8/8/2019 IT Security Question
Are open-source projects more or less secure than proprietary ones?
The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they're talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each.
If I just get the "many eyes" regurgitation then I'll know he's read Slashdot and not much else. And if I just get the "people in China can put anything in the kernel" routine then I'll know he's not so good at looking at the complete picture.
The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly, quality control: code review, testing, and how quickly reported vulnerabilities actually get fixed. In short, there's no way to tell the quality of a project simply by knowing that it's either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.
How do you change your DNS settings in Linux/Windows?
Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world (/etc/resolv.conf or the distribution's network manager on Linux; the adapter's TCP/IP properties or PowerShell's Set-DnsClientServerAddress on Windows), then you're likely working with someone very junior or otherwise highly abstracted from the real world.
What's the difference between encoding, encryption, and hashing?
Encoding transforms data so it can be carried safely across networks and systems (for example, Base64 for binary data inside a text protocol) and restored to its original form on arrival; it isn't a security function. It is trivially reversible because the scheme is public and in wide use, and it needs no key. Encryption is designed for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input. A candidate who offers Base64 as a way to "protect" a password has confused the first with the other two.
What's more secure, SSL or HTTPS?
Trick question: these are not mutually exclusive (HTTPS is HTTP carried over SSL, or today TLS). Look for a smile like they caught you in the cookie jar. If they're confused, then this should be for an extremely junior position.
Can you describe rainbow tables?
Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster: the attacker precomputes hashes of candidate passwords once, and then recovers any captured unsalted hash with a lookup instead of a fresh brute-force run.
What is salting, and why is it used?
You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while. The answer you want: a random per-user value stored alongside the hash, so that identical passwords hash differently and a precomputed table cannot be reused against anyone.
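The two questions above are easiest to judge with the mechanism in front of you. The following is an added example (not from the original article) that builds a tiny precomputed lookup table, recovers an unsalted SHA-256 hash with one dictionary hit, and then shows that the same table is useless against a salted, slow hash (PBKDF2-HMAC-SHA256 from Python's standard library). The password list and the table are constructed for the demonstration; a real rainbow table holds billions of entries as hash chains, but the lookup step is the same.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: a tiny "precomputed table" of unsalted SHA-256 digests
# for common passwords. A real rainbow table covers billions of candidates (and
# stores them compactly as hash chains), but the lookup step works the same way.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """What a naive application stores: plain SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored_hex: str) -> Optional[str]:
    """One table lookup recovers the password from an unsalted hash."""
    return PRECOMPUTED.get(stored_hex)


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    Stored as "rounds$salt_hex$digest_hex" so the verifier can recover the
    parameters. The salt is not a secret; its job is to make every user's hash
    unique so a table computed once cannot be reused against anyone.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def table_lookup_salted(stored: str) -> Optional[str]:
    """Reusing the precomputed table against a salted hash never hits: the
    attacker is back to running the slow function per candidate, per user."""
    return PRECOMPUTED.get(stored.split("$")[2])
```

Note that the salt defeats precomputation and the high round count makes each remaining guess expensive; either one alone is not enough. A memory-hard function such as scrypt or Argon2 is the better choice where available, and the comparison should always be constant-time.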
Who do you look up to within the field of Information Security? Why?
A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, we'll consider closely what position you're hiring them for. Hopefully it's a junior position.
Where do you get your security news from?
Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that he doesn't respond with, "I go to the CNET website.", or, "I wait until someone tells me about events.". It's these types of answers that will tell you he's likely not on top of things.
If you had to both encrypt and compress data during transmission, which would you do first, and why?
If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: "Compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression."
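The reasoning is easy to confirm empirically. The example below (added here; it is not from the original article) compresses a redundant log excerpt and encrypts it with a one-time pad in both orders, and reports the sizes. The one-time pad stands in for any sound cipher: the property that matters is that its output is indistinguishable from random bytes, which zlib cannot shrink. The log line is constructed sample data. One caveat a senior candidate should add: compressing attacker-influenced data before encrypting it is how the CRIME and BREACH attacks recovered secrets from ciphertext lengths, which is why TLS 1.3 dropped compression entirely.

```python
import os
import zlib

# Constructed sample: a highly redundant plaintext (one web-server log line repeated).
LOG_LINE = b'2019-08-08T10:00:00Z 10.0.0.5 "GET /index.html HTTP/1.1" 200 1234 "Mozilla/5.0"\n'
PLAINTEXT = LOG_LINE * 64


def otp_encrypt(data: bytes, key: bytes) -> bytes:
    """One-time pad (XOR with a random key at least as long as the data).

    Stands in for any sound cipher: what matters here is that the output is
    indistinguishable from random bytes, so there is nothing left to compress.
    """
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return bytes(a ^ b for a, b in zip(data, key))


def compress_then_encrypt(data: bytes, key: bytes) -> bytes:
    return otp_encrypt(zlib.compress(data), key)


def encrypt_then_compress(data: bytes, key: bytes) -> bytes:
    return zlib.compress(otp_encrypt(data, key))


def size_report(data: bytes) -> dict:
    """Compare both orderings on the same data with a fresh random key."""
    key = os.urandom(len(data) + 64)   # slack: zlib can slightly expand incompressible input
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data, key)),
        "encrypt_then_compress": len(encrypt_then_compress(data, key)),
    }


if __name__ == "__main__":
    for name, size in size_report(PLAINTEXT).items():
        print(f"{name:>22}: {size} bytes")
```

Compress-then-encrypt shrinks the repeated log to a small fraction of its size; encrypt-then-compress comes out slightly larger than the plaintext, because zlib has to fall back to stored blocks and add framing.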
What's the difference between symmetric and public-key cryptography?
Standard stuff here: single key vs. two keys, etc., etc. A stronger answer adds the consequence: symmetric keys are fast but must be shared out of band with every peer, while public keys can be published, which is why the two are combined in practice (a public-key exchange establishes a symmetric session key).
In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
You encrypt with the other person's public key, and you sign with your own private key. If they confuse the two, don't put them in charge of your PKI project.
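To make the key direction concrete, here is an added example (mine, not the article's) using textbook RSA with fixed Mersenne primes so it runs with only the standard library. Alice encrypts with Bob's public key and signs with her own private key; Bob decrypts with his private key and verifies with Alice's public key. The primes, names and message are constructed for the demonstration; the scheme has no padding and a tiny modulus, so it illustrates the roles of the keys and nothing more.

```python
import hashlib
from typing import Tuple

Key = Tuple[int, int]   # (n, exponent)

# Toy textbook RSA with fixed Mersenne primes. Enough to show which key does
# what; NOT for real use (no OAEP/PSS padding, tiny modulus, not constant-time).
E = 65537


def keygen(p: int, q: int, e: int = E) -> Tuple[Key, Key]:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)        # (public key, private key)


ALICE_PUBLIC, ALICE_PRIVATE = keygen(2**89 - 1, 2**107 - 1)
BOB_PUBLIC, BOB_PRIVATE = keygen(2**61 - 1, 2**127 - 1)


def encrypt_for(recipient_public: Key, message: bytes) -> int:
    """Confidentiality: only the holder of the matching private key can undo this."""
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if not 1 < m < n:
        raise ValueError("textbook RSA needs 1 < m < n; real schemes pad and use a large n")
    return pow(m, e, n)


def decrypt(own_private: Key, ciphertext: int) -> bytes:
    n, d = own_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_as_int(message: bytes, n: int) -> int:
    # hash-then-sign; reduced mod n only so the toy modulus can hold it
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(own_private: Key, message: bytes) -> int:
    """Authenticity: only the holder of the private key can produce this value."""
    n, d = own_private
    return pow(_digest_as_int(message, n), d, n)


def verify(signer_public: Key, message: bytes, signature: int) -> bool:
    n, e = signer_public
    return pow(signature, e, n) == _digest_as_int(message, n)


def alice_sends_to_bob(message: bytes) -> Tuple[int, int]:
    """Encrypt with the RECIPIENT's public key, sign with the SENDER's private key."""
    return encrypt_for(BOB_PUBLIC, message), sign(ALICE_PRIVATE, message)


def bob_receives(ciphertext: int, signature: int) -> Tuple[bytes, bool]:
    """Decrypt with Bob's own private key, verify with Alice's public key."""
    message = decrypt(BOB_PRIVATE, ciphertext)
    return message, verify(ALICE_PUBLIC, message, signature)
```

The checks worth pointing a candidate at: the signature fails to verify under Bob's public key (wrong signer) and under Alice's key for a different message, and Alice's private key does not decrypt what was encrypted for Bob.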
What kind of network do you have at home?
Good answers here are anything that shows you he's a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he's got multiple systems running multiple operating systems you're probably in good shape. What you don't want to hear is, "I get enough computers when I'm at work
Windows server?
Their list isn't key here (unless it's bad); the key is that they don't panic.
Who's more dangerous to an organization, insiders or outsiders?
Ideally you'll hear inquiry into what's meant by "dangerous". Does that mean more likely to attack you, or more dangerous when they do?
Why is DNS monitoring important?
If they're familiar with infosec shops of any size, they'll know that DNS requests are a treasure when it comes to malware indicators: nearly every piece of malware resolves names to find its command-and-control, so queries for random-looking domains, bursts of NXDOMAIN responses from one host, and long TXT queries stand out in resolver logs.
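What that looks like in practice: the following detection logic, added here as an example rather than taken from the article, runs three checks over resolver log lines (high NXDOMAIN ratio per client, high-entropy leftmost labels, and TXT queries carrying long hex labels). The log format, the IP addresses and the domain names are constructed sample data; the thresholds are starting points to tune against your own traffic, not established values.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample resolver log: "epoch client qtype qname rcode", one query per line.
SAMPLE_LOG = """\
1565258400 10.1.1.20 A www.example.com NOERROR
1565258401 10.1.1.20 A cdn.example.net NOERROR
1565258402 10.1.1.35 A kq3xv9p2lm7d.info NXDOMAIN
1565258402 10.1.1.35 A zt8wq4nb1yxr.info NXDOMAIN
1565258403 10.1.1.35 A pw92mdk7sgqa.info NXDOMAIN
1565258403 10.1.1.35 A r5n2hd8kqw1z.info NXDOMAIN
1565258404 10.1.1.35 A update.example.org NOERROR
1565258405 10.1.1.41 TXT 6a6f686e2e646f653a7061737377307264.c2.example.test NOERROR
1565258406 10.1.1.41 TXT 73657373696f6e3d61626331323334353637.c2.example.test NOERROR
1565258407 10.1.1.41 TXT 746f6b656e3d7a797838776b6c6d6e6f7071.c2.example.test NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]{24,}$")


def parse_line(line: str) -> Optional[Tuple[int, str, str, str, str]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname, rcode = m.groups()
    return int(ts), client, qtype.upper(), qname.lower().rstrip("."), rcode.upper()


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def analyze(log_text: str, nx_ratio: float = 0.5, min_queries: int = 4,
            entropy_threshold: float = 3.3, min_label_len: int = 12) -> Dict[str, List[str]]:
    """Return {client_ip: [finding, ...]} for clients whose queries look like
    DGA probing (many NXDOMAIN answers), random-looking labels, or tunnelling."""
    findings: Dict[str, List[str]] = defaultdict(list)
    rcodes: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qtype, qname, rcode = rec
        rcodes[client][rcode] += 1
        label = qname.split(".")[0]
        if qtype == "TXT" and HEX_LABEL.match(label):
            findings[client].append(f"possible tunnel/exfil: TXT query with {len(label)}-char hex label in {qname}")
        elif len(label) >= min_label_len and shannon_entropy(label) > entropy_threshold:
            findings[client].append(f"high-entropy label {label!r} ({shannon_entropy(label):.2f} bits) in {qname}")
    for client, counts in rcodes.items():
        total = sum(counts.values())
        ratio = counts["NXDOMAIN"] / total
        if total >= min_queries and ratio >= nx_ratio:
            findings[client].append(f"NXDOMAIN ratio {ratio:.2f} over {total} queries (DGA-style probing?)")
    return dict(findings)
```

On the sample, 10.1.1.20 is clean, 10.1.1.35 trips both the entropy and the NXDOMAIN checks, and 10.1.1.41 is flagged three times for hex-encoded TXT queries. Entropy alone produces false positives on CDN and cloud hostnames, so in production pair it with the NXDOMAIN rate and a domain-age or allow-list lookup.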
Network Security
What port does ping work over?
A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn't work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.
Do you prefer filtered ports or closed ports on your firewall?
Look for a discussion of security by obscurity and the pros and cons of being visible vs. not: a closed TCP port answers with a RST and tells a scanner that the host is alive and nothing listens there, while a filtered port silently drops the probe, which slows scans down but can also hide misconfiguration from your own monitoring. There can be many signs of maturity or immaturity in this answer.
How exactly does traceroute/tracert work at the protocol level?
This is a fairly technical question but it's an important concept to understand. It's not natively a "security" question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.
The key point people usually miss is that each packet that's sent out doesn't go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That's incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that's used. The router that decrements the TTL to zero discards the packet and sends back an ICMP Time Exceeded, and the source address of that reply is what reveals the hop. The extra credit is the fact that Windows uses ICMP echo by default while Linux uses UDP probes to high-numbered ports.
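The mechanism is short enough to write down. The example below is added here (it is not the article's code): a Linux-style UDP traceroute in which every probe is addressed to the final destination and only the IP TTL changes, plus a parser for the ICMP Time Exceeded and Destination Unreachable replies that a raw ICMP socket returns. `traceroute()` needs CAP_NET_RAW and a network, so it is not exercised offline; `parse_icmp_reply()` is, against a Time Exceeded packet constructed by `build_time_exceeded()` with made-up addresses. Windows' tracert would instead send ICMP Echo, and the quoted inner protocol would be 1 rather than 17.

```python
import socket
import struct
import time
from typing import List, Optional, Tuple

BASE_PORT = 33434   # classic traceroute UDP destination port base


def parse_icmp_reply(packet: bytes) -> Optional[Tuple[int, int, str, int]]:
    """Parse a datagram read from a Linux IPPROTO_ICMP raw socket (outer IPv4
    header included). Returns (icmp_type, icmp_code, original_dst_ip,
    original_udp_dst_port) if it is a Time Exceeded (11) or Destination
    Unreachable (3) quoting one of our UDP probes, else None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 20:
        return None
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type not in (3, 11):
        return None
    inner = packet[ihl + 8:]               # the quoted original IP header + first 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8 or inner[9] != 17:   # protocol 17 = UDP
        return None
    orig_dst_ip = socket.inet_ntoa(inner[16:20])
    _src_port, dst_port = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return icmp_type, icmp_code, orig_dst_ip, dst_port


def build_time_exceeded(router_ip: str, probe_src_ip: str, probe_dst_ip: str, probe_port: int) -> bytes:
    """Construct the ICMP Time Exceeded a router sends when the TTL hits zero.
    Used here only so parse_icmp_reply can be exercised offline; checksums are
    left zero because the parser (like the kernel on the receive path) does not need them."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                           socket.inet_aton(probe_src_ip), socket.inet_aton(probe_dst_ip))
    inner_udp = struct.pack("!HHHH", 40000, probe_port, 8, 0)
    icmp_hdr = struct.pack("!BBHI", 11, 0, 0, 0)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 28, 0, 0, 64, 1, 0,
                           socket.inet_aton(router_ip), socket.inet_aton(probe_src_ip))
    return outer_ip + icmp_hdr + inner_ip + inner_udp


def traceroute(host: str, max_hops: int = 30, timeout: float = 2.0) -> List[Tuple[int, Optional[str], Optional[float]]]:
    """UDP-probe traceroute as on Linux (needs CAP_NET_RAW for the ICMP socket).
    Every probe is addressed to the FINAL destination; only the TTL changes."""
    dest = socket.gethostbyname(host)
    icmp = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    icmp.settimeout(timeout)
    hops = []
    for ttl in range(1, max_hops + 1):
        port = BASE_PORT + ttl                       # unique port lets us match reply to probe
        probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        probe.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        sent = time.monotonic()
        probe.sendto(b"", (dest, port))
        hop_ip, rtt_ms, reached = None, None, False
        try:
            while True:
                data, (src, _) = icmp.recvfrom(1500)
                parsed = parse_icmp_reply(data)
                if parsed and parsed[2] == dest and parsed[3] == port:
                    hop_ip, rtt_ms = src, (time.monotonic() - sent) * 1000
                    reached = parsed[0] == 3         # port unreachable: the destination itself answered
                    break
        except socket.timeout:
            pass
        finally:
            probe.close()
        hops.append((ttl, hop_ip, rtt_ms))
        print(f"{ttl:2d}  {hop_ip or '*':<15}  {'' if rtt_ms is None else f'{rtt_ms:.1f} ms'}")
        if reached:
            break
    icmp.close()
    return hops
```

The trace ends when the reply is a Destination Unreachable (port unreachable) rather than a Time Exceeded, because that one comes from the destination host itself; intermediate hops that drop ICMP simply show as `*`.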
What are Linux's strengths and weaknesses vs. Windows?
Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.
Cryptographically speaking, what is the main method of building a shared secret over a public medium?
Diffie-Hellman. And if they get that right you can follow up with the next one.
What's the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA: the sender must already hold the recipient's public key) while the other does not (DH: both parties generate fresh values and agree on a secret on the spot). Blank stares are undesirable.
What kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man-in-the-middle, as neither side is authenticated. The fix is to authenticate the exchanged values, for instance by signing them with a long-term key, which is what TLS does.
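The exchange, the attack and the fix, as an added example that is not part of the original article. Honest DH yields one shared key; with Mallory substituting both public values, each party unknowingly agrees a key with her; and MACing the transcript with a key the parties shared beforehand makes Bob reject the tampered exchange, which is exactly the "key material beforehand" that plain DH lacks. The 127-bit prime and generator are constructed for a runnable demo; real deployments use the RFC 3526 or RFC 7919 groups or an elliptic-curve group such as X25519.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Demo group parameters (constructed for a runnable example): a 127-bit prime.
# Real deployments use the RFC 3526 / RFC 7919 groups (2048 bits and up) or an
# elliptic-curve group such as X25519.
P = 2**127 - 1
G = 5
PUB_LEN = (P.bit_length() + 7) // 8


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1            # private exponent in [1, P-2]
    return x, pow(G, x, P)                      # (private, public)


def dh_shared_key(own_private: int, peer_public: int) -> bytes:
    if not 1 < peer_public < P - 1:             # reject 0, 1 and p-1 (trivial subgroups)
        raise ValueError("bad peer public value")
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()   # derive a symmetric key


def unauthenticated_exchange(mallory: bool) -> Dict[str, bytes]:
    """Plain DH. Without Mallory both sides derive one key; with Mallory in the
    path each side unknowingly agrees a key with her instead."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if not mallory:
        return {"alice": dh_shared_key(a_priv, b_pub), "bob": dh_shared_key(b_priv, a_pub)}
    ma_priv, ma_pub = dh_keypair()              # pair Mallory shows to Alice (as "Bob")
    mb_priv, mb_pub = dh_keypair()              # pair Mallory shows to Bob (as "Alice")
    return {
        "alice": dh_shared_key(a_priv, ma_pub),
        "bob": dh_shared_key(b_priv, mb_pub),
        "mallory_with_alice": dh_shared_key(ma_priv, a_pub),
        "mallory_with_bob": dh_shared_key(mb_priv, b_pub),
    }


def transcript_tag(long_term_key: bytes, pub_from_alice: int, pub_from_bob: int) -> bytes:
    data = pub_from_alice.to_bytes(PUB_LEN, "big") + pub_from_bob.to_bytes(PUB_LEN, "big")
    return hmac.new(long_term_key, data, "sha256").digest()


def authenticated_exchange(mallory: bool) -> bool:
    """Same exchange, but Alice MACs the transcript (both public values) with a
    key the two parties shared beforehand. Returns True iff Bob accepts."""
    long_term = secrets.token_bytes(32)         # pre-shared out of band; Mallory lacks it
    _, a_pub = dh_keypair()
    _, b_pub = dh_keypair()
    if mallory:
        _, alice_sees = dh_keypair()            # Mallory's substitutes
        _, bob_sees = dh_keypair()
    else:
        alice_sees, bob_sees = b_pub, a_pub
    tag_from_alice = transcript_tag(long_term, a_pub, alice_sees)
    expected_by_bob = transcript_tag(long_term, bob_sees, b_pub)
    return hmac.compare_digest(tag_from_alice, expected_by_bob)
```

Mallory can relay messages, so she can re-encrypt everything between the two keys she holds and neither side notices; only the authenticated variant exposes her, because the tag covers the values Alice actually sent and received, which no longer match what Bob sees.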
Application Security
Describe the last program or script that you wrote. What problem did it solve?
All we want to see here is if the color drains from the guy's face. If he panics then we not only know he's not a programmer (not necessarily bad) but that he's afraid of programming (bad). I know it's controversial, but I think that any high-level security guy needs some programming skills. They don't need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.
How would you implement a secure login field on a high traffic website where performance is a consideration?
We're looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPS, and how they'd recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP: if the page containing the form is served over HTTP, an attacker on the path can rewrite the form's action so the credentials are posted elsewhere, so the form itself, not just its target, must be delivered over HTTPS. (Today the sensible answer is to serve the whole site over HTTPS with HSTS; TLS cost is no longer a real performance argument.) Blank stares here mean that they've never seen or heard of this problem, which means they're not likely to be anything near pro level.
What are the various ways to handle account brute forcing?
Look for discussion of account lockouts, IP restrictions, fail2ban, etc. Better candidates will also mention the trade-offs: lockouts let an attacker lock legitimate users out, and per-IP limits miss password spraying spread across many sources, so the usual combination is rate limiting per account and per source together, plus multi-factor authentication.
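A compact version of that combination, added here as an example and not taken from the article: a login guard that counts failures per account and per source IP in a sliding window, applies escalating lockouts, and exposes an injectable clock so the behaviour can be tested without sleeping. The limits, window and IP addresses are constructed for the demonstration; an application would call `check()` before touching the password store and `record_failure()`/`record_success()` after.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

WINDOW_S = 600             # sliding window over which failures are counted
PER_ACCOUNT_LIMIT = 5      # failures per account before that account is locked
PER_IP_LIMIT = 50          # failures per source IP before that IP is blocked
LOCKOUT_BASE_S = 60        # first lockout length; doubles on each repeat


class LoginGuard:
    """Track failed logins per account AND per source IP.

    Per-account limits stop classic brute force on one user; per-IP limits catch
    password spraying (one guess against many accounts). Escalating lockouts keep
    the attacker slow without locking a real user out forever.
    """

    def __init__(self, now=time.monotonic):
        self.now = now                                      # injectable clock for testing
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}
        self.lockout_count: Dict[str, int] = defaultdict(int)

    @staticmethod
    def _keys(account: str, ip: str):
        return (("acct:" + account, PER_ACCOUNT_LIMIT), ("ip:" + ip, PER_IP_LIMIT))

    def check(self, account: str, ip: str) -> Tuple[bool, str]:
        """Call before verifying the password. False means reject without checking."""
        t = self.now()
        for key, _ in self._keys(account, ip):
            if self.locked_until.get(key, 0.0) > t:
                return False, f"{key} locked for {self.locked_until[key] - t:.0f}s"
        return True, "ok"

    def record_failure(self, account: str, ip: str) -> None:
        t = self.now()
        for key, limit in self._keys(account, ip):
            q = self.failures[key]
            q.append(t)
            while q and q[0] < t - WINDOW_S:                # drop failures outside the window
                q.popleft()
            if len(q) >= limit:
                self.lockout_count[key] += 1
                self.locked_until[key] = t + LOCKOUT_BASE_S * 2 ** (self.lockout_count[key] - 1)
                q.clear()

    def record_success(self, account: str, ip: str) -> None:
        self.failures.pop("acct:" + account, None)          # a real login resets the account counter
```

Return the same generic error for a locked account as for a wrong password so the endpoint does not become an account-enumeration oracle, and log the lockout events: they are a useful detection signal in their own right.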
What is Cross-Site Request Forgery?
Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically and attach the site's cookies to the request).
How does one defend against CSRF?
Nonces (anti-CSRF tokens) required by the server for each page or each request is an accepted, albeit not foolproof, method; checking the Origin/Referer header, setting the SameSite attribute on session cookies, and never performing state changes on GET complement it. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.
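The attack and the defenses side by side, as an added example (not the article's code): a server-side gate for state-changing requests that refuses GET, checks the request's origin, and verifies a session-bound HMAC token in constant time, together with the cookie attribute that stops the browser sending the session cookie on cross-site fetches in the first place. `SITE_ORIGIN` reuses the foo.com host from the page's example; the session ids, the attacker origin and the `state_change_allowed` signature are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)   # from configuration in a real deployment
SITE_ORIGIN = "https://foo.com"           # the site in the page's example
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session by HMAC: nothing to store server-side, and a token
    lifted from one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """SameSite=Lax stops the browser attaching the cookie to cross-site POSTs and to
    <img>/<script> fetches, the very mechanism the logout example relies on."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def state_change_allowed(method: str, headers: Dict[str, str],
                         session_id: Optional[str], form_token: Optional[str]) -> bool:
    """Gate for any handler that changes state (logout, transfer, password change).
    `headers` keys are assumed lower-cased, as a framework would normalise them."""
    if method.upper() in SAFE_METHODS:
        # A state change reachable by GET is exactly what <img src="https://foo.com/logout/">
        # abuses; refuse it outright, whatever else the request carries.
        return False
    if session_id is None or form_token is None:
        return False
    origin = headers.get("origin") or headers.get("referer", "")
    if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
        return False                       # cross-site, or neither header present: fail closed
    return hmac.compare_digest(form_token, csrf_token_for(session_id))


def img_tag_attack(session_id: str) -> bool:
    """The page's example: the browser fetches the IMG URL with the victim's cookie,
    as a GET, from another origin, with no token."""
    return state_change_allowed("GET", {"referer": "https://evil.example/"}, session_id, None)


def forged_post(session_id: str) -> bool:
    """Auto-submitted cross-site form: right method, right cookie, wrong origin, no token."""
    return state_change_allowed("POST", {"origin": "https://evil.example"}, session_id, None)


def legitimate_post(session_id: str) -> bool:
    return state_change_allowed("POST", {"origin": SITE_ORIGIN}, session_id, csrf_token_for(session_id))
```

Each layer covers a gap in the others: the token defends against a forged request that somehow carries a plausible origin, the origin check catches a leaked token, and SameSite stops most attacks before they reach the server at all. The token must still be unreachable to XSS on the same origin, which no CSRF control can fix.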
If you were a site administrator looking for incoming CSRF attacks, what would you look for?
This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we already implement nonces?", or, "That depends on whether we already have controls in place
performed.
Look for people who get this, and are ok with the challenge.
What's the goal of information security within an organization?
This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. "To control access to information as much as possible, sir!" While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, "To help the organization succeed."
This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.
What's the difference between a threat, vulnerability, and a risk?
As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent, for example: a threat is someone or something that could cause harm, a vulnerability is a weakness the threat could exploit, and risk is the likelihood and impact of that actually happening.
If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]
We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What's being logged and audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.
As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities?
This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.
Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.
Both are true, of course; the key is to hear what they have to say on the matter.
The Onion Model
The questions above are fairly straightforward. They are, generally, negative filters, i.e. they're designed to exclude candidates for having glaring we weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model.
The Onion Model of interviewing starts at the surface level and then dives deeper and deeper, often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate's knowledge stops, but also how they deal with not knowing something.
One component of this cannot be overstated: using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question.
An example of this would be starting with:
How does traceroute work?
They get this right, so you go to the next level.
What protocol does it use?
This is a trick question, as it can use lots of options, depending on the tool. Then you move on.
Describe a Unix traceroute hitting google.com at all seven layers of the OSI model.
Etc. It's deeper and deeper exploration of a single question. Here's a similar option for the end-phase of such a question.
If I'm on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC in order to complete a traceroute to twitter.com?
The key here is that they need to factor in all layers: Ethernet (ARP for the gateway), IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee.
This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, "What happens when I go to Google.com?"
How would you build the ultimate botnet?
Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, "I don't make them; I stop them."
Role-Playing as an Alternative to the Onion Model
Another option for going to increasing depth is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.
You would tell them, for example, that they've been called in to help a client who's received a call from their ISP stating that one or more computers on their network have been compromised. And it's their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. "I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8?" And you can then say yes or no, etc.
From there they continue troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.
Innovation Questions
At the top tier of technical security roles you may want someone who is capable of designing as well as understanding. In these cases you can also ask questions about design flaws, how they would improve a given protocol, etc.
These questions separate good technical people from top technical people, and I imagine less than 1% of those in infosec would even attempt to answer any of these.
Here are a few examples:
• What are the primary design flaws in HTTP, and how would you improve it?
• If you could re-design TCP, what would you fix?
• What is the one feature you would add to DNS to improve it the most?
• What is likely to be the primary protocol used for the Internet of Things in 10 years?
• If you had to get rid of a layer of the OSI model, which would it be?
[ NOTE: You can ask infinite variations of these, of course. Asking for three options instead of one, or asking them to rank the results, etc. ]
It's important to note with these questions that you could have a superstar analyst who knows nothing about these matters, while someone who is at this level would make a poor forensic expert. It's all about matching skills to roles.