Security auditors are an essential part of modern businesses. They help to facilitate and manage security changes in an organization, identify security threats and act as a valuable security resource for your IT systems and teams. Not all security auditor roles are internal ones, which means that many security auditors work at a consultancy that visits client locations. This is an exciting aspect of the job for many people, as it exposes them to a variety of different environments, and it keeps things interesting. A solution that works for one company may not be feasible for another, which means that you will always be learning and designing policies that are applicable to specific clients and stakeholders.
This series of interview questions looks at some fundamental aspects of a security auditor’s role and how an interviewer might question them. The role designations have been divided into three separate categories ranked by level of difficulty, based on experience and qualifications.
The questions are not in order, and some questions might be more advanced than the ones that you are expecting on the day of the interview. For this reason, it’s a good idea for you to familiarize yourself with all 30 of these questions, just to prepare yourself. Try to dedicate some thought to your answers ahead of time, so that you have a basic framework to build on when you are actually sitting in front of your interviewers on the big day.
Junior Security Auditor Questions
These questions are fairly straightforward and are what you could possibly expect in an entry-level or learnership level of interview. If you are at this level then you might have some practical experience in the field, or in a similar field of IT. You should be familiar with basic security auditing principles and be comfortable with basic IT technologies and methodologies.
1. Why do companies need security audits?
All companies need to understand what their current security posture is. Everything from password standards to file-sharing and security hierarchies need to be assessed and reviewed from time to time, regardless of the business size or type. Security audits help business owners by identifying weak points and attack vectors. When acted upon, the results and recommendations that come out of a security audit will strengthen and help to make the business stronger and more efficient.
This question is a warm-up to the rest of the interview, which will help you to show the interviewers that you know what the benefits and positive effects of security audits are.
2. How do you measure a client system’s vulnerabilities?
There are many metrics that you can measure an IT system’s vulnerabilities by and just as many avenues that can be exploited by potential intruders and hackers. An initial assessment needs to be completed before any work can be done. This assessment will contain all of the necessary applications, services, staff and network credentials that are needed for an assessment to be conducted. From there, a full picture of the network, its applications and its users can be built.
This question seeks to find out how much you know about site assessments, threat assessments and general site surveys. You can expect to find similar questions to this in an interview, with special focus on your understanding of the expectation of your job role.
3. What tools can be used for assessing the security posture of an organization?
If you ask ten different security auditors what their favorite tools are, you will receive ten different answers. Identify the most relevant tools that you use on a daily basis and why you find them to be useful.
4. What is ACL software?
ACL stands for Access Control List, and it gives security auditors a quick overview of which users have access to which resources on the network and within the systems of the organization. This makes it especially useful when a security auditor needs to quickly check the current permissions of a system as they relate to user access.
The interviewer is wanting to establish how familiar you are with ACL systems and if you know what to look for when auditing user permissions on a system or networked environment. ACL is a very important aspect of security auditing, so you should be familiar with what they are and how they work.
5. Do you know what virtualization is? Have you used it before?
You need to know what virtualization is and how it works if you hope to work as a security auditor. There are many reasons why you would want to use virtualization, but the main ones are for security and convenience. You can virtualize an existing physical computer and have it start up in a virtual environment, which is especially useful when you need to analyze a system but can’t directly affect operations by taking it offline. You can create virtual machines and run them in secure networks that are locked down so that there is no way they can connect to the Internet or distribute any malware and viruses during your analysis.
This question will test your knowledge of VMs and whether you have ever used them before. You might find that the questions are more vendor-specific, so if you only have experience with VMWare then you should look at alternatives such as Hyper-V and Xen and familiarize yourself with them.
6. Why is virtualization useful in your role?
By asking this question, your interviewers are looking to gauge your understanding of how virtual environments work and why you would want to use them while conducting security audits. There are many scenarios where a virtual machine makes more sense to use than a physical one. If you need to work in a completely isolated environment, then using a VM with no connectivity to the rest of the network is a really secure option. Converting a physical machine to a virtual one means that you can perform destructive scans and tasks on the target computer without risking data loss or damage to the original.
