IT/Information Security Interview Questions

Dear readers,

As you might know, I finalized my relocation to Australia last week. After roughly two years of preparation and waiting for the Skilled Migrant visa to be granted, my patience has paid off, and I can say with authority that this is a land of opportunity! The Information Security market is heated right now, and I attended 7 interviews during my first 3 days in Sydney. Hopefully I’ll get myself a job very soon!

Since I’ve been going through the interview process for several positions with different requirements (Infosec Auditor, Security Engineer, Security Manager and so on), and now that you know how to deal with the HR interview, I’ve decided to share some of the Information Security questions I’ve been asked so far, plus some I’ve researched on the Internet. The purpose of this article is to help you prepare for an interview, whether you are a senior professional going for your first managerial role or just starting your Infosec career. My plan is to update it regularly with further questions I’m asked, and I hope to get some feedback from you, so that over time this article becomes a solid repository of IT/Information Security interview questions.

The questions do not follow the order in which they were asked. I have roughly divided them into major topics, but further organization will be necessary.

Please note: I won’t publish the answers, since the aim of this article is to give you inspiration to research and learn something new, or just refresh your knowledge.

Technical


- What’s the difference between a router, a bridge, a hub and a switch?
- Please explain how the SSL protocol works.
- What is a Syn Flood attack, and how to prevent it?
- Your network has been infected by malware. Please walk me through the process of cleaning up the environment.
- What kind of authentication does AD use?
- What’s the difference between a Proxy and a Firewall?
- What is Cross-Site Scripting and how can it be prevented?
- What’s the difference between symmetric and asymmetric encryption?
- What’s the difference between encryption and hashing?
- Why should I use server certificates on my e-commerce website?
- What’s port scanning and how does it work?
- Please explain how asymmetric encryption works
- Can a server certificate prevent SQL injection attacks against your system? Please explain.
- Do you have a home lab? If so, how do you use it to perfect your skills?
- What is a Man In The Middle attack?
- Take me through the process of pen testing a system.
- What is a vulnerability assessment and how do you perform it?
- What are the latest threats you foresee for the near future?
- How would you harden a Windows Server? What about a Linux Server?
- What do you understand by layered security approach?
- What’s the better approach setting up a firewall: dropping or rejecting unwanted packets and why?
- Please detail 802.1X security vs. 802.11 security (don’t confuse the two).
- What is stateful packet inspection?
- What is NAT and how does it work?
- What is a buffer overflow?
- What are the most common application security flaws?
- What is a false positive?
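
The cross-site scripting question above is one where interviewers expect a concrete answer, so here is an added example (my code, not part of the original post) showing a reflected XSS bug beside its fix. The search page, the parameter name and the two payloads are constructed for illustration. The point is that the safe version escapes for the context the value lands in (text, attribute, URL), and that the checker judges the output the way a parser would rather than by substring.

```python
"""Reflected XSS: the vulnerable rendering beside its hardened form.

Added example, not taken from the original post. The search page,
parameter name and payloads are constructed for illustration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker inputs: the first injects a tag into text content;
# the second closes a double-quoted attribute value and adds an event handler.
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '" onmouseover="alert(1)'


def render_vulnerable(query: str) -> str:
    """Reflects the search term straight into two HTML contexts (the bug)."""
    return (
        "<p>Results for: " + query + "</p>\n"
        '<input type="text" name="q" value="' + query + '">'
    )


def render_hardened(query: str) -> str:
    """Same page, with the value escaped for where it lands.

    html.escape(s, quote=True) turns & < > " ' into entities, which covers
    text content and double-quoted attribute values.
    """
    safe = html.escape(query, quote=True)
    return (
        "<p>Results for: " + safe + "</p>\n"
        '<input type="text" name="q" value="' + safe + '">'
    )


def render_link_hardened(query: str) -> str:
    """A URL context needs two layers: percent-encode the value for the
    query string, then HTML-escape the whole href attribute."""
    href = "/search?q=" + quote(query, safe="")
    return '<a href="' + html.escape(href, quote=True) + '">search again</a>'


class _TagCollector(HTMLParser):
    """Records every tag name and attribute name the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def executes_script(rendered: str) -> bool:
    """Would a browser run attacker code? Judge the markup the way a parser
    does (a <script> element or any on* event attribute), not by substring:
    the escaped output still contains the text 'onmouseover=', but only
    inside an attribute value, where it is inert."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return "script" in parser.tags or any(
        name.startswith("on") for name in parser.attr_names
    )


if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
        for label, render in (("vulnerable", render_vulnerable),
                              ("hardened", render_hardened),
                              ("link", render_link_hardened)):
            out = render(payload)
            print(f"{label:10} executes={executes_script(out)!s:5} {out!r}")
```

The vulnerable page lets both payloads through; the hardened page neutralises both with one escaping call because both contexts are HTML-quoted. Escaping alone is not enough for the href case, which is why that function percent-encodes first.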

Managerial

- What is ISO 27001 and why should a company adopt it?
- Please describe step-by-step how you would prepare and perform an audit of any given system.
- What is a “RISK”, how can it be measured and what actions can be taken to treat it?
- Please describe the steps to be taken by a company implementing an ISMS framework.
- Why did you become (CISSP/CISA) certified?
- During an audit, an interviewee is not disclosing the information being requested. How would you overcome this situation?
- Within the PCI-DSS sphere, what is a compensating control?
- Who is ultimately responsible for classifying a company’s information: the Infosec team or the information owner?
- Please describe the process of evaluating and analysing risks.
- What actions would you take to change end user behavior towards InfoSec?
- How do you ensure secure software development? What best practices should be followed?

…and more to come!

I’m writing the questions down as they were asked, to the best of my memory. I invite you all to share questions you’ve been asked in your IT/Information Security interviews, so they can help those out there looking for a job after several years without attending an interview.

-Adriano.

Comments (32)

  1. Rangel says:

    Very nice article! I’m from Brazil and I work as a Security Officer in an Internet company. I’ve taken the CISSP certification, and for 7 years I’ve prepared with certifications and postgraduate studies, and I have developed experience in great companies. The way in infosec is a challenge, but anyone can achieve their objective.

    Now I would like to work abroad, and I am studying English and Spanish because I wish to work in the USA in an investment bank.

    Thank you

    Rangel Rodrigues

  2. Chakri says:

    Some more questions.

    *How does NAC work?
    *What is the difference between SOX compliance and ISO 27001?

  3. vivek mishea says:

    Can anyone tell me the security perspective of TCP/IP? What is there in TCP/IP which makes it more secure?

  4. Daniel says:

    I found this and the other blog posts to be very interesting. I am about to graduate from school with a BS in infosec. The whole “chicken and egg” scenario struck a chord. Thanks, and I will keep watching for more.
    Thanks,
    Daniel

  5. Anuradha says:

    I attended an interview for an infosec manager position.
    I was asked the following questions.

    1) Can we perform VA remotely?
    2) If we want to launch a new product or service in the market, how will you perform a risk assessment?
    3) How will you implement BCP?
    4) How will you get approval from management to implement a security control?
    5) How will you communicate the VA and PT report to higher management?

    Anu

  6. Arun says:

    Really great work. Thanks. Keep doing good work so that many needy people will get the benefit of your work, like me :-)

  7. Goli says:

    I was asked these questions:

    - What is a CSRF attack?
    - What is the difference between pen testing and vulnerability assessment?
    - What are the security implications of using mobile devices for enterprises?
    - What security threats do social networking sites bring to enterprises?
    - How do you convince the managers at the client company that they need to adhere to some security standards or best practices?

  8. Riyaz says:

    Very informative, keep up the good work Folks….

  9. Samarth says:

    Hi,

    I am a student of information security. One day when I was preparing for job interviews I came across your articles. These are very helpful and knowledgeable for someone in this field. Thanks for sharing your experience.
    Keep up the good work.

    Samarth Sharma

  11. varun says:

    Really a good blog.
    Thanks so much.

  12. Jeff says:

    Description of a TCP 3-way handshake. The three-way (or 3-step) handshake occurs as follows:

    1. SYN: The active open is performed by the client sending a SYN to the server. It sets the segment’s sequence number to a random value A.
    2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number that the server chooses for the packet is another random number, B.
    3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, i.e. A + 1, and the acknowledgement number is set to one more than the received sequence number, i.e. B + 1.

    At this point, both the client and server have received an acknowledgment of the connection.
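
The SYN flood question in the post and Jeff’s handshake description above fit together: a flood is step 1 repeated from spoofed sources with step 3 never sent, so every SYN-ACK the server answers leaves a half-open entry behind. The simulation below is an added example (my code, not from the post or the comment). It models the three segments with the A and B sequence numbers Jeff uses, a listener with a fixed backlog that a flood fills with half-open entries, and a simplified SYN-cookie listener that keeps no per-connection state until the final ACK arrives. The backlog size, the cookie layout (8-bit clock in the top byte, 24-bit HMAC below it, no MSS encoding) and the client names are assumptions made for the illustration, not a reproduction of any real TCP stack.

```python
"""TCP three-way handshake, a SYN flood against a fixed backlog, and a
SYN-cookie listener that keeps no half-open state.

Added example, not from the post or the comments. The segment model,
the backlog size and the cookie layout are simplifications chosen for
illustration, not a reproduction of any operating system's TCP stack.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str      # client identity, standing in for (IP, port)
    flags: str    # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


def syn(src: str) -> Segment:
    """Step 1: the client picks a random ISN A and sends SYN."""
    return Segment(src, "SYN", random.getrandbits(32))


def client_ack(synack: Segment, sent: Segment) -> Segment:
    """Step 3: the client checks ack == A+1 and replies seq=A+1, ack=B+1."""
    if synack.ack != (sent.seq + 1) & MASK32:
        raise ValueError("SYN-ACK does not acknowledge our SYN")
    return Segment(sent.src, "ACK", (sent.seq + 1) & MASK32,
                   (synack.seq + 1) & MASK32)


class BacklogListener:
    """Classic listener: each SYN-ACK sent allocates a half-open slot, so
    spoofed SYNs that never complete step 3 exhaust the queue."""

    def __init__(self, backlog: int) -> None:
        self.backlog = backlog
        self.half_open = {}          # src -> (A, B)
        self.established = set()

    def receive(self, seg: Segment):
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                return None          # queue full: the SYN is silently dropped
            b = random.getrandbits(32)
            self.half_open[seg.src] = (seg.seq, b)
            return Segment("server", "SYN-ACK", b, (seg.seq + 1) & MASK32)
        if seg.flags == "ACK" and seg.src in self.half_open:
            a, b = self.half_open[seg.src]
            if seg.seq == (a + 1) & MASK32 and seg.ack == (b + 1) & MASK32:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None


class SynCookieListener:
    """Stateless listener: B is a cookie derived from the client identity,
    its ISN A and a coarse clock. The final ACK carries B+1 back, so the
    server recomputes the cookie instead of looking up a table entry."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.clock = 0               # coarse tick; a real stack derives it from time
        self.established = set()

    def _cookie(self, src: str, a: int, tick: int) -> int:
        msg = f"{src}|{a}|{tick}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (tick << 24) | int.from_bytes(mac[:3], "big")

    def receive(self, seg: Segment):
        if seg.flags == "SYN":
            b = self._cookie(seg.src, seg.seq, self.clock & 0xFF)
            return Segment("server", "SYN-ACK", b, (seg.seq + 1) & MASK32)
        if seg.flags == "ACK":
            b = (seg.ack - 1) & MASK32
            a = (seg.seq - 1) & MASK32
            tick = b >> 24
            fresh = ((self.clock & 0xFF) - tick) & 0xFF <= 1   # this tick or the previous
            if fresh and b == self._cookie(seg.src, a, tick):
                self.established.add(seg.src)
        return None


def simulate(listener, honest_clients, flood_syns=0):
    """Send flood_syns spoofed SYNs that never complete, then let the honest
    clients try a full handshake. Returns the set of established clients."""
    for i in range(flood_syns):
        listener.receive(syn(f"spoofed-{i}"))
    for name in honest_clients:
        first = syn(name)
        synack = listener.receive(first)
        if synack is not None:
            listener.receive(client_ack(synack, first))
    return set(listener.established)


if __name__ == "__main__":
    clients = [f"client-{i}" for i in range(5)]
    print("backlog, no flood:", simulate(BacklogListener(128), clients))
    print("backlog, flooded :", simulate(BacklogListener(128), clients, 128))
    print("cookies, flooded :", simulate(SynCookieListener(b"secret"), clients, 10_000))
```

With the backlog listener, 128 spoofed SYNs are enough to lock every honest client out; the cookie listener answers ten thousand of them without allocating anything, and a forged ACK that never went through step 1 fails the cookie check. Real stacks combine cookies with a short SYN-RECEIVED timeout, a larger backlog and rate limiting; cookies alone also lose the TCP options carried in the original SYN, which is the usual reason they are only switched on under pressure.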

  13. Unemployed Guy says:

    Thanks for the post Adriano, I think I came across this site just on time!

    I REALLY HAVE A QUESTION: I am going to have a phone interview with the COO of an InfoSec company! I have no idea how a phone interview with a hiring manager would convey my qualifications. Can someone help?

    I hope someone can answer my question
    ——————————————————————————————————————————————

    @Mark: I found your questions very interesting and I totally agree with you: “Your question covers a broad spectrum in the area of Networking/Security”. I personally would answer it in scenario format.

    In my career I’ve interviewed a handful of Tier 1 and 2 Desktop Support personnel. What I used and will always ask are:

    1) “Would you please explain what happens when a computer user opens the browser and types http://www.google.com”, or
    2) “Would you please explain, in as much detail as you can, what will happen when you hit the Send button on your email”.

    • varun says:

      The 1st question was asked by a Microsoft interviewer in the 1st round and I somehow tried to explain it to him.
      really superb question

  14. saravanan says:

    As the name says, the TCP 3-way handshake is a process of securely accessing a network connection between a host machine and a server for reliable connectivity.
    This is done by sending a TCP SYN (synchronize) request from a host machine to a remote server;
    the server in return will send back a SYN ACK packet and wait for an ACK packet from the sender;
    once the ACK packet is received by the server, the connection is established.

  15. Mark says:

    After a few “softball” questions, like “describe the TCP 3-way handshake”, “describe the OSI model”, and “PID for init (Linux)”, I generally use a compound question that really helps me understand the level of understanding a candidate has of Infosec (question set provided to me by one of my mentors… thanks Dave).

    This 3 part question can only be useful if the “OSI Model” question is answered correctly. If not, the interview is pretty much over.

    Question 1 of 3:
    What’s the difference between vulnerability and mitigation? (sounds simple enough, but it gets better).

    Question 2 of 3:
    Give me an example of a vulnerability at each layer of the OSI reference model.

    Question 3 of 3:
    Give me a type of mitigation for each of the vulnerabilities you have just provided.

    I have rarely come across an individual who can handle these questions off the top of their head. I’ve been in this industry for over 10 years and I have to sit down and think about them carefully. The point is to observe how the candidate can deduce the correct responses and show their depth across the OSI layers. As each layer delves into various areas of infrastructure and applications, this knowledge really shows someone’s “chops” in the industry.

    I never expect someone to knock them out, but obviously the more responses provided the more rounded the candidate is.

    Mark

  16. Joya says:

    Thanks for the post.

    Check out this website for the largest Collection of HR Interview Questions and Answers

    Human Resource Interview Questions and Answers

    Thanks
    Joya

  17. Hina says:

    I’ve just gone through your blog. Really nice effort!!!


  19. Anonymous says:

    I found your blog on Google and read a few of your other posts. I just added you to my Google News Reader. Keep up the great work. Looking forward to reading more from you in the future.


  21. Papa_K says:

    I thought I was the only one who saw some issues with this list. In my experience, and it’s only been with Gov agencies, no one ever asks those questions because they don’t know the answers to them. Also, there are so many different methods for some of these: are they just trying to see how well you can stand on your feet, or do they really want to know how you would do something?

    Also the encryption questions are in my eyes duplicated.

    Here’s one that I found unnerving. ‘What kind of authentication does AD use?’

    I don’t use AD here, so I would have to say I have no idea. I would think that since AD is an MS solution, it would be two-factor authentication based on the MS NT hashing method.

    But that’s just my guess.

  22. Very informative article Adriano! But Rodo, yours is practical :) Too good.

  23. Daniel says:

    Hi,

    Very interesting reading, and I find it quite funny to see how many of the questions you have written down match the ones I use when I interview new candidates :)

    A few more questions that may help you assess the person’s skills:
    - If I dump a Windows system password and I get the last bytes with the characters “AAD3B435B51404EE”, which information could you give me:

    – a) Operating system
    – b) Version
    – c) Hashing / Encryption password scheme being used?
    – d) Password length?

    - What does this text string suggest to you? 1%20%4F%52%201%3d1

    - Is it possible in a UNIX system to determine the creation date of a file? (This is a very funny question to ask when the candidate says he has forensic skills)

    a) Yes, through atime
    b) Yes, through ctime
    c) Yes, through mtime
    d) No, it’s not possible

    - Could you explain what the acronyms ASLR, DEP, NX or Safe SEH mean?

    And a very important one:

    - Which IT and security blogs do you follow? (This shows how proactive a candidate is in keeping up to date with the latest trends)

    Good luck in your Australia adventure!

    Regards,

    Daniel

  24. imran says:

    Very nice of you to put this list together. It is a good effort towards helping your InfoSec followers. Thanks!

  25. Rodo says:

    Hi;
    My experience with “technical” interviews was this:

    Q. Please, tell me what’s the best security solution, from your point of view.
    A. To protect what?
    Q. It doesn’t matter, does it?
    A. I guess so; can you please give me more details?
    Q. Please, just tell me where and how many firewalls you would put in.
    A. Again, what do you want to protect? Maybe a firewall is a good start, but not the only solution.
    Q. OK, what else would you put in? An antivirus gateway?
    A. Hard to say; if I don’t know what I want to protect and from whom…
    Q. OK, we’ll call you…

    And in another interview, they were looking for a free consulting hour: “let’s say, for example, we’re facing this issue, these are the FW, router, etc. configurations, this is what we have done so far… what would you do if you were working with us? Because we don’t have any more ideas.”


  27. PRAJUL says:

    HI
    I have done CCNA, CEH and RHCE certifications and I find it very difficult to get into the information security side, as a penetration tester or an ethical hacker. I also have around 2 years of technical support experience in virus and spyware support. Can anyone guide or help me to find jobs in penetration testing?
    Please help…
    Thanks in advance

    • What says:

      You’re going to have to broaden your horizons to find jobs in this area. Meaning, you are probably going to have to relocate somewhere different. You will notice that in some cities security jobs are focused on governance versus technical types of security jobs. Incident response is usually the technical side of security.

  28. Glenn says:

    Hi

    I find another good one is the following:

    Please describe a TCP 3-Way Handshake.

    I am amazed at some of the answers I have received to this, but it is a good one as it gives me a better understanding of the person’s technical experience with TCP/UDP and their ability to follow traffic patterns.

    Glenn
