Cracking the infosec interview for fun and profit – how not to suck and get $$ hired $$

There are many people with different backgrounds approaching the world of Information Security and trying to land a job in this field:  software developers, sysadmins, network engineers, IT technicians, even people whose formal education and previous job don’t have anything to do with Infosec. Nowadays there aren’t strict requirements in terms of education for being an Information Security Professional, everyone who puts a lot of efforts in it can succeed, anyway obviously having a degree in computer science and a master degree in cyber security would certainly help. If you don’t have a degree under your belt, but you have some relevant certifications or you simply think you are good and can demonstrate your skills for doing this job, then you are welcome.

get-hired-infographic

HAVE A SOLID TECHNICAL BACKGROUND

ACADEMIA

If you have time and money getting a bachelor degree in Computer Science and a Master’s degree or Phd in Computer Security is certainly worth it and it will stand out in your resume.

SELF STUDY

Even if you couldn’t study computer science and security at university don’t worry because you aren’t certainly alone. I recommend you to read an article I wrote about the prerequisites for learning penetration testing. There are many valuable resources available online for free, so you have no excuses for stopping what you are doing and start learning. Checkout the Open Source Society University curriculum in Computer Science that you can find on github which lists MOOC courses developed by some of the most prestigious universities. Also have a look at the awesome-pentest list, still on github.

GAIN PRACTICAL SKILLS

Being able to understand and discuss with other security professionals about security threats, testing methodologies, tools, remediations and so on is important but you don’t just need to read, write and speak, you need to actually be able to perform a penetration test. You need to hack like hackers do, although in a systematic and organized way. Hacking devices and networks that don’t belong to you without a formal consent is illegal, that’s why you’ll need to setup your own testing lab.

You will need one or more computers, a virtualization software like VMWare or VirtualBox, images of different operating systems that you would like to test, including vulnerable by design operating systems like metasploitable, metasploitable 2 or many others that you can find on vulnhub.com . You’ll also need a pentest environment, it can be your own customized distro or popular distros like Kali Linux, Backbox Linux, BlackArch and so on. You may want to test also multiple network configurations, firewalls, intrusion detection systems, although this is optional, but it will make things more realistic when attacking highly secure environments. Here you can find a simple and clear guide by Offensive Security on how to setup a penetration testing lab.

If you want to sharpen your skills about web app penetration testing I recommend you to try DVWA, WebGoat or others. You can find a long list here: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main . There are online apps, offline apps, virtual machines or ISOs. You’ll usually need a LAMP or LEMP stack in order to run the apps. If you don’t want to waste your time and hack immediately, then I recommend you to try the Hack.me project by eLearnSecurity where you can find find many vulnerable apps or upload yours and test them in a sandboxed environment.

Another awesome way to sharpen your skills is participating to CTFs. You can find an extensive list of upcoming and past CTFs on CTFtime.org . If you are interested in write ups you can find them on https://ctftime.org/writeups , https://github.com/ctfs or https://ctf-team.vulnhub.com.

SHOW YOUR PASSION

If you are like me and you spend at least 6 hours a day hacking around or you employ all your limited free time for this when you get home after your part time/full time job then you are really interested in infosec and you are on the right track. It is known that hackers hack at night, anyway especially if you have got a job, consider getting enough sleep and get some fresh air at least 1-2 days a week 😀 Hang out with friends, have fun, relax and free your mind, you’ll study better. Coffee helps as well. Please do yourself a favor and don’t drink instant coffee but a beloved espresso. Yes I’m a proud Italian in case you didn’t know it. Hacking can be challenging, stressing, painful, time and energy consuming, but make sure to have a smile on your face when talking about infosec with your friends or potential employers. It can be a tough job but you need to be happy after all, otherwise maybe it’s not the job for you or your work environment isn’t that great. Nobody forbids you to change and take a break, but if you were born as a hacker  you’ll die as a hacker.

COLLABORATE TO OPEN SOURCE PROJECTS

Collaborating to open source projects is very useful for multiple reasons:

1. being part of the open source community
2. actually help the author of a tool to further develop it
3. being able to read the code and learn by example
4. being able to fork a project and edit it or implement it in your own tool
5. learn how git or other versioning tools work
6. learn how to write an effective documentation
7. showcase your open source tools or commits to existing projects

For a list of projects you can contribute to you can have a look directly at https://github.com, http://sectools.org , http://www.toolswatch.org or http://www.kitploit.com for example.

