Questions For Interviewing Your Next Security Engineer

By Dan Morrill
Expert Author
Article Date: 2007-08-21

This list is completely biased in favor of a security engineer who is not tightly wound around military-grade information security for everyone at all times.

Most interview questions are really about both sides being on their best behavior: a candidate who is looking for a job, and a company that is looking for someone capable of working miracles with little or nothing to perform the trick with. These questions are also biased in favor of people who can get along with others, and toward finding out how flexible the interviewee is at thinking outside the box. Those are the biases inherent in these interview questions.

1. Someone wants to test out a new product that works on a wireless network. How would you advise them to test it?

a. This gives the interviewer a good idea of how well the candidate knows wireless security, as well as how willing they are to work with the business to test the new product. If they propose a clean, segregated test network that does not touch the main corporate network, or that links to the internet only through a DMZ-type arrangement, that is promising. If they ask for a Faraday cage, you might not have a winner here.

2. The business team has developed a brand new web site that you just tested and found a number of XSS errors in. How would you handle that?

a. This tells the interviewer whether the candidate has any idea about web security and development. If they offer to work with the developers to solve the issue, you have a good candidate; if they say it is the developers' problem and that they cannot help the developers or the business, this might not be the candidate for you.

3. This is a standard security question; everyone asks "Design a secure network." But you can add some spins to see how the candidate thinks, such as: design a secure network between two offices that is also optimized, or has QoS, for various protocols.

a. This leading question should start an interesting conversation about how to link two offices together, how to secure things at each layer of the protocol stack, and how best to implement a VPN solution. You do this kind of work with your trusted trading partners every day, and your new security person should know how to do it. If they do, you have a winner; if they don't, you don't.

4. Ask them for their blog URL.

a. First of all, if they have a blog, you need to know what they blog about. If they blog about tech, that means they live, eat and breathe this stuff, and that is good. If they are slamming their co-workers, families or friends, or generally bragging about how they pulled one over on someone, this might not be the person for you.

5. What is your MySpace page?

a. You ask this one for the same reason you ask for their blog URL: do they meet the needs of the company, or are they a lush in training?

6. What papers have you written?

a. The answer to this is the same as for the blog. If they don't blog, don't write, and don't have a MySpace page, ask them what they are reading in the news. Are they staying up on the technology? If not, you might not have a winner here.

7. What is the secret sauce to a Cisco command?

a. This tells you whether they have any hands-on experience with a Cisco device at all, which can be important depending on what the security engineer will be doing. I am not going to give this one away; ask your network or security person, they should be able to answer it.

8. What do you think of teams?

a. This is the ultimate people question. If they say they like teams, ask them why. If they say they like people, ask them why, and what drives their relationships with others. This opens up a whole line of questioning about how well they like people, how well they can train others, and their views on working with others. You really do want a social person, or at least a person sociable enough for the company.

9. Pick a headline.

a. Find out if they are up on today's news in information security. A fun one is "What is the alert con out at SANS today?" Are they in touch with the current situation? Don't make the headline too obscure.

10. Ask them what their favorite security web sites are.

a. You should at least hear one you already read. If not, write them down, check them out and see what they are like: are they deep-geek technical security, or fluffy Fox News kind of stuff?

11. Hand them a security scan of a network and ask them to interpret it.

a. This is always good for seeing whether they know what they are looking at and can derive information from it.

12. Hand them a web site security scan and ask them to interpret it.

a. As with the network scan, this shows whether they know what they are looking at and can derive information from it.

13. Show them a security policy from the company, and ask how they would enforce it.

a. This is always good; you find out what kind of leader they are. Do they intend to teach and then enforce, or do they go straight to punitive measures?

14. Show them a hack attack against something, down to the packet level, and ask what they would do. You have to hand them the entire attack, not just snippets of information.

a. Same as for 11 and 12: find out what they know, and whether they can interpret information well enough to be of use to the employer.

15. What is their dream information security job?

a. This is always good for finding out how ambitious they are, where they see themselves in a while, and whether there is a good fit between the job and the candidate.

Those are my favorite interview questions for an information security position at my company. I hope this helps during your next interview process.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.