uses orchestration and automation to respond to alerts, while SIEM focuses on threat detection and alerting.
- SIEM systems are less complex to implement than SOAR systems.
Answer:
SOAR uses orchestration and automation to respond to alerts, while SIEM focuses on threat detection and alerting.
Question 3
Which of the following best describes a primary benefit of implementing a SOAR solution in a security operations center?
Options:
- It eliminates the need for human analysts.
- It provides real-time log analysis.
- It replaces SIEM systems.
- It automates routine responses and allows analysts to focus on complex threats.
Answer:
It automates routine responses and allows analysts to focus on complex threats.
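As an added example (not part of the original quiz), the following Python playbook runner shows the SOAR half of Questions 2 and 3: it takes alerts in the shape a SIEM would emit, enriches them against a threat-intel list and an asset inventory, and applies a decision table that auto-closes known noise, auto-contains high-confidence known-bad activity, and escalates anything ambiguous to a human analyst. Every IP address, hostname, and threat-intel entry is constructed for illustration, and the containment actions only record what they would do; wiring them to a real EDR or firewall API is outside this example.

```python
"""SOAR-style playbook runner (added example, not from the original page).

Decision table:
  - source is an approved internal scanner        -> close (noise)
  - source in threat intel, high severity, and the
    target is not a crown-jewel host               -> contain automatically
  - source in threat intel but crown-jewel target
    or lower severity                              -> escalate to analyst
  - nothing matched                                -> escalate to analyst
All enrichment data below is constructed (hypothetical values).
"""
from dataclasses import dataclass, field
from typing import Dict, List

THREAT_INTEL: Dict[str, str] = {"198.51.100.23": "known C2 (constructed entry)"}
VULN_SCANNERS = {"10.0.0.5"}                 # approved internal scanner: expected noise
CROWN_JEWELS = {"db-prod-01", "pki-ca-01"}   # never isolate these without a human


@dataclass
class Alert:
    rule: str
    src_ip: str
    host: str
    severity: str  # "low" | "medium" | "high"


@dataclass
class Outcome:
    decision: str  # "close" | "contain" | "escalate"
    reason: str
    actions: List[str] = field(default_factory=list)


def enrich(alert: Alert) -> Dict[str, object]:
    """Add the context a playbook needs to make a decision."""
    return {
        "intel": THREAT_INTEL.get(alert.src_ip),
        "is_scanner": alert.src_ip in VULN_SCANNERS,
        "crown_jewel": alert.host in CROWN_JEWELS,
    }


def run_playbook(alert: Alert) -> Outcome:
    """Apply the decision table; actions are simulated (strings only)."""
    ctx = enrich(alert)
    if ctx["is_scanner"]:
        return Outcome("close", "source is an approved internal scanner",
                       ["add comment: auto-closed as scanner noise"])
    if ctx["intel"]:
        if ctx["crown_jewel"] or alert.severity != "high":
            return Outcome("escalate",
                           f"known-bad source ({ctx['intel']}) but the target is a "
                           "crown-jewel host or severity is below high",
                           ["page on-call analyst",
                            f"collect triage package from {alert.host} (simulated)"])
        return Outcome("contain", f"source listed in threat intel: {ctx['intel']}",
                       [f"block {alert.src_ip} at perimeter (simulated)",
                        f"isolate host {alert.host} via EDR (simulated)",
                        "open ticket severity=high"])
    return Outcome("escalate", "no automatic rule matched",
                   ["open ticket for analyst review"])


if __name__ == "__main__":
    samples = [  # constructed alerts
        Alert("port-scan", "10.0.0.5", "web-01", "low"),
        Alert("beacon", "198.51.100.23", "web-01", "high"),
        Alert("beacon", "198.51.100.23", "db-prod-01", "high"),
        Alert("odd-login", "203.0.113.9", "web-02", "medium"),
    ]
    for a in samples:
        o = run_playbook(a)
        print(f"{a.rule:10} {a.src_ip:15} {a.host:11} -> {o.decision:8} ({o.reason})")
        for act in o.actions:
            print("    ", act)
```

The point of the crown-jewel check is the one Question 3 makes: automation handles the routine cases, but an action with high blast radius (isolating a production database) still goes to an analyst rather than being executed blindly.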
Question 4
Why might an organization choose to combine elements from multiple risk management frameworks?
Options:
- Reduce cybersecurity staff cost
- Delay compliance
- Create a tailored plan aligned with needs
- Avoid processes
Answer:
To create a tailored plan that aligns with specific organizational needs.
Question 5
Which statement correctly explains compensating controls?
Options:
- Must always exceed original control
- Can be ignored later
- Should meet intent and provide similar assurance
- Only used to reduce costs
Answer:
Compensating controls should meet the intent of the original control and provide similar assurance.
Question 6
What is a key distinction between NIST RMF and CSF?
Options:
- RMF is for infrastructure; CSF is mandatory
- RMF is a service strategy framework
- RMF is compliance-driven; CSF is voluntary
- They are the same framework
Answer:
RMF is compliance-driven (required for federal information systems under FISMA); CSF is a voluntary, risk-based guide that any organization can adopt.
Question 7
What is the goal of post-incident activities?
Options:
- Configure firewall
- Isolate systems
- Evaluate cost
- Document findings and improve security
Answer:
Document findings, improve security posture, and reduce future risk.
Question 8
Which team coordinates incident response?
Options:
- SOC
- CSIRT
- Helpdesk
- Risk committee
Answer:
Computer Security Incident Response Team (CSIRT)
Question 9
Which framework provides incident handling guidance in the US?
Options:
- NIST SP 800-61
- ISO 27005
- ITIL
- ISO 27035
Answer:
NIST SP 800-61 (Computer Security Incident Handling Guide). ISO/IEC 27035 also covers incident management, but as an international standard rather than US guidance.
SIEM, Observability & eBPF
Question 10
Why is event correlation important in SIEM?
Options:
- One event monitored
- Identifies related attack patterns
- Removes analyst need
- Only stores logs
Answer:
It identifies related events indicating sophisticated attacks.
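As an added example (not part of the original quiz), here is correlation logic of the kind Question 10 describes, run over constructed sshd-style log lines: a single failed login is noise, but several failures from one source inside a short window followed by a successful login from that same source is a pattern worth an alert. Hostnames, usernames, and addresses are made up for illustration, and the log format is a simplified one chosen for this example.

```python
"""Event correlation over constructed auth-log lines (added example, not from
the original page).  Flags a source IP whose failed logins reach `threshold`
inside `window` and are then followed by a successful login."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, sshd-style lines (hypothetical hosts, users and addresses).
LOG = """\
2024-05-01T10:00:01Z web-01 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:00:03Z web-01 sshd: Failed password for bob from 203.0.113.9
2024-05-01T10:00:05Z web-01 sshd: Failed password for carol from 203.0.113.9
2024-05-01T10:00:09Z web-01 sshd: Failed password for dave from 203.0.113.9
2024-05-01T10:00:12Z web-01 sshd: Accepted password for dave from 203.0.113.9
2024-05-01T10:05:00Z web-02 sshd: Failed password for eve from 192.0.2.7
2024-05-01T10:30:00Z web-02 sshd: Accepted password for eve from 192.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines: str) -> List[Dict[str, object]]:
    """Turn raw lines into event dicts; lines that do not match are dropped."""
    events: List[Dict[str, object]] = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would count parse failures rather than silently drop them
        d: Dict[str, object] = m.groupdict()
        d["ts"] = datetime.strptime(str(d["ts"]), "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def correlate(events: List[Dict[str, object]], threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """One alert per source IP: >= threshold failures within `window`, then a success."""
    recent_failures: Dict[str, deque] = defaultdict(deque)  # ip -> failure timestamps
    alerts: List[Dict[str, object]] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        q = recent_failures[str(e["ip"])]
        while q and e["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
        elif len(q) >= threshold:              # success after a burst of failures
            alerts.append({"ip": e["ip"], "user": e["user"], "host": e["host"],
                           "failures_before_success": len(q), "at": e["ts"]})
            q.clear()                          # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(LOG)):
        print(f"ALERT {alert['at']:%H:%M:%S} {alert['ip']} -> {alert['user']}@{alert['host']} "
              f"after {alert['failures_before_success']} failures")
```

Run on the sample, only 203.0.113.9 is flagged: four failures against different usernames in eleven seconds and then a successful login as dave. The single failure from 192.0.2.7 followed by a success 25 minutes later falls outside the window and stays quiet, which is the difference between correlating events and simply storing them.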
Question 11
Why is eBPF powerful in containers?
Options:
- Requires privileged mode
- Replaces monitoring tools
- Kernel-level monitoring without container agents
- Needs kernel recompilation
Answer:
It allows kernel-level monitoring without deploying an agent inside every container: containers share the host kernel, so one eBPF program attached there observes system calls, network traffic, and process activity for all of them.
Question 12
Monitoring vs Observability?
Options:
- Monitoring alerts, observability explains root cause
- Monitoring predicts
- Dashboard vs automation
- Different domains
Answer:
Monitoring alerts teams to issues, while observability diagnoses root cause.
Question 13
What is Full-Stack Observability?
Options:
- Code monitoring tool
- Cloud-only insight
- End-to-end monitoring across all layers
- On-prem dashboard
Answer:
End-to-end monitoring across all layers: the capability to observe and optimize the entire IT environment, from infrastructure and network through application code and user experience.
Question 14
Advantage of SIEM over separate tools?
Options:
- Removes firewalls
- Independent tools
- Unified data and centralized management
- Restricts integration
Answer:
Unified data sharing and a single point of management.
Risk & Controls
Question 15
First step in risk management?
Options:
- Mitigation
- Identification
- Assessment
- Communication
Answer:
Risk Identification
Question 16
When should compensating controls be used?
Options:
- Replace all controls
- No policies exist
- Simplify network
- When primary control not feasible
Answer:
When limitations prevent implementing primary control.
Question 17
Which of the following is NOT a valid purpose of compensating controls?
Options:
- Reduce breach risk
- Compliance support
- Simplify access
- Protect legacy systems
Answer:
To simplify network access for all employees.
Question 18
Which is an example of a compensating control when encryption cannot be implemented?
Options:
- Archive logs
- Enhanced monitoring
- Ignore classification
- Antivirus
Answer:
Using enhanced monitoring to detect unauthorized access.
Incident Response Lifecycle
Question 19
When are compromised accounts reset?
Options:
- Containment
- Recovery
- Preparation
- Post-incident
Answer:
Containment Phase: resetting or disabling compromised accounts cuts off the attacker's access. Note that NIST SP 800-61 treats containment, eradication, and recovery as one combined phase, so some sources place credential resets under eradication.
Question 20
Activity in analysis phase?
Options:
- Root cause and impact analysis
- Notify stakeholders
- Recovery deployment
- Rebuild systems
Answer:
Root cause analysis and impact assessment.
Question 21
Goal of post-incident phase?
Options:
- Configure systems
- Isolate devices
- Cost evaluation
- Improve future security
Answer:
Improve security and prevent recurrence.
Question 22
Purpose of recovery phase?
Options:
- Legal assessment
- Containment
- Remove malware
- Restore systems securely
Answer:
Restore systems to normal operations and ensure security.