1- What are your daily news checks?
It seems like we can’t go more than a
few days anymore without hearing about a major breach, which on the surface
would make it seem that more people and places are being hacked than ever
before (which to be honest is true). However, it also shows that detection and
reporting of attacks is improving per requirements of both government entities
and insurance companies. As a result, the public and security professionals are
both better informed as to what they can do to help protect themselves and
watch out for falsified charges on their accounts. Keeping up to date on these
matters is vital for anyone interested in Information Security.
2- What do you have on your home
network?
Nothing shows you how to break and fix
things more than a test environment, and for most people that means their home
network. Whether its a Windows laptop with a wireless generic router and a
phone all the way up to 14 Linux Workstations, an Active Directory Domain
Controller, a dedicated Firewall appliance and a net-attached toaster – as long
as you are learning and fiddling with it, that’s what matters.
3- What personal achievement are you
most proud of?
For me at least, this one is easy-
getting my CISSP. I studied for months, did every possible thing I could to
improve my recall and asked for anybody and everybody to help ask questions and
modify them in ways to make me try to think around corners. Everybody has at
least one thing that they are proud of, and while this and the next question
may be the same answer, all that matters is showing that you are willing to
move forward and willing to be self-motivated.
4- What project that you have built
are you most proud of?
For some people, this would be the
first computer they ever built, or the first time they modified a game console,
or the first program they wrote, the list can go on and on. In my case, that
would be a project for work that I was working on for years. It started out as
an Excel spreadsheet that the Engineering department were using to keep track
of their AutoCAD drawings, and ended up evolving through a couple hundred
static HTML pages, an Access Database and frontend, and finally to a full on
web application running in MySQL and PHP. This simple little thing ended up
becoming an entire website with dedicated Engineering, Sales and Quality web
apps used by the company globally, which just goes to show you you never know
where something might lead.
5- How would traceroute help you find
out where a breakdown in communication is?
Tracert or traceroute, depending on
the operating system, allows you to see exactly what routers you touch as you
move along the chain of connections to your final destination. However, if you
end up with a problem where you can’t connect or can’t ping your final
destination, a tracert can help in that regard as you can tell exactly where
the chain of connections stop. With this information, you can contact the
correct people – whether it be your own firewall, your ISP, your destination’s
ISP or somewhere in the middle.
6- Why would you want to use SSH from
a Windows pc?
SSH (TCP port 22) is a secure
connection used on many different systems and dedicated appliances. Routers,
Switches, SFTP servers and unsecure programs being tunnelled through this port
all can be used to help harden a connection against eavesdropping. Despite the
fact that most times when you hear about somebody ‘SSHing’ into a box it
involves Linux, the SSH protocol itself is actually implemented on a wide
variety of systems – though not by default on most Windows systems. Programs
like PuTTY, Filezilla and others have Windows ports available, which allow
Windows users the same ease-of-use connectivity to these devices as do Linux
users.
7- What’s the difference between
Symmetric and Asymmetric encryption?
To boil down an extremely complicated
topic into a few short words, Symmetric encryption uses the same key to encrypt
and decrypt, while Asymmetric uses different keys for encryption and
decryption. Symmetric is usually much faster, but is difficult to implement
most times due to the fact that you would have to transfer the key over an
unencrypted channel. Therefore many times an Asymmetric connection will be
established first, then send creates the Symmetric connection. This leads us
into the next topic…
8- What is SSL and why is it not
enough when it comes to encryption?
SSL is identity verification, not hard
data encryption. It is designed to be able to prove that the person you are
talking to on the other end is who they say they are. SSL and its big brother
TLS are both used almost everyone online, but the problem is because of this it
is a huge target and is mainly attacked via its implementation (The Heartbleed bug
for example) and its known methodology. As a result, SSL can be stripped in
certain circumstances, so additional protections for data-in-transit and
data-at-rest are very good ideas.
9- How would you find out what a POST
code means?
POST is one of the best tools
available when a system will not boot. Normally through the use of either
display LEDs in more modern systems, or traditionally through audio tones,
these specific codes can tell you what the system doesn’t like about its
current setup. Because of how rare these events can be, unless you are on a
tech bench day in and day out, reference materials such as the Motherboard
manual and your search engine of choice can be tremendous assets. Just remember
to make sure that everything is seated correctly, you have at least the minimum
required components to boot, and most importantly that you have all of your
connections on the correct pins.
10- What is the difference between a
Black Hat and a White Hat?
