# Technical Interview Prep - 06 / 29 / 2020

## Question 1: What's more secure: SSL, TLS, or HTTPS?

### Point of the Question:

- To show that you know the differences/similarities between SSL, TLS and HTTPS, giving a definition of all three
- Making sure you understand the security concepts behind each of them

### Things to Avoid:

- Trick question!
- Don't go into the minutiae of how TLS/SSL works (TLS handshake, certificate authorities)
- TLS/SSL is used as part of HTTPS to encrypt data in transit.

### Solid Answer:

- TLS is the more secure protocol; it is the improved successor to SSL
- HTTPS > HTTP; HTTPS is the more secure protocol
- TLS/SSL are PART of HTTPS. HTTPS uses the TLS/SSL protocol to encrypt data in transit and thereby provides security
- HTTPS and TLS/SSL don't really fit into a particular OSI model layer. They sit within the upper layers, such as the application or presentation layer.
- Resource: https://security.stackexchange.com/questions/93333/what-layer-is-tls/93338#93338

### Possible Follow-Ups:

- Can you tell me more about the application of the OSI model?
- Can you tell me more about how HTTPS works over the application layer?

## Question 2: What's the goal of information security within an organization?

### Point of the Question:

- To see if the individual understands that businesses exist to make a profit and serve clients. This question is to see how you view the infosec function within the company.

### Things to Avoid:

- Don't define what information security is; the interviewers already know this. They want to see your perspective on what a company's security team does for the company.

### Solid Answer:

- Helping the organization accomplish its goals, stay up, and remain available to its customers without compromising any of the clients' information.
- Helping the company keep its clients' data protected and trusted.

### Possible Follow-Ups:

- Giving examples of different security scenarios within the company and asking you to explain them from a security perspective
- CIA / AAA

## Question 3: As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities?

### Point of the Question:

- Opinion-based question; they want to see your knowledge of both threats and vulnerabilities, and how well you can articulate your opinion.

### Things to Avoid:

- Don't start defining threats vs. vulnerabilities. They are under the impression you already know what these are, and want to see a deeper understanding of how they pertain to an organization/security model.

### Solid Answer:

- Vulnerabilities should be the main focus, because you can actually control them internally within the organization, whereas threats cannot be controlled.
- On the other hand, threats should be the main focus because:
  - you can PLAN for them and make changes inside the org to secure against threats
  - vulnerabilities have a lot of unknowns around them, so knowing the threat vectors can be more time-efficient
- OR, you have to take both into account by looking at RISK (threats x vulnerabilities), prioritizing things that are high risk and addressing them first

### Possible Follow-Ups:

- They might ask you to give them an example scenario of what threats/vulnerabilities/risks are.
- Maybe you can follow up with them about the company's priorities when it comes to threats vs. vulnerabilities, if the conversation opens up and is flowing!

## Question 4: Where do you get your security news from?

### Point of the Question:

- To see whether the applicant is in tune with / up to date on the security industry, knowing about the market and the different threat vectors / vulnerabilities out there

### Things to Avoid:

- Don't just say you go to a news website like WSJ, NYTimes, CNET... they want to see that you're taking proactive measures to get security news and are seeking it out!

### Solid Answers:

- reddit
- twitter
- podcasts
- Krebs on Security
- ZDNet
- Threatpost
- The Daily Swig

### Possible Follow-Ups:

- What is an interesting security news item that you came across recently?
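To make the Question 1 point concrete ("TLS is the improved successor to SSL, and HTTPS is HTTP carried over it"), here is an added example using Python's standard `ssl` module; it is not part of the prep notes. It builds a permissive client context beside a hardened one and reports which protocol versions each policy would accept, without opening any network connection. The helper names (`permissive_context`, `hardened_context`, `accepted_versions`, `verifies_peer`) are this example's own.

```python
"""Added example: legacy SSL/TLS settings beside a hardened TLS 1.2+ policy."""
import ssl

# Protocol versions ordered oldest (least secure) to newest.
VERSION_ORDER = [
    (ssl.TLSVersion.SSLv3, "SSLv3"),
    (ssl.TLSVersion.TLSv1, "TLSv1"),
    (ssl.TLSVersion.TLSv1_1, "TLSv1.1"),
    (ssl.TLSVersion.TLSv1_2, "TLSv1.2"),
    (ssl.TLSVersion.TLSv1_3, "TLSv1.3"),
]


def permissive_context() -> ssl.SSLContext:
    """Weak setting: no floor on the protocol version and no certificate check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: TLS 1.2 or newer, with certificate and hostname checks."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression disabled
    return ctx


def accepted_versions(ctx: ssl.SSLContext) -> list:
    """Protocol versions this context's policy allows, oldest first.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean "whatever the OpenSSL build
    permits"; they are mapped here to SSLv3 and TLS 1.3 respectively.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for ver, name in VERSION_ORDER if lo <= ver <= hi]


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context both validates the certificate chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(f"{label}: versions={accepted_versions(ctx)} verifies_peer={verifies_peer(ctx)}")
```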