Cybersecurity Quiz โ 40 Questions
In a world where cybercrime damages are projected to reach $10.5 trillion annually by 2025, how cyber-safe are you? These 40 questions cover threats, defence, privacy, and safe digital habits that everyone โ not just IT professionals โ needs to know.
๐ What's Inside
Why Cybersecurity Awareness Matters
India reported over 13.9 lakh cybersecurity incidents in 2022 alone, according to CERT-In. From UPI fraud and phishing emails to ransomware attacks on hospitals and government systems, no one is immune. Yet most people use weak passwords, click suspicious links, and share personal information freely on social media.
Cybersecurity is not just an IT department's job โ it is everyone's responsibility. The weakest link in any security system is the human element. This quiz tests your knowledge of the threats, tools, and habits that keep you safe in the digital world.
Round 1: Threats & Attacks
Understanding the threats is the first step to defending against them. This round covers the most common and dangerous cyber attacks โ from phishing and ransomware to zero-day exploits and supply chain compromises.
Q1. What is phishing?
โ Answer: A cyber attack that uses fraudulent emails, messages, or websites to trick people into revealing sensitive information
Phishing is the #1 cyber attack vector, responsible for over 80% of breaches. Attackers impersonate trusted entities (banks, tech companies, government agencies) to steal credentials, credit card numbers, or personal data. In India, UPI fraud and bank phishing via SMS ("Your KYC is expiring, click here") are extremely common. Always verify URLs and never click suspicious links.
Q2. What is malware?
โ Answer: Malicious software designed to damage, disrupt, or gain unauthorised access to computer systems
Malware is an umbrella term that includes viruses (self-replicating code), worms (spread across networks), trojans (disguised as legitimate software), ransomware (encrypts files for ransom), spyware (secretly monitors activity), and adware (unwanted advertisements). Global malware attacks exceeded 5.5 billion in 2022. Antivirus software, regular updates, and cautious downloading habits are key defences.
Q3. What is ransomware?
โ Answer: A type of malware that encrypts a victim's files and demands payment (ransom) for the decryption key
Ransomware attacks have become a multi-billion dollar criminal enterprise. The WannaCry attack (2017) infected 230,000+ computers across 150 countries. The Colonial Pipeline attack (2021) shut down the largest US fuel pipeline. AIIMS Delhi was hit by ransomware in 2022, disrupting hospital services for weeks. Paying the ransom is discouraged as it funds criminal operations and does not guarantee file recovery.
Q4. What is social engineering?
โ Answer: Psychological manipulation techniques used to trick people into making security mistakes or revealing confidential information
Social engineering exploits human psychology rather than technical vulnerabilities. Techniques include phishing (fake emails), pretexting (creating a false scenario), baiting (leaving infected USB drives), tailgating (following authorised personnel into restricted areas), and quid pro quo (offering something in exchange for information). Kevin Mitnick, once the FBI's most-wanted hacker, said he primarily used social engineering, not technical hacking.
Q5. What is a DDoS attack?
โ Answer: Distributed Denial of Service โ an attack that floods a website or server with massive traffic from multiple sources to make it unavailable
DDoS attacks use "botnets" โ networks of compromised computers (sometimes millions) that simultaneously send requests to a target server, overwhelming its capacity. The largest recorded DDoS attack peaked at 3.47 Tbps (2022). DDoS attacks are used for extortion, competitive sabotage, and political activism. Cloudflare and Akamai provide DDoS protection services.
Q6. What is a zero-day vulnerability?
โ Answer: A software security flaw that is unknown to the vendor and has no available patch โ attackers can exploit it before it is fixed
"Zero-day" means the vendor has had zero days to fix the vulnerability. These are extremely valuable โ governments and hacking groups pay millions for zero-day exploits. The Stuxnet worm (discovered 2010) used four zero-day exploits to sabotage Iran's nuclear centrifuges, in what is considered the first known cyber weapon. Bug bounty programs incentivise researchers to report zero-days responsibly.
Q7. What is a supply chain attack?
โ Answer: A cyber attack that targets less-secure elements in a supply chain to compromise a larger, more secure organisation
Instead of attacking a well-defended target directly, hackers compromise a trusted vendor, software library, or update mechanism. The SolarWinds attack (2020) inserted malware into a routine software update, compromising 18,000+ organisations including US government agencies. The Log4j vulnerability (2021) affected millions of systems because the open-source library was embedded in countless products.
Q8. What is the difference between a virus and a worm?