This particular question can lead into
a major philosophical debate about freedom of information, and if something is
implemented in a deliberately broken way it isn’t actually breaking into it,
etc etc. The one I’ve heard the most is the classic Jedi example – same tools,
different ideologies. Personally, with the people I know that have worked on
both sides of the line it comes down to this – the difference between a Black
Hat and a White Hat is who is signing the check..
11- You need to reset a
password-protected BIOS configuration. What do you do?
While BIOS itself has been superseded
by UEFI, most systems still follow the same configuration for how they keep the
settings in storage. Since BIOS itself is a pre-boot system, it has its own
storage mechanism for its settings and preferences. In the classic scenario,
simply popping out the CMOS (complementary metal-oxide-semiconductor) battery
will be enough to have the memory storing these settings lose its power supply,
and as a result it will lose its settings. Other times, you need to use a jumper
or a physical switch on the motherboard. Still other times you need to actually
remove the memory itself from the device and reprogram it in order to wipe it
out. The simplest way by far however is this: if the BIOS has come from the
factory with a default password enabled, try ‘password’.
12- What is XSS?
Cross-site scripting, the nightmare of
Javascript. Because Javascript can run pages locally on the client system as
opposed to running everything on the server side, this can cause headaches for
a programmer if variables can be changed directly on the client’s webpage.
There are a number of ways to protect against this, the easiest of which is
input validation.
13- How would you login to Active
Directory from a Linux or Mac box?
While it may sound odd, it is possible
to access Active Directory from a non-Windows system. Active Directory uses an
implementation of the SMB protocol, which can be accessed from a Linux or Mac
system by using the Samba program. Depending on the version, this can allow for
share access, printing, and even Active Directory membership.
14- What are salted hashes?
Salt at its most fundamental level is
random data. When a properly protected password system receives a new password,
it will create a hashed value for that password, create a new random salt
value, and then store that combined value in its database. This helps defend
against dictionary attacks and known hash attacks. For example, if a user uses
the same password on two different systems, if they used the same hashing
algorithm, they could end up with the same hash value. However, if even one of
the systems uses salt with its hashes, the values will be different.
15- What do you think of social
networking sites such as Facebook and LinkedIn?
This is a doozy, and there are an
enormous number of opinions for this question. Many think they are the worst
thing that ever happened to the world, while others praise their existence. In
the realm of security, they can be the source of extreme data leaks if handled
in their default configurations. It is possible to lock down permissions on
social networking sites, but in some cases this isn’t enough due to the fact
that the backend is not sufficiently secured. This also doesn’t help if
somebody else’s profile that you have on your list gets compromised. Keeping
important data away from these kinds of sites is a top priority, and only
connecting with those you trust is also extremely helpful.
16- What are the three ways to
authenticate a person?
Something they know (password),
something they have (token), and something they are (biometrics). Two-factor
authentication often times uses a password and token setup, although in some
cases this can be a PIN and thumbprint.
17- How would you judge if a remote
server is running IIS or Apache?
Error messages oftentimes giveaway
what the server is running, and many times if the website administrator has not
set up custom error pages for every site, it can give it away as simply as just
entering a known bad address. Other times, just using telnet can be enough to
see how it responds. Never underestimate the amount of information that can be
gained by not getting the right answer but by asking the right questions.
18- What is data protection in transit
vs data protection at rest?
When data is protected while it is
just sitting there in its database or on its hard drive- it can be considered
at rest. On the other hand, while it is going from server to client it is
in-transit. Many servers do one or the other- protected SQL databases, VPN
connections, etc, however there are not many that do both primarily because of
the extra drain on resources. It is still a good practice to do both however,
even if it does take a bit longer.
19- You see a user logging in as root
to perform basic functions. Is this a problem?
A Linux admin account (root) has many
powers that are not permitted for standard users. That being said, it is not
always necessary to log all the way off and log back in as root in order to do
these tasks. For example, if you have ever used the ‘run as admin’ command in
Windows, then you will know the basic concept behind ‘sudo’ or ‘superuser
(root) do’ for whatever it is you want it to do. It’s a very simple and elegant
method for reducing the amount of time you need to be logged in as a privileged
user. The more time a user spends with enhanced permissions, the more likely it
is that something is going to go wrong – whether accidentally or intentionally.
20- How do you protect your home
Wireless Access Point?
This is another opinion question –
there are a lot of different ways to protect a Wireless Access Point: using
WPA2, not broadcasting the SSID, and using MAC address filtering are the most
popular among them. There are many other options, but in a typical home
environment, those three are the biggest.
21- What is an easy way to configure a
network to allow only a single computer to login on a particular jack?
