1. Tell me what salting is, and why it is used?

You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.
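As an added example (not part of the original interview guide), the following Python shows the property that salting buys you: two users with the same password get different stored digests, so a leaked table no longer reveals shared or precomputed passwords. It uses the standard library's PBKDF2-HMAC; the iteration count is a deliberately small demo value and the user names are constructed.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Real deployments use a far higher
# count (or Argon2/scrypt); kept small here so the demo runs instantly.
ITERATIONS = 10_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random 16-byte salt is drawn per call
    unless one is supplied (as you do when verifying)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def unsalted(password):
    """What a salt-less scheme stores: the same password always yields the
    same digest, so identical passwords are visible across the whole table."""
    return hashlib.sha256(password.encode()).digest()


def demo():
    # Constructed sample: two users who happened to pick the same password.
    shared = "correct horse battery staple"
    alice_salt, alice_hash = hash_password(shared)
    bob_salt, bob_hash = hash_password(shared)
    return {
        # Without a salt, Alice's and Bob's rows are identical.
        "unsalted_rows_collide": unsalted(shared) == unsalted(shared),
        # With per-user salts the stored digests differ.
        "salted_rows_differ": alice_hash != bob_hash,
        "alice_verifies": verify_password(shared, alice_salt, alice_hash),
        "bob_verifies": verify_password(shared, bob_salt, bob_hash),
        "wrong_password_rejected": not verify_password("wrong", alice_salt, alice_hash),
        # Re-using a salt gives the collision back, which is why salts are per record.
        "salt_reuse_collides": hash_password(shared, alice_salt)[1] == alice_hash,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The salt is not secret; it is stored next to the digest. Its job is to make every digest unique so that precomputed tables and cross-user comparisons stop working.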

2. Explain the difference between a threat, a vulnerability, and a risk.

As weak as the CISSP is as a security certification, it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.

3. Please explain what your experience is with developing business metrics.

Keep your response brief, like you would for “Tell me about yourself,” but outline important experience you've had in this area.

By keeping your response brief, you can open up the conversation to be more like a dialogue about the employer's business metrics rather than a Q&A.

4. Do you know what the goal of information security within an organization is?

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.”

This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.

5. Tell me how one defends against CSRF.

Requiring a server-issued nonce for each page or each request is an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.

6. If I started my career as an IT auditor, where might it lead?

As with most careers, it is difficult to predict where they will lead. Certainly it is common for CISAs in public accounting firms to move into line management. Other possibilities are to move to industry and become an internal auditor, IT risk or IT security manager, or a CIO.

7. Where do you get your security news from?

Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that they don't respond with “I go to the CNET website” or “I wait until someone tells me about events.” It's these types of answers that will tell you the candidate is likely not on top of things.

8. Explain the difference between stored and reflected XSS.

Stored XSS is a payload the site has saved (on a page or in a database) and then displays to users directly. Reflected XSS arrives in the user's own request (usually a link constructed by an attacker) and runs in the victim's browser when the site echoes it back in the response.
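The two paths side by side, as an added Python example that is not part of the original guide: a constructed in-memory comment store stands in for the database (the stored path), a search handler echoes a request parameter (the reflected path), and each is shown with and without output encoding at render time. The function and store names are invented for the demo.

```python
import html

# Constructed stand-in for a database table of user comments.
COMMENTS = []

# A classic probe string; used only to show where encoding is missing.
PROBE = "<script>alert(1)</script>"


def post_comment(text):
    """Persist user input unchanged: the stored path. Storing raw input is
    fine as long as every renderer encodes on the way out."""
    COMMENTS.append(text)


def render_comments_unsafe():
    # Stored XSS: whatever was saved is emitted into HTML verbatim, to every viewer.
    return "".join(f"<p>{c}</p>" for c in COMMENTS)


def render_comments_safe():
    # Output encoding turns markup characters into entities before they reach the browser.
    return "".join(f"<p>{html.escape(c)}</p>" for c in COMMENTS)


def render_search_unsafe(query):
    # Reflected XSS: the request parameter comes straight back in the response body.
    return f"<h1>Results for {query}</h1>"


def render_search_safe(query):
    return f"<h1>Results for {html.escape(query)}</h1>"


def script_survives(page):
    """Crude check used by the demo: did a script tag reach the page as markup?"""
    return "<script" in page.lower()


def demo():
    COMMENTS.clear()
    post_comment(PROBE)            # stored: saved once, served to everyone
    return {
        "stored_unsafe_executes": script_survives(render_comments_unsafe()),
        "stored_safe_inert": not script_survives(render_comments_safe()),
        "reflected_unsafe_executes": script_survives(render_search_unsafe(PROBE)),
        "reflected_safe_inert": not script_survives(render_search_safe(PROBE)),
        # The encoded form is still readable text, just not markup.
        "encoded_text_kept": "&lt;script&gt;" in render_search_safe(PROBE),
    }


if __name__ == "__main__":
    print(demo())
```

The difference between the two is only where the payload comes from; the fix is the same in both cases, which is contextual output encoding at the point where untrusted data is written into the page.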

9. Tell me about a time when you made a mistake on the job.

Early in my career, I made a mistake on a report and denied a client their claim on the grounds that the car accident appeared to be a result of their negligence as opposed to the negligence of the other party. I found out later that I was too quick to make that decision. I had not spoken to the police first, who later informed me that the evidence I was looking at was taken after the vehicles had been moved from the scene. They showed me photographs of the vehicle immediately after it had happened, which clearly showed the other party was at fault. I was too quick on the draw, and I learned that every case requires due diligence.

10. Explain your role within the month-end close process.

Being able to articulate your function, your responsibilities, and the specifics of how you go about the end-of-month close at your current or most recent firm is a very important piece. Be able to sum up every bullet point on your resume, mentioning highlights and focusing on accomplishments.

11. Tell me what's more secure, SSL or HTTPS?

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they're confused, then this should be for an extremely junior position.

12. How do you feel your job as a government auditor differs from that of a private-sector auditor?

First of all, there is a sense of working for the public good as a government auditor. I've also served as a private auditor and did many internal audits to ensure the business was in sound financial health. This served an important function in helping the business stay afloat, but it didn't necessarily involve an entire population. There is a kind of sacred trust in dealing with public money, and perhaps a greater propensity of some non-profits or government agencies to lose track of money, because it is being provided. A government audit requires a certain amount of discipline in investigating whether funds earmarked for one purpose were used properly. Elections have been won and lost based on the use of public funds, so it is vital to our public life as citizens.

13. Suppose you had to both encrypt and compress data during transmission. Which would you do first, and why?

If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.”
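The answer can be measured rather than argued, so here is an added Python example (not from the original guide) that runs both orderings over a constructed, highly redundant log sample. A one-time pad is used as the cipher because its ciphertext is uniformly random by construction, which is exactly the property that defeats the compressor; any sound cipher behaves the same way. Function names and the sample line are invented for the demo.

```python
import os
import zlib


def otp_encrypt(data, key):
    """One-time pad: XOR with an equally long random key. Output is uniform,
    so it carries no redundancy for a compressor to find."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


otp_decrypt = otp_encrypt   # XOR is its own inverse


def compress_then_encrypt(plaintext):
    packed = zlib.compress(plaintext, 9)
    key = os.urandom(len(packed))
    return otp_encrypt(packed, key), key


def decrypt_then_decompress(ciphertext, key):
    return zlib.decompress(otp_decrypt(ciphertext, key))


def encrypt_then_compress(plaintext):
    key = os.urandom(len(plaintext))
    return zlib.compress(otp_encrypt(plaintext, key), 9), key


def compare(plaintext):
    """Bytes on the wire for each ordering, plus a round-trip check."""
    ce, key = compress_then_encrypt(plaintext)
    ec, _ = encrypt_then_compress(plaintext)
    return {
        "plaintext_len": len(plaintext),
        "compress_then_encrypt_len": len(ce),
        "encrypt_then_compress_len": len(ec),
        "round_trip_ok": decrypt_then_decompress(ce, key) == plaintext,
    }


# Constructed sample: a syslog-style line repeated, the kind of redundancy
# real traffic has and a compressor thrives on.
SAMPLE = (
    b"Jan 10 12:00:01 host sshd[1234]: Accepted publickey for deploy from 10.0.0.5\n"
    * 50
)

if __name__ == "__main__":
    for k, v in compare(SAMPLE).items():
        print(f"{k}: {v}")
```

Compress-then-encrypt shrinks the sample to a small fraction of its size; encrypt-then-compress comes out slightly larger than the plaintext because zlib falls back to stored blocks and adds its own framing on top.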

14. How do you minimize the risk of errors in your work?

As an accountant, you are held to a high standard and the margin for error is tiny. Small mistakes can lead to large financial issues.

“Respond to this question by describing any times you've caught errors before submitting work. Emphasize the importance of checking your work and establishing checks and balances within a team.”

15. Tell us what advantages bug bounty programs offer over normal testing practices.

You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.

16. As a government auditor, your responsibility is to ensure the proper use of public funds. What do you look for as an indication that a non-profit or government agency is spending as it should?

A government auditor has to be particularly careful when auditing a non-profit, because after all, it does concern public funds. Just like any other business, a non-profit has to spend responsibly, but there might be more of a temptation to waste money than in the private sector. Basically, auditing a non-profit, like other businesses, involves ensuring that everything makes sense and the records are up-to-date and accurate. Large expenditures have to be looked at carefully, and one has to be sure that funds earmarked for one purpose, such as building, aren't used for other purposes. This involves looking at the solicited and unsolicited designated funds and making sure the categories remain distinct.

17. In addition to auditing non-profits on behalf of the government, you also assist these organizations with internal audits. How do you vary your approach in these cases?

When I work as an auditor investigating the use of funds on behalf of the government, my role is to evaluate the records to ensure compliance and detect irregularities. In this role, I feel that I am approaching the organization from the outside and am making sure everything is in order. When I do an internal audit, as many non-profits should do on an annual basis, I am working with the company in an advisory role to ensure compliance, and at the same time, empowering the non-profit to improve its financial health and to thrive. In this sense, I'm cooperating with the company as well as evaluating its records.

18. Describe a time when you took the lead on an implementation or were proactive.

Hiring managers are hoping to hire accountants and auditors who have the foresight to address potential issues before the situation blows up and the response becomes reactive.

When you're asked accounting questions, focus on any recommendations you've made to higher-ups and on processes or procedures that you implemented. Think about how you've done your job in a proactive sense rather than a reactive sense.

Controllers and CFO-level candidates especially must be prepared to answer ‘Have you implemented any processes or procedures?’ and to talk the interviewer through them.

19. Tell me about a time you had a difficult conversation with a manager or colleague in another department.

As an auditor or accountant, you might spot reporting issues that may require difficult conversations with colleagues.

With this question, the hiring manager is trying to understand how you would handle these types of situations.

20. Role-specific System Auditor Job Interview Questions:

☛ What's the purpose of network encryption?
☛ What's the most common software problem you face? How do you resolve it?
☛ Are you familiar with server virtualization? Tell us about any experience you have using tools like VMware or VirtualBox.
☛ What are the biggest flaws of cloud applications?
☛ What kinds of internal systems do you audit more frequently? Why?

21. Managerial System Auditor Job Interview Questions:

☛ What is ISO 27001 and why should a company adopt it?
☛ Please describe step-by-step how you would prepare and perform an audit of any given system.
☛ What is a “RISK”, how can it be measured and what actions can be taken to treat it?
☛ Please describe the steps to be taken by a company implementing an ISMS framework.
☛ Why did you become (CISSP/CISA) certified?
☛ During an audit, an interviewee is not disclosing the information being requested. How would you overcome this situation?
☛ Within the PCI-DSS sphere, what is a compensating control?
☛ Who is ultimately responsible for classifying a company's information: the Infosec team or the information owner?
☛ Please describe the process of evaluating and analysing risks.
☛ What actions would you take to change end user behavior towards InfoSec?
☛ How do you ensure secure software development? What are the best practices to be followed?

22. Behavioral System Auditor Job Interview Questions:

☛ What resources do you use to keep up-to-date with engineering trends (e.g. forums, websites and books)?
☛ What's your biggest challenge explaining technical details to a non-technical audience? Do you prefer to write a manual or deliver a presentation? Why?
☛ Have you ever worked in a stressful environment where you had to audit various IT systems on tight deadlines? If so, how did you work under deadlines while also meeting quality standards?
☛ How have you helped improve a system's efficiency in your current or previous position?

23. Technical System Auditor Job Interview Questions:

☛ What's the difference between a router, a bridge, a hub and a switch?
☛ Please explain how the SSL protocol works.
☛ What is a SYN flood attack, and how do you prevent it?
☛ Your network has been infected by malware. Please walk me through the process of cleaning up the environment.
☛ What kind of authentication does AD use?
☛ What's the difference between a Proxy and a Firewall?
☛ What is Cross-Site Scripting and how can it be prevented?
☛ What's the difference between symmetric and asymmetric encryption?
☛ What's the difference between encryption and hashing?
☛ Why should I use server certificates on my e-commerce website?
☛ What's port scanning and how does it work?
☛ Please explain how asymmetric encryption works.
☛ Can a server certificate prevent SQL injection attacks against your system? Please explain.
☛ Do you have a home lab? If so, how do you use it to perfect your skills?
☛ What is a Man In The Middle attack?
☛ Take me through the process of pen testing a system.
☛ What is a vulnerability test, and how do you perform it?
☛ What are the latest threats you foresee for the near future?
☛ How would you harden a Windows Server? What about a Linux Server?
☛ What do you understand by a layered security approach?
☛ What's the better approach when setting up a firewall, dropping or rejecting unwanted packets, and why?
☛ Please detail 802.1x security vs. 802.11 security (don't confuse the protocols).
☛ What is stateful packet inspection?
☛ What is NAT and how does it work?
☛ What is a buffer overflow?
☛ What are the most common application security flaws?
☛ What is a false positive?

24. Operational and Situational System Auditor Job Interview Questions:

☛ What measures would you take to protect an internal network from external threats?
☛ What would you do if the system crashed after a change you implemented?
☛ If you spotted a minor bug in an application, would you try to fix it yourself or mention it to the engineering team?
☛ What policies would you create to ensure our employees properly use technological resources?
☛ You uncover a number of security risks in a high-profile client's network, but know that the CTO will not take the news well and may terminate your firm's contract. How do you report the results of your audit?

25. Please explain the difference between encoding, encryption, and hashing.

Encoding is designed to preserve the integrity of data as it crosses networks and systems, i.e. so that the original message is intact on arrival; it isn't primarily a security function. It is easily reversible because, almost necessarily and by definition, the encoding scheme is public and in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key or keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.
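The three properties can be checked directly. The following is an added Python example, not part of the original guide: Base64 for encoding, a one-time pad for encryption (chosen because it is a few lines and provably correct; production code would use an authenticated cipher), and SHA-256 for hashing. The function names and sample message are invented for the demo.

```python
import base64
import hashlib
import os


# Encoding: a public, keyless transformation. Anyone can undo it.
def encode(data):
    return base64.b64encode(data)


def decode(encoded):
    return base64.b64decode(encoded)


# Encryption: reversible, but only with the key. One-time pad (XOR) here.
def encrypt(data, key):
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


decrypt = encrypt   # XOR with the same key undoes the XOR


# Hashing: one-way, fixed-length output regardless of input size.
def digest(data):
    return hashlib.sha256(data).digest()


def properties(message):
    """Exercise each primitive on one message and report what holds."""
    key = os.urandom(len(message))
    wrong_key = os.urandom(len(message))
    ciphertext = encrypt(message, key)
    # Flip one bit of the message to show the avalanche behaviour of the hash.
    flipped = message[:-1] + bytes([message[-1] ^ 0x01])
    return {
        "encoding_reversible_without_secret": decode(encode(message)) == message,
        "encoded_is_not_confidential": message in decode(encode(message)),
        "encryption_reversible_with_key": decrypt(ciphertext, key) == message,
        "encryption_fails_with_wrong_key": decrypt(ciphertext, wrong_key) != message,
        "ciphertext_hides_plaintext": ciphertext != message,
        "hash_fixed_length": len(digest(message)) == 32 == len(digest(message * 1000)),
        "hash_sensitive_to_one_bit": digest(message) != digest(flipped),
        "hash_is_deterministic": digest(message) == digest(message),
    }


# Constructed sample message (long enough that a wrong-key collision is
# astronomically unlikely).
SAMPLE = b"transfer 100 from acct 42 to acct 7"

if __name__ == "__main__":
    for k, v in properties(SAMPLE).items():
        print(f"{k}: {v}")
```

The practical takeaways match the answer above: Base64 hides nothing, encryption protects confidentiality only as well as the key is protected, and a hash gives you a fixed-size fingerprint that you cannot run backwards.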

26. In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?

You encrypt with the other person's public key, and you sign with your own private key. If they confuse the two, don't put them in charge of your PKI project.
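To make the key roles concrete, here is an added Python example (not from the original guide) using textbook RSA built on small Mersenne primes with no padding. It is enough to show which key does what and is not a usable cryptosystem; real deployments use OAEP or PSS padding and much larger moduli. The party names, primes and message are constructed for the demo, and `pow(e, -1, phi)` needs Python 3.8 or later.

```python
import hashlib

E = 65537


def make_keypair(p, q):
    """Textbook RSA key generation from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # modular inverse; requires gcd(E, phi) == 1
    return (n, E), (n, d)


# Bob receives encrypted mail; Alice signs what she sends. Mersenne primes are
# used only because they are easy to write down correctly.
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**19 - 1)


def encrypt(message, recipient_public):
    """Encrypt TO someone: use THEIR public key."""
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext, own_private):
    """Only the holder of the matching private key can undo it."""
    n, d = own_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(message, own_private):
    """Sign AS yourself: use YOUR OWN private key over a hash of the message."""
    n, d = own_private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(message, signature, signer_public):
    """Anyone can check a signature with the signer's public key."""
    n, e = signer_public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def exchange(message):
    ciphertext = encrypt(message, BOB_PUB)     # Alice uses Bob's PUBLIC key
    signature = sign(message, ALICE_PRIV)      # Alice uses her own PRIVATE key
    return {
        "bob_recovers_plaintext": decrypt(ciphertext, BOB_PRIV) == message,
        "signature_verifies_with_alice_public": verify(message, signature, ALICE_PUB),
        "tampered_message_fails": not verify(message + b"!", signature, ALICE_PUB),
        "wrong_signer_key_fails": not verify(message, signature, BOB_PUB),
    }


if __name__ == "__main__":
    print(exchange(b"pay bob 10"))
```

The asymmetry is the whole point: the public key is the one you hand out, so it is the one other people use to encrypt to you and to verify what you signed; the private key never leaves you and is the one you use to decrypt and to sign.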

27. Tell us the primary reason most companies haven't fixed their vulnerabilities.

This is a bit of a pet question for me, and I look for people to realize that companies don't actually care as much about security as they claim to; otherwise we'd have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.

Look for people who get this, and are ok with the challenge.

28. Are you comfortable being a witness in the event that a criminal prosecution occurs?

I would definitely be comfortable serving as a witness. I have done it a few times before, and on all occasions, I have been able to do that while not allowing other cases to fall by the wayside. I communicate with law enforcement thoroughly so that I know exactly how much time will be expected of me in court, and then I coordinate with my boss about getting time off. There are always additional cases for me to review, so if need be, I would be willing to work during an evening or on a weekend to ensure everything gets finished promptly.

29. Are you capable of handling repetitive tasks without dropping the ball on any of them?

I have been doing this kind of work for over 10 years, so I feel more than prepared to handle the minutiae of the job. I honestly rarely get bored with the tasks of an auditor because every case that comes in is different in some capacity, so there is always something to be doing.

30. Tell me what methods you have used for estimating bad debt.

This question can open a conversation about the ways you've approached this routine process with previous employers.

Your answer can reveal your level of understanding of the methods most commonly used and could open a dialogue about how the company you are interviewing with handles this.

31. Which enterprise resource planning (ERP) systems have you used?

Most professionals, especially those with experience working for medium to large organizations, should have an answer for this. You must be a master of Excel. A response might include any of the following: Hyperion, Microsoft Dynamics GP or Oracle Enterprise Manager.

For entry-level candidates, it's an opportunity to turn this into a discussion of finance certifications and future training possibilities.

32. In terms of culture, what environment do you see yourself succeeding in?

Some hiring managers are looking for a candidate who works well in a team, others for someone who works well independently, but all the better if you can demonstrate that you can do both.

You have to understand the particular role to highlight how you would perform, because hiring managers want a candidate to be the right fit. A lot of it is what value you can add to the business beyond technical skills.

33. Who do you look up to within the field of information security? Why?

A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, we'll consider closely what position you're hiring them for. Hopefully it isn't a junior position.

34. If you were a site administrator looking for incoming CSRF attacks, what would you look for?

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, “Did we already implement nonces?”, or, “That depends on whether we already have controls in place…” Undesired answers are things like checking referrer headers, or wild panic.
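Both CSRF questions above (the defence in question 5 and the "what would you look for" in question 34) come down to the same control, so here is one added Python example, not part of the original guide, that covers both: the server issues a per-session nonce, embeds it in forms, rejects state-changing requests that do not present it, and then reports which requests were rejected, which is what an administrator with nonces in place would actually look at. The request records, session id and paths are constructed; the dictionary-based store and the function names are invented for the demo.

```python
import hmac
import secrets

# Server-side store of issued nonces, keyed by session. A real app keeps this
# in the session backend; a dict stands in for it here.
SESSION_TOKENS = {}


def issue_token(session_id):
    """Generate a fresh unguessable nonce for this session. The template embeds
    it as a hidden form field (or a header value for XHR/fetch calls)."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def token_is_valid(session_id, presented):
    """Compare the presented token with the stored one in constant time."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def handle_request(request):
    """Only state-changing methods need the check; safe methods must have no
    side effects anyway, which is the other half of CSRF hygiene."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return "200 ok"
    if token_is_valid(request["session"], request.get("csrf_token")):
        return "200 ok"
    return "403 csrf token missing or mismatched"


def review(requests):
    """What 'looking for CSRF' means once nonces exist: count and list the
    state-changing requests that arrived without a valid token."""
    results = [handle_request(r) for r in requests]
    rejected = [r for r, res in zip(requests, results) if res.startswith("403")]
    return {
        "total": len(requests),
        "rejected": len(rejected),
        "rejected_paths": [r["path"] for r in rejected],
    }


def demo():
    tok = issue_token("sess-A")
    # Constructed sample traffic: a legitimate form post, a cross-site post that
    # carries the victim's session cookie but no token, a post with a guessed
    # token, and a plain GET that needs no token.
    sample = [
        {"method": "POST", "path": "/transfer", "session": "sess-A", "csrf_token": tok},
        {"method": "POST", "path": "/transfer", "session": "sess-A"},
        {"method": "POST", "path": "/email", "session": "sess-A", "csrf_token": "AAAA"},
        {"method": "GET", "path": "/balance", "session": "sess-A"},
    ]
    return review(sample)


if __name__ == "__main__":
    print(demo())
```

The per-page or per-request variant the answer to question 5 mentions is the same mechanism with `issue_token` called on every form render instead of once per session. Without a token in place there is nothing reliable to look for, which is why the desirable answer starts with "did we already implement nonces?".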

35. Do you know what an IT auditor is? What do they do?

An IT auditor is an audit professional with special MIS knowledge who works with companies to assess the risks associated with their IT applications and then determines if the company has adequate controls in place to manage that risk. IT auditors may work for a public accounting firm (external audit) or for the company itself (internal audit).