But that doesn’t mean job interviews are easy. As a security leader with an impressive list of certifications, David O’Berry expects analysts to know the ins and outs of networking and operating systems. He also looks for resourceful professionals who use their insatiable curiosity to stay one step ahead of hackers and cybercrooks.
“I don’t need someone to check off items on a to-do list or sit on the sidelines,” says O’Berry, worldwide technical strategist for security software provider McAfee. “I don’t care whether they’re 65 or a 14 year-old-rock star. I need someone who can think outside the box.”
We asked O’Berry to share some of the questions he asks during job interviews.
What’s the most interesting project you’ve worked on in the last six months?
- What Most People Say: “I worked on a biometric authentication project which helped me expand my foundational skill set.”
- What You Should Say: “I analyzed the effectiveness of a biometric-based remote user authentication scheme using smart cards. Using a range of assumptions, my analysis revealed weaknesses that would allow hackers to intercept messages between the user and the server or thwart security schemes. I recommended enhancements that remedied most of the issues. The project was groundbreaking because it elevated everything we did as an organization.”
- Why You Should Say It: It paints a picture for the interviewer and highlights your analytical prowess by walking them though every step in the analysis process, O’Berry says. If you need to improve your story-telling skills, he recommends Peter Gruber’s book Tell to Win.
Explain the difference between local and network authentication and walk me through the authentication process.
- What Most People Say: “I’m not sure what the differences are, but I know there’s a file that authenticates the user name and password when someone logs on.”
- What You Should Say: “A database authenticates the user’s name and password when they aren’t connecting to a network. A Windows network uses active directory authentication. Let me walk you through the steps in the process, including the use of SAML, X.500 directory service and its components.”
- Why You Should Say It: To identify vulnerabilities, a security analyst must understand each step in the authentication process, how it manages identities and unites distributed resources.
“I want to see how far you can go in describing the start-up process,” O’Berry says. “Competent analysts don’t use buzzwords. They demonstrate an in-depth understanding of each step, each mechanism and object as well as the authentication framework.”
Without using semantics, tell me how a computer boots up.
- What Most Candidates Say: “You push the button and a splash screen pops up.”
- What You Should Say: “Here’s an overview of the chain of events and the tasks that are carried out during a general booting sequence. When you hit the power button, the CPU pins are reset and registers are set to specific value. Then, the CPU jumps to address of BIOS (0xFFFF0),” etc.
- Why You Should Say It: Security analysts need to understand computers and networking to find their vulnerabilities. O’Berry says he won’t hire anyone who can’t describe the chain of events that takes place behind the logo of Windows XP/Vista/7 or Linux.
We’re looking to implement a new security event manager. Describe your approach.
- What Most Candidates Say: “I would review logs to spot anomalies that could be problematic.”
- What You Should Say: “Since the heart of security information and event management is correlation, I would conduct high-performance, real-time analysis and multi-dimensional correlation by creating a procedure to pull disparate streams of information into the event manager.”
- Why You Should Say It: It’s impossible to review logs in a large organization, according to O’Berry. The preferred answer exhibits the fundamental skills and outside-the-box thinking he’s looking for.