Sticky ports are one of the network
admin’s best friends and worst headaches. They allow you to set up your network
so that each port on a switch only permits one (or a number that you specify)
computer to connect on that port by locking it to a particular MAC address. If
any other computer plugs into that port, the port shuts down and you receive a
call that they can’t connect anymore. If you were the one that originally ran
all the network connections then this isn’t a big issue, and likewise if it is
a predictable pattern then it also isn’t an issue. However if you’re working in
a hand-me-down network where chaos is the norm then you might end up spending a
while toning out exactly what they are connecting to.
22- You are remoted in to a headless
system in a remote area. You have no physical access to the hardware and you
need to perform an OS installation. What do you do?
There are a couple of different ways
to do this, but the most like scenario you will run into is this: What you
would want to do is setup a network-based installer capable of network-booting
via PXE (if you’ve ever seen this during your system boot and wondering what it
was for, tada). Environments that have very large numbers of systems more often
than not have the capability of pushing out images via the network. This
reduces the amount of hands-on time that is required on each system, and keeps
the installs more consistent.
23- On a Windows network, why is it
easier to break into a local account than an AD account?
Windows local accounts have a great
deal of baggage tied to them, running back a long long way to keep
compatibility for user accounts. If you are a user of passwords longer than 13
characters, you may have seen the message referring to this fact. However,
Active Directory accounts have a great deal of security tied onto them, not the
least of which is that the system actually doing the authenticating is not the
one you are usually sitting at when you are a regular user. Breaking into a Windows
system if you have physical access is actually not that difficult at all, as
there are quite a few dedicated utilities for just such a purpose, however that
is beyond the scope of what we’ll be getting into here.
24- What is the CIA triangle?
Confidentiality, Integrity,
Availability. As close to a ‘code’ for Information Security as it is possible
to get, it is the boiled down essence of InfoSec. Confidentiality- keeping data
secure. Integrity- keeping data intact. Availability- keeping data accessible.
25- What is the difference between an
HIDS and a NIDS?
Both acronyms are Intrusion Detection
Systems, however the first is a Host Intrusion Detection System whereas the
second is a Network Intrusion Detection System. An HIDS runs as a background
utility in the same as an anti-virus program for instance, while a Network
Intrusion Detection System sniffs packets as they go across the network looking
for things that aren’t quite ordinary. Both systems have two basic variants:
signature based and anomaly based. Signature based is very much like an
anti-virus system, looking for known values of known ‘bad things’, while
anomaly looks more for network traffic that doesn’t fit the usual pattern of
the network. This requires a bit more time to get a good baseline, but in the
long term can be better on the uptake for custom attacks.
26- You find out that there is an
active problem on your network. You can fix it, but it is out of your
jurisdiction. What do you do?
This question is a biggie. The true
answer is that you contact the person in charge of that department via email –
make sure to keep that for your records – along with CCing your manager as
well. There may be a very important reason why a system is configured in a
particular way, and locking it out could mean big trouble. Bringing up your
concerns to the responsible party is the best way to let them know that you saw
a potential problem, are letting them know about it, and covering yourself at
the same time by having a timestamp on it.
27- You are an employee for a tech
department in a non-management position. A high-level executive demands that
you break protocol and allow him to use his home laptop at work. What do you
do?
You would be amazed how often this
happens, even more so in the current BYOD environment. Still, the easiest way
out of this one is to contact your manager again and have them give a yay or
nay. This puts the authority and decision where it needs to be, and gives you
assistance if the department needs to push back. Stress can be a real killer in
position where you have to say ‘no’ to people that don’t like hearing it, so
passing the buck can be a friend.
28- What is the difference between a
vulnerability and an exploit?
A lot of people would say that they
are the same thing, and in a sense they would be right. However, one is a
potential problem while the other is an active problem. Think of it like this:
You have a shed with a broken lock where it won’t latch properly. In some areas
such as major cities, that would be a major problem that needs to be resolved
immediately, while in others like rural areas its more of a nuisance that can
be fixed when you get around to it. In both scenarios it would be a
vulnerability, while the major cities shed would be an example of an exploit –
there are people in the area, actively exploiting a known problem.
29- How would you compromise an
“Office Workstation” at a hotel?
Considering how infected these
typically are, I wouldn’t touch one with a 10ft pole. That being said, a USB
keylogger is easy to fit into the back of these systems without much notice
while an autorun program would be able to run quickly and quietly leaving
behind software to do the dirty work. In essence, it’s open season on exploits
in this type of environment.
31- What is worse in Firewall Detection, a false
negative or a false positive? And why?
Far
and away is a false negative. A false positive is annoying, but easily dealt
with – calling a legitimate piece of traffic bad. A false negative however is a
piece of malicious traffic being let through without incident – definitely bad.
32- What’s better, a red team or a blue team?
