1. Tell me what salting is, and why it is used.

You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.

2. Explain the difference between a threat, a vulnerability, and a risk.

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.

3. Please explain your experience with developing business metrics.

Keep your response brief, like you would for “Tell me about yourself,” but outline important experience you've had in this area.

By keeping your response brief, you open up the conversation to become more of a dialogue about the employer's business metrics rather than a Q&A session.

4. What is the goal of information security within an organization?

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.”

This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.

5. Tell me how one defends against CSRF.

Nonces (unpredictable tokens) that the server requires for each page or each request are an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.

6. If I started my career as an IT auditor, where might it lead?

As with most careers, it is difficult to predict where they will lead. Certainly it is common for CISAs in public accounting firms to move into line management. Other possibilities are to move to industry and become an internal auditor, an IT risk or IT security manager, or a CIO.

7. Where do you get your security news from?

Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that he doesn't respond with “I go to the CNET website” or “I wait until someone tells me about events.” It's these types of answers that will tell you he's likely not on top of things.

8. Explain the difference between stored and reflected XSS.

Stored XSS is served from a static page or pulled from a database and displayed to the user directly. Reflected XSS comes from the user in the form of a request (usually constructed by an attacker) and then runs in the victim's browser when the results are returned from the site.

9. Tell me about a time when you made a mistake on the job.

Early in my career, I made a mistake on a report and denied a client their claim on the grounds that the car accident appeared to be a result of their negligence as opposed to the negligence of the other party. I found out later that I was too quick to make that decision. I had not spoken to the police first, who later informed me that the evidence I was looking at was taken after the vehicles had been moved from the scene. They showed me photographs of the vehicle immediately after it had happened, which clearly showed the other party was at fault. I was too quick on the draw, and I learned that every case requires due diligence.

10. Explain your role within the month-end close process.

Being able to articulate your function, your responsibilities and the specifics of how you go about the month-end close at your current or most recent firm is a very important piece. Be able to sum up every bullet point on your resume, mentioning highlights and focusing on accomplishments.


11. Tell me what's more secure, SSL or HTTPS?

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they're confused, then this should be for an extremely junior position.

12. How do you feel your job as a government auditor differs from that of a private sector auditor?

First of all, there is a sense of working for the public good as a government auditor. I've also served as a private auditor and did many internal audits to ensure the business was in sound financial health. This served an important function in helping the business stay afloat, but it didn't necessarily involve an entire population. There is a kind of sacred trust in dealing with public money, and perhaps, a greater propensity of some non-profits or government agencies, to lose track of money, because it is being provided. A government audit requires a certain amount of discipline in investigating whether funds earmarked for one purpose were used properly. Elections have been won and lost based on the use of public funds, so it is vital to our public life as citizens.

13. Suppose you had to both encrypt and compress data during transmission. Which would you do first, and why?

If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.”
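The following is an added example, not part of the original page, that measures the two orderings on a constructed, highly redundant log excerpt; the XOR keystream is a stand-in for a real cipher (any sound cipher produces equally incompressible ciphertext), and the function names are assumptions.

```python
import os
import zlib

# Constructed sample: a repetitive access-log excerpt, which compresses well.
PLAINTEXT = b"2024-01-01T00:00:00Z GET /index.html 200 512 -\n" * 200


def xor_keystream(data, key):
    """Stand-in cipher: XOR with a random keystream at least as long as data.
    Output is uniformly random-looking, just like real ciphertext."""
    return bytes(a ^ b for a, b in zip(data, key))


def compress_then_encrypt(plaintext, key):
    compressed = zlib.compress(plaintext, 9)
    return xor_keystream(compressed, key[: len(compressed)])


def decrypt_then_decompress(ciphertext, key):
    return zlib.decompress(xor_keystream(ciphertext, key[: len(ciphertext)]))


def encrypt_then_compress(plaintext, key):
    # zlib finds no redundancy in random bytes and falls back to stored blocks,
    # so the result is the input plus framing overhead.
    return zlib.compress(xor_keystream(plaintext, key), 9)


def compare_orderings(plaintext=PLAINTEXT):
    """Return the on-the-wire size for each ordering, plus a round-trip check."""
    key = os.urandom(len(plaintext))
    ct_first = compress_then_encrypt(plaintext, key)
    ct_second = encrypt_then_compress(plaintext, key)
    return {
        "plaintext_bytes": len(plaintext),
        "compress_then_encrypt_bytes": len(ct_first),
        "encrypt_then_compress_bytes": len(ct_second),
        "roundtrip_ok": decrypt_then_decompress(ct_first, key) == plaintext,
    }


if __name__ == "__main__":
    for name, value in compare_orderings().items():
        print(f"{name}: {value}")
```

One caveat a practitioner should add: compressing attacker-influenced data together with secrets before encryption leaks information through ciphertext length (the CRIME and BREACH attacks exploited exactly this), which is why TLS-level compression is now disabled in practice.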

14. How do you minimize the risk of errors in your work?

As an accountant, you are held to a high standard and the margin for error is tiny. Small mistakes can lead to large financial issues.

Respond to this question by describing any times you've caught errors before submitting work. Emphasize the importance of checking your work and establishing checks and balances within a team.

15. Tell us what advantages bug bounty programs offer over normal testing practices.

You should hear about the coverage of many testers vs. one, incentivization, focus on rare bugs, etc.

16. As a government auditor, your responsibility is to ensure the proper use of public funds. What do you look for as an indication that a non-profit or government agency is spending as it should?

A government auditor has to be particularly careful when auditing a non-profit, because after all, it does concern public funds. Just like any other business, a non-profit has to spend responsibly, but there might be more of a temptation to waste money than in the private sector. Basically, auditing a non-profit, like other businesses, involves ensuring that everything makes sense and the records are up-to-date and accurate. Large expenditures have to be looked at carefully, and one has to be sure that funds earmarked for one purpose, such as building, aren't used for other purposes. This involves looking at the solicited and unsolicited designated funds and making sure the categories remain distinct.

17. In addition to auditing non-profits on behalf of the government, you also assist these organizations with internal audits. How do you vary your approach in these cases?

When I work as an auditor investigating the use of funds on behalf of the government, my role is to evaluate the records to ensure compliance and detect irregularities. In this role, I feel that I am approaching the organization from the outside and am making sure everything is in order. When I do an internal audit, as many non-profits should do on an annual basis, I am working with the company in an advisory role to ensure compliance, and at the same time, empowering the non-profit to improve its financial health and to thrive. In this sense, I'm cooperating with the company as well as evaluating its records.

18. Describe a time when you took the lead on an implementation or were proactive.

Hiring managers are hoping to hire accountants and auditors who have the foresight to address any potential issues that may arise before the situation blows up and becomes reactionary.

When you're asked accounting questions, focus on any recommendations you've made to higher-ups, and processes or procedures that you implemented. Think about how you've done your job in a proactive sense rather than a reactionary sense.

Controllers and CFO-level candidates especially must be prepared to answer ‘Have you implemented any processes or procedures?' and to talk the interviewer through them.

19. Tell me about a time you had a difficult conversation with a manager or colleague in another department.

As an auditor or accountant, you might spot reporting issues that may require difficult conversations with colleagues.

With this question, the hiring manager is trying to understand how you would handle these types of situations.

20. Role-specific System Auditor Job Interview Questions:

☛ What's the purpose of network encryption?
☛ What's the most common software problem you face? How do you resolve it?
☛ Are you familiar with server virtualization? Tell us about any experience you have using tools like VMware or VirtualBox.
☛ What are the biggest flaws of cloud applications?
☛ What kinds of internal systems do you audit more frequently? Why?

21. Managerial System Auditor Job Interview Questions:

☛ What is ISO 27001 and why should a company adopt it?
☛ Please describe step-by-step how you would prepare and perform an audit of any given system.
☛ What is a “RISK”, how can it be measured and what actions can be taken to treat it?
☛ Please describe the steps to be taken by a company implementing an ISMS framework
☛ Why did you become (CISSP/CISA) certified?
☛ During an audit, an interviewee is not disclosing the information being requested. How would you overcome this situation?
☛ Within the PCI-DSS sphere, what is a compensating control?
☛ Who is ultimately responsible for classifying a company's information: the Infosec Team or the information owner?
☛ Please describe the process of evaluating and analysing risks.
☛ What actions would you take to change end user behavior towards InfoSec?
☛ How do you ensure secure software development? What are the best practices to follow?

22. Behavioral System Auditor Job Interview Questions:

☛ What resources do you use to keep up-to-date with engineering trends (e.g. forums, websites and books)?
☛ What's your biggest challenge explaining technical details to a non-technical audience? Do you prefer to write a manual or deliver a presentation? Why?
☛ Have you ever worked in a stressful environment where you had to audit various IT systems on tight deadlines? If so, how did you work under deadlines while also meeting quality standards?
☛ How have you helped improve a system's efficiency in your current or previous position?

23. Technical System Auditor Job Interview Questions:

☛ What's the difference between a router, a bridge, a hub and a switch?
☛ Please explain how the SSL protocol works.
☛ What is a SYN flood attack, and how do you prevent it?
☛ Your network has been infected by malware. Please walk me through the process of cleaning up the environment.
☛ What kind of authentication does AD use?
☛ What's the difference between a Proxy and a Firewall?
☛ What is Cross-Site Scripting and how can it be prevented?
☛ What's the difference between symmetric and asymmetric encryption?
☛ What's the difference between encryption and hashing?
☛ Why should I use server certificates on my e-commerce website?
☛ What's port scanning and how does it work?
☛ Please explain how asymmetric encryption works
☛ Can a server certificate prevent SQL injection attacks against your system? Please explain.
☛ Do you have a home lab? If so, how do you use it to perfect your skills?
☛ What is a Man In The Middle attack?
☛ Take me through the process of pen testing a system.
☛ What is a vulnerability test and how do you perform it?
☛ What are the latest threats you foresee for the near future?
☛ How would you harden a Windows Server? What about a Linux Server?
☛ What do you understand by a layered security approach?
☛ What's the better approach when setting up a firewall: dropping or rejecting unwanted packets, and why?
☛ Please detail 802.1x security vs. 802.11 security (don't confuse the protocols).
☛ What is stateful packet inspection?
☛ What is NAT and how does it work?
☛ What is a buffer overflow?
☛ What are the most common application security flaws?
☛ What is a false positive?

24. Operational and Situational System Auditor Job Interview Questions:

☛ What measures would you take to protect an internal network from external threats?
☛ What would you do if the system crashed after a change you implemented?
☛ If you spotted a minor bug in an application, would you try to fix it yourself or mention it to the engineering team?
☛ What policies would you create to ensure our employees properly use technological resources?
☛ You uncover a number of security risks in a high-profile client's network, but know that the CTO will not take the news well and may terminate your firm's contract. How do you report the results of your audit?

25. Please explain the difference between encoding, encryption, and hashing.

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn't primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.


26. In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?

You encrypt with the other person's public key, and you sign with your own private key. If they confuse the two, don't put them in charge of your PKI project.
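To make the key roles concrete, here is an added example (not from the original page) using textbook RSA with tiny primes: the party names, the prime choices and the lack of padding are all assumptions made for illustration, and nothing this small is usable as a real cipher.

```python
# Textbook RSA on tiny primes, purely to show which key performs which job.
# Assumed parties: Alice (sender/signer) and Bob (recipient/verifier).


def make_keypair(p, q, e=17):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent = e^-1 mod phi (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, recipient_public):
    """Encryption uses the RECIPIENT's PUBLIC key; only their private key undoes it."""
    n, e = recipient_public
    return pow(m, e, n)


def decrypt(c, own_private):
    n, d = own_private
    return pow(c, d, n)


def sign(m, own_private):
    """Signing uses the SIGNER's own PRIVATE key; anyone with the public key can check it."""
    n, d = own_private
    return pow(m, d, n)


def verify(sig, m, signer_public):
    n, e = signer_public
    return pow(sig, e, n) == m % n


def demo():
    alice_pub, alice_priv = make_keypair(71, 83)  # n = 5893 (constructed toy key)
    bob_pub, bob_priv = make_keypair(61, 53)      # n = 3233 (constructed toy key)
    m = 42                                        # message must be smaller than n

    c = encrypt(m, bob_pub)        # Alice encrypts with Bob's public key
    sig = sign(m, alice_priv)      # Alice signs with her own private key
    return {
        "bob_decrypts": decrypt(c, bob_priv),             # Bob: his private key
        "bob_verifies_alice": verify(sig, m, alice_pub),  # Bob: Alice's public key
        "verify_with_wrong_key": verify(sig, m, bob_pub), # wrong public key fails
        "verify_tampered": verify(sig, m + 1, alice_pub), # altered message fails
    }


if __name__ == "__main__":
    print(demo())
```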

27. Tell us what the primary reason is that most companies haven't fixed their vulnerabilities.

This is a bit of a pet question for me, and I look for people to realize that companies don't actually care as much about security as they claim to; otherwise we'd have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.

Look for people who get this, and are ok with the challenge.

28. Are you comfortable being a witness in the event that a criminal prosecution occurs?

I would definitely be comfortable serving as a witness. I have done it a few times before, and on all occasions, I have been able to do that while not allowing other cases to fall by the wayside. I communicate with law enforcement thoroughly so that I know exactly how much time will be expected of me in court, and then I coordinate with my boss about getting time off. There are always additional cases for me to review, so if need be, I would be willing to work during an evening or on a weekend to ensure everything gets finished promptly.

29. Are you capable of handling repetitive tasks without dropping the ball on any of them?

I have been doing this kind of work for over 10 years, so I feel more than prepared to handle the minutiae of the job. I honestly rarely get bored with the tasks of an auditor because every case that comes in is different in some capacity, so there is always something to be doing.

30. Tell me what methods have you used for estimating bad debt?

This question can open a conversation about the ways you've approached this routine process with previous employers.

Your answer can reveal your level of understanding of the methods most commonly used and could open a dialogue about how the company you are interviewing with handles this.

31. Which enterprise resource planning (ERP) systems have you used?

Most professionals, especially those with experience working for medium to large organizations, should have an answer for this. You must be a master of Excel. A response might include any of the following: Hyperion, Microsoft Dynamics GP or Oracle Enterprise Manager.

For entry-level candidates, it's an opportunity to turn this into a discussion of finance certifications and future training possibilities.

32. In terms of culture, what environment do you see yourself succeeding in?

Some hiring managers are looking for a candidate who works well in a team, others for someone who works well independently, but all the better if you can demonstrate that you can do both.

You have to understand the particular role to highlight how you would perform, because hiring managers want a candidate to be the right fit. A lot of it is what value can you add to the business beyond technical skills.

33. Who do you look up to within the field of Information Security? Why?

A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, consider closely what position you're hiring them for. Hopefully it isn't a junior position.

34. Tell me if you were a site administrator looking for incoming CSRF attacks, what would you look for?

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, “Did we already implement nonces?”, or, “That depends on whether we already have controls in place…” Undesired answers are things like checking referrer headers, or wild panic.
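The nonce-based defence from question 5 and the “did we already implement nonces?” check above, as an added example that is not part of the original page: a minimal synchroniser-token scheme over a dict standing in for the server-side session, where the session key, the form field name and the transfer endpoint are assumptions.

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"   # assumed name of the token slot in the session
FORM_FIELD = "csrf_token"    # assumed name of the hidden form field


def issue_token(session):
    """Generate an unpredictable token and bind it to this session.
    Called when rendering a page that contains a state-changing form."""
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return token


def validate_token(session, submitted, one_time=True):
    """Accept only if the submitted token matches the session's token.
    compare_digest keeps the comparison constant-time. With one_time=True the
    token is consumed on success (a per-request nonce); pass False to keep a
    per-page token valid for several submissions."""
    expected = session.get(SESSION_KEY)
    if not expected or not submitted:
        return False
    if not hmac.compare_digest(expected, submitted):
        return False
    if one_time:
        del session[SESSION_KEY]
    return True


def handle_transfer(session, form):
    """Hypothetical POST endpoint. A request forged from another origin rides on
    the victim's cookies but cannot read the token embedded in our page, so it
    arrives without a matching token and is rejected before any side effect."""
    if not validate_token(session, form.get(FORM_FIELD)):
        return 403, "CSRF token missing or invalid"
    return 200, "transfer of %s to %s accepted" % (form.get("amount"), form.get("to"))


def demo():
    """Constructed scenario: one legitimate form, one missing token, one wrong
    token, and a replay of the legitimate token after it was consumed."""
    session = {}
    token = issue_token(session)                         # rendered into our form
    legit = {"to": "alice", "amount": "10", FORM_FIELD: token}
    no_token = {"to": "alice", "amount": "10"}           # cross-site form
    wrong = {"to": "alice", "amount": "10", FORM_FIELD: secrets.token_urlsafe(32)}
    return {
        "no_token": handle_transfer(session, no_token)[0],
        "wrong_token": handle_transfer(session, wrong)[0],
        "legit": handle_transfer(session, legit)[0],
        "replay": handle_transfer(session, legit)[0],    # token already consumed
    }


if __name__ == "__main__":
    print(demo())
```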

35. What is an IT auditor? What do they do?

An IT auditor is an audit professional with special MIS knowledge who works with companies to assess the risks associated with their IT applications and then determines if the company has adequate controls in place to manage that risk. IT auditors may work for a public accounting firm (external audit) or for the company itself (internal audit).

36. Tell us what are your long-term career goals?

I am interested in finding a position where I can refine my accounting skills in my work with government agencies and non-profits. I feel there is a particular benefit to society in my work as a government auditor, and I would like to continue making that contribution.

37. Are you comfortable traveling to meet clients?

I am certainly comfortable traveling in order to acquire information to process a claim. However, if need be, then I also feel perfectly comfortable talking to people over the phone to gather more material.

38. Detail is of the essence in accounting, and a small mistake can be costly. How do you ensure that details are accurate?

Every accountant needs to be detail-oriented, but what else is needed is the discipline to check again. I always double check to ensure everything is in order. In addition, having technical savvy helps, and I stay current with the newest software and apps that make tracking details and finding irregularities easier.

39. What is a CISA and is it really an international certification?

A CISA is a Certified Information Systems Auditor and yes, CISAs are recognized and employed all around the world.

40. Tell me how HTTP handles state.

It doesn't, of course. Not natively. Good answers are things like “cookies”, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn't do it itself.


41. What kind of network do you have at home?

Good answers here are anything that shows you he's a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he's got multiple systems running multiple operating systems you're probably in good shape. What you don't want to hear is, “I get enough computers when I'm at work…” I've yet to meet a serious security guy who doesn't have a considerable home network, or at least access to one, even if it's not at home.

42. How do you change your DNS settings in Linux and Windows?

Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world, then you're likely working with someone very junior or otherwise highly abstracted from the real world.

43. Describe a time when you helped reduce costs.

The answer to this question will tell whether you strictly stick to your accounting job duties, or whether you have gone above and beyond by identifying solutions for the greater good of the company.

44. Tell me do you have experience doing/handling X, Y and Z?

There is nothing that you can't do. When asked to walk through your resume, recite accomplishments that tie into the job description.

Make notes at the top of your page or notebook as to your strengths that are relevant for the position. You're better off saying, ‘My experience is limited in XYZ, but I do know ABC.' Don't give them a reason not to hire you.

If you're truly interested in a role, your enthusiasm can make up for a few skills gaps. Say you don't hit 10 out of 10 prerequisite skills or types of experience, but maybe you hit eight out of 10, which is often good enough.

On the other two, find a way to highlight elements of your background that relate tangentially, to overcome the missing bullet points.

45. Tell us what have you done to enhance your knowledge recently?

I attended a conference last month where I learned some incredibly useful information related to handling auto insurance claims. However, I view every case that comes across my desk as a learning opportunity. Every case is different and requires a little something different than the last one. For example, I learned early on how important eyewitness testimony can be when it comes to determining a claim for an automotive accident.

46. Tell me have you been able to detect insurance fraud in the past?

It has only come up a couple times in my experience, but there have been instances where I discovered fraud in a claim. Once, someone filed an insurance claim because their car had been stolen. After working with law enforcement, we discovered the vehicle was only a few miles away. Apparently, the car owner was just trying to get some quick cash and thought this was the easiest way to get it. Criminal charges were ultimately placed against them.

47. What is ISACA?

ISACA is the international body that certifies information system auditors, security managers and other related roles.

48. What exactly is Cross-Site Scripting?

You'd be amazed at how many security people don't know even the basics of this immensely important topic. We're looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.
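The stored vs. reflected distinction from question 8 and the definition above, as an added example that is not part of the original page: a hypothetical search page (reflected) and comments page (stored) rendered with plain f-strings, where the function names, the fake database rows and the probe string are constructed for this demo.

```python
import html

# Classic probe string: if it reaches the page unescaped, the browser runs it.
PROBE = "<script>alert(1)</script>"


def render_search_vulnerable(query):
    """Reflected XSS: the request parameter is echoed into the page unescaped,
    so a crafted link runs script in the browser of whoever follows it."""
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query):
    """Fix: HTML-entity-encode untrusted data at the point of output."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_comments_vulnerable(rows):
    """Stored XSS: values pulled from the database are inserted unescaped, so
    every visitor who loads the page runs whatever was saved earlier."""
    return "<ul>" + "".join(f"<li>{r['body']}</li>" for r in rows) + "</ul>"


def render_comments_fixed(rows):
    """Same fix applies: escape on output regardless of where the data came from."""
    return "<ul>" + "".join(
        f"<li>{html.escape(r['body'], quote=True)}</li>" for r in rows
    ) + "</ul>"


def has_live_script(page):
    """Demo check: a raw <script> tag in the output is executable by the browser;
    an entity-encoded &lt;script&gt; is just text."""
    return "<script" in page


def demo():
    rows = [{"id": 1, "body": "nice post"}, {"id": 2, "body": PROBE}]  # constructed rows
    return {
        "reflected_vulnerable": has_live_script(render_search_vulnerable(PROBE)),
        "reflected_fixed": has_live_script(render_search_fixed(PROBE)),
        "stored_vulnerable": has_live_script(render_comments_vulnerable(rows)),
        "stored_fixed": has_live_script(render_comments_fixed(rows)),
        "escaped_form": html.escape(PROBE, quote=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```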

49. What are your first three steps when securing a Linux server?

Their list isn't key here (unless it's bad); the key is not to panic.

50. Do you know what rainbow tables are?

Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.
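Why salting (question 1) defeats precomputed tables (question 50), as an added example that is not part of the original page: the wordlist and passwords are constructed, and the dict stands in for a rainbow table (real ones use hash chains to save space, but the property that matters to a defender is the same: one precomputed table answers queries against every unsalted hash).

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the input to a precomputed table.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "dragon"]


def unsalted_hash(password):
    """What a weak scheme stores: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; the cost is amortised over every
    unsalted database the table is ever used against."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). The salt makes
    identical passwords hash differently and forces any precomputation to be
    redone per user; the iteration count makes every guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def demo():
    table = build_lookup_table(WORDLIST)
    # Two users who chose the same (weak) password.
    u1, u2 = unsalted_hash("hunter2"), unsalted_hash("hunter2")
    s1, d1 = salted_hash("hunter2")
    s2, d2 = salted_hash("hunter2")
    return {
        "unsalted_identical": u1 == u2,          # equal digests reveal a shared password
        "unsalted_in_table": table.get(u1),      # recovered by a single lookup
        "salted_identical": d1 == d2,            # different salts, different digests
        "salted_in_table": table.get(d1.hex()),  # precomputed table is useless here
        "verify_right": verify("hunter2", s1, d1),
        "verify_wrong": verify("hunter3", s1, d1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```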

51. Are open-source projects more or less secure than proprietary ones?

The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they're talking about in terms of development, and 2) the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the “many eyes” regurgitation then I'll know he's read Slashdot and not much else. And if I just get the “people in China can put anything in the kernel” routine then I'll know he's not so good at looking at the complete picture.

The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly, quality control. In short, there's no way to tell the quality of a project simply by knowing that it's either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.

52. Tell me what your biggest weaknesses are.

You can say, ‘I've never done the monthly close, SEC reporting or Sarbanes-Oxley on my own, but I've supported that.' All accountants and financial analysts should know their skills and shortcomings: understand your strengths and what gaps you may have, what you can or cannot do.

53. Tell me do you have knowledge of accounting standards?

First, answer whether you have knowledge of accounting standards such as Generally Accepted Accounting Principles (GAAP) and Sarbanes-Oxley. Then explain the depth of your knowledge, how it applies to the role and how you stay up-to-date.

54. What types of audits have you done?

You should know how to respond to this based on the job description and whether the position requires experience doing financial audits, operational audits or something else.