Interview Questions

Question 1

General guidelines for password hygiene and recommendations: what makes a password strong, how can we estimate the complexity of the password

Answer 1

Minimum length of the passwords should be enforced by the application. Passwords shorter than 8 characters are considered to be weak (NIST)
Complexity - different types of characters, length

Password entropy is a measure of the strength and randomness of a password. It quantifies the number of possible combinations and the level of unpredictability of the characters used in a password. To calculate password entropy, you can follow these general steps:

Determine the character set: Start by identifying the character set used in the password. It typically includes uppercase letters, lowercase letters, digits, and special characters. Assign a value to each character set.

Count the number of possible characters: Calculate the total number of characters in the character set. For example, if the character set includes 26 uppercase letters, 26 lowercase letters, 10 digits, and 32 special characters, the total number of possible characters would be 26 + 26 + 10 + 32 = 94.

Calculate the password length: Determine the length of the password. The longer the password, the higher the entropy.

Compute the entropy: The formula to calculate password entropy is typically:

Entropy = log2(number of possible characters) * password length

The log2 function ensures that the entropy is measured in bits, which is the most common unit for measuring entropy.

For example, let’s say you have a password that consists of 10 characters randomly chosen from a character set of 94 possible characters. The entropy calculation would be:

Entropy = log2(94) * 10 ≈ 6.55 * 10 ≈ 65.5 bits

A higher entropy value indicates a stronger and more secure password, as it implies a larger search space for an attacker trying to guess the password through brute force or other methods. It is generally recommended to use passwords with high entropy to enhance security.

Question 2

How do you stay up to date with industry trends and modern research in one of the fastest evolving technical fields(cybersecurity) that exists?

Answer 2

Hackernews
SANS Newsbites
This Week in Security by Zach Whittiker
Anonymous sub-reddit

Question 3

Can you talk about a technically challenging project you worked on?

Answer 3

Abuse Filters (still used at DigitalOcean)
Onfido (first major project, customer-facing)
Security Scorecard

Question 4

What is the difference between a threat, a vulnerability, and a risk?

Answer 4

Threat = a type of danger manifested in a threat actor
Vulnerability = weakness in hardware, software, personnel or procedures, which may be exploited by threat actors in order to achieve their goals.

Risk = threat x vulnerability. How likely a threat agent is to successfully exploit a vulnerability.

Question 5

How do you keep your data protected?

Answer 5

Strong passwords
Two-factor authentication
Full-disk encryption
Limit IoT devices - basically are weak endpoints and collect and sell your data
Google home
Alexa
Cloud flare WARP
Use a VPN - I have my own self-hosted VPN on DigitalOcean
Disable password login
Disable root access via SSH
Created a new user - to not have to login as root
Set up a firewall using ufw
Allow ssh only from certain ip addresses

Question 6

Can you talk about the SolarWinds attack?

Answer 6

This was a supply chain attack that also was a part of the breach that affected FireEye where some of their hacking tools were stolen as part of a sophisticated attack. It also affected major government organizations and companies. The hacker group is believed to be affiliated with the Russian government.
The attacker compromised the infrastructure of SolarWinds. They produce a network and applications monitoring platform called Orion. They then used their access to produce and distribute trojanized updates to the software’s users.

Question 7

How do you prevent supply chain attacks?

Answer 7

Assess Risk Beforehand:

Assess your third party providers
Have them fill out a security questionnaire

Preventative:
Set up monitoring for the service
Include the supply chain in incident response plans
Threat modeling
Asset management
Least privilege - zero trust

Acting if there is a Vuln:
Patching
Be aware of vulnerabilities that come out

Question 8

What are your first three steps when securing a Linux server?

Answer 8

1. Update your server. apt-get update. Any old vulnerable packages will get updated.
2. Disable root access via SSH.
3. Enable firewall - ufw
4. Install fail2ban - Fail2ban is an application that examines server logs looking for repeated or automated attacks.

Question 9

Are open-source projects more or less secure than proprietary ones?

Answer 9

It depends.
How often is the open-source project kept up-to-date? Who’s worked on it? What are the backgrounds of the people who have worked on it?

There’s no real way to know. Insecure apps have been made that have been open-source and proprietary.

No security in obscurity.

Question 10

What kind of systems do you have at home or in the cloud to tinker with?

Answer 10

Pwngatchi
Flipper Zero
My own self-hosted VPN in DigitalOcean

Question 11

What are the advantages offered by bug bounty programs over normal testing practices?

Answer 11

Many sets of eyes looking at your systems.
Continuous testing as opposed to quarterly or semi-annually.

Question 12

What do you think about BYOD (bring your own device)?

Answer 12

Have an endpoint management system. Like Google at Cloudflare - password complexity requirements, auto-update, etc.

Question 13

What is a side-channel attack (Spectre and Meltdown)?

Answer 13

Is an attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is implemented, rather than flaws in the design of the protocol or algorithm itself.
For example, timing information, power consumption, sound, etc.
A cache side-channel attack works by monitoring security critical operations such as AES T-table entry or modular exponentiation or multiplication or memory accesses. The attacker can then recover the secret key depending on the accesses made or not made by the victon, which allows them to deduce the encryption key. It does not create a fault in the ongoing cryptographic operation and is invisible to the victim.
Meltdown and Spectre were two CPU vulnerabilities in 2017. They used cache based side channel to allow an attacker to leak memory contents of other processes and the operating system itself.

Question 14

How do you protect your home wireless access point?