Another
opinion question, more along the lines of where your interests lie. In
penetration testing scenarios, a red team is trying to break in while a blue
team is defending. Red Teams typically are considered the ‘cooler’ of the two,
while the Blue Team is usually the more difficult. The usual rules apply like
in any defense game: the Blue Team has to be good every time, while the Red
Team only has to be good once. That’s not entirely accurate given the
complexities at work in most scenarios, but it’s close enough to explain the
idea.
33- What’s the difference between a White Box test
and a Black Box test?
Information
given by the person commissioning the test. A White Box test is one where the
pen testing team is given as much information as possible regarding the
environment, while a Black Box test is…well…a Black Box. They don’t know what’s
inside.
34- What is the difference between Information
Protection and Information Assurance?
Information
Protection is just what it sounds like- protecting information through the use
of Encryption, Security software and other methods designed to keep it safe.
Information Assurance on the other hand deals more with keeping the data
reliable – RAID configurations, backups, non-repudiation techniques, etc.
35- How would you lock down a mobile device?
Another
opinion question, and as usual a lot of different potential answers. The
baseline for these though would be three key elements: An anti-malware
application, a remote wipe utility, and full-disk encryption. Almost all modern
mobile devices regardless of manufacturer have anti-malware and remote wipe
available for them, and very few systems now do not come with full-disk
encryption available as an option directly within the OS.
36- What is the difference between closed-source and
open-source? Which is better?
Yet
another opinion question. Closed-source is a typical commercially developed
program. You receive an executable file which runs and does its job without the
ability to look far under the hood. Open-source however provides the source
code to be able to inspect everything it does, as well as be able to make
changes yourself and recompile the code. Both have arguments for and against
them, most have to do with audits and accountability. Closed-source advocates
claim that open-source causes issues because everybody can see exactly how it
works and exploit weaknesses in the program. Open-source counter saying that
because closed-source programs don’t provide ways to fully check them out, its
difficult to find and troubleshoot issues in the programs beyond a certain
level.
37- What is your opinion on hacktivist groups such
as Anonymous?
You
might have guessed that this level is very much about forming opinions and
drawing conclusions, and you’d be right – this one is an especially loaded
question. Like any major group without a central leader, they seem to be mostly
chaotic, at times seeming like a force for good, while at others causing havoc
for innocents. Choose your words very carefully here, as it could be a
dealbreaker.
38- What is the Three-way handshake? How can it be
used to create a DOS attack?
The
three-way handshake is a cornerstone of the TCP suite: SYN, SYN/ACK, ACK. SYN
is the outgoing connection request from client to server. ACK is the
acknowledgement of the server back to the client, saying that yes I hear you,
let’s open a connection. SYN/ACK is the final connection, and allows the two to
speak. The problem is that this can be used as a very basic type of Denial of
Service Attack. The client opens up the SYN connection, the server responds
with the SYN/ACK, but then the client sends another SYN. The server treats this
as a new connection request and keeps the previous connection open. As this is
repeated over and over many times very quickly, the server quickly becomes
saturated with a huge number of connection requests, eventually overloading its
ability to connect to legitimate users.
39- Why would you bring in an outside contractor to
perform a penetration test?
Much
like getting a fresh set of eyes on a problem, sometimes you have people that
don’t want to see or don’t want to admit to an issue. Bringing in extra help as
an audit can really help eliminate problems that your team isn’t able to
resolve on their own. Granted they may cost a small fortune, but they are
extremely good at what they do.
40- If you were going to break into a database-based
website, how would you do it?
And
here’s other side of the coin: learning to break into your own systems so that
you can pen test them yourself. While the exact methods are different for each
type of database server and programming language, the easiest attack vector to
test for first is an SQL injection technique. For example, if the input fields
are not sterilized, just entering a specific set of symbols into a form field
may be enough to get back data. Alternatively, depending again on how the site
is written, using a specially crafted URL may be enough to get back data as
well. Footprinting the server ahead of time can help in this task if it isn’t
one you built yourself.
41- Why are internal threats oftentimes more
successful than external threats?
When
you see something day in and day out, even if it shocks you at first, you tend
to get used to it. This means that if you see somebody that pokes around day
after day, month after month, you might get used to the fact that he’s just
curious. You let your guard down, and don’t react as quickly to possible
threats. On the other hand, say for example you have an annoyed employee that
is soon to be fired and wants to show his soon to be former employer that he
can bring them down, so he sells his still active credentials and card-key to a
local group that specializes in white-collar crime. Still other infiltrators
dress up as delivery people and wander around aimlessly in office buildings,
getting information off of post-it notes and papers lying around. External
threats do not have access to near this level of information about the company,
and more often than not do not get in as far as somebody that spent 20 bucks on
a knock-off UPS uniform.
