Monday, 18 April 2016

Information Security Interview Questions

The  number of Information Security related jobs are growing extensively…. There is a huge requirement for skilled InfoSec professionals across the globe.. the jobs positions are available for freshers, experienced guys and top management (typically CISO etc)… This post is my attempt to collect typical InfoSec interview question and answers to help those looking out opportunities in this field… I’ll keep on updating the questions regularly.. You can also share/contribute any questions you might have faced during your InfoSec interviews….
Category I: General Security Concepts / Network Security / OS Security
1) Is there any difference between Information Security and IT Security? If yes, please explain the difference.
Ans– Yes. Information Security and IT Security are both different terms often used interchangeably. IT Security focuses on purely technical controls (like implementing antivirus, firewall, hardening systems etc) while Information Security is more wider term which implies securing “information” as an asset be it in any form. (ex shredding of paper documents to prevent dumpster driving etc). So IT security can be considered as a subset of Information Security.
2) What is the difference between Encoding, Encryption and Hashing?
Ans– At a very high level, all these 3 terms might appear to be similar and people often confuse between them. But each of the technique is distinct and has different use case. The purpose of encoding is to transform data so that it can be properly (and safely) consumed by a different type of system, e.g. binary data being sent over email, or viewing special characters on a web page. The goal is not to keep information secret, but rather to ensure that it’s able to be properly consumed. It does not require a key as the only thing required to decode it is the algorithm that was used to encode it. Examples: ASCIIUnicodeURL EncodingBase64. The purpose of encryption is to transform data in order to keep it secret from others. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. Examples: AESBlowfishRSA. The purpose of hashing is to take arbitrary input and produce a fixed-length string that has the following attributes:
  1. The same input will always produce the same output.
  2. Multiple disparate inputs should not produce the same output.
  3. It should not be possible to go from the output to the input.
  4. Any modification of a given input should result in drastic change to the hash.
Examples- MD5, SHA1, SHA2 etc. Hashing is often used in computer forensics to verify integrity of the digital evidence.
3) What is the difference between proxy, firewall, IDS and IPS?
proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity. Firewall is basically meant for network traffic control/filtering mainly at layer-3. It allows/denies packets and connections based on certain pre-defined rules. IDS- Intrusion Detection System is an application which tries to detect intrusion attempts based on attack signature database it has. IPS- Intrusion Prevention System detects the intrusion (like IDS) and goes one step ahead to prevent it as well. It simply drops the packet it thinks suspicious (based on rules)
Examples:
  1. proxy – Squid
  2. Firewall- IPTables, CISCO Pix, ZoneAlarm
  3. IDS- SNORT
  4. IPS- IBM Proventia
4) How does asymmetric encryption work?
5) How does SSL work? Are you aware about some of the latest vulnerabilities that were found in SSL implementation?
6) What is port scanning? What are the countermeasures to prevent it?
7) What is Man in Middle attack? Can it be prevented?
8) What is the difference between false positive and false negative?
9) Explain the term ‘Defense in depth’.
10) What do you mean by stateful inspection by a firewall?
11) What is DMZ? Which systems should be placed in DMZ? What are common security precautions for DMZ systems?
12) What is DLP? How does it work?
13) In what scenario, AD authentication should be used?
14) Is SSH completely secured? If not, can it be hardened more?
15) What is Virtualization? What are the security risks in it?
16) What do you mean by ‘BYOD’ ? Explain security concerns related with it.
17) What are the different layers of OSI model? Can you list 1 vulnerability corresponding to each of the OSI layer?
18) What are honeypots?
19) Tell about any of the major security incident that happened recently.
20) How do you keep yourself updated with latest trends in Information Security?
Ans: I refer to various security news sites , blogs etc (Like thehackernews, Rapid7 blog etc) Also I am subscribed to various online security magazines like Pentest magazine, HackInsight etc and I surf through the archives of various security conferences held worldwide.
21) Which OS do you feel is more secure? Linux or Windows?
Ans: No OS is secured unless and until its administrator is smart enough to secure it. Though Windows has more publicly found security issues, it can still be hardened appropriately. Its all about perception and having right sense of security. Linux definitely provides robust security, however a mis-configured Linux box could really pose a big threat to security.
