Assessing a cyber security candidate

I typically assess a senior cyber security candidate across 7 basic domains for a technical interview, before I actually jump into security. Sometimes, a candidate is so good in these domains that asking questions about security becomes an afterthought. A quick check of fundamentals actually helps me understand where the candidate is coming from and whether he can actually leverage his technical skills in real security engagements. Since these domains are broad, the assessment of fundamentals will depend on the previous experience a candidate has. For instance, I would not expect a college grad to know the complete ins and outs of Active Directory, but I would expect him to know programming, scripting, Linux, VMs and algorithms. A SOC guy should know network security, pcap analysis, protocols, BPF/ filters and elementary scripting. An experienced pentester is supposed to know almost all of the mentioned domains. At the end of the day, YMMV.

Tools are not going to make you a hacker; always remember what Gray Fox said -
"Only a fool trusts his life to a weapon"
These domains form the bread-and-butter basics of any good computer security candidate and enable him to understand the cross-functional world from the point of view of an architect, an operations analyst, an incident responder, a developer, a packet mangler or simply an adviser.

Depending upon the feedback of this article, I may share some good to have domains as well.

Nevertheless, here are the domains:
  1. OS Fundamentals / Software - This is a big one; without these, your attack vectors typically fall flat. Windows and Linux are mandatory. Can you set up a working environment for your own security setup from scratch? Comfortable with VMs? Docker? Jailed environments?
  2. Network/ Network Security - Routers, switches, load balancers et al, be it software or hardware. Are the concepts clear? Considering that a lot of the hardware is now virtualized/ customized and is being offered as a service by big providers, and every now and then an attack/ exploit emerges that leverages misconfigurations in these systems/ services, these things are important. Can you understand a pcap? Do you understand routing? If there is one thing that studying Phenoelit early on taught me, it was to understand the network and routing properly.
  3. Active Directory/ LDAP - I simply can't overstate the importance of AD/ LDAP when it comes to security. Considering how they function as the backbone of the enterprise, you are bound to encounter these. Having good fundamentals around these gives you a good head start when you actually pentest these environments.
  4. Servers/ Web services/ APIs - Servers and web application basics: how they work, how they are deployed, and do you know how to secure them? Fundamentals are important here. You may be able to find a bug in an application, but in case you can't fix the application per se, can you secure, or advise correctly about securing, the environment itself? How are application headers used? Do you know how to interact with an API? Can you create your own? Do you operate any website/ web service? How do you scale it?
  5. Programming/ Scripting - Any one programming or scripting language you are comfortable with - Python/ Ruby/ bash/ PowerShell et al. Doesn't matter what it is. Can you read code? Can you comprehend patterns? Can you write pseudocode? Do you have a fundamental understanding of algorithms?
  6. Hardware - It is good to have knowledge of hardware basics; you should be comfortable with at least setting up platforms like Raspberry Pi, BeagleBone et al. Can you identify pinouts on an unknown board? Can you read technical manuals? What is your portable platform of choice? Can you set up your own VPN environment on a Raspberry Pi and hook it up with your test laptop?
  7. Architecture/ Tooling - A typical question starts like this: create a full-fledged network for 100 people with everything included, LAN, WAN, web services, email et al. Now design for 1000 people. Now for 10K people. Now let's break it systematically - how will you break it? What attack vectors? What if Burp Suite is not available? Can you leverage curl? How can we improve it?

These domains are absolute essentials; platforms and tools may make you a bug hunter, but knowledge of these will make you a better one.
There you go: if you know these, you already have a healthy background in computer security basics, and I wish you the best of luck.

This was crossposted at Fruxlabs Team blog.