Interview questions for, or to ask, infosec candidates
/Interviews for a security engineer or SOC analyst position can be stressful as quite a few will include in-depth technical questions. If you aren’t able to commit a lot of various technical information to memory or are new to the field, it is quite easy to become stressed out since you have no idea what questions will be asked. I’ve helped quite a few people prepare for infosec interviews and I wanted to make a post to help others prepare as well. I will provide a large number of questions an infosec professional may be asked, but fair warning...I’m not going to provide the answers to the questions. The main reason I’m not including the answers is researching to find the answers will provide you with a great learning opportunity. I’ve learned quite a bit by writing down all the questions I was asked during an interview after it was over then researching to see what the answer should have been. I can attest that this really is a great way to learn different topics in the infosec field. This post will also provide questions infosec professionals and hiring managers can use when interviewing candidates. The questions will vary for a variety of different roles, so an interviewer or interviewee would need to pick and choose the appropriate questions based on the role/job duties. The list contains a mixture of technical questions as well as personality type questions.
Note: If you are an interviewer looking for questions to ask candidates, you can skip the next 2 paragraphs and start at the list of sources or the statement of where the questions begin.
One thing to keep in mind when you are being asked technical questions in an interview, don’t panic. Most interviewers, at least that I know, do not expect a candidate, regardless of what level they are interviewing for, to know all of the answers they are being asked. Now of course that depends. Some people do expect people to know certain answers for the position they are interviewing for or if the interviewer is asking very easy questions they may expect a candidate to know all of those. However, a lot of interviewers will ask easy questions, then ask harder questions to see how deep a candidate’s experience level and knowledge go. At that point, they are just gauging to see how much training/assistance you may need to be successful. If you are a great fit for their team personality wise and have demonstrated you are willing and able to learn, they are mainly gauging how much training you will need. For example, I’ve been on interviews where they ask you to “go through a problem” where they keep moving the finish line to see how deep your experience and knowledge goes. They may give you a scenario stating a server isn’t sending log files to a SIEM and ask you what would you check. You may start out by saying make sure the server can connect to the SIEM through the firewall. They will answer it can connect, so that isn’t the problem. You may then provide another answer, to which they once again say that isn’t it. You provide yet another possibility, to which they once again say that isn’t the answer. All of your options may be valid problems/solutions, but they are moving the finish line to see just how much experience you have with these types of issues. Hopefully that makes sense.
Another thing to remember is Infosec is a BIG field, so it is almost impossible to know every aspect of every position...especially if you are new to the field. So if you don’t know something, don’t fret. Others may miss the same question or they may miss a question you were able to answer. I always tell people, just be yourself and be honest. If you don’t know something, just say you don’t know but will look it up or can learn it. Most interviewers I know would rather have someone say I don’t know something rather than guess and state it as fact. So all of that to say, don’t get upset or flustered if you aren’t able to answer something during an interview. When you leave the interview write the question(s) down and research to see what the answer would have been. That way, you will be able to answer it the next time you are asked.
If you want to see other tips for interviewing, read my post on “What not to do in a job interview.”
The questions in the list below have come from a variety of sources to include:
Actual interview questions I’ve been asked myself in interviews
Questions we have asked candidates we have interviewed at the various companies I’ve worked for
Other infosec professionals I network with
Blog posts I’ve read over the years
>List of questions begin here<
Questions every interviewee must be able to concisely relay for every interview
What do you do in your current role? or what is a typical day/week like in your current role?
What makes you right for this role? (focus on your experiences and strengths in relation to the duties of the role you are interviewing for)
(A similar question to above) What can you offer that no one else could? (again focus on your strengths and experiences in relation to the duties of the role you are interviewing for)
What do you like or dislike about your current role?
Why are you looking to make a move from your current role/company?
Tell me about your biggest mistake and what you learned from it.
Where do you see yourself in 5 or 10 years?
Where do you see your career going or where do you want to see your career going?