22) Explain in brief, Multi Factor authentication.
23) Explain in short how Kerberos works.
24) How to harden a Windows Machine?
25) How to harden a Linux Machine?
26) How can you prevent DOS/DDOS attack?
27) What is a 0-Day Vulnerability? Can it be prevented?
28) What is the biggest difference between Windows OS and Linux OS?
29) Can an IDS be used to prevent intrusions? (Ans is yes, ex- SNORT, one of the open source IDS if configured in in-line mode in conjunction with IPTables, it can act as IPS)
30) Explain any type of Wi-Fi Attack and how to prevent it.
31) What is SIEM? Why it is useful?
32) What is rainbow attack? Is there a way to prevent it?
33) Explain the difference between hub, switch and router.
34) What do you mean by reverse shell in Linux?
35) Explain file ACL’s (permissions) in Linux. What is the use of sticky bit?
36) What is NAT and PAT? Explain difference between them and how do they work.
37) Comment on security concerns in Cloud Computing.
38) What is the use of ‘salt’ in reference to passwords? Are there any limitations of using it?
39) What is single sign-on? What are security risks with it?
Category II: VA/PT
1) What is the difference between Vulnerability Assessment and Penetration Testing? Which one needs to be performed first?
2) What are the steps to perform VA/PT?
3) What precautions are required to be taken while performing VA/PT?
4) With whom would you share the findings of VA/PT and how would you convey the risk of the findings effectively so that mitigation can be initiated immediately?
5) What tools do you normally use for VA and PT? Which tool you find the best and why?
6) What all should be included in report of VA/PT assessment?
7) Is it possible to hack into a system without using any tool? If yes, how would you do it? (Manually?)
8) How can you identify whether a remote machine is a Windows Machine or Linux Machine?
9) What is the difference between active and passive information gathering? (give 1 example of each)
10) How does sniffing works? Explain how can you sniff into a network. Can sniffing attack be prevented and how?
11) What would you do if nmap port scans are blocked by network security administrator? How would you gather host information in such case?
12) What are the different components of metasploit? Explain client side exploits/attacks.
Category III: Web Application Security
1) Why is Web Application Security Important?
2) “Making the website HTTPS would make it secure” share your comments on this.
3) What are cookies? What security threat do they pose?
4) What is SQL Injection attack? What are its types?
5) What are the ways to prevent SQL Injection?
6) What is XSS attack? What are its types?
7) What are the ways to prevent XSS attacks?
8) What is CSRF? How to prevent it?
9) What are the top 5 Web Application Vulnerabilities you know?
10) Explain any case wherein you found some critical web application vulnerability and you also provided solution to fix the same.
11) How would you mitigate vulnerabilities in a legacy application where much of code change is not feasible?
12) What tools do you use for performing Web Application security testing?
13) What are common security threats in Web Services and how do you test them?
14) What is the difference between White Box Application Security testing and Blackbox Application Security testing?
15) Do you have hands on knowledge of source code review? Give any example of vulnerability/bug you found during source code review.
16) What standards do you refer for Web Application Security and related vulnerabilities?
17) What are the most important steps you would recommend to secure your new web server?
18) Will L-3 firewall be useful in protecting the web application against common attacks? If yes, then to what extent?
19) What is Directory Listing? What is its impact? How to prevent it?
20) Can you explain any 2 vulnerabilities occurring due to poor session management?
21) Where should be the Web Server and Database server placed in network for optimal security?
21) Is there any risk when conducting Application Security testing on production instance?
Ans: Ideally, Application Security testing should never be performed on production instance. Automated scanners can insert, modify or even delete data from the target application. This could be a big risk. So the testing should be carried out on test instance which should contain exact replica of the application code running on production instance. If at all you have to test on production instance, its owner must take responsibility (in writing) of any data loss that may occur after testing.
22) How would you investigate or trace any security incident which occurred due to exploitation of some vulnerability in your web application?
23) Please explain how would you test a mobile application for security vulnerabilities?
24) Explain about Database Security. What are common controls for securing Databases.
