Top 37 Information Security Audits Interview Questions You Must Prepare 29.Mar.2024

When data is protected while it is just sitting there in its database or on its hard drive- it can be considered at rest. On the other hand, while it is going from server to client it is in-trit. Many servers do one or the other- protected SQL databases, VPN connections, etc, however there are not many that do both primarily because of the extra drain on resources. It is still a good practice to do both however, even if it does take a bit longer.

Salt at its most fundamental level is random data. When a properly protected password system receives a new password, it will create a hashed value for that password, create a new random salt value, and then store that combined value in its database. This helps defend against dictionary attacks and known hash attacks.

For example, if a user uses the same password on two different systems, if they used the same hashing algorithm, they could end up with the same hash value. However, if even one of the systems uses salt with its hashes, the values will be different.

POST is one of the best tools available when a system will not boot. Normally through the use of either display LEDs in more modern systems, or traditionally through audio tones, these specific codes can tell you what the system doesn’t like about its current setup. Because of how rare these events can be, unless you are on a tech bench day in and day out, reference materials such as the Motherboard manual and your search engine of choice can be tremendous assets. Just remember to make sure that everything is seated correctly, you have at least the minimum required components to boot, and most importantly that you have all of your connections on the correct pins.

When you press delete on a file, it doesn’t actually go anywhere. A bit on the file is flipped telling the operating system that that file is no longer needed and it can be overwritten as is required.

Until that happens, the file can still be restored no matter if it’s in a Recycling Bin or not. There are ways around this, such as using File Shredders and disk wipers, but both of these take quite a bit of time to finish their jobs to a reasonable degree.

If data is on physical media such as a diskette, cd or even paper, there are shredders, pulverizers and destroyers that can turn plastic and paper into confetti. For hard disks however, that becomes a bit more tricky.

Most locations will turn to a two-fold method for ensuring a disk’s destruction by first using a specially made disc wiping program, taking apart the hard drive, removing the platters, scratching them up beyond recognition and then degaussing them with a high-powered magnet. This ensures that the data cannot be recovered through conventional me.

It seems like we can’t go more than a few days anymore without hearing about a major breach, which on the surface would make it seem that more people and places are being hacked than ever before (which to be honest is true). However, it also shows that detection and reporting of attacks is improving per requirements of both government entities and insurance companies.

As a result, the public and security professionals are both better informed as to what they can do to help protect themselves and watch out for falsified charges on their accounts. Keeping up to date on these matters is vital for anyone interested in Information Security.

Far and away is a false negative. A false positive is annoying, but easily dealt with – calling a legitimate piece of traffic bad. A false negative however is a piece of malicious traffic being let through without incident – definitely bad.

Information Protection is just what it sounds like- protecting information through the use of Encryption, Security software and other methods designed to keep it safe. Information Assurance on the other hand deals more with keeping the data reliable – RAID configurations, backups, non-repudiation techniques, etc.

This is a doozy, and there are an enormous number of opinions for this question. Many think they are the worst thing that ever happened to the world, while others praise their existence.

In the realm of security, they can be the source of extreme data leaks if handled in their default configurations. It is possible to lock down permissions on social networking sites, but in some cases this isn’t enough due to the fact that the backend is not sufficiently secured.

This also doesn’t help if somebody else’s profile that you have on your list gets compromised. Keeping important data away from these kinds of sites is a top priority, and only connecting with those you trust is also extremely helpful.

Sticky ports are one of the network admin’s best friends and worst headaches. They allow you to set up your network so that each port on a switch only permits one (or a number that you specify) computer to connect on that port by locking it to a particular MAC address. If any other computer plugs into that port, the port shuts down and you receive a call that they can’t connect anymore.

If you were the one that originally ran all the network connections then this isn’t a big issue, and likewise if it is a predictable pattern then it also isn’t an issue. However if you’re working in a hand-me-down network where chaos is the norm then you might end up spending a while toning out exactly what they are connecting to.

Tracert or traceroute, depending on the operating system, allows you to see exactly what routers you touch as you move along the chain of connections to your final destination.

However, if you end up with a problem where you can’t connect or can’t ping your final destination, a tracert can help in that regard as you can tell exactly where the chain of connections stop. With this information, you can contact the correct people – whether it be your own firewall, your ISP, your destination’s ISP or somewhere in the middle.

I’m going to let Ed Norton wer this one: “A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X.

If X is less than the cost of a recall, we don’t do one.” Residual Risk is what is left over after you perform everything that is cost-effective to increase security, but to go further than that is a waste of resources. Residual risk is what the company is willing to live with as a gamble in the hopes that it won’t happen.

When keeping track of data or equipment for use in legal proceedings, it needs to remain in a pristine state. Therefore, documenting exactly who has had access to what for how long is vital when dealing with this situation.

Any compromise in the data can lead to legal issues for the parties involved and can lead to a mistrial or contempt depending on the scenario.

