Information Security Officer Interview Preparation Guide

Frequently asked Information Security Officer questions from Information Security Professional job interviews. The set of questions here helps you give a strong answer to whatever is posed to you, so prepare for your new job hunt.

95 Information Security Professional Questions and Answers:

1 :: Do you know what is the 80/20 rule of networking?

80/20 is a rule of thumb used for describing IP networks, in which 80% of all traffic should remain local while 20% is routed towards a remote network.

2 :: What is security Essentials (GSEC)?

It declares that the candidate is an expert in handling basic security issues; it is the basic certification in security.

3 :: Explain me what’s more secure, SSL or HTTPS?

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they’re confused, then this should be for an extremely junior position.

5 :: Tell me what port does ping work over?

A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.

7 :: Do you know what’s the difference between HTTP and HTML?

Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you’re looking for is for him not to panic.

8 :: Explain what is the primary reason most companies haven’t fixed their vulnerabilities?

This is a bit of a pet question for me, and I look for people to realize that companies don’t actually care as much about security as they claim to–otherwise we’d have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.

Look for people who get this, and are ok with the challenge.

9 :: Tell us what project that you have built are you most proud of?

For some people, this would be the first computer they ever built, or the first time they modified a game console, or the first program they wrote; the list can go on and on. In my case, that would be a project for work that I was working on for years. It started out as an Excel spreadsheet that the Engineering department was using to keep track of their AutoCAD drawings, and ended up evolving through a couple hundred static HTML pages, an Access database and frontend, and finally to a full-on web application running in MySQL and PHP. This simple little thing ended up becoming an entire website with dedicated Engineering, Sales and Quality web apps used by the company globally, which just goes to show you never know where something might lead.

10 :: Do you know what is XSS?

Cross-site scripting, the nightmare of JavaScript. Because JavaScript runs in the client's browser rather than everything running on the server side, it causes headaches for a programmer if variables can be changed directly on the client’s webpage. There are a number of ways to protect against this, the easiest of which is input validation.
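As an added illustration (not part of the original guide), here is the reflected-XSS pattern beside its hardened form, together with the input-validation control the answer names; the page template and the probe string are constructed for the demo:

```python
import html
import re

# Constructed sample: a search page that echoes the user's query back into HTML.
PAGE_TEMPLATE = "<p>Results for: {query}</p>"

# Vulnerable version, kept for comparison: the query is interpolated verbatim,
# so any markup the user supplies becomes part of the page the browser parses.
def render_vulnerable(query: str) -> str:
    return PAGE_TEMPLATE.format(query=query)

# Hardened version: output-encode for an HTML text context so that '<', '>',
# '&' and quotes are rendered as literal characters instead of markup.
def render_safe(query: str) -> str:
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))

# Input validation (the control the answer above recommends): accept only values
# that match an explicit allowlist pattern and reject everything else outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

def contains_script_tag(rendered: str) -> bool:
    """Demo check: does the rendered HTML still contain a raw <script tag?"""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    # Constructed probe string; not taken from any real incident.
    probe = '<script>alert("xss")</script>'
    print(render_vulnerable(probe))  # the tag survives, so the browser would run it
    print(render_safe(probe))        # &lt;script&gt;... is displayed as plain text
    print(validate_username("alice_01"), validate_username(probe))
```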

11 :: Tell me what is data protection in transit vs data protection at rest?

When data is protected while it is just sitting there in its database or on its hard drive, it can be considered at rest. On the other hand, while it is going from server to client it is in transit. Many servers do one or the other (protected SQL databases, VPN connections, etc.); however, not many do both, primarily because of the extra drain on resources. It is still good practice to do both, even if it does take a bit longer.

12 :: Do you know what is the CIA triangle?

Confidentiality, Integrity, Availability. As close to a ‘code’ for Information Security as it is possible to get, it is the boiled-down essence of InfoSec. Confidentiality: keeping data secure. Integrity: keeping data intact. Availability: keeping data accessible.

13 :: Do you know what is social engineering?

“Social engineering” refers to the use of humans as an attack vector to compromise a system. It involves fooling or otherwise manipulating human personnel into revealing information or performing actions on the attacker’s behalf. Social engineering is known to be a very effective attack strategy, since even the strongest security system can be compromised by a single poor decision. In some cases, highly secure systems that cannot be penetrated by computer or cryptographic means can be compromised by simply calling a member of the target organization on the phone and impersonating a colleague or IT professional.

14 :: Tell me is there any difference between Information Security and IT Security? If yes, please explain the difference?

Yes. Information Security and IT Security are different terms that are often used interchangeably. IT Security focuses on purely technical controls (like implementing antivirus, firewalls, hardening systems, etc.), while Information Security is a wider term which implies securing “information” as an asset in any form (e.g. shredding paper documents to prevent dumpster diving). So IT Security can be considered a subset of Information Security.

15 :: Do you know what is residual risk?

I’m going to let Ed Norton answer this one: “A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don’t do one.” Residual Risk is what is left over after you perform everything that is cost-effective to increase security, but to go further than that is a waste of resources. Residual risk is what the company is willing to live with as a gamble in the hopes that it won’t happen.

16 :: Tell me what is the role of information security analyst?

From small to large companies, the role of an information security analyst includes:

☛ Implementing security measures to protect computer systems, data and networks
☛ Keeping up to date with the latest intelligence, including hackers’ techniques
☛ Preventing data loss and service interruptions
☛ Testing data processing systems and performing risk assessments
☛ Installing various security software such as firewalls and data encryption, and other security measures
☛ Recommending security enhancements and purchases
☛ Planning, testing and implementing network disaster plans
☛ Training staff on information and network security procedures

17 :: What is certified Security Leadership?

It certifies the management abilities and the skills that are required to lead the security team.

18 :: Tell us can you describe rainbow tables?

Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.

19 :: Tell me why is DNS monitoring important?

If they’re familiar with infosec shops of any size, they’ll know that DNS requests are a treasure when it comes to malware indicators.

20 :: Tell me what are the various ways to handle account brute forcing?

Look for discussion of account lockouts, IP restrictions, fail2ban, etc.
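An added example, not from the original guide, of the two controls named above written as detection logic over constructed sshd-style log lines: a fail2ban-style per-IP threshold inside a time window, and a per-account lockout count (the log lines, IPs and user names are all made up):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log: one IP hammers two accounts within seconds,
# another spreads its guesses for one account out over 12 minutes.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 198.51.100.7 port 50122 ssh2
2024-03-01T10:00:03 sshd[101]: Failed password for alice from 198.51.100.7 port 50123 ssh2
2024-03-01T10:00:04 sshd[101]: Failed password for bob from 198.51.100.7 port 50124 ssh2
2024-03-01T10:00:06 sshd[101]: Failed password for alice from 198.51.100.7 port 50125 ssh2
2024-03-01T10:00:07 sshd[101]: Failed password for alice from 198.51.100.7 port 50126 ssh2
2024-03-01T10:30:00 sshd[104]: Failed password for dave from 192.0.2.9 port 41000 ssh2
2024-03-01T10:33:00 sshd[104]: Failed password for dave from 192.0.2.9 port 41001 ssh2
2024-03-01T10:36:00 sshd[104]: Failed password for dave from 192.0.2.9 port 41002 ssh2
2024-03-01T10:39:00 sshd[104]: Failed password for dave from 192.0.2.9 port 41003 ssh2
2024-03-01T10:42:00 sshd[104]: Failed password for dave from 192.0.2.9 port 41004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text):
    """Yield (timestamp, user, ip) for every failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def ips_to_ban(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style IP restriction: ban a source with maxretry or more failures
    inside any single findtime window (slow, spread-out guessing escapes this rule)."""
    failures = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        failures[ip].append(ts)
    banned = set()
    for ip, times in failures.items():
        times.sort()
        # Sliding window: the i-th failure against the one maxretry-1 positions earlier.
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= findtime:
                banned.add(ip)
                break
    return banned

def accounts_to_lock(log_text, threshold=3):
    """Account lockout: lock any account with threshold or more failures from any IP."""
    counts = defaultdict(int)
    for _ts, user, _ip in parse_failures(log_text):
        counts[user] += 1
    return {user for user, n in counts.items() if n >= threshold}
```

The per-IP rule catches the fast burst but not the slow guesser, while the account lockout catches the slow guesser too, which is why the two are used together.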