Whats the difference between symmetric and public-key cryptographyStandard stuff heresingle key vs. two keys, etc, etc.In public-key cryptography you have a public and a private key, and you oftenperform both encryption and signing functions. Which key is used for whichfunction?You encrypt with the other persons public key, and you sign with your ownprivate. If they confuse the two, dont put them in charge of your PKI project.What kind of network do you have at home?Good answers here are anything that shows you hes acomputer/technology/security enthusiast and not just someone looking for apaycheck. So if hes got multiple systems running multiple operating systemsyoure probably in good shape. What you dont want to hear is, I get enoughcomputers when Im at work.. Ive yet to meet a serious security guy whodoesnt have a considerable home network.What is Cross-Site Request Forgery?Not knowing this is more forgivable than not knowing what XSS is, but only forjunior positions. Desired answer: when an attacker gets a victims browser tomake requests, ideally with their credentials included, without their knowing. Asolid example of this is when an IMG tag points to a URL associated with anaction, e.g. http://foo.com/logout/. A victim just loading that page couldpotentially get logged out from foo.com, and their browser would have made theaction, not them (since browsers load all IMG tags automatically).How does one defend against CSRF?Nonces required by the server for each page or each request is an accepted,albeit not foolproof, method. Again, were looking for recognition and basicunderstanding herenot a full, expert level dissertation on the subject. Adjustexpectations according to the position youre hiring for.What port does ping work over?A trick question, to be sure, but an important one. If he starts throwing outport numbers you may want to immediately move to the next candidate. Hint: ICMPis a layer 3 protocol (it doesnt work over a port) A good variation of thisquestion is to ask whether ping uses TCP or UDP. An answer of either is a fail,as those are layer 4 protocols.How exactly does traceroute/tracert work at the protocol level?This is a fairly technical question but its an important concept to understand.Its not natively a security question really, but it shows you whether or notthey like to understand how things work, which is crucial for an Infosecprofessional. If they get it right you can lighten up and offer extra credit forthe difference between Linux and Windows versions.The key point people usually miss is that each packet thats sent out doesnt goto a different place. Many people think that it first sends a packet to thefirst hop, gets a time. Then it sends a packet to the second hop, gets a time,and keeps going until it gets done. Thats incorrect. It actually keeps sendingpackets to the final destination; the only change is the TTL thats used. Theextra credit is the fact that Windows uses ICMP by default while Linux uses UDP.If you were to start a job as head engineer or CSO at a Fortune 500 company dueto the previous guy being fired for incompetence, what would your priorities be?[Imagine you start on day one with no knowledge of the environment]We dont need a list here; were looking for the basics. Where is the importantdata? Who interacts with it? Network diagrams. Visibility touch points. Ingressand egress filtering. Previous vulnerability assessments. Whats being logged anaudited? Etc. The key is to see that they could quickly prioritize, in just afew seconds, what would be the most important things to learn in an unknownsituation.As a corporate Information Security professional, whats more important to focus
on: threats or vulnerabilities?This one is opinion-based, and we all have opinions. Focus on the quality of theargument put forth rather than whether or not they they chose the same as you,necessarily. My answer to this is that vulnerabilities should usually be themain focus since we in the corporate world usually have little control over thethreats.Another way to take that, however, is to say that the threats (in terms ofvectors) will always remain the same, and that the vulnerabilities we are fixingare only the known ones. Therefore we should be applying defense-in-depth basedon threat modeling in addition to just keeping ourselves up to date.Both are true, of course; the key is to hear what they have to say on thematter.Describe the last program or script that you wrote. What problem did it solve?All we want to see here is if the color drains from the guys face. If he panicsthen we not only know hes not a programmer (not necessarily bad), but that hesafraid of programming (bad). I know its controversial, but I think that anyhigh-level security guy needs some programming skills. They dont need to be aGod at it, but they need to understand the concepts and at least be able tomuddle through some scripting when required.What are Linuxs strengths and weaknesses vs. Windows?Look for biases. Does he absolutely hate Windows and refuse to work with it?This is a sign of an immature hobbyist who will cause you problems in thefuture. Is he a Windows fanboy who hates Linux with a passion? If so just thankhim for his time and show him out. Linux is everywhere in the security world.Whats the difference between a threat, vulnerability, and a risk?As weak as the CISSP is as a security certification it does teach some goodconcepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (andbeing able to differentiate them) is important for a security professional. Askas many of these as youd like, but keep in mind that there are a few differingschools on this. Just look for solid answers that are self-consistent.Cryptographically speaking, what is the main method of building a shared secretover a public medium?Diffie-Hellman. And if they get that right you can follow-up with the next one.Whats the difference between Diffie-Hellman and RSA?Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signingprotocol. If they get that far, make sure they can elaborate on the actualdifference, which is that one requeres you to have key material beforehand(RSA), while the other does not (DH). Blank stares are undesirable.What kind of attack is a standard Diffie-Hellman exchange vulnerable to?Man-in-the-middle, as neither side is authenticated.Whats the goal of information security within an organization?This is a big one. What I look for is one of two approaches; the first is theüber-lockdown approach, i.e. To control access to information as much aspossible, sir! While admirable, this again shows a bit of immaturity. Notreally in a bad way, just not quite what Im looking for. A much better answerin my view is something along the lines of, To help the organization succeed.This type of response shows that the individual understands that business isthere to make money, and that we are there to help them do that. It is this sortof perspective that I think represents the highest level of securityunderstanding-a realization that security is there for the company and not theother way around.Are open-source projects more or less secure than proprietary ones?The answer to this question is often very telling about a given candidate. It
shows 1) whether or not they know what theyre talking about in terms ofdevelopment, and 2) it really illustrates the maturity of the individual (acommon theme among my questions). My main goal here is to get them to show mepros and cons for each. If I just get the many eyes regurgitation then Illknow hes read Slashdot and not much else. And if I just get the people inChina can put anything in the kernel routine then Ill know hes not so good atlooking at the complete picture.The ideal answer involves the size of the project, how many developers areworking on it (and what their backgrounds are), and most importantly qualitycontrol. In short, theres no way to tell the quality of a project simply byknowing that its either open-source or proprietary. There are many examples ofhorribly insecure applications that came from both camps.Whats the difference between encoding, encryption, and hashing?Encoding is designed to protect the integrity of data as it crosses networks andsystems, i.e. to keep its original message upon arriving, and it isnt primarilya security function. It is easily reversible because the system for encoding isalmost necessarily and by definition in wide use. Encryption is designed purelyfor confidentiality and is reversible only if you have the appropriate key/keys.With hashing the operation is one-way (non-reversible), and the output is of afixed length that is usually much smaller than the input.Who do you look up to within the field of Information Security? Why?A standard question type. All were looking for here is to see if they payattention to the industry leaders, and to possibly glean some more insight intohow they approach security. If they name a bunch of hackers/criminals thatlltell you one thing, and if they name a few of the pioneers thatll say another.If they dont know anyone in Security, wellconsider closely what positionyoure hiring them for. Hopefully its a junior position.AdvancedOk, now for some more advanced questions: If Im on my laptop, here inside my company, and I have just plugged in mynetwork cable. How many packets must leave my NIC in order to complete atraceroute to twitter.com? The key here is that they need to factor in all layers: Ethernet, IP, DNS,ICMP/UDP, etc. And they need to consider round-trip times. What youre lookingfor is a realization that this is the way to approach it, and an attempt toknock it out. A bad answer is the look of WTF on the fact of the interviewee. How would you build the ultimate botnet? Answers here can vary widely; you want to see them cover the basics:encryption, DNS rotation, the use of common protocols, obscuring the heartbeat,the mechanism for providing updates, etc. Again, poor answers are things like,I dont make them; I stop them.Bonus: Scenario Role-PlayFor special situations you may want to do the ultimate interview question. Thisis a role-played scenario, where the candidate is a consultant and you controlthe environment. I had one of these during an interview and it was quitevaluable.So you tell them, for example, that theyve been called in to help a clientwhos received a call from their ISP stating that one or more computers on theirnetwork have been compromised. And its their job to fix it. They are now at theclient site and are free to talk to you as the client (interviewing them), or toask you as the controller of the environment, e.g. I sniff the externalconnection using tcpdump on port 80. Do I see any connections to IP 220.127.116.11?
