How to prove the utility of an infosec interviewee in four questions
I like to hire infosec geeks that I can get along with. What this means in practical terms is that I need a way to see through your resume (which never seems to contain people’s alternate identity information) to who you really are as a practitioner, what sort of philosophy you have towards information security, and how easily I’ll be able to manage you.
To that end, I’ve got a list of only 4 questions that I use to determine “fit”. These questions are the only ones I really need to ask since there are HR people (who I get along with well – cough cough) who can take care of making sure that if you say you’re a CISSP, you’re actually a CISSP.
In no particular order, here are the questions I ask and the sorts of answers I expect. If I’ve interviewed you, you’ll probably now figure out who I am 🙂
1/ What is the hostname of your computer / essid of your wifi
This tells me if you love computers / get the hacker culture (know thine enemy), or if you see computers as a collection of parts which does not deserve a unique name.
Examples of good answers: hephaestus, neo, glitch, pieceofcrap, please_steal_my_signal, plausible_deniability
Examples of bad answers: consumerpc_67242, Bob’s Computer, livingroom, linksys
2/ Which infosec event/conference do you think is the *one* you need to attend each year
This tells me which school of thought in infosec you adhere to – even more than your resume can.
Examples of good answers: Blackhat, DEFCON, CanSecWest, Shmoocon
Examples of bad answers: RSA, SANS, Learning Tree
3/ You’re doing a walk around and notice an iPod plugged into a laptop – what do you do
This is peripherally related to #2, but it tells me whether you will be manageable or not: can you do things “our way”, or are you a fanatic?
Examples of good answers: What does the Infosec Policy have to say? Does the employee seem to have any other risky behaviours (browser open to F*ckedcompany.com)?
Examples of bad answers: Take away the iPod and cable and then report the user to their manager.
(What is the point of worrying about it – *they take the laptop home every night and it’s got a 120gb HD*)
4/ You’ve been asked by HR to take a copy of an outgoing employee’s computer – what do you do
If you don’t start out your answer by asking about evidence requirements you’re not getting hired.
Examples of good answers: Do we have EnCase? I’d like to have you also with me to ensure that we’ve got a good chain of custody.
Examples of bad answers: I read somewhere that you can use a Linux thing to copy disks. I could get one of the windows admins to ghost the box.
What is interesting is that these 4 questions work for almost all situations – both when you’re looking for a progressive lateral thinker (like I am right now) and when you’re looking for someone who is best described as a “policy wonk” (apologies to the 3 policy wonks I know who are not also members of the AIPWWNGI (Association of Infosec People Who Will Never Get It)). Try it – you might find your next good infosec person based on these questions.
And if you now recognize that I interviewed you – I’d like to apologize for being such a dick. I don’t actually have much to do with the hiring process.
LOL! Sweet. I ran similar questions on our new guy. He passed.
🙂
My computer’s name is Rosie and my iPod, Carnie – what does that say about me?
I like this aspect of the interview process. From a potential interview point of view, it’s much more interesting when one is able to stray from the typical “where do you see yourself in 5 years” crap. Not to mention that when an interview is a bit more personal in style, the applicant has a better idea how they did in the interview as well. In an environment where teamwork is crucial, the chemistry among members is crucial.
Great article this week!
This is a cool test. I know one engineer who would ask prospective employees to describe their home network, which is something along the same lines.
#1–I use SquirrelNet as an essid (as in, “nobody here but us squirrels”), and my old WEP passphrase used to be “W3lcum2H4xx0rz” or something similar–I’ve since passed it on to WPA, so it’s been a couple of years.
Now the funny thing is, I set up a wifi AP in Afghanistan against all general orders to the contrary, and I used SquirrelNet there, too.
#2–Shmoocon, it’s even in my back yard. I didn’t go this year, I feel so cheap.
#3–Borrow the iPod for a day and copy all their songs. We all use thumb drives and external USB drives anyway, so what’s the big deal? Now if I worked at MicroSoft, I would report them to the anti-ipod gestapo. =)
#4–Do you have probable cause? We have the laptop so it’s not like the data will go away overnight. If you’re suspecting illegal activities, then we need to get the police/FBI/$foo involved (FBI has jurisdiction over all my employees’ laptops because we have SSI and other sensitive information on them). I would rather that they do it because it provides a better chain-of-custody, and if they have a real cybercrimes division, they have the forensics equipment (write-blocks, forensics stations, and software) and people to run it. For the record, if I had to do it myself, I would use DD and make both an MD5 and a SHA checksum for evidence purposes, but that’s just me.
@Harvey,
I don’t know if the change in style is good, but interviews like this tend to be a group affair and several of the other group members were a little shocked at the questions and answers. By the third interview, they were content to let me go ahead with the questions and paid as much attention to these questions as to the more usual “so – can you describe a situation in which you were the team leader”.
@rybolov
Your answers look good –
#1 – honestly, anything other than “linksys” or the name of the company is an improvement for essids. I do wonder about the hostname thing though 🙂
#2 – expresses interest in what’s new. I pointed out to Dave at RSA that it seemed there was a 2 year lag between the “hacker” conferences, RSA and SANS. What I saw demo’d 2 years ago at BH was a product at RSA this year and in 2 years will be a best practice from SANS. Choose where you want to be on the curve.
#3 – a perfectly sane response. It goes back to the simple question — who are the bad guys we’re trying to protect against. In most industries, you can’t actually *not* hire the bad guy — he’s smart enough to get hired as a clerk rather than a technologist. You focus on detection and compensation rather than fragile prevention controls.
#4 – I see that you’ve looked at NIST 800-61. Please go to the top of the class. Although, I’m going to have to dock you marks for not suggesting ddrescue (captures all blocks, does not fail when encountering bad block) – do it twice with the same technique – and use all of MD5, SHA-1, SHA-256 hashes… I don’t know of a co-collision between MD5 and SHA-1, but I know that I can build a MD5 collision and I know that we’re months away from self-generated SHA-1 collisions. Unfortunately, getting the police involved may prove difficult until and unless the issue is over (roughly) $500,000 worth of loss or ridiculously public. They have limited resources and catching/prosecuting successfully a child pornographer is a better resource spend than catching/prosecuting successfully a white collar criminal — it’s just economics — and frankly, as a member of society, I’d rather spend the money paying the guys who run forensics on child porn machines… I don’t care how much they make… it’s too little.
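The imaging-and-hashing routine from the reply above (image twice with ddrescue, hash each capture with MD5, SHA-1 and SHA-256, keep a chain-of-custody record), as an added example that is not part of the original post or its comments. The `-d` and `-r3` flags are GNU ddrescue’s own but the command is only built, not run; the sample disk is constructed in a temp directory, and the examiner/witness names are placeholders.

```python
"""Added example: two-pass imaging verified with MD5, SHA-1 and SHA-256."""
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

HASHES = ("md5", "sha1", "sha256")

def ddrescue_command(device, image, mapfile):
    # GNU ddrescue, one pass: -d direct reads, -r3 retries on bad sectors. Not run here.
    return ["ddrescue", "-d", "-r3", device, image, mapfile]

def multi_hash(path, chunk_size=1 << 20):
    # One read of the image feeds all three digests (no pass per algorithm).
    digests = {name: hashlib.new(name) for name in HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}

def custody_record(image, examiner, witness):
    # Chain-of-custody log entry: who imaged, who watched, when, and the digests.
    return {"image": os.path.basename(image), "bytes": os.path.getsize(image),
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner, "witness": witness, **multi_hash(image)}

def acquisitions_agree(first, second):
    # Every algorithm must match; otherwise re-acquire rather than trust either.
    a, b = multi_hash(first), multi_hash(second)
    return all(a[name] == b[name] for name in HASHES)

def demo():
    # Constructed stand-in for /dev/sdX: 256 KiB of a repeating byte pattern,
    # copied twice in place of two ddrescue runs, plus a tampered third copy.
    work = tempfile.mkdtemp()
    try:
        disk = os.path.join(work, "fake_disk.bin")
        with open(disk, "wb") as fh:
            fh.write(bytes(range(256)) * 1024)
        paths = [os.path.join(work, n) for n in ("pass1.dd", "pass2.dd", "bad.dd")]
        for p in paths:
            shutil.copyfile(disk, p)
        with open(paths[2], "r+b") as fh:
            fh.seek(4096)
            fh.write(b"\xff")  # a single changed byte must alter every digest
        return {"agree": acquisitions_agree(paths[0], paths[1]),
                "tampered_agree": acquisitions_agree(paths[0], paths[2]),
                "record": custody_record(paths[0], "examiner A", "HR witness B")}
    finally:
        shutil.rmtree(work)
```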
1/ What is the hostname of your computer / essid of your wifi
My hostname of my computer is halon. I love the stuff because I see myself as a fire suppressant.
My essid is none at the moment as I have turned off my WAP until I can throw it into a DMZ that will route directly past the rest of my gear to the internet. Right now I don’t need Wifi and thus am not willing to accept the risk. My house is wired from top to bottom with Cat V in the walls to wall plates where I just plug in. Just picked up a CISCO 1900 for the new core and will be taking the D-link offline for more advanced routing on my HOMELAN.
When, and if, I turn my WAP back on I don’t publish the essid and run in quiet mode. (Nice try at social engineering!) I also don’t use WEP as I run with WPA PSK. I use a 64 character alphanumerical pseudo-random generated key. I get this key from http://www.grc.com/password. Steve Gibson from SpinRite and ShieldsUP! fame says he has a very good generator. I like that the server just keeps spitting out keys all day and night with NO input from the user. I also love his podcasts for the morsels of good info. Leo (his counter on the show) I think tries to balance Steve out for the rest of the humans out there.
2/ Which infosec event/conference do you think is the *one* you need to attend each year
I feel like sh#t for never having gone to a Shmoocon when it was in my back yard. I just moved out west and there aren’t any big CONs in my town. However Vegas is a cheap flight away but with hotel and everything it would still cost a bunch to go to DEFCON. The local DC303 guys go there and to the CONs in the Bay Area. With money tight and no local CONs I’m on the fence. But to give you an idea of where I am at, I have let my ISSA membership lapse with no plans to renew.
3/ You’re doing a walk around and notice an iPod plugged into a laptop – what do you do
Sadly where I am at now, I can’t do anything, not even unplug that damn thing. Employees have flat out removable 250 GB hard drives attached to the issued laptop and copy files freely off Active Directory shares and then take those (portable) external hard drives out of the building with sensitive data. I’ve raised this issue only to have the “funding” card thrown in my face.
It comes down to one thing, priorities, and what the company feels it can get away with (aka cost based risk management). The sad truth of where we are at as information security professionals is being the defenders. We not only defend the organizations from external attacks but more frequently from the stupidity of the very employees that are on the inside.
Users of all rank, including executives who you would think would know better by now, have the expectation that they can do, no, should be able to do anything with no consequences. iTunes? Sure no problem! Forget how much bandwidth and system resources you are gobbling up! A former roommate of mine said that the impact of iTunes alone cost millions to resolve because users were storing downloaded content on mapped AD shares.
It gets worse for us when those very people who are doing so are the kids of the execs who run the company. Effectively what is the point of having a policy in place if “exceptions” are allowed to that policy? In critical cases yes exceptions are needed but all too often abused.
So I would not be so much worried about the iPod. The iPod is just the physical manifestation of larger problems such as a lack of security awareness, personnel training, lack of USB port security, and the need to audit the user’s account and system policies that allowed the user to connect the damn thing in the first place. (Note: I love my iPod but would never plug it into the network! One thing you missed is thumb drives?!?# What about those little buggers? I have two of those and together have about 6 gigs of space.)
4/ You’ve been asked by HR to take a copy of an outgoing employee’s computer – what do you do
First, what the H#ll is HR doing asking for that? In my mind the CISO, ISSO, CIO, CEO or someone way higher should be submitting that request in writing in conjunction with an active investigation. My standard practice once an employee is “outdocked” or “exit interviewed” under normal circumstances would be to immediately remove all rights and privileges. Then terminate all accounts, VPN and external RDP first!
This question shows, and more importantly speaks to, the greater issue that too many companies have of not breeding cultures of security from the ground up throughout the entire company. Where I am at now anyone can pretty much buy anything on their own and plug it in. And forget forensic capability! I really think we need to get back to square one with solid, and endorsed policies from the CEO (and/or Board), before we can start to go after people. Without that we don’t have a legal leg to stand on let alone funding for event management, HD capture, or even one or two folks to call the incident response team!
BTW – Just my two cents but tools are only part of a solution. I think that folks who claim to be infosec that push tools and thus push people onto the hamster wheel of pain are only glorified sales reps who don’t get it or are too ashamed to admit how little they know. I’ll come right out and admit what I don’t know and what I do.
How the h@ll am I supposed to grow if I think I know it all?
@Halon73
Good answers to the first two.
#3 – I think you’re missing the point. Let me try again. Why do you perceive that a group of fragile preventative fixes (disable USB, etc.) would be more or less useful than explaining to someone what the criminal charges for corporate espionage look like? Educate them, don’t squeeze them, make them your allies on the front lines.
#4 – I can see that you’re not used to large organizations. HR will come to the infosec staff with a question like that – usually with someone from legal in tow. Your boss may or may not be allowed to know details. Sometimes you can’t have it in writing. How’s your moral compass doing?
Agreed that tools are only a part of the problem. The real solution is education and integration. We’ll get there… but only if we’re perceived as key business partners… are you up for that?
#1 – hostname: unknown, literally “unknown” or “noname” or similar; essid: usually “Free Public WiFi” or “Free Internet Access” (special note: I never use 802.11a/b/g except using openciphers hardware during a vulnerability assessment)
#2 – 2006 – current: owasp; 1999 – 2005: toorcon; 1993 – 1998: defcon
#3 – hack the ipod firmware, load linux and python on the ipod, steal the memory from the laptop over firewire, run prtk accelerated with tableau against the memory dump, then root the laptop (sala’s if win, single user mode if linux/bsd/mac), dd the entire disk, prtk+tableau the disk image, and then reinstall it with centos 5 using grsecurity and madwifi patches, then see answer #1 usually performed at answer #2
#4 – see answer #3