CYBERSECURITY JOB HUNTING GUIDE
5 Information Security Interview Questions Designed To Trick You
Author: Naomi Buckwalter
Source: https://www.linkedin.com/pulse/5-information-security-interview-questions-designed-trick-buckwalter/
Acing your next Information Security job interview might come down to knowing how to answer these five tricky questions.
Information Security hiring managers are a tricky lot. We are forever looking for ways to test our candidates' knowledge - after all, Information Security covers a lot of domains! From network security to application penetration testing, and to all the governance, risk, and compliance in between, we know we have our work cut out for us when it comes to interviewing potential hires.
There are several interview questions in particular that can easily separate those new to the industry from the more seasoned veterans. Here are five commonly asked Information Security interview questions designed to trick candidates:
1. What do you like to do in your spare time (tell me about yourself)?
No, I don't want to hear about your side business of selling leggings, or the number of times you've gone skydiving. I want to hear that you spend your free time learning all you can about security; from playing with open-source tools, to watching webinars, reading technical books, and writing blog posts. Bonus points to those who have built home/cloud labs and are super proud of the things they've done with it. Talk about that! Go crazy. Let your interviewer hear your passion for security.
2. Can there be "too much security"?
This question is my favorite, because even the most senior architects and engineers can get it wrong. The answer is YES, THERE CAN BE TOO MUCH SECURITY. Information Security is a service to the business. It is meant to be an enabler, not a detractor, of business efficiency. If the business cannot function because security policies are too strict, then there's a problem. Security acts in the best interest of the business - implement as much security as required for the business to operate securely, and everyone goes home happy. Information Security should align its objectives with the objectives of the business. Only then can there be a true partnership between security and its stakeholders.
3. What is better, open source software or paid licenses?
This one is a classic. I like to hear the answer "it depends". Open source software can be great for its transparency and built-in community of users, but as open-source projects get older, core contributors might move onto different projects. Pull requests build up, bugs don't get fixed, and the project languishes by the wayside. The hot open-source project from one year can be a thorn in your side the next. Enterprise-licensed software, on the other hand, might be closed-source and less transparent, but it almost always comes with a dedicated support team and a budget for fixing technical debt and bugs. So, depending on what you need the software to do, you can choose between open-source or paid - just know the inherent risks for both. You get what you pay for, as the saying goes.
4. What is the best hashing algorithm for encrypting web traffic?
If you saw the trick in this question, good for you. Hashing can't be used to encrypt web traffic at all. After all, hashing is one-way (meaning, once hashed, it can't be "un-hashed" or decrypted) and is used to verify the integrity of a message (and, with a keyed construction such as an HMAC, its authenticity); a common use case is the hashing of passwords. On the other hand, encryption of web traffic maintains the confidentiality of a message (meaning, the message gets decrypted when it reaches its final destination). If your interviewer asks you this question, answer quickly, but then talk about what else you might know about cryptography and encryption protocols. Talk about asymmetric key algorithms like RSA and elliptic curve cryptography, and how a 1,024-bit RSA key offers roughly the same security strength as a 160-bit elliptic curve key. Draw a diagram of the Diffie-Hellman key exchange. Go ahead. Nerd out. Your interviewer will be duly impressed.
5. What port does ping use?
This one got me once in an interview, which is why I'm including it in this list. A ping message is sent via the Internet Control Message Protocol (ICMP), which doesn't use ports! If you are asked this question, you should automatically tie this into the OSI model. Talk about how ICMP operates at the Network Layer (Layer 3 of the OSI Model), whereas protocols like TCP and UDP operate at the Transport Layer (Layer 4). Talk all the way up to Layer 7 (the Application Layer) - and explain how the layers tie together using data encapsulation. At this point, if you have established a good rapport with your interviewer, go ahead and tell the "UDP joke" ("Did you hear the UDP joke? I'll tell you, but I don't care if you get it." - chuckle chuckle). Trust me, they'll love it.
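As an added illustration of the encapsulation point (not code from the original article), the block below builds two constructed IPv4 packets and decapsulates them: the Layer 3 IPv4 header wraps either an ICMP echo request, whose header has type, code, checksum, identifier and sequence fields but no ports, or a UDP datagram, whose header starts with source and destination ports. Function names, addresses and payloads are assumptions made for the sample.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used by both IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed sample: 10.0.0.1 -> 10.0.0.2, TTL 64)."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
              bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0): no port fields anywhere in the header."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_packet(packet: bytes) -> dict:
    """Strip the Layer 3 IPv4 header and describe whatever header is encapsulated inside."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                      # protocol field selects the next header
    inner = packet[ihl:]
    if proto == IPPROTO_ICMP:
        typ, code, _csum, ident, seq = struct.unpack("!BBHHH", inner[:8])
        return {"proto": "ICMP", "type": typ, "code": code, "id": ident, "seq": seq,
                "checksum_ok": inet_checksum(inner) == 0, "ports": None}
    if proto == IPPROTO_UDP:
        sport, dport, length, _csum = struct.unpack("!HHHH", inner[:8])
        return {"proto": "UDP", "ports": (sport, dport), "length": length}
    return {"proto": proto, "ports": None}


# Constructed samples: a ping carrying "ping", and a UDP datagram to port 53 carrying the same bytes.
ICMP_PACKET = ipv4_header(IPPROTO_ICMP, 8 + 4) + icmp_echo_request(0x4242, 1, b"ping")
UDP_PACKET = ipv4_header(IPPROTO_UDP, 8 + 4) + struct.pack("!HHHH", 53000, 53, 12, 0) + b"ping"
```

Verifying a received ICMP message means recomputing the checksum over the header with its checksum field still in place, which yields zero when nothing was altered.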
That's all for now! Stay tuned for more Information Security interview tips and tricks. Best of luck in your job hunting adventure!
Keep on keeping on,
Naomi
Naomi Buckwalter, CISSP, is the Director of Information Security for an industry-leading marketing automation software firm.
© 2021. This work is licensed under a CC BY-SA 4.0 license