Cybersecurity Interview Series
Security Operations Interviews
There is not really a LeetCode or HackerRank equivalent for Cybersecurity interviews to prep with.
However, there is a collection of knowledge out there that we can use to help us be prepared for interviews in this field.
Below we will go over what could be on an interview for a Security Operations role (not meant to be exhaustive).
I will give a brief possible response on each and leave room for you to fill in the rest. This is meant to be a guide for Security Interviews but not a replacement for researching and preparation.
Explain the difference in a vulnerability, risk and threat.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat.
Threat: Any circumstance or event with the potential to adversely impact operations, assets, or individuals, through a system via unauthorized access, destruction, disclosure, modification of information.
Risk: the level of adverse impact on operations, company assets, or individuals resulting from the impact of a threat and the likelihood of that threat occurring.
(src: NIST)
This can also be summed up through the story of the 3 little pigs. More on that later..
Do you have any projects that we can reference?
If you have any projects to show, ensure you prep it before the interview.
This is where you can show your Github, blog you’re writing, or personal portfolio website. Having something here will definitely look good to potential employers as it shows you are putting in some work behind the scenes.
Explain 2FA.
Two-factor authentication (2FA) is an extra layer of security used to ensure that people trying to gain access to an online account are who they say they are.
First, a user will enter their username and a password. Then, they will be required to provide another piece of information. (something they know, something they have, or something they are).
Give examples of 2FA and why certain 2nd factors are stronger than others.
Could you share some endpoint security tool categories?
AntiVirus
EDR
DLP
Be prepared to explain each of these above.
What is the CIA triad?
The three letters in "CIA triad" stand for Confidentiality, Integrity, and Availability. The CIA triad is a commonly used model that forms the basis for the development of security systems.
Confidentiality: Confidentiality involves the efforts to ensure data is kept secret or private. A key component of maintaining confidentiality is ensuring that people without proper authorization are prevented from accessing important assets. Use Case: encryption at rest.
Integrity: Integrity involves making sure your data is trustworthy and free from tampering. The integrity of your data is maintained only if the data is authentic and accurate. Use Case: hashing.
Availability: Systems, networks, and applications must function as they should and when they should. Individuals with access to specific information must be able to access it when they need to.
Use Case: S3 Backups.
What is AAA?
We’re not talking insurance here.
AAA within Cybersecurity stands for Authentication, Authorization, and Accounting.
Authentication: Authentication involves a user providing information about who they are. Users present login credentials that affirm they are who they claim.
Authorization: Authorization follows authentication. During authorization, a user can be granted privileges to access certain areas of a network or system.
Accounting: Accounting keeps track of user activity while users are logged in to a network by tracking information such as how long they were logged in, their IP address, and the different services they accessed. (Fortinet)
This concept can be summed up with an analogy of getting into a venue or a club. More on that later..
What is MITRE ATT&CK?
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. This knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and in the cybersecurity product and service community.
For what it’s worth, it is the de facto standard used at tech companies.
(MITRE ATT&CK)
Now this is the MITRE ATT&CK color coded to show a heatmap for progress in alert coverage.
You can see the level of detail MITRE provides into an attack landscape
What is the Cyber Kill Chain?
Developed by Lockheed Martin, the Cyber Kill Chain® framework is a model for the identification and prevention of cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.
The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures. (Lockheed Martin)
The differences between the two go greater than this and will get a future post.
What is SIEM?
Security information and event management (SIEM) is a security solution that provides the real time logging of events in an environment. The actual purpose for event logging is to detect security threats.
SIEM products have a number of features. The ones that interest SOC, DART and SecOps folks are: filtering the data that they collect and ability to create alerts for any suspicious events. (LetsDefend)
We know preparing for a security operations interview can be a daunting task, but having a clear understanding of fundamental concepts such as the ones outlined above will help in landing that opportunity.
These are just some questions you can be asked in a Cybersecurity interview, geared towards Security Operations roles. In a future post, we will go over scenarios in depth that can be covered in interviews. These will be more geared towards mid-level roles.
For the next issue, we will discuss some of the above mentioned concepts and dive deeper with examples we already know.