What gives you purpose or what is your sense of purpose? (try to keep your answer related to the position, company you are interviewing, the security field or your career experience)
Organizations often go through a lot of changes. How do you deal with big changes within an organization?
Questions to determine a candidate’s passion and ability to learn on their own
How do you stay up on current security news? or How do you get your security news? or What sources do you follow to keep current with the latest infosec news, trends, tools, etc.?
Who do you look up to in the security field?
What does your home network look like?
Do you do any career related study or training at home? If so, what sort of environment do you have for personal development?
If the company purchased a new product or software you have never had experience with and you were tasked to run the project to deploy it, how would you handle that assuming the company couldn’t afford to send you to training for it?
What would you do first after learning a new tool or piece of software was being purchased for your team to install/use?
Personality/job experience questions
What personal achievement are you most proud of?
What professional achievement are you most proud of?
What project have you managed that you are most proud of?
Describe a time you overcame a hard situation or difficult project?
Describe a time when you failed to overcome a hard situation or a project didn’t go as planned?
What motivates you to come to work every day or what motivates you to do your best while at work?
What are the 2 or 3 things you disliked most about your past 2 positions and/or companies?
Do you have any project lead or project management experience? If so, explain.
Illustrate a time you had to troubleshoot something difficult and how you resolved it?
If I asked your current manager or team members what your best attributes or strengths are, what would they say?
If I asked your current manager or team member what your biggest weakness was, what would they say?
How do you handle difficult team members?
Describe a time you disagreed with your manager and what you did to overcome it? or Have you ever had difficulty working with a manager?
How do you handle stress and/or pressure?
How do you handle difficult or irate customers?
Let’s say you pitched an idea to senior management and they shrugged you off saying it wasn’t important, what would you do next?
Give me an example of a time you were a self-starter.
Tell me about one of your most challenging projects and what you did to make it successful.
Tell me how you saved a project from being a failure.
Provide an example of how you are team oriented, inclusive, or team focused.
Describe a time you made a mistake and what you learned from it?
How do you juggle multiple tasks with different priorities?
How do you handle shifting priorities?
Various thought provoking/opinion questions (no real answers, just ways to see how someone thinks)
If you were to join a cyber security super team, what part would you play or what would you be the subject matter expert in? (i.e. vulnerability management, endpoint protection, border protection, governance, security awareness training, etc.)
Name at least 2 security controls you think are necessary for an organization.
What is more important in your opinion, threats or vulnerabilities?
What is your favorite open source project?
What security tool have you used or heard of that you think we may not have heard of?
If you had to create your own malware, what/who would you target, how would you target them, what vulnerabilities would you exploit, etc.. Be as evil as you want, this is only hypothetical.
Do you think iPhone or Android is more secure and why?
What do you think is better or more secure, open source or closed source software?
What do you think is the biggest benefit and downside to open source software?
What do you think is the biggest benefit and downside to closed source software?
Name something in the security field, such as a process, piece of software, or tool, you have heard of, have never used or have very little experience with, but would like to learn more about.
What is the weakest link in security or security a network/company?
What do you think is the biggest or most common attack surface for organizations?
What is your favorite programming language?
What got you interested in a career in infosec?
What are your career aspirations? or What are your ambitions for your career?
Can you tell me about any recent vulnerabilities you found interesting and why?
List some factors in software or hardware that can cause vulnerabilities?
What do you like least and most about the industry?
Business operations questions
If the service desk said the CEO needed to access a site that is normally blocked, say Dropbox, for business purposes what would you do?
If the service desk said someone in HR wasn’t able to access a site that is normally blocked, say Dropbox, for business reasons, what would you do?
If you heard on the news, social media, from a friend, etc. that a malware outbreak was spreading (i.e. WannaCry), what would you do in relation to the organization/business?
Let’s say the infrastructure manager asked you to look in the firewall to determine if one of their workers were watching videos a lot or doing non-work related activities, what would you do?