EARN HANDS ON INFOSEC CERTIFICATIONS

Now this is a controversial topic. Someone will tell you that certifications are completely useless, someone will tell you they are a must have, I believe the truth lies somewhere in the middle.

Certifications hardly guarantee expertise even because in order to be competent in something you’ll need both theoretical and practical skills + preferably a number of years of work experience. Anyway certifications can be good for testing your skills especially if you self study and if you don’t have a degree and relevant work experience, they may still allow you to be considered for a job interview. As I said before, having a certification doesn’t guarantee expertise, someone who isn’t certified could be still better than someone who isn’t, anyway getting certified doesn’t hurt (unless you consider your pocket maybe), does it?

What kind of certifications should I have?

My answer is it is better to have a few highly recognized certifications focused on security rather than a lot of certifications that are more generic. You don’t want to be an IT technician, a sysadmin, a network engineer, a software developer, hey you want to be a penetration tester, so the certifications you hold should be focused on demonstrating your skills at vulnerability assessment, exploitation and post exploitation, evaluation of risks and reporting. It’s easier said than done. I would suggest you to skip certifications whose exams are based on multiple choice questions: you may as well memorize all the answers or anyway they test your knowledge but not your practical skills that are equally if not more important. I don’t recommend getting entry level certifications like Comptia Security+ or CEH, well better than nothing, but don’t expect them to be taken in high consideration (although oddly enough they are recognized for some government/DoD jobs). If you want to get a certification I recommend OSCP and OSCE by Offensive Security or eCPPT Gold by eLearnSecurity. The exams required in order to get these certifications are hands on, therefore you need to apply in practice what you learnt in theory and practiced in the labs. Offensive Security also offer OSWP for wireless penetration testing, OSEE for Windows exploitation and OSWE for web app pentesting. eLearnSecurity on the other hand also offers eCRE for reverse engineering, eMAPT for mobile application penetration testing, eNDP for network defense, eWDP for web defense, eWPT and eWPTX for web app pentesting. If you feel that eCPPT is too hard for you, you can also consider going for eJPT first in order to lay the necessary foundations about computer security.

If you are in the UK it is also recommended to get CREST certified by taking an hands on exam at an approved testing center. Remember to bring your own computer and you’ll be asked to leave your hard disk there in order to be erased after the exam session. There isn’t an official course for preparing to take the CREST exam but there is a syllabus and some suggested books and approved third party courses. Recently who holds OSCP is able to get CREST certified by paying a fee and doing a smaller test.

GIAC certifications are also highly regarded although there is an open book exam and multiple choice questions, not really as hands on as the aforementioned certifications. SANS Institute is the GIAC’s preferred partner for exam preparation, live, self study, online and on-demand courses are available. They are generally expensive so not every individual is willing to take them and pay the fee out of his pocket but infosec companies often provide a sponsorship for those who want to get certified. There are many GIAC certifications, for a full list I advise you to check the official website, I’ll just mention the 3 most common ones that are GSEC (security essentials – entry level), GPEN (penetration testing) and GWAPT (web app penetration testing).

CISSP by ISC2 is also worth getting, anyway it is more aimed at forging infosec managers than penetration testers. If you take a look at the syllabus you’ll notice that there is a wide list of topics that you need to know but not so in depth. The CISSP exam tests one’s competence in the 8 domains of the CISSP CBK, which cover: Security and Risk Management; Asset Security; Security Engineering; Communications and Network Security; Identity and Access Management; Security Assessment and Testing; Security Operations; Software Development Security. Candidates must have a minimum of 5 years cumulative paid full-time work experience in two or more of the 8 domains of the (ISC)² CISSP CBK®. Candidates may receive a one year experience waiver with a 4-year college degree, or regional equivalent or additional credential from the (ISC)² approved list, thus requiring four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK. Don’t have the experience? Become an Associate of (ISC)² by successfully passing the CISSP exam. You’ll have 6 years to earn your experience to become a CISSP.

 CREATE YOUR OWN PROJECTS, METHODOLOGIES AND TOOLS

You can take inspiration by existing projects, methodologies and tools to create your own!