42- What is residual risk?
I’m
going to let Ed Norton answer this one: “A new car built by my company leaves
somewhere traveling at 60 mph. The rear differential locks up. The car crashes
and burns with everyone trapped inside. Now, should we initiate a recall? Take
the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the
average out-of-court settlement, C. A times B times C equals X. If X is less than
the cost of a recall, we don’t do one.” Residual Risk is what is left over
after you perform everything that is cost-effective to increase security, but
to go further than that is a waste of resources. Residual risk is what the
company is willing to live with as a gamble in the hopes that it won’t happen.
43- Why is deleted data not truly gone when you
delete it?
When
you press delete on a file, it doesn’t actually go anywhere. A bit on the file
is flipped telling the operating system that that file is no longer needed and
it can be overwritten as is required. Until that happens, the file can still be
restored no matter if it’s in a Recycling Bin or not. There are ways around
this, such as using File Shredders and disk wipers, but both of these take
quite a bit of time to finish their jobs to a reasonable degree.
44- What is the Chain of Custody?
When
keeping track of data or equipment for use in legal proceedings, it needs to
remain in a pristine state. Therefore, documenting exactly who has had access
to what for how long is vital when dealing with this situation. Any compromise
in the data can lead to legal issues for the parties involved and can lead to a
mistrial or contempt depending on the scenario.
45- How would you permanently remove the threat of
data falling into the wrong hands?
If
data is on physical media such as a diskette, cd or even paper, there are
shredders, pulverizers and destroyers that can turn plastic and paper into
confetti. For hard disks however, that becomes a bit more tricky. Most
locations will turn to a two-fold method for ensuring a disk’s destruction by
first using a specially made disc wiping program, taking apart the hard drive,
removing the platters, scratching them up beyond recognition and then
degaussing them with a high-powered magnet. This ensures that the data cannot
be recovered through conventional means.
46- What is Exfiltration?
Infiltration
is the method by which you enter or smuggle elements into a location.
Exfiltration is just the opposite: getting sensitive information or objects out
of a location without being discovered. In an environment with high security,
this can be extremely difficult but not impossible. Again we turn to our
friends in the fake delivery uniforms wandering around the building, and see
that yes there are ways to get in and out without a lot of issues.
47- I run an SMB. I have 4 people in my entire
company and a web-based store. I don’t have the time, patience or manpower to
have a computer guy. Why should I care about exploits and computer jibberish?
This
is a classic catch-22 situation: a company doesn’t have enough money to secure
their networks, but by the same token they can’t afford a payout if they get
compromised. At the same time, they really can’t afford to have a dedicated
computer technician, let alone a security consultant. If you are able to
explain (in words that don’t make it sound like you’re just fearmongering), an
SMB will acknowledge what they need to do to keep their store secure and keep
receiving payments since following the money will tend to help move things
along.
48- I’m the CEO of a Fortune 500 company. I make
more in an afternoon than you make in a year. I don’t care about this stupid
security stuff, it just costs time and money and slows everything down. Why
should I care about this junk?
This
one is significantly harder – they are used to having people lie, cheat and
steal from them on a regular basis, and when somebody comes in saying that the
company is going to lose all this money unless you pay for this, they’re
probably going to say no. Therefore, having done your homework and having the
support of the local IT team instead of alienating them is vital. Performing
site assessments, creating executive summaries and line-by-line breakdowns of
what goes where can help them to better understand what is going to be done and
keep the project going.
49- I’m the legal council for a large corporation.
We have requirements to document assets and code changes. We have a very
limited budget for this task. How would you resolve this?
This
is actually one of the easier ones – you have an informed party, asking for
assistance to something that is important. They have money for the project
(albeit not much), but it is better than nothing. At the very bottom of the
spectrum, this could be accomplished in nothing more than Excel with a lot of
time and data entry, moving all the way up the chain to automated Network
Scanners documenting everything they find to a database and programs that
check-in and out programs with versioning and delta files. It all depends on
how big the project is, and how big the company is.
50- I’m the new guy – I used to be a coder at my old
job and my manager wants me to create some custom programs. I need domain
administrator rights for this task. My boss said its alright, and you either
give me what I need or you’re fired and he’ll find somebody that will. How do
you respond?
Unfortunately
you will run into the hardball guy at least once in your career. In this case
though, like others we have run into, it’s time to move it up the chain to the
manager. They will be able to give the yay or nay depending on exactly what the
project is and be able to take the brunt of an attack if it comes.
No comments:
Post a Comment