Tuesday, October 28, 2008

Infosec Interview Questions (part II)

Back in March I posted an article laying out my premise for conducting interviews going forward. If, kind reader, you find this page before sitting down for an interview with me, please mention this article for brownie points. With that said, here are some questions, along with the Bloom's taxonomy reasoning applied to them in order to pinpoint an individual's level of skill.

  • What's the Syntax to [scp|xcopy|robocopy|md5|net]?
  • Where do you get your infosec news from?
  • Please list the 7 layers of the OSI model.
  • What is the goal of infosec within a company such as this?
  • What's the difference between a risk and a threat?
  • Which layer in the OSI model do you care about most as a security analyst? Why?
  • Please describe the methodology/model for [incident response|e-discovery|forensics|network analysis|vulnerability management].
  • Hand over a printout of a series of characters; have the individual create a regex based on a set requirement.
  • Scenario: a DNS request is made, 10 RRs are returned, and the TTL is < 300; what does this suggest?


  • At the deepest technical level, describe how [802.11b|dns|kerberos|a network tap|a dll|a hard disk] works. Please point out security weaknesses or implications as you go.
  • Where do you think security will be in 5 years as a [practice|industry|concept]?
  • Any sort of role-play interaction.
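The DNS scenario above (many resource records in one answer, all with a short TTL) is the kind of question that rewards an analyst who knows what to measure next. The following is an added example, not code from the original post: it takes a constructed answer section (the hostnames and addresses are made up, drawn from documentation ranges), flags record sets matching the scenario, and records the two follow-up measurements an analyst would want before deciding what the pattern suggests, namely how many distinct networks the addresses span and how much the address set churns between successive queries.

```python
"""Heuristic check for a DNS answer with many RRs and a short TTL.

Added example for the interview scenario above; the sample answers are
constructed, not captured from a real resolver.
"""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ResourceRecord:
    name: str    # owner name
    rtype: str   # "A", "AAAA", "CNAME", ...
    ttl: int     # seconds
    rdata: str   # address or other record data


def _network_key(address: str) -> str:
    """Coarse /24 key for IPv4 rdata; non-IPv4 data is returned unchanged."""
    parts = address.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return ".".join(parts[:3]) + ".0/24"
    return address


def analyze_answer(records: Iterable[ResourceRecord],
                   rr_threshold: int = 10,
                   ttl_threshold: int = 300) -> Dict[Tuple[str, str], dict]:
    """Group records by (name, type) and report, per set, the record count,
    the largest TTL, whether the set matches the scenario (at least
    rr_threshold records, every TTL below ttl_threshold), and how many
    distinct /24 networks the addresses fall into."""
    groups: Dict[Tuple[str, str], List[ResourceRecord]] = defaultdict(list)
    for rr in records:
        groups[(rr.name, rr.rtype)].append(rr)

    findings: Dict[Tuple[str, str], dict] = {}
    for key, rrs in groups.items():
        ttls = [rr.ttl for rr in rrs]
        findings[key] = {
            "rr_count": len(rrs),
            "max_ttl": max(ttls),
            "matches_scenario": len(rrs) >= rr_threshold and max(ttls) < ttl_threshold,
            "distinct_networks": len({_network_key(rr.rdata) for rr in rrs}),
        }
    return findings


def churn(previous: Iterable[ResourceRecord], current: Iterable[ResourceRecord]) -> float:
    """Fraction of the current rdata set that was absent from the previous
    answer for the same name/type: 0.0 means a stable set, 1.0 means the
    whole set was replaced between the two queries."""
    prev = {rr.rdata for rr in previous}
    curr = {rr.rdata for rr in current}
    if not curr:
        return 0.0
    return len(curr - prev) / len(curr)


# Constructed sample answers (documentation address ranges, not real captures).
FIRST_ANSWER = [ResourceRecord("www.example.test", "A", 120, f"203.0.113.{i}")
                for i in range(1, 11)]
SECOND_ANSWER = [ResourceRecord("www.example.test", "A", 120, f"198.51.100.{i}")
                 for i in range(1, 11)]
QUIET_ANSWER = [ResourceRecord("mail.example.test", "A", 3600, "192.0.2.10"),
                ResourceRecord("mail.example.test", "A", 3600, "192.0.2.11")]

if __name__ == "__main__":
    for key, finding in analyze_answer(FIRST_ANSWER + QUIET_ANSWER).items():
        print(key, finding)
    print("churn between successive answers:", churn(FIRST_ANSWER, SECOND_ANSWER))
```

In a live investigation the two answers would come from queries spaced a TTL apart; a set that stays within one or two networks and barely changes looks like ordinary round-robin or CDN behaviour, while a set that turns over completely on every query is the thing worth explaining to the interviewer.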

It should be reiterated that these are a subset of questions to determine security knowledge; they should be combined with other probing questions on ethics, personality, workmanship, etc.

Tuesday, October 14, 2008

My SIRT Taxonomy

I have a three-day course on SIRT starting tomorrow. I went ahead and created my own braindump of the SIRT process breakdown, covering what's critical to an organization-wide SIRT team. Some of this I've had in my notes for a while; the rest is off the top of my head.
At the top of the hierarchy is "Response Program". That breaks down into roughly six components, depending on how you slice it. Those are, in no specific order: Training & Awareness, Evidence Retention & Documentation, Management & Committee, Response, Detect, Escalate & Communicate. Let's break it down further:

Training & Awareness. Three components: Training of the staff to understand their part in these six components. Communication Campaigns in order to keep these individuals up to speed on changes, training, or simply to keep awareness high. Finally, Drills on a consistent basis. These drills may be paper-based, table top, or live fire.

Evidence Retention & Documentation. This includes a process for keeping Chain of Custody (and its verification) as well as other Evidence Handling procedures such as storage or destruction. Finally, any documentation that must exist to satisfy regulations, laws, audits, etc. that need to be completed. Indeed, an audit of such procedures should be done on a regular basis to verify conformance with the procedure as well as best practice.

Management and/or Committee. The designation of organization-wide members who are responsible for three items: providing the overall leadership and direction of the SIRT capabilities; governance or oversight to ensure such capabilities are mature, capable, practiced and ready when necessary; and finally the ability to grant the authority necessary for a SIRT to do what is needed in the face of both certain and uncertain times.

Response. I see response as containing three key components (as outlined in NIST 800-61) which include containing a threat, eradicating the threat (and mitigation of vulnerabilities to prevent it in the future) as well as recovery into normal operations and further monitoring controls to confirm the threat has indeed been eradicated.

Detect. I keep the Detect component separate from the Response component; this is probably personal preference, but I believe it allows for more accountability and focus on making sure all detection capabilities are in place. Detect focuses on processes targeted at the Identification, Validation, and Escalation of an event into an incident.

Escalate & Communicate. Three key areas: Triage/escalation protocols, contact lists, and definition of roles.

I'll add to and subtract from these thoughts in follow-up posts after I complete the course.