When you see something day in and day out, even if it shocks you at first, you tend to get used to it. This me that if you see somebody that pokes around day after day, month after month, you might get used to the fact that he’s just curious. You let your guard down, and don’t react as quickly to possible threats.

On the other hand, say for example you have an annoyed employee that is soon to be fired and wants to show his soon to be former employer that he can bring them down, so he sells his still active credentials and card-key to a local group that specializes in white-collar crime. Still other infiltrators dress up as delivery people and wander around aimlessly in office buildings, getting information off of post-it notes and papers lying around.

External threats do not have access to near this level of information about the company, and more often than not do not get in as far as somebody that spent 20 bucks on a knock-off UPS uniform.

Error messages oftentimes giveaway what the server is running, and many times if the website administrator has not set up custom error pages for every site, it can give it away as simply as just entering a known bad address. Other times, just using telnet can be enough to see how it responds. Never underestimate the amount of information that can be gained by not getting the right wer but by asking the right questions.

You might have guessed that this level is very much about forming opinions and drawing conclusions, and you’d be right – this one is an especially loaded question.

Like any major group without a central leader, they seem to be mostly chaotic, at times seeming like a force for good, while at others causing havoc for innocents. Choose your words very carefully here, as it could be a dealbreaker.

Another opinion question, and as usual a lot of different potential wers. The baseline for these though would be three key elements: An anti-malware application, a remote wipe utility, and full-disk encryption.

Almost all modern mobile devices regardless of manufacturer have anti-malware and remote wipe available for them, and very few systems now do not come with full-disk encryption available as an option directly within the OS.

You would be amazed how often this happens, even more so in the current BYOD environment. Still, the easiest way out of this one is to contact your manager again and have them give a yay or nay.

This puts the authority and decision where it needs to be, and gives you assistance if the department needs to push back. Stress can be a real killer in position where you have to say ‘no’ to people that don’t like hearing it, so passing the buck can be a friend.

SSL is identity verification, not hard data encryption. It is designed to be able to prove that the person you are talking to on the other end is who they say they are. SSL and its big brother TLS are both used almost everyone online, but the problem is because of this it is a huge target and is mainly attacked via its implementation (The Heartbleed bug for example) and its known methodology. As a result, SSL can be stripped in certain circumstances, so additional protections for data-in-trit and data-at-rest are very good ideas.

Confidentiality, Integrity, Availability. As close to a ‘code’ for Information Security as it is possible to get, it is the boiled down essence of InfoSec. Confidentiality- keeping data secure. Integrity- keeping data intact. Availability- keeping data accessible.

While it may sound odd, it is possible to access Active Directory from a non-Windows system. Active Directory uses an implementation of the SMB protocol, which can be accessed from a Linux or Mac system by using the Samba program. Depending on the version, this can allow for share access, printing, and even Active Directory membership.

Infiltration is the method by which you enter or smuggle elements into a location. Exfiltration is just the opposite: getting sensitive information or objects out of a location without being discovered.

In an environment with high security, this can be extremely difficult but not impossible. Again we turn to our friends in the fake delivery uniforms wandering around the building, and see that yes there are ways to get in and out without a lot of issues.

Yet another opinion question. Closed-source is a typical commercially developed program. You receive an executable file which runs and does its job without the ability to look far under the hood. Open-source however provides the source code to be able to inspect everything it does, as well as be able to make changes yourself and recompile the code. Both have arguments for and against them, most have to do with audits and accountability.

Closed-source advocates claim that open-source causes issues because everybody can see exactly how it works and exploit weaknesses in the program. Open-source counter saying that because closed-source programs don’t provide ways to fully check them out, its difficult to find and troubleshoot issues in the programs beyond a certain level.

A lot of people would say that they are the same thing, and in a sense they would be right. However, one is a potential problem while the other is an active problem. Think of it like this: You have a shed with a broken lock where it won’t latch properly. In some areas such as major cities, that would be a major problem that needs to be resolved immediately, while in others like rural areas its more of a nuisance that can be fixed when you get around to it. In both scenarios it would be a vulnerability, while the major cities shed would be an example of an exploit – there are people in the area, actively exploiting a known problem.

The three-way handshake is a cornerstone of the TCP suite:

SYN, SYN/ACK, ACK. SYN is the outgoing connection request from client to server. ACK is the acknowledgement of the server back to the client, saying that yes I hear you, let’s open a connection. SYN/ACK is the final connection, and allows the two to speak.

The problem is that this can be used as a very basic type of Denial of Service Attack. The client opens up the SYN connection, the server responds with the SYN/ACK, but then the client sends another SYN. The server treats this as a new connection request and keeps the previous connection open. As this is repeated over and over many times very quickly, the server quickly becomes saturated with a huge number of connection requests, eventually overloading its ability to connect to legitimate users.

For me at least, this one is easy- getting my CISSP. I studied for months, did every possible thing I could to improve my recall and asked for anybody and everybody to help ask questions and modify them in ways to make me try to think around corners.

