Security Engineer Mock Interview: How does the Internet work?

  • Published 20 Sep 2024

COMMENTS • 57

  • @johnbrown4200 1 year ago +82

    I interview and screen Security Engineers and Architects a few times a year. 30 years in the field.
    I think these answers suffer just a bit from being disorganized or from an overly technical focus on specific details (e.g. showing off or geeking out about minutiae). This may be fine for distinguishing yourself at the entry level but maybe not the best path forward.
    What I look for in an answer is more of an organized response, and a basic communication skill to consider the audience (interviewer) may not have your same skillset, or interest. Don't try and baffle anyone with BS (even if it is accurate). Examples of personal experience are fine but you have to connect them to the overall answer.
    You could ask if they want the most technical answer (for example, explaining to a peer) or a more general answer (say for a technical manager but not expert on this topic). Have you heard the saying "if you can't explain it to a child, you don't really understand it". Talking to people outside of your skill bubble is an important skill to demonstrate.
    LISTEN to the questions. ASK for clarification. CONSIDER if they want to be wowed with buzzwords and minutiae or not. It is OKAY to think for 5 seconds before you answer.
    Internet: a better answer for a "manager", for example:
    The most important thing to understand is that it is based on all the computers, networks, and data centers agreeing to standardize and use specific network technologies and protocols. Those are TCP/IP, DNS, and some Routing Protocols. This unlocks the inter-operability globally. There were many local and regional networks before the Internet, and often they were proprietary and could not communicate with each other (or did only in a limited fashion). So understanding that standardization opened the interoperability is helpful and gives us these steps:
    Then there are basically five tricks that get resolved here:
    1. Network Address resolution (DNS),
    2. Routing across the globe (BGP, etc.),
    3. Application level session (e.g. browser and webserver in sync on TCP/IP port 443 and your source port),
    4. Encryption across that connection (TLS+ starts asymmetric and then goes symmetric),
    5. Authentication and Authorization (login, MFA, permissions, etc.).
    You can spend 30 seconds on each of those tricks. Use some analogies for examples like (1) sending a letter to someone you have to know their address for the envelope. "Consider the problem this way... You can't just write "Grandma" on the envelope, but you only typed "wikipedia" into the browser... so DNS answers that problem and here is how."
    (2) Your postal carrier does not know how to get to Grandma's house... but they know the "next step" e.g. get it to the local post office, which knows the "next step" and so on. That is how the letter will travel many miles based on "next step" rules. For the network we use the term "next hop". Here is how ISPs do that...
    (3) Your PC and the webserver are likely running dozens of programs, processes, and connections, lots of data to keep track of. This HTTP request has to get sorted so each side knows which application and which data to link it to. Example is calling a hospital and knowing the extension of the party you are calling, extension 443 webserver please. Webserver, this is Patient (source port) 25123, and so on. Now the applications on each side are in sync and actual conversation can happen. (i.e. you understand the problem and how the technology solves for it)
    etc.
    Now, if you want me to spend 5 minutes (or 60) talking deep technical about any part of that overall picture, tell me and I will. I just did that off the top of my head, and it should show. The interview is a chance for you to show that.
    I am not interviewing for someone who has memorized how RSA works under the hood. If you can explain Diffie-Hellman in 30 seconds and it is clear, great... I don't need 5 minutes about it, but can you give me the context of why I care? What problem does that address?
    You will get plenty of "canned" questions and an HR person that asks "tell me more" when they don't understand the answers... they just want to see if you can provide some coherent answer. So figure out quickly your interviewer's skillset and what they want. (That is its own demonstration of problem solving.)
    Just my personal opinion, worth what you paid for it.

    • @tryexponent 1 year ago +3

      Hey John, thank you so much for taking the time to share your thoughts! Really insightful!

    • @Sosovibes22 1 year ago +1

      Thank you, you give me hope

    • @dariuspryor9301 1 year ago +2

      Thank you for this. I'm considering swapping career fields and currently studying for my CompTIA Security+ cert.

    • @dur9118 1 year ago +18

      This is such a typical managerial response. The fact of the matter is, this guy works in offensive sec at Google. If your filtering process would have passed on this guy, your process sucks.
      There's a weird authoritative dynamic that comes with interviewing which is why it is such a horrible way to select employees. Sure there are a lot of people that just bomb questions, but for those that don't it all comes down to "Do I like how this person answered my questions?" which again is just a terrible way to decide if someone is fit for a role.
      An interviewer is just as capable of believing a "wrong" answer is the optimal one, which is why they need to be as open to the idea that their answers are wrong as the interviewee should be. That's engineering. An engineering interview should be much more collaborative, where you discuss and debate which is the best possible path to a desired solution. You always need to be open to the idea that there is a better solution, because there often is.
      I'm not sure where the arrogance in this field comes from, but security seems to attract a lot of "my way or the highway" types, and the only way to pass an interview is to guess correctly what the security manager wants to hear, i.e. their way. That's not engineering. My advice to everyone trying to get a role in security is look at this video and then this hiring manager's response. There was nothing in the interviewee's answer to suggest he would not be more than capable of whatever role he was interviewing for. If you miss a question in an interview, you then know that is an area you need to study up on. If you get the right answer but you get one of these "Well that's not how I would have answered it" or whatever types, just ignore it. Seriously, their feedback is worthless; it's just going to make you more unsure and more self-conscious of your answers going forward. If you get rejected for a role after nailing every answer, just roll your eyes and move on to the next one. Do that again and again until you get an offer and don't look back.

    • @jamodwalker2769 1 year ago

      Thank you for this, this makes a lot of sense. I’m coming into the field of Network Engineer in about 1 to 2 years of experience and can use any book recommendations for a CCNA/P

  • @vishalthakkur3242 1 year ago +27

    Need more of these, sadly not much security interview experience-related content is available compared to a software developer interview.

  • @wtfanupam 2 years ago +14

    Awesome, really amazing. I'm a Cybersecurity Analyst, and to be honest, I'm not that good with programming! But after seeing the video I'm really motivated and now I have a strong reason to improve my programming knowledge.

  • @milkteaboba3348 1 year ago +7

    These are the exact questions I was asked for a sec eng job. Although I was not ready, I definitely learned something out of it!

  • @rishabhranjan7860 1 year ago +3

    The way he explained everything, that was super clear. I'm still trying to get in as a sec engineer, hope I will get the chance as soon as possible.

  • @tryexponent 2 years ago +1

    Thanks for watching! Don't forget to like and subscribe, and go here for 10% off our full software engineering interview course: bit.ly/38ZXXtw

  • @corpuzone 5 months ago

    That’s a very detailed and thorough answer. Maybe more than what’s asked. I would try to limit the uhs and ums because that’s what recruiters/hiring managers pay attention to. You could very much be making up things, but someone who is confident will more than likely not say um and uhs as much. Might come out a bit not as much. What I do is answer in a clear concise method. If the one interviewing asks me for more clarity I'm more than happy to elaborate!

    • @tryexponent 5 months ago

      Hey corpuzone, thanks for the feedback!

  • @JradandYman 2 years ago +4

    This is a phenomenal video! I wish you could interview for me

  • @artolaganus 4 months ago +1

    This looks like a memorisation test.
    I'd rather talk about advantages of EC over RSA for example. Or the reason behind hybrid encryption schemes ...
    After a job interview like this I'd lose any interest in the job offer

  • @whoisPremier 2 years ago +22

    Great content.
    But this was more of a networking engineer interview rather than a security one.

    • @wnalikka 1 year ago +3

      It was a very impressive Networking Engineering interview and not a security one. I heard nothing about daemons, ipa...numerous points of security that have nothing to do with networking.

    • @adhishrikothiyal.dreamz 1 year ago

      These are basics that are asked in general first round of interview for a lot of security roles.
      So not just for network sec eng.

    • @animeshacharya7803 1 year ago +4

      Fundamentals are often overlooked. A good interviewer would most likely focus on how well someone knows their fundamentals, so I think this was a great interview!

  • @essj844 1 year ago +1

    Would you include PCI DSS in your courses? Also in demand is path to becoming an ISA or QSA. Thanks

  • @ragapriyakarthikeyan3139 2 months ago

    Very Useful Content👏

  • @h3ct0rjs 2 years ago +1

    Thanks for sharing. I was wondering if Google tests the cybersecurity skill using a CTF or a website to validate the skills.

  • @Maa3zclghlgg 1 year ago

    A very helpful video, I will use a whiteboard to explain how a handshake between the server and the client works!

  • @isaidwhatisaid5817 2 years ago +2

    This guy is awesome. Hired!

  • @Sosovibes22 1 year ago +1

    I have my technical interview on Monday and this video makes me feel like I’m going to totally bomb. 😢

    • @tryexponent 1 year ago

      Hey Outside Vibes! Don't worry, feeling nervous before a technical interview is completely normal. To help you prepare, we recommend visiting www.tryexponent.com/questions to view some common technical interview questions. This resource should give you a better idea of what to expect and how to approach your answers. Good luck with your interview!

  • @anonymous_____18 1 year ago

    Is DSA required as a Cybersecurity or are DSA questions asked in interviews?

  • @saitejaanumatla962 9 months ago

    I’m trying for proxy. I’m 10th pass only, can I survive?

  • @jas9208 1 year ago

    Another set of Advanced interview questions here
    ua-cam.com/video/Z70BLVAuniQ/v-deo.htmlsi=z6rj_FNHcnVav1i_

  • @aussietramp 1 year ago

    Not really sure what "defang" means in this case. Can someone articulate? Thanks

    • @tryexponent 1 year ago +3

      Hi MF! Defanging (or more specifically, URL defanging) is the process of making a URL non-clickable (e.g. replacing http with hxxp, encasing "." in brackets). This is to prevent malicious clickable URLs. Hope this helps!
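
Added example (not part of the comment thread or the video): a Python sketch of the URL defanging described in the reply above, replacing http with hxxp and bracketing dots, plus the inverse for analysts who need the original back. The function names, the regexes and the sample text are assumptions constructed for illustration; only indicators are rewritten, so ordinary sentence punctuation is left alone.

```python
import re

# Matches a URL with scheme, an IPv4 address, or a bare hostname in free text.
_INDICATOR = re.compile(
    r"""\bhttps?://[^\s<>"']+"""
    r"""|\b(?:\d{1,3}\.){3}\d{1,3}\b"""
    r"""|\b(?:[a-z0-9-]+\.)+[a-z0-9-]{2,}\b""",
    re.IGNORECASE,
)
_TRAILING = ".,;:!?)"  # sentence punctuation that is not part of the indicator


def _defang_token(match):
    token = match.group(0)
    core = token.rstrip(_TRAILING)          # keep "…/a?x=1," from eating the comma
    tail = token[len(core):]
    core = re.sub(r"^(h)tt(p)", r"\1xx\2", core, flags=re.IGNORECASE)  # http -> hxxp
    return core.replace(".", "[.]") + tail  # "." -> "[.]" inside the indicator only


def defang(text):
    """Make every URL, IPv4 address and hostname in text non-clickable."""
    return _INDICATOR.sub(_defang_token, text)


def refang(text):
    """Reverse defang() so the indicator can be fed to tooling again."""
    text = re.sub(r"\b(h)xx(ps?://)", r"\1tt\2", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".")


# Constructed sample report line (documentation-only domains and address).
SAMPLE = (
    "Callback to http://c2.example.com/gate.php from 192.0.2.1. "
    "Also https://login.example.org/a?x=1, reported by analyst."
)

if __name__ == "__main__":
    print(defang(SAMPLE))
```

Running defang() twice gives the same result as running it once, because a defanged indicator no longer matches any of the three patterns.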

  • @telugunewmovies67 2 months ago

    Why explain that much? Why is he not going to explain with a short answer? Is it needed to give that much of a brief answer? Can anyone answer my question?

  • @mypassportpicsux 7 months ago

    Is he reading a response to the internet question?

  • @adammason1587 3 months ago +1

    As a 10 year network engineer, he didn't really answer the first question.
    He didn't touch on the usage of ARP, Internal and External Routing, and NAT, things that in my opinion are critical to routing from point A to B and back.

    • @nikhilt3755 2 months ago

      and OSI model

    • @Kauha 2 months ago

      Nor did he mention that the first places the browser looks up for the domain address are the browser and OS cache, and after that it reaches out usually to the ISP DNS resolver. Neither did he talk about the three-way TCP connection that the computer would initiate with the server, nor the HTTP packages or anything else important. I wish they had rehearsed this a bit so people wouldn't do badly on interviews.

  • @wnalikka 2 years ago

    I don't know if this would be a real-life job interview.

    • @tryexponent 1 year ago +1

      We get these questions from real-life hiring managers and security engineering managers. These questions should be close to what you'll hear in the real world.

    • @adhishrikothiyal.dreamz 1 year ago +2

      It actually can be. Most of the questions in this are the ones asked in actual security roles.
      PS: I am a security engineer

  • @firewall_chronicles 10 months ago

    What are these questions? This is basically asking him if he is an encyclopedia. Where is the critical thinking?

  • @ZhouSoran 3 months ago

    Japanese?

  • @raiphtheimposter 3 months ago

    What a load of technobabble BS, I'm a CISSP and this put me to sleep. Keep it simple please. No interviewer deep dives into SSL handshakes.

  • @cyclonus01 1 year ago +41

    Terrible answer on how the internet works.

    • @OmniPhantom 1 year ago +6

      I agree, I would have said something along the lines of the internet being an interconnected web of computers that communicate between each other through ISPs and other hosts

    • @adhishrikothiyal.dreamz 1 year ago +15

      I think he answered great. He explained the hardware involved in a machine, DNS resolution with the help of servers and the 3-way handshake perfectly, after which the browser starts rendering the server response. It was a well-built answer. 👏

    • @johnbrown4200 1 year ago +3

      @adhishrikothiyal.dreamz That is kind of a limited perspective though, e.g. "how a browser works"; it doesn't cover the Internet more broadly. Which may be fine, depending on what the interviewer is looking for. Being a long-time network and web SME I laughed though. I would rank that about 35 out of 100.

    • @adhishrikothiyal.dreamz 1 year ago +7

      @johnbrown4200 Hey John, as a security engineer this is exactly the expected answer.

    • @nuny 7 months ago

      But a very good one on SSL handshake😉