“As a dreamer of dreams and a travelin’ man
I have chalked up many a mile
Read dozens of books about heroes and crooks
And I’ve learned much from both of their style” —Jimmy Buffet
In the last few days I’ve had the opportunity to chat with a young bright and rising techie about transitioning into the realm of InfoSec. Now this transition didn’t just crop up one afternoon while looking at statements from SallieMae related to school dept. It has been looming on the horizon for a while. The signs were evident, VMs with multiple environments for experimentation, a podcast list gone way beyond Security Now. A noble pirate friend of mine once mentioned in a class, “You never forget your first shell”… – the one you get all by your own craftiness, not following a detailed list from a blog post. I remember when my young friend sent an email announcing that he had found and exploited an entire AD infrastructure including hashes, pivots to new systems, and ex-filtration of the data. What excitement did we both share! As a disclaimer, the pwnage in question was within the approved environment of the class. But now the reality draws into view, an interview for a position is opening up to begin working within the InfoSec environment of a company. A position that offers challenge and a sense of wonderment coupled with some underlying fear.
The questions seem to come fast and furious, what will they ask? What should I be asking? How can I separate the wheat from the chaff? These questions caused me to pause, and reflect on my experience.
Based on the job description, which should be thoroughly read for what appears, and what is missing. Learn to read between the lines for what may be desired in the role without being specifically mentioned. Don’t be afraid to honestly say when you can’t answer a technical question. Sometimes you may get that same question rephrased in a way that allows you to provide more than just a sheepish grin. But what I think is the most important thing, may be what you ask the company. Not about salary, benefits, or PTO, but, about soul of the team. A wise friend once cautioned me about a role I was taking inside a company. We both knew the landscape, pitfalls, and challenges. Looking back we both laughed, when I agreed that it may have been the most miserable time in my life.
Some of the following topics you may agree with. Others may cause you to reply with malicious PDF or DOCX files linking back to a Flash embed on a compromised Tomcat server. I get it, I really do. But if nothing else I hope that maybe this will help me and potentially others, those of us with some time in InfoSec, to think about how we can impact and mentor those bright young minds coming into our sphere of influence.
When I think of what I want to know about a position these are some of the things that come to mind. In some ways, it almost seems like a social engineering experiment. It pays to be nice, and thoughtful in how you ask questions. You may not have the opportunity to ask any or all of these. But the feedback to you is critical in determining if you fit them, and they fit you. Loads of money will not make this fit any better.
Not in any particular order, criticality, or personal importance are the following.
- When you meet with the various folks during an interview what do you observe from the staff?
- Do un-attended systems appear to be locked?
Do entry to the offices, data center, etc. appear secure?
Do you see sealed shred bins?
Are the staff friendly, or are they wary?
- Do un-attended systems appear to be locked?
- I have found that asking when the last time a C-suite person got barbed up over a credential change brings up interesting responses. If they say, “never happens…”
- Either one of a few things exist. Possibly they have the best support desk in the universe. Or, the C-suite doesn’t have to change their credentials.
- This would be an interesting time to carefully ask if their multi-factor implementation was completed. If they give the sheepish grin, then some folks have been “granted special exemptions” from what policies may exist.
- And multi factor is not even on the road map.
- If you get the feeling that the policies may be open to situational interpretation based on person involved, they are.
- How did their last incident response go? For the teams that I’m part of, we treat every incident as real and use it for training. Some of these incidents (Virus\malware compromised machine to something worse) are straight out of the blue, others are drills developed from real world examples. Never let someone’s crisis go to waste. Now we don’t go stand up the entire IRT and call Mandiant, but we make sure that the perishable knowledge gets refreshed and the incident response plan is current.
- If they haven’t had an incident (real or drill) they are either have blind luck, or are blind.
- I am always curious about the leadership style of my supervisors.
- Coach or tyrant?
- My wife has the curious gift of getting a feel for how people are at their core. She has warned me on several occasions, which I ignored to my own detriment. How is your vibe with the staff? Leadership?
- What are they reading?
- I have asked how my leaders feel they relate to their staff. Do it seem genuine.
- How do they handle change management?
- I’ve fallen in love with much of the ITIL framework. Maybe you should too…
- Is the company under any regulatory governance- HIPPA, PCI-DSS, DoD, etc.
- What do they see as the greatest challenges to meeting these regulatory standards?
Seems that there should be lots more? Hopefully this may spark some discussion to further frame this topic. Yes, I know you can’t interrogate a prospective employer; however, if you practice, make nice, and seriously interested, you may be surprised on what you can discover.
“Where it all ends I can’t fathom, my friends
If I knew, I might toss out my anchor
So I’ll cruise along always searchin’ for songs
Not a lawyer, a thief or a banker”