Computer security Interview Preparation Guide

Computer security is a branch of computer technology known as information security as applied to computers and networks. Its objective includes protecting information and property from theft and corruption. This guide of Computer security interview questions and answers covers Computing Security, Information Security, NT security, Web Security and Network Security.

89 Computer security Questions and Answers:

Computer security Interview Questions and Answers

1 :: What is a Firewall?

A Firewall is software that blocks unauthorized users from connecting to your computer. All computers at Bank Street are protected by a firewall which is monitored and updated by CIS.

2 :: What is Spyware?

Spyware is software that is installed without your knowledge. The purpose of Spyware is to monitor your computing activities and report this data back to companies for marketing purposes. Besides being an invasion of privacy, this software can cause serious performance issues.

3 :: How can I avoid computer viruses?

Most viruses travel through email or internet downloads. Never open attachments from unknown senders and be very cautious when downloading software from internet sources.

4 :: What is computer impersonation?

Impersonation is the ability of a thread to execute in a security context other than that of the process that owns the thread. This enables a server to act on behalf of a client to access its own objects.

5 :: What are privileges (user rights)?

A privilege is used to control access to a service or object more strictly than is normal with discretionary access control.

6 :: What does this (X) IDS signature mean?

Pull some random URL from a log, or show them an actual Snort signature, to see if they really understand what the IDS is showing them (if they are going to be a packet head as part of their job). Most good IDS folks will be able to answer this one. My favorite example is one that everyone has seen for years now, Code Red:

GET /default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%
u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

Or my other favorite one is NetBIOS: unless you see a lot of WinNuke, anyone running a NetBIOS IDS signature on their network is looking at a mushroom cloud of activity, because Windows works that way. This is a good leading question about when this signature would be used and where it would be used, and it can give the interviewer a lot of good information on how the person thinks about IDS and what the IDS is showing them. The leading part is that many Windows vulnerabilities, like MS06-040, should be monitored by a NetBIOS rule, and the trick is getting the interviewee to the point where they are actually thinking about the ramifications and architecture of the rule. As an interview question this one cannot be beat, but the interviewer must understand enough about how it works to keep the conversation going; otherwise the interviewer is going to get stuck really quickly if the interviewee knows what they are talking about.

8 :: What makes a strong password?

Strong passwords are longer than six characters and contain letters, numbers and even capital letters. Of course a password is useless if you forget it, but remember that using your birth date or name makes you an easy target for hackers.

9 :: How can I avoid Spyware?

Most Spyware comes from free internet downloads such as screensavers and Peer-to-Peer programs (Kazaa, LimeWire, etc). The only way to avoid Spyware is to not install any of these malicious programs.

10 :: How can I protect my home computer?

The best way to protect your personal computer is to install Anti-Virus and Firewall software. CIS does not support home computers; however, below are some helpful links to information about safeguarding your computer at home.

11 :: I have been hearing a lot about firewalls, but I am not sure what it is or if I need it. Can you help?

A firewall is basically a software program that allows you full access to the Internet and/or your network, while restricting access to your computer system from outside intrusions.

Internet users are extremely vulnerable to hackers, especially if you have cable or ADSL access to the Internet. You definitely need to protect your computer system.

Once you install a firewall, you'll be amazed at how many attempts to access your computer are blocked by your firewall.

Hackers can directly access your computer system by installing programs such as a key logger that can read every keystroke you make. This information is recorded and sent back to the hacker. Private information such as passwords and credit card numbers can easily be stolen.

A key logger is a small software program that quietly runs in the background. As these programs quite often run in DOS, you will most likely never realize it's running. However, you can see if a key logger is running by pressing 'control' - 'alt' - 'delete' on your keyboard. This will launch a window that contains a list of all the programs currently running on your system. Review the list and watch for programs you don't recognize.

If you really want to keep your computer safe, I recommend the following:
1) Purchase a good virus program and keep it updated
2) Purchase a good firewall program and keep it updated
3) Purchase a program like Pest Patrol and keep it updated

12 :: SEM/SIM Security information management questions

If the company has a security information management system and the interviewee is already familiar with the technology, ask them how they would build a regex (regular expression) to filter JavaScript out of HTML for sites that use a lot of JavaScript. The reason for asking is that even if they cannot answer directly, someone who knows where to look, or is comfortable with regular expressions, can write a script in their language of choice to filter data out of very long logs or other systems. This is a great open-door question for asking the interviewee which scripting language they like and how they would use it, and for follow-on conversations about scripting. The answer to the question is "/<(\W*)(SCRIPT|OBJECT|PARAM|EMBED|I?FRAME)([^>]*)>/js"
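
An added example (not part of the original guide) that runs the expression above over constructed log records in Python. It assumes the `W*` in the published answer was `\W*` and that matching is case-insensitive; the record layout, host names and function names are invented for the illustration.

```python
import re
from collections import Counter

# The guide's pattern, assuming the published "W*" was "\W*" and that the
# match is case-insensitive. Group 1 is any non-word prefix (the "/" of a
# closing tag), group 2 the tag name, group 3 the attribute text.
ACTIVE_TAG = re.compile(
    r"<(\W*)(SCRIPT|OBJECT|PARAM|EMBED|I?FRAME)([^>]*)>", re.IGNORECASE
)

# Constructed records in an invented "<source> <HTML fragment>" layout.
SAMPLE_LOG = [
    "proxy01 <p>hello</p>",
    'proxy01 <script src="/static/app.js"></script>',
    'proxy02 <IFRAME width=0 height=0 src="//ads.example/x"></IFRAME>',
    'proxy02 <object data="movie.swf"><param name="q" value="1"></object>',
    'proxy03 <img src=x onerror="f()">',
    'proxy03 <frameset><frame src="menu.html"></frameset>',
]


def find_active_tags(fragment):
    """Return (tag, is_closing, attributes) for every match in fragment."""
    hits = []
    for m in ACTIVE_TAG.finditer(fragment):
        prefix, tag, attrs = m.groups()
        hits.append((tag.lower(), "/" in prefix, attrs.strip()))
    return hits


def strip_active_tags(fragment):
    """Delete the matched tags only; text between them is left in place."""
    return ACTIVE_TAG.sub("", fragment)


def summarize(records):
    """Count opening active-content tags per (source, tag)."""
    counts = Counter()
    for record in records:
        source, _, fragment = record.partition(" ")
        for tag, is_closing, _ in find_active_tags(fragment):
            if not is_closing:
                counts[(source, tag)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```

The pattern matches tags only, so the `img` record with an inline event handler is not flagged, and `<frameset>` is reported as `frame` because nothing in the pattern ends the tag name at a word boundary.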

13 :: Use the output from any network security scanner, whichever network security scanner is used by the interviewer

Use the output from whichever network security scanner the interviewer uses and ask the interviewee to interpret the results. What does the scanner output say, how would they use the information, and how would they break the information down for the system administrators? This lets the interviewer determine how well the interviewee can interpret and voice back the results of a security scan, and how well they can communicate. The interviewer should already have worked with the scanner and its output, and should be able to work with the interviewee to determine the finer points of the data presented.

14 :: Where do I get patches, or, what is a Service Pack or a Hot Fix?

Microsoft has an on-line database, called the software library, with program fixes for both the NT operating system and applications. In Microsoft lingo a patch or program fix is called a service pack (SP). There are a number of service packs out, both for different versions of Windows NT and for applications such as SNA Server.

Service packs are cumulative. This means that SP2 contains all of SP1 as well as the fixes introduced in SP2. Service packs often update a great amount of code by replacing major DLLs. Since most large applications (such as back office and development components) bring their own versions of "system" DLLs, service packs have to be applied after each and every "system update", where the term "system update" is not clearly defined. Any action that replaces any component updated by a service pack or hotfix has to be followed by applying the latest SP and all hotfixes. Remember that adding hardware often installs new software, which may have to be updated by an SP and/or hotfix.

Hot fixes are intermediate fixes released between service packs. They are not considered fully regression tested, and as such Microsoft does not recommend applying them unless one really needs the feature they provide. Lately, a bunch of security problems have been solved by means of releasing hot fixes.

Another thing on the subject is language or locale. If you are running a non-US version of NT, you will not be able to apply all of the hotfixes. Some of them are not language dependent, while others refuse to install on anything but a US version. If you have the option to do so, run the US version of NT at least on your servers. By doing so, you will have the option of installing a hot fix dealing with a security problem immediately when it's released, rather than having to wait for the next SP to appear. Not to mention that you'd have to wait for the next SP to be ported to your language, which of course may take a while, the time depending on what language you are using.

If you cannot, or do not want to, download software like this from the net, you can contact your local Microsoft representative and ask them about the service pack you need.

Visit Microsoft's library of service packs or go directly to their FTP server.

15 :: What is a SID (Security ID)?

SID stands for Security Identifier and is an internal value used to uniquely identify a user or a group.

A SID contains:
* User and group security descriptors
* 48-bit ID authority
* Revision level
* Variable subauthority values
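
An added example (not from the original guide) that decodes the binary SID layout into the familiar `S-1-...` string, showing where the revision level, the 48-bit ID authority and the variable subauthority values sit. The function names and the account SID are invented for the illustration; the byte string is hand-constructed.

```python
import struct


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into its S-<revision>-<authority>-<sub>... form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported revision level {revision}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match the subauthority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit ID authority
    subs = struct.unpack(f"<{sub_count}I", raw[8:])   # 32-bit little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def encode_sid(text: str) -> bytes:
    """Inverse of parse_sid, used here to build the constructed samples."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority, *subs = (int(p) for p in parts[1:])
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def split_rid(text: str):
    """Split an account SID into (issuing domain or machine SID, relative ID)."""
    prefix, _, rid = text.rpartition("-")
    return prefix, int(rid)


# Constructed samples: a hand-written byte string and an invented account SID.
BUILTIN_ADMINS = bytes.fromhex("01020000000000052000000020020000")
ACCOUNT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

if __name__ == "__main__":
    print(parse_sid(BUILTIN_ADMINS))
    print(split_rid(parse_sid(encode_sid(ACCOUNT_SID))))
```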

16 :: What is an ACE (Access Control Entry)?

Access-Control Entries (ACEs) are used to build Access-Control Lists (ACLs).

Each ACE contains the following information:
* A SID, that identifies the trustee. A trustee can be a user account, group account, or a logon account for a program such as a Windows NT service.
* An access mask specifying access rights controlled by the ACE.
* Flags that indicate the type of ACE and flags that determine whether other objects or containers can inherit the ACE from the primary object to which the ACL is attached.

17 :: What is SRM (Security Reference Monitor)?

The Security Reference Monitor is the kernel mode component that does the actual access validation, as well as audit generation.

18 :: What is SAM (Security Account Manager)?

SAM stands for Security Account Manager and is the one who maintains the security database, stored in the registry under HKLM\SAM. It serves the Local Security Authority (LSA) with SIDs. The SAM maintains the user account database.

19 :: What is an access token?

Each process has an associated access token which is used by the system to verify whether the process should be granted access to a particular object or not. The access token consists of a user SID, a list of group SIDs representing the groups the user belongs to, and a list of user rights (privileges) the user is blessed with.
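
An added example (not from the original guide) modelling how a reference monitor checks an access token against an ordered list of ACEs, tying together the ACE, SRM and access token answers above. It is a simplified model: the mask bits, class names and SIDs are invented, and privileges and inheritance flags are left out.

```python
from dataclasses import dataclass

# Simplified access-mask bits, assumed for this example only.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the entry applies to
    mask: int   # access rights controlled by the entry


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: tuple


def access_check(token: Token, acl: list, desired: int) -> bool:
    """Evaluate ACEs in list order against the SIDs carried in the token."""
    sids = {token.user_sid, *token.group_sids}
    remaining = desired
    for ace in acl:
        if ace.sid not in sids:
            continue                      # entry names some other trustee
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a requested right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask        # these rights are now granted
            if remaining == 0:
                return True
    return False                          # anything not granted is refused


# Constructed SIDs and ACL: staff may read and write, contractors may not write.
STAFF, CONTRACTORS = "S-1-5-21-1-2-3-1100", "S-1-5-21-1-2-3-1200"
ALICE = Token("S-1-5-21-1-2-3-1001", (STAFF,))
BOB = Token("S-1-5-21-1-2-3-1002", (STAFF, CONTRACTORS))
ACL = [Ace("deny", CONTRACTORS, WRITE), Ace("allow", STAFF, READ | WRITE)]

if __name__ == "__main__":
    print(access_check(ALICE, ACL, READ | WRITE))   # staff only
    print(access_check(BOB, ACL, WRITE))            # deny entry is hit first
    print(access_check(BOB, ACL[::-1], WRITE))      # allow entry is hit first
```

Reversing the list changes the result for the same token, which is why deny entries are normally placed ahead of allow entries in an ACL.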

20 :: Are there any NT based viruses, or can NT be susceptible for other viruses?

Some types of viruses, such as those written in a high-level language such as Java, MS Word scripting language, Excel macros, etc., will be able to perform some tricks on an NT machine as well.

According to Dr Solomon, the MS Word based Concept virus spread widely in part because several companies, including Microsoft, have shipped CD-ROMs containing the virus.

Windows NT machines can be affected by other types of viruses if you use, for example, dual boot to run some other type of operating system on the same hardware, e.g. OS/2, UNIX or another version of Windows. When using a coexisting, bootable operating system, if you have a virus in effect that destroys the boot sector or something like that, your NT partition will probably be destroyed as well.

21 :: Are there any known problems with the screen saver / screen lock program?

Yes. In versions 3.5 and 3.51, if the administrator decides to kick a user off, then the admin has a small time window to see the content of the user's current screen and desktop.

22 :: Can my page file hold sensitive data?

It can. Memory pages are swapped or paged to disk when an application needs physical memory. Even though the page file (see Control Panel->System->Performance->Virtual Memory) is not accessible while the system is running, it can be accessed by, for example, booting another OS.

There is a registry key that can be created so that the memory manager clears the page file when the system goes down:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown: 1

Note that the clearing of the page file is only done when the system is brought down in a controlled fashion. If the machine is just switched off or brought down in any other brute way, of course no clearing will be performed.

23 :: Administrator account

Microsoft recommends that you change the name of the administrator account so that outsiders cannot guess the name.

This is of course just one of the things you can do. But unlike what some Microsoft employees believe, security does not stop there. Just changing the name of the administrator account is trying to protect yourself with the lowest level of security there is: security by obscurity.

It is possible to obtain the new name of the administrator by using the command
nbtstat -A <ip-address>
when the administrator is logged in on the console.

24 :: Is it possible to use packet filters on an NT machine?

NT 4 comes with built-in support for packet filtering. It is a simple but still usable filtering function that the administrator can configure to just let some IP packets reach the actual applications running on the system.

You can find the configuration panel for the filtering function under "Control Panel->Network->TCP/IP->Services->Advanced->Security".

Be aware that this simple filtering mechanism is not a substitute for a real firewall since it cannot do advanced stuff like protection against ip-spoofing, etc.

25 :: What is Authenticode?

Authenticode is a way to assure users that code they download from the net has not been tampered with, and it gives the code an etched-in ID of the software publisher. Microsoft is pushing this as a new way of getting better security into software distribution over the net.