10

So, the title basically says it all. I would really like to hear out some of the more experienced friends here with their answers for this.

  • Should it revolve around the ability to verbally explain attacks at a non-technical\technical level?

  • Should it focus on network, system and web app attacks? Social engineering? Attack vectors?

  • Should it revolve around countermeasures to attack?

I am not asking for "the whole enchilada" here, but just for a sort of framework one should have in mind when getting ready for job interviews in that field.

Franko
    {sarc}Well the best method would be to hack in and retrieve their interview questions. Then you will be prepared for exactly what they will ask.{/sarc} – Zoredache Feb 01 '13 at 02:18

2 Answers

16

In my experience these are my following observations:

Should it revolve around the ability to verbally explain attacks at a non-technical\technical level?

Yes. Absolutely it should involve a technical level. Non-technical explanations are a bonus: you will, as a pen-tester, be involved in meetings with people who know nothing about what you're doing and will get angry if you don't explain it simply. The kinds of people who usually hire pen-testers however realise that usually you get one or the other (people skills vs technical skills). If you can demonstrate both, you are way ahead of the competition.

Should it focus on network, system and web app attacks? Social engineering? Attack vectors?

The only attack that probably won't be questioned (largely because it rarely comes up in pen-testing jobs) is Social engineering (note, stuff like phishing attacks and the like may come up). A good interviewer will ask you a number of technical questions, and also provide you with a workstation to demonstrate some attacks, these can include basic Web-app exploitation as well as system/network exploitation. Things like SQLi, XSS etc should be known from memory.

Should it revolve around countermeasures to attack?

Not necessarily. However being able to demonstrate such knowledge should usually go hand-in-hand if you understand the attacks in depth.

A useful snippet from the pentesterlabs blog is below, explaining how at least one professional tester conducts interviews:

Before the interview (or even before you read the resume), it's good to have a basic opinion on someone's skills... I wrote a simple website with 20 questions to get a quick feeling of who I'm talking to.

The questions are simple but allow to detect people with no security knowledge. Below are 2 of the 20 questions so you can see what I'm talking about:

  • unmd5 is the PHP function used to retrieve the clear text of an md5? True/False
  • Windows passwords are stored in C:\Windows\System32\drivers\etc\shadow? True/False

If someone passes this test, the real technical interview can start.

As always, you will have the normal security questions (I guarantee most security companies ask for these):

  • explain a tcp handshake
  • how are Windows passwords stored?
  • what is a cookie?
  • opinion on disclosure?

From my experience, I think it's better to ask people to explain things than just to ask them what it is. You can really see what level of understanding people have of a problem...

For example, with Cross Site Scripting, you can have the following responses:

  • "it's a problem of filtering and it allows an attacker to inject script in the page"
  • "it's a problem of filtering and an attacker can display/run arbitrary code in victims' browser"
  • "it's a problem of output encoding and can be used to inject Javascript or HTML in the page sent back to victims"
  • ...

That way, you're able to see if the person really understands what's going on and how he will be able to explain it to someone else.

You need to have 2 types of questions:

  • questions based on memory: "what port is used by X", "what nmap options do you use"
  • questions based on reflection: "how will you solve that problem"

I also have my favorite set of questions:

  • "You're going to PentesterLab's website, explain what happens...", that way you can see someone's knowledge of TCP/IP, DNS, HTTP, SSL, ...
  • "What is the last cool thing you learned/read", that way you can see what people are interested in and where they are at

After this test, another interview is set up with a hands-on test (only if the person did well enough, obviously); it's currently the web application of the exercise "From SQL injection to shell" and it's used to see how people think and behave with a computer.

You can see a lot of different things:

  • what people use for desktop
  • how fast someone is with his computer
  • how people solve a problem
  • if people bring a working laptop (yes it happened, someone came to an interview with a broken gentoo...)
  • learn from people: sometimes people show you cool tricks you didn't think of
  • ...

Obviously, not everyone (actually only one person did it without any help so far) knows how to exploit a SQL injection manually (why do you think I created PentesterLab). But during the test, we help people and show how things work to see how they can learn new things and incorporate information into their way of thinking.

Source: pentesterlabs

Related reading: pentesterlabs how to get your first job

Hope that helps!

NULLZ
  • The '20 Questions' are what PenTester labs use as part of an application process, I believe. As a result they wouldn't want to publish the full list. Louis runs a twitter bot called PNTSTR or something similar that asks such questions every week. Worth checking out if you use twitter. – NULLZ Feb 03 '13 at 05:18
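The three Cross Site Scripting answers quoted in this reply differ on whether the bug is "filtering" or "output encoding". As an added example that is not part of the original answer or the PentesterLab post, the Python below renders a greeting both ways on constructed sample inputs and checks which version lets an input open a new HTML tag; function and sample names are assumptions.

```python
import html
import re

# Constructed sample inputs (not from the original post): a benign name,
# a textbook script tag, and an image tag carrying an event handler.
SAMPLES = [
    "Alice",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]


def render_with_filtering(name: str) -> str:
    """The 'filtering problem' view: strip <script> tags from the input
    and interpolate what is left into the page unchanged."""
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", name)
    return f"<p>Hello, {cleaned}!</p>"


def render_with_output_encoding(name: str) -> str:
    """The 'output encoding problem' view: escape the value at the point it
    is written into HTML text, so no input can start a new tag."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Any tag in the rendered page other than our own <p> / </p> wrapper.
INJECTED_TAG = re.compile(r"<(?!/?p>)[^>]+>")


def injected_tag_present(page: str) -> bool:
    """True if the rendered page contains a tag the template did not emit."""
    return INJECTED_TAG.search(page) is not None


def compare() -> dict:
    """Map each sample to (tag injected via filtering, tag injected via encoding)."""
    return {
        s: (
            injected_tag_present(render_with_filtering(s)),
            injected_tag_present(render_with_output_encoding(s)),
        )
        for s in SAMPLES
    }


if __name__ == "__main__":
    for sample, (filtered, encoded) in compare().items():
        print(f"{sample!r:35} filtering->{filtered}  encoding->{encoded}")
```

The filter catches only the pattern it was written for, while encoding at the output boundary holds for every input, which is why the third interview answer signals the deeper understanding.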
-1

It depends on the skills and experience of the person interviewing you.

Do your homework on them and then base your responses according to their level.

Matthew