โ Answer: A virus needs a host file/program to spread and requires human action; a worm self-replicates and spreads automatically across networks
Viruses attach to files (documents, executables) and spread when users share or open infected files. Worms exploit network vulnerabilities to spread autonomously without any human interaction. The ILOVEYOU virus (2000) spread via email attachments, infecting 50 million computers. The Conficker worm (2008) exploited a Windows vulnerability and infected 15 million computers automatically.
Round 2: Defence & Protection
Good cybersecurity is about building layers of defence. This round tests your knowledge of the tools, techniques, and best practices that protect your data, accounts, and networks from attack.
Q1. What is two-factor authentication (2FA)?
โ Answer: A security method requiring two different forms of verification to access an account
The two factors are typically: something you know (password) + something you have (phone OTP, authenticator app) or something you are (fingerprint, face scan). Microsoft reports that 2FA blocks 99.9% of automated attacks. Google Authenticator and Authy are popular authenticator apps. SMS-based OTPs are less secure than authenticator apps because SIM-swapping attacks can intercept SMS.
Q2. What is a VPN (Virtual Private Network)?
โ Answer: A service that encrypts your internet connection and routes it through a server in another location, hiding your IP address and online activity
VPNs protect privacy on public Wi-Fi, bypass geo-restrictions, and prevent ISPs from tracking browsing history. When you use a VPN, your data is encrypted before leaving your device, making it unreadable to anyone intercepting it. Popular VPN services include NordVPN, ExpressVPN, and ProtonVPN. Free VPNs often sell user data โ paid options are more trustworthy.
Q3. What is encryption?
โ Answer: The process of converting data into a coded format (ciphertext) that can only be read by someone with the correct decryption key
Encryption is the backbone of digital security. HTTPS (the padlock icon in your browser) uses TLS encryption to protect web traffic. WhatsApp uses end-to-end encryption (E2EE), meaning only sender and receiver can read messages โ not even WhatsApp can access them. AES-256 is the gold standard encryption algorithm, used by governments and military worldwide.
Q4. What is a firewall?
โ Answer: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules
Firewalls act as a barrier between trusted internal networks and untrusted external networks (like the internet). They can be hardware (physical devices) or software (programs on your computer). Windows Firewall and macOS Firewall are built-in software firewalls. Enterprise firewalls from companies like Palo Alto Networks and Fortinet protect corporate networks from millions of daily threats.
Q5. What is a strong password?
โ Answer: A password that is at least 12 characters long with a mix of uppercase, lowercase, numbers, and special characters, unique to each account
The most commonly used passwords (123456, password, qwerty) can be cracked in under 1 second. A 12-character password with mixed characters takes approximately 34,000 years to brute-force. Password best practices: use a unique password for every account, enable 2FA, use a password manager (Bitwarden, 1Password), and never share passwords via text or email.
Q6. What is multi-factor authentication (MFA)?
โ Answer: A security system that requires two or more independent verification methods: something you know, something you have, and/or something you are
MFA extends beyond 2FA by potentially requiring three or more factors. The three categories: Knowledge (password, PIN), Possession (phone, security key, smart card), and Inherence (fingerprint, face scan, voice recognition). Physical security keys (like YubiKey) are the strongest form of MFA โ they are resistant to phishing because they verify the website's identity before authenticating.
Q7. What is a security patch?
โ Answer: A software update released to fix a vulnerability or security flaw in an operating system, application, or firmware
Security patches are critical because they fix known vulnerabilities that hackers actively exploit. The WannaCry ransomware (2017) exploited a Windows vulnerability that Microsoft had patched two months earlier โ organisations that had not updated were devastated. Best practice: enable automatic updates on all devices, apply patches within 48 hours of release, and never use end-of-life software (like Windows 7).
Q8. What is cyber hygiene?
โ Answer: A set of practices and habits that help maintain the security and health of your digital systems and data
Good cyber hygiene includes: using strong, unique passwords with a password manager; enabling 2FA on all accounts; keeping software updated; backing up data regularly; being cautious with email links and attachments; using HTTPS websites; not oversharing personal information on social media; and reviewing app permissions on your phone. Think of it as "brushing your teeth" for digital security.
Q9. What is the principle of least privilege?
โ Answer: A security concept where users and programs are given only the minimum access rights necessary to perform their tasks
Instead of giving every employee admin access, each person gets only the permissions they need. An accountant does not need access to source code; a developer does not need access to HR records. This limits damage if an account is compromised. The principle applies to software too โ apps should request only necessary permissions (a flashlight app does not need access to your contacts).
