
Information Security Interview Questions

Before You Start
General Questions
Network Security
Application Security
Corporate/Risk
The Onion Model
The Roleplaying Model
Innovation Questions
[For overall InfoSec career advice, be sure to check out my new article titled: How to Build a Successful Information Security Career]

What follows is a list of questions for use in vetting candidates for positions in Information Security. Many of the questions are designed to get the candidate to think, and to articulate that thought process in a scenario where preparation was not possible. Observing these types of responses is often as important as the actual answers.

I've mixed technical questions with those that are more theory and opinion based, and they are also mixed in terms of difficulty. They are also generally separated into categories, and a number of trick questions are included. The goal of such questions is to expose glaring technical weakness that will manifest later in the workplace, not to be cute. I also include with each question a few words on expected/common responses.

Before You Start

It's been shown fairly conclusively, by Google and others, that fancy technical questions, especially those of the "how many jelly beans fit in a car" type, do not predict employee success.

Read that part again.

They don't predict success. Google showed this by going back over years of interview data and mapping it to how those employees ended up doing on the job. The result? People who aced those types of questions didn't do any better than those who did poorly on them.

In sum, these types of pet questions tend to make interviewers feel smart, and little else. I rely on the data more than my anecdotes, but as someone who's given many, many technical interviews, I can tell you that this is consistent with my experience.

We have people who are absolute rockstars that effectively failed at these questions, and we have people who crushed them and floundered on the job. The lesson here is not to avoid any sort of especially technical questions: it's that you need to be cautious of the tendency to fetishize certain questions or certain types of questions. It will only hurt you.

Now, on to the questions.

General

Are open source projects more or less secure than proprietary ones?

The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they're talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the "many eyes" regurgitation then I'll know he's read Slashdot and not much else. And if I just get the "people in China can put anything in the kernel" routine then I'll know he's not so good at looking at the complete picture.

The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly quality control. In short, there's no way to tell the quality of a project simply by knowing that it's either open source or proprietary. There are many examples of horribly insecure applications that came from both camps.

How do you change your DNS settings in Linux/Windows?

Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world, then you're likely working with someone very junior or otherwise highly abstracted from the real world.

What's the difference between encoding, encryption, and hashing?

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn't primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.

What's more secure, SSL or HTTPS?

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they're confused, then this should be for an extremely junior position.

Can you describe rainbow tables?

Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.

What is salting, and why is it used?

You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.
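The encoding/encryption/hashing distinction and the salting question above, worked through in code. This is an added example, not from the original article: Base64 stands in for encoding, a one-time pad (XOR with a random key) for encryption, SHA-256 for hashing, and PBKDF2 with a per-password random salt shows why one precomputed table cannot cover every user.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed sample input used throughout this example.
PASSWORD = b"correct horse battery staple"

def encode(data: bytes) -> bytes:
    # Encoding (Base64): reversible by anyone, because the scheme itself is public.
    return base64.b64encode(data)

def decode(data: bytes) -> bytes:
    return base64.b64decode(data)

def encrypt(data: bytes, key: bytes) -> bytes:
    # Encryption, shown with a one-time pad (XOR against a random key as long
    # as the message) because it needs no third-party library. Reversible
    # only by someone holding the key.
    if len(key) != len(data):
        raise ValueError("one-time pad key must match the message length")
    return bytes(d ^ k for d, k in zip(data, key))

decrypt = encrypt  # XOR is its own inverse

def random_key(length: int) -> bytes:
    return secrets.token_bytes(length)

def digest(data: bytes) -> bytes:
    # Hashing: one-way, fixed-length output regardless of input size.
    return hashlib.sha256(data).digest()

def salted_hash(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Salting: a fresh random salt per password means two users with the same
    # password get different stored hashes, so a single precomputed (rainbow)
    # table cannot cover them all. PBKDF2 also makes each guess deliberately slow.
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)

def verify(password: bytes, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak which bytes matched.
    return secrets.compare_digest(salted_hash(password, salt)[1], expected)

if __name__ == "__main__":
    key = random_key(len(PASSWORD))
    print("encoding reversible without a key:", decode(encode(PASSWORD)) == PASSWORD)
    print("encryption reversible with the key:", decrypt(encrypt(PASSWORD, key), key) == PASSWORD)
    print("hash lengths:", len(digest(PASSWORD)), len(digest(PASSWORD * 100)))
    salt_a, hash_a = salted_hash(PASSWORD)
    salt_b, hash_b = salted_hash(PASSWORD)
    print("same password, different stored hashes:", hash_a != hash_b)
    print("verify:", verify(PASSWORD, salt_a, hash_a))
```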

Who do you look up to within the field of Information Security? Why?

A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, we'll consider closely what position you're hiring them for. Hopefully it isn't a junior position.

Where do you get your security news from?

Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that he doesn't respond with, "I go to the CNET website.", or, "I wait until someone tells me about events.". It's these types of answers that will tell you he's likely not on top of things.

If you had to both encrypt and compress data during transmission, which would you do first, and why?

If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: Compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.
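The compress-then-encrypt reasoning, measured rather than asserted. This is an added example, not from the original article; a one-time pad stands in for a real cipher (its output is as random-looking as any ciphertext, which is the property that matters here), and the sample plaintext is constructed.

```python
import secrets
import zlib

# Constructed sample plaintext: repetitive, like logs or HTML, so it compresses well.
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 200

def otp(data: bytes, key: bytes) -> bytes:
    # One-time pad standing in for a real cipher. XOR is its own inverse,
    # so the same function decrypts.
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))

def compress_then_encrypt(data: bytes, key: bytes) -> bytes:
    packed = zlib.compress(data, 9)
    return otp(packed, key)

def decrypt_then_decompress(blob: bytes, key: bytes) -> bytes:
    return zlib.decompress(otp(blob, key))

def encrypt_then_compress(data: bytes, key: bytes) -> bytes:
    # Wrong order: the ciphertext has no redundancy left for DEFLATE to find.
    return zlib.compress(otp(data, key), 9)

def ratio(output: bytes, original: bytes) -> float:
    # Bytes on the wire per byte of original data.
    return len(output) / len(original)

def compare(data: bytes = PLAINTEXT):
    # Returns (compress-then-encrypt ratio, encrypt-then-compress ratio).
    key = secrets.token_bytes(len(data))
    return (ratio(compress_then_encrypt(data, key), data),
            ratio(encrypt_then_compress(data, key), data))

if __name__ == "__main__":
    good, bad = compare()
    print(f"compress-then-encrypt: {good:.3f} of original size")
    print(f"encrypt-then-compress: {bad:.3f} of original size")
```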

What's the difference between symmetric and public key cryptography?

Standard stuff here: single key vs. two keys, etc, etc.

In public key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?

You encrypt with the other person's public key, and you sign with your own private. If they confuse the two, don't put them in charge of your PKI project.

What kind of network do you have at home?

Good answers here are anything that shows you he's a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he's got multiple systems running multiple operating systems you're probably in good shape. What you don't want to hear is, "I get enough computers when I'm at work." I've yet to meet a serious security guy who doesn't have a considerable home network, or at least access to one, even if it's not at home.

What are the advantages offered by bug bounty programs over normal testing practices?

You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.

What are your first three steps when securing a Linux server?

Their list isn't key here (unless it's bad); the key is to not panic.

What are your first three steps when securing a Windows server?

Their list isn't key here (unless it's bad); the key is to not panic.

Who's more dangerous to an organization, insiders or outsiders?

Ideally you'll hear inquiry into what's meant by dangerous. Does that mean more likely to attack you, or more dangerous when they do?

Why is DNS monitoring important?

If they're familiar with infosec shops of any size, they'll know that DNS requests are a treasure when it comes to malware indicators.

Network Security

What port does ping work over?

A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn't work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.

Do you prefer filtered ports or closed ports on your firewall?

Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. There can be many signs of maturity or immaturity in this answer.

How exactly does traceroute/tracert work at the protocol level?

This is a fairly technical question but it's an important concept to understand. It's not natively a security question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.

The key point people usually miss is that each packet that's sent out doesn't go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That's incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that's used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
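The traceroute mechanism above as a small simulation. This is an added example, not from the original article: a constructed path of router addresses stands in for the network, every probe is addressed to the final destination, and only the TTL changes between rounds. The returned probe list also gives the probe count (three per hop by default), which is one input to the "how many packets leave my NIC" question later in the article; ARP and DNS traffic are not modelled.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed path of router addresses (documentation ranges) ending at the target.
PATH = ["192.0.2.1", "198.51.100.1", "198.51.100.9", "203.0.113.80"]
DESTINATION = PATH[-1]

@dataclass
class Probe:
    dst: str   # always the final destination
    ttl: int   # the only field traceroute varies between rounds

@dataclass
class Reply:
    sender: str
    kind: str  # "time-exceeded" (ICMP type 11) or "destination-reached"

def forward(probe: Probe, path: List[str]) -> Reply:
    # Every router on the path decrements the TTL; the one that takes it to
    # zero discards the probe and sends ICMP Time Exceeded from its own
    # address. Only the final host answers the probe itself (Echo Reply for
    # Windows-style ICMP probes, Port Unreachable for Unix UDP probes).
    ttl = probe.ttl
    for hop in path:
        if hop == probe.dst:
            return Reply(hop, "destination-reached")
        ttl -= 1
        if ttl == 0:
            return Reply(hop, "time-exceeded")
    raise RuntimeError("destination not on path")

def traceroute(dst: str, path: List[str], max_hops: int = 30,
               probes_per_hop: int = 3) -> Tuple[List[str], List[Probe]]:
    # Returns the discovered hop list and every probe that left the NIC.
    hops, sent = [], []
    for ttl in range(1, max_hops + 1):
        round_probes = [Probe(dst, ttl) for _ in range(probes_per_hop)]
        sent.extend(round_probes)
        replies = [forward(p, path) for p in round_probes]
        hops.append(replies[0].sender)
        if replies[0].kind == "destination-reached":
            break
    return hops, sent

if __name__ == "__main__":
    hops, sent = traceroute(DESTINATION, PATH)
    for i, hop in enumerate(hops, 1):
        print(f"{i:2d}  {hop}")
    print(f"{len(sent)} probes sent, all addressed to {DESTINATION}")
```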

What are Linux's strengths and weaknesses vs. Windows?

Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.

Cryptographically speaking, what is the main method of building a shared secret over a public medium?

Diffie-Hellman. And if they get that right you can follow up with the next one.

What's the difference between Diffie-Hellman and RSA?

Diffie-Hellman is a key exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.

What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

Man-in-the-middle, as neither side is authenticated.
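The three Diffie-Hellman questions above in code: a shared secret built from public values alone, and why the unauthenticated form fails. This is an added example, not from the original article; the group parameters are a constructed toy size, not a standardised group.

```python
import secrets

# Toy-sized group, constructed for the example (2**127 - 1 is prime).
# Real deployments use standardised groups of 2048 bits or more.
P = 2**127 - 1
G = 2

def keypair():
    # The private exponent stays local; only G**priv mod P crosses the public medium.
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)

def honest_exchange() -> bool:
    # Alice and Bob each combine their own private value with the other's
    # public value; both arrive at G**(a*b) mod P without prior key material.
    a, pub_a = keypair()
    b, pub_b = keypair()
    return shared(a, pub_b) == shared(b, pub_a)

def unauthenticated_exchange():
    # Neither side can tell whether the public value it received came from
    # its peer, so a party relaying the traffic can substitute its own value
    # in both directions and end up holding a key with each side.
    a, pub_a = keypair()
    b, pub_b = keypair()
    m, pub_m = keypair()
    alice_key = shared(a, pub_m)      # Alice received pub_m, believing it is Bob's
    bob_key = shared(b, pub_m)        # Bob received pub_m, believing it is Alice's
    relay_with_alice = shared(m, pub_a)
    relay_with_bob = shared(m, pub_b)
    return {
        "relay_reads_alice": alice_key == relay_with_alice,
        "relay_reads_bob": bob_key == relay_with_bob,
        "endpoints_agree": alice_key == bob_key,
    }

if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("unauthenticated exchange:", unauthenticated_exchange())
```

The standard fix is to authenticate the public values, for instance by signing them with a long-term key (the signing role the RSA question covers) or by running the exchange inside an already authenticated channel.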

Application Security

Describe the last program or script that you wrote. What problem did it solve?

All we want to see here is if the color drains from the guy's face. If he panics then we not only know he's not a programmer (not necessarily bad), but that he's afraid of programming (bad). I know it's controversial, but I think that any high-level security guy needs some programming skills. They don't need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

How would you implement a secure login field on a high traffic website where performance is a consideration?

We're looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPS, and how they'd recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they've never seen or heard of this problem, which means they're not likely to be anything near pro level.

What are the various ways to handle account brute forcing?

Look for discussion of account lockouts, IP restrictions, fail2ban, etc.

What is Cross-Site Request Forgery?

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

How does one defend against CSRF?

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.

If you were a site administrator looking for incoming CSRF attacks, what would you look for?

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we already implement nonces?", or, "That depends on whether we already have controls in place." Undesired answers are things like checking referrer headers, or wild panic.
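The nonce defense from the CSRF questions above, applied to the logout example. This is an added example, not from the original article: an in-memory session store stands in for a real one, each session gets a server-generated token that only pages from the site itself can embed, and state changes are refused over GET (the request an IMG tag produces) as well as without the token.

```python
import hmac
import secrets
from typing import Dict

# In-memory session store standing in for a real one; constructed for the example.
SESSIONS: Dict[str, Dict[str, str]] = {}

def new_session() -> str:
    # One CSRF token per session, generated server-side and never derived
    # from anything a third-party page could know.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_logout_form(sid: str) -> str:
    # Only a page served by this site can embed the token; a page on another
    # origin cannot read it (same-origin policy), so it cannot forge a valid request.
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/logout">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<button>Log out</button></form>')

def handle_logout(method: str, sid: str, form: Dict[str, str]) -> str:
    # State changes are refused over GET, which is what an <img src=...>
    # load triggers, and require the session's token on POST.
    if method != "POST":
        return "405 state changes must use POST"
    session = SESSIONS.get(sid)
    if session is None:
        return "401 no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; both sides encoded so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return "403 CSRF token missing or invalid"
    del SESSIONS[sid]
    return "200 logged out"

if __name__ == "__main__":
    sid = new_session()
    print(handle_logout("GET", sid, {}))                       # the IMG-tag request
    print(handle_logout("POST", sid, {}))                      # a cross-site form post
    token = SESSIONS[sid]["csrf_token"]
    print(handle_logout("POST", sid, {"csrf_token": token}))   # the site's own form
```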

What's the difference between HTTP and HTML?

Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you're looking for is for him not to panic.

How does HTTP handle state?

It doesn't, of course. Not natively. Good answers are things like "cookies", but the best answer is that cookies are a hack to make up for the fact that HTTP doesn't do it itself.

What exactly is Cross-Site Scripting?

You'd be amazed at how many security people don't know even the basics of this immensely important topic. We're looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.

What's the difference between stored and reflected XSS?

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site.

What are the common defenses against XSS?

Input Validation/Output Sanitization, with focus on the latter.
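The three XSS questions above in code: a reflected sink beside its output-encoded form, the same encoding applied to stored content, and a narrow input validator for the one field where validation makes sense. This is an added example, not from the original article; the hostile sample input is constructed.

```python
import html
import re
from typing import List

# Constructed sample of hostile input, the kind a reflected XSS link would carry.
SAMPLE = "<script>alert(document.cookie)</script>"

def render_search_vulnerable(query: str) -> str:
    # Reflected XSS: the request parameter is dropped straight into the page,
    # so the victim's browser runs whatever script the link contained.
    return f"<p>Results for: {query}</p>"

def render_search_hardened(query: str) -> str:
    # Output sanitization for the HTML body context: <, >, &, " and ' become
    # entities, so the browser displays the input as text instead of parsing it.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

def render_input_hardened(query: str) -> str:
    # Attribute context: quote=True also stops a value from closing the
    # attribute and smuggling in an event handler.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'

def render_comments_hardened(comments: List[str]) -> str:
    # Stored XSS has the same fix: escape at output time, whatever the source.
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<ul>{items}</ul>"

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

def valid_username(name: str) -> bool:
    # Input validation complements output encoding where a field has a known
    # shape; it is not a substitute for it on free-text fields.
    return USERNAME_RE.fullmatch(name) is not None

if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE))
    print(render_search_hardened(SAMPLE))
    print(render_input_hardened('" autofocus onfocus="alert(1)'))
    print(render_comments_hardened(["first!", SAMPLE]))
```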

Corporate/Risk

What is the primary reason most companies haven't fixed their vulnerabilities?

This is a bit of a pet question for me, and I look for people to realize that companies don't actually care as much about security as they claim to; otherwise we'd have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.

Look for people who get this, and are ok with the challenge.

What's the goal of information security within an organization?

This is a big one. What I look for is one of two approaches; the first is the über lockdown approach, i.e. "To control access to information as much as possible, sir!" While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, "To help the organization succeed."

This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.

What's the difference between a threat, vulnerability, and a risk?

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.

If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]

We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What's being logged and audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.

As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities?

This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.

Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.

Both are true, of course; the key is to hear what they have to say on the matter.

The Onion Model

The questions above are fairly straightforward. They are, generally, negative filters, i.e. they're designed to exclude candidates for having glaring weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model.

The Onion Model of interviewing starts at the surface level and then dives deeper and deeper, often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate's knowledge stops, but also how they deal with not knowing something. One component of this cannot be overstated: using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question.

An example of this would be starting with:

How does traceroute work?

They get this right, so you go to the next level.

What protocol does it use?

This is a trick question, as it can use lots of options, depending on the tool. Then you move on.

Describe a Unix traceroute hitting google.com at all seven layers of the OSI model.

Etc. It's deeper and deeper exploration of a single question. Here's a similar option for the end phase of such a question.

If I'm on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC in order to complete a traceroute to twitter.com?

The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee.

This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, "What happens when I go to Google.com?"

How would you build the ultimate botnet?

Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, "I don't make them, I stop them."

Role Playing as an Alternative to the Onion Model

Another option for going to increasing depth is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.

You would tell them, for example, that they've been called in to help a client who's received a call from their ISP stating that one or more computers on their network have been compromised. And it's their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. "I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8?" And you can then say yes or no, etc.

From there they continue troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.

Innovation Questions

At the top tier of technical security roles you may want someone who is capable of designing as well as understanding. In these cases you can also ask questions about design flaws, how they would improve a given protocol, etc.

These questions separate good technical people from top technical people, and I imagine less than 1% of those in infosec would even attempt to answer any of these.

Here are a few examples:

What are the primary design flaws in HTTP, and how would you improve it?
If you could redesign TCP, what would you fix?
What is the one feature you would add to DNS to improve it the most?
What is likely to be the primary protocol used for the Internet of Things in 10 years?
If you had to get rid of a layer of the OSI model, which would it be?

[NOTE: You can ask infinite variations of these, of course. Asking for three options instead of one, or asking them to rank the results, etc.]

It's important to note with these questions that you could have a superstar analyst who knows nothing about these matters, while someone who is at this level would make a poor forensic expert. It's all about matching skills to roles.

Conclusion

For more on hiring overall, I recommend doing a good amount of research. Most important to learn, as I talked about above, is the limitations of interviews. Use other data available to you whenever possible, and above everything else: be extremely cautious of anyone who thinks they can "spot the one" because they're good at it.

Bias is a major problem in interviewing, and it's likely that someone with a steadfast belief in his or her interview brilliance is doing harm to your organization by introducing bad candidates. When possible, do what Google did: explore the data. Look at how candidates did in interviews relative to how they did on the job. Wherever you have mismatches you have a problem with your process.

Feel free to contact me if you have any comments on the questions, or if you have any ideas for additions.

[Updated: June 2014]

Notes

1. Here is an article about Google revealing the ineffectiveness of their brainteaser questions.
2. As a hiring organization, be cautious of any interviewer that has an ego or attitude. The odds of you getting any good data from them is low. The name of the game is reducing bias, and that type has a lot of it.
3. Always try to combine any interview with a work sample, and/or great reference data.
4. I have had these questions asked to me on numerous interviews. It's quite humorous when they find out they're reading from my website.