Everybody has at least one thing that they are proud of, and while this and the next question may be the same wer, all that matters is showing that you are willing to move forward and willing to be self-motivated.

Both acronyms are Intrusion Detection Systems, however the first is a Host Intrusion Detection System whereas the second is a Network Intrusion Detection System. An HIDS runs as a background utility in the same as an anti-virus program for instance, while a Network Intrusion Detection System sniffs packets as they go across the network looking for things that aren’t quite ordinary. Both systems have two basic variants: signature based and anomaly based.

Signature based is very much like an anti-virus system, looking for known values of known ‘bad things’, while anomaly looks more for network traffic that doesn’t fit the usual pattern of the network. This requires a bit more time to get a good baseline, but in the long term can be better on the uptake for custom attacks.

While BIOS itself has been superseded by UEFI, most systems still follow the same configuration for how they keep the settings in storage. Since BIOS itself is a pre-boot system, it has its own storage mechanism for its settings and preferences. In the classic scenario, simply popping out the CMOS (complementary metal-oxide-semiconductor) battery will be enough to have the memory storing these settings lose its power supply, and as a result it will lose its settings. Other times, you need to use a jumper or a physical switch on the motherboard. Still other times you need to actually remove the memory itself from the device and reprogram it in order to wipe it out. The simplest way by far however is this: if the BIOS has come from the factory with a default password enabled, try ‘password’.

Windows local accounts have a great deal of baggage tied to them, running back a long long way to keep compatibility for user accounts. If you are a user of passwords longer than 13 characters, you may have seen the message referring to this fact. However, Active Directory accounts have a great deal of security tied onto them, not the least of which is that the system actually doing the authenticating is not the one you are usually sitting at when you are a regular user.

Breaking into a Windows system if you have physical access is actually not that difficult at all, as there are quite a few dedicated utilities for just such a purpose, however that is beyond the scope of what we’ll be getting into here.

For some people, this would be the first computer they ever built, or the first time they modified a game console, or the first program they wrote, the list can go on and on.

In my case, that would be a project for work that I was working on for years. It started out as an Excel spreadsheet that the Engineering department were using to keep track of their AutoCAD drawings, and ended up evolving through a couple hundred static HTML pages, an Access Database and frontend, and finally to a full on web application running in MySQL and PHP.

This simple little thing ended up becoming an entire website with dedicated Engineering, Sales and Quality web apps used by the company globally, which just goes to show you you never know where something might lead.

There are a couple of different ways to do this, but the most like scenario you will run into is this: What you would want to do is setup a network-based installer capable of network-booting via PXE (if you’ve ever seen this during your system boot and wondering what it was for, tada).

Environments that have very large numbers of systems more often than not have the capability of pushing out images via the network. This reduces the amount of hands-on time that is required on each system, and keeps the installs more consistent.

SSH (TCP port 22) is a secure connection used on many different systems and dedicated appliances. Routers, Switches, SFTP servers and unsecure programs being tunnelled through this port all can be used to help harden a connection against eavesdropping.

Despite the fact that most times when you hear about somebody ‘SSHing’ into a box it involves Linux, the SSH protocol itself is actually implemented on a wide variety of systems – though not by default on most Windows systems. Programs like PuTTY, Filezilla and others have Windows ports available, which allow Windows users the same ease-of-use connectivity to these devices as do Linux users.

Much like getting a fresh set of eyes on a problem, sometimes you have people that don’t want to see or don’t want to admit to an issue. Bringing in extra help as an audit can really help eliminate problems that your team isn’t able to resolve on their own. Granted they may cost a small fortune, but they are extremely good at what they do.

A Linux admin account (root) has many powers that are not permitted for standard users. That being said, it is not always necessary to log all the way off and log back in as root in order to do these tasks.

For example, if you have ever used the ‘run as admin’ command in Windows, then you will know the basic concept behind ‘sudo’ or ‘superuser (root) do’ for whatever it is you want it to do. It’s a very simple and elegant method for reducing the amount of time you need to be logged in as a privileged user. The more time a user spends with enhanced permissions, the more likely it is that something is going to go wrong – whether accidentally or intentionally.

Something they know (password), something they have (token), and something they are (biometrics). Two-factor authentication often times uses a password and token setup, although in some cases this can be a PIN and thumbprint.

Nothing shows you how to break and fix things more than a test environment, and for most people that me their home network. Whether its a Windows laptop with a wireless generic router and a phone all the way up to 14 Linux Workstations, an Active Directory Domain Controller, a dedicated Firewall appliance and a net-attached toaster – as long as you are learning and fiddling with it, that’s what matters.

Cross-site scripting, the nightmare of Javascript. Because Javascript can run pages locally on the client system as opposed to running everything on the server side, this can cause headaches for a programmer if variables can be changed directly on the client’s webpage. There are a number of ways to protect against this, the easiest of which is input validation.