Answer 14

1. Change the default credentials.
2. Use strong encryption - WPA2 or WPA3
3. Set a strong Wi-Fi- password.
4. Change the network name - makes it harder for attackers to determine what type of router you have.
5. Disable remote management
6. Keep router firmware up-to-date
7. Enable a firewall - built-in
8. Enable MAC address filtering
9. Disable guest network if not needed
10. 1.1.1.1 - DNS Resolver. Supports DNSSEC. Does not track user’s DNS records unlike ISPs.

Question 15

How do you convince developers when they refuse to accept your security recommendations? How do you reach common ground?

Answer 15

SLAs
Escalation
Compromise
Help them out - come up with a solution
Tickets
Explain the risk

Question 16

What is an airgap?

Answer 16

An airgap is a physical or logical separation between systems/networks. It helps to prevent unauthorized access or data transfer between systems.

Physical isolation - no direct connection. Used for highly secure environments.
Logical Separation - the systems may exist on the same physical infrastructure but are separated by security mechanisms such as firewalls, network segmentation, or virtualization.

Bypass - removable media. Exploiting vulnerabilities in connected systems.

Question 17

Kubernetes Security

Answer 17

Use TLS for all API traffic
Set up authentication for the API. Use a simple certificate or bearer token. Or use an OIDC or LDAP server to divide users into groups.
Authenticate clients for the API via certificates or use service users.
Set up RBAC according to least privilege.
Enable kubelet authentication. By default kubelets do not need to auth into the API endpoints.
Set resource limits.
Set pod security policies to limit what privileges containers run with.
Restrict access to etcd. This is the equivalent to acquiring root access.
Enable audit logging.
Encrypt secrets at rest (the resources in etcd).
Restrict cloud metadata access. By default these are accessible by pods running on an instance.
Restrict network access like per node firewalls
Control network access to sensitive ports

Use namespaces to isolate resources

Use only authorized images in your environment
- use a container registry and vulnerability scanner
- once the image is built, scan it for vulnerabilities
- use distro-less images (contain less packages compared to other images)

Question 18

What are your favorite security assessment tools?

Answer 18

Kali Linux
Metasploit
Nmap
Directory enumeration tools
Burp Suite

Question 19

What is SIEM and how does it work?

Answer 19

SIEM stands for Security Information and Event Management. It provides real-time analysis of alerts generated by applications and network hardware. The SIEM matches events against rules and analytics engines and indexes to detect and analyze advanced threats using globally gathered data. Provides a track record of activity within their IT environment by providing data analysis, event correlation, aggregation, reporting and log management.
Custom dashboards
Integration with other products
Collects logs from other applications, devices, and brings it into a centralized platform. It then sorts the data into categories like failed login or malware. It generates an alert if it identifies a threat.
Data aggregation: gathering vast amounts of data from various applications and databases into one place.
Data normalization: SIEM allows for all the disparate data to be compared, correlated and analyzed.
Data analysis/security event correlation: Determining potential signs of a data breach, threat, attack or vulnerability.

Question 20

How do you prevent DNS spoofing and how do you secure a DNS?

Answer 20

This is a type of attack that diverts traffic away from legitimate servers towards fake ones.
How DNS lookup works:
Your browser and OS attempt to recall the IP address attached to the domain name. If visited previously, the IP address can be recalled from the local cache.
If the destination IP is unknown, the process continues.
The OS queries the resolving name server for IP addresses. The query starts the search through a chain of servers to find the matching IP for the domain.
The resolver will find and deliver the IP address to the OS, which passes it back to the web browser.
DNS Spoofing is when a threat mimics legitimate server destinations to redirect a domain’s traffic. Victims will end up on malicious sites.

Exploitation:
DNS server hijack - attacker reconfigures the server to direct all requesting users to a malicious site. Once a fraudulent DNS entry is injected onto the DNS server, any IP request for the spoofed domain will result in the fake site.
Spam - users click on emails that infect your computer and poison your DNS cache

Question 21

What is a VPN?

Answer 21

VPN stands for Virtual Private Network. It is used to create a safe and encrypted connection. When you use a VPN, the data from the client is sent to a point in the VPN where it is encrypted and then sent through the internet to another point. At this point, the data is decrypted and sent to the server. When the server sends a response, the response is sent to a point in the VPN where it is encrypted and this encrypted data is sent to another point in the VPN where it is decrypted. And finally, the decrypted data is sent to the client. The whole point of using a VPN is to ensure encrypted data transfer.

Question 22

What is endpoint security?

Answer 22

An endpoint is any device that connects to the corporate network from outside its firewall.
Anti-virus
EDR
Threat Hunting
Endpoint Configuration Management

Question 23

Explain SAST vs DAST.

Answer 23

A SAST scan scans source code. It takes a look at the code and looks for vulnerable code.
A DAST scan acts against an application like a web application. It crawls the application, and tries various inputs/requests against the application to see if it can exploit the application. It attempts to try exploits against the application.

Question 24

What is code signing?

Answer 24

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process uses a cryptographic hash to validate authenticity and integrity.

Question 25

Forgot password system

Answer 25

1. use url tokens for simplest and fastest solution
   - single use and expire
   - stored securely
   - randomly generated
   - passed in the url query string
   - send via email
2. bruteforce protection
   - CAPTCHA
3. Send the user a pin

Question 26

Network Segmentation

Answer 26

1. Frontend
   - balancer
   - application layer firewall
   - web server
   - cache
2. Middleware
   - web applications that implement the logic of the information system
   - authorization services
   - analytics
   - message queues
   - stream processing platform
3. Backend
   - database
   - LDAP directory
   - file server
   - storage of cryptographic keys