Information Security Professional

80/20 is a thumb rule used for describing IP networks, in which 80% of all traffic should remain local while 20% is routed towards a remote network.

It declares that candidate is expert in handling basic security issues- it is the basic certification in security

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they’re confused, then this should be for an extremely junior position.

Standard stuff here: single key vs. two keys, etc, etc.

A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.

Man-in-the-middle, as neither side is authenticated.

Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you’re looking for is for him not to panic.

This is a bit of a pet question for me, and I look for people to realize that companies don’t actually care as much about security as they claim to–otherwise we’d have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.

Look for people who get this, and are ok with the challenge.

Cross-site scripting, the nightmare of Javascript. Because Javascript can run pages locally on the client system as opposed to running everything on the server side, this can cause headaches for a programmer if variables can be changed directly on the client’s webpage. There are a number of ways to protect against this, the easiest of which is input validation.

When data is protected while it is just sitting there in its database or on its hard drive- it can be considered at rest. On the other hand, while it is going from server to client it is in-transit. Many servers do one or the other- protected SQL databases, VPN connections, etc, however there are not many that do both primarily because of the extra drain on resources. It is still a good practice to do both however, even if it does take a bit longer.

Confidentiality, Integrity, Availability. As close to a ‘code’ for Information Security as it is possible to get, it is the boiled down essence of InfoSec. Confidentiality- keeping data secure. Integrity- keeping data intact. Availability- keeping data accessible.

“Social engineering” refers to the use of humans as an attack vector to compromise a system. It involves fooling or otherwise manipulating human personnel into revealing information or performing actions on the attacker’s behalf. Social engineering is known to be a very effective attack strategy, since even the strongest security system can be compromised by a single poor decision. In some cases, highly secure systems that cannot be penetrated by computer or cryptographic means, can be compromised by simply calling a member of the target organization on the phone and impersonating a colleague or IT professional.

Yes. Information Security and IT Security are both different terms often used interchangeably. IT Security focuses on purely technical controls (like implementing antivirus, firewall, hardening systems etc) while Information Security is more wider term which implies securing “information” as an asset be it in any form. (ex shredding of paper documents to prevent dumpster driving etc). So IT security can be considered as a subset of Information Security.

It declares the certification of management abilities and the skills that is required to lead the security team

Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.

If they’re familiar with infosec shops of any size, they’ll know that DNS requests are a treasure when it comes to malware indicators.

Look for discussion of account lockouts, IP restrictions, fail2ban, etc.