IT Security Question


8/8/2019 IT Security Question


Are open-source projects more or less secure than proprietary ones?

The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they're talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the 'many eyes' regurgitation then I'll know he's read Slashdot and not much else. And if I just get the 'people in China can put anything in the kernel' routine then I'll know he's not so good at looking at the complete picture.

The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and, most importantly, quality control. In short, there's no way to tell the quality of a project simply by knowing that it's either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.

How do you change your DNS settings in Linux/Windows?

Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world, then you're likely working with someone very junior or otherwise highly abstracted from the real world.

What's the difference between encoding, encryption, and hashing?

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn't primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.

What's more secure, SSL or HTTPS?

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they're confused, then this should be for an extremely junior position.

Can you describe rainbow tables?

Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.

What is salting, and why is it used?

You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.

Who do you look up to within the field of Information Security? Why?

A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, we'll consider closely what position you're hiring them for. Hopefully it isn't a junior position.

Where do you get your security news from?

Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that he doesn't respond with, 'I go to the CNET website.', or, 'I wait until someone tells me about events.'. It's these types of answers that will tell you he's likely not on top of things.

If you had to both encrypt and compress data during transmission, which would you do first, and why?

If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: 'Compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.'
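Added example, not part of the original post: it measures both orderings on a constructed, highly repetitive payload. The keystream cipher is a stand-in built from SHA-256 so the block needs only the standard library; it is not an authenticated cipher and exists purely to produce random-looking ciphertext.

```python
import hashlib
import os
import zlib

# Constructed sample: a repetitive payload, the kind compression thrives on.
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          b"Cookie: session=abcdef0123456789\r\n\r\n") * 200


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream. Illustrative stand-in only:
    no authentication, not a production cipher. It is here because its output
    is indistinguishable from random bytes, which is the property the question
    turns on. XOR makes the function its own inverse."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    return toy_stream_cipher(key, zlib.compress(data, 9))


def decrypt_then_decompress(key: bytes, blob: bytes) -> bytes:
    return zlib.decompress(toy_stream_cipher(key, blob))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    # The ciphertext has no redundancy left for DEFLATE to exploit, so zlib
    # falls back to stored blocks and the output is larger than the input.
    return zlib.compress(toy_stream_cipher(key, data), 9)


def compare_orders(data: bytes, key: bytes = b"") -> dict:
    """Bytes that would go on the wire for each ordering."""
    key = key or os.urandom(32)
    return {
        "plain": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, data)),
    }


if __name__ == "__main__":
    for name, size in compare_orders(SAMPLE).items():
        print(f"{name:>22}: {size} bytes")
```

Caveat the interview answer leaves out: compressing attacker-influenced data together with secrets before encrypting leaks those secrets through the ciphertext length (the CRIME and BREACH attacks on TLS and HTTP compression), which is why modern TLS disables compression.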

    3hat"s the difference between symmetric and public-

    !ey cryptography

    )tandard stuff here6 single !ey vs. two !eys# etc# etc.

    In public-!ey cryptography you have a public and a

    private !ey# and you often perform both encryption and

    signing functions. 3hich !ey is used for which function?

    7ou encrypt with the other person"s public !ey# and you

    sign with your own private. If they confuse the two#

    don"t put them in charge of your 5:I project.

    3hat !ind of networ! do you have at home?

    ;ood answers here are anything that shows you he"s a

    computer2technology2security enthusiast and not just

    someone loo!ing for a paychec!. )o if he"s got multiple

    systems running multiple operating systems you"re

    probably in good shape. 3hat you don"t want to hear is#

    'I get enough computers when I"m at wor!

  • 8/8/2019 IT Security Question

    4/12

    3indows server?

    Their list isn"t !ey here %unless it"s bad> the !ey is to

    not get panic.

    3ho"s more dangerous to an organi+ation# insiders or

    outsiders?

    Ideally you"ll hear inquiry into what"s meant by

    'dangerous(. /oes that mean more li!ely to attac! you#or more dangerous when they do?

    3hy is /0) monitoring important?

    If they"re familiar with infosec shops of any si+e# they"ll

    !now that /0) requests are a treasure when it comes

    to malware indicators.

    0etwor! )ecurity

    3hat port does ping wor! over?

    A tric! question# to be sure# but an important one. If he

    starts throwing out port numbers you may want to

    immediately move to the net candidate. int6 I*&5 is a

    layer protocol %it doesn"t wor! over a port A good

    variation of this question is to as! whether ping uses

    T*5 or @/5. An answer of either is a fail# as those are

    layer protocols.

    /o you prefer filtered ports or closed ports on your

    firewall?

    oo! for a discussion of security by obscurity and the

    pros and cons of being visible vs. not. There can be

    many signs of maturity or immaturity in this answer.

    ow eactly does traceroute2tracert wor! at the

    protocol level?

    This is a fairly technical question but it"s an important

    concept to understand. It"s not natively a 'security(question really# but it shows you whether or not they

    li!e to understand how things wor!# which is crucial for

    an Infosec professional. If they get it right you can

    lighten up and offer etra credit for the difference

    between inu and 3indows versions.

    The !ey point people usually miss is that each pac!et

    that"s sent out doesn"t go to a different place. &any

    people thin! that it first sends a pac!et to the first hop#

  • 8/8/2019 IT Security Question

    5/12

    gets a time. Then it sends a pac!et to the second hop#

    gets a time# and !eeps going until it gets done. That"s

    incorrect. It actually !eeps sending pac!ets to the final

    destination> the only change is the TT that"s used. The

    etra credit is the fact that 3indows uses I*&5 by

    default while inu uses @/5.
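Added example, not from the original post, modelling the mechanism just described over a constructed four-hop path: every probe is addressed to the final destination and only the TTL changes between rounds. The hop addresses are documentation-range values chosen for illustration, and `forward` stands in for the network.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed path from the sender to the destination (last entry).
PATH = ["192.0.2.1", "198.51.100.7", "203.0.113.9", "203.0.113.42"]


@dataclass
class Probe:
    dst: str   # always the final destination, never an intermediate hop
    ttl: int   # the only field traceroute varies between rounds


@dataclass
class Reply:
    src: str
    kind: str  # "time_exceeded" from a router, or an answer from the destination


def forward(probe: Probe, path: List[str], proto: str) -> Optional[Reply]:
    """Stand-in for the network. Each router decrements TTL by one and, when
    the decrement reaches 0, discards the packet and answers with ICMP Time
    Exceeded. Only the destination host answers the probe itself: an echo
    reply for ICMP probes (Windows default) or a port-unreachable for UDP
    probes to a closed high port (Linux default)."""
    ttl = probe.ttl
    for hop in path:
        if hop == probe.dst:
            return Reply(hop, "echo_reply" if proto == "icmp" else "port_unreachable")
        ttl -= 1
        if ttl == 0:
            return Reply(hop, "time_exceeded")
    return None  # dropped without a reply: shown as '*'


def traceroute(dest: str, path: List[str], proto: str = "udp", max_hops: int = 30,
               probes_per_hop: int = 3) -> Tuple[List[Tuple[int, str]], int]:
    """Returns (hop list, probes sent). Every probe carries dst=dest; the loop
    only raises the TTL until the destination itself answers."""
    hops: List[Tuple[int, str]] = []
    sent = 0
    for ttl in range(1, max_hops + 1):
        replies = [forward(Probe(dest, ttl), path, proto) for _ in range(probes_per_hop)]
        sent += probes_per_hop
        first = replies[0]
        hops.append((ttl, first.src if first else "*"))
        if first and first.kind != "time_exceeded":
            break  # destination reached
    return hops, sent


if __name__ == "__main__":
    hops, sent = traceroute(PATH[-1], PATH)
    for ttl, src in hops:
        print(f"{ttl:2d}  {src}")
    print(f"{sent} probes sent, every one addressed to {PATH[-1]}")
```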

    3hat are inu"s strengths and wea!nesses vs.3indows?

    oo! for biases. /oes he absolutely hate 3indows and

    refuse to wor! with it? This is a sign of an immature

    hobbyist who will cause you problems in the future. Is

    he a 3indows fanboy who hates inu with a passion?

    If so just than! him for his time and show him out. inu

    is everywhere in the security world.

    *ryptographically spea!ing# what is the main method of 

    building a shared secret over a public medium?

    /iffie-ellman. And if they get that right you can follow-

    up with the net one.

    3hat"s the difference between /iffie-ellman and 8)A?

    /iffie-ellman is a !ey-echange protocol# and 8)A is

    an encryption2signing protocol. If they get that far#

    ma!e sure they can elaborate on the actual difference#

    which is that one requires you to have !ey material

    beforehand %8)A# while the other does not %/. Blan!

    stares are undesirable.

    3hat !ind of attac! is a standard /iffie-ellman

    echange vulnerable to?

    &an-in-the-middle# as neither side is authenticated.
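Added example, not from the original post, serving the three Diffie-Hellman questions above: a toy exchange, the outcome when an active adversary substitutes the public values and neither side is authenticated, and the same exchange with each public value tagged under a pre-shared key (the "key material beforehand" the RSA comparison refers to) so that substitution is detected and the session aborted. The 127-bit prime and generator are toy parameters for illustration only.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy group, constructed for illustration; real deployments use a standardised
# 2048-bit-or-larger group or an elliptic curve.
P = 2**127 - 1
G = 5


def keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def unauthenticated_exchange(mitm: bool = False) -> Tuple[bytes, bytes, Optional[Tuple[bytes, bytes]]]:
    """Returns (Alice's key, Bob's key, adversary's keys or None). With mitm
    set, each side receives the adversary's public value instead of its
    peer's; nothing in the protocol lets either side notice."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not mitm:
        return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub), None
    m_priv, m_pub = keypair()
    alice_key = shared_key(a_priv, m_pub)  # Alice has actually agreed with Mallory
    bob_key = shared_key(b_priv, m_pub)    # and so has Bob
    mallory = (shared_key(m_priv, a_pub), shared_key(m_priv, b_pub))
    return alice_key, bob_key, mallory


def tag(psk: bytes, pub: int) -> bytes:
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(psk: bytes, mitm: bool = False) -> Tuple[bytes, bytes]:
    """Each side sends (public value, HMAC under the pre-shared key). The
    adversary can still swap the public value but cannot produce a valid tag
    for it, so the receiver rejects the exchange instead of deriving a key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    from_alice = (a_pub, tag(psk, a_pub))
    from_bob = (b_pub, tag(psk, b_pub))
    if mitm:
        _, m_pub = keypair()
        from_alice = (m_pub, from_alice[1])  # value swapped, tag unchanged
        from_bob = (m_pub, from_bob[1])
    for pub, t in (from_alice, from_bob):
        if not hmac.compare_digest(t, tag(psk, pub)):
            raise ValueError("public value failed authentication; abort")
    return shared_key(a_priv, from_bob[0]), shared_key(b_priv, from_alice[0])
```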

Application Security

Describe the last program or script that you wrote. What problem did it solve?

All we want to see here is if the color drains from the guy's face. If he panics then we not only know he's not a programmer (not necessarily bad), but that he's afraid of programming (bad). I know it's controversial, but I think that any high-level security guy needs some programming skills. They don't need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

How would you implement a secure login field on a high traffic website where performance is a consideration?

We're looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPS, and how they'd recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they've never seen or heard of this problem, which means they're not likely to be anything near pro level.

What are the various ways to handle account brute forcing?

Look for discussion of account lockouts, IP restrictions, fail2ban, etc.

What is Cross-Site Request Forgery?

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

How does one defend against CSRF?

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert level dissertation on the subject. Adjust expectations according to the position you're hiring for.

If you were a site administrator looking for incoming CSRF attacks, what would you look for?

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, 'Did we already implement nonces?', or, 'That depends on whether we already have controls in place

performed.

Look for people who get this, and are ok with the challenge.

What's the goal of information security within an organization?

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. 'To control access to information as much as possible, sir'. While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, 'To help the organization succeed.'

This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.

What's the difference between a threat, vulnerability, and a risk?

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.

If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]

We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What's being logged and audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.

As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities?

This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.

Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.

Both are true, of course; the key is to hear what they have to say on the matter.

The Onion Model

The questions above are fairly straightforward. They are, generally, negative filters, i.e. they're designed to exclude candidates for having glaring weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model.

The Onion Model of interviewing starts at the surface level and then dives deeper and deeper, often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate's knowledge stops, but also how they deal with not knowing something.

One component of this cannot be overstated: using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question.

An example of this would be starting with:

How does traceroute work?

They get this right, so you go to the next level.

What protocol does it use?

This is a trick question, as it can use lots of options, depending on the tool. Then you move on.

Describe a Unix traceroute hitting google.com at all seven layers of the OSI model.

Etc. It's deeper and deeper exploration of a single question. Here's a similar option for the end-phase of such a question.

If I'm on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC in order to complete a traceroute to twitter.com?

The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee.

This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, 'What happens when I go to Google.com?'

How would you build the ultimate botnet?

Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, 'I don't make them; I stop them.'

Role-Playing as an Alternative to the Onion Model

Another option for going to increasing depth is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.

You would tell them, for example, that they've been called in to help a client who's received a call from their ISP stating that one or more computers on their network have been compromised. And it's their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. 'I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8.' And you can then say yes or no, etc.

From there they continue troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.

Innovation Questions

At the top tier of technical security roles you may want someone who is capable of designing as well as understanding. In these cases you can also ask questions about design flaws, how they would improve a given protocol, etc.

These questions separate good technical people from top technical people, and I imagine less than 1% of those in infosec would even attempt to answer any of these.

Here are a few examples:

• What are the primary design flaws in HTTP, and how would you improve it?

• If you could re-design TCP, what would you fix?

• What is the one feature you would add to DNS to improve it the most?

• What is likely to be the primary protocol used for the Internet of Things in 10 years?

• If you had to get rid of a layer of the OSI model, which would it be?

[ NOTE: You can ask infinite variations of these, of course. Asking for three options instead of one, or asking them to rank the results, etc. ]

It's important to note with these questions that you could have a superstar analyst who knows nothing about these matters while someone who is at this level would make a poor forensic expert. It's all about matching skills to roles.