Cybersecurity Interviews
Cybersecurity Interviews Series Part l
I’m bringing back the interview series.
If you’ve read my previous writing on this topic, you’ll know that I’ve mentioned there’s not really a LeetCode or HackerRank equivalent for Cybersecurity interviews to prep with. Meaning, there’s not really a site that has resources earmarked for potential interviewing candidates.
Now, this is not saying Software Engineering interviews are easier or less daunting, simply pointing out the fact that the resources available are currently not at parity.
There is a collection of knowledge out there that we can use to help us be prepared for Security interviews in the field, it’s just a bit more disjointed.
Combine that with a tough job market, makes it imperative to have a plan and be prepared.
Here we will go over what could be asked on an interview for a Security Operations or Detection & Response role (not meant to be exhaustive)
I will give a brief possible response for each and leave room for you to fill in the rest.
Note: This is meant to be a guide for Security Interviews but NOT a replacement for individual research and preparation.
Now, let’s get into it.
Explain the difference in a vulnerability, risk and threat.
What you want to do here is define each and then give examples for each. Diving in on any follow up questions.
In a nutshell these 3 concepts and principles can be outlined as the following.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat.
Risk: the level of adverse impact on operations, company assets, or individuals resulting from the impact of a threat and the likelihood of that threat occurring.
(src: NIST)
Threat: Any circumstance or event with the potential to adversely impact operations, assets, or individuals, through unauthorized access, destruction, modification, or disclosure of information.
This also can be summed up through the story of the 3 little pigs. More on that here.
Explain 2FA.
Two-factor authentication (2FA), also known as multi-factor authentication (MFA) is an extra layer of security used to ensure that people trying to gain access to an online account are who they say they are.
Being able to explain Multi-factor authentication, and which options are stronger than others is what you would need for a question like this.
For example…
First, a user will enter their username and password.
Then, they will provide another piece of information. (something they know, something they have, or something they are).
You would then give examples of 2FA and why certain 2nd factors are stronger.
Explain the AAA Framework
We’re not talking insurance here.
AAA within Cybersecurity stands for Authentication, Authorization, and Accounting. These work together to control access to data.
In an interview, you would outline the AAA framework, and give use cases for each.
Authentication: Authentication (AuthN) involves a user providing information about who they are, i.e. users present login credentials that state they are who they claim.
Use Case: MFA
Authorization: Authorization (AuthZ) follows authentication. During authorization, a user can be granted privileges to access certain areas of a network or system via access control lists (ACL’s).
Use Case: ACL’s
Accounting: Accounting keeps track of user activity while users are logged in to a network by tracking information such as their session length, their IP address, and the different services they accessed.
Use Case: SSO Logs
Another question that will test depth of knowledge here could be on how to implement all of these together.
Analogy
This concept can be summed up with an analogy of getting into a venue or a club.
For example, say you are looking to get into an exclusive venue. You dressed up nice, you get the idea.
You wait in line to get let in, and finally reach the front of the line. The security bouncer asks for your ID. This is authentication. To prove you are who you say you are.
From here, the bouncer either lets you in or not based off of a list or some other criteria. You are granted certain privileges, such as entering the venue. Even then, there might be certain areas that are restricted access.
This is authorization.
Finally, there are security cameras at the entrance door, and several inside.
This is Accounting. Certain user activity is logged, such as timestamps of entering and exiting the venue.
This framework and mental model of thinking within Cybersecurity: Authentication, Authorization, and Accounting is paramount to think big picture, and from there be able to zoom into the details.
Following the analogy, having Single-Sign On setup through an Identity Provider allows users to login, this is authentication, A.K.A. authN.
Having ACLs for different groups, and posture checks allows for granular access control. This is authorization, A.K.A authZ.
Having logging setup for critical systems and flowing in some centralized manner, allows for an audit trail and tools for investigation if needed.
This is accounting.
What is the CIA triad?
The three letters in "CIA triad" stand for Confidentiality, Integrity, and Availability.
For this concept, you would outline the definition of the CIA triad, explain each, and give a use case for each.
The CIA triad is a commonly used framework that forms the basis for the development of security systems.
Confidentiality: Confidentiality involves the efforts to ensure data is kept private. Ensuring that people without proper authorization are prevented from accessing important assets.
Use Case: encryption at rest.
Integrity: Data integrity means ensuring your data is trustworthy and free from tampering. The integrity is maintained only if the data is authentic and in its original state.
Use Case: hashing.
Availability: Systems, networks, and applications must function as they’re intended to. Individuals with access to information must be able to access it when they need to.
Use Case: S3 Backups, DNS.
How would you use MITRE ATT&CK?
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. This knowledge base is used as a foundation for the development of threat models and methodologies in the private sector, government, and in the Cybersecurity community.
For what it’s worth, it is the de facto standard used at tech companies.
(MITRE ATT&CK)
Of course there are other frameworks that can be used, but we’re going with this for the purposes of the interview scenario.
This is the MITRE ATT&CK color coded to show a heatmap for progress in alert coverage. Fun fact: I’ve worked on projects around this, and will probably write a future post on this.
Another cool thing about this is that they have matrixes for every OS, Mobile OS, most Cloud providers, and are constantly staying up to date with the advances of Cybersecurity.
There’s also MITRE D3fend for countermeasures to attacks.
You will want to be familiar with MITRE ATT&CK and how you would use it on the job.
Do you have any projects that we can reference?
If you have any projects to show, ensure you prep discussing this before the interview.
This is where you can show your Github, the blog you’re writing, or personal portfolio website. Ideas for this could be
your documentation learning a new tool
talking about your home lab
your CTF write-ups
The main objective here is to have somewhere people can reference your work and your learnings, basically “showing your work” back in Math class.
Having something here will definitely look good to potential employers as it shows you are putting in the work behind the scenes. It’s walking the walk.
Conclusion
I know preparing for an interview can be a daunting task, but having a clear understanding of fundamental concepts such as the ones outlined above will help in landing that opportunity.
These are just some of the questions you can be asked in a Cybersecurity interview, geared towards Security Operations roles.
In a future post, we will go over scenarios in depth that can be covered in interviews, including technical interviews.
See you in the next one.
Great post as always. Thanks