And you can then say yes or no, etc.From there they continue to troubleshooting/investigating until they solve theproblem or you discontinue the exercise due to frustration or pity.Feel free to contact me if you have any comments on the questions, or if youhave an ideas for additions.::Top A tcpdump Tutorial Tech Hiring Lessons Learned A lsof Introduction A git Primer A Security-focused HTTP Primer Vulnerability Assessment vs. Penetration Test WebAppSec Testing Resources Infosec Interview QuestionsPopular What You Learned in School About Airplane Flight Was Probably Wrong 10 Things Everyone Should Know About the Middle East The find Command The lsof Command Security and Obscurity RevisitedInformation Security / Technology My Preferred Definition of Information Security The Diffie-Hellman Protocol Differences in SYN Packets The Birthday Attack Explained Mac vs. PC Security in One Sentence A UNIX/Linux Permissions Refresher Cross Site Scripting Explained A tar Reference A Security/Obscurity Experiment Expect More Human-Based Infosec Attacks CISSPs Do Need to be Technical The Under-appreciated Danger of Password Reset Mechanisms Encoding vs. Encryption An lsof Tutorial The Nmap/Dshield Trick Using Splunk as a Syslog Server Thinking Through Subnetting Explaining Network PortsPolitics Free Will and Determinism as the Core of Political Disagreement Conservatives are Leave it to Beaver, Liberals are Star Trek Socialism and Anarchy On CFR/NWO Conspiracies The Worst Mistake People Make in Political Arguments How to Debate an IdiotPhilosophy & Religion
An Atheist Debate Reference Meaning is an Illusion The Best Response to "Atheists are arrogant". The Only Class That Matters Free Will: Absolute vs. Practical A Simplified Argument Against Free Will Happiness: Creation vs. Collection Want: A Disease Based in Low Self-Esteem How to See If Your Morality Comes from God Outrageous Beliefs Are Not Equal to Claims They Are False Was the Last Time Your Last? How I Became an Atheist A Letter to Religious Moderates Philosophy, Science, and Religion: Three Ways of Learning About the WorldTechnology & Science Building a Lifestream Interface Thoughts on the Future of the IT Field The Steam, Water, and Ice of Modern Communications Social Media as a Personal API Could You Prove Evolution? How to Pronounce "Linux" My Only Shot at Immortality How to Pronounce "Ubuntu" Does Acceleration Depend More on Horsepower or Torque? The Craziest Thing Youll Ever Learn about Pi How to Pronounce "OS X" How to Pronounce "Rijndael"Culture & Society Lifecasting and Society Please Submit Your Own Content to Social Media Sites The Bimbo and the Caveman Is it Wrong to Have Children? The Quality Of a Society Socialism and AnarchyMiscellaneous A Coffee PrimerArguments Evolution is True Free Will: Two-lever Argument more...Projects Content Extraction Ideas Vocabulary An Atheist Debate Reference Concepts more...Collections Quotes Jokes Grammar Movies
Twitter Trickle-down (Supply Side) Economics is a Liberal Fiscal Policy |http://t.co/II8Jl2mG #politics Theres Something to Fear in Both Obama and Romney | http://t.co/ZH53GL7J#politics Worldwide Visual Flight Tracking Information | http://t.co/OOEZVCPi Facebook doesnt even feel like an app anymore. Its more like the nationalroad system, or the electricity grid. Its just there. The VMware site is a fustercluck. The process of upgrading from ESXi tovSphere 5 couldnt be more convoluted if they put a team on it. "If you vote against Obama because he cant get stuff done, its likesaying, This guy cant cure cancer, so Im gonna vote for cancer."What Im Reading The Quotable Hitchens Game of Thrones: Book 2 How the Mind Works Class: A Guide Through the American Status System Web Application Hackers Handbook, Second Edition Arguably (Christopher Hitchens) Lord of the Flies Lying (Sam Harris)Favorite Books and Essays The Ethics of Belief, William Clifford The America the Banana Republic Why The Future Doesnt Need Us, Bill Joy What I Believe, Bertrand Russell The Moral Landscape, Sam Harris God is Not Great, Christopher Hitchens 1984, George OrwellTop Blog Categories Politics Technology Information Security Philosophy Humor Religion Programming System Administration Education Culture Atheism Music Writing Geek Health AppleInputs Overcoming Bias The Last Psychiatrist The Big Questions Less Wrong Arts & Letters Daily Scott Adams Gene Expression
AZSpot NPRs Intelligence2 Philosophy, et cetera Meteuphoric Roissy in DC Freakonomics Blog Will Wilkinson The Rational Optimist Cosmic Variance Practical Ethics Barking Up the Wrong Tree Reddit* Hacker News Arts & Letters DailyDaniel Miessler | 1999-2012 | Share AlikePowered by Linode