🛡️ Cybersecurity
Complete Study Notes for Government, Banking, SSC, UPSC, Railway & Other Competitive Exams
📚 62 MCQs with Answers 📊 All Important Tables 🇮🇳 Indian Laws & Initiatives ⚡ Quick Revision
1. What is Cybersecurity? — The CIA Triad
Cybersecurity is the practice of protecting computers, networks, programs, and data from unauthorized access, damage, or attacks.
| Letter | Principle | Meaning | Example |
|---|---|---|---|
| C | Confidentiality | Only authorized people can access data | Encrypting bank details |
| I | Integrity | Data is accurate & not tampered with | Digital signatures |
| A | Availability | Systems accessible when needed | No downtime in banks |
⭐ Exam Tip: CIA Triad is the most frequently asked concept in Banking, SSC, Government & UPSC exams. A DDoS attack violates Availability. Data tampering violates Integrity. Eavesdropping violates Confidentiality.
2. Types of Malware (Malicious Software)
| Malware Type | What It Does | Key Example |
|---|---|---|
| 🔴 Virus | Attaches to files; spreads when file is opened | Infects .exe files |
| 🪱 Worm | Self-replicates across networks WITHOUT user action | ILOVEYOU Worm (2000) |
| 🐴 Trojan Horse | Disguised as legitimate software; hides malware | Fake antivirus programs |
| 🔒 Ransomware | Encrypts files; demands payment to unlock | WannaCry (2017) |
| 🕵️ Spyware | Secretly monitors & steals user activity | Keyloggers, banking trojans |
| 📢 Adware | Shows unwanted ads; may carry spyware | Pop-up advertising software |
| 🫥 Rootkit | Hides itself; gives attacker admin/root access | Stealthy system backdoors |
| 🤖 Botnet | Network of infected computers controlled remotely | Used in DDoS attacks |
| ⌨️ Keylogger | Records every keystroke (passwords, chats) | Banking credential theft |
| 💣 Logic Bomb | Malicious code triggered at a specific time/event | Activates on a certain date |
⭐ Exam Tip: Worm spreads automatically (no user action). Virus needs a host file. Trojan hides as legitimate software. Ransomware encrypts and demands ransom — WannaCry is the most exam-asked example.
3. Phishing & Social Engineering Attacks
| Attack Name | Method / Target | Medium |
|---|---|---|
| Phishing | Fake emails to steal credentials from general users | |
| Spear Phishing | Targeted phishing at a specific person or org | |
| Whaling | Phishing targeting top executives — CEO, CFO, MD | |
| Smishing | Phishing via fake SMS / text messages | 📱 SMS |
| Vishing | Phishing via fake phone calls (voice) | 📞 Phone |
| Pretexting | Attacker creates a fake story/scenario to extract info | Any |
| Baiting | Leaving infected USB drives in public places | 🖥️ Physical |
| Quid Pro Quo | Offering fake “help” in exchange for sensitive info | Phone/Online |
| Tailgating | Entering restricted area by following authorized person | 🚪 Physical |
| Shoulder Surfing | Watching someone type passwords in public | 👀 Physical |
⭐ Memory Trick: Smishing = SMS | Vishing = Voice | Whaling = Wealthiest (CEOs) | Spear = Specific person
4. Network & Web Attacks
| Attack | What Happens |
|---|---|
| DoS (Denial of Service) | Overloads server from one source → website goes down |
| DDoS (Distributed DoS) | Same as DoS but from thousands of machines (botnet) — harder to block |
| MITM (Man-in-the-Middle) | Attacker secretly intercepts & alters communication between two parties |
| SQL Injection | Injects malicious SQL code into database via web form inputs |
| XSS (Cross-Site Scripting) | Injects malicious scripts into web pages viewed by other users |
| CSRF | Tricks logged-in users into performing unintended actions on a website |
| DNS Spoofing | Redirects users to fake/malicious websites via DNS manipulation |
| Zero-Day Exploit | Attacks a vulnerability before a patch exists — most dangerous |
| Brute Force | Trying all possible passwords until correct one is found |
| Rainbow Table Attack | Uses pre-computed hash values to crack passwords quickly |
| Drive-by Download | Malware downloaded automatically just by visiting a website |
| Credential Stuffing | Uses leaked credentials from one site to break into other sites |
5. Cyber Defense Measures & Security Tools
| Tool / Control | Full Form | What It Does |
|---|---|---|
| Firewall | — | Blocks/allows network traffic based on security rules |
| Antivirus / Anti-malware | — | Detects and removes malicious software |
| Encryption | — | Converts data to unreadable form; only authorized can decode |
| VPN | Virtual Private Network | Creates encrypted tunnel over public internet |
| IDS | Intrusion Detection System | Detects suspicious activity and alerts (does not block) |
| IPS | Intrusion Prevention System | Detects AND blocks threats in real-time |
| DLP | Data Loss Prevention | Prevents unauthorized data transfer or leakage |
| SIEM | Security Info & Event Management | Collects, correlates & analyzes security logs |
| WAF | Web Application Firewall | Protects web apps from SQL Injection, XSS etc. |
| EDR | Endpoint Detection & Response | Monitors & responds to threats on individual devices |
| Honeypot | — | Decoy system to attract & study attacker behavior |
| SOC | Security Operations Center | 24/7 team monitoring security events & responding to incidents |
| MFA | Multi-Factor Authentication | Password + OTP + Biometric = stronger login security |
🔐 Access Control Models
| Model | Full Form | How Access is Decided |
|---|---|---|
| DAC | Discretionary Access Control | Data owner decides who gets access |
| MAC | Mandatory Access Control | System enforces access based on security labels |
| RBAC | Role-Based Access Control | Access based on user’s job role — most common in exams |
| ABAC | Attribute-Based Access Control | Access based on user attributes, time, location etc. |
⭐ Exam Tip: IDS only detects. IPS detects + blocks. RBAC = access by role. Honeypot = decoy/trap for attackers.
6. Cryptography & Encryption
| Type | Keys Used | Speed | Examples | Used For |
|---|---|---|---|---|
| Symmetric | Same key for encrypt & decrypt | ⚡ Fast | AES, DES, 3DES | Bulk data encryption |
| Asymmetric | Public key encrypts; Private key decrypts | 🐢 Slower | RSA, ECC | Key exchange, digital signatures |
| Hashing | One-way — cannot be decrypted | ⚡⚡ Very Fast | SHA-256, MD5 | Data integrity verification |
| Term | What It Means / Why Important |
|---|---|
| AES | Advanced Encryption Standard — most widely used symmetric cipher today |
| RSA | Most common asymmetric algorithm — used for key exchange & digital signatures |
| SHA-256 | Secure Hash Algorithm — used for data integrity. Output = 256-bit hash |
| MD5 | Outdated hash — vulnerable to collisions; do not use for security |
| SSL/TLS | Protocols that secure internet connections → enable HTTPS |
| HTTPS | HTTP over TLS — Port 443 — secure web browsing |
| Digital Signature | Verifies sender identity and document integrity using asymmetric keys |
| PKI | Public Key Infrastructure — system to manage digital certificates |
| CA | Certificate Authority — issues and verifies digital certificates |
⭐ Exam Tip: AES = Symmetric (fast) | RSA = Asymmetric (key exchange) | HTTPS = Port 443 | MD5 = Weak/Deprecated | SHA-256 = Integrity
7. Types of Hackers
| Hacker Type | Description | Legal? |
|---|---|---|
| 🤍 White Hat | Ethical hackers who find & report vulnerabilities legally | Legal |
| 🖤 Black Hat | Criminal hackers who exploit systems for personal gain | Illegal |
| 🩶 Grey Hat | Hack without permission but may report flaws (not purely malicious) | Unclear |
| 👶 Script Kiddie | Use ready-made tools without deep technical knowledge | Illegal |
| ✊ Hacktivist | Hack for social/political causes (e.g., Anonymous group) | Illegal |
| 🏠 Insider Threat | Employees/contractors who misuse their internal access | Illegal |
| 🔴 Red Hat | Aggressively fight black-hat hackers using offensive methods | Varies |
| 🔵 Blue Hat | External security testers invited before a product launch | Legal |
| 🏛️ State-Sponsored | Government-backed hackers targeting other nations | Controversial |
8. Indian Cybersecurity Laws
Information Technology (IT) Act, 2000 — Main law governing cybercrime and electronic governance in India
| Section | Provision | Exam Priority |
|---|---|---|
| Sec 43 | Unauthorized access, downloading, copying or extracting data | HIGH |
| Sec 65 | Tampering with computer source code | MEDIUM |
| Sec 66 | Hacking & computer-related offences | HIGH |
| Sec 66A | Sending offensive messages online — struck down by Supreme Court in 2015 (Shreya Singhal case) | HIGH |
| Sec 66C | Identity theft (including Aadhaar misuse) | HIGH |
| Sec 66D | Online cheating / phishing using computer | HIGH |
| Sec 66E | Violation of privacy — capturing/publishing private images | MEDIUM |
| Sec 66F | Cyber Terrorism — Punishment: Life Imprisonment | HIGH ⭐ |
| Sec 67 | Publishing obscene material online | MEDIUM |
| Sec 69A | Government power to block websites | HIGH ⭐ |
| Sec 70 | Protected Systems (critical infrastructure) | MEDIUM |
| Sec 70B | CERT-In designated as National Nodal Agency | HIGH ⭐ |
Digital Personal Data Protection Act (DPDPA), 2023 — India’s dedicated data privacy law
- Data Principal = the individual whose data is collected
- Data Fiduciary = entity that processes personal data
- Consent required before processing personal data
- Data Breach Reporting is mandatory to CERT-In
- Right to erase data / right to correct inaccurate data
- Penalties up to ₹250 crore for serious violations
⭐ Exam Tip: Section 66F = Cyber Terrorism (Life Imprisonment) | Section 69A = Block Websites | Section 70B = CERT-In as National Nodal Agency | Section 66A = STRUCK DOWN in 2015
9. Indian Cybersecurity Organizations & Initiatives
📌 Key Organizations
| Organization | Full Form | Role |
|---|---|---|
| CERT-In | Computer Emergency Response Team – India | National agency for cyber incident response; issues advisories (under MeitY) |
| NCIIPC | National Critical Information Infrastructure Protection Centre | Protects critical sectors: power, banking, telecom, transport (under NTRO) |
| I4C | Indian Cyber Crime Coordination Centre | Coordinates response to cybercrime (under Ministry of Home Affairs) |
| DSCI | Data Security Council of India | Industry body set up by NASSCOM for data protection practices |
| NIC | National Informatics Centre | Provides IT infrastructure to Government of India |
| NTRO | National Technical Research Organisation | Technical intelligence including the cyber domain |
🚀 Key Schemes & Initiatives
| Initiative | Details |
|---|---|
| National Cyber Security Policy (NCSP) 2013 | India’s first comprehensive cyber protection policy |
| National Cyber Security Strategy 2020 | Updated strategy for strengthening India’s cyber ecosystem |
| Cyber Surakshit Bharat | MeitY initiative for cybersecurity awareness among govt officials |
| CyberDost | MHA social media initiative for public cyber safety awareness |
| National Cybercrime Reporting Portal | www.cybercrime.gov.in — report online crimes here |
| Cybercrime Helpline | 1930 — national cybercrime helpline number |
| Digital India | Broad e-governance initiative with cyber safety as a component |
Must Remember: Cybercrime Helpline = 1930 | Report at = cybercrime.gov.in | CERT-In under MeitY | NCIIPC under NTRO | I4C under MHA | DSCI founded by NASSCOM
10. Important Cybersecurity Terms
| Term | Simple Definition |
|---|---|
| Vulnerability | A weakness in a system that can be exploited by an attacker |
| Threat | A potential source of harm to a system or network |
| Risk | Probability that a threat will exploit a vulnerability (= Threat × Vulnerability) |
| Exploit | A code or technique used to take advantage of a vulnerability |
| Patch | A software update that fixes a known vulnerability |
| Zero-Day | Vulnerability unknown to the vendor; exploited before any patch exists |
| APT | Advanced Persistent Threat — long-term targeted attack by skilled adversaries |
| CVE | Common Vulnerabilities and Exposures — standardized ID for known vulnerabilities |
| CVSS | Common Vulnerability Scoring System — scores vulnerability severity 0–10 |
| Botnet | Network of infected computers controlled remotely by an attacker |
| Dark Web | Hidden internet accessed via Tor browser; used for illegal activity |
| Deepfake | AI-generated fake video/audio used for fraud or misinformation |
| Steganography | Hiding secret data inside ordinary files (images, audio) |
| Sandbox | Isolated environment to safely run and test suspicious code |
| Red Team | Offensive security team — simulates real attacker behavior |
| Blue Team | Defensive security team — protects against attacks |
| OSINT | Open Source Intelligence — gathering info from public sources |
| DMZ | Demilitarized Zone — buffer network between internet and internal systems |
| Firewall DMZ | Area where public-facing servers (web, mail) are placed, isolated from internal network |
11. Important Ports, Standards & Emerging Trends
🔌 Important Port Numbers (Frequently Asked)
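| Port | Protocol | Note |
|---|---|---|
| 80 | HTTP | TCP |
| 443 | HTTPS ⭐ | Secure |
| 22 | SSH ⭐ | Encrypted |
| 21 | FTP | Insecure |
| 23 | Telnet | Insecure |
| 25 | SMTP (Email) | TCP |
| 53 | DNS | UDP/TCP |
| 110 | POP3 | Email |
| 3389 | RDP | Remote |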
📐 Key Frameworks & Standards
| Standard | What It Covers |
|---|---|
| ISO/IEC 27001 | International standard for Information Security Management Systems (ISMS) |
| NIST Framework | 5 steps: Identify → Protect → Detect → Respond → Recover |
| PCI DSS | Payment Card Industry Data Security Standard — for card payment security |
| GDPR | EU’s General Data Protection Regulation — strongest data privacy law globally |
🚀 Emerging Trends (High Exam Probability)
🤖 AI in Cybersecurity
- AI used to create smarter malware & phishing
- AI also used for threat detection & anomaly identification
- Deepfakes powered by AI for fraud
🔒 Ransomware-as-a-Service
- Cybercriminals rent ransomware tools to others
- WannaCry (2017) infected 150+ countries
- Regular backups = best defense
🔗 Supply Chain Attacks
- Target software vendors to attack their clients
- SolarWinds attack (2020) is the famous example
- Affects thousands of organizations at once
🛡️ Zero Trust Security
- “Never trust, always verify”
- No implicit trust even inside the network
- Verify every user, device, request
12. Quick Revision Cheat Sheet
| Topic | Key Point |
|---|---|
| CIA Triad | Confidentiality · Integrity · Availability |
| Main Cyber Law | IT Act, 2000 |
| Cyber Terrorism | IT Act Sec 66F → Life Imprisonment |
| Website Blocking | IT Act Sec 69A |
| CERT-In | Section 70B — National Nodal Agency (under MeitY) |
| Data Privacy Law | DPDPA, 2023 |
| Cybercrime Helpline | 📞 1930 |
| Report Cybercrime | 🌐 cybercrime.gov.in |
| NCIIPC | Protects critical infrastructure (under NTRO) |
| I4C | Cybercrime coordination (under MHA) |
| DSCI Founded by | NASSCOM |
| NCSP First Policy | National Cyber Security Policy — 2013 |
| Symmetric Encryption | AES — same key, fast |
| Asymmetric Encryption | RSA — public + private keys |
| HTTPS Port | 443 ⭐ (HTTP = 80) |
| SSH Port | 22 (Telnet = 23, insecure) |
| Zero-Day | No patch exists yet — most dangerous |
| WannaCry (2017) | Famous ransomware — 150+ countries |
| SolarWinds (2020) | Famous supply chain attack |
| Sec 66A Struck Down | Shreya Singhal case — Supreme Court 2015 |
| Phishing via SMS | Smishing |
| Phishing via Voice | Vishing |
| Phishing targeting CEO | Whaling |
| Zero Trust Principle | “Never trust, always verify” |
| NIST Framework | Identify → Protect → Detect → Respond → Recover |
| ISO/IEC 27001 | Global info security management standard |
| MD5 | Weak / Deprecated hash — avoid for security |
| IDS vs IPS | IDS = Detect only; IPS = Detect + Block |
| White Hat Hacker | Ethical hacker — legal |
| MFA | Multi-Factor Authentication (most secure login) |
Practice MCQs — With Answers & Explanations
62 questions organized by topic. Green options = correct answer. Read explanations to understand why — not just what.
🎯 Section A — CIA Triad & Basic Concepts
1. What does “CIA” in the CIA Triad stand for?
✅ Answer: B The CIA Triad is the foundation of cybersecurity. Confidentiality = restrict access | Integrity = ensure accuracy | Availability = ensure access when needed.
2. A DDoS attack that shuts down a website violates which CIA Triad principle?
✅ Answer: C DDoS (Distributed Denial of Service) makes the website unavailable to legitimate users, directly violating the Availability principle.
3. Which CIA Triad principle is violated when a hacker tampers with financial records?
✅ Answer: B Integrity ensures data is accurate and unmodified. Tampering with records violates integrity. Digital signatures and hashing protect integrity.
🦠 Section B — Malware & Attack Types
4. Which malware encrypts user files and demands payment to restore access?
✅ Answer: C Ransomware encrypts victim’s data and demands ransom (usually in cryptocurrency). WannaCry (2017) is the most famous example, affecting 150+ countries.
5. Which malware spreads across networks automatically WITHOUT any user action?
✅ Answer: B Worms self-replicate and spread automatically. Unlike viruses, they do NOT need to attach to a host file or require user action.
6. The WannaCry cyberattack (2017) is an example of:
✅ Answer: C WannaCry was a global ransomware attack that exploited a Windows vulnerability (EternalBlue) and infected 200,000+ computers in 150 countries.
7. Which attack involves an attacker secretly intercepting communication between two parties?
✅ Answer: C In MITM attacks, the attacker inserts themselves between two communicating parties and can eavesdrop or alter messages without their knowledge.
8. What is a Zero-Day vulnerability?
✅ Answer: C Zero-Day means the vendor has “zero days” to fix it — they may not even know it exists. These are extremely dangerous as no defense is available yet.
9. A DDoS attack uses which of the following to flood a target with traffic?
✅ Answer: B DDoS = Distributed Denial of Service. It uses a botnet (network of compromised computers) to overwhelm a target from multiple sources simultaneously.
10. Which attack injects malicious code into a website’s database through input fields?
✅ Answer: C SQL Injection manipulates database queries through unsanitized user inputs in web forms. Parameterized queries / prepared statements prevent this attack.
🎣 Section C — Phishing & Social Engineering
11. What is Phishing?
✅ Answer: B Phishing uses deceptive emails that mimic legitimate organizations (banks, government) to steal login credentials or financial information.
12. Phishing targeted specifically at CEO or CFO of an organization is called:
✅ Answer: B Whaling targets the “big fish” — senior executives (CEO, CFO, Director). The term comes from targeting the largest targets, just like whale hunting.
13. Which of the following is NOT a type of phishing?
✅ Answer: D Shimming is a payment card fraud technique (tampers with chip cards) — it is NOT a phishing variant. The others are all phishing types.
14. Phishing carried out via fake SMS messages is called:
✅ Answer: B Smishing = SMS + Phishing. Attackers send fake text messages claiming to be from banks, TRAI, or government to steal information.
15. An attacker leaves infected USB drives in a company’s parking lot. This social engineering technique is called:
✅ Answer: C Baiting exploits human curiosity. Infected USB drives are left in visible places hoping employees will plug them in, installing malware automatically.
⚖️ Section D — Indian Cybersecurity Laws
16. Which Indian law primarily deals with cybercrime and electronic governance?
✅ Answer: A The Information Technology Act, 2000 is the primary legislation governing cybercrime, electronic commerce, and digital signatures in India.
17. Which section of the IT Act deals with Cyber Terrorism?
✅ Answer: C Section 66F covers Cyber Terrorism with punishment up to Life Imprisonment. It is one of the most serious provisions in the IT Act.
18. Which section of the IT Act empowers the government to block websites?
✅ Answer: D Section 69A empowers the government to block online content/websites in the interest of national security, public order, or decency.
19. Section 70B of the IT Act designates which organization as the National Nodal Agency?
✅ Answer: C CERT-In (Computer Emergency Response Team – India) is designated as the National Nodal Agency under Section 70B of the IT Act, 2000.
20. Which IT Act section was struck down by the Supreme Court in 2015 for violating freedom of speech?
✅ Answer: B In the landmark Shreya Singhal vs Union of India (2015) case, the Supreme Court struck down Section 66A (offensive online messages) as unconstitutional for violating Article 19(1)(a).
21. India’s dedicated data privacy legislation enacted in 2023 is:
✅ Answer: C The DPDPA 2023 is India’s comprehensive data protection legislation governing how personal data is collected, stored, and processed, with penalties up to ₹250 crore.
22. Which IT Act section covers Online Cheating / Phishing?
✅ Answer: C Section 66D covers cheating by impersonation using computer resources — directly applicable to phishing and online fraud.
🇮🇳 Section E — Indian Organizations & Initiatives
23. What is CERT-In?
✅ Answer: B CERT-In handles cyber incident response, issues security advisories, and coordinates India’s national cybersecurity. It functions under MeitY.
24. What is the national cybercrime helpline number in India?
✅ Answer: B 1930 is the dedicated national cybercrime helpline. Victims can report incidents at cybercrime.gov.in. This is frequently asked in banking and government exams.
25. NCIIPC is responsible for:
✅ Answer: C NCIIPC (National Critical Information Infrastructure Protection Centre), under NTRO, protects India’s critical sectors — power grids, financial systems, telecommunications, and transport.
26. I4C stands for:
✅ Answer: B I4C (Indian Cyber Crime Coordination Centre) was established by the Ministry of Home Affairs to coordinate India’s fight against cybercrime.
27. CERT-In operates under which ministry?
✅ Answer: C CERT-In is under MeitY. In contrast, I4C is under MHA (Ministry of Home Affairs).
28. India’s first National Cyber Security Policy was launched in:
✅ Answer: C India’s first National Cyber Security Policy (NCSP) was launched in 2013, focusing on creating a safe, secure, and resilient cyberspace for India.
29. DSCI (Data Security Council of India) was set up by:
✅ Answer: C DSCI is an industry body set up by NASSCOM (India’s IT industry association) to promote data protection and cybersecurity practices.
🔐 Section F — Encryption & Network Security
30. Which of the following is a Symmetric Encryption algorithm?
✅ Answer: C AES (Advanced Encryption Standard) is symmetric — the same key is used for both encryption and decryption. RSA and ECC are asymmetric algorithms.
31. HTTPS uses which default port number?
✅ Answer: D HTTPS (HTTP over TLS/SSL) uses Port 443. Plain HTTP uses Port 80. This is one of the most frequently asked port numbers in exams.
32. Which hashing algorithm is considered weak and deprecated for security use?
✅ Answer: C MD5 is cryptographically broken — two different inputs can produce the same hash (collision). It should not be used for security purposes today.
33. Which protocol provides secure, encrypted remote access to servers?
✅ Answer: C SSH (Secure Shell) on Port 22 provides encrypted remote access. Telnet (Port 23) is insecure as it transmits data in plain text.
34. What is the primary purpose of a Digital Signature?
✅ Answer: B A Digital Signature uses asymmetric cryptography to verify that a document was sent by a specific party and has not been altered in transit.
🛡️ Section G — Defense Measures & Security Tools
35. What is the primary function of a Firewall?
✅ Answer: B A firewall examines incoming and outgoing network packets and blocks or allows them based on predefined security rules.
36. What is the key difference between IDS and IPS?
✅ Answer: C IDS = Intrusion Detection System (alerts only). IPS = Intrusion Prevention System (detects + blocks in real-time).
37. A Honeypot in cybersecurity is:
✅ Answer: B Honeypots are intentionally vulnerable fake systems. When attackers interact with them, security teams gather intelligence about attack methods and techniques.
38. MFA (Multi-Factor Authentication) uses:
✅ Answer: C MFA combines: Something you KNOW (password) + Something you HAVE (OTP/token) + Something you ARE (biometric). Any two or more from different categories.
39. The principle of Least Privilege means:
✅ Answer: B Least Privilege limits damage if an account is compromised by ensuring users can only access what they absolutely need for their specific role.
40. RBAC stands for:
✅ Answer: B RBAC assigns access permissions based on a user’s role. Example: A bank teller has different system access than a branch manager or IT administrator.
41. VPN primarily provides:
✅ Answer: B VPN (Virtual Private Network) creates an encrypted connection over the internet, masking user’s IP address and protecting data from interception.
📐 Section H — Frameworks & Standards
42. Which global framework is the international standard for Information Security Management?
✅ Answer: C ISO/IEC 27001 is the globally recognized standard for establishing and maintaining an Information Security Management System (ISMS).
43. The NIST Cybersecurity Framework’s five core functions are:
✅ Answer: B NIST CSF: Identify (assets/risks) → Protect (safeguards) → Detect (anomalies) → Respond (incidents) → Recover (restore services).
44. PCI DSS applies to organizations that:
✅ Answer: C PCI DSS (Payment Card Industry Data Security Standard) sets mandatory security requirements for all organizations that handle credit/debit card transactions.
🚀 Section I — Emerging Trends & Advanced Topics
45. The SolarWinds cyberattack (2020) is a famous example of:
✅ Answer: C In the SolarWinds attack, hackers compromised a legitimate software update to reach thousands of government and corporate clients — a textbook supply chain attack.
46. Zero Trust Security is based on which principle?
✅ Answer: C Zero Trust assumes no user or device is inherently trustworthy — even inside the network. Every access request must be verified regardless of location.
47. Ransomware-as-a-Service (RaaS) means:
✅ Answer: C RaaS is a criminal business model where ransomware developers lease their tools to affiliates who carry out attacks and share ransom profits.
48. Which technology may potentially break current encryption standards like RSA in the future?
✅ Answer: C Quantum computers could use algorithms like Shor’s algorithm to crack RSA encryption. This is why Post-Quantum Cryptography (PQC) is being developed as a defense.
49. Deepfake technology is primarily a threat because:
✅ Answer: C Deepfakes use AI to create highly convincing fake videos/audio of real people, enabling fraud, blackmail, and spreading of false information.
🔍 Section J — Important Definitions & Miscellaneous
50. What is Digital Forensics?
✅ Answer: B Digital forensics recovers and analyzes data from digital devices to investigate crimes and preserve evidence in a legally admissible manner (chain of custody).
51. CVE stands for:
✅ Answer: C CVE is a public database of known cybersecurity vulnerabilities. Each gets a unique ID (e.g., CVE-2021-44228 for Log4Shell). CVSS scores their severity from 0–10.
52. The Dark Web is accessed using:
✅ Answer: B The Dark Web requires Tor (The Onion Router) browser, which routes traffic through multiple encrypted relays to anonymize users.
53. An APT (Advanced Persistent Threat) is characterized by:
✅ Answer: B APTs are sophisticated, stealthy, long-duration attacks targeting specific high-value organizations for espionage or data theft, often backed by governments.
54. Steganography is:
✅ Answer: B Steganography conceals the existence of a secret message by embedding it inside another file. Unlike encryption (hides content), steganography hides the fact that a message exists.
55. Shoulder Surfing is:
✅ Answer: B Shoulder surfing is a physical social engineering technique where attackers observe victims entering PINs at ATMs, typing passwords, or viewing sensitive screens.
56. SIEM is used to:
✅ Answer: C SIEM (Security Information and Event Management) aggregates logs from servers, firewalls, and applications, providing real-time threat detection and compliance reporting.
57. Which of the following is the best practice for storing user passwords?
✅ Answer: D Salted hashing adds random data before hashing, preventing rainbow table attacks. bcrypt and Argon2 are designed to be slow, making brute-force attacks computationally expensive.
58. Patch Management refers to:
✅ Answer: B Patch management is the systematic process of identifying, testing, and applying software patches (updates) to fix known vulnerabilities before attackers can exploit them.
59. Which of the following best describes Social Engineering?
✅ Answer: B Social Engineering exploits human psychology rather than technical vulnerabilities. Phishing, pretexting, baiting, and tailgating are all social engineering techniques.
60. Which of the following is an example of Biometric Authentication?
✅ Answer: C Biometrics use physical characteristics — fingerprint, face, iris, voice — falling in the “something you are” authentication category. It is the strongest form of single-factor authentication.
61. Which cloud security model states that security is a shared responsibility between the cloud provider and the customer?
✅ Answer: C The Shared Responsibility Model means cloud providers secure the infrastructure (hardware, network) while customers are responsible for their data, applications, and access management.
62. The WannaCry ransomware attack occurred in which year?
✅ Answer: C WannaCry struck in May 2017, exploiting a Windows vulnerability (EternalBlue) and affecting 200,000+ computers in 150+ countries, including hospitals, banks, and telecom companies.
