4 Interview Questions for Security Analysts

Recent data breaches involving Target, Michael’s and Neiman Marcus are adding fuel to the fire for security analysts.

Dice Interview Qs IconBut that doesn’t mean job interviews are easy. As a security leader with an impressive list of certifications, David O’Berry expects analysts to know the ins and outs of networking and operating systems. He also looks for resourceful professionals who use their insatiable curiosity to stay one step ahead of hackers and cybercrooks.

“I don’t need someone to check off items on a to-do list or sit on the sidelines,” says O’Berry, worldwide technical strategist for security software provider McAfee. “I don’t care whether they’re 65 or a 14 year-old-rock star. I need someone who can think outside the box.”

We asked O’Berry to share some of the questions he asks during job interviews.

What’s the most interesting project you’ve worked on in the last six months?

  • What Most People Say: “I worked on a biometric authentication project which helped me expand my foundational skill set.”
  • What You Should Say: “I analyzed the effectiveness of a biometric-based remote user authentication scheme using smart cards. Using a range of assumptions, my analysis revealed weaknesses that would allow hackers to intercept messages between the user and the server or thwart security schemes. I recommended enhancements that remedied most of the issues. The project was groundbreaking because it elevated everything we did as an organization.”
  • Why You Should Say It: It paints a picture for the interviewer and highlights your analytical prowess by walking them though every step in the analysis process, O’Berry says. If you need to improve your story-telling skills, he recommends Peter Gruber’s book Tell to Win.

Explain the difference between local and network authentication and walk me through the authentication process.

  • What Most People Say: “I’m not sure what the differences are, but I know there’s a file that authenticates the user name and password when someone logs on.”
  • What You Should Say: “A database authenticates the user’s name and password when they aren’t connecting to a network. A Windows network uses active directory authentication. Let me walk you through the steps in the process, including the use of SAML, X.500 directory service and its components.”
  • Why You Should Say It: To identify vulnerabilities, a security analyst must understand each step in the authentication process, how it manages identities and unites distributed resources.

“I want to see how far you can go in describing the start-up process,” O’Berry says. “Competent analysts don’t use buzzwords. They demonstrate an in-depth understanding of each step, each mechanism and object as well as the authentication framework.”

Without using semantics, tell me how a computer boots up.

  • What Most Candidates Say: “You push the button and a splash screen pops up.”
  • What You Should Say: “Here’s an overview of the chain of events and the tasks that are carried out during a general booting sequence. When you hit the power button, the CPU pins are reset and registers are set to specific value. Then, the CPU jumps to address of BIOS (0xFFFF0),” etc.
  • Why You Should Say It: Security analysts need to understand computers and networking to find their vulnerabilities. O’Berry says he won’t hire anyone who can’t describe the chain of events that takes place behind the logo of Windows XP/Vista/7 or Linux.

We’re looking to implement a new security event manager. Describe your approach.

  • What Most Candidates Say: “I would review logs to spot anomalies that could be problematic.”
  • What You Should Say: “Since the heart of security information and event management is correlation, I would conduct high-performance, real-time analysis and multi-dimensional correlation by creating a procedure to pull disparate streams of information into the event manager.”
  • Why You Should Say It: It’s impossible to review logs in a large organization, according to O’Berry. The preferred answer exhibits the fundamental skills and outside-the-box thinking he’s looking for.

Comments

  1. BY Darian Dunn says:

    These are interesting questions. I am an out of the box problem solver, but I would fail these questions. I also wouldn’t want the person who can answer these questions.

    1. I can’t talk about the most interesting projects I have worked on in the last 6 months. I signed a non-disclosure agreement. I can tell you about the normal stuff. I can tell you about the boring meetings, but the interesting stuff. No, that is off limits.
    2. This isn’t a bad question. It will definitely separate the idiots from the techs. Although I can describe the benefits negatives, I would fail this question at a technical level because I haven’t looked at the differences between Windows and x.500 in a while.
    3. If you have been working with this recently, this would be a great question. For those of us who haven’t been fixing machine which refuse to boot or trying to stick a wedge in to hack a system….
    4. This is actually a very good question, but I disagree with the answer. The first thing I want to know is, how many clients? Then, how much data from each client? Then how long do we need to keep it (company policy, compliance requirements)? Do we have a 24×7 help desk? We will tie it into our IDS/IPS? We will properly size the SAN. We will pick a product and procure it through your procurement process. We will setup the alerts. I will move on to other projects and answer questions from the 24×7 help desk techs.

    I find I get the best candidates with a different set of questions.
    1. Tell me about yourself? This tells me so much about a person.
    2. Tell me how you learn? Hands on, Book, Audio,…..something else?
    3. Then I pick something I know from the resume and I ask a couple questions about it. I may do this on several items. This separates the liars and the people who know what to put on the resume from those that can do the work.
    4. If the position has a specific tool or technology I will ask about this. This is actually the least important question. I assume if I have someone with a good personality and the ability to learn, knowledge of the specific app/product isn’t important. They will learn it. Do the job and we will move on to the next project/product.

Post a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>