The necessary skills for an interview with the Security Information Department. Don't panic if these situations occur in the workplace. If you want to work hard and climb up, you must be fully prepared. Learning to communicate with different kinds of people is a compulsory course in the workplace, and the workplace does not believe in tears. Below are the necessary skills for an interview with the Security Information Department.
Skills for the Security Information Department interview, Part 1
1. What is network security?
Network security is the practice of protecting systems, networks and programs from digital attacks. These attacks are usually aimed at accessing, changing or destroying sensitive information, extorting money from users, or interrupting normal business processes.
2. How to defend against cyber attacks?
A successful network security approach protects computers, networks, programs and data at multiple levels. In an organization, people, processes and technologies must complement each other in order to defend effectively against cyber attacks.
3. What's the difference between closed-source and open-source programs?
Closed source is typical of commercially developed programs. You receive an executable file that runs and does its job, but you cannot see inside it. Open source, by contrast, provides the source code, so you can inspect everything it does, and change and recompile the code yourself.
4. Which is better?
There are arguments for and against both, most of them related to auditing and accountability. Closed-source advocates claim that open source causes problems because everyone can see exactly how it works and take advantage of weaknesses in the program. Open-source advocates counter that, because closed-source programs provide no way to inspect them completely, problems beyond a certain level are hard to find and fix.
5. What is SSL?
SSL is a standard security technology used to create an encrypted link between a server and a client (usually a web server and a web browser).
6. What are the differences between threats, vulnerabilities and risks?
Threat: anything that can intentionally or unintentionally exploit a vulnerability to obtain, damage or destroy an asset. Threats are what we are trying to guard against.
Vulnerability: a weakness or gap in a security program that a threat may exploit to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection work.
Risk: the possibility that an asset will be lost, damaged or destroyed because a threat exploits a vulnerability. Risk is the intersection of threats and vulnerabilities.
7. How do you report risks?
Risks can be reported, but they need to be assessed first. There are two ways of assessing risk: quantitative analysis and qualitative analysis. Between them, these methods cater to both technical and business people: business people can see the possible monetary loss, while technicians see the impact and frequency. Depending on the audience, risks can be assessed and reported accordingly.
8. What is a firewall?
A firewall is a part of a computer system or network designed to block unauthorized access while still allowing outward communication.
9. What is XSS (Cross-Site Scripting)?
Cross-site scripting is usually classified as a client-side code injection attack, in which the attacker gets to execute scripts, which can be malicious, in a web application or a legitimate website. This type of attack is typically seen where a web application uses unencoded or unvalidated user input within the output it generates.
10. Why is SSL not enough for encryption?
SSL is authentication, not hard data encryption. Its purpose is to prove that the party you are talking to at the other end is who they say they are. SSL/TLS is used almost everywhere on the internet, but the problem is that it is a huge target, attacked mainly through its implementations and through known attack methods. Therefore, in some cases SSL can be stripped, so it is a very good idea to protect both data in transit and data at rest.
11. Which is more secure, SSL or HTTPS?
SSL (Secure Sockets Layer) is a protocol that enables secure conversations between two or more parties over the Internet. HTTPS (Hypertext Transfer Protocol Secure) is a combination of HTTP and SSL, which gives you a more secure, encrypted browsing experience. SSL is more secure than HTTP.
12. What is the difference between encryption and hashing?
Encryption is reversible, while hashing is irreversible. A hash can be cracked with a rainbow table, but it still cannot be reversed. Encryption ensures confidentiality, while hashing ensures integrity.
13. What's the difference between symmetric encryption and asymmetric encryption?
Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses different keys for encryption and decryption. Symmetric encryption is usually much faster, but the key has to be transmitted over an unencrypted channel. Asymmetric encryption, on the other hand, is safer but slower. Therefore a hybrid approach is preferred: use asymmetric encryption to set up the channel, then use the symmetric process to send the data.
14. What's the difference between UDP and TCP?
They are both protocols for sending packets over the Internet, and both are built on the Internet Protocol. TCP stands for Transmission Control Protocol and is the more commonly used. It numbers the packets it sends to ensure that the receiver receives them. UDP stands for User Datagram Protocol. Although it operates similarly to TCP, it does not use TCP's checking functions, which speeds the process up but reduces its reliability.
15. What's the difference between a black hat and a white hat?
A black hat hacker, or simply "black hat", is the type of hacker the mass media focus on. Black hat hackers violate computer security for personal gain (such as stealing credit card numbers or harvesting personal data to sell to identity thieves) or out of pure malice (such as building botnets and using them to launch DDoS attacks on websites they dislike).
A white hat hacker is the opposite of a black hat hacker. White hats, also called ethical hackers, are experts in compromising computer security systems. They use their abilities for good, ethical and legal purposes rather than bad, unethical and criminal ends.
Skills for the Security Information Department interview, Part 2: necessary skills for the interview
With more and more qualified information security professionals, competition in interviews is becoming fiercer. For this reason, a person's interview performance ultimately determines the result. Overestimating your interview skills or underestimating your competitors may lead to disaster, while proper preparation makes the difference between being hired and not. Before you attend an interview for an information security position, here are some guidelines to help you prepare.
Understand which information security issues threaten the company. When a company decides to add information security staff, it may be because it has found its current workforce understaffed, or because it faces brand-new business challenges that need a certain level of expertise. Find out why the company wants to hire before the interview, so that you can show your experience in the employer's field.
In many cases this can be determined by studying the information security concerns of the prospective employer's industry. For example, retailers may focus on the Payment Card Industry Data Security Standard, health care organizations must pay attention to HIPAA and to protecting medical records, and technology companies need expertise in secure software development. It is also a good idea to read the company's latest news, and even the annual report released to investors, to collect events that highlight information security issues. Even a company's marketing brochure can help you determine how security has become a selling point.
Take the job description as a guide, but don't take it as gospel. Before interviewing for an information security position, what a candidate most needs to know may be the description of the position. Job descriptions give job seekers good guidance, but they often fail to convey what the employer really wants. There are many reasons why an information security job description should not be the only basis for preparing for an interview.
First of all, it is not clear who wrote the job description. Many times, job descriptions are drafted by hiring managers and then written up by human resources staff. As in many communication processes, some elements get "lost in translation". The information in the job description can therefore be misleading, leading candidates to emphasize information security skills that are irrelevant to the interview team. In addition, relying on the job description often inadvertently limits the candidate's preparation to the information security topics it mentions. And because job descriptions often change over time, the current one may be out of date while the demand for information security skills has moved on.
Finally, the job description will generally list the required information security skills, but it will not help the candidate with the company culture. Many times, when candidates interview according to the job description, their responses seem scripted and mechanical, and they fail to show enthusiasm. Passion is regarded as a prerequisite for most information security leadership positions.
Know the people who are interviewing you. When interviewing for information security leadership positions, the interview team may consist of many different members. All of these interviewers are looking for candidates who can make their jobs easier. For them, a decisive factor will be knowing how information security affects their specific professional fields and how your experience as an information security expert can help solve their particular problems. It is important for candidates to learn as much as possible about the interviewers and their roles before the interview.
First, get an interview schedule before the interview, usually from human resources or the recruiter. Use the schedule to learn each interviewer's position and to work out how you would interact with them in the information security role you are applying for. It is also a good idea to search for the interviewers on Google or look at their resumes. Doing this homework helps you understand their background, interests, time at the company and other information. All of this will help you answer their questions better in the interview, and let you connect your information security experience more closely to their specific needs.
Review the professional skills listed on your resume. During the interview, the interviewer will test the candidate's technical knowledge of information security. Most likely, the interviewer will refer to the candidate's resume and probe technical questions related to the skills listed there. Generally speaking, if a professional skill is listed on the resume, it will often become a key question from the interviewer. Before attending an information security job interview, make sure you have reviewed your resume and are ready to answer questions about your professional skills. If you can dig out old technical manuals and study guides before the interview and review them, it certainly won't hurt.
Generally speaking, the interview process is tense. Preparing fully for the interview and following the suggestions above can help you stay calm and give you extra confidence. Showing confidence lets the interviewer concentrate better on the interview, leaves a good impression, and increases your chances of moving on to the next stage.
Skills for the Security Information Department interview, Part 3
1. What is a salt?
A salt is, at its most basic, random data. When a properly protected password system receives a new password, it creates a hash value for the password and a new random salt value, and then stores the combined value in its database. This helps prevent dictionary attacks and known-hash attacks. For example, if a user uses the same password on two different systems, and both systems use the same hash algorithm, they may end up with the same hash value. However, even if a system uses a common hash algorithm, with a salt the stored value is different.
2. What is protection of data in transit and protection of data at rest?
Data is considered at rest when it is only protected on the database or the hard disk; data moving from the server to the client is in transit. Many servers run one or the other, such as protected SQL databases or VPN connections, but not many do both at the same time, mainly because of the extra resources consumed. However, both are good practice, even if it takes longer.
3. What is the difference between a vulnerability and an exploit?
A vulnerability is a defect in a system, or in some software on the system, which can give attackers a way to bypass the security infrastructure of the host operating system or of the software itself. It is not an open door, but a weakness that can be exploited in an attack.
An exploit is a practical method of turning a vulnerability (a weakness) into a way into the system. In other words, it is what turns the vulnerability into a workable means of attacking the system.
4. What is the difference between information protection and information assurance?
Information protection sounds like protecting information by using encryption, security software and other methods to keep it secure. Information assurance, on the other hand, is more about maintaining the reliability of data: RAID configurations, backups, non-repudiation techniques and so on.
5. What is exfiltration?
Infiltration is how you bring or smuggle elements into a place. Exfiltration is the opposite: getting sensitive information or objects out of a location without being discovered. In a high-security environment this may be very difficult, but it is not impossible.
6. What is a chain of custody?
Chain of custody refers to the documents and/or written records, arranged in chronological order, that show the custody, control, transfer, analysis and disposition of evidence, whether physical or electronic.
7. What is a simple way to configure the network so that only a specific computer can log in from a specific jack?
Sticky ports are one of a network administrator's best friends and one of their biggest headaches. They let you set up the network so that only one computer (or however many you specify) per switch port is allowed to connect to that port, by locking it to a specific MAC address. If any other computer is plugged into the port, the port shuts down and you receive a call saying they can no longer connect. If you were the person who ran all the network connections in the first place, this is not a big problem. Likewise, if the setup is predictable, it is not a problem. However, if you work in an existing network where chaos is the norm, you may end up spending some time finding out exactly what is connected where.
8. What is traceroute?
Traceroute (or tracert) helps you see where a communication failure occurred. It shows the routers you pass through on the way to the final destination. If somewhere along the path there is no connection, you can see where that happens.
9. What's the difference between software testing and penetration testing?
Software testing focuses only on the functionality of the software, not on its security. Penetration testing helps identify and fix security vulnerabilities.
10. How can cross-site scripting attacks be prevented?
Use appropriate sanitizers to prevent cross-site scripting attacks. Web developers must pay attention to the gateways through which they receive information, and these gateways must act as a barrier against malicious input. Some software or applications can help with this, such as XSS Me for Firefox and DOMSnitch for Google Chrome.
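The point made in question 9 of Part 1 and again here, that XSS arises when unencoded user input lands in generated output, as an added example in Python (not code from the original article). The sample input is constructed for illustration; the renderers and the crude check are hypothetical names chosen for this demo.

```python
import html

# Constructed sample input: what someone might type into a "display
# name" field. Purely illustrative; no real site is involved.
USER_INPUT = '<script>alert(1)</script>Bob'

def render_unencoded(name: str) -> str:
    # Vulnerable pattern: user input is concatenated straight into the
    # HTML the server generates, so any markup in it becomes live.
    return "<p>Welcome, " + name + "!</p>"

def render_encoded(name: str) -> str:
    # Hardened pattern: HTML-encode at the point where the input enters
    # the output, so '<' becomes '&lt;' and is displayed, not executed.
    return "<p>Welcome, " + html.escape(name, quote=True) + "!</p>"

def render_attribute_encoded(name: str) -> str:
    # The same rule inside a quoted attribute: quote=True also encodes
    # '"' and "'" so the input cannot break out of the attribute value.
    return '<input name="display" value="' + html.escape(name, quote=True) + '">'

def contains_live_tag(rendered: str, tag: str = "script") -> bool:
    # Crude visibility check for this demo (not a scanner): is there
    # still a raw opening tag of that name in the generated output?
    return ("<" + tag) in rendered.lower()

if __name__ == "__main__":
    print(render_unencoded(USER_INPUT))   # markup survives intact
    print(render_encoded(USER_INPUT))     # markup shown as text
    print(render_attribute_encoded('a"b'))
```

Encoding must match the output context (HTML body, attribute, JavaScript, URL); html.escape covers the first two shown here, and a templating engine with auto-escaping is the usual way to make that the default.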
11. What is salting?
Salting is the process of extending the length of a password by adding some special characters.
12. What is the use of salting?
If you tend to use simple or common words as passwords, salting makes your password stronger and harder to crack.
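The behaviour described in question 1 of this part and in questions 11 and 12, the same password hashing identically on two systems until each adds its own salt, as an added example in Python (not code from the original article). PBKDF2-HMAC-SHA256 from the standard library is used here as the salted, slow hash; the function names and the constructed password are this demo's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: one user registering the same password on two systems.
PASSWORD = "correct horse battery staple"
ITERATIONS = 100_000  # PBKDF2 work factor for this demo; tune upward in production

def unsalted_hash(password: str) -> str:
    # Plain SHA-256 of the password alone: the same password always gives
    # the same digest, so two systems (or two users) store identical values
    # and one precomputed (rainbow) table lookup hits both.
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # A fresh random salt per password, hashed together with it. The salt
    # is stored next to the digest; it is not secret, it only has to be unique.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def demo() -> dict:
    system_a = make_record(PASSWORD)
    system_b = make_record(PASSWORD)
    return {
        # identical digests without a salt...
        "unsalted_equal": unsalted_hash(PASSWORD) == unsalted_hash(PASSWORD),
        # ...but different once each system adds its own random salt
        "salted_equal": system_a[1] == system_b[1],
        "a_verifies": verify(PASSWORD, system_a),
        "wrong_rejected": verify("password123", system_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```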
13. What is a security misconfiguration?
A security misconfiguration is a vulnerability in which an attacker can take advantage of how a device, application or network is configured. This can be as simple as leaving the default username and password unchanged, or setting too simple a password on a device account.
14. What is the difference between VA and PT?
A vulnerability assessment (VA) is a method of finding vulnerabilities in an application or network, while penetration testing (PT) is the practice of finding exploitable vulnerabilities the way an attacker would. VA is like surveying the ground; PT is digging for the gold.