  1. Senior Member YFZblu
    Join Date
    Nov 2011
    Posts
    1,423

    Certifications
    A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #1

    Default Security Analyst Interview - Some of what you need to know:

    Hey all,

    Security is such a hot topic here in terms of getting in, certs, knowledge, etc. that I thought I would create a thread on my most recent interview for a Security Analyst position. This is for what they call an 'L1' interview; for those who may have little or no experience in security but have shown interest/understanding of security and bring knowledge to the table that would be useful in a security environment - or in my case having even a little experience gets me calls for new infosec jobs all the time.

    In my case I have a small amount of experience working in a SOC doing network log analysis (SIEM), proxy changes, and firewall changes. Here is some of what was asked of me in an interview I had last week:

    -First and foremost, Linux. It's everywhere in infosec as many of you know. I won't get too specific on this, but definitely dig in and learn Linux.

    -Incident Response methodologies - Which IR methodology do you subscribe to, and please explain it. Can certain steps of your IR methodology be skipped or combined? Give examples.

    -Name some infosec conferences you have attended. What security blogs do you review? Where do you get your security news? Who do you look up to in security and why?

    -TCP/IP - What is TCP/IP? Explain how TCP works and be as detailed as possible. How does that differ from UDP? Explain from end-to-end how DNS works. Name as many protocols and their corresponding ports as you can. What is the difference between active and passive FTP, and how is it relevant to a stateful firewall? What is the difference between a stateful firewall and a packet-filtering firewall? What is the difference between IDS and IPS? Explain how each one might have an advantage over the other. As you can see, questions evolve from other questions, and the interview was very dynamic in the sense that new questions also stemmed from some of the answers I gave.

    -Behavioral / point of view / maturity questions - One might be told that Company A wants to "downgrade" from Windows to Linux and asked how to go about doing that. These types of questions are geared toward weeding out the fanboys who cannot rise above their lust for a certain technology to admit that all platforms have advantages. Even if you don't truly believe all platforms have advantages, it is vital to accept that the business runs the show, not the security department, and sometimes we don't always get what we want.

    -Experience questions: The interviewers handed me a piece of paper with a log on it. I was asked what kind of log it was and to analyze what it was telling me. From there, I was asked to make determinations about this traffic and explain exactly how I got to those conclusions. The reason I call this an "experience" question is because if one has never seen that type of log in their life, they may have no idea what it was or how to approach it. This is where manufacturing experience comes into play - set up different types of logging at home, review it, analyze it, etc. That way if you have never worked in security and someone hands you that log you can at least begin to assess what's going on. We do it for Cisco with our labs and the same holds true here. Examples of this are firewall logs, proxy logs, Windows logging, Linux.

    -Code: I said this in a post the other day - Do yourselves a huge favor and learn to script and at least learn to read some code. I put it off forever and it is biting me in the butt. I'm basically drinking from the firehose trying to get up to speed. Much like the Linux thing I won't get too detailed about why/how, just learn it.

    -Last but not least, know what you claim to know. This applies to all jobs of course, but do not put anything on your resume that you cannot defend in detail with specific examples. This interviewer did an excellent job of attempting to weed out any BS. If I didn't know something, I flat out said I didn't know it. In cases like that, showcase your resourcefulness and demonstrate how you go about finding the right answer. If you bomb an interview because you were asked a ton of application security questions, when you never claimed to know appsec in the first place, move on without dwelling on it - IMO that is a bad interview setup by people who did not properly match candidates with the job responsibilities.

    There was much more to this interview; it was basically rapid-fire for an hour and a half. I did want to put a high-level overview out there of what I see / what is expected of me as an L1 in security. This is my perspective as a relative newb in security and I'm sure the more tenured and knowledgeable security people here will disagree with some things or maybe have more to add. I hope this helps some of you.
    Last edited by YFZblu; 06-14-2013 at 06:19 PM.
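The "experience question" above (identify a log you have been handed, then say what it tells you) is something you can rehearse at home. The script below is an added example, not code from the thread or from the poster: it takes a handful of constructed log lines (iptables kernel messages and Squid access-log entries, plus one sshd line it deliberately does not know), classifies each line by format, and turns the parsed fields into the kind of countable facts an interviewer wants to hear you reason from (which source was blocked, on which ports, which proxy client was denied). The log prefix "IPT", the three-port threshold and all addresses are assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (made up for this example; addresses are documentation ranges).
# Four iptables kernel lines, two Squid access-log lines, one sshd line the parser
# does not know, so the "unknown" path is exercised too.
SAMPLE_LOG = """\
Jun 14 18:02:11 fw1 kernel: IPT DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51022 DPT=22
Jun 14 18:02:12 fw1 kernel: IPT DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51023 DPT=23
Jun 14 18:02:12 fw1 kernel: IPT DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51024 DPT=3389
Jun 14 18:02:13 fw1 kernel: IPT ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=40012 DPT=443
1371232933.118    120 10.0.0.15 TCP_MISS/200 5123 GET http://example.net/index.html - DIRECT/93.184.216.34 text/html
1371232934.552     88 10.0.0.15 TCP_DENIED/403 3412 GET http://example.org/tracker.js - NONE/- text/html
Jun 14 18:02:15 srv1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51100 ssh2
"""

# iptables LOG target output as written by the kernel; the "IPT <verdict>" prefix is an
# assumed local logging convention, not something iptables emits on its own.
IPTABLES_RE = re.compile(
    r"kernel: \S+ (?P<action>ACCEPT|DROP|REJECT) .*?"
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Squid native access.log: time elapsed client result/status bytes method URL ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d{9,10}\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify(line):
    """The interviewer's first question: what kind of log is this line?"""
    if IPTABLES_RE.search(line):
        return "iptables"
    if SQUID_RE.match(line):
        return "squid"
    return "unknown"


def analyze(text):
    """Second question: what is the log telling us? Return countable facts, not guesses."""
    types = Counter()
    drops_by_src = Counter()          # blocked connection attempts per source address
    dropped_ports = defaultdict(set)  # distinct destination ports blocked per source
    denied_by_client = Counter()      # proxy requests the policy refused, per client
    unknown = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind = classify(line)
        types[kind] += 1
        if kind == "iptables":
            rec = IPTABLES_RE.search(line).groupdict()
            if rec["action"] in ("DROP", "REJECT"):
                drops_by_src[rec["src"]] += 1
                if rec["dpt"]:
                    dropped_ports[rec["src"]].add(int(rec["dpt"]))
        elif kind == "squid":
            rec = SQUID_RE.match(line).groupdict()
            if rec["result"].startswith("TCP_DENIED") or rec["status"] == "403":
                denied_by_client[rec["client"]] += 1
        else:
            unknown.append(line)
    # One source blocked on several distinct ports in a short window is the kind of
    # pattern an analyst should be able to point at and explain; the threshold is arbitrary.
    multi_port_sources = sorted(src for src, ports in dropped_ports.items() if len(ports) >= 3)
    return {
        "types": types,
        "drops_by_src": drops_by_src,
        "dropped_ports": {src: sorted(ports) for src, ports in dropped_ports.items()},
        "multi_port_sources": multi_port_sources,
        "denied_by_client": denied_by_client,
        "unknown": unknown,
    }


def report(text):
    """Human-readable findings, each one traceable to a count produced by analyze()."""
    r = analyze(text)
    lines = [f"log types seen: {dict(r['types'])}"]
    for src, n in r["drops_by_src"].most_common():
        lines.append(f"{src}: {n} blocked attempt(s) on ports {r['dropped_ports'][src]}")
    for src in r["multi_port_sources"]:
        lines.append(f"{src}: blocked on {len(r['dropped_ports'][src])} distinct ports - review as a probe")
    for client, n in r["denied_by_client"].most_common():
        lines.append(f"proxy client {client}: {n} request(s) denied by policy")
    if r["unknown"]:
        lines.append(f"{len(r['unknown'])} line(s) of a type this parser does not recognise")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The point of the exercise is the explanation, not the script: every line `report()` prints should be something you can justify from a specific field in a specific log line, which is exactly what "explain how you got to those conclusions" asks for. Swap in exports from your own home firewall or proxy and extend the two regexes to whatever formats you actually run.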

  3. Senior Member
    Join Date
    Nov 2012
    Location
    Montreal
    Posts
    589

    Certifications
    OSCP, CEH, SSCP, EJPT, CCNA:Security, CCNA:R&S, MCSA:W2K8, Linux+, LPIC-1, SCLA
    #2
    WOW! Thanks a lot, hopefully this will help me in the future!

  4. Random Member docrice
    Join Date
    Apr 2010
    Location
    Bay Area, CA
    Posts
    1,687

    Certifications
    GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA
    #3
    Good post. I sometimes perform the role of the technical interviewer for infosec roles and I agree with the content. I look for biases, approach/logic to different subjects, and (what I perceive as) honesty/transparency in the candidate's self-assessment of his/her abilities. Security staff tend to have direct access to a lot of sensitive information so determining the character of the individual as well as the hard skill set are big factors.

  5. Senior Member cyberguypr
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    5,779

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #4
    Great insight man. I see the question "how do I get into InfoSec" pop up all the time and this is golden. Thanks for sharing.

  6. Senior Member
    Join Date
    Apr 2011
    Location
    DMV
    Posts
    214
    #5
    Dude,
    I actually printed this out for my coworkers. Good job!

  7. Senior Member YFZblu
    Join Date
    Nov 2011
    Posts
    1,423

    Certifications
    A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #6
    Quote Originally Posted by docrice:
    Good post. I sometimes perform the role of the technical interviewer for infosec roles and I agree with the content. I look for biases, approach/logic to different subjects, and (what I perceive as) honesty/transparency in the candidate's self-assessment of his/her abilities. Security staff tend to have direct access to a lot of sensitive information so determining the character of the individual as well as the hard skill set are big factors.
    Thanks - That's another good point regarding sensitive information and I would like to expand on that because it could certainly come up in an interview. Think about why it might be important to act with discretion from both a technical standpoint and a non-technical standpoint. A couple of stories on that:

    Non-technical standpoint: Where I work we use an internal ticketing system only the Security people have access to for documentation, and an "external" ticketing system which is used by the entire organization for when Security needs to interface / send a request to admins or local technologists. If a VP gets caught performing unscrupulous activities (bittorrent, pr0n, etc.) it is in the organization's best interest to keep it private for a variety of reasons. Of course there are times when an organization is legally bound to disclose, but that's a different story.

    Technical reasons: We don't want too many hands in the cookie jar when something goes down. Unfortunately my security team's leadership did not define a small group to be part of the Incident Response team where I work. So when something big happened, a security manager reached out to an admin, who told another admin, who told an entire NOC, who told the data center operations team, and suddenly we had 60+ people on a bridge call and everyone was asking "who, what, when, where, why" questions. This was extremely unproductive during an Incident because people began to go rogue, started unknowingly destroying evidence, and generally created a massive cluster of fail.
    Last edited by YFZblu; 06-14-2013 at 08:53 PM.

  8. Member Bill3rdshift
    Join Date
    Aug 2012
    Location
    Tampa, FL
    Posts
    36

    Certifications
    JOAT
    #7
    Agree fully, excellent post, my fellow security enthusiast. The interview seems to be very methodical, and if one prepares properly, the candidate should have a leg up on the competition. IMO the time spent preparing will pay dividends and should exude confidence.

    I bought and used this IT Security Interviews Exposed book: IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job (Chris Butler, Russ Rogers, Mason Ferratt, Greg Miles, Ed Fuller, Chris Hurley, Rob Cameron, Brian Kirouac; ISBN 9780471779872, Amazon.com)

    It's not the best security book but it's affordable. It gave me a guideline, so to speak, to follow and keep focused. The information in the book is straightforward security technologies and such. They could have gone more in depth, but for $20 it should do the trick.

    I also use Hacking Exposed 6 and the college book for Security+. Good luck to future interviewees.

    Again, great thread!!
    Last edited by Bill3rdshift; 06-15-2013 at 07:03 AM.

  9. Netzwerksicherheit Master Of Puppets
    Join Date
    Jan 2013
    Location
    /dev/null
    Posts
    1,175

    Certifications
    CCNA R&S, CCNA Security, CCNP R&S, CCNP Security
    #8
    Great post! This is the first time that I'm congratulating someone on something other than getting a job/cert, but... Congrats! IMHO, you got everything spot on; I don't know how we can disagree with you. While there may be some stuff that can be added, what you shared is true and I think it will be useful to many people.

    All of these and more happened to me when I was applying for my job. I had a little trouble with the logs because, frankly, I never took the time to deal with them. The total lack of real-world security experience almost cost me the job, so I had to think outside the box. Here in this industry that matters quite a lot, if you ask me. So to compensate I took a risk - I asked if I could take out my laptop and show them exactly why they needed me. A little more than an hour later I was getting introduced to the security staff and was given my first task - to show them what they did wrong.

    The moral of the story is that sometimes the experience barrier may seem too tough to break, but if you have the skills there is a way (the hardest thing was getting an interview in the first place). Following the great things in this post, you should be able to get the ball rolling.

  10. Random Member docrice
    Join Date
    Apr 2010
    Location
    Bay Area, CA
    Posts
    1,687

    Certifications
    GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA
    #9
    I second the IT Security Interviews Exposed book (mine is actually about five feet away from me at the moment). I went through that book within a day some years back. It's a good overview. Certainly not deep, but it does cover a lot of points employers might look at.

    I just wanted to add a little more to the thread since I understand the desire to get into the seemingly fancy-sexy world of digital "cyber" security with all the talk about vulnerability assessments, intrusion detection, firewall evasion, traffic interception, social engineering, penetration testing, risk analysis, incident response, malware eradication, target reconnaissance, disk forensics, advanced persistent threats, next-generation prevention systems, and whatever other meaningless marketing-speak that's deployed as verbal spam at conferences like RSA in order to impress CIOs who will recommend their IT managers to buy the latest PacketPewPew Appliance which will identify/contain/eradicate the threat agent.

    While I don't speak for the profession nor the industry since I'm just another guy on the front lines, I will say that if you like the subject matter, this stuff can be both fun and frustrating. It's frustrating because it's 1) high maintenance, 2) you'll never get it perfect, 3) sometimes the work can be enormously tedious, 4) there are never enough hours in the day, and 5) many people, including management, will never really "get it" except for the purposes of regulatory compliance and therefore general support for your efforts might be lacking.

    As a network security engineer for a company in the information security industry, I'll say that the life can potentially be very fast-paced, demanding of perfection, and yet will always default to some degree of less-than-perfect compromise. Infosec is typically tasked with many corporate secrets and responsibilities that if not handled properly means damage to a business' brand and thus market position. To the business you're just another line-item expense unless you're in a consultant type of role which helps the organization profit. There's never a trophy waiting for you. Just more work. But that's okay if you love this stuff and don't mind constantly putting in the effort to stay up on the world developments around you.

    This is why interviews for security positions can involve a lot of heavy scrutiny while a large magnifying glass scrolls over your person. Your skills, ability to adapt, comfort zones, awareness of self-biases, personal interests, social interaction, communication abilities, presentation quality, career hopes, and ultimately trust in character all factor in. While technical skills are important, someone's candidness and honesty is perhaps even more important. Your objective sense is crucial.

    When I conduct interviews, my questions are sometimes simple ... but not easy. They're designed to invoke discussion so I can see how someone thinks, the kinds of assumptions which are made, the approach one takes to solve a problem, and how they react when they hit a brick wall. I've done interviews on my own that lasted over an hour, perhaps two and the time flew by.

    At the end of the day, oftentimes specific technical skills can be trained. Character flaws or other mental limitations, however, cannot. We security people can be an impatient bunch and very scrutinizing for a good reason - we have to trust you if we're going to work with you. That's why going through the wringer in an infosec interview can involve a lot of pressure. If you don't know something, just admit it. There's nothing wrong with it. No one knows everything and it becomes a question of how motivated you are and how well you can deliver.

    And don't brag about certifications. We won't always give you the same level of credibility as you might hope.

  11. Senior Member
    Join Date
    Feb 2012
    Posts
    2,426
    #10
    @docrice - great points and I wanted to add on as well.

    Quote Originally Posted by docrice:
    .... many people, including management, will never really "get it" except for the purposes of regulatory compliance and therefore general support for your efforts might be lacking...
    Well... I can assure you that I get it. It largely depends on the industry that the company operates in. For regulated entities, it's not just about regulatory compliance; there are some business drivers such as reputational damage and competitive advantage as well. In the EU and US, at least, the risk of not having an adequate information security and risk management program can be a death-toll for the business.

    Quote Originally Posted by docrice:
    ... always default to some degree of less-than-perfect compromise....
    That's an important trait that I would expect hiring managers to look for - it's not always about having the right solution or control to be applied to a security problem. It's about understanding the business context and having the judgement to apply appropriate risk response measures. Too often, I come across eager but very technically competent security professionals that want to deploy some control or remediate some security issue without understanding if it will actually reduce the threat.

    There is always a level of risk that a business is willing to accept. Otherwise, the activity should not be conducted. When interviewing, there will always be soft questions which are scenario based.

    Quote Originally Posted by docrice:
    ... And don't brag about certifications. We won't always give you the same level of credibility as you might hope.
    I couldn't agree more. I think in the company that I work at, we are probably 50/50 in terms of people with zero certifications that work in security.

  12. Senior Member
    Join Date
    Sep 2013
    Location
    Southern California
    Posts
    156

    Certifications
    CISSP-ISSEP, CRISC, MCSA
    #11
    This is good stuff. As someone who's been involved in interviews for 3 years I have two things to add.

    1. Read and reread the description of the job so that you can somewhat guess what type of questions you'll get based on the environment you're going into. Is it DoD DIACAP, SOX, GLB, NIST, etc.?

    2. When they ask you when security should be implemented (i.e. in the SDLC), always say: at the beginning. This doesn't mean it will be, but it will be a battle never won completely and continually fought.

  13. Junior Member GreenHornet
    Join Date
    Oct 2013
    Location
    Atlanta
    Posts
    25

    Certifications
    Expired CCNA, Expired CCNA-Security, ACE (Palo Alto), CEH
    #12
    I just ordered this book from Amazon. I've been trying to get hired into a security-type job role. It's been difficult for me since I don't have any experience working in a SOC environment, and I have some basic Linux skills. That's why I dedicated at least 2 months to researching specific job roles, focusing on their requirements, experience, required skills, description (job role), which cities were in demand for them, and salary. In 2014 I decided to focus on the Network Security Analyst job role.

  14. Senior Member White Wizard
    Join Date
    Sep 2013
    Location
    KY
    Posts
    173

    Certifications
    A+, S+, CCENT, CCNA
    #13
    WOW.

    Is this kind of questioning common for infosec jobs in an interview?

    Most of what you said I could answer solely off my Security+ knowledge.

    Was this a government position? Wondering if government infosec jobs have tougher interviews to weed out candidates.

  15. Senior Member YFZblu
    Join Date
    Nov 2011
    Posts
    1,423

    Certifications
    A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #14
    Not a government job - This was for a large financial firm.

  16. Netzwerksicherheit Master Of Puppets
    Join Date
    Jan 2013
    Location
    /dev/null
    Posts
    1,175

    Certifications
    CCNA R&S, CCNA Security, CCNP R&S, CCNP Security
    #15
    Again - in my experience showing them your skills with projects/work/whatever you have on the spot does the trick. This way there is no bullshitting and your true level becomes clear. That applies to the highly technical interviews.

  17. Senior Member geek4god
    Join Date
    Aug 2010
    Posts
    186

    Certifications
    CCENT Network+ Security+ MCDST Mitel 5000 Mitel MCD
    #16
    You mention coding/scripting a couple of times. I assume bash for Linux; do you see PowerShell being used from a security standpoint on the Windows side? Python seems to be the default language for security; would you agree with that, or do you / would you recommend another language? Is there a Linux distro that is more popular than others?

  18. Senior Member YFZblu
    Join Date
    Nov 2011
    Posts
    1,423

    Certifications
    A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #17
    Quote Originally Posted by geek4god:
    You mention coding/scripting a couple of times. I assume bash for Linux; do you see PowerShell being used from a security standpoint on the Windows side? Python seems to be the default language for security; would you agree with that, or do you / would you recommend another language? Is there a Linux distro that is more popular than others?
    My team doesn't use PowerShell, but I can see how it could be useful, especially if performing Incident Response on a large-scale Windows compromise. I learned Python for automating tasks, creating things, and understanding the basic logic of writing code. I learned JavaScript to help reverse engineer a lot of what we see in terms of exploit kits. But it doesn't have to be Python; Perl is a great language as well. Next up will be C, because I want to get closer to the hardware and shore up a lot of the weaknesses/dependencies I was left with by the high-level languages - and because eventually I would like to help perform some of our initial malware analysis. Reading assembly language is somewhere on the horizon I suppose, but that's not something I'm thinking about yet.

    In terms of Linux, we work on Ubuntu desktops and servers of varying *nix flavors. Start with the basics, which is all pretty generic. A year ago I started with the Linux+ material. I didn't get the cert though, I didn't feel it was necessary for me.
    Last edited by YFZblu; 01-14-2014 at 03:16 PM.

  19. 1337sauce
    Join Date
    Jul 2011
    Location
    Ze South
    Posts
    1,539

    Certifications
    BS, Linux+, Security+, LPIC-1, MCSE Server 2012, MCSE Desktop, MCSA Server 2008, MCTS 70-[415,681], MCTS 74-409, VCA-DCV, Novell CLA/DCTS/CNS, HDI CSR
    #18
    Quote Originally Posted by White Wizard:
    Most of what you said I could answer solely off my Security+ knowledge.
    I'm not sure what your background/experience is beyond S+ but it is a far cry from technical Security positions...I think it's most helpful for ports and general concepts but it won't take you as far as these interviews go.

  20. Stayed at a Holiday Inn.. the_Grinch
    Join Date
    May 2007
    Posts
    3,828

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA CMFF
    #19
    Port numbers and the services that run on them. Haven't had an information security interview that didn't ask me what port belonged to which service.


  22. Member LinuxNerd
    Join Date
    Jun 2014
    Posts
    83
    #21
    Great advice in this thread. Thanks to everybody who contributed. Another way of landing a good security gig is to code a decent program, publish some good white papers and develop relationships over time with different individuals in the security industry. If you know your stuff, you're in.

  23. Junior Member Registered Member
    Join Date
    May 2012
    Posts
    4
    #22
    Thanks guys, ordered that InfoSec Interview book from Amazon.

  24. Junior Member New2Network
    Join Date
    Feb 2015
    Location
    NC
    Posts
    8

    Certifications
    CCNA, Security +
    #23
    Thanks, I'll definitely be ordering this book and researching the information in the thread. I've got 5 months in a SOC and will keep on researching.

  25. Senior Member alias454
    Join Date
    Sep 2014
    Posts
    609

    Certifications
    BSIT, A+, eJPT, GSEC, VCP5-DCV
    #24
    Nice Post. What can an "L1" expect to make?

  26. Senior Member CIO
    Join Date
    Dec 2013
    Location
    Dallas, TX
    Posts
    141

    Certifications
    SSCP, CompTIA A+, CompTIA Security+
    #25
    Excellent post. Like yourself, I also placed programming and Linux on the back burner; now I'm playing catch-up in order to break into the security field.