10 Questions To Ask During An Information Security Interview

I was once asked which is stronger – RSA with a 8192 bit key or AES with 128 bit key

Don’t forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge.

– Arik

“Don’t forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge.”

Well said.

My favorite interview bonus question is “how many fire alarm levers did we pass on the way here?”

I’d hire someone who got every technical question wrong but answered that one even in the ball park.

-Dave

I think one could also argue for number 2 that encrypting before compressing would tend to reduce the possibility of known plaintext attacks. But, as you say, there’s not any point in compressing data once it’s been encrypted.

Wow. Some of these are good. When I came to the interview for my current job, my boss had about 15 sheets of questions that are standard. I cannot remember them all now, but I was so nervous. We ended up hiring a guy who was straight out of college and has no Linux experience (he had heard of it before). It is really hurting. We have had to teach about the world all over again. He really doesn’t know that much about the deep parts of Windows.

10 Questions To Ask During An Information Security Interview…

Daniel Miessler has compiled a list of 10 questions that should be asked of a candidate for a security (or even any IT position.) Although not perfect, this list should provide a good starting point for an employer trying to understand whether the cand…

Here is a few we use:

Define non-repudiation and give a real world example.

What would you do with a Rainbow Table?

What is a downstream liability?

What is the difference between symmetric and asymmetric cryptography?

Nice ones, Michael. For the crypto one I usually as them to describe exactly what happens when you send a message that’s both signed and encrypted using PGP — specifically relating to the cryptography. What I look for in the response is the not-so-well-known fact that the message is actually not encrypted with the other person’s public key.

…wait for it…

Instead, the message is encrypted with a randomly generated SYMMETRIC key, and that key is encrypted using their public key. They then decrypt the symmetric key, and use that to read the encrypted message. Which directly illustrates the positives and negatives of both. You wouldn’t want to use asymmetric cryptography to encrypt a very large message due to the time cost, so symmetric cryptography is used instead.

[...]

Hmmm…

Interesting – I got the Compression vs. Encryption question in the terms of asking about how IPSec is handled once.

I used to get the home computer question.

But after I explain my home lab setup and some of the machines I keep around that run from Linux Appliances, Cobalt RAQ Appliances with CentOS and Solaris, or my Solaris Pizza Box that I installed Red Hat 6.0 on or just my run of the mill PC’s with any various OS or some of my favorite tools.

Then we have the Cisco and other vendors gear. I stop after the eyes start to glaze, unless they want to know where I get my bogon lists from or where I find my latest 0-Day Exploits from and how I have acquired so many tools of the trade…

Hmmm…

Well, you know…

How are things going?

Did you ever decide to use Cisco Gear? Get your CCNA yet?

Are you in Orlando this week at SANS?

Later

Define Panic Attack…

This article sounds well, but how everything is related together?…

Where are the answers to all the questions?

Nice compilation of questions….!!

You say, “As weak as the CISSP is as a security certification…”

This cert seems to be der rigeur in the industry for any security position. Almost all the jobs I apply for say it is desirable, required, or you must get certified within 6 months of hire. Why do you have such a low opinion of it? And, if it’s so weak, why do they all want you to have it?

these questions sound very basic…. for jr security position.

what questions you would ask for pentester/sr sec analyst position?

thanks Max

that was a great help for me!
i remember once they asked me a very general Q, what is the difference between sym. and asym. cryptography ?
and why did you choose security to be your track ..

thank you :)

that was a great help for me!
i remember once they asked me a very general Q, what is the difference between sym. and asym. cryptography ?
and why did you choose security to be your track ..

thank you :)

Email Content Security…

Keep ‘em coming :)…

Excellent! Great article, I already saved it to my favourite,

Excellent! Great article, I already saved it to my favourite,

which are information security knowledge sites

Hello Everyone,
I have an Interview with mclaren for Information Security & Compliance analyst.
Need to prepare some presentation…I am very nervous. Can anyone please guide me how to prepare below topic will be asked in Interview, suggestion is welcome -
·Practical experience in administering one or more security technologies / solutions, such as; Firewalls (Checkpoint/ASA preferred), WSUS, MessageLabs, Malware (McAfee/eTrust preferred)

·Hands-on experience or managing or administering one or more of the following technologies; Unix/Linux, Microsoft Windows Server Operating Systems, Microsoft Windows Client Operating Systems, Microsoft Active Directory, Cisco Networking