Common Interview Questions

So… You've passed the initial application and landed yourself a technical interview. Below is a list of questions that are commonly found in technical interviews.

No two interviews will be the same, so use this as a guide rather than a definitive answer for what to expect. Different job roles (e.g. SOC analyst vs pentester vs malware analyst) will also have different questions. The companies where the questions are seen and the answers to the questions aren't listed (that would be too easy!).

Some questions you may be asked

  • Describe three of the most common ways an external attacker today might attempt to gain access to a network.

  • You just got put in charge of a network after the last sysadmin was fired. What steps would you take to protect the network?

  • A user forwards you a suspected phishing email. How do you respond and handle it?

  • What are the primary reasons NOT to upload targeted malware to VirusTotal (VT)?

  • Do you have a home network/lab? What do you play with on it? Any side tech projects?

  • What got you interested in infosec?

  • What is the difference between symmetric and asymmetric cryptography?

  • What's the difference between encoding, encryption, hashing and obfuscation?

  • What percentage of malware in the wild do you think AV can detect?

  • How would you bypass a network IDS?

  • A trusted source gives you a 10GB PCAP to analyse. Something bad is in it. What is your methodology for finding it?

  • How would you secure an endpoint in an enterprise?

  • What do you believe are the biggest threats to an enterprise network?

  • Not a question, but make sure you understand subnetting.

  • A user opens a browser, types google.com into the URL bar and hits enter. What happens?

  • Describe the layers of the OSI model.

  • What does ARP do?

  • How does NAT work?

  • How does DNS work?

  • How does traceroute work?

  • What are some parts of an HTTP header, and why are they important to a security analyst?

  • What are some parts of a TCP/IP header? (They might ask about flags specifically.)

  • What port does ICMP (ping) run on? (Trick question!)

  • What's the difference between TCP and UDP?

  • What's the sequence for establishing a TCP connection?

  • What's the sequence for terminating a TCP connection?

  • Why are TCP sequence numbers random?

  • What is SQL injection and how does it work?

  • How would you mitigate SQL injection?

  • What is cross-site scripting?

  • How would you mitigate cross-site scripting?

  • What is the difference between data protection in transit and data protection at rest?

Some tasks you may be asked to do

You may either be asked to do these tasks at a face-to-face interview, over Skype with screen-sharing enabled or fully independently.

  • Demonstrate SQL injection/XSS on a known-vulnerable web app

  • 24 hours access to a known-vulnerable web app for security assessment, then 24 hours to write a report on findings

  • Demonstrate attacking a known-vulnerable computer (e.g. exploiting MS17-010 for a remote shell)

  • Write code (usually in a language of your choice on a computer, on paper or on a whiteboard)

  • Configure a piece of software and do a presentation on the configuration and usage (e.g. Splunk)

Some other useful talking points

These all show you have a legitimate interest in the subject.

  • Projects you have done/are doing

  • Your homelab

  • Your past (relevant) experience (e.g. an internship/volunteering)

  • Conferences/hackathons/CTFs you've attended