The interviewers are looking to find out how experienced you are with VMs and if you know what their usefulness would be in your day-to-day work, if any. While a security auditor might not use VMs every day, it is definitely worth your while to have a working knowledge of VMs and how to use them. You might find yourself conducting audits of these environments, as they are very popular as an on-premise solution for companies big and small.
7. How do you measure a client system’s vulnerabilities?
There are many different ways of conducting a site survey. These are defined by many factors, but most will depend on the process that has been set out for you by your company. The basics of performing a vulnerability assessment are set out before you even go to site to begin work.
First you need to establish a project scope, which tells you what you are looking for and where you will be looking. The next item is your intended goal: What are you hoping to achieve during this assessment? Next, you need to specify your team. Who will you need to have working with you and what are their special skills?
Once you are on-site, you can start documenting the systems that are in place and look at their external-facing vulnerabilities via the Internet. Find out what is visible through scans and look at any potential vulnerabilities that an attacker might be able to use to gain access. From there you can start looking at applying well-known tools that exploit weaknesses on the local network, as well as general security checks such as password strength and frequency of password changes.
After all of these avenues have been tested and documented, you can start making recommendations and compiling a report. All of your findings will go into the final report and will be looked at when you discuss the findings with your client.
You don’t have to go into full details about what the process is, but you will need to show the interviewers that you are familiar with the process. Remember that not everyone holds the same standards or uses the same methods, so be sure to explain in general terms where possible. If the interviewers want more details, then you can get more specific.
8. You’ve found a software glitch — how do you proceed?
Discoveries like this are often noted and then added into the findings document which gets given to the client at the end of the vulnerability assessment. If the vulnerability is severe enough to warrant immediate attention, then you can communicate this to the client and ask them how they would like to proceed. It is not up to you to correct these flaws in security; you need to make sure that the current state of the environment is documented and preserved so that the client can take the necessary actions when they see fit.
While it is tempting to fix every bug and update every outdated computer that you come across, you are not on-site to do that kind of work. During a threat assessment, your primary goal is to document and compile information. There are IT personnel that are responsible for all of these elements, and if they are not maintaining the environment to a healthy standard then the report needs to show this so that it can be corrected. If you fix every glitch that you come across, then there would be no need for remedial action. Worse still, you could fix an issue on the network and then unintentionally break another system. It is best to leave the actual repairs and remedial action to those that are appointed by yourself or the client after the scope of the assessment has been properly looked at.
9. How do you get users to follow security guidelines?
This is a difficult question in many ways. The first reason for this is that it is almost impossible to compel people to follow best practice guidelines and security advice. All you can really do is make the recommendations and hope that management follows through with whatever corrective action they have in store for those that transgress the security recommendations the final report sets out.
10. What challenges are you looking for in this role?
As a relatively inexperienced security auditor, you are looking to get as much real-world exposure to business systems and auditing experience as possible. You are looking to work with teams of people that are passionate about what they do, and you hope to learn from them. You are looking to challenge yourself and put your skills to good use while learning as much as you can about how to properly audit and conduct yourself during projects.
If you have any additional challenges that you are looking forward to taking on, then be sure to mention those as well. You want to make this a personal answer, as it shows how much this kind of work means to you as well as what your perceptions are of the role. And you might have goals that you wish to accomplish that the role simply doesn’t offer. This is a good time to find out all of these facts, as you want to push yourself and grow in any new position that you take up professionally during the course of your career.
Intermediate Security Auditor Questions
This level of interview questions normally involves a little more detail on the technical front, as well as more details on the on-site auditing aspect of the work. Candidates that sit in for this level of interview will generally have a few years of experience coupled with a few certifications. The goal of these interview questions is to find out how proficient you are at performing on-site security audits, and if you are able to work as part of a team as well as on your own when necessary.
11. What steps do you follow leading up to an audit?
If the interviewers are looking for details, then you can elaborate on your own process as much as you want. There are a few key points that an interviewer is normally looking for, and these are based on the specifics of the role that they