Comments on: 10 Questions To Ask During An Information Security Interview

By: Max

Max — Fri, 07 Nov 2008 01:57:28 +0000

these questions sound very basic.... for jr security position.

what questions you would ask for pentester/sr sec analyst position?

thanks Max

By: James

James — Sun, 19 Oct 2008 03:13:11 +0000

You say, “As weak as the CISSP is as a security certification…”

This cert seems to be der rigeur in the industry for any security position. Almost all the jobs I apply for say it is desirable, required, or you must get certified within 6 months of hire. Why do you have such a low opinion of it? And, if it’s so weak, why do they all want you to have it?

By: ash

ash — Tue, 26 Aug 2008 14:04:16 +0000

Nice compilation of questions….!!

By: knight

knight — Mon, 14 Jul 2008 05:23:05 +0000

Where are the answers to all the questions?

By: Define Panic Attack

Define Panic Attack — Fri, 21 Mar 2008 21:26:29 +0000

Define Panic Attack...

This article sounds well, but how everything is related together?...

By: Darby Weaver

Darby Weaver — Sat, 13 Jan 2007 10:13:41 +0000

Hmmm...

Interesting - I got the Compression vs. Encryption question in the terms of asking about how IPSec is handled once.

I used to get the home computer question.

But after I explain my home lab setup and some of the machines I keep around that run from Linux Appliances, Cobalt RAQ Appliances with CentOS and Solaris, or my Solaris Pizza Box that I installed Red Hat 6.0 on or just my run of the mill PC's with any various OS or some of my favorite tools.

Then we have the Cisco and other vendors gear. I stop after the eyes start to glaze, unless they want to know where I get my bogon lists from or where I find my latest 0-Day Exploits from and how I have acquired so many tools of the trade...

Hmmm...

Well, you know...

How are things going?

Did you ever decide to use Cisco Gear? Get your CCNA yet?

Are you in Orlando this week at SANS?

Later

By: Waleed Alrodhan - Information Security Blog

Waleed Alrodhan - Information Security Blog — Tue, 09 Jan 2007 23:43:08 +0000

[...]

By: Daniel

Daniel — Tue, 09 Jan 2007 15:59:23 +0000

Nice ones, Michael. For the crypto one I usually as them to describe exactly what happens when you send a message that's both signed and encrypted using PGP -- specifically relating to the cryptography. What I look for in the response is the not-so-well-known fact that the message is actually not encrypted with the other person's public key.

...wait for it...

Instead, the message is encrypted with a randomly generated SYMMETRIC key, and that key is encrypted using their public key. They then decrypt the symmetric key, and use that to read the encrypted message. Which directly illustrates the positives and negatives of both. You wouldn't want to use asymmetric cryptography to encrypt a very large message due to the time cost, so symmetric cryptography is used instead.

By: Michael S Black

Michael S Black — Tue, 09 Jan 2007 13:51:06 +0000

Here is a few we use:

Define non-repudiation and give a real world example.

What would you do with a Rainbow Table?

What is a downstream liability?

What is the difference between symmetric and asymmetric cryptography?

By: Cybercrime Law

Cybercrime Law — Tue, 09 Jan 2007 00:46:15 +0000

10 Questions To Ask During An Information Security Interview...

Daniel Miessler has compiled a list of 10 questions that should be asked of a candidate for a security (or even any IT position.) Although not perfect, this list should provide a good starting point for an employer trying to understand whether the cand...

By: Philip

Philip — Mon, 08 Jan 2007 12:16:18 +0000

Wow. Some of these are good. When I came to the interview for my current job, my boss had about 15 sheets of questions that are standard. I cannot remember them all now, but I was so nervous. We ended up hiring a guy who was straight out of college and has no Linux experience (he had heard of it before). It is really hurting. We have had to teach about the world all over again. He really doesn’t know that much about the deep parts of Windows.

By: Wonk

Wonk — Mon, 08 Jan 2007 12:09:26 +0000

I think one could also argue for number 2 that encrypting before compressing would tend to reduce the possibility of known plaintext attacks. But, as you say, there’s not any point in compressing data once it’s been encrypted.

By: Dave

Dave — Mon, 08 Jan 2007 03:10:47 +0000

"Don’t forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge."

Well said.

My favorite interview bonus question is "how many fire alarm levers did we pass on the way here?"

I'd hire someone who got every technical question wrong but answered that one even in the ball park.

-Dave

By: Arik

Arik — Mon, 08 Jan 2007 01:18:20 +0000

I was once asked which is stronger - RSA with a 8192 bit key or AES with 128 bit key

Don't forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge.

-- Arik