Do you think the change management process is helpful or a hindrance and why?
Do you think security should be able to bypass the change management process? (If so in why and in what instances?) (If not, why?)
If there was an issue with the firewall, IPS, etc. and no one else in security was around to assist, how would you handle that or what would you do first?
Incident response questions/scenarios
What are some indicators of compromise?
If you get an alert from the MSSP or SIEM regarding a server being probed about a vulnerability (say for SMB), how would you handle that?
If you see an alert in the SIEM or firewall you have never seen before and everyone else in security is out of the office, what would you do or how would you handle that?
A user has received an email from a colleague asking for help with a task, but when they mentioned the email to the sender in person, the sender said they never sent the email...how would you analyze the email to determine if it is legitimate (there was no link to click on or attachment)?
A user forwarded you an email with a strange attachment...what would you do?
A member of the service desk said a user sent them an email with a strange attachment which they opened, what would you do?
A user forwarded you an email and said they clicked on the link in the email which appeared to be suspicious, what would you do?
How would you analyze a hash value to see if it was malicious or safe?
How would you analyze an IP address to see if it was malicious or safe?
How would you analyze a URL to see if it was malicious or safe?
What is the difference between static and dynamic analysis? Can you name a tool for each type?
There is a known malicious phishing campaign underway against your company (say a credential harvesting email), how would you mitigate/handle the threat?
What tools could you use to determine if a Microsoft Office file was malicious?
What tools could you use to determine if a pdf file contained macros?
A user fell victim to a credential harvesting email, what would you advise them to do?
An endpoint has been flagged as being potentially infected, how would you handle this?
What tools can you use to determine what processes are running on a system?
Various technical questions
Name some well-known ports?
What are some ways you would harden/secure a mobile device?
What is the difference between a threat, vulnerability and risk?
What is the difference between a vulnerability and an exploit?
A vulnerability is discovered and known to the public. How would you go about verifying if the vulnerability exists within your environment?
What are some of the biggest warning signs of a phishing email?
What is a hash value?
What is a salted hash and why are they used?
How did WannaCry or NotPetya spread?
What is the difference between WannaCry and NotPetya?
What is the difference between symmetric and asymmetric cryptography?
Name 1 asymmetric cryptography implementation.
What is the difference between MD5 and Base64?
Explain Diffie-Hellman
What is the difference between authentication and authorization?
Name 3 types of authentication? or what are 3 ways to authenticate a person?
Name 2 or more web application vulnerabilities.
Explain how cross site scripting works? How could you combat this?
Explain how cross-site request forgery works? How could you combat this?
Describe a SQL injection.
Can you explain the difference between encoding, hashing and encryption?
What is AES? Why is AES 256 better than AES 128?
How does PKI work?
What does a Certificate Authority (CA) do?
What is the role of a Registration Authority?
How would you describe a man-in-the-middle attack?
Can you name a piece of security/networking equipment that can act as a man-in-the-middle and why/how?
If you had to encrypt and compress data before transmission, which would you do first and why?
How would you unobfuscate something? or If something was obfuscated, how would you reverse it?
How can you obfuscate something?
Can you name some HTTP codes?
How does a buffer overflow attack work?
Networking questions
What is the difference between a filtered port and a closed port?
Does TLS use symmetric or asymmetric encryption?
What port does telnet work on? (hint, this is a trick question and it isn’t just port 23)
What port does ping work on?
What is the difference between ping and traceroute?
How does traceroute work and why would it be used?
When you type a website into your browser, what happens?
If you attempt to reach a certain website and are unable to, what could be the problem or what would you troubleshoot first?
How would a domain bet translated into a routable public IP address?
What is DNS and how does it work?
Why is monitoring DNS important?
Can you explain the difference between public and private IP address ranges? (this is one everyone should definitely study and be familiar with)
If a popular website/company was blocking the IP address for your organization, what IP address would you give them and how would you determine what that IP address is?
