These are my personal preparation notes for security engineering roles (or any cybersecurity roles for that matter). I get these questions from a variety of sources around the internet. I try to answer in my own words.
If you are preparing for the same role, just remember - don't memorize. That's how I'm approaching it. If I'm completely lost on a question, I won't even bother putting it down here.
I contemplated doing one for software engineering but found that the easiest way to prepare for it is just to live and breathe algorithm analysis. That and there are just way too many resources for becoming a software engineer and not enough for becoming a security engineer.
I admit, it's tough for sure, like drinking from a fire hydrant. On top of that, having to practice my social skills and interviewing skills...
Disclaimer to employers: I will not reveal any actual interview questions. Any interview questions here are ones I found on the internet (such as on Glassdoor).
Questions (and Answers)
- "What is \r?" Carriage return. It'll move the cursor back to position 0. Different from \n, which will return the cursor back to position 0 on the next line. Apparently useful for older devices. This is ridiculous. Useful but ridiculous. Imagine a 10-minute lesson on \n...
- "Describe in detail how traceroute works." This command does what it sounds like, it traces routes. It tells you the time it takes to get from one hop (or node) to the next. It tells you about the device (like identity and latency) that it hops to.
- "How would you go about securing a web server?" This is an "in general" answer. Remove unnecessary services. Remove unused applications. Close off remote access. Separate environments, for example, production, testing and development. Watch for who has what permissions and privileges. Regularly install stable patches and security patches. Audit often. Regularly red team and blue team the web server. Continue to be educated (personally or as a team).
- "Write a function to determine if an input is a power of 2." Look at the binary of the powers of 2. For example, 00000000 is 0, 00000001 is 1, 00000010 is 2, 00000100 is 4, etc. Then build cases. For example, if the input number is an odd number or not a number, return an error. No need to check. Write a function or use something built-in that converts the input number to binary. Then compare. An alternative is to keep dividing by 2 until it gets to 1. This is probably better as it's easier. The idea is the same with figuring out if there is a negative involved. You just keep multiplying. As usual, if it's an odd number, don't even bother.
- "Describe a TCP handshake." This is what a typical handshake session looks like:
Client --SYN--> Server
Client <--ACK/SYN-- Server
Client --ACK--> Server
The question that usually follows is, "why?" The answer is because we want to ensure that the packets are actually delivered. To avoid the handshakes, just use UDP. So, the transactions require some explanation. First the client sends a SYN and gives a sequence number to the server. The server ACKs (acknowledges) the sequence number and then does the same: it generates and sends a sequence number to the client. The client then acknowledges and sends the ACK packet to the server.
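The sequence-number bookkeeping in the handshake above, as an added example that is not part of the original notes. It is a pure in-memory simulation (no sockets); the `Segment` class, the function names and the sample sequence numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    flags: frozenset
    seq: int
    ack: Optional[int] = None


def nxt(n):
    """A SYN consumes one sequence number, so the peer acknowledges n + 1."""
    return (n + 1) % SEQ_MOD


def client_syn(client_isn):
    return Segment(frozenset({"SYN"}), client_isn)


def server_syn_ack(syn, server_isn):
    if syn.flags != {"SYN"}:
        raise ValueError("expected a bare SYN")
    return Segment(frozenset({"SYN", "ACK"}), server_isn, nxt(syn.seq))


def client_ack(syn, syn_ack):
    # The client only proceeds if the server acknowledged the client's own ISN.
    if syn_ack.flags != {"SYN", "ACK"} or syn_ack.ack != nxt(syn.seq):
        raise ValueError("SYN-ACK does not acknowledge our sequence number")
    return Segment(frozenset({"ACK"}), nxt(syn.seq), nxt(syn_ack.seq))


def server_accepts(syn_ack, ack):
    """Step 3 on the server: the ACK must acknowledge the server's ISN."""
    return (ack.flags == {"ACK"} and ack.ack == nxt(syn_ack.seq)
            and ack.seq == syn_ack.ack)


def handshake(client_isn, server_isn):
    syn = client_syn(client_isn)
    syn_ack = server_syn_ack(syn, server_isn)
    ack = client_ack(syn, syn_ack)
    return syn, syn_ack, ack, server_accepts(syn_ack, ack)


if __name__ == "__main__":
    # Constructed initial sequence numbers (ISNs), chosen to show wrap-around.
    for seg in handshake(1000, 2 ** 32 - 1)[:3]:
        print(sorted(seg.flags), "seq =", seg.seq, "ack =", seg.ack)
```

An ACK whose acknowledgement number does not match the server's sequence number plus one fails `server_accepts`, which is why each side can tell that the other actually received its SYN.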
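For the power-of-2 question further up, one way to write the function (an added example, not part of the original notes). It follows the "keep dividing by 2" and "keep multiplying" ideas, goes beyond the integer case by accepting fractions such as 0.25, and assumes that 1 counts as 2^0; the function names are made up for this example.

```python
import math
from fractions import Fraction


def is_power_of_two(value):
    """True if value == 2**k for some integer k (k may be negative)."""
    # bool is a subclass of int, so reject it explicitly along with non-numbers.
    if isinstance(value, bool) or not isinstance(value, (int, float, Fraction)):
        raise TypeError("expected an int, float or Fraction")
    if isinstance(value, float) and not math.isfinite(value):
        return False  # nan and +/-inf are never powers of two
    x = Fraction(value)  # exact: every finite float is a binary fraction
    if x <= 0:
        return False
    while x > 1:   # positive exponents: keep dividing by 2
        x /= 2
    while x < 1:   # negative exponents: keep multiplying by 2
        x *= 2
    return x == 1


def has_single_set_bit(n):
    """The 'look at the binary' approach, for integers only."""
    return n > 0 and bin(n).count("1") == 1


if __name__ == "__main__":
    for sample in (0, 1, 2, 6, 1024, -8, 0.25, 0.3):
        print(sample, is_power_of_two(sample))
```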
- "What is buffer overflow?" A buffer overflow is a class of attack where the program goes out of bounds of what's allocated for the memory space. Typically this'll crash the program.
- "What are common web vulnerabilities?" SQL injection, XSS, poor (or no) security configuration, social engineering (not sure if it counts, but it's a viable attack surface), unvalidated redirects, unvalidated forwards.
- "What is the opposite function of malloc() in C?" free()
- "What Unix function lets a socket receive connections?" listen()
- "How many bytes are necessary to store a MAC address?" 6 in binary; 12 in hexadecimal (17 with delimiters)
- "Sort the time taken by: CPU register read, disk seek, context switch, system memory read." CPU register read, system memory read, context switch, disk seek. From fastest to slowest. Hint, context switch is a problem for microkernels.
- "What is a Linux inode?" I actually agree with the answer that it's "a unique file identifier for any given file system." Not sure why the insistence on metadata. From here, it suggests that it's interchangeable. So, you can also say that "an inode is metadata of the data." I worry that answering this based on the first thing that comes to my mind will penalize me.
- "What Linux function takes a path and returns an inode?" stat(), fstat(), lstat(), fstatat(); stat for status, fstat for file descriptor status, lstat for symbolic link status, fstatat for status relative to a directory file descriptor
- "What is the name of the KILL signal?" Terminate? I would've gone for SIGKILL and the signal code if I remember that as well (9). Also not sure why the answer is wrong.
- "Why Quicksort is the best sorting method?" It's not. It has an O(n^2). In practice, I agree that: ""big-O" ignores data storage latencies, topology, volume, available memory, and even the computational cost of every CPU instructions involved in a given implementation – instead, it merely counts the number of algorithmic operations! Big-O can be a valuable indication when designing algorithms but the best performing and scaling solution depends on the particular constraints of any specific problem and environment."
- "There's an array of 10,000 16-bit values, how do you count the bits most efficiently?" Then ... I think they wanted a hash table? I suppose the correct answer is a hash table. Not sure what's wrong with that person's answer though. I can't deny that you can use a hash table for just about everything including this problem.
- "What is the type of the packets exchanged to establish a TCP connection?" SYN, SYN-ACK and ACK (synchronize and acknowledge)
- "Explain CSRF." CSRF is short for cross site request forgery. The best way to think of it is as "session riding." The attacker takes advantage of the authenticated user.
- "Explain same origin policy." It's a policy that dictates that the site and the following site come from the same origin. It's dictated by URI scheme, host name and port number. It tries to prevent the attacker from taking advantage of that site's DOM (Document Object Model). As an example, http://siferaseph.com is different from https://www.siferaseph.com.
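The scheme, host name and port comparison from the same origin policy answer above, as an added example that is not part of the original notes. It is a simplification of what browsers do (http and https URLs only, no internationalized host names), and the function names are made up for this example.

```python
from urllib.parse import urlsplit

# Default ports are implied when a URL does not spell one out.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased by urlsplit; None if missing
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port


def origin_diff(url_a, url_b):
    """Name the origin components in which the two URLs differ."""
    names = ("scheme", "host", "port")
    return [n for n, a, b in zip(names, origin(url_a), origin(url_b)) if a != b]


def same_origin(url_a, url_b):
    # Path, query and fragment are ignored; only the triple matters.
    return not origin_diff(url_a, url_b)


if __name__ == "__main__":
    pairs = [
        ("http://siferaseph.com", "https://www.siferaseph.com"),
        ("http://siferaseph.com/a", "http://siferaseph.com:80/b?x=1"),
        ("https://siferaseph.com", "https://siferaseph.com:8443"),
    ]
    for a, b in pairs:
        print(a, b, same_origin(a, b), origin_diff(a, b))
```

For the pair from the answer, all three components differ: the scheme, the host name (`www.` makes it a different host) and the implied port (80 versus 443).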
|mov src, dest
|add src, dest
|sub src, dest