The first question I ask someone in an interview for a cybersecurity position is, “What type of cellphone do you use?” The candidate’s answer can provide a deep insight into their security mindset regarding the importance of patching in managing security vulnerabilities. Additionally, it tells me a lot about their attitude regarding the importance of privacy.

As a consultant, I have seen many interview styles. The one thing I have learned is that it is rare for an interviewer to ask questions which probe my understanding of security. Interviews tend to come in three flavors: How have you solved a given problem in the past? How would you configure a given tool to solve a particular problem? Or, tell us about your previous experience (As though they hadn’t bothered to read my résumé!).

Maybe one in twenty interviewers will probe my actual knowledge of security. And, let’s face it: If you’re hiring someone for a security role — and, especially a senior-level role — you should expect them to have a solid understanding of security fundamentals.

I suspect the reason more interviewers don’t probe deeply into a candidate’s security mindset and their grasp of the fundamentals is that the interviewer doesn’t know how to ask those questions. That is, most people interviewing candidates for a security position either have no idea how to ask conceptual security questions or lack in-depth knowledge of the fundamentals themselves.

That’s the reason for this blog post.

Interestingly, I find candidates either kill my interview or fail it miserably. There is rarely a candidate who falls in-between. Those who kill the interview quite often tell me it’s the best interview they’ve ever had. Those who flunk it usually react with either, “Well, I just memorized that stuff for the XYZ certification exam, and I haven’t used it ever since,” or “I don’t understand what a lot of your questions have to do with security.”

For the benefit of those who flunk the interview, I always go back and explain why I asked each question and what it taught me about their knowledge of security. That is, if the candidate doesn’t withdraw during the interview process.

For those who pass, I leave it up to other interviewers to cover the domain-specific interview questions. If a candidate aces my interview, I have no doubts they could successfully fill most any security role in an organization.

Interview Approach

My objective in an interview is to determine if a candidate understands security and privacy at a fundamental level. My interviews are not academic or theoretical; they are strictly practical. I want to learn if a candidate has a security-oriented mindset and whether they grasp fundamental security concepts. Many of my questions also probe whether the candidate has only a peripheral knowledge of a given security topic, or has an in-depth understanding of it.

Several of my questions concern how they apply security and privacy in their personal life. That tells me whether they understand topics such as: patch management, security vulnerability risks, information disclosure, location tracking, and privacy.

Then, I move on to a wide mix of technical security questions. I have a pool of about fifty questions that cover a range of security topics that I would expect any candidate to understand thoroughly. Beginning in the next section, I will give some example questions and expected answers, along with an explanation of why I think those questions are important.

Now, a couple of points about interviewing:

  • Move quickly through your questions. These are all questions a qualified junior-level candidate should be able to answer with little to no thought. Don’t give your candidates time to look up answers on Wikipedia! If a candidate hesitates for more than a few seconds, move on to the next question.

  • Jump around between topics. That will show you how fast a candidate can “switch gears” in their thought processes. Security moves quickly, and you want candidates who can mentally multitask to solve complex security problems crossing multiple security domains.

So, let’s go through some sample questions I use to interview security candidates.

In these sample questions, I will present a question, and either my expected answer and a brief explanation of that answer; or, I will provide a reference that answers the question. Yes, most answers probably deserve a more in-depth explanation than what I present here, but my objective is to present a short article, not write a book on the topic.

My Opening Questions

I always begin with the cellphone question, then follow it up with a technical question. Since most security roles require some understanding of network security, I usually ask a very basic networking-related question.

Regardless of the security role, I always ask the same first question: What type of cellphone do you use?

My expected answer is: An iPhone.

No, I’m not an Apple bigot. But, if the candidate answers anything other than iPhone, or “dumb flip phone,” it tells me that the candidate does not understand security and privacy. Why? Because of all the major cellphone vendors, only Apple pushes out timely vulnerability patches and enforces app privacy rules both in its app store and on its devices.

Unless the security role has no network security aspect to it, my second question is always: How many layers are in the Internet Protocol stack?

The only correct answer to this question is: Four.

Invariably, most candidates will answer “seven.” This tells me that they’ve simply memorized incorrect information to pass some certification exam. I’ll also accept “five” as an answer, provided the candidate can name the layers and includes “Physical” as its lowest layer. For the full explanation of this question and its correct answers, please see my blog post, The Internet Is Not A Seven Layer Network.

Does the candidate apply security principles to their personal life?

Randomly throw these questions into the mix. By understanding how the candidate applies security and privacy principles to their personal life, you can gain insight into both the depth of their understanding and how seriously they take security and privacy. After all, if they don’t care about security and privacy in their personal life, why should you expect them to care about it at work?

Question: What browser do you use?

Best answers: Brave or Tor.

Acceptable answers: Firefox (or variants, such as Cliqz) or Safari.

Marginal answers: Chrome or Opera.

Bad answers: Edge, Internet Explorer, Yandex.

Comment: This question explores candidates’ understanding of privacy. Several studies have ranked the privacy of various browsers. There is little disagreement as to which browsers offer the most privacy and which offer the least, although most current surveys rank Brave the highest. Any candidate choosing a “bad answer” browser clearly has a serious lack of privacy knowledge.

Question: What is your primary search engine?

Best answers: DuckDuckGo, Start Page, Qwant.

Bad answers: Google, Bing, Yahoo.

Comment: Again, this question explores privacy. The “best answers” ensure your searches are not tracked. The “bad answers” are sucking up every crumb of information they can find about you. Yes, there are other search engines, but the above are the major ones in each category.

Question: What messaging apps do you use?

Best answers: Signal, OTR Jabber/XMPP, Ricochet.

Acceptable answers: WebEx, Wire, Wickr/WickrMe, iMessage, FaceTime.

Marginal answers: WhatsApp, Telegram.

Bad Answers: Just about everything else.

Comment: This is another privacy question, but it also explores the candidate’s understanding of end-to-end encryption and their willingness to trust questionable vendors.

Question: Do you use LinkedIn, Facebook, Twitter, or any other social media?

Best answer: No, but I do have placeholder accounts to prevent someone from establishing a bogus account in my name.

Comment: Again, privacy is the primary issue here. But, LinkedIn is also a serious security threat to any organization which allows employees to have LinkedIn profiles. I discuss LinkedIn in more detail in the blog entry, LinkedIn Is A Security Threat To Your Organization.

Question: What email service do you use?

Best answers: Protonmail, Start Mail, Hushmail.

Good answer: iCloud.

Bad answers: Any “free” email service, such as Gmail, Hotmail, Outlook, or Yahoo; or any email service provided by your ISP or cellphone carrier, such as Comcast, Verizon, or AT&T.

Comment: There are many acceptable answers: any email service that respects your privacy. Using a “free” email service shows that the candidate does not understand the ramifications of all of their communications being monitored by an untrustworthy third party, to whom you are the product.

Does the candidate understand fundamental security concepts?

Although I group questions by topic here, I mix up the order when interviewing, rarely asking two questions in a row on the same topic.

Security Threats and Defenses

The answers to all these questions can be found in the blog post, What Are The Fundamental Services Provided By Security? Hint: CIA Is Not The Answer. All these questions probe the candidate’s understanding of the most basic security concepts.

Question: What are the fundamental services provided by security?

Question: What security threats does authenticity defend against?

Question: What cryptographic defenses are used against security integrity threats?

Question: What security threat or threats do digital signatures defend against?

Question: What are the differences between authenticity and integrity?

Question: What is the difference between Denial of Service and Denial of Access?

Authentication

The full answers to all these questions can be found in the blog posts, There Are Only Two Ways to Authenticate, and You Should Never Change Your Password. I will provide summary answers here.

Note: Most candidates will have been taught that there are three ways to authenticate. For years, security researchers have disagreed, stating that biometrics are not an authenticator. Since 2015, when NIST first released the draft of their update to SP 800-63, they have officially agreed with that assertion. However, many certification exams have not updated to these latest industry best practices. Thus, this section tests both a candidate’s fundamental security knowledge and whether they keep current with changes to industry best practices.

Question: What technology is used to strengthen defenses against passwords’ weaknesses?

Answer: Two-Factor Authentication (TFA)

Comment: Checks candidate’s knowledge of TFA. Multi-Factor Authentication (MFA) is also an acceptable answer.

Question: What are the conceptual methods by which a user can be authenticated (that is, “What you…”)?

Answer: What you know, and What you have.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: What is the difference between probabilistic and deterministic authentication measures?

Answer: Deterministic always returns the same results for any given input; probabilistic does not.

Comment: Determines if a candidate understands the concepts behind authentication.

Question: What are the two characteristics required of any authenticator?

Answer: Revocable and deterministic.

Comment: Determines if a candidate understands the concepts behind authentication.

Question: Under what circumstances can biometrics be used as an authenticator?

Answer: As a second factor to a “What you have” authenticator.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: What constitutes a good password?

Answer: A long string of at least 8 random characters, or preferably a passphrase of at least 8 words.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: How often should you change your password?

Answer: Only when there is evidence of compromise (including local password cracking).

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: What are acceptable sources of second authenticators?

Answer: Hardware security tokens and authentication apps.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: How should passwords be stored on a computer?

Answer: Passwords should never be stored; only salted hashes of passwords should be stored.

Comment: Determines if candidate has even a basic understanding of password security.

Question: What complexity requirements should all passwords meet?

Answer: Only the following:

  1. Consists of only ASCII and Unicode characters;
  2. A minimum length of 8 characters, with a maximum length not less than 64 characters; and
  3. It cannot be a known bad password (a password previously cracked or disclosed).

There should be no other complexity requirements.

Comment: Determines if a candidate is up-to-date on current industry best practices.
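
The two answers above (store only salted hashes; enforce only length and a known-bad check) as an added Python example, not code from the original post. The known-bad list and the sample passwords are constructed; PBKDF2-HMAC-SHA256 with a per-password random salt stands in for whatever password hash a real system uses, and the iteration count is an assumption taken from OWASP’s current guidance.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional

# Constructed stand-in for a breached-password corpus; a real deployment would
# check against a large list such as the one the HIBP service publishes.
KNOWN_BAD_PASSWORDS = {"password", "12345678", "qwertyui", "letmein1"}

MIN_LENGTH = 8    # minimum the page gives for a user-chosen password
MAX_LENGTH = 64   # the page requires the maximum to be *at least* 64; exactly 64 is used here

# Assumed work factor: the figure OWASP's Password Storage Cheat Sheet gives
# for PBKDF2-HMAC-SHA256 at the time of writing.
PBKDF2_ITERATIONS = 600_000


def _normalize(password: str) -> str:
    # Normalise so the same visible string compares equal regardless of how the
    # client encoded combining characters; NIST SP 800-63B recommends NFKC.
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list = acceptable).

    Only the three rules on the page are enforced: any Unicode character is
    allowed, length must be 8..64 code points, and the value must not be a
    known bad password. No composition rules (digits, symbols, case) at all.
    """
    normalized = _normalize(password)
    length = len(normalized)  # count code points, not bytes, so "密码" counts as 2
    problems = []
    if length < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if normalized.lower() in KNOWN_BAD_PASSWORDS:
        problems.append("is a known bad password")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per password defeats precomputed tables
    key = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                              salt, PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be upgraded later:
    # algorithm$iterations$salt_hex$hash_hex
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


if __name__ == "__main__":
    # Constructed sample passwords, including a Unicode passphrase.
    for candidate in ["correct horse battery stable", "short", "password", "пароль密码😀!"]:
        print(repr(candidate), "->", check_password_policy(candidate) or "ok")
    record = hash_password("correct horse battery stable")
    print(record)
    print(verify_password("correct horse battery stable", record),
          verify_password("correct horse battery staple", record))
```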

Question: When is it appropriate to use knowledge-based authenticators (e.g., Where were you born? Mother’s maiden name? etc.)?

Answer: Never. They are too easy to guess.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Question: When is it appropriate to use SMS or email as a second authenticator?

Answer: Never. It is too easy to hijack the messages, thus defeating two-factor authentication.

Comment: Determines if a candidate is up-to-date on current industry best practices.

Cryptography

I don’t have any current or pending blog posts on this topic, so I will provide brief correct answers to these questions. This also tends to be most candidates’ weakest area, so I don’t ask a lot of questions unless their job will involve using cryptography.

Question: What is the difference between symmetric and asymmetric keys?

Answer: A symmetric key is a secret key sourced from a random number, and both the sender and the recipient must know that key. An asymmetric key is a key-pair generated from large (usually prime) numbers. One key is secret (private key), and the other key is public. One key (either key) is used to encrypt, and the other key is used to decrypt.

Comment: Determines if a candidate understands the difference between symmetric and asymmetric cryptography.

Question: What is the maximum length of data which can be encrypted by: A symmetric key? An asymmetric key?

Answer: In general, there is no data-length limit for symmetric encryption, as the data is divided into blocks (block size depends on the algorithm), which are then encrypted. For asymmetric encryption, the maximum length of data that can be encrypted varies by algorithm but is always less than the asymmetric key size. For example, for RSA, the maximum length is 11 bytes less than the key length in bytes. Thus, for a 2048-bit RSA key, the maximum length of data it can encrypt is 245 bytes.

Comment: Determines if a candidate’s understanding of cryptography has any depth.
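
Where the 11 bytes in the answer above come from, as an added Python example that is not from the original post: it builds and checks the RSAES-PKCS1-v1_5 encryption block of RFC 8017 §7.2 for a given key size and, going beyond the page, also gives the corresponding limit for RSAES-OAEP. Only the padding step is shown; the modular exponentiation that follows it is omitted.

```python
import os

PKCS1_V15_OVERHEAD = 11  # 0x00, 0x02, at least 8 padding octets, 0x00 separator


def rsa_max_plaintext_bytes(key_bits: int) -> int:
    """Largest message RSAES-PKCS1-v1_5 can encrypt under a key of key_bits bits.

    The encryption block is k = key_bits // 8 octets long and laid out as
    0x00 || 0x02 || PS || 0x00 || M, where PS holds at least 8 non-zero random
    octets, so the fixed overhead is 1 + 1 + 8 + 1 = 11 octets.
    """
    return key_bits // 8 - PKCS1_V15_OVERHEAD


def rsa_oaep_max_plaintext_bytes(key_bits: int, hash_len: int = 32) -> int:
    """Same limit for RSAES-OAEP (RFC 8017 §7.1): k - 2*hLen - 2; hash_len=32 is SHA-256."""
    return key_bits // 8 - 2 * hash_len - 2


def pkcs1_v15_pad(message: bytes, key_bits: int) -> bytes:
    """Build the EME-PKCS1-v1_5 block for `message`, or raise if it is too long."""
    k = key_bits // 8
    limit = rsa_max_plaintext_bytes(key_bits)
    if len(message) > limit:
        raise ValueError(f"message is {len(message)} bytes; a {key_bits}-bit key allows at most {limit}")
    ps_len = k - len(message) - 3  # >= 8 because of the check above
    ps = bytearray()
    while len(ps) < ps_len:
        # PS must contain no zero octets, otherwise the 0x00 separator would be ambiguous.
        ps.extend(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def pkcs1_v15_unpad(block: bytes, key_bits: int) -> bytes:
    """Recover the message from an EME-PKCS1-v1_5 block, checking its structure.

    A real decryptor must not report these individual failures to the peer:
    distinguishable padding errors are the oracle that broke PKCS#1 v1.5 in
    practice, which is why OAEP is preferred for new designs.
    """
    k = key_bits // 8
    if len(block) != k or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("not an EME-PKCS1-v1_5 block")
    sep = block.find(b"\x00", 2)
    if sep < 2 + 8:  # a separator this early means PS was shorter than 8 octets
        raise ValueError("padding string too short")
    return block[sep + 1:]


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(f"{bits}-bit RSA: PKCS#1 v1.5 max {rsa_max_plaintext_bytes(bits)} bytes, "
              f"OAEP/SHA-256 max {rsa_oaep_max_plaintext_bytes(bits)} bytes")
    block = pkcs1_v15_pad(b"hello, world", 2048)  # constructed sample message
    print(len(block), pkcs1_v15_unpad(block, 2048))
```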

Question: Explain the process to create a digital certificate.

Answer (minimal acceptable, oversimplified):

  1. Generate a public/private key pair.
  2. Create a certificate signing request (CSR) for the public key.
  3. Send the CSR to a certificate authority (CA), which creates the digital certificate by signing the CSR’s public key with the CA’s signing certificate.
  4. The CA then returns the created certificate with its supporting certificate chain.

Comment: Determines if a candidate understands how digital certificates are created.

Question: What is a cryptographic hash function?

Answer: An algorithm that takes a variable-length input and generates a fixed-length output where it is not possible to determine the original input value knowing only the output value.

Comment: Determines if a candidate understands what a hash is.

Question: What is an HMAC?

Short Answer: A keyed hash.

Better Answer: A message authentication code that is based upon a hash function and a shared secret key.

Comment: Determines if a candidate understands message authentication codes.
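
The “better answer” spelled out in code, as an added Python example not from the original post: HMAC is the nested construction of RFC 2104 over a hash function and a shared key. The hand-rolled version is checked against the standard library and against the first HMAC-SHA-256 test vector of RFC 4231; the key and message in the main block are constructed samples.

```python
import hashlib
import hmac

BLOCK_SIZE = hashlib.sha256().block_size  # 64 octets for SHA-256


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC as defined in RFC 2104: H((K' xor opad) || H((K' xor ipad) || message)).

    The key is what turns a plain hash into a message authentication code:
    without the shared secret nobody can compute or check the tag.
    """
    # Keys longer than one hash block are hashed down first; every key is then
    # zero-padded to exactly one block so the XORs below are well defined.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so timing does not
    reveal how many leading bytes of a forged tag were correct."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    key = b"constructed-shared-secret"            # constructed sample key
    message = b'{"amount": 100, "to": "acct-42"}'  # constructed sample message
    tag = hmac_sha256(key, message)
    print("tag:", tag.hex())
    print("stdlib agrees:", matches_stdlib(key, message))
    print("tampered message accepted:",
          verify_tag(key, b'{"amount": 999, "to": "acct-42"}', tag))
```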

Network Security

I don’t have any current or pending blog posts on this topic, so I will provide brief correct answers to these questions. This is an area where every security practitioner should have quite in-depth knowledge.

Question: What is nmap?

Answer (minimal acceptable): An application that performs network discovery, identifies open, closed, and filtered ports on hosts, and determines device type and operating system.

Comment: A candidate with any knowledge of network security should know what “nmap” is.

Question: If I send a packet to a closed IPv4 UDP port, what response should I expect to receive?

Answer: ICMP 3/3 (Destination unreachable, port unreachable) if the port is unfiltered, or no response if it is filtered.

Comment: Checks candidate’s knowledge of the UDP protocol.

Question: If I send a packet to a closed IPv4 TCP port, what response should I expect to receive?

Answer: TCP RST (reset) if the port is unfiltered, or no response if it is filtered.

Comment: Checks candidate’s knowledge of the TCP protocol.

Question: If I send a TCP SYN packet to an open and unfiltered TCP port, what response should I expect to receive?

Answer: TCP SYN-ACK (to which I would respond with a TCP ACK packet)

Comment: Checks candidate’s knowledge of the TCP handshake.
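
The three answers above (UDP closed → ICMP type 3 code 3, TCP closed → RST, TCP open → SYN-ACK) turned into a small decoder of the kind an analyst applies to a capture, as an added Python example that is not from the original post. The packets are constructed inline with zero checksums and RFC 5737 documentation addresses; nothing is sent. It goes slightly beyond the page in treating a silent UDP port as “open|filtered”, since an open UDP service may also simply not reply.

```python
import struct
from typing import Optional, Tuple

PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# --- constructed sample packets (IPv4 without options, checksums left zero) ---

def ipv4_header(protocol: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: version 4, IHL 5, TTL 64, 192.0.2.1 -> 192.0.2.2."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, protocol, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def icmp_unreachable(code: int) -> bytes:
    """ICMP type 3 (destination unreachable) with the given code; code 3 = port unreachable."""
    return struct.pack("!BBHI", 3, code, 0, 0)


def tcp_segment(flags: int) -> bytes:
    """20-byte TCP header from port 80 to an ephemeral port carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, flags, 65535, 0, 0)


# --- decoder ---

def classify_response(probe: str, packet: Optional[bytes]) -> Tuple[str, str]:
    """Map the reply to a probe ("udp" datagram or "tcp_syn") onto a port state.

    Returns (state, reason) using the same rules an nmap-style scanner applies.
    """
    if packet is None:
        if probe == "udp":
            # Silence is ambiguous for UDP: filtered, or open but the service did not answer.
            return "open|filtered", "no response to UDP probe"
        return "filtered", "no response to TCP SYN"

    version_ihl, protocol = packet[0], packet[9]
    if version_ihl >> 4 != 4:
        return "unknown", "not an IPv4 packet"
    header_len = (version_ihl & 0x0F) * 4
    payload = packet[header_len:]

    if protocol == PROTO_ICMP:
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type == 3 and icmp_code == 3:
            return "closed", "ICMP destination unreachable, port unreachable (3/3)"
        if icmp_type == 3:
            # Other unreachable codes (1, 2, 9, 10, 13) are sent by a filtering device.
            return "filtered", f"ICMP destination unreachable, code {icmp_code}"
        return "unknown", f"unexpected ICMP type {icmp_type}"

    if protocol == PROTO_TCP:
        flags = payload[13]  # byte 13 of the TCP header holds the flag bits
        if flags & TCP_RST:
            return "closed", "TCP RST"
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open", "TCP SYN-ACK (the handshake would continue with our ACK)"
        return "unknown", f"unexpected TCP flags 0x{flags:02x}"

    return "unknown", f"unexpected IP protocol {protocol}"


if __name__ == "__main__":
    samples = [
        ("udp", ipv4_header(PROTO_ICMP, 8) + icmp_unreachable(3)),
        ("udp", ipv4_header(PROTO_ICMP, 8) + icmp_unreachable(13)),
        ("udp", None),
        ("tcp_syn", ipv4_header(PROTO_TCP, 20) + tcp_segment(TCP_RST | TCP_ACK)),
        ("tcp_syn", ipv4_header(PROTO_TCP, 20) + tcp_segment(TCP_SYN | TCP_ACK)),
        ("tcp_syn", None),
    ]
    for probe, pkt in samples:
        print(probe, "->", classify_response(probe, pkt))
```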

Question: What is the BGP protocol, and what is its fundamental weakness as commonly implemented?

Answer: The Border Gateway Protocol specifies routing between Autonomous Systems, each identified by an Autonomous System Number (ASN). Its weakness is that the routes are not signed, which can lead to route hijacking or Denial of Access.

Comment: Checks candidate’s understanding of how routes are established on large networks, such as the Internet. Note: Denial of Service is also acceptable instead of Denial of Access.

Question: What are the most common VPN protocols, and which one is badly broken?

Answer: PPTP is badly broken and should never be used. The most common VPN protocols are: OpenVPN, Wireguard, and IPSec (specifically, L2TP/IPSec and IKEv2/IPSec). Other common VPN protocols are: TLS, SSH, and MS-SSTP.

Comment: Checks candidate’s understanding of VPNs. If they fail to mention Wireguard, it means that they are not up-to-date with the latest VPN technologies. (Because of its speed and security, Wireguard is rapidly becoming the most widely used protocol.)

Question: What are the types of firewalls (e.g., packet filter)?

Answer: Packet filter, stateful inspection, application gateway

Comment: Checks candidate’s understanding of firewalls. If the candidate responds with, “network-based and host-based,” remind them that you’re seeking the types of filtering they do, not the firewall’s location. If they add either “proxy,” or “NAT/PAT” to their list, then they are showing they don’t actually understand the purpose of firewalls or how a firewall functions.

Question: A set of rules that determine if a firewall is to permit or deny network traffic is called what?

Answer: Access Control List (ACL).

Comment: Checks if a candidate has any understanding of how firewalls are configured.

Question: I am streaming video from Netflix. What is the MAC address of the packets arriving from Netflix?

Answer: The MAC address will be that of the LAN-side interface of the LAN’s default gateway.

Comment: Checks candidate’s understanding of Link-layer network routing. If they answer with the name of a device (router, firewall, WiFi, etc.), then they understand the concept but did not state it in general terms.

More Advanced Security Topics

The questions in this section go a little beyond the basics. Most experienced candidates should be able to answer the questions in this section.

Hardware Security

Questions in this section are about how to secure devices. They are general knowledge and apply to everything from computers and peripherals to embedded systems and IoT devices. Every experienced security candidate should be able to answer them.

Question: How do you securely erase an SSD or a flash drive?

Answer: You can’t. That’s why the drives must be encrypted.

Comment: This question probes how well a candidate understands flash-memory devices. Some candidates will answer “Using the manufacturer’s erase utility” or something to that effect. That’s the standard answer some certification exams expect. However, the candidate should understand that it is not an adequate solution, and the only real solution is drive encryption.

Question: What is the difference between a secure boot and a verified (trusted) boot?

Answer: Secure boot verifies the first stage boot loader before releasing the processor from reset, and verified boot always trusts the first stage of the boot loader.

Comment: This question checks the candidate’s understanding of how processors boot. A more detailed answer involving more than the first stage of booting may be given, but the critical aspect of this question is the first stage of the boot process.

Question: What are the “negative rings” in the Intel architecture, and for what are they used?

Answer: Ring -1: Hypervisor; Ring -2: SMM (System Management Mode); Ring -3: Management Engine.

Comment: Whether or not the candidate is familiar with “Ring -3” is the critical point of this question. If they lack that knowledge, then they are unfamiliar with an entire class of attacks against Intel processors.

Question: Why is the “Branch Prediction” architecture common in all modern processors a security risk?

Answer: Because it has been found that branch prediction enables several different side-channel attacks that leak information from otherwise inaccessible memory.

Comment: This question determines whether the candidate is familiar with a large class of processor-level vulnerabilities that have been identified in the past five-plus years.

Application Security

These questions check the candidate’s knowledge of application security fundamentals. If they have not worked in application security, they may not be familiar with some of these topics.

Question: Name at least half of the OWASP Top Ten vulnerabilities.

Answer: As of the date of this blog entry’s publication, the OWASP list is:

  • Code Injection (Injection)
  • Broken Authentication
  • Broken Access Control
  • Broken Confidentiality Controls (Sensitive Data Exposure)
  • Cross-Site Scripting
  • Misconfigurations (Security Misconfigurations)
  • Insufficient Logging and Monitoring
  • Using Known Vulnerable Software (Using Components with Known Vulnerabilities)
  • Broken Handling of References in XML (XML External Entities)
  • Insecure Deserialization

Answers from older lists include:

  • Broken Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards
  • Missing Function-Level Access Controls

Comment: The names in parentheses are the formal names in the OWASP list. The names I have used in the list are what most practitioners call the vulnerabilities. I would expect any candidate with software development or application security experience to know the first five. Candidates who are not current may include entries from older top ten lists (which are all still valid vulnerabilities, just no longer in the top ten). For a detailed explanation and the current OWASP list, see OWASP Top Ten. Older lists include OWASP 2010 and OWASP 2013.

Question: Give three examples of injection attacks against applications.

Answers: SQL, NoSQL, LDAP, XML, Command

Comment: Injection attacks are one of the most widespread web application attacks. Any security practitioner should be aware of at least two or three types of injection attacks. “Script” is an acceptable answer instead of “Command.”

Question: What does a static analysis tool do?

Answer: Inspects code (source code or object code, depending upon the tool) for potential vulnerabilities.

Comment: All candidates should know this, as static analysis is a critical step in software security verification.

Question: What does a dynamic analysis tool do?

Answer: Tests a program’s execution against known vulnerabilities.

Comment: All candidates should know this, as dynamic analysis is a critical step in software security verification.

Question: What is fuzzing?

Answer: Tests a program’s handling of random inputs.

Comment: Most candidates should know this, as fuzz testing is a critical step in software security. But it is often skipped, as it requires specialized skills both to set up the test and to analyze the results.
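
An added illustration of the fuzzing answer (my example, not code from the original post): a constructed length-prefixed record format, a parser that trusts the length byte, the same parser with the bounds check, and a seeded random-input harness that separates expected rejections from crashes.

```python
import random
from functools import reduce
from operator import xor
# Constructed format: repeated fields of len(1 byte) | payload(len bytes) | xor-checksum(1 byte).


def xor_checksum(payload: bytes) -> int:
    return reduce(xor, payload, 0)


def parse_record_buggy(data: bytes) -> list[bytes]:
    """Trusts the length byte: on a truncated field the checksum read at data[end]
    runs off the buffer (IndexError here; an out-of-bounds read in C). Deliberate."""
    fields, i = [], 0
    while i < len(data):
        n = data[i]
        end = i + 1 + n                      # position of the checksum byte
        payload = data[i + 1:end]
        if xor_checksum(payload) != data[end]:
            raise ValueError("bad checksum")
        fields.append(payload)
        i = end + 1
    return fields


def parse_record_fixed(data: bytes) -> list[bytes]:
    """Same parser with the bounds check; malformed input is rejected with ValueError."""
    fields, i = [], 0
    while i < len(data):
        n = data[i]
        end = i + 1 + n
        if end >= len(data):
            raise ValueError("truncated field")
        payload = data[i + 1:end]
        if xor_checksum(payload) != data[end]:
            raise ValueError("bad checksum")
        fields.append(payload)
        i = end + 1
    return fields


def fuzz(parser, iterations: int = 500, seed: int = 1234) -> list[tuple[bytes, str]]:
    """Feed seeded random inputs to the parser. ValueError is the documented rejection
    path; anything else is a crash to triage. The seed makes each crash reproducible."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randint(0, 32)))
        try:
            parser(data)
        except ValueError:
            pass
        except Exception as exc:             # unexpected failure: keep the input
            crashes.append((data, repr(exc)))
    return crashes
```

Running `fuzz` against both parsers shows the contrast: the one that trusts the length byte yields a list of reproducible IndexError inputs, the bounds-checked one returns an empty list.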

Question: What is Threat Modeling?

Answer: A formal approach to analyzing systems for potential vulnerabilities and classifying the risks associated with those vulnerabilities.

Comment: All candidates, regardless of experience level, should have some idea what threat modeling is and how it can increase security.

Question: Explain how a stack overflow attack takes control of a computer.

Answer: The attack overwrites EIP (instruction pointer) to jump to code injected onto the stack.

Comment: Most security practitioners should know how to answer this question, although they may not state the answer so succinctly. Anyone claiming penetration testing experience must be able to answer this question, as this is a common means of software exploitation. Note: The key point here is to overwrite EIP to jump to executable code.

Question: What are two widely-deployed software defenses against stack overflow attacks?

Answer: ASLR and canaries.

Comment: Anyone claiming any software security or operating systems security experience must know about ASLR (Address Space Layout Randomization). If they claim software security experience, they should know about canaries. There are many different implementations of canaries, such as StackGuard. If a canary implementation name is given in the answer, ask what type of protection that feature offers (the answer should be canaries).

Question: What capability do Intel architecture processors provide in hardware to prevent the execution of code written to the stack?

Answer: NX or ND bit

Comment: Anyone claiming operating systems or hardware security experience should know this. In the Microsoft world, enabling this hardware feature is known as Data Execution Prevention (DEP).

Physical Security

Any security practitioner who claims penetration testing experience should be able to answer these questions.

Question: How can you open a padlock for which you have forgotten the combination?

Answer: Padlock shim.

Question: Explain how a bump key works.

Answer: A bump of a “bump key” (a key with 999 bittings) causes the pins to bounce, and slight pressure on the key causes the pins to lock in place and allows you to open the lock.

Question: What is a well-known attack against security doors that have a motion-detector sensor on the inside which unlocks the doors?

Answer: Spray a can of compressed air upside down through the crack between the doors. The mist formed will often trigger an unlock.

Summary

At some point during the interview process, a candidate for a cybersecurity role should be screened for an adequate understanding of the basic principles of the field. Domain-specific knowledge also needs to be covered, but an understanding of the candidate’s grasp of the basics should come first.

I often provide screeners with questions like these (without answers) to screen the candidate. I have the interviewer record the answers which I review later. Even screeners with no security background will usually be able to quickly determine whether or not a candidate knows security or is faking it.

Cybersecurity is filled with too many practitioners who lack basic knowledge. It’s perhaps one of the leading reasons we have so many breaches: If those responsible for security don’t know all they should know to do their job, they’re going to leave gaping holes which even a script-kiddie can exploit.

Interview carefully and thoroughly! Candidates shouldn’t be expected to know everything, but they should at least know the fundamentals.

Feel free to plagiarize my questions for use in your organization. But you are not free to republish them elsewhere without advance written permission.

Please check out my Blog Introduction and Index to find other postings about what we are doing wrong in security and how we need to fix it.

Featured Image

Credit: Photo by Maranda Vandergriff on Unsplash.

Revision History

  • Updated 2020/04/20 to correct three answers: Added “XML” and “Script” to types of injection attacks. Clarified that asymmetric keys are generated from “large (usually prime) numbers” (previously said “large random numbers”). Corrected SMM to be “System Management Mode” instead of “System Management Module.”

Translated from: https://medium.com/swlh/the-first-question-i-ask-when-interviewing-someone-for-a-security-role-aaa19ee4f00d

http://www.taodudu.cc/news/show-2874737.html
