Information Security Fundamentals
Unpacking the Interview: Information Security Fundamentals
Companies are dealing with a massive uptick in cyberattack vectors — the second quarter of 2020 alone saw massive spikes in PowerShell and mobile malware attacks, while familiar threats such as phishing continue to plague corporations' email accounts.
The result is an infosec landscape that requires the skill and insight of trained and certified information security professionals. There's a growing demand for talented cybersecurity experts from front-line incident response personnel to SOC analysts, security consultants, and CISOs — and not enough supply.
But this doesn't mean companies are willing to settle for less; with data breaches potentially tied to substantive revenue and reputation damage, enterprises must ensure they hire the right people with the right skills for the right job.
For IT professionals looking to crack into the cybersecurity career market, this speaks to the need for reliable and robust information security fundamentals training and certifications. Also, it highlights the need to prepare for common interview questions and ensure all this hard work is accurately reflected during the hiring process.
Malicious actors are constantly changing their tactics. From repurposing tools designed for vulnerability scanning to leveraging old-school attacks on Microsoft Word and even distributing as-a-service malware solutions, attackers are looking for the simplest, least-detectable entry points into corporate systems. And when one entry point is sealed, fixed, or blocked, they simply attempt to switch to another.
For companies, this creates the problem of hard targets — cybercriminals are hard to pin down and even harder to stop over time. As a result, it takes a specific type of IT professional to pursue an information security career. Not only are these experts passionate about their work, but they're willing to think outside the box when it comes to detecting potential problems and tracking down intrusion efforts — and the right interview questions can help companies find their infosec best-fit.
Question 1: What is SSL? Why does it matter, and what are its limitations?
Expect some type of acronym-based question in any infosec-related interview. It might not be SSL — it could be about cross-site scripting (XSS), DDoS attacks, or the shift to SD-WAN solutions — but it's invariably part of the experience.
In this case, SSL stands for Secure Sockets Layer and is a widely used form of identity verification. Transport Layer Security (TLS) is the updated form of this approach but is often still referred to as SSL. The HTTPS designation in URLs appears when websites are using SSL protocols for security, but it's worth noting that SSL isn't enough in isolation; companies must also deploy robust encryption methods to ensure data is protected.
Question 2: What Role Does Infosec Play in the Enterprise Ecosystem?
Effective IT environment defense now requires infosec deployments that are an integral part of end-to-end enterprise ecosystems. This is because infosec isn't a single solution or system — instead, it's a set of processes and practices designed to secure corporate assets at scale.
Here, interviewers are more concerned with assessing the candidate's ability to apply infosec knowledge to evolving needs than ensuring they know the ins-and-outs of technical specifications. For example, consider the push for improved identity and access management (IAM) using multifactor authentication (MFA). While implementation at the end-user level is relatively straightforward, infosec pros must also account for the impact across data services, cloud solutions, and operational partners to determine the best deployment strategy.
Question 3: Open or closed source?
Infosec interview questions now trend toward the theoretical. In many cases, these are opinion questions — they have no right answer but instead require candidates to articulate an intelligent defense.
In the open/closed source debate, there are positives and negatives on both sides. Closed source code is typically developed by large commercial software providers and delivers key functionality without the need — or ability — to modify information under the hood. This offers both benefits and drawbacks: code is easy to implement but can't be customized to meet evolving demands.
Open-source options, meanwhile, allow IT pros to modify code and create custom-built software solutions that deliver specific enterprise outcomes. Detractors of open source code say this visibility makes it easier for attackers to understand and compromise operations, while proponents argue that increased scrutiny improves overall defense.
Cost and support are also critical concerns. While closed source solutions are naturally more expensive to purchase up-front, they often include a host of commonly used enterprise functions that help streamline deployment. Open-source options come with lower costs but also require more effort to ensure they're operationally effective. When it comes to support, meanwhile, closed source solutions often come with the option for automatic updates. At the same time, IT teams must rely on active development communities to implement new open-source iterations.
Here, there's no "right" answer — instead, infosec pros simply need to offer a data-driven case for their personal preference.
Cultivating Cybersecurity Careers
Information security is now a wide-open field with multiple career paths and potential opportunities. While interview questions vary significantly depending on the expertise and experience required for specific positions, cultivating any cybersecurity career starts in the same place: information security fundamentals. From hands-on lab and scenario experience to the knowledge necessary for entry-level certifications such as CompTIA Security+ or more advanced qualifications such as CEH, actionable infosec knowledge is key to long-term cybersecurity career success.
In my experience, both being interviewed and conducting interviews, questions are trending across the levels. Many (perhaps even most) organizations realize that if the candidate can answer questions like this, they can be taught the explicit steps/tasks/processes the company has in place.
Cost and support/updates need to be part of the answer.
CEH is not a fundamental-level certification.