What is a MAC address and how is it used in network communications?
How many bits are in a MAC address?
What OSI layer does a MAC address operate/function at?
What OSI layer does an IP operate/function at?
When a packet travels through a network, what changes per hop? (hint, the IP or MAC address)
Can you explain the purpose of ARP?
Can you explain the purpose or common use of NAT?
At a high level, how would you describe the differences between TCP and UDP?
What is the TCP 3-way handshake?
What is the purpose of a router in a network?
What is a common use case for a switch in a network?
Can you describe a common solution for isolating hosts and other systems on a network?
How does VPN work?
What are some of the common methods of reducing the likelihood of DoS attacks?
How does a syn flood attack work?
What does a subnet mask dictate?
How would you troubleshoot a network connectivity issue?
If you are trying to determine if a server is up and ping is blocked, what is another way to test to see if the server is up or if the port in question is open?
Firewall specific questions
If you had to create a rule in the firewall to allow someone, especially someone in upper management, to access a website that is normally not permitted, say DropBox, for business purposes, what type of rule would you create and how would you manage that access?
(Another way to ask the question above) Let’s say your manager, HR, Legal, compliance, etc. gave you permission to let the CEO have access to a blocked site, what would you do in the firewall to allow that access?
Have you managed a firewall before? If so, which brands? What is your favorite brand and why?
Can you talk a little about SSL decryption? What is it and why is it important to implement?
What is the difference between a stateful and stateless firewall?
System administration/coding questions
What is grep?
What are regular expressions?
If you had a file with 2000 lines and wanted to get a name out of that list, what would you do? What regular expressions or code would you use?
How would you cut 1000 lines of code into five 200 line files?
What is the difference between /etc/passwd and /etc/shadow?
Where would you find the log of authenticated SSH users on Linux?
How would you identify which port a particular service is listening locally on Linux or Windows?
Can you name some common services often found on a Linux server? How could you exploit these services?
Can you name some common services often found on a Windows server? How could you exploit these services?
Could you list some common tools used for enumerating or attacking a Windows environment?
Could you list some common tools used for enumerating or attacking a Linux environment?
If a Linux server was running a service only listening on its localhost, how could you access that service from a remote computer?
Where are hashed passwords for Linux user account commonly stored on the operating system?
Where are windows local user account hashes common stored?
VI or emacs?
What are the first 3 steps when securing/hardening a server?
How would you log in to Active Directory from a Linux or Max workstation?
What are some commands you could use to determine disk usage on a Linux/Unix machine?
What information is stored in an inode?
What is the difference between paging and swapping?
Management questions
How do you motivate employees?
How do you handle unmotivated employees?
What would you attempt to accomplish in the first 30, 60, and 90 days?
Long/extensive/complex questions
If you are familiar with the CIA triangle/triad, could you give us a basic description of each factor, a common attack that could be used to compromise each as well as one safeguard/mitigation for each.
Name all layers of the OSI model, then name 1 vulnerability and 1 safeguard/mitigation for each layer.
Describe the OSI model, then explain what happens at each layer when you attempt to go to a website. Also, what happens at each layer in regards to a secure website.
Questions to ease tension and conclude interview / Can be used to get a feel for someone’s personality
What is your favorite TV show or movie of all time and why is it your favorite?
What is your favorite character of all time (could be from a movie, book, TV show, video game, etc.) and why?
What are your hobbies outside of information security?
If you could only go to 1 restaurant the rest of your life, what would it be?
If you could only eat 1 type of food the rest of your life, what would it be?
If you could only use 1 seasoning the rest of your life to put on food, what would it be?
If the zombie apocalypse broke out, what 3 items would you take with you?
In closing, although this is a long list of questions, there are still plenty more questions that could be asked during infosec interviews. Remember to jot down as many as you can remember once an interview is over so you can do some research and learn more about the topic you missed. That way you will know how to answer that question in the future or it could be something you can use when studying for a certification.