danielmiessler.com - Latest Comments in 25 Questions to Ask During an Information Security Interview

Re: 25 Questions to Ask During an Information Security Interview

Daniel Miessler — Mon, 29 Aug 2011 17:07:15 -0000

Wow, that's scary.

Re: 25 Questions to Ask During an Information Security Interview

Security Monkey — Mon, 29 Aug 2011 13:58:55 -0000

I am witness to many interviews of infosec professionals. I've seen these exact questions (literally printed from your website) and asked VERY BADLY. It's an important point that the interviewer fully understand and be able to answer these questions. Otherwise, using them is a waste. I witnessed a developer using these questions to interview an INFOSEC management candidate. He asked the candidate the ping/port questions and the candidate answered correctly immediately - ICMP. The interviewer said "no, you have to give me a tcp or udp port number". The interviewee was clearly frustrated and rolling his eyes and trying to be polite. I eventually stepped in and told the interviewer to take a break and I'd finish the interview. Unreal!!!

Re: 25 Questions to Ask During an Information Security Interview

BuyGiftsItems — Thu, 16 Jun 2011 07:28:03 -0000

I test them in the SANS 504 class" (or at a hackers conventiuon, or I set up a disposable network at home

Car Auctions

Re: 25 Questions to Ask During an Information Security Interview

Random Nerd... — Wed, 04 May 2011 23:35:43 -0000

Create a sandbox environment.. :D

Re: 25 Questions to Ask During an Information Security Interview

Jim — Sat, 20 Nov 2010 11:45:31 -0000

Umm, I'm not a security expert (just a random unix admin), but I could answer all of those questions.

Re: 25 Questions to Ask During an Information Security Interview

Ilango Al — Sun, 03 Oct 2010 10:12:09 -0000

amazing list of questions!!!

Re: 25 Questions to Ask During an Information Security Interview

dryanhawley — Thu, 13 May 2010 16:02:55 -0000

Here is another question. "How do you keep up on hacker tools, and how do you test them?".

The lower skill level answer would be, "I don't! I swore I wouldn't associate with Hackers or use their tools when I got my CISSP!" The "better" IMO
answer would be, "I use a sacrificial lamb computer to get them off The Net"
(because a lot of hacker sites will, in fact, hack you while you get the tool).
As for testing them, the best answer(s) might be "I test them in the SANS 504 class" (or at a hackers convention, or I set up a disposable network at home (or in a detached lab) so as to not be the cause of bringing down production or personal computers. Bonus points for things like, "afterwards I do a 6 pass destructive format on my HD, including boot sectors, and reflash my BIOS from a LINUX booted OS disk, stuff like that.

Reading about them on a security site shows less enthusiasm.

"Know thy enemy"

Re: 25 Questions to Ask During an Information Security Interview

Hasib — Sat, 24 Apr 2010 15:34:12 -0000

Diffie-Hellman is a Key-agreement scheme, it is not a Key-exchange scheme.

Re: 25 Questions to Ask During an Information Security Interview

Daniel Miessler — Sun, 23 Nov 2008 17:05:59 -0000

@Curtis Thank you for that.

Re: 25 Questions to Ask During an Information Security Interview

Arik — Sun, 23 Nov 2008 16:30:15 -0000

A network analysis D&D? Ouch.

Nice list, Daniel. I think you should float all the easy questions to the top, so that you can vet the incompetent early in the process.

What I like to ask a candidate is "what are you best at? what do people come to you about when they need help?" and then drill down into the bits and bytes on that topic. That shows me if they take what they do seriously enough to have an in-depth understanding of it. Also, at some point in time my questions inevitably exceed their knowledge (I might ask about things I don't know about...) and then I expect them to tell me they don't know and will find out. If they try to BS me... NEXT!

Also as mentioned I like to ask about the bigger picture, what does it all mean from an organizational point of view.

-- Arik

Re: 25 Questions to Ask During an Information Security Interview

The Real Steve C — Fri, 21 Nov 2008 23:50:59 -0000

Nice list, lol

Re: 25 Questions to Ask During an Information Security Interview

Mark Gamache — Fri, 21 Nov 2008 12:10:03 -0000

This is great stuff! I've had to argue with seasoned security professionals about DH being subject to MITM. A great follow up on that, they they miss it, is have them whiteboard for you how it works and then watch to see how they react when you white board the key switch. If you see the light bulb go on, they may still be OK. Even professionals take the pre-established trust of a local keystore for granted.

Re: 25 Questions to Ask During an Information Security Interview

Scott — Fri, 21 Nov 2008 09:02:36 -0000

My favorite question is "Prove to me you can protect my network". Poor candidates begin speaking about technology and solutions, good candidates talk about their previous experience, and great candidates take a high level view of the issue and speak about how they will help promote change, get management on board and begin to address the true scope of this open ended question.

Re: 25 Questions to Ask During an Information Security Interview

randy — Fri, 21 Nov 2008 08:39:25 -0000

Nice list. I've weeded people out before with the ping, tracert, and http vs html questions before. Good stuff!