You can create a local group of people interested in infosec and have regular meetups, you can create a local chapter of a well established not for profit computer security association, you can gather people and create your own security conference! Dream big and keep moving! Some of these things require time, experience and a lot of efforts, anyway do as much as you can to contribute to the infosec community.

Do you think there are new security threats and attack vectors and they isn’t a standardized testing methodology yet? You can contribute to big projects like OSSTMM and OWASP or create your own!

Do you have an amazing idea for a tool and unfortunately it isn’t available anywhere because nobody developed it? Why don’t you do it?! It’s an incredible occasion to sharpen your coding skills, meet new friends (contributors), give back to the infosec community and get noted by potential employers.

START YOUR OWN SECURITY BLOG

You read a lot, don’t you? Keeping up to date with the new infosec trends and discoveries should be your daily task. There are specialized websites, companies’ blogs and also valuable personal blogs that can enrich your knowledge. If you discover something new or you are particularly gifted at explaining things, why don’t you start your security blog? Other people can learn from you and by teaching you can reinforce your own knowledge. Did you do a particular research recently? Did you develop a new tool? Nobody will know about it if you keep it secret. Create a security blog and share it with the world! You never know, you could get the attention of potential employers as well. It’s both a personal passion and an investment.

NETWORK WITH THE PROS

Ok you are great, nobody doubts that, but getting to know other people working in the same field can be very useful and beneficial. There are several ways to meet other people. Maybe you can meet someone who is collaborating to the same project or open source tool. Another possibility is that one of participating to conferences, expos, meetings, hackathons and CTFs. Besides don’t neglect social networks. Many people use Facebook but mostly for personal use (anyway if you use it you can like my page https://www.facebook.com/thepentestguru/), instead there are a lot of infosec people who use Twitter for sharing actual infosec stuff so make sure to use it. You can follow my personal feed @Fabiothebest89 and pentest guru’s feed @pentestguru. Besides there is a new social network created right for connecting infosec professionals, check it out in case you don’t know it yet: https://www.peerlyst.com. This is my profile: https://www.peerlyst.com/users/fabio-baroni.

Now I will list a series of security conferences that I recommend you to attend if you can:

• DEF CON – An annual hacker convention in Las Vegas
• Black Hat – An annual security conference in Las Vegas
• BSides – A framework for organising and holding security conferences
• CCC – An annual meeting of the international hacker scene in Germany
• DerbyCon – An annual hacker conference based in Louisville
• PhreakNIC – A technology conference held annually in middle Tennessee
• ShmooCon – An annual US east coast hacker convention
• CarolinaCon – An infosec conference, held annually in North Carolina
• HOPE – A conference series sponsored by the hacker magazine 2600
• SummerCon – One of the oldest hacker conventions, held during Summer
• Hack.lu – An annual conference held in Luxembourg
• HITB – Deep-knowledge security conference held in Malaysia and The Netherlands
• Troopers – Annual international IT Security event with workshops held in Heidelberg, Germany
• Hack3rCon – An annual US hacker conference
• ThotCon – An annual US hacker conference held in Chicago
• LayerOne – An annual US security conference held every spring in Los Angeles
• DeepSec – Security Conference in Vienna, Austria
• SkyDogCon – A technology conference in Nashville
• SECUINSIDE – Security Conference in Seoul
• DefCamp – Largest Security Conference in Eastern Europe, held anually in Bucharest, Romania
• AppSecUSA – An annual conference organised by OWASP
• BruCON – An annual security conference in Belgium
• Infosecurity Europe – Europe’s number one information security event, held in London, UK
• Nullcon – An annual conference in Delhi and Goa, India
• RSA Conference USA – An annual security conference in San Francisco, California, USA
• Swiss Cyber Storm – An annual security conference in Lucerne, Switzerland
• Virus Bulletin Conference – An annual conference going to be held in Denver, USA for 2016
• Ekoparty – Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina
• 44Con – Annual Security Conference held in London

PREPARE FOR THE INTERVIEW

When preparing for an interview you should review the penetration testing methodologies, practice in your pentesting lab and think about the questions the interviewer may ask you. This depends on a number of factors. Make sure to read carefully the job description. Try to get in touch with the recruiter/interviewer prior to the interview and ask info if necessary. Is it a junior or senior pentesting role? Will you be a trainee or will you have to manage other people? Will it be office or home based? Will you be part of a red team or blue team of the hiring company or will it be a consultancy job that requires you to travel to multiple companies? You should reflect on all these things. If you are a senior information security professional I’m sure you’ll have done at least some interview and you’ll be familiar about what the interviewer normally asks or you may have been an interviewer yourself for a junior role, but if you are just starting I’m sure you’ll appreciate some guidance. I’ll write here some questions that you may hear so that you can prepare yourself prior to the interview, avoid to fall into some traps and succeed.

