DISQUS

Arik · 2 years ago

I was once asked which is stronger - RSA with a 8192 bit key or AES with 128 bit key

Don't forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge.

-- Arik

Dave · 2 years ago

"Don’t forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge."

Well said.

My favorite interview bonus question is "how many fire alarm levers did we pass on the way here?"

I'd hire someone who got every technical question wrong but answered that one even in the ball park.

-Dave

Wonk · 2 years ago

I think one could also argue for number 2 that encrypting before compressing would tend to reduce the possibility of known plaintext attacks. But, as you say, there's not any point in compressing data once it's been encrypted.

Philip · 2 years ago

Wow. Some of these are good. When I came to the interview for my current job, my boss had about 15 sheets of questions that are standard. I cannot remember them all now, but I was so nervous. We ended up hiring a guy who was straight out of college and has no Linux experience (he had heard of it before). It is really hurting. We have had to teach about the world all over again. He really doesn't know that much about the deep parts of Windows.

Michael S Black · 2 years ago

Here is a few we use:

Define non-repudiation and give a real world example.

What would you do with a Rainbow Table?

What is a downstream liability?

What is the difference between symmetric and asymmetric cryptography?

Daniel · 2 years ago

Nice ones, Michael. For the crypto one I usually as them to describe exactly what happens when you send a message that's both signed and encrypted using PGP -- specifically relating to the cryptography. What I look for in the response is the not-so-well-known fact that the message is actually not encrypted with the other person's public key.

...wait for it...

Instead, the message is encrypted with a randomly generated SYMMETRIC key, and *that* key is encrypted using their public key. They then decrypt the symmetric key, and use that to read the encrypted message. Which directly illustrates the positives and negatives of both. You wouldn't want to use asymmetric cryptography to encrypt a very large message due to the time cost, so symmetric cryptography is used instead.

Darby Weaver · 2 years ago

Hmmm...

Interesting - I got the Compression vs. Encryption question in the terms of asking about how IPSec is handled once.

I used to get the home computer question.


But after I explain my home lab setup and some of the machines I keep around that run from Linux Appliances, Cobalt RAQ Appliances with CentOS and Solaris, or my Solaris Pizza Box that I installed Red Hat 6.0 on or just my run of the mill PC's with any various OS or some of my favorite tools.

Then we have the Cisco and other vendors gear. I stop after the eyes start to glaze, unless they want to know where I get my bogon lists from or where I find my latest 0-Day Exploits from and how I have acquired so many tools of the trade...

Hmmm...

Well, you know...

How are things going?

Did you ever decide to use Cisco Gear? Get your CCNA yet?

Are you in Orlando this week at SANS?

Later

knight · 1 year ago

Where are the answers to all the questions?

ash · 1 year ago

Nice compilation of questions....!!

James · 1 year ago

You say, "As weak as the CISSP is as a security certification..."

This cert seems to be der rigeur in the industry for any security position. Almost all the jobs I apply for say it is desirable, required, or you must get certified within 6 months of hire. Why do you have such a low opinion of it? And, if it's so weak, why do they all want you to have it?

Max · 1 year ago

these questions sound very basic.... for jr security position.

what questions you would ask for pentester/sr sec analyst position?

thanks
Max