Information Security Interview Questions

Hopefully, this is constructive criticism...<p>&quot;What port does ping work over?&quot;<p>Seriously, don&#x27;t ask trick questions in interviews. You put the candidate in the impossible position of having to correct the interviewer, and the reaction to that tells you absolutely nothing about what the candidate knows or will do in a real-world situation.<p>&quot;at least access to one, even if it&#x27;s not at home.&quot;<p>And yet, this candidate will often simply answer &quot;None&quot; because you didn&#x27;t ask about access to a network, even if the candidate maintains multiple complex networks at family members&#x27; homes.<p>&quot;Are open-source projects more or less secure than proprietary ones?&quot;<p>Don&#x27;t ask yes&#x2F;no questions if what you really want are pros and cons. Ask for pros and cons instead. Interviewing shouldn&#x27;t involve mindreading. A lot of people will respond to a question like this by stating a thesis and then defending that thesis.<p>A lot of your questions have that problem. You&#x27;re asking specific things, hoping that the interviewee will catch on and give you general answers. That seems to be testing interview skills more than anything else.

These are not IS questions, they are ITS questions. There is a very serious difference between the two.<p>ITS without IS governance, policy, and management is worthless. It is chasing <i>ménaces du jour</i>, not actually managing security.<p>Were I interviewing someone for a serious and senior IS role, I would start with social questions, asking them to describe what organizations they consider to be the most threatening in general and to businesses in my country and field specifically, and why.<p>I would describe (hypothetically, without saying so) an organization like mine (but different enough to give away little), its flaws and concerns, and ask them how they would address those flaws.<p>Were I to hire that senior IS person, I would let them build an IS organization, which would include an ITS component.<p>Without policy, governance, and management, you do not have security, you have techno farce - and your organization will remain perpetually reactive, never really knowing how secure it is, never really being able to assess risk reasonably.

&quot;Encoding is designed to protect the integrity of data as it crosses networks and systems&quot;<p>Your blog entry has encoding problem. Indeed, it protects me from reading it.

&quot;How would you implement a secure login field on a high traffic website where performance is a consideration?&quot; .... &quot;wanting to serve the front page in HTTP, while needing to present the login form via HTTPs&quot;<p>Maybe. There will still be a link on the HTTP page that takes you to a HTTPS page with a login form. Someone with MITM access could alter that link. A better way would be to serve all pages via HTTPS

Is it really true that you should compress before you encrypt? IT seems to me that the encrypted message should have the same amount of &quot;information entropy&quot; as the original message, so it should compress equally well.

This stuff is basically at the CISSP CBK level, i.e. essentially worthless except as screening questions. Maybe it&#x27;s ok as a baseline, but you really want something deeper and more relevant to your specific position.

&quot;Encoding is designed to protect the integrity of data as it crosses networks and systems&quot;<p>What?