http://danielrm26.disqus.com/dmiessler.com/about/enWed, 01 Apr 2009 07:14:06 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-7710810<p>that was a great help for me!<br>i remember once they asked me a very general Q, what is the difference between sym. and asym. cryptography ?<br>and why did you choose security to be your track ..</p><p>thank you :)<br></p>AliaWed, 01 Apr 2009 07:14:06 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353046<p>these questions sound very basic.... for jr security position.</p><p><br></p><p>what questions you would ask for pentester/sr sec analyst position?</p><p><br></p><p>thanks<br>Max</p>MaxThu, 06 Nov 2008 20:57:28 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353042<p>You say, "As weak as the CISSP is as a security certification..."</p><p><br></p><p>This cert seems to be der rigeur in the industry for any security position. Almost all the jobs I apply for say it is desirable, required, or you must get certified within 6 months of hire. Why do you have such a low opinion of it? And, if it's so weak, why do they all want you to have it?</p>JamesSat, 18 Oct 2008 23:13:11 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353044<p>Nice compilation of questions....!!</p>ashTue, 26 Aug 2008 10:04:16 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353041<p>Where are the answers to all the questions?</p>knightMon, 14 Jul 2008 01:23:05 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353033<p>Hmmm...</p><p>Interesting - I got the Compression vs. Encryption question in the terms of asking about how IPSec is handled once.</p><p>I used to get the home computer question.</p><p>But after I explain my home lab setup and some of the machines I keep around that run from Linux Appliances, Cobalt RAQ Appliances with CentOS and Solaris, or my Solaris Pizza Box that I installed Red Hat 6.0 on or just my run of the mill PC's with any various OS or some of my favorite tools.</p><p>Then we have the Cisco and other vendors gear. I stop after the eyes start to glaze, unless they want to know where I get my bogon lists from or where I find my latest 0-Day Exploits from and how I have acquired so many tools of the trade...</p><p>Hmmm...</p><p>Well, you know...</p><p>How are things going?</p><p>Did you ever decide to use Cisco Gear? Get your CCNA yet?</p><p>Are you in Orlando this week at SANS?</p><p>Later</p>Darby WeaverSat, 13 Jan 2007 05:13:41 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353039<p>Nice ones, Michael. For the crypto one I usually as them to describe exactly what happens when you send a message that's both signed and encrypted using PGP -- specifically relating to the cryptography. What I look for in the response is the not-so-well-known fact that the message is actually not encrypted with the other person's public key.</p><p>...wait for it...</p><p>Instead, the message is encrypted with a randomly generated SYMMETRIC key, and *that* key is encrypted using their public key. They then decrypt the symmetric key, and use that to read the encrypted message. Which directly illustrates the positives and negatives of both. You wouldn't want to use asymmetric cryptography to encrypt a very large message due to the time cost, so symmetric cryptography is used instead.</p>Daniel MiesslerTue, 09 Jan 2007 10:59:23 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353038<p>Here is a few we use:</p><p>Define non-repudiation and give a real world example.</p><p>What would you do with a Rainbow Table?</p><p>What is a downstream liability?</p><p>What is the difference between symmetric and asymmetric cryptography?</p>Michael S BlackTue, 09 Jan 2007 08:51:06 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353037<p>Wow. Some of these are good. When I came to the interview for my current job, my boss had about 15 sheets of questions that are standard. I cannot remember them all now, but I was so nervous. We ended up hiring a guy who was straight out of college and has no Linux experience (he had heard of it before). It is really hurting. We have had to teach about the world all over again. He really doesn't know that much about the deep parts of Windows.</p>PhilipMon, 08 Jan 2007 07:16:18 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353036<p>I think one could also argue for number 2 that encrypting before compressing would tend to reduce the possibility of known plaintext attacks. But, as you say, there's not any point in compressing data once it's been encrypted.</p>WonkMon, 08 Jan 2007 07:09:26 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353035<p>"Don’t forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge."</p><p>Well said.</p><p>My favorite interview bonus question is "how many fire alarm levers did we pass on the way here?"</p><p>I'd hire someone who got every technical question wrong but answered that one even in the ball park.</p><p>-Dave</p>DaveSun, 07 Jan 2007 22:10:47 -0000http://dmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview#comment-4353034<p>I was once asked which is stronger - RSA with a 8192 bit key or AES with 128 bit key</p><p>Don't forget that security is mostly an attitude, or actually a way of life, and only secondly knowledge.</p><p>-- Arik</p>arikbSun, 07 Jan 2007 20:18:20 -0000