Information Security Interview Questions
[For overall InfoSec career advice, be sure to check out my new article titled: How to Build a Successful Information Security Career]

What follows is a list of questions for use in vetting candidates for positions in Information Security. Many of the questions are designed to get the candidate to think, and to articulate that thought process in a scenario where preparation was not possible. Observing these types of responses is often as important as the actual answers.

I've mixed technical questions with those that are more theory and opinion based, and they are also mixed in terms of difficulty. They are also generally separated into categories, and a number of trick questions are included. The goal of such questions is to expose glaring technical weakness that will manifest later in the workplace, not to be cute. I also include with each question a few words on expected/common responses.

Before You Start

It's been shown fairly conclusively, by Google and others, that fancy technical questions (especially those of the "how many jelly beans fit in a car" type) do not predict employee success.

Read that part again.

They don't predict success. Google showed this by going back over years of interview data and mapping it to how those employees ended up doing on the job. The result? People who aced those types of questions didn't do any better than those who did poorly on them.

In sum, these types of pet questions tend to make interviewers feel smart, and little else. I rely on the data more than my anecdotes, but as someone who's given many, many technical interviews, I can tell you that this is consistent with my experience.

We have people who are absolute rock stars that effectively failed at these questions, and we have people who crushed them and floundered on the job. The lesson here is not to avoid any sort of especially technical questions: it's that you need to be cautious of the tendency to fetishize certain questions or certain types of questions. It will only hurt you.

Now, on to the questions.
General

Are open source projects more or less secure than proprietary ones?

The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they're talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the "many eyes" regurgitation then I'll know he's read Slashdot and not much else. And if I just get the "people in China can put anything in the kernel" routine then I'll know he's not so good at looking at the complete picture.

The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly, quality control. In short, there's no way to tell the quality of a project simply by knowing that it's either open source or proprietary. There are many examples of horribly insecure applications that came from both camps.

How do you change your DNS settings in Linux/Windows?

Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world, then you're likely working with someone very junior or otherwise highly abstracted from the real world.

What's the difference between encoding, encryption, and hashing?

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn't primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.

What's more secure, SSL or HTTPS?

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they're confused, then this should be for an extremely junior position.

Can you describe rainbow tables?

Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.

What is salting, and why is it used?

You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.
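The point behind the rainbow-table and salting questions, as an added example (not from the original article): a precomputed digest-to-password table recovers an unsalted hash instantly, while a random per-user salt makes the same table useless and gives two users with the same password different stored values. The table, passwords and salt size are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a tiny precomputed table mapping unsalted SHA-256
# digests back to the passwords that produced them. A rainbow table stores
# the same kind of digest-to-password mapping far more compactly, but the
# lookup it enables, and the reason salting defeats it, are the same.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def hash_unsalted(password: str) -> str:
    """Bare digest: every user with this password stores the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None):
    """Random per-user salt mixed into the digest. The salt is stored beside
    the digest in the clear; it only has to be unique, not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: str) -> bool:
    return hmac.compare_digest(hash_salted(password, salt)[1], digest)


def lookup(digest: str) -> Optional[str]:
    """What a precomputed table hands whoever obtains a leaked digest."""
    return PRECOMPUTED.get(digest)


def demo(password: str = "letmein") -> dict:
    unsalted = hash_unsalted(password)
    salt, salted = hash_salted(password)
    return {
        "unsalted_recovered": lookup(unsalted),   # table hit
        "salted_recovered": lookup(salted),       # None: table is useless
        "salted_verifies": verify_salted(password, salt, salted),
        # two users with the same password get different stored digests
        "same_digest_for_same_password": hash_salted(password)[1] == salted,
    }
```

SHA-256 stands in here for brevity; a real password store combines the salt with a deliberately slow KDF such as PBKDF2, bcrypt, scrypt or Argon2 so that even a targeted guess costs real time.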
Who do you look up to within the field of Information Security? Why?

A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, we'll consider closely what position you're hiring them for. Hopefully it isn't a junior position.

Where do you get your security news from?

Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that he doesn't respond with, "I go to the CNET website.", or, "I wait until someone tells me about events." It's these types of answers that will tell you he's likely not on top of things.

If you had to both encrypt and compress data during transmission, which would you do first, and why?

If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: compress, then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.
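The compress-then-encrypt argument made measurable, as an added example that is not part of the original article: the same repetitive payload is run through both orders and the resulting sizes compared. A one-time pad stands in for the cipher (its random-looking output is the only property that matters here), and the sample transcript is constructed.

```python
import os
import zlib

# Constructed sample: a highly repetitive protocol transcript, the kind of
# payload where compression pays off.
SAMPLE = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n" * 50).encode()


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher: a one-time pad with a random key as long
    as the data. Its output is indistinguishable from random bytes, which is
    the property that matters here; a real AEAD cipher behaves the same way.
    XOR is its own inverse, so this both encrypts and decrypts."""
    if len(key) < len(data):
        raise ValueError("key must cover the whole message")
    return bytes(d ^ k for d, k in zip(data, key))


def compress_then_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """The right order: redundancy is removed first, then hidden."""
    return xor_stream(zlib.compress(plaintext, 9), key)


def decrypt_then_decompress(blob: bytes, key: bytes) -> bytes:
    return zlib.decompress(xor_stream(blob, key))


def encrypt_then_compress(plaintext: bytes, key: bytes) -> bytes:
    """The wrong order: zlib is handed random-looking bytes, finds nothing to
    exploit and falls back to stored blocks, so the output is never smaller
    than the input."""
    return zlib.compress(xor_stream(plaintext, key), 9)


def sizes(plaintext: bytes = SAMPLE) -> dict:
    key = os.urandom(len(plaintext))
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(plaintext, key)),
        "encrypt_then_compress": len(encrypt_then_compress(plaintext, key)),
    }


def roundtrip_ok(plaintext: bytes = SAMPLE) -> bool:
    key = os.urandom(len(plaintext))
    return decrypt_then_decompress(compress_then_encrypt(plaintext, key), key) == plaintext
```

One caveat worth raising with a strong candidate: compressing first makes the ciphertext length depend on the plaintext, which the CRIME and BREACH attacks on TLS exploited when attacker-influenced data shared a compression context with secrets; that is why TLS-level compression is disabled today.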
What's the difference between symmetric and public-key cryptography?

Standard stuff here: single key vs. two keys, etc, etc.

In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?

You encrypt with the other person's public key, and you sign with your own private key. If they confuse the two, don't put them in charge of your PKI project.

What kind of network do you have at home?

Good answers here are anything that shows you he's a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he's got multiple systems running multiple operating systems you're probably in good shape. What you don't want to hear is, "I get enough computers when I'm at work." I've yet to meet a serious security guy who doesn't have a considerable home network, or at least access to one, even if it's not at home.

What are the advantages offered by bug bounty programs over normal testing practices?

You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.

What are your first three steps when securing a Linux server?

Their list isn't key here (unless it's bad); the key is that they don't panic.

What are your first three steps when securing a Windows server?

Their list isn't key here (unless it's bad); the key is that they don't panic.

Who's more dangerous to an organization, insiders or outsiders?

Ideally you'll hear inquiry into what's meant by "dangerous". Does that mean more likely to attack you, or more dangerous when they do?

Why is DNS monitoring important?

If they're familiar with infosec shops of any size, they'll know that DNS requests are a treasure when it comes to malware indicators.

Network Security

What port does ping work over?

A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn't work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.

Do you prefer filtered ports or closed ports on your firewall?

Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. There can be many signs of maturity or immaturity in this answer.

How exactly does traceroute/tracert work at the protocol level?

This is a fairly technical question but it's an important concept to understand. It's not natively a security question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.

The key point people usually miss is that each packet that's sent out doesn't go to a different place. Many people think that it first sends a packet to the first hop and gets a time, then sends a packet to the second hop and gets a time, and keeps going until it gets done. That's incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that's used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
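A simulation of the mechanism just described, as an added example (not from the original article): every probe is addressed to the final destination and only the TTL grows, each router that decrements it to zero answers with ICMP Time Exceeded, and the destination's reply differs between the UDP (Linux default) and ICMP echo (Windows default) probe types. The path of router addresses is constructed from documentation ranges; real tools send three probes per TTL, one per TTL is used here for clarity.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed path: three routers and then the destination host itself.
PATH = ["192.0.2.1", "198.51.100.7", "203.0.113.9", "203.0.113.50"]


@dataclass
class Probe:
    dst: str   # always the final destination, never an intermediate router
    ttl: int
    kind: str  # "udp" (Linux default) or "icmp-echo" (Windows default)


def forward(path: List[str], probe: Probe) -> Tuple[str, str]:
    """Walk one probe along the path. Every router decrements the TTL; the
    router that takes it to zero discards the packet and answers with ICMP
    Time Exceeded. If the probe survives to the destination, the reply
    depends on the probe type: a UDP probe to an unused high port draws an
    ICMP Port Unreachable, an ICMP echo probe draws an Echo Reply."""
    ttl = probe.ttl
    for router in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return router, "ICMP time exceeded"
    dst = path[-1]
    reply = "ICMP port unreachable" if probe.kind == "udp" else "ICMP echo reply"
    return dst, reply


def traceroute(path: List[str], kind: str = "udp", max_hops: int = 30):
    """Send probes with TTL 1, 2, 3, ... all addressed to path[-1], and stop
    as soon as the destination itself answers. Each entry records the TTL
    used, the address the probe was sent to, who answered, and how."""
    dst = path[-1]
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = Probe(dst=dst, ttl=ttl, kind=kind)
        responder, reply = forward(path, probe)
        hops.append((ttl, probe.dst, responder, reply))
        if responder == dst:
            break
    return hops
```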
What are Linux's strengths and weaknesses vs. Windows?

Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.

Cryptographically speaking, what is the main method of building a shared secret over a public medium?

Diffie-Hellman. And if they get that right you can follow up with the next one.

What's the difference between Diffie-Hellman and RSA?

Diffie-Hellman is a key exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.

What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

Man-in-the-middle, as neither side is authenticated.
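The three Diffie-Hellman questions above worked through in code, as an added example that is not part of the original article: a plain exchange agrees on a key, the same exchange with a substituted public value "succeeds" at both ends without either noticing, and authenticating the public value (which, as the RSA question notes, needs key material that exists beforehand) makes the substitution detectable. The group parameters are a constructed toy, and a MAC under a pre-shared key stands in for a signature.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: a 61-bit Mersenne prime with generator 2 keeps the
# numbers readable. Real deployments use 2048-bit or larger groups (RFC 7919)
# or elliptic curves; the protocol logic is identical.
P = 2**61 - 1
G = 2


def keypair(p: int = P, g: int = G):
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def shared_key(their_pub: int, my_priv: int, p: int = P) -> bytes:
    """Both ends reach the same g^(ab) mod p; hash it down to a key."""
    return hashlib.sha256(pow(their_pub, my_priv, p).to_bytes(16, "big")).digest()


def anonymous_exchange() -> bool:
    """Plain DH over a public channel: Alice and Bob agree on a key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return shared_key(b_pub, a_priv) == shared_key(a_pub, b_priv)


def interposed_exchange() -> dict:
    """Plain DH gives Alice no way to tell that the public value she received
    is Bob's. If an on-path party substitutes its own, both ends still derive
    a key without any error, just not with each other: the man-in-the-middle
    the question is after."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    k_alice = shared_key(m_pub, a_priv)  # Alice believes m_pub came from Bob
    k_bob = shared_key(m_pub, b_priv)    # Bob believes m_pub came from Alice
    return {
        "ends_agree": k_alice == k_bob,                                  # False
        "mitm_shares_with_alice": k_alice == shared_key(a_pub, m_priv),  # True
        "mitm_shares_with_bob": k_bob == shared_key(b_pub, m_priv),      # True
    }


def tag_public(pub: int, psk: bytes) -> bytes:
    """Authenticating the public value needs key material that exists before
    the exchange, the very thing RSA-style signing brings and anonymous DH
    lacks. A MAC under a pre-shared key stands in for a signature here."""
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def accept_public(pub: int, tag: bytes, psk: bytes) -> bool:
    return hmac.compare_digest(tag_public(pub, psk), tag)


def authenticated_exchange_rejects_substitution(psk: bytes = b"constructed-psk") -> bool:
    _, b_pub = keypair()
    _, m_pub = keypair()
    tag = tag_public(b_pub, psk)  # Bob sends (b_pub, tag); Alice checks the tag
    return accept_public(b_pub, tag, psk) and not accept_public(m_pub, tag, psk)
```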
Application Security

Describe the last program or script that you wrote. What problem did it solve?

All we want to see here is if the color drains from the guy's face. If he panics then we not only know he's not a programmer (not necessarily bad), but that he's afraid of programming (bad). I know it's controversial, but I think that any high-level security guy needs some programming skills. They don't need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

How would you implement a secure login field on a high-traffic website where performance is a consideration?

We're looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPS, and how they'd recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they've never seen or heard of this problem, which means they're not likely to be anything near pro level.

What are the various ways to handle account brute forcing?

Look for discussion of account lockouts, IP restrictions, fail2ban, etc.
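The account-lockout and IP-restriction answers combined into one throttle, as an added example that is not from the original article: failures are counted in a sliding window per account and per source IP (the latter is the fail2ban-style control), and either key is locked once it hits its limit. The thresholds and addresses are constructed; the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counters keyed by account and by source IP.
    A key is locked for `lockout` seconds once its failures inside the last
    `window` seconds reach its limit. `clock` is injectable for testing.
    Per-account lockout alone lets anyone lock a victim out on purpose, so
    the IP counter and a modest account threshold are used together."""

    def __init__(self, account_limit=5, ip_limit=20, window=300,
                 lockout=900, clock=time.time):
        self.limits = {"acct": account_limit, "ip": ip_limit}
        self.window, self.lockout, self.clock = window, lockout, clock
        self.failures = defaultdict(deque)  # (kind, value) -> failure times
        self.locked_until = {}              # (kind, value) -> unlock time

    def _prune(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_locked(self, key):
        now = self.clock()
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[key]      # lockout expired: start fresh
        self.failures[key].clear()
        return False

    def allowed(self, account, ip):
        """Call before the password check; a locked key is refused early,
        which also keeps the expensive hash comparison off the hot path."""
        return not (self.is_locked(("acct", account)) or self.is_locked(("ip", ip)))

    def record_failure(self, account, ip):
        now = self.clock()
        for key in (("acct", account), ("ip", ip)):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= self.limits[key[0]]:
                self.locked_until[key] = now + self.lockout

    def record_success(self, account):
        self.failures[("acct", account)].clear()
```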
What is Cross-Site Request Forgery?

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

How does one defend against CSRF?

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.
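The IMG-tag logout example and the nonce defense side by side, as an added example that is not part of the original article: the browser attaches the session cookie to any request for the site, so the handler only accepts the state change when a per-session token that the site itself embedded in its form comes back with it. The in-memory session store and request shapes are constructed stand-ins for a real framework.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store: session id -> user and the CSRF
# token minted for that session. The token is random, tied to the session,
# and reaches the browser only inside pages the site itself renders.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Embedded by the server as a hidden field in its own logout form."""
    return SESSIONS[sid]["csrf"]


def handle_logout(request: dict) -> Tuple[int, str]:
    """request = {"method": ..., "cookies": {...}, "form": {...}}.
    The cookie alone proves nothing about who triggered the request; only
    the token shows it came from a page the site served to this session."""
    sid = request.get("cookies", {}).get("sid")
    if sid not in SESSIONS:
        return 401, "no session"
    if request.get("method") != "POST":
        # An <img src="http://foo.com/logout/"> can only issue a GET, so
        # refusing state changes over GET already stops that exact vector.
        return 405, "state change requires POST"
    supplied = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), SESSIONS[sid]["csrf"].encode()):
        return 403, "missing or invalid csrf token"
    del SESSIONS[sid]
    return 200, "logged out"


def scenarios() -> dict:
    """Constructed requests: the IMG-tag load, a forged auto-submitted form
    without the token, and the genuine form the site rendered."""
    sid = new_session("alice")
    cookies = {"sid": sid}
    forged_img = {"method": "GET", "cookies": cookies}
    forged_form = {"method": "POST", "cookies": cookies, "form": {}}
    genuine = {"method": "POST", "cookies": cookies,
               "form": {"csrf_token": csrf_token_for(sid)}}
    return {
        "img_tag": handle_logout(forged_img)[0],       # 405
        "forged_post": handle_logout(forged_form)[0],  # 403
        "genuine": handle_logout(genuine)[0],          # 200
    }
```

The "not foolproof" part of the answer is real: the token is only as good as its secrecy, so an XSS bug on the same site can read it, and modern deployments add SameSite cookie attributes as a second layer.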
If you were a site administrator looking for incoming CSRF attacks, what would you look for?

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we already implement nonces?", or, "That depends on whether we already have controls in place." Undesired answers are things like checking referrer headers, or wild panic.

What's the difference between HTTP and HTML?

Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you're looking for is for him not to panic.

How does HTTP handle state?

It doesn't, of course. Not natively. Good answers are things like "cookies", but the best answer is that cookies are a hack to make up for the fact that HTTP doesn't do it itself.

What exactly is Cross-Site Scripting?

You'd be amazed at how many security people don't know even the basics of this immensely important topic. We're looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.

What's the difference between stored and reflected XSS?

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site.

What are the common defenses against XSS?

Input validation/output sanitization, with focus on the latter.
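Why the emphasis falls on output sanitization, as an added example that is not from the original article: the same encoding step at render time neutralises a reflected value from the request and a stored value from a database row alike, and it has to match the context the value lands in (HTML text vs. attribute). The template, the untrusted string and the database row are constructed.

```python
import html

TEMPLATE = "<p>Search results for: {q}</p>"

# Constructed untrusted input: what a reflected value in a query string,
# or a stored one in a database row, might contain.
UNTRUSTED = "<script>alert(1)</script>"


def render_unsafe(q: str) -> str:
    """Echoes the value verbatim, so any markup in it becomes live markup in
    the victim's browser. This is the defect, shown for contrast."""
    return TEMPLATE.format(q=q)


def render_safe(q: str) -> str:
    """Output sanitization: encode for the HTML text context at the moment
    the value is written into the page, regardless of whether it arrived in
    this request (reflected) or came back from the database (stored)."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


def render_comment_safe(db_row: dict) -> str:
    """Stored case: a row saved long ago gets the same treatment at render
    time, so validation that was missed on the way in still cannot hurt."""
    return '<div class="comment">{}</div>'.format(html.escape(db_row["body"], quote=True))


def attribute_safe(value: str) -> str:
    """Attribute context: always quote the attribute and encode quotes, so a
    value cannot close the attribute and add its own."""
    return '<input name="q" value="{}">'.format(html.escape(value, quote=True))


def markup_survives(rendered: str, untrusted: str) -> bool:
    """Crude check: does the raw untrusted string appear unchanged in output?"""
    return untrusted in rendered
```

html.escape covers HTML text and quoted attributes only; a value written into a script block, a URL or a CSS property needs the encoder for that context, which is why template engines that escape by default per context are the practical answer at scale.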
Corporate/Risk

What is the primary reason most companies haven't fixed their vulnerabilities?

This is a bit of a pet question for me, and I look for people to realize that companies don't actually care as much about security as they claim to; otherwise we'd have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.

Look for people who get this, and are ok with the challenge.

What's the goal of information security within an organization?

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. "To control access to information as much as possible, sir!" While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, "To help the organization succeed."

This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.

What's the difference between a threat, vulnerability, and a risk?

As weak as the CISSP is as a security certification, it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.

If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]

We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What's being logged and audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.

As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities?

This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.

Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.

Both are true, of course; the key is to hear what they have to say on the matter.
The Onion Model

The questions above are fairly straightforward. They are, generally, negative filters, i.e. they're designed to exclude candidates for having glaring weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model.

The Onion Model of interviewing starts at the surface level and then dives deeper and deeper, often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate's knowledge stops, but also how they deal with not knowing something.

One component of this cannot be overstated: using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question.

An example of this would be starting with:

How does traceroute work?

They get this right, so you go to the next level.

What protocol does it use?

This is a trick question, as it can use lots of options, depending on the tool. Then you move on.

Describe a Unix traceroute hitting google.com at all seven layers of the OSI model.

Etc. It's deeper and deeper exploration of a single question. Here's a similar option for the end phase of such a question.

If I'm on my laptop, here inside my company, and I have just plugged in my network cable, how many packets must leave my NIC in order to complete a traceroute to twitter.com?

The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee.

This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, "What happens when I go to Google.com?"

How would you build the ultimate botnet?

Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, "I don't make them; I stop them."

Role Playing as an Alternative to the Onion Model

Another option for going to increasing depth is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.

You would tell them, for example, that they've been called in to help a client who's received a call from their ISP stating that one or more computers on their network have been compromised. And it's their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. "I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8?" And you can then say yes or no, etc.

From there they continue troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.

Innovation Questions

At the top tier of technical security roles you may want someone who is capable of designing as well as understanding. In these cases you can also ask questions about design flaws, how they would improve a given protocol, etc.

These questions separate good technical people from top technical people, and I imagine less than 1% of those in infosec would even attempt to answer any of these.

Here are a few examples:

What are the primary design flaws in HTTP, and how would you improve it?

If you could redesign TCP, what would you fix?

What is the one feature you would add to DNS to improve it the most?

What is likely to be the primary protocol used for the Internet of Things in 10 years?

If you had to get rid of a layer of the OSI model, which would it be?

[NOTE: You can ask infinite variations of these, of course. Asking for three options instead of one, or asking them to rank the results, etc.]

It's important to note with these questions that you could have a superstar analyst who knows nothing about these matters, while someone who is at this level would make a poor forensic expert. It's all about matching skills to roles.

Conclusion

For more on hiring overall, I recommend doing a good amount of research. Most important to learn, as I talked about above, is the limitations of interviews. Use other data available to you whenever possible, and above everything else: be extremely cautious of anyone who thinks they can "spot the one" because they're good at it.

Bias is a major problem in interviewing, and it's likely that someone with a steadfast belief in his or her interview brilliance is doing harm to your organization by introducing bad candidates. When possible, do what Google did: explore the data. Look at how candidates did in interviews relative to how they did on the job. Wherever you have mismatches you have a problem with your process.

Feel free to contact me if you have any comments on the questions, or if you have any ideas for additions.

[Updated: June 2014]

Notes

1. Here is an article about Google revealing the ineffectiveness of their brainteaser questions.

2. As a hiring organization, be cautious of any interviewer that has an ego or attitude. The odds of you getting any good data from them are low. The name of the game is reducing bias, and that type has a lot of it.

3. Always try to combine any interview with a work sample, and/or great reference data.

4. I have had these questions asked to me on numerous interviews. It's quite humorous when they find out they're reading from my website.