System Auditor

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they’re confused, then this should be for an extremely junior position.

If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.

You should hear coverage of many testers vs. one, in centralization, focus on rare bugs, etc.

As an accountant, you are held to a high standard and the margin for error is tiny. Small mistakes can lead to large financial issues.

“Respond to this question by describing any times you’ve caught errors before submitting work,”. “Emphasize the importance of checking your work and establishing checks and balances within a team.”

As with most careers, it is difficult to predict where they will lead. Certainly it is common for CISA’s in public accounting firms to move into line management. Other possibilities are to move to industry and become an internal auditor, IT risk or IT security manager, or a CIO.

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here–not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for.

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.

Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.”, or, “I wait until someone tells me about events.”. It’s these types of answers that will tell you he’s likely not on top of things.

Early in my career, I made a mistake on a report and denied a client their claim on the grounds that the car accident appeared to be a result of their negligence as opposed to the negligence of the other party. I found out later that I was too quick to make that decision. I had not spoken to the police first, who later informed me that the evidence I was looking at was taken after the vehicles had been moved from the scene. They showed me photographs of the vehicle immediately after it had happened, which clearly showed the other party was at fault. I was too quick on the draw, and I learned that every case requires due diligence.

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.

Keep your response brief, like you would for “Tell me about yourself,” but outline important experience you’ve had in this area.

By keeping your response brief, it can open up the conversation to be more like a dialogue about the employer’s business metrics rather than a Q&A

You purposely want to give the question without context. If they know what salting is just by name, they’ve either studied well or have actually been exposed to this stuff for a while.