Q10. What is a brute force attack?
โ Answer: An attack method that systematically tries every possible combination of characters until the correct password is found
A simple 6-character lowercase password has 308 million possible combinations and can be cracked in seconds. A 12-character mixed password has 95^12 (over 540 sextillion) combinations, making brute force impractical. Defence: use long passwords (12+ characters), enable account lockout after failed attempts, implement CAPTCHA, and use 2FA. Rate limiting and progressive delays also slow down brute force attacks.
Round 3: Privacy & Data Protection
In the digital age, your data is your most valuable asset. This round covers data privacy laws, encryption, digital footprints, and the measures you can take to protect your personal information online.
Q1. What is a data breach?
โ Answer: An incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorised party
Major data breaches include Yahoo (3 billion accounts, 2013), Aadhaar (1.1 billion records exposed, 2018), Facebook (533 million users, 2021), and Domino's India (180 million orders leaked, 2021). Data breaches can expose passwords, credit card numbers, medical records, and personal information. Companies face massive fines โ Meta was fined โฌ1.2 billion under GDPR in 2023.
Q2. What is identity theft?
โ Answer: A crime where someone steals your personal information to commit fraud โ opening accounts, making purchases, or filing taxes in your name
Identity theft affects millions of people globally. In India, Aadhaar-based fraud, SIM swap scams, and stolen PAN/bank details are common forms. Warning signs include unexpected credit card charges, unfamiliar accounts on your credit report, and denied loan applications. Prevention: freeze your credit, monitor accounts regularly, use strong/unique passwords, and shred documents with personal information.
Q3. What is GDPR?
โ Answer: General Data Protection Regulation โ the European Union's comprehensive data privacy law that governs how organisations collect, store, and process personal data
GDPR (effective May 2018) gives EU citizens rights including data access, data deletion ("right to be forgotten"), data portability, and consent requirements. Violations can result in fines up to โฌ20 million or 4% of global annual turnover. India's equivalent is the Digital Personal Data Protection Act 2023 (DPDP Act), which establishes similar protections for Indian citizens.
Q4. What is end-to-end encryption (E2EE)?
โ Answer: A system where only the communicating users can read the messages โ not the service provider, ISP, or any intermediary
In E2EE, messages are encrypted on the sender's device and only decrypted on the recipient's device. Even if intercepted during transmission, the data is unreadable. WhatsApp, Signal, and iMessage use E2EE by default. E2EE is controversial โ law enforcement argues it hinders criminal investigations, while privacy advocates consider it essential for protecting fundamental rights.
Q5. What is social media privacy and why does it matter?
โ Answer: The control over what personal information you share on social media platforms and who can access it
Oversharing on social media enables identity theft, stalking, social engineering attacks, and targeted phishing. Criminals use birthdays, pet names, school names, and vacation posts to guess passwords and security questions. Best practices: set profiles to private, review tagged photos, disable location sharing, audit connected apps regularly, and never share sensitive documents or identification numbers on social media.
Q6. What is a digital footprint?
โ Answer: The trail of data you leave behind when using the internet โ every website visit, search query, social media post, and online purchase
Your digital footprint includes active data (posts, comments, emails you intentionally create) and passive data (cookies, IP addresses, browsing history collected without your knowledge). Employers, universities, and insurers increasingly review digital footprints. To minimise your footprint: use privacy-focused browsers (Brave, Firefox), clear cookies regularly, use VPNs, and periodically Google yourself to see what is publicly visible.
Round 4: Advanced Cybersecurity Concepts
Ready for expert-level questions? This round explores botnets, penetration testing, the CIA triad, honeypots, and the sophisticated techniques used by both attackers and defenders in the cyber arms race.
Q1. What is the dark web?
โ Answer: A part of the internet that is intentionally hidden from standard search engines and requires special software (like Tor) to access
The internet has three layers: Surface Web (indexed by Google, ~5%), Deep Web (behind logins โ email, banking, ~90%), and Dark Web (encrypted, anonymised, ~5%). The dark web hosts both legitimate uses (privacy activists, journalists in oppressive regimes) and illegal activities (drug markets, stolen data sales, hacking services). The Tor browser is the primary access tool.
Q2. What does HTTPS mean?
โ Answer: HyperText Transfer Protocol Secure โ a secure version of HTTP that encrypts data between your browser and the website
HTTPS uses TLS (Transport Layer Security) encryption to protect data in transit. The padlock icon in your browser indicates an HTTPS connection. Without HTTPS, data (including passwords and credit card numbers) travels in plain text and can be intercepted. Google Chrome marks HTTP sites as "Not Secure." As of 2024, over 95% of web traffic uses HTTPS.
