101 IT Security Interview Questions
posted by John Spacey, January 11, 2013
The following IT security interview questions are at the architectural level. They may be of use for interviewing:
☑ Security Architects
☑ Security Specialists (e.g. Network Security Administrators)
☑ IT Executives
☑ Enterprise Architects
☑ IT Managers
☑ Solution Architects
The questions range greatly in difficulty and should be tailored to each role.
Basic Concepts
1. What is information security and how is it achieved?
2. What are the core principles of information security?
3. What is non-repudiation (as it applies to IT security)?
4. What is the relationship between information security and data availability?
5. What is a security policy and why do we need one?
6. What is the difference between logical and physical security? Can you give an example of both?
7. Is there an acceptable level of risk?
8. How do you measure risk? Can you give an example of a specific metric that measures information security risk?
9. Can you give me an example of risk trade-offs (e.g. risk vs cost)?
10. What are the most common types of attack that threaten enterprise data security?
11. What is the difference between a threat and a vulnerability?
12. Can you give me an example of common security vulnerabilities?
13. Are you familiar with any security management frameworks such as ISO/IEC 27002?
14. Can you briefly discuss the role of information security in each phase of the software development lifecycle?
15. Can you describe the role of security operations in the enterprise?
16. What is incident management?
17. What is business continuity management? How does it relate to security?
18. What is a security control?
19. What are the different types of security control?
20. Can you describe the information lifecycle? How do you ensure information security at each phase?
21. What is Information Security Governance?
22. What are your professional values? Why are professional ethics important in the information security field?
Security Audits and Testing
23. What is an IT security audit?
24. How do you test information security?
25. What is the difference between black box and white box penetration testing?
26. What is a vulnerability scan?
27. What is captured in a security assessment plan (security test plan)?
Access Control
28. What is the difference between authentication and authorization?
29. What types of information can be used for authentication?
30. What is role-based access control?
31. What is meant by the term "least privilege"?
32. What is two-factor authentication? Does it require special hardware?
Security Architecture
33. Why are open standards important to security solutions?
34. How do you balance demands from different stakeholders who have conflicting requirements?
35. What is layered security architecture? Is it a good approach? Why?
36. Have you designed security measures that span overlapping information domains? Can you give me a brief overview of the solution?
37. How do you ensure that a design anticipates human error?
38. How do you ensure that a design achieves regulatory compliance?
39. What is capability-based security? Have you incorporated this pattern into your designs? How?
40. Can you give me a few examples of security architecture requirements?
41. Who typically owns security architecture requirements and what stakeholders contribute?
42. What special security challenges does SOA present?
43. What security challenges do unified communications present?
44. Do you take a different approach to security architecture for a COTS vs a custom solution?
45. Have you architected a security solution that involved SaaS components? What challenges did you face?
46. Have you worked on a project in which stakeholders choose to accept identified security risks that worried you? How did you handle the situation?
Network
47. What is a firewall?
48. Besides firewalls, what other devices are used to enforce network boundaries?
49. What is the role of network boundaries in information security?
50. What does an intrusion detection system do? How does it do it?
51. What is a honeypot? What type of attack does it defend against?
52. What technologies and approaches are used to secure information and services deployed on cloud computing infrastructure?
53. What information security challenges are faced in a cloud computing environment?
54. How does packet filtering work?
55. Can you give me an overview of IP multicast?
56. Can you explain the difference between a packet-filtering firewall and an application-layer firewall?
57. What are the layers of the OSI model?
Security Leadership
58. How do you ensure that solution architects develop secure solutions?
59. What training do solution architects need to have in regards to IT security? What about developers?
60. How do you sell the value of IT security initiatives to executive management?
61. How do you ensure that a solution continues to be resilient in the face of evolving threats?
62. How do you avoid implementing overly complex or unnecessary security mechanisms?
63. Have you been involved with the governance of information security? What was your role? What did you accomplish?
64. Can you describe the laws and regulations that have a significant impact to information security at our organization?
65. What is the relationship between information security and privacy laws?
66. What is security level management?
67. How do you ensure that security management is transparent and measurable?
68. Can you outline the typical responsibilities of a Chief Security Officer (CSO)?
69. Can you give me an example of some emerging trends in information security that you're keeping an eye on?
Experience
70. Have you developed an incident response plan?
71. Have you been involved in supporting incident investigations? What was your role? What was the outcome?
72. Have you performed a risk analysis and evaluation? How did you go about it? What stakeholders did you involve?
73. Have you performed a threat assessment? What factors did you consider?
74. Have you performed a vulnerability assessment? What types of vulnerabilities are most difficult to identify?
75. In the context of a vulnerability assessment, how do you calculate the probability that a vulnerability will be exploited?
76. Can you give me an example of a time you identified and implemented controls to mitigate a risk? How did you evaluate the controls?
77. How do you stay up-to-date with technology? For example, how do you keep up with new information security threats?
Cryptography
78. How does the SSL/TLS protocol work?
79. What is the difference between symmetric-key cryptography and public-key cryptography?
80. Can you give me an overview of how public-key cryptography works?
81. What is the difference between the encryption standards AES and DES?
82. What is the role of digital certificates in encryption?
83. What encryption mechanisms would you recommend to an organization that wants to encrypt its outgoing emails?
84. Can you give me an overview of IPsec? What is its purpose?
85. Does IPsec replace the need for SSL?
Security Incident Management
86. What are the components of ITIL incident management?
87. If our organization experienced a major security incident, what steps should we take to manage the incident?
88. Can you describe the responsibilities of an incident manager?
Threats
89. In your opinion, what are the top five information security threats facing an organization such as ours?
90. What is a man-in-the-middle attack?
91. Can you give me an example of cross-site scripting?
92. What is SQL injection? How is it prevented?
93. What is a buffer overflow?
94. What is clickjacking?
Vulnerabilities
95. What is an insecure direct object reference? Why is it a problem?
96. Why is it important to validate redirects and forwards?
97. What are some common security vulnerabilities at the information storage level?
98. What are some common security vulnerabilities at the transport level?
99. How can improper error handling expose security vulnerabilities?
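Questions 92 (SQL injection) and 95 (insecure direct object reference) are the two in these lists that interviewers most often follow with "show me". The Python example below is added here for that purpose; it is not part of the original list. It puts both flaws in a single lookup routine and shows the hardened form beside it. The invoice table, the user names and the function names are constructed for the demo.

```python
"""Added example (not from the original page): a single record lookup that
is both SQL-injectable and an insecure direct object reference (IDOR),
beside the hardened version. All data below is constructed for the demo."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table of invoices owned by different users (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, owner, amount) VALUES (?, ?, ?)",
        [(1, "alice", 120), (2, "bob", 999), (3, "bob", 42)],
    )
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, current_user: str, invoice_id: str):
    """Deliberately insecure. The id arrives as a request string and is
    concatenated into the SQL text (injection), and current_user is never
    compared with the row's owner (IDOR): any authenticated user can read
    any invoice just by guessing its number."""
    sql = "SELECT id, owner, amount FROM invoices WHERE id = " + invoice_id
    return conn.execute(sql).fetchall()


def get_invoice_hardened(conn: sqlite3.Connection, current_user: str, invoice_id: str):
    """Hardened form. Three independent fixes:
    1. strict syntactic validation of the identifier (ASCII digits only,
       so Unicode digits and whitespace that int() would accept are rejected);
    2. a bound parameter, so the id can never be parsed as SQL;
    3. the ownership predicate lives in the query itself, so the database
       returns nothing for an id the caller does not own."""
    if not re.fullmatch(r"[0-9]{1,18}", invoice_id):
        return None
    row = conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (int(invoice_id), current_user),
    ).fetchone()
    return row  # None when the id is unknown or belongs to someone else


if __name__ == "__main__":
    db = make_db()
    # IDOR: alice asks for bob's invoice by number and gets it.
    print(get_invoice_vulnerable(db, "alice", "2"))         # [(2, 'bob', 999)]
    # SQL injection: a crafted "id" turns the WHERE clause into a tautology.
    print(get_invoice_vulnerable(db, "alice", "0 OR 1=1"))  # all three rows
    # Hardened lookups: cross-tenant read and injection both yield nothing.
    print(get_invoice_hardened(db, "alice", "2"))           # None
    print(get_invoice_hardened(db, "alice", "0 OR 1=1"))    # None
    print(get_invoice_hardened(db, "alice", "1"))           # (1, 'alice', 120)
```

The interview point worth drawing out is that parameterization alone fixes only question 92: a parameterized `WHERE id = ?` with no owner predicate is still a textbook IDOR. Authorization has to be expressed in terms of the caller, either in the query as here or in an explicit check on the returned row before it is released.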
Physical Security Integration
100. Can you give me a few examples of physical security integration?
101. What is social engineering? How common is it?
102. How would you secure an office environment? What about a data center?
This article is part of the ongoing series: how to win your next job.