The worst manifestations violating these principles are things like:
Nonces required by the server for each page or each request are an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.
This is a trick question, as it can use lots of options, depending on the tool. Then you move on.
The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee.
, not of filtering. Imagine that both you and the candidate are amazing, and the only thing you're doing is seeing if you are a good fit for each other.
At the top tier of technical security roles you may want someone who is capable of designing as well as understanding. In these cases you can also ask questions about design flaws, how they would improve a given protocol, etc.
Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. A victim just loading that page could potentially get logged out from , and their browser would have made the action, not them (since browsers load all IMG tags automatically).
and/or what are some ways it's been attacked in the past?
As a hiring organization, be cautious of any interviewer that has an ego or attitude. The odds of you getting any good data from them are low. The name of the game is reducing bias, and that type has a lot of it.
Block ciphers work on a block of cleartext at a time, and are best used for situations where you know how large the message will be, e.g., for a file. Stream ciphers work on single units of cleartext, such as a bit or a byte, and they're best used when you're not sure how long the message will be.
Diffie-Hellman, RSA, EC, ElGamal, DSA
What is a skill you wish you had but don't yet have?
The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly quality control. In short, there's no way to tell the quality of a project simply by knowing that it's either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.
This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. "To control access to information as much as possible, sir!" While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, "To help the organization succeed."
I have had these questions asked to me on numerous interviews. It's quite humorous when they find out they're reading from my website.
For more on hiring overall, I recommend doing a good amount of research. Most important to learn, as I talked about above, is the limitations of interviews. Use other data available to you whenever possible, and above everything else: be extremely cautious of anyone who thinks they can spot "the one" because they're good at it.
Always try to combine any interview with a work sample, and/or great reference data.
I look for people to realize that companies don't actually care as much about security as they claim to; otherwise we'd have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed. A variation of this is something like:
All we want to see here is if the color drains from the person's face. If they panic then we not only know they're not a programmer (not necessarily bad), but that they're afraid of programming (bad). I know it's controversial, but I think that any high-level security person needs at least some programming skills. They don't need to be a god at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.
Their list isn't key here (unless it's bad); the key is to not panic.
transmission, which would you do first, and why?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing algorithm. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have the other party's key material beforehand (RSA), while the other builds a shared secret from nothing but the exchange itself (DH). Blank stares are undesirable.
ECB just does a one-to-one lookup for encryption, block by block, without using an IV, so identical plaintext blocks produce identical ciphertext blocks; that makes it fairly easy to attack using a chosen-plaintext attack. CBC uses an IV for the first block and then XORs the previous ciphertext block into each subsequent plaintext block before encrypting it, so every block depends on everything before it. The difference in results can be remarkable.
A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, well, consider closely what position you're hiring them for. Hopefully it isn't a senior position.
A key question you should be asking yourself with these types of questions is whether it's something they should know off the top of their head, or if it's something they should be able to research quickly and find out. If it's the latter, then why are we asking them to recite it from memory? That's the old style of interviewing, and it is not effective in predicting real-world success.
Look for people who get this, and are ok with the challenge.
method of building a shared secret over a public medium?
Other good responses include those around using solid, dependable frameworks, and not building your own.
Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world, then you're likely working with someone very junior or otherwise highly abstracted from the real world.
How are you working to get that skill?
Every Sunday I put out a curated list of the best stories in infosec, technology, and humans to over 20K people.
have just plugged in my network cable. How many packets must leave my NIC in
Input Validation and Output Sanitization, with focus on the latter.
CREATED: MARCH 2007 UPDATED: JULY 2018
Created: June 28, 2008 Updated: July 28, 2018
An IV is used to initiate encryption by providing an additional (third) input alongside the cleartext and the key. In general you want IVs that are random and unpredictable, and used only once per message under a given key. The goal is to ensure that two messages encrypted with the same key do not result in the same ciphertext.
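To make the ECB-versus-CBC difference and the role of the IV concrete, here is an added example that is not from the original article. It uses a toy 64-bit Feistel block cipher built from SHA-256 so it runs on the Python standard library alone; the cipher, key and plaintext are constructed for illustration and the cipher is not secure. The point is the mode, not the primitive: swapping the toy cipher for AES would show the same behaviour.

```python
import hashlib
import os

BLOCK = 8           # bytes per block for the toy cipher below
HALF = BLOCK // 2

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(half, key, r):
    # Keyed, round-dependent hash of one half, truncated to half a block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:HALF]

def toy_encrypt_block(key, block, rounds=8):
    """Toy 64-bit Feistel cipher (constructed for this demo; NOT secure)."""
    L, R = block[:HALF], block[HALF:]
    for r in range(rounds):
        L, R = R, _xor(L, _round_fn(R, key, r))
    return R + L

def toy_decrypt_block(key, block, rounds=8):
    R, L = block[:HALF], block[HALF:]          # undo the final swap
    for r in reversed(range(rounds)):
        L, R = _xor(R, _round_fn(L, key, r)), L
    return L + R

def ecb_encrypt(key, data):
    """ECB: each block is encrypted independently, so equal blocks give equal output."""
    assert len(data) % BLOCK == 0
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key, iv, data):
    """CBC: the previous ciphertext block (the IV for the first) is XORed into each plaintext block."""
    assert len(data) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ct):
    """How many ciphertext blocks are duplicates of an earlier block."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def demo():
    key = b"toy-key-16-bytes"                      # constructed
    plaintext = b"ATTACK!!" * 4 + b"DEFEND!!" * 2  # 6 blocks, only 2 distinct
    ecb = ecb_encrypt(key, plaintext)
    iv1, iv2 = os.urandom(BLOCK), os.urandom(BLOCK)
    cbc_a = cbc_encrypt(key, iv1, plaintext)
    cbc_b = cbc_encrypt(key, iv1, plaintext)       # same key AND same IV: the mistake to avoid
    cbc_c = cbc_encrypt(key, iv2, plaintext)
    return {
        "ecb_repeats": repeated_blocks(ecb),       # 4: the plaintext's structure leaks
        "cbc_repeats": repeated_blocks(cbc_a),     # 0: chaining hides it
        "same_iv_same_ct": cbc_a == cbc_b,         # True: IV reuse reveals identical messages
        "fresh_iv_same_ct": cbc_a == cbc_c,        # False
        "roundtrip": cbc_decrypt(key, iv1, cbc_a) == plaintext,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `same_iv_same_ct` line is the IV rule from the paragraph above in action: CBC with a fresh IV hides the repeated blocks, but reusing an IV under the same key tells an observer that two messages are identical (and, more generally, that they share a prefix).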
Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.
Which key is used for which function?
Look for discussion of account lockouts, IP restrictions, fail2ban, commercial versions thereof, etc.
What are the differences, and when would you use one vs. the other?
Both are true, of course; the key is to hear what they have to say on the matter.
If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.
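An added example (not from the original article) that makes the size argument visible: a constructed, highly repetitive plaintext is processed in both orders. The encryption step is a toy XOR stream cipher keyed from SHA-256 in counter mode, constructed here for illustration only; any real cipher produces output that is equally incompressible.

```python
import hashlib
import os
import zlib

def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with a SHA-256 counter-mode keystream (illustrative only).
    Applying it twice with the same key and nonce restores the input."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def compare_orders(plaintext, key=None, nonce=None):
    """Sizes of the result when compressing then encrypting versus the reverse."""
    key = key or os.urandom(32)
    nonce = nonce or os.urandom(16)
    compress_then_encrypt = keystream_xor(key, nonce, zlib.compress(plaintext))
    encrypt_then_compress = zlib.compress(keystream_xor(key, nonce, plaintext))
    return {
        "plain": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }

# Constructed sample: redundant text, like a log file or a repeated request.
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          b"User-Agent: demo\r\n\r\n") * 200

if __name__ == "__main__":
    print(compare_orders(SAMPLE))
```

Compress-then-encrypt is the right order for storage and for bulk transfer. One caveat a practitioner should raise: when attacker-influenced input is compressed in the same stream as a secret (a session cookie in an HTTP response, say), the compressed length leaks information about that secret. That is the CRIME/BREACH class of attacks, and it is why TLS-level compression is disabled today.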
This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.
Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.
A trick question, to be sure, but an important one. If they start throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn't work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.
It doesn't, of course. Not natively. Good answers are things like cookies, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn't do it itself.
They get this right, so you go to the next level.
Diffie-Hellman. And if they get that right you can follow-up with the next one.
Why did you choose to approach it the way you did vs. (list alternatives)
From there they continue to troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.
It's important to note with these questions that you could have a superstar analyst who knows nothing about these matters, while someone who is at this level would make a poor forensic expert. It's all about matching skills to roles.
Sadly this knowledge is not yet understood by most interviewers and HR departments, which are still doing these things like theyre canon.
Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you're looking for is for them not to panic. The object here should be identifying absolute beginners and/or having fun with people who know how silly the question is.
You encrypt with the other person's public key, and you sign with your own private key. If they confuse the two, don't put them in charge of your PKI project.
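Which key does what, as an added example that is not taken from the original article: textbook RSA over two constructed pairs of small primes (no padding, far too small, and insecure as written; real systems use OAEP/PSS padding and moduli of 2048 bits or more), kept minimal so the key roles are visible in a few lines.

```python
import hashlib

E = 65537   # conventional public exponent

def keygen(p, q, e=E):
    """Textbook RSA keypair from two primes (constructed toy sizes; insecure)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)

def encrypt(public, m):
    """Confidentiality: anyone can encrypt TO the key holder with the PUBLIC key."""
    n, e = public
    assert 0 <= m < n
    return pow(m, e, n)

def decrypt(private, c):
    """Only the holder of the matching PRIVATE key can undo it."""
    n, d = private
    return pow(c, d, n)

def _digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    """Authenticity: the signer uses their own PRIVATE key on a hash of the message."""
    n, d = private
    return pow(_digest_int(message, n), d, n)

def verify(public, message, signature):
    """Anyone with the signer's PUBLIC key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest_int(message, n)

def demo():
    alice_pub, alice_priv = keygen(1_000_000_007, 998_244_353)      # constructed primes
    bob_pub, bob_priv = keygen(2_147_483_647, 1_000_000_009)        # constructed primes
    message = b"pay bob 100"
    secret = 123456789
    c = encrypt(bob_pub, secret)          # Alice encrypts to Bob with BOB'S public key
    sig = sign(alice_priv, message)       # Alice signs with HER private key
    return {
        "bob_decrypts": decrypt(bob_priv, c) == secret,
        "alice_cannot_decrypt": decrypt(alice_priv, c) != secret,
        "signature_valid": verify(alice_pub, message, sig),
        "tampered_rejected": not verify(alice_pub, b"pay bob 1000", sig),
        "wrong_key_rejected": not verify(bob_pub, message, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The two private-key operations look alike (both are a modular exponentiation with d), which is exactly why candidates mix them up: the difference is whose key is used and what goes in. Encryption uses the recipient's public key on the data; signing uses the sender's private key on a hash of the data.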
The key point people usually miss is that each packet that's sent out doesn't go to a different place. Many people think that it first sends a packet to the first hop, gets a time, then sends a packet to the second hop, gets a time, and keeps going until it gets done. That's incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that's used, which is why each successive router along the path is the one to report back. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
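The TTL mechanic above as an added simulation, not from the original article and not a real traceroute (which needs raw sockets and privileges): a constructed four-hop path stands in for the network, every probe is addressed to the final destination, and only the TTL changes between rounds. It also counts the probes, which is the traceroute-specific part of the how-many-packets-leave-my-NIC question; a full answer adds the ARP request for the gateway and whatever DNS lookups the tool makes.

```python
from collections import namedtuple

# Constructed path: routers between us and the destination, in order. The
# last entry is the destination itself.
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1", "203.0.113.77"]
DEST = PATH[-1]

Reply = namedtuple("Reply", "kind source")   # kind: "time-exceeded" or "echo-reply"

def forward(packet):
    """Simulated network: each router decrements the TTL; the router that
    drives it to zero sends ICMP Time Exceeded back. The destination answers
    the probe itself (modelled here as an ICMP echo reply)."""
    ttl = packet["ttl"]
    for hop in PATH:
        ttl -= 1
        if hop == packet["dst"]:
            return Reply("echo-reply", hop)
        if ttl == 0:
            return Reply("time-exceeded", hop)
    return None   # would be a routing black hole

def traceroute(dst, probes_per_hop=3, max_ttl=30):
    """Every probe carries dst as its destination; only the TTL varies.
    Returns ([(ttl, responding hop), ...], [every packet sent])."""
    sent, hops = [], []
    for ttl in range(1, max_ttl + 1):
        replies = []
        for _ in range(probes_per_hop):
            pkt = {"dst": dst, "ttl": ttl}
            sent.append(pkt)
            replies.append(forward(pkt))
        hops.append((ttl, replies[0].source))
        if replies[0].kind == "echo-reply":
            break
    return hops, sent

if __name__ == "__main__":
    hops, sent = traceroute(DEST)
    for ttl, hop in hops:
        print(f"{ttl:2d}  {hop}")
    print(f"{len(sent)} probes sent, all addressed to {DEST}")
```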
CSRF attacks, what would you look for?
If you could have the perfect job and the perfect manager, what would that look like? What you do day to day, and what kind of projects would you have?
Look for a conversation about weak ciphers, vulnerabilities like Heartbleed, BEAST, etc. It's not necessarily crucial that they remember every themed vulnerability and the exact specifics, but they should know what the issue was, why it was a problem, and what the fix was.
We're looking for conversations about Perfect Forward Secrecy here, threats to encrypted data, etc.
Another option for going deeper is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.
Look for a smile like they caught you in the cookie jar. If they're confused, then this role should be for an extremely junior position.
Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.
This used to say home lab, but now that extends to the cloud as well.
What are the primary design flaws in HTTP, and how would you improve it?
If they're familiar with infosec shops of any size, they'll know that DNS requests are a treasure when it comes to malware indicators.
when someone visits a secure website.
What follows is a list of techniques for vetting candidates in Information Security (InfoSec / Cybersecurity). The list and approach has evolved over the years, as I think it should, and I think it represents a good balance between technical content and the philosophy around desired answers.
Man-in-the-middle, as neither side is authenticated.
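The exchange the last few questions are circling, as an added example that is not from the original article: Diffie-Hellman over a toy group, then the same exchange with nobody authenticating the public values, which is the man-in-the-middle answer above. The modulus p = 2**521 - 1 is a (Mersenne) prime chosen only so the numbers are realistically large; it is not a standardised group, and real deployments use a vetted group such as those in RFC 7919 or an elliptic-curve variant.

```python
import secrets

P = 2**521 - 1   # prime; toy choice for illustration, not a standard DH group
G = 3

def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """(g^y)^x = (g^x)^y mod p: both sides reach the same secret."""
    return pow(peer_pub, priv, P)

def honest_exchange():
    """Alice and Bob publish g^a and g^b over the public channel and each
    derives the shared secret from the other's value and their own exponent."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    return dh_shared(a, B) == dh_shared(b, A)

def mitm_exchange():
    """Nothing ties A or B to Alice or Bob, so Mallory, sitting on the channel,
    replaces each with a value of her own and runs two separate exchanges."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m1, M1 = dh_keypair()   # Mallory's value sent to Alice "from Bob"
    m2, M2 = dh_keypair()   # Mallory's value sent to Bob "from Alice"
    alice_secret = dh_shared(a, M1)     # Alice thinks she shares this with Bob
    bob_secret = dh_shared(b, M2)       # Bob thinks he shares this with Alice
    mallory_with_alice = dh_shared(m1, A)
    mallory_with_bob = dh_shared(m2, B)
    return alice_secret, bob_secret, mallory_with_alice, mallory_with_bob

def mitm_succeeds():
    alice, bob, m_alice, m_bob = mitm_exchange()
    # Mallory holds a key with each side; Alice and Bob hold no key in common,
    # so Mallory can decrypt, read and re-encrypt everything between them.
    return alice == m_alice and bob == m_bob and alice != bob

if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("unauthenticated exchange hijacked:", mitm_succeeds())
```

The fix is not in the arithmetic; it is authentication of the public values (a signature over them with a key the other side already trusts, which is what TLS does with the server certificate). Using fresh exponents for every session is what turns this exchange into the forward-secret variant discussed elsewhere on this page.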
An example of this would be starting with:
So with all that being said, here are my current favorite questions to ask if I have limited time.
The questions above are fairly straightforward. They are, generally, negative filters, i.e. they're designed to exclude candidates for having glaring weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model.
Trick question here. And the goal is not to be cute. If you can't wait to smash someone with this then you should not be interviewing people. It's to identify people who've not been in the industry for any measure of time.
You would tell them, for example, that they've been called in to help a client who's received a call from their ISP stating that one or more computers on their network have been compromised. And it's their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. "I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 220.127.116.11?" And you can then say yes or no, etc.
Humans are bad at interviewing because we are full of biases. You're bad at it. I'm bad at it. Everyone's bad at it. And the more you know this, and work to guard against it, the better (or at least less bad) you'll be.
What is likely to be the primary protocol used for the Internet of Things in 10 years?
Standard stuff here: single key vs. two keys, etc, etc.
As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as youd like, but keep in mind that there are a few different schools on this. Just look for solid answers that are self-consistent.
Puzzle questions that dont apply to the real world
Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. Basically anything intelligent in terms of discussion. There can be many signs of maturity or immaturity in this answer.
This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, What happens when I go to Google.com?
Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn't primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.
What do you think the most important technology is right now?
The Onion Model of interviewing starts at the surface level and then dives deeper and deeper, often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate's knowledge stops, but also how they deal with not knowing something.
what would your priorities be? Imagine you start on day one with no knowledge of the environment.
and you often perform both encryption and signing functions.
Etc. It's deeper and deeper exploration of a single question. Here's a similar option for the end-phase of such a question.
Look for the standard responses, with the client sending a hello with the ciphers it supports, the server responding with its certificate/public key and picking a cipher, agreement on a shared key, etc. But then dive deeper into the questions below.
The answer you're looking for here is that TLS is a must for the entire site at this point, and that there are very few situations where you shouldn't insist on encryption.
One component of this cannot be overstated: Using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question.
Also beware that any interviewee who is extremely nervous is not performing their best. As an interviewer, your job should be to get them relaxed enough to perform the way they will at work, and to reduce any tension that's preventing that from happening.
Good answers here are anything that shows you the person is a computer/technology/security enthusiast and not just someone looking for a paycheck. So if she's got multiple systems running multiple operating systems you're probably in good shape. What you don't want to hear is, "I get enough computers when I'm at work." I've yet to meet a serious security guy who doesn't have a considerable home network, or at least access to one, even if it's not at home.
Fortune 500 company due to the previous guy being fired for incompetence,
If you could re-design TCP, what would you fix?
what's more important to focus on: threats or vulnerabilities?
Both. Have them talk through how each is used. The key (sorry) is that they understand the initial key exchange is done using asymmetric cryptography and that bulk data encryption requires speed and therefore symmetric algorithms.
These questions separate good technical people from top technical people, and I imagine less than 1% of those in infosec would even attempt to answer any of these.
Some questions are borderline gotcha, or core knowledge that can be googled, and these tend to function more like proxies for experience. Be willing to constantly evaluate your questions (including these below) to make sure they are not based on pet, gotcha, puzzle, or pressure.
The June 2017 update was a rewrite based on an evolving view of technical interviews. Check out the Philosophy section above to learn about that evolution.
Feel free to contact me if you have any comments on the questions, or if you have any ideas for additions.
Forward Secrecy is a system that uses ephemeral session keys to do the actual encryption of TLS data, so that even if the server's long-term private key were to be compromised, an attacker could not use it to decrypt captured data that had been sent to that server in the past.
Tell me about a project you worked on in the past that you really enjoyed.
The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they're talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the "many eyes" regurgitation then I'll know he's read Slashdot and not much else. And if I just get the "people in China can put anything in the kernel" routine then I'll know he's not so good at looking at the complete picture.
Ideally you'll hear inquiry into what's meant by dangerous. Does that mean more likely to attack you, or more dangerous when they do?
Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site.
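Both flavours, and the "output sanitization" answer from the input-validation question, as an added example that is not from the original article. A reflected search page and a stored comment list are each shown once echoing input raw and once escaping it at the point of output with `html.escape`; the handlers, the in-memory comment store and the payload are constructed for the demo.

```python
import html
from urllib.parse import parse_qs

# Constructed attacker input, percent-encoded as it would appear in a URL
# the attacker tricks the victim into visiting.
PAYLOAD_QS = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

def _term(query_string):
    return parse_qs(query_string).get("q", [""])[0]

def render_search_vulnerable(query_string):
    """Reflected XSS: the request's own parameter is written into the page untouched."""
    return f"<p>Results for {_term(query_string)}</p>"

def render_search_safe(query_string):
    # Escape at the point of output, for the HTML text context. Attribute
    # values, JavaScript and URL contexts each need their own encoder.
    return f"<p>Results for {html.escape(_term(query_string), quote=True)}</p>"

COMMENTS = []   # constructed stand-in for a database table

def post_comment(text):
    # Stored as submitted. Validating on input is worthwhile but not sufficient:
    # data can reach the table by other routes, and the rendering context is
    # only known at output time.
    COMMENTS.append(text)

def render_comments_vulnerable():
    """Stored XSS: every later visitor's browser runs whatever was saved."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"

def render_comments_safe():
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS) + "</ul>"

def demo():
    COMMENTS.clear()
    post_comment("<script>alert(1)</script>")
    return {
        "reflected_raw": render_search_vulnerable(PAYLOAD_QS),
        "reflected_escaped": render_search_safe(PAYLOAD_QS),
        "stored_raw": render_comments_vulnerable(),
        "stored_escaped": render_comments_safe(),
    }

if __name__ == "__main__":
    for name, page in demo().items():
        print(f"{name}: {page}")
```

The fix is identical for both: the difference between stored and reflected is only where the attacker's string waits before it reaches a browser, which is why the defence belongs at output, in the encoder for the specific context, rather than in a filter on the way in.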
This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we already implement nonces?", or, "That depends on whether we already have controls in place." Undesired answers are things like checking referrer headers, or wild panic.
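The nonce answer, as an added example that is not from the original article: a state-changing logout endpoint with and without a server-issued token check. The session store, the endpoint and the request shapes are constructed for the demo; the token is per session and rotated after each successful use, which gives the per-request nonce the CSRF answer describes.

```python
import hmac
import secrets

# Constructed in-memory session store; a real app keeps this server-side,
# looked up by the session cookie.
SESSIONS = {}

def new_session():
    """Log a user in: create a session with a fresh, unpredictable CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "logged_out": False}
    return sid

def handle_logout_vulnerable(session_cookie, form_fields):
    """Anything carrying the cookie succeeds, including an <img src=...> GET
    from an attacker's page: the browser attaches the cookie automatically."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        return 401
    session["logged_out"] = True
    return 200

def handle_logout(session_cookie, form_fields):
    """Same endpoint, protected. The token came from a page this server
    rendered, which a cross-site page cannot read (same-origin policy), so
    a correct token proves the request was built by our own form."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        return 401
    submitted = form_fields.get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered from timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    session["logged_out"] = True
    session["csrf_token"] = secrets.token_urlsafe(32)   # rotate: one use per token
    return 200

def demo():
    """Returns the status codes of five requests; see comments for each."""
    sid = new_session()
    cross_site = {}   # an <img>-triggered GET carries the cookie but no form fields
    vulnerable = handle_logout_vulnerable(sid, cross_site)        # 200: action fired
    SESSIONS[sid]["logged_out"] = False                            # reset between runs
    forged = handle_logout(sid, cross_site)                         # 403: no token
    guessed = handle_logout(sid, {"csrf_token": "0" * 43})          # 403: wrong token
    token = SESSIONS[sid]["csrf_token"]
    legitimate = handle_logout(sid, {"csrf_token": token})          # 200: token from our page
    replayed = handle_logout(sid, {"csrf_token": token})            # 403: already used
    return vulnerable, forged, guessed, legitimate, replayed

if __name__ == "__main__":
    print(demo())
```

Referrer checks, the undesired answer above, fail in both directions: the header is routinely stripped by privacy settings and proxies (breaking legitimate users) and is not something the server can treat as proof of origin. The token works because it is a secret the cross-site page cannot obtain.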
This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus, since we in the corporate world usually have little control over the threats.
If you had to get rid of a layer of the OSI model, which would it be?
high traffic website where performance is a consideration?
We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What's being logged and audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.
You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.
Bias is a major problem in interviewing, and it's likely that someone with a steadfast belief in his or her interview brilliance is doing harm to your organization by introducing bad candidates. When possible, do what Google did: explore the data. Look at how candidates did in interviews relative to how they did on the job. Wherever you have mismatches you have a problem with your process.
Pressure environments that melt people into 10% of what they are normally
Pet questions that filter for people like the interviewer
You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.
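Salting, and why it defeats the rainbow-table attack from the password-cracking question, as an added example that is not from the original article. It contrasts a bare SHA-256 of the password with PBKDF2-HMAC-SHA256 over a random per-user salt; the users, passwords and the attacker's table are constructed for the demo, and the iteration count is deliberately low so it runs quickly.

```python
import hashlib
import hmac
import os

# Kept low so the demo is fast; OWASP's current guidance for PBKDF2-HMAC-SHA256
# is 600,000 iterations.
ITERATIONS = 100_000

def unsalted_hash(password):
    """What a rainbow table targets: the digest depends on the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Random per-user salt plus a slow KDF. The salt is stored in the clear
    beside the digest; its job is uniqueness, not secrecy."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${digest.hex()}"

def verify_salted(password, stored, iterations=ITERATIONS):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)

def table_attack(table, user_digests):
    """Look each stored digest up in a precomputed digest -> password table."""
    return {user: table[h] for user, h in user_digests.items() if h in table}

def demo():
    common = ["password", "123456", "letmein"]
    # The attacker precomputes once and reuses the table against every site.
    table = {unsalted_hash(p): p for p in common}
    users_unsalted = {"alice": unsalted_hash("letmein"), "bob": unsalted_hash("letmein")}
    users_salted = {"alice": salted_hash("letmein"), "bob": salted_hash("letmein")}
    salted_digests = {u: s.split("$")[1] for u, s in users_salted.items()}
    return {
        "unsalted_identical": users_unsalted["alice"] == users_unsalted["bob"],
        "cracked_unsalted": len(table_attack(table, users_unsalted)),
        "salted_identical": users_salted["alice"] == users_salted["bob"],
        "cracked_salted": len(table_attack(table, salted_digests)),
        "verify_ok": verify_salted("letmein", users_salted["alice"]),
        "verify_wrong": verify_salted("wrong", users_salted["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

Two things happen at once here. The salt makes every user's digest unique, so a single precomputed table no longer cracks everyone who picked the same password, and the attacker must redo the work per salt. The slow KDF then makes that per-salt work expensive. A salt alone does not slow a guessing attack against one account; the iteration count (or a memory-hard function such as scrypt or Argon2) does that.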
Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that he doesn't respond with, "I go to the CNET website.", or, "I wait until someone tells me about events." It's these types of answers that will tell you he's likely not on top of things.
decrypt all previous content sent to that server?
Here are my First Principles of interviewing in general:
You can ask infinite variations of these, of course. Asking for three options instead of one, or asking them to rank the results, etc.
The goal of interviewing should be to extract the best from the candidate, not to trick them, make them uncomfortable, or otherwise keep them from shining.
This is a fairly technical question but its an important concept to understand. Its not natively a security question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.
Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, I dont make them; I stop them.
What is the one feature you would add to DNS to improve it the most?
Here is an article about Google revealing the ineffectiveness of their brainteaser questions.