The First Question I Ask When Interviewing Someone For A Security Role

A Guide To Learning How Well A Candidate Understands Security

RealWorldCyberSecurity
The Startup
18 min read, Apr 7, 2020


The first question I ask someone in an interview for a cybersecurity position is, “What type of cellphone do you use?” The candidate’s answer can provide a deep insight into their security mindset regarding the importance of patching in managing security vulnerabilities. Additionally, it tells me a lot about their attitude regarding the importance of privacy.

As a consultant, I have seen many interview styles. The one thing I have learned is that it is rare for an interviewer to ask questions which probe my understanding of security. Interviews tend to come in three flavors: How have you solved a given problem in the past? How would you configure a given tool to solve a particular problem? Or, tell us about your previous experience (As though they hadn’t bothered to read my résumé!).

Maybe one in twenty interviewers will probe my actual knowledge of security. And, let’s face it: If you’re hiring someone for a security role — and, especially a senior-level role — you should expect them to have a solid understanding of security fundamentals.

I suspect the reason more interviewers don’t probe deeply into a candidate’s security mindset and their grasp of the fundamentals is that the interviewer doesn’t know how to ask those questions. That is, most people interviewing candidates for a security position either have no idea how to ask conceptual security questions, or lack in-depth knowledge of the fundamentals themselves.

That’s the reason for this blog post.

Interestingly, I find candidates either kill my interview or fail it miserably. There is rarely a candidate who falls in-between. Those who kill the interview quite often tell me it’s the best interview they’ve ever had. Those who flunk it usually react with either, “Well, I just memorized that stuff for the XYZ certification exam, and I haven’t used it ever since,” or “I don’t understand what a lot of your questions have to do with security.”

For the benefit of those who flunk the interview, I always go back and explain why I asked each question and what it taught me about their knowledge of security. That is, if the candidate doesn’t withdraw during the interview process.

For those who pass, I leave it up to other interviewers to cover the domain-specific interview questions. If a candidate aces my interview, I have no doubts they could successfully fill most any security role in an organization.

Interview Approach

My objective in an interview is to determine if a candidate understands security and privacy at a fundamental level. My interviews are not academic or theoretical; they are strictly practical. I want to learn if a candidate has a security-oriented mindset and whether they grasp fundamental security concepts. Many of my questions also probe whether the candidate has only a peripheral knowledge of a given security topic, or has an in-depth understanding of it.

Several of my questions concern how they apply security and privacy in their personal life. That tells me whether they understand topics such as: patch management, security vulnerability risks, information disclosure, location tracking, and privacy.

Then, I move on to a wide mix of technical security questions. I have a pool of about fifty questions that cover a range of security topics that I would expect any candidate to understand thoroughly. Beginning in the next section, I will give some example questions and expected answers, along with an explanation of why I think those questions are important.

Now, a couple of points about interviewing:

  • Move quickly through your questions. These are all questions a qualified junior-level candidate should be able to answer with little to no thought. Don’t give your candidates time to look up answers on Wikipedia! If a candidate hesitates for more than a few seconds, move on to the next question.
  • Jump around between topics. That will show you how fast a candidate can “switch gears” in their thought processes. Security moves quickly, and you want candidates who can mentally multitask to solve complex security problems crossing multiple security domains.

So, let’s go through some sample questions I use to interview security candidates.

For each sample question, I will give either my expected answer with a brief explanation, or a reference that answers the question. Yes, most answers probably deserve a more in-depth explanation than what I present here, but my objective is to present a short article, not write a book on the topic.

My Opening Questions

I always begin with the cellphone question, then follow it up with a technical question. Since most security roles require some understanding of network security, I usually ask a very basic networking-related question.

Regardless of the security role, I always ask the same first question: What type of cellphone do you use?

My expected answer is: An iPhone.

No, I’m not an Apple bigot. But, if the candidate answers anything other than iPhone, or “dumb flip phone,” it tells me that the candidate does not understand security and privacy. Why? Because of all the major cellphone vendors, only Apple pushes out timely vulnerability patches and enforces app privacy rules both in its app store and on its devices.

Unless the security role has no network security aspect to it, my second question is always: How many layers are in the Internet Protocol stack?

The only correct answer to this question is: Four.

Invariably, most candidates will answer “seven.” This tells me that they’ve simply memorized incorrect information to pass some certification exam. I’ll also accept “five” as an answer, provided the candidate can name the layers and includes “Physical” as its lowest layer. For the full explanation of this question and its correct answers, please see my blog post, The Internet Is Not A Seven Layer Network.

Does the candidate apply security principles to their personal life?

Randomly throw these questions into the mix. By understanding how the candidate applies security and privacy principles to their personal life, you can gain insight into both the depth of their understanding and how seriously they take security and privacy. After all, if they don’t care about security and privacy in their personal life, why should you expect them to care about it at work?

Question: What browser do you use?

Best answers: Brave or Tor.

Acceptable answers: Firefox (or variants, such as Cliqz) or Safari.

Marginal answers: Chrome or Opera.

Bad answers: Edge, Internet Explorer, Yandex.

Comment: This question explores the candidate’s understanding of privacy. Several studies have ranked the privacy of various browsers. There is little disagreement as to which browsers offer the most privacy and which offer the least, and most current surveys rank Brave the highest. Any candidate choosing a “bad answer” browser clearly has a serious lack of privacy knowledge.

Question: What is your primary search engine?

Best answers: DuckDuckGo, Start Page, Qwant.

Bad answers: Google, Bing, Yahoo.

Comment: Again, this question explores privacy. The “best answers” ensure your searches are not tracked. The “bad answers” are sucking up every crumb of information they can find about you. Yes, there are other search engines, but the above are the major ones in each category.

Question: What messaging apps do you use?

Best answers: Signal, OTR Jabber/XMPP, Ricochet.

Acceptable answers: WebEx, Wire, Wickr/WickrMe, iMessage, FaceTime.

Marginal answers: WhatsApp, Telegram.

Bad Answers: Just about everything else.

Comment: This is another privacy question, but it also explores the candidate’s understanding of end-to-end encryption and their willingness to trust questionable vendors.

Question: Do you use LinkedIn, Facebook, Twitter, or any other social media?

Best answer: No, but I do have placeholder accounts to prevent someone from establishing a bogus account in my name.

Comment: Again, privacy is the primary issue here. But, LinkedIn is also a serious security threat to any organization which allows employees to have LinkedIn profiles. I discuss LinkedIn in more detail in the blog entry, LinkedIn Is A Security Threat To Your Organization.

Question: What email service do you use?

Best answers: Protonmail, Start Mail, Hushmail.

Good answer: iCloud.

Bad answers: Any “free” email service, such as: Gmail, Hotmail, Outlook, Yahoo; Or, any email service provided by your ISP or cellphone carrier, such as: Comcast, Verizon, AT&T.

Comment: There are many acceptable answers: any email service that respects your privacy. Using a “free” email service shows that the candidate does not understand the ramifications of all of their communications being monitored by an untrustworthy third party for whom they are the product.

Does the candidate understand fundamental security concepts?

Although I group questions by topic here, I mix up the order when interviewing, rarely asking two questions in a row on the same topic.

Security Threats and Defenses

The answers to all these questions can be found in the blog post, What Are The Fundamental Services Provided By Security? Hint: CIA Is Not The Answer. All these questions probe the candidate’s understanding of the most basic security concepts.

Question: What are the fundamental services provided by security?

Question: What security threats does authenticity defend against?

Question: What cryptographic defenses are used against security integrity threats?

Question: What security threat or threats do digital signatures defend against?

Question: What are the differences between authenticity and integrity?

Question: What is the difference between Denial of Service and Denial of Access?

Authentication

The full answers to all these questions can be found in the blog posts, There Are Only Two Ways to Authenticate, and You Should Never Change Your Password. I will provide summary answers here.

Note: Most candidates will have been taught that there are three ways to authenticate. For years, security researchers have disagreed, stating that biometrics are not an authenticator. Since 2015, when NIST first released the draft of their update to SP 800-63, they have officially agreed with that assertion. However, many certification exams have not been updated to these latest industry best practices. Thus, this section tests both a candidate’s fundamental security knowledge and whether they keep current with changes to industry best practices.

Question: What technology is used to strengthen defenses against the weaknesses of passwords?

Answer: Two-Factor Authentication (TFA)

Comment: Checks candidate’s knowledge of TFA. Multi-Factor Authentication (MFA) is also an acceptable answer.

Question: What are the conceptual methods by which a user can be authenticated (that is, “What you…”)?

Answer: What you know, and What you have.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: What is the difference between probabilistic and deterministic authentication measures?

Answer: Deterministic always returns the same results for any given input; probabilistic does not.

Comment: Determines if a candidate understands the concepts behind authentication.

Question: What are the two characteristics required of any authenticator?

Answer: Revocable and deterministic.

Comment: Determines if a candidate understands the concepts behind authentication.

Question: Under what circumstances can biometrics be used as an authenticator?

Answer: As a second factor to a “What you have” authenticator.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: What constitutes a good password?

Answer: A long string of at least 8 random characters, or preferably a passphrase of at least 8 words.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: How often should you change your password?

Answer: Only when there is evidence of compromise (including local password cracking).

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: What are acceptable sources of second authenticators?

Answer: Hardware security tokens and authentication apps.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: How should passwords be stored on a computer?

Answer: Passwords should never be stored; only salted hashes of passwords should be stored.

Comment: Determines if candidate has even a basic understanding of password security.

Question: What complexity requirements should all passwords meet?

Answer: Only the following:

  1. Consists of only ASCII and Unicode characters;
  2. A minimum length of 8 characters, with a maximum length not less than 64 characters; and
  3. It cannot be a known bad password (a password previously cracked or disclosed).

There should be no other complexity requirements.

Comment: Determines if a candidate is up-to-date on current industry best practices.
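The two password questions above (storing only salted hashes, and enforcing nothing beyond length, character set and a known-bad check) as one added example; this is illustrative code written for this article, not the author’s, and its known-bad list and scrypt parameters are constructed placeholders for a real breached-password corpus and a tuned work factor:

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LEN, MAX_LEN = 8, 64   # the floor and the smallest acceptable ceiling cited above

# Constructed stand-in for a breached-password corpus; a real deployment
# checks against a list of hundreds of millions of entries.
KNOWN_BAD = {"password", "123456789", "qwertyuiop", "correct horse battery staple"}

# Assumed scrypt work factor (16 MiB, single pass); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def normalize(password: str) -> str:
    # NFKC so visually identical Unicode spellings compare and hash the same;
    # length is counted in characters after normalization, never in bytes.
    return unicodedata.normalize("NFKC", password)


def check_policy(password: str) -> list:
    """Return the list of violations (an empty list means acceptable).

    Only the three rules listed above are enforced: any ASCII or Unicode
    character is allowed, length must be 8..64 characters, and the value must
    not be a known compromised password. No composition rules, no expiry."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if pw in KNOWN_BAD:
        problems.append("matches a known compromised password")
    return problems


def hash_password(password: str) -> str:
    """Store a per-user random salt and the scrypt digest, never the password.

    The record is self-describing so the parameters can be raised later
    without breaking verification of older records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                     salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare in
    constant time, so the comparison itself leaks no timing information."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p),
                            dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password: str) -> str:
    """Enrol a new password: enforce the policy, then keep only its salted hash."""
    problems = check_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "short", "correct horse battery staple"]:
        print(repr(candidate), check_policy(candidate) or "OK")
    record = register("a lumpy giraffe surveys the tundra at noon")
    print(record)
    print(verify_password("a lumpy giraffe surveys the tundra at noon", record))
```

Note that the long, memorable passphrase on the known-bad list is rejected while a shorter unlisted one passes: the list check, not a composition rule, is what separates them.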

Question: When is it appropriate to use knowledge-based authenticators (e.g., Where were you born? Mother’s maiden name? etc.)?

Answer: Never. They are too easy to guess.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: When is it appropriate to use SMS or email as a second authenticator?

Answer: Never. It is too easy to hijack the messages, thus defeating two-factor authentication.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Cryptography

I don’t have any current or pending blog posts on this topic, so I will provide brief correct answers to these questions. This also tends to be most candidates’ weakest area, so I don’t ask a lot of questions unless their job will involve using cryptography.

Question: What is the difference between symmetric and asymmetric keys?

Answer: A symmetric key is a secret key sourced from a random number, and both the sender and the recipient must know that key.
An asymmetric key is a key-pair generated from large (usually prime) numbers. One key is secret (private key), and the other key is public. One key (either key) is used to encrypt, and the other key is used to decrypt.

Comment: Determines if a candidate understands the difference between symmetric and asymmetric cryptography.

Question: What is the maximum length of data which can be encrypted by: A symmetric key? An asymmetric key?

Answer: In general, there is no data length limit for symmetric encryption, as the data is divided into blocks (the block size depends on the algorithm), which are then encrypted.
For asymmetric encryption, the maximum length of data encryptable varies by algorithm, but is always less than the asymmetric key size. For example, for RSA, the maximum length is 11 bytes less than the key length. Thus, for a 2048-bit RSA key, the maximum length of data it can encrypt is 245 bytes.

Comment: Determines if a candidate’s understanding of cryptography has any depth.

Question: Explain the process to create a digital certificate.

Answer: A minimal acceptable (and deliberately simplified) answer is:

  1. Generate a public/private key pair.
  2. Create a certificate signing request (CSR) for the public key.
  3. Send CSR to a certificate authority (CA), who will create the digital certificate by signing CSR’s public key with the CA’s signing certificate.
  4. The CA then returns the created certificate with its supporting certificate chain.

Comment: Determines if a candidate understands how digital certificates are created.

Question: What is a cryptographic hash function?

Answer: An algorithm that takes a variable-length input and generates a fixed-length output where it is not possible to determine the original input value knowing only the output value.

Comment: Determines if a candidate understands what a hash is.

Question: What is an HMAC?

Short Answer: A keyed hash.

Better Answer: A message authentication code that is based upon a hash function and a shared secret key.

Comment: Determines if a candidate understands message authentication codes.
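The “keyed hash” answer, carried through as an added example (written for this article, not the author’s code): HMAC-SHA256 built from the bare hash function per RFC 2104, with a constant-time verifier and a cross-check against Python’s `hmac` module; the key and message are constructed samples.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 from the hash function alone, following RFC 2104:

        HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))

    The nested, two-pass construction is why HMAC does not inherit the
    length-extension weakness of the naive H(key || message)."""
    block_size = hashlib.sha256().block_size          # 64 bytes for SHA-256
    if len(key) > block_size:                          # long keys are hashed down first
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")               # short keys are zero-padded
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad_key + message).digest()
    return hashlib.sha256(opad_key + inner).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time. A wrong key or a
    single changed byte in the message yields a different tag."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample: a transfer request protected by a shared secret.
    shared_key = b"shared secret between the two parties"
    request = b'{"amount": 100, "to": "acct-42"}'
    tag = hmac_sha256(shared_key, request)
    print("tag:", tag.hex())
    print("genuine accepted:", verify_message(shared_key, request, tag))
    tampered = b'{"amount": 1000, "to": "acct-42"}'
    print("tampered accepted:", verify_message(shared_key, tampered, tag))
    print("agrees with stdlib:", matches_stdlib(shared_key, request))
```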

Network Security

I don’t have any current or pending blog posts on this topic, so I will provide brief correct answers to these questions. This is an area where every security practitioner should have quite in-depth knowledge.

Question: What is nmap?

Answer: Minimal acceptable answer: An application that performs network discovery, identifies open, closed, and filtered ports on hosts, and determines a device’s type and operating system.

Comment: A candidate with any knowledge of network security should know what “nmap” is.

Question: If I send a packet to a closed IPv4 UDP port, what response should I expect to receive?

Answer: ICMP 3/3 (Destination unreachable, port unreachable) if the port is unfiltered, or no response if it is filtered.

Comment: Checks candidate’s knowledge of the UDP protocol.

Question: If I send a packet to a closed IPv4 TCP port, what response should I expect to receive?

Answer: TCP RST (reset) if the port is unfiltered, or no response if it is filtered.

Comment: Checks candidate’s knowledge of the TCP protocol.

Question: If I send a TCP SYN packet to an open and unfiltered TCP port, what response should I expect to receive?

Answer: TCP SYN-ACK (to which I would respond with a TCP ACK packet)

Comment: Checks candidate’s knowledge of the TCP handshake.
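The three probe-response questions above, turned into the interpretation logic a scanner such as nmap applies to what comes back. This is an added example written for this article (not the author’s code and not nmap’s): it parses constructed IPv4/TCP/ICMP/UDP byte strings built inline and never sends anything. It goes slightly beyond the answers above in labelling silence to a UDP probe as the ambiguous “open|filtered”, since a UDP listener may simply not reply.

```python
import struct
from typing import Optional

ICMP, TCP, UDP = 1, 6, 17
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# ICMP type 3 codes other than 3 (net/host/admin prohibited and friends) mean a
# filtering device answered, not the host; scanners report these as "filtered".
ICMP_FILTER_CODES = {1, 2, 9, 10, 13}


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (checksums left zero; we only parse)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header with the given flags (seq/ack/checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def parse_ipv4(packet: bytes) -> dict:
    """Extract only the fields needed to interpret a probe response."""
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    info = {"proto": packet[9]}
    payload = packet[ihl:]
    if info["proto"] == ICMP:
        info["type"], info["code"] = payload[0], payload[1]
    elif info["proto"] in (TCP, UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
        if info["proto"] == TCP:
            info["flags"] = payload[13]
    return info


def port_state(probe: str, response: Optional[bytes]) -> str:
    """probe is "tcp-syn" (a SYN was sent) or "udp" (a datagram was sent)."""
    if response is None:
        # Silence means different things: a dropped SYN is "filtered", but a
        # UDP listener may simply not answer, so the honest verdict is ambiguous.
        return "open|filtered" if probe == "udp" else "filtered"
    r = parse_ipv4(response)
    if r["proto"] == ICMP and r.get("type") == 3:
        if r["code"] == 3:
            return "closed"             # ICMP 3/3: port unreachable
        if r["code"] in ICMP_FILTER_CODES:
            return "filtered"           # something in the path refused the probe
    if probe == "tcp-syn" and r["proto"] == TCP:
        if r["flags"] & TCP_RST:
            return "closed"             # RST: nothing listening
        if r["flags"] & TCP_SYN and r["flags"] & TCP_ACK:
            return "open"               # SYN-ACK: the listener accepted the handshake
    if probe == "udp" and r["proto"] == UDP:
        return "open"                   # any UDP reply proves a listener
    return "unknown"


# Constructed sample responses (our probe used source port 40000).
SYN_ACK_REPLY = build_ipv4(TCP, build_tcp(443, 40000, TCP_SYN | TCP_ACK))
RST_REPLY = build_ipv4(TCP, build_tcp(81, 40000, TCP_RST | TCP_ACK))
PORT_UNREACHABLE = build_ipv4(ICMP, struct.pack("!BBHI", 3, 3, 0, 0))
ADMIN_PROHIBITED = build_ipv4(ICMP, struct.pack("!BBHI", 3, 13, 0, 0))
DNS_REPLY = build_ipv4(UDP, struct.pack("!HHHH", 53, 40000, 8, 0))

if __name__ == "__main__":
    for label, probe, resp in [("SYN to 443", "tcp-syn", SYN_ACK_REPLY),
                               ("SYN to 81", "tcp-syn", RST_REPLY),
                               ("SYN, no reply", "tcp-syn", None),
                               ("UDP, ICMP 3/3", "udp", PORT_UNREACHABLE),
                               ("UDP, ICMP 3/13", "udp", ADMIN_PROHIBITED),
                               ("UDP to 53", "udp", DNS_REPLY),
                               ("UDP, no reply", "udp", None)]:
        print("%-16s -> %s" % (label, port_state(probe, resp)))
```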

Question: What is the BGP protocol, and what is its fundamental weakness as commonly implemented?

Answer: The Border Gateway Protocol specifies routing between Autonomous Systems (identified by Autonomous System Numbers, ASNs). Its weakness is that the routes are not signed, which can lead to route hijacking or Denial of Access.

Comment: Checks candidate’s understanding of how routes are established on large networks, such as the Internet. Note: Denial of Service is also acceptable instead of Denial of Access.

Question: What are the most common VPN protocols, and which one is badly broken?

Answer: PPTP is badly broken and should never be used. The most common VPN protocols are: OpenVPN, Wireguard, and IPSec (specifically, L2TP/IPSec and IKEv2/IPSec). Other common VPN protocols are: TLS, SSH, and MS-SSTP.

Comment: Checks candidate’s understanding of VPNs. If they fail to mention Wireguard, it means that they are not up-to-date with the latest VPN technologies. (Because of its speed and security, Wireguard is rapidly becoming the most widely used protocol.)

Question: What are the types of firewalls (e.g., packet filter)?

Answer: Packet filter, stateful inspection, application gateway

Comment: Checks candidate’s understanding of firewalls. If the candidate responds with, “network-based and host-based,” remind them that you’re seeking the types of filtering they do, not the firewall’s location. If they add either “proxy,” or “NAT/PAT” to their list, then they are showing they don’t actually understand the purpose of firewalls or how a firewall functions.

Question: A set of rules that determine if a firewall is to permit or deny network traffic is called what?

Answer: Access Control List (ACL).

Comment: Checks if a candidate has any understanding of how firewalls are configured.
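The firewall-types question and the ACL question above, worked as one added example (illustrative code written for this article, not the author’s): the same first-match ACL with an implicit deny is applied once as a stateless packet filter and once with stateful inspection, which is what lets return traffic through without an inbound rule. The ACL, hosts and packets are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "in" (toward the protected network) or "out"


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    direction: str   # "in", "out" or "any"
    proto: str       # "tcp", "udp" or "any"
    dport: object    # port number or "any"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and self.dport in ("any", pkt.dport))


def packet_filter(acl, pkt: Packet) -> str:
    """Stateless packet filter: every packet is judged on its own against the
    ACL, the first matching rule wins, and anything unmatched hits the
    implicit deny at the end of the list."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: the ACL is consulted only for packets that start a
    flow; replies to a flow already in the state table are permitted without
    any inbound rule, so the ACL never has to open a hole for them."""

    def __init__(self, acl):
        self.acl = list(acl)
        self.flows = set()

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return "permit"                      # return traffic for a known flow
        decision = packet_filter(self.acl, pkt)
        if decision == "permit":
            self.flows.add(flow)                 # remember the flow we just allowed
        return decision


# Constructed sample ACL and traffic: inside hosts may initiate outbound TCP;
# nothing inbound is listed, so inbound packets fall through to the implicit deny.
OUTBOUND_ONLY_ACL = [Rule("permit", "out", "tcp", "any")]
CLIENT_SYN = Packet("10.0.0.5", "203.0.113.5", "tcp", 51000, 443, "out")
SERVER_REPLY = Packet("203.0.113.5", "10.0.0.5", "tcp", 443, 51000, "in")
UNSOLICITED_SSH = Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 22, "in")
TRAFFIC = (CLIENT_SYN, SERVER_REPLY, UNSOLICITED_SSH)


def compare_firewalls() -> dict:
    """Run the same three packets through both filter types, in order."""
    stateful = StatefulFirewall(OUTBOUND_ONLY_ACL)
    return {"stateless": [packet_filter(OUTBOUND_ONLY_ACL, p) for p in TRAFFIC],
            "stateful": [stateful.filter(p) for p in TRAFFIC]}


if __name__ == "__main__":
    for kind, verdicts in compare_firewalls().items():
        print(kind, verdicts)
```

The stateless filter blocks the server’s reply (there is no inbound rule), so an administrator would have to add a broad inbound permit to make the connection work; the stateful firewall passes the reply and still drops the unsolicited SSH attempt.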

Question: I am streaming video from Netflix. What is the MAC address of the packets arriving from Netflix?

Answer: The MAC address will be the MAC address of the LAN side of the default gateway for the LAN.

Comment: Checks candidate’s understanding of Link-layer network routing. If they answer with the name of a device (router, firewall, WiFi, etc.), then they understand the concept but did not state it in general terms.

More Advanced Security Topics

The questions in this section go a little beyond the basics. Most experienced candidates should be able to answer the questions in this section.

Hardware Security

Questions in this section are about how to secure devices. They are general knowledge and apply to everything from computers and peripherals to embedded systems and IoT devices. Every experienced security candidate should be able to answer them.

Question: How do you securely erase an SSD or a flash drive?

Answer: You can’t. That’s why the drives must be encrypted.

Comment: This question probes how well a candidate understands flash-memory devices. Some candidates will answer “Using the manufacturer’s erase utility” or something to that effect. That’s the standard answer some certification exams expect. However, the candidate should understand that it is not an adequate solution, and the only real solution is drive encryption.

Question: What is the difference between a secure boot and a verified (trusted) boot?

Answer: Secure boot verifies the first stage boot loader before releasing the processor from reset, and verified boot always trusts the first stage of the boot loader.

Comment: This question checks the candidate’s understanding of how processors boot. A more detailed answer involving more than the first stage of booting may be given, but the critical aspect of this question is the first stage of the boot process.

Question: What are the “negative rings” in the Intel architecture, and for what are they used?

Answer: Ring -1: Hypervisor; Ring -2: SMM (System Management Mode); Ring -3: Management Engine.

Comment: Whether or not the candidate is familiar with “Ring -3” is the critical point of this question. If they lack that knowledge, then they are unfamiliar with an entire class of attacks against Intel processors.

Question: Why is the “Branch Prediction” architecture common in all modern processors a security risk?

Answer: Because it has been found that branch prediction enables several different side-channel attacks that leak information from otherwise inaccessible memory.

Comment: This question determines whether the candidate is familiar with a large class of processor-level vulnerabilities that have been identified in the past five-plus years.

Application Security

These questions check the candidate’s knowledge of application security fundamentals. If they have not worked in application security, they may not be familiar with some of these topics.

Question: Name at least half of the OWASP Top Ten vulnerabilities.

Answer: As of the date of this blog entry’s publication, the OWASP list is:

  • Code Injection (Injection)
  • Broken Authentication
  • Broken Access Control
  • Broken Confidentiality Controls (Sensitive Data Exposure)
  • Cross-Site Scripting
  • Misconfigurations (Security Misconfigurations)
  • Insufficient Logging and Monitoring
  • Using Known Vulnerable Software (Using Components with Known Vulnerabilities)
  • Broken Handling of References in XML (XML External Entities)
  • Insecure Deserialization

Answers from older lists include:

  • Broken Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards
  • Missing Function-Level Access Controls

Comment: The names in parentheses are the formal names in the OWASP list. The names I have used in the list are what most practitioners call the vulnerabilities. I would expect any candidate with software development or application security experience to know the first five. Candidates who are not current may include entries from older top ten lists (which are all still valid vulnerabilities, just no longer in the top ten). For a detailed explanation and the current OWASP list, see OWASP Top Ten. Older lists include OWASP 2010 and OWASP 2013.

Question: Give three examples of injection attacks against applications.

Answers: SQL, NoSQL, LDAP, XML, Command

Comment: Injection attacks are one of the most widespread web application attacks. Any security practitioner should be aware of at least two or three types of injection attacks. “Script” is an acceptable answer instead of “Command.”

Question: What does a static analysis tool do?

Answer: Inspects code (source code or object code, depending upon the tool) for potential vulnerabilities.

Comment: All candidates should know this, as static analysis is a critical step in software security verification.

Question: What does a dynamic analysis tool do?

Answer: Tests a program’s execution against known vulnerabilities.

Comment: All candidates should know this, as dynamic analysis is a critical step in software security verification.

Question: What is fuzzing?

Answer: Tests a program’s handling of random inputs.

Comment: Most candidates should know this, as fuzz testing is a critical step in software security. But, it is often a step skipped, as it requires specialized skills to both set up the test and to analyze the results.

Question: What is Threat Modeling?

Answer: A formal approach to analyzing systems for potential vulnerabilities and classifying the risks associated with those vulnerabilities.

Comment: All candidates, regardless of experience level, should have some idea what threat modeling is and how it can increase security.

Question: Explain how a stack overflow attack takes control of a computer.

Answer: The attack overwrites EIP (instruction pointer) to jump to code injected onto the stack.

Comment: Most security practitioners should know how to answer this question, although they may not state the answer so succinctly. Anyone claiming penetration testing experience must be able to answer this question, as this is a common means of software exploitation. Note: The key point here is to overwrite EIP to jump to executable code.

Question: What are two widely-deployed software defenses against stack overflow attacks?

Answer: ASLR and canaries.

Comment: Anyone claiming software security or operating systems security experience must know about ASLR (Address Space Layout Randomization). If they claim software security experience, they should also know about canaries. There are many different implementations of canaries, such as StackGuard. If a canary implementation name is given in the answer, ask what type of protection that feature offers (canaries should be the answer).

Question: What capability do Intel architecture processors provide in hardware to prevent the execution of code written to the stack?

Answer: NX or ND bit

Comment: Anyone claiming operating systems or hardware security experience should know this. In the Microsoft world, enabling this hardware feature is known as Data Execution Prevention (DEP).

Physical Security

Any security practitioner who claims penetration testing experience should be able to answer these questions.

Question: How can you open a padlock for which you have forgotten the combination?

Answer: Padlock shim.

Question: Explain how a bump key works.

Answer: A bump of a “bump key” (a key with 999 bittings) causes the pins to bounce, and slight pressure on the key causes the pins to lock in place and allows you to open the lock.

Question: What is a well-known attack against security doors which have a motion detector sensor which unlocks the doors on the inside?

Answer: Spray a can of compressed air upside down through the crack between doors. The mist formed will often trigger an unlock.

Summary

At some point during the interview process, a candidate for a cybersecurity role should be screened for an adequate understanding of the basic principles of the field. Domain-specific knowledge also needs to be covered, but an understanding of the candidate’s grasp of the basics should come first.

I often provide screeners with questions like these (without answers) to screen the candidate. I have the interviewer record the answers which I review later. Even screeners with no security background will usually be able to quickly determine whether or not a candidate knows security or is faking it.

Cybersecurity is filled with too many practitioners who lack basic knowledge. It’s perhaps one of the leading reasons we have so many breaches: If those responsible for security don’t know all they should know to do their job, they’re going to leave gaping holes which even a script-kiddie can exploit.

Interview carefully and thoroughly! Candidates shouldn’t be expected to know everything, but they should at least know the fundamentals.

Feel free to plagiarize my questions for use in your organization. But, you are not free to republish them elsewhere without advance written permission.

Please check out my Blog Introduction and Index to find other postings about what we are doing wrong in security and how we need to fix it.

Featured Image

Credit: Photo by Maranda Vandergriff on Unsplash.

Revision History

  • Updated 2020/04/20 to correct three answers: Added “XML” and “Script” to types of injection attacks. Clarified that asymmetric keys are generated from “large (usually prime) numbers” (previously said “large random numbers”). Corrected SMM to be “System Management Mode” instead of “System Management Module.”
