INFORMATION SECURITY INTERVIEW QUESTIONS
General
Are open-source projects more or less secure than proprietary ones?
The answer to this question is often very telling about a given candidate. It shows 1) whether or
not they know what they’re talking about in terms of development, and 2) it really illustrates the
maturity of the individual (a common theme among my questions). My main goal here is to get
them to show me pros and cons for each. If I just get the “many eyes” regurgitation then I’ll
know he’s read Slashdot and not much else. And if I just get the “people in China can put
anything in the kernel” routine then I’ll know he’s not so good at looking at the complete picture.
The ideal answer involves the size of the project, how many developers are working on it (and
what their backgrounds are), and most importantly — quality control. In short, there’s no way to
tell the quality of a project simply by knowing that it’s either open-source or proprietary. There
are many examples of horribly insecure applications that came from both camps.
How do you change your DNS settings in Linux/Windows?
Here you're looking for a quick comeback for any position that will involve system
administration (see system security). If they don't know how to change their DNS server in the
two most popular operating systems in the world, then you're likely working with someone very
junior or otherwise highly abstracted from the real world.
What’s the difference between encoding, encryption, and hashing?
Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to
keep its original message upon arriving, and it isn't primarily a security function. It is easily
reversible because the system for encoding is almost necessarily and by definition in wide use.
Encryption is designed purely for confidentiality and is reversible only if you have the
appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is
of a fixed length that is usually much smaller than the input.
Who do you look up to within the field of Information Security? Why?
A standard question type. All we're looking for here is to see if they pay attention to the industry
leaders, and to possibly glean some more insight into how they approach security. If they name a
bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll
say another. If they don't know anyone in Security, we'll consider closely what position you're
hiring them for. Hopefully it isn't a junior position.
Where do you get your security news from?
Here I’m looking to see how in tune they are with the security community. Answers I’m looking
for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don’t really matter.
What does matter is that he doesn't respond with, “I go to the CNET website.”, or, "I wait until
someone tells me about events.". It’s these types of answers that will tell you he’s likely not on
top of things.
If you had to both encrypt and compress data during transmission, which would you do first, and
why?
If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or
do they enjoy the challenge and think through it? I was asked this question during an interview at
Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to
figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then
encrypt. If you encrypt first you’ll have nothing but random data to work with, which will
destroy any potential benefit from compression.
What's the difference between symmetric and public-key cryptography
