Information Security Officer Interview Preparation Guide

Download PDF

It doesn’t, of course. Not natively. Good answers are things like “cookies”, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn’t do it itself.

You purposely want to give the question without context. If they know what salting is just by name, they’ve either studied well or have actually been exposed to this stuff for a while.

Their list isn’t key here (unless it’s bad); the key is to not get panic.

You’d be amazed at how many security people don’t know even the basics of this immensely important topic. We’re looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.

Their list isn’t key here (unless it’s bad); the key is to not get panic.

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.

Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. There can be many signs of maturity or immaturity in this answer.

While it may sound odd, it is possible to access Active Directory from a non-Windows system. Active Directory uses an implementation of the SMB protocol, which can be accessed from a Linux or Mac system by using the Samba program. Depending on the version, this can allow for share access, printing, and even Active Directory membership.

Here you’re looking for a quick comeback for any position that will involve system administration (see system security). If they don’t know how to change their DNS server in the two most popular operating systems in the world, then you’re likely working with someone very junior or otherwise highly abstracted from the real world.

Nothing shows you how to break and fix things more than a test environment, and for most people that means their home network. Whether its a Windows laptop with a wireless generic router and a phone all the way up to 14 Linux Workstations, an Active Directory Domain Controller, a dedicated Firewall appliance and a net-attached toaster – as long as you are learning and fiddling with it, that’s what matters.

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here–not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for.

This particular question can lead into a major philosophical debate about freedom of information, and if something is implemented in a deliberately broken way it isn’t actually breaking into it, etc etc. The one I’ve heard the most is the classic Jedi example – same tools, different ideologies. Personally, with the people I know that have worked on both sides of the line it comes down to this – the difference between a Black Hat and a White Hat is who is signing the check..

Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.

SSH (TCP port 22) is a secure connection used on many different systems and dedicated appliances. Routers, Switches, SFTP servers and unsecure programs being tunnelled through this port all can be used to help harden a connection against eavesdropping. Despite the fact that most times when you hear about somebody ‘SSHing’ into a box it involves Linux, the SSH protocol itself is actually implemented on a wide variety of systems – though not by default on most Windows systems. Programs like PuTTY, Filezilla and others have Windows ports available, which allow Windows users the same ease-of-use connectivity to these devices as do Linux users.

Good answers here are anything that shows you he’s a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he’s got multiple systems running multiple operating systems you’re probably in good shape. What you don’t want to hear is, “I get enough computers when I’m at work…” I’ve yet to meet a serious security guy who doesn’t have a considerable home network–or at least access to one, even if it’s not at home.

Something they know (password), something they have (token), and something they are (biometrics). Two-factor authentication often times uses a password and token setup, although in some cases this can be a PIN and thumbprint.

POST is one of the best tools available when a system will not boot. Normally through the use of either display LEDs in more modern systems, or traditionally through audio tones, these specific codes can tell you what the system doesn’t like about its current setup. Because of how rare these events can be, unless you are on a tech bench day in and day out, reference materials such as the Motherboard manual and your search engine of choice can be tremendous assets. Just remember to make sure that everything is seated correctly, you have at least the minimum required components to boot, and most importantly that you have all of your connections on the correct pins.

Error messages oftentimes giveaway what the server is running, and many times if the website administrator has not set up custom error pages for every site, it can give it away as simply as just entering a known bad address. Other times, just using telnet can be enough to see how it responds. Never underestimate the amount of information that can be gained by not getting the right answer but by asking the right questions.

It seems like we can’t go more than a few days anymore without hearing about a major breach, which on the surface would make it seem that more people and places are being hacked than ever before (which to be honest is true). However, it also shows that detection and reporting of attacks is improving per requirements of both government entities and insurance companies. As a result, the public and security professionals are both better informed as to what they can do to help protect themselves and watch out for falsified charges on their accounts. Keeping up to date on these matters is vital for anyone interested in Information Security.

Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.”, or, “I wait until someone tells me about events.”. It’s these types of answers that will tell you he’s likely not on top of things.

Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.

SSL is identity verification, not hard data encryption. It is designed to be able to prove that the person you are talking to on the other end is who they say they are. SSL and its big brother TLS are both used almost everyone online, but the problem is because of this it is a huge target and is mainly attacked via its implementation (The Heartbleed bug for example) and its known methodology. As a result, SSL can be stripped in certain circumstances, so additional protections for data-in-transit and data-at-rest are very good ideas.

A lot of people would say that they are the same thing, and in a sense they would be right. However, one is a potential problem while the other is an active problem. Think of it like this: You have a shed with a broken lock where it won’t latch properly. In some areas such as major cities, that would be a major problem that needs to be resolved immediately, while in others like rural areas its more of a nuisance that can be fixed when you get around to it. In both scenarios it would be a vulnerability, while the major cities shed would be an example of an exploit – there are people in the area, actively exploiting a known problem.

This is a doozy, and there are an enormous number of opinions for this question. Many think they are the worst thing that ever happened to the world, while others praise their existence. In the realm of security, they can be the source of extreme data leaks if handled in their default configurations. It is possible to lock down permissions on social networking sites, but in some cases this isn’t enough due to the fact that the backend is not sufficiently secured. This also doesn’t help if somebody else’s profile that you have on your list gets compromised. Keeping important data away from these kinds of sites is a top priority, and only connecting with those you trust is also extremely helpful.

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.