25) How would you convince the developer to fix the vulnerabilities you found in the Web Application?
Ans: It is a normal human mentality not to accept our mistakes. Same applies in this case. No developer would easily accept that code written by him has serious security bugs. So, you have to demonstrate him the vulnerability you discovered with proper PoC. And explain him the severity and impact if the vulnerability gets exploited. You have to be polite while explaining and not get into arguments.
26) How does HTTP handles state?
Ans: HTTP is a stateless protocol.
27) How do you identify that an application is vulnerable to blind SQL Injection attack?
28) What is clickjacking and how do you prevent it?
29) What are the top 5 Mobile Application security threats?
30) At which stage of SDLC should the security controls be applied?
Category IV: Risk Management/ Compliance/ Security Frameworks
1) What is Risk Assessment and Risk Management? Are they same?
2) What are the standards available for Risk Management?
3) What are the types of Risks?
4) What are the possible ways to treat the risk?
5) What is the difference between threat, vulnerability , exploit and risk?
5) What is residual risk? Can it be eliminated?
6) What is ISO 27001? Why an organization should adopt it?
7) What is the difference between ISO 27001 and ISO 27002?
8) What is PCI-DSS? Is there any similarity between PCI-DSS and ISO27001?
9) What type of organizations are required to be compliant with PCI-DSS?
10) What is the difference between a standard, policy, procedure?
11) What would you do to make security program / initiative successful in the organization?
12) How would you convince the senior management to invest in certain security initiative?
13) How much would you ideally spend on securing a Windows Server? (This is a very generic question, but would really test whether the candidate is clear with the basics like asset value, impact analysis etc)
14) What is the difference between technical controls and procedural controls? (give 1 example of each)
15) Explain high level steps for initiating and implementing ISO27001.
Category V: Strategic / Scenario Based Questions
1) Please comment: Which one would be more securely built? Open Source software or Commercial/Proprietary software?
2) Whom do you get inspired from in the field of Information Security?
3) How many packets would travel from a laptop if a user initiates a traceroute to facebook.com?
4) Consider a scenario, the network has become extremely slow, there are many escalations coming to service desk, what would you do a as security professional? Do you see a possibility of any security threat in this? How would you face this situation?
5) Suppose business team wants to launch an application or urgent basis, but you know its vulnerable to some critical attacks, what would you do in such case? Should business requirement be given priority or security should be the priority?
6) What are the latest trends in Information Security?
7) Is Internet Banking really safe and secure? What are your views on this?
8) Where do you see yourself (in which role/position) after 3-4 years?
9) Should social networking websites (like facebook) be allowed or blocked? Justify with proper reason.
10) Anonymous hackers are hacking into some critical infrastructure around the world. Can you comment on how would they be doing this?
11) Have you heard about stuxnet? Explain your views on it and how could  it have been prevented?
Category VI: Computer Forensics/Laws
1) What do you mean by checksum? What are the popular algorithms for calculating checksums? What is its significance in computer forensics?
2) Describe steganography, its types and how to detect it?
3) What do you mean by file carving?
4) What is meant by bit stream image? Why it is important in forensics?
5) What is swap space? What is its relevance in forensics? What is page file?
6) Explain high level steps for seizing a live computer system.
7) What are the main challenges in computer forensics?
8) What is file shredding?
Ans: File Shredding is a technique used to securely erase/wipe or destroy the file (logical or physical) in such a way that it cannot be re-constructed to derive its original meaning.
9) Can data be recovered after shredding is performed?
10) What are the famous tools used in computer forensics?
11) What hardware is necessary for performing computer forensics?
12) What care should be taken while packaging the seized evidence?
13) What is slack space?
14) List few situations wherein lost data cannot be recovered.
Ans: If the data is stored on magnetic media, and that media comes in contact with very strong magnetic field then it may result in permanent loss of data. If data is on the disk is over-written more then 30 times, it may get in unrecoverable state. If the media is physically destroyed like completely burnt or turned into fine powder then it won’t be possible to recover the data.
15) How would you traced a spoofed email sent from spoofed IP address?

No comments:

Post a Comment