One of my frustrations over the years has been around interviewing candidates for security jobs. I recently had a doozy when a candidate asked “what do you guys do?” Staring blankly at the phone, I had to fight to maintain my composure. I then started mentally thumbing through years of absurd responses from candidates.

I decided to ask the community to share their favourite security job interview question answers and wow…did that ever garner a response.

Opening statement on Twitter: “I’m compiling a list of things NOT to say in an interview for a security job. Got any good ones?”

Here are 50(ish) responses in no particular order.

Enjoy!

  1. I’m a thought leader
  2. “What was this position again?”
  3. “Does the workplace anti-drug policy apply to drugs I make myself?”
  4. asking someone on the interview panel “hey so why did you leave your last gig???”
  5. “Who is that bitch in the picture behind your desk, the one next to the picture of those three ugly kids.”
  6. Sharepoint
  7. I use [OSX/Linux] so I’m secure.
  8. “How can it be secure if anyone can see the source?”
  9. “Why wouldn’t you just use Telnet for that?”
  10. “IT guys are dumb”; “Developers are dumb” “they expected me to work at 9pm…”
  11. “when nobody is looking I change the homepage to meatspin”
  12. “This one time when I hacked _ …”
  13. Q: Describe a TCP handshake. A: I can’t. NB: self declared network expert
  14. Yeah, I’ve already been in your systems and, whew, I gotta say, you really need help.
  15. “I don’t do documentation”
  16. I only use Cisco security devices, because security begins with trusting yr vendor, and everyone trusts CSCO (Look at their stock!)
  17. If an app has Common Criteria certification, you know it’s secure
  18. “I broke into x, y and z sites”
  19. You know, I hacked your company’s network once. Made a fortune off of the credit card data.
  20. I had someone interview for a management position with a book full of documents created for previous employer
  21. This job can be done by monkeys. Yes, I actually heard that one from a candidate.
  22. “There’s this thing called APT.”
  23. Do you want my Facebook username and password now?
  24. “I know this guy Greg Evans who can be contacted for referral if needed”
  25. I use the same password everywhere
  26. “Admin for everybody works best.”
  27. “I think Facebook’s handling for privacy matters is the bomb.”
  28. mentioning a CISSP at all or citing military experience and having zero actual security experience
  29. …and that guy with my name, yeah, that wasn’t me selling those secrets to China.
  30. don’t speak of known security issues or problems in your existing org, if you’ll cheat on them, you’ll cheat on them
  31. “Auditing? Naw, I’m not into the whole ‘logging’ thing.”
  32. What do you mean compliance != security?
  33. Gave a guy a scenario to work through once, dude got mad, lost his temper, described people in the situation as idiots, etc.
  34. “Will this position look good as I’m interviewing for my next gig?”
  35. I make sure to use a complex alphanumeric+special 8+ characters password for all critical systems: passw0rd!
  36. Turn to the CTO (Jeremiah Grossman) and ask, “What do you do here?”
  37. “I don’t think you’ve got anything a criminal would want”
  38. “Why infosec? One word: misanthropy. BTW, can I telecommute?”
  39. “everything I learned about security I learned from the compliance manager at my previous Job”
  40. “In my last job I used Nexxus a lot”
  41. do you have flexible office hours? I usually work from my home office lab, can you pay for my internet?
  42. “Sorry I’m late. I misplaced the printout of the email setting up the interview.”
  43. “Why, yes, An*nym*us *was* my idea…”
  44. Lulzsec, that was also my idea.
  45. I’m perfect for security, because I love telling people NO!
  46. “Can I connect my {insert droid phone brand} to your network?”
  47. “home labs are for geeks, that’s just pointless”
  48. How would you describe diversity? >I eat lots of Chinese and Italian foods. >Could u elaborate more? > They all taste great. #real
  49. “I’m just applying for the job so I can keep getting my unemployment check.” (true story)
  50. “This is a 9-5 gig, right?”
  51. “I just read SANS Newsbites and that’s pretty much how I keep up with everything in infosec”
  52. Worst was clothing, not comment. Kid showed up wearing a “Bart Simpson, underachiever and proud of it” t-shirt for interview.
  53. All of my past bosses were assholes, I hope you aren’t. (paraphrasing actual interview)
  54. …and the winner in my books

  55. Yes. I was security lead at Sony in 2010 and 2011

I received over 250 responses. Thanks everyone for contributing. Got more? Feel free to leave a comment.

🙂

(Image used under CC from Ced)