NETWORK SECURITY

• Are open-source projects more or less secure than proprietary ones?
• How do you change your DNS settings in Linux/Windows?
• What’s the difference between encoding, encryption, and hashing?
• What’s more secure, SSL or HTTPS?
• Can you describe rainbow tables?
• What is salting, and why is it used?
• Who do you look up to within the field of Information Security? Why?
• Where do you get your security news from?
• If you had to both encrypt and compress data during transmission, which would you do first, and why?
• What’s the difference between symmetric and public-key cryptography?
• In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
• What kind of network do you have at home?
• What are the advantages offered by bug bounty programs over normal testing practices?
• What are your first three steps when securing a Linux server?
• What are your first three steps when securing a Windows server?
• Who’s more dangerous to an organization, insiders or outsiders?
• Why is DNS monitoring important?
• What port does ping work over? 😀
• Do you prefer filtered ports or closed ports on your firewall?
• How exactly does traceroute/tracert work at the protocol level?
• What are Linux’s strengths and weaknesses vs. Windows?
• Cryptographically speaking, what is the main method of building a shared secret over a public medium?
• What’s the difference between Diffie-Hellman and RSA?
• What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

APPLICATION SECURITY

• Describe the last program or script that you wrote. What problem did it solve?
• How would you implement a secure login field on a high traffic website where performance is a consideration?
• What are the various ways to handle account brute forcing?
• What is Cross-Site Request Forgery?
• How does one defend against CSRF?
• If you were a site administrator looking for incoming CSRF attacks, what would you look for?
• What’s the difference between HTTP and HTML?
• How does HTTP handle state?
• What exactly is Cross Site Scripting?
• What’s the difference between stored and reflected XSS?
• What are the common defenses against XSS?

CORPORATE/RISK

• What is the primary reason most companies haven’t fixed their vulnerabilities?
• What’s the goal of information security within an organization?
• What’s the difference between a threat, vulnerability, and a risk?
• If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]
• As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?

Are you tired yet? If yes, go catch some sleep, otherwise be prepared to read other questions. I don’t want you to come and tell me that you weren’t prepared for the interview 😀

• What is the biggest threat facing web applications in your experience?
• What does RSA stand for?
• What conferences do you routinely attend?
• How do you create SSL certificate, generically speaking?
• What is meterpreter?
• With regard to forensics, what is physically different about how the platters are used in a 3.5″ and a 2.5″ HDD?
• What’s the difference between a router, a bridge, a hub and a switch?
• What’s port scanning and how does it work?
• Can we perform VA remotely?
• What experience do you have with Data Loss Prevention (DLP)?
• Give me an example of when you thought outside of the box. How did it help your employer?
• What is a spyware?
• Is NT susceptible to flood attacks?
• How does HTTP handle state?
• What is DES?
• What is DNS Hijacking?
• What is LDAP?
• What are DCO and HPA?
• Are there limitations of Intrusion Detection Signatures?
• Please explain how asymmetric encryption works
• How do you determine when to update virus protection systems?
• What is Stuxnet?
• What is Wireshark?
• What do you see as challenges to successfully deploying/monitoring web intrusion detection?
• What ports must I enable to let NBT (NetBios over TCP/IP) through my firewall?
• Are server-side includes insecure?
• What’s the difference between a threat, a vulnerability and a risk?
• What are IDA and/or Olly?
• What is the difference between stored and reflected XSS?
• What is NMAP?
• What is NAT and how does it work?
• What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
• Have you hacked any system?
• Your network as been infected by malware. Please walk me through the process of cleaning up the environment.
• What is PCI compliance testing?
• What is %3C in HTML encoding?

Now go out there and rock! Let me know how it goes 🙂

Author: Fabio Baroni   Date: 2016-04-07 13:59:25