This article throws light on how the interviewers select a candidate by listing some common network security interview questions.
Network Security Interview
While I am presenting some common network security interview questions here, I also stress that interviewers look at how you answer a question rather than what you answer. The most important thing while attending a network security interview is NOT to panic at any question. The interviewers look for the ability to tackle security issues. They judge this by presenting tricky questions that involve thinking. Let us see some such common network security interview questions.
1. How do you keep yourself updated on network security -or- Where do you get updates on security?
This type of question is meant to gauge the candidate's interest in keeping abreast of the field of network security. If the candidate puts up a blank face, it is time to call the next candidate. One can specify “news alerts” or any website(s) s/he checks out for the latest information about security.
2. If you need to encrypt and compress data for transmission, how would you achieve it?
The candidate may start explaining what data encryption is, how s/he would encrypt the data and then compress it for transmission. However, the actual answer would be to explain how to compress and then talk about encryption. Encrypting compressed data often leads to loss of data.
3. What factors would you consider before deploying a web intrusion detection system?
This is an open question: the interviewer is trying to assess the candidate's knowledge of the different fields associated with web intrusion. These include: SSL; HTTP protocol; logging; alert mechanism; and signature update policies.
4. What is Cross site scripting?
Though the answer is straightforward, most candidates are unaware of the term. One of the most important security issues, cross site scripting refers to phishing attempts by a website that employs JavaScript that leads to deploying malware without the knowledge of the user.
5. How does HTTP handle state?
6. In the context of public key encryption, if you are using both signature and encryption features, what key will you use for encryption and which one will you use for signing?
The answer is simple. One would always sign using their key so the public key is used for encryption. Most of the candidates tend to name the public key for both signing and encryption. They miss the point that public key encryption also includes a private key.
7. What type of network do you use at home?
Again, this question is employed to assess the skills and networking background of candidates. “I don’t have a network at home but I have handled networks at so and so places” is better than saying “sorry, I don’t have a network at home”. The latter would send out a signal that the candidate never had exposure to networks.
8. What is Cross Site Request Forgery and how to defend against it?
The question can also be in two parts, in which case, candidates without knowledge of CSRF would get lost. If asked combined, candidates can guess that cross site request forgery is something that relates to malicious scripting with phishing intentions. The question may also be framed as “what is cross site request”. In this case, candidates cannot even guess that it is something malicious as the word ‘forgery’ is not there.
9. Name the port used by PING.
Always remember that PING does not use any port. As PING is based upon a layer 3 protocol, it never uses any computer port. A simple variation of the question could be: Does PING use UDP? Or does PING use TCP? Again, remember that UDP and TCP are layer 4 protocols and PING has nothing to do with them.
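As an added illustration of the answer to question 9 (this code is not part of the original article): PING rides on ICMP, and the sketch below builds an ICMP echo request and decodes it next to a UDP header, showing that ICMP carries a type, code, identifier and sequence number but no port fields. The packet bytes and the function names are constructed for this example.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP echo header and verify its checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # A valid packet sums to zero when the checksum field is included.
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(packet) == 0,
            "payload": packet[8:]}

def parse_udp(segment: bytes) -> dict:
    """Decode a UDP header for contrast: it begins with two port numbers."""
    if len(segment) < 8:
        raise ValueError("UDP header is 8 bytes")
    sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": sport, "dst_port": dport, "length": length}

# Constructed sample data (not captured traffic).
SAMPLE_PING = build_echo_request(ident=0x1234, seq=1, payload=b"abcdefgh")
SAMPLE_UDP = struct.pack("!HHHH", 40000, 53, 8, 0)

if __name__ == "__main__":
    print(parse_icmp(SAMPLE_PING))  # no port keys anywhere in the header
    print(parse_udp(SAMPLE_UDP))    # ports are the first two fields
```

This is also why packet filters match ping traffic by ICMP type and code rather than by port number.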
10. Security Life Cycle.
It can be phrased in many ways: what comes first – vulnerability or threat? How do you design a system with some options given? The candidate needs to answer these questions using his/her own experience and opinions. The objective is to see how well the candidate can explain what you asked.
These are just some of the network security interview questions, meant to give you an idea of how a security interview goes. If you wish to share your experience or add anything, please feel free to do so using the comments box.