Q3. What is a botnet?
โ Answer: A network of compromised computers (bots/zombies) controlled remotely by a cybercriminal (botmaster) to perform coordinated attacks
Botnets can include millions of infected devices โ computers, IoT devices, routers, and even smart TVs. They are used for DDoS attacks, spam campaigns, credential stuffing, and cryptocurrency mining. The Mirai botnet (2016) infected 600,000 IoT devices and took down major websites including Twitter, Netflix, and Reddit. Keeping software updated and using strong passwords on IoT devices helps prevent botnet recruitment.
Q4. What is a man-in-the-middle (MITM) attack?
โ Answer: An attack where a hacker secretly intercepts and potentially alters communication between two parties who believe they are communicating directly
MITM attacks are common on unsecured public Wi-Fi networks. The attacker positions themselves between you and the Wi-Fi router, intercepting everything you send โ login credentials, messages, banking transactions. HTTPS encryption and VPNs protect against MITM attacks. Never access banking or enter passwords on public Wi-Fi without a VPN.
Q5. What is the CIA triad in cybersecurity?
โ Answer: Confidentiality, Integrity, and Availability โ the three fundamental principles of information security
Confidentiality ensures data is accessible only to authorised users (encryption, access controls). Integrity ensures data is accurate and unaltered (checksums, digital signatures). Availability ensures systems and data are accessible when needed (redundancy, backups, DDoS protection). Every cybersecurity measure aims to protect one or more of these three principles.
Q6. What is a penetration test (pen test)?
โ Answer: An authorised simulated cyber attack performed to evaluate the security of a system and identify vulnerabilities before real attackers do
Penetration testers (ethical hackers or "white hats") use the same tools and techniques as malicious hackers, but with permission. Pen tests can target networks, web applications, mobile apps, and even physical security. Companies like HackerOne and Bugcrowd run bug bounty platforms where researchers are paid to find vulnerabilities. India has a thriving ethical hacking community.
Q7. What is IP spoofing?
โ Answer: A technique where attackers disguise their identity by modifying the source IP address in network packets to appear as a trusted source
IP spoofing is used in DDoS attacks (to hide the attacker's real IP), man-in-the-middle attacks, and to bypass IP-based access controls. It is like sending a letter with a fake return address. Network-level defences include ingress filtering, which verifies that incoming packets have legitimate source addresses. IP spoofing alone rarely gives access to data but is a component of more complex attacks.
Q8. What is biometric authentication?
โ Answer: A security method that uses unique biological characteristics โ fingerprints, facial recognition, iris scans, or voice patterns โ to verify identity
Biometrics are the "something you are" factor in authentication. India's Aadhaar system is the world's largest biometric database (1.3 billion fingerprints and iris scans). Advantages: cannot be forgotten or stolen like passwords. Disadvantages: cannot be changed if compromised (you cannot change your fingerprint), and can be spoofed (3D-printed fingerprints, deepfake faces). Best used in combination with other authentication factors.
Q9. What is a honeypot in cybersecurity?
โ Answer: A decoy system or network designed to attract and trap cyber attackers, allowing security teams to study their techniques
Honeypots look like real systems (servers, databases, networks) but are intentionally designed to be vulnerable. When attackers breach a honeypot, security teams can observe their methods, tools, and objectives without risking real systems. Honeypots help organisations understand threat landscapes and improve defences. Honeynets are networks of honeypots that simulate entire enterprise environments.
Round 5: Cyber Safety in Practice
Cybersecurity is not just for experts โ everyone needs to practice safe digital habits. This round covers real-world scams, SIM swapping, biometric security, and where to report cyber crimes in India.
Q1. What is SIM swapping?
โ Answer: A fraud technique where attackers convince a mobile carrier to transfer your phone number to a SIM card they control
Once attackers control your phone number, they can intercept OTPs, reset passwords, and access your bank accounts, email, and social media. SIM swap fraud has caused millions in losses in India. Red flags: sudden loss of mobile signal, unexpected "SIM upgrade" messages. Prevention: use authenticator apps instead of SMS for 2FA, set a SIM lock PIN with your carrier, and never share personal details over phone.
Q2. What is the difference between HTTP and HTTPS?
โ Answer: HTTP transmits data in plain text; HTTPS encrypts data using TLS/SSL for secure communication
HTTP (HyperText Transfer Protocol) was the original web protocol but sends data unencrypted โ anyone on the same network can read it. HTTPS adds TLS (Transport Layer Security) encryption, protecting data in transit. You should NEVER enter passwords, credit card numbers, or personal information on an HTTP site. Google ranks HTTPS sites higher in search results.
Q3. What is keylogging?
โ Answer: Software or hardware that secretly records every keystroke made on a computer, capturing passwords, messages, and other sensitive information
Keyloggers can be software (installed via malware or trojan) or hardware (physical devices attached to keyboards). They capture everything typed โ passwords, credit card numbers, private messages. Prevention: use antivirus software, enable 2FA (even if passwords are captured, attackers cannot bypass 2FA), use virtual keyboards for banking, and regularly scan for malware.
Q4. What is cryptocurrency in the context of cybersecurity?
โ Answer: Digital currencies (like Bitcoin) that use cryptographic encryption for transactions โ also the preferred payment method for ransomware attacks
While cryptocurrencies have legitimate uses, their pseudo-anonymity makes them the preferred payment method for cybercriminals. Ransomware demands are almost always in Bitcoin or Monero. The Colonial Pipeline paid $4.4 million in Bitcoin ransom (the FBI later recovered most of it). Cryptocurrency exchanges are also prime targets โ over $3.8 billion was stolen from crypto platforms in 2022.
Q5. What is the CERT-In?
โ Answer: Indian Computer Emergency Response Team โ the national agency for handling cybersecurity incidents in India
CERT-In operates under the Ministry of Electronics and IT and is responsible for incident response, vulnerability tracking, and issuing cybersecurity advisories. In 2022, CERT-In mandated that organisations report cybersecurity incidents within 6 hours of detection and that VPN providers must maintain user logs for 5 years. CERT-In also publishes regular alerts about new threats and vulnerabilities.
Q6. What is cyber insurance?
โ Answer: Insurance policies that protect businesses and individuals against financial losses from cyber attacks, data breaches, and digital crimes
Cyber insurance typically covers data breach notification costs, forensic investigation, legal fees, business interruption, ransomware payments, and regulatory fines. As cyber attacks increase, cyber insurance has become a rapidly growing market โ projected to reach $20 billion globally by 2025. In India, companies like HDFC ERGO, ICICI Lombard, and Bajaj Allianz offer cyber insurance for businesses and individuals.
Q7. What is the Cyber Crime Helpline in India?
โ Answer: Dial 1930 or report at cybercrime.gov.in โ the National Cyber Crime Reporting Portal
India launched the 1930 helpline specifically for reporting cyber fraud, especially financial crimes like UPI fraud, online banking theft, and credit card scams. The portal (cybercrime.gov.in) allows citizens to report all types of cybercrimes including hacking, identity theft, online harassment, and child exploitation. Quick reporting (within the "golden hour" of the fraud) significantly increases the chance of recovering lost money.
Essential Cyber Safety Checklist
- Use a password manager โ Generate unique, strong passwords for every account. Bitwarden (free) and 1Password are excellent choices.
- Enable 2FA on everything โ Especially email, banking, and social media. Use an authenticator app, not SMS, where possible.
- Update all software immediately โ Enable automatic updates on your phone, computer, and router. Patches fix known vulnerabilities.
- Never click suspicious links โ Hover over links to check the real URL. If in doubt, go directly to the website by typing the address manually.
- Back up your data regularly โ Follow the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite/cloud backup. This protects against ransomware.
Frequently Asked Questions
โ What is the most common type of cyber attack?
โ Phishing is the most common type of cyber attack, accounting for over 80% of reported security incidents. Phishing involves sending fraudulent emails, messages, or websites that impersonate trusted entities to trick victims into revealing passwords, credit card numbers, or personal information.
โ What is two-factor authentication (2FA)?
โ Two-factor authentication adds a second layer of security beyond your password. After entering your password, you must verify your identity through a second method โ typically an OTP sent to your phone, an authenticator app code, or biometric scan. 2FA prevents 99.9% of automated account attacks according to Microsoft.
โ How can I create a strong password?
โ A strong password should be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Avoid common words, birthdays, or sequential numbers. Use a unique password for every account and consider using a password manager like Bitwarden or 1Password to generate and store complex passwords.
Test More Knowledge on QuizOxa
QuizOxa offers hundreds of free questions across Science, History, Football, Geography, and General Knowledge, with real-time timers, streak bonuses, and global leaderboards.
Our editorial team researches, writes, and fact-checks every article and quiz question. We reference established scholarly, scientific, and educational sources to ensure accuracy.