Vital System Auditor Interview Preparation Guide

Download PDF

You purposely want to give the question without context. If they know what salting is just by name, they’ve either studied well or have actually been exposed to this stuff for a while.

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.

Keep your response brief, like you would for “Tell me about yourself,” but outline important experience you’ve had in this area.

By keeping your response brief, it can open up the conversation to be more like a dialogue about the employer’s business metrics rather than a Q&A

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I’m looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.”

This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding—-a realization that security is there for the company and not the other way around.

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here–not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for.

As with most careers, it is difficult to predict where they will lead. Certainly it is common for CISA’s in public accounting firms to move into line management. Other possibilities are to move to industry and become an internal auditor, IT risk or IT security manager, or a CIO.

Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.”, or, “I wait until someone tells me about events.”. It’s these types of answers that will tell you he’s likely not on top of things.

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.

Early in my career, I made a mistake on a report and denied a client their claim on the grounds that the car accident appeared to be a result of their negligence as opposed to the negligence of the other party. I found out later that I was too quick to make that decision. I had not spoken to the police first, who later informed me that the evidence I was looking at was taken after the vehicles had been moved from the scene. They showed me photographs of the vehicle immediately after it had happened, which clearly showed the other party was at fault. I was too quick on the draw, and I learned that every case requires due diligence.

Being able to articulate your functionality and responsibility and specifics related to how you go about the end-of-the-month close at your current or most recent firm is a very important piece, be able to sum up every bullet point on your resume, mentioning highlights and focusing on accomplishments.

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they’re confused, then this should be for an extremely junior position.

First of all, there is a sense of working for the public good as a government auditor. I’ve also served as a private auditor and did many internal audits to ensure the business was in sound financial health. This served an important function in helping the business stay afloat, but it didn’t necessarily involve an entire population. There is a kind of sacred trust in dealing with public money, and perhaps, a greater propensity of some non-profits or government agencies, to lose track of money, because it is being provided. A government audit requires a certain amount of discipline in investigating whether funds earmarked for one purpose were used properly. Elections have been won and lost based on the use of public funds, so it is vital to our public life as citizens.

If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.

As an accountant, you are held to a high standard and the margin for error is tiny. Small mistakes can lead to large financial issues.

“Respond to this question by describing any times you’ve caught errors before submitting work,”. “Emphasize the importance of checking your work and establishing checks and balances within a team.”

You should hear coverage of many testers vs. one, in centralization, focus on rare bugs, etc.

A government auditor has to be particularly careful when auditing a non-profit, because after all, it does concern public funds. Just like any other business, a non-profit has to spend responsibly, but there might be more of a temptation to waste money than in the private sector. Basically, auditing a non-profit, like other businesses, involves ensuring that everything makes sense and the records are up-to-date and accurate. Large expenditures have to be looked at carefully, and one has to be sure that funds earmarked for one purpose, such as building, aren’t used for other purposes. This involves looking at the solicited and unsolicited designated funds and making sure the categories remain distinct.

When I work as an auditor investigating the use of funds on behalf of the government, my role is to evaluate the records to ensure compliance and detect irregularities. In this role, I feel that I am approaching the organization from the outside and am making sure everything is in order. When I do an internal audit, as many non-profits should do on an annual basis, I am working with the company in an advisory role to ensure compliance, and at the same time, empowering the non-profit to improve its financial health and to thrive. In this sense, I’m cooperating with the company as well as evaluating its records.

Hiring managers are hoping to hire accountants and auditors who have the foresight to address any potential issues that may arise before the situation blows up and becomes reactionary.

When you’re asked accounting questions, focus on any recommendations you’ve made to higher-ups, and processes or procedures that you implemented, Think about how you’ve done your job in a proactive sense rather than a reactionary sense.

Especially controllers and CFO-level candidates must be prepared to answer, ‘Have you implemented any processes or procedures?’ and talk them through that

As an auditor or accountant, you might spot reporting issues that may require difficult conversations with colleagues.

With this question, the hiring manager is trying to understand how you would handle these types of situations

☛ What’s the purpose of network encryption?
☛ What’s the most common software problem you face? How do you resolve it?
☛ Are you familiar with server virtualization? Tell us about any experience you have using tools like VMware or VirtualBox.
☛ What are the biggest flaws of cloud applications?
☛ What kinds of internal systems do you audit more frequently? Why?

☛ What is ISO 27001 and why should a company adopt it?
☛ Please describe step-by-step how you would prepare and perform an audit of any given system.
☛ What is a “RISK”, how can it be measured and what actions can be taken to treat it?
☛ Please describe the steps to be taken by a company implementing an ISMS framework
☛ Why did you become (CISSP/CISA) certified?
☛ During an audit, an interviewee is not disclosing the information being requested. How would you overcome this situation?
☛ Within the PCI-DSS sphere, what is a compensating control?
☛ Who is the ultimate responsible to classify a company’s information: the Infosec Team or the information owner?
☛ Please describe the process of evaluating and analysing risks.
☛ What actions would you take to change end user behavior towards InfoSec?
☛ How do you ensure a secure software development? What are the best practices to be followed?

☛ What resources do you use to keep up-to-date with engineering trends (e.g. forums, websites and books?)
☛ What’s your biggest challenge explaining technical details to a non-technical audience? Do you prefer to write a manual or deliver a presentation? Why?
☛ Have you ever worked in a stressful environment where you had to audit various IT systems on tight deadlines? If so, how did you work under deadlines while also meeting quality standards?
☛ How have you helped improve a system’s efficiency in your current or previous position?

☛ What’s the difference between a router, a bridge, a hub and a switch?
☛ Please explain how the SSL protocol works.
☛ What is a Syn Flood attack, and how to prevent it?
☛ Your network has been infected by malware. Please walk me through the process of cleaning up the environment.
☛ What kind of authentication does AD use?
☛ What’s the difference between a Proxy and a Firewall?
☛ What is Cross-Site Scripting and how can it be prevented?
☛ What’s the difference between symmetric and asymmetric encryption?
☛ What’s the difference between encryption and hashing?
☛ Why should I use server certificates on my e-commerce website?
☛ What’s port scanning and how does it work?
☛ Please explain how asymmetric encryption works
☛ Can a server certificate prevent SQL injection attacks against your system? Please explain.
☛ Do you have a home lab? If so, how do you use it to perfect your skills.
☛ What is a Man In The Middle attack?
☛ Take me through the process of pen testing a system.
☛ What is vulnerability test and how do you perform it?
☛ What are the latest threats you foresee for the near future?
☛ How would you harden a Windows Server? What about a Linux Server?
☛ What do you understand by layered security approach?
☛ What’s the better approach setting up a firewall: dropping or rejecting unwanted packets and why?
☛ Please detail 802.1x security vs. 802.11 security (don’t confuse the protocols).
☛ What is stateful packet inspection?
☛ What is NAT and how does it work?
☛ What is a buffer overflow?
☛ What are the most common application security flaws?
☛ What is a false positive?

☛ What measurements would you take to protect an internal network from external threats?
☛ What would you do if the system crashed after a change you implemented?
☛ If you spotted a minor bug in an application, would you try to fix it yourself or mention it to the engineering team?
☛ What policies would you create to ensure our employees properly use technological resources?
☛ You uncover a number of security risks in a high-profile client’s network, but know that the CTO will not take the news well and may terminate your firm’s contract. How do you report the results of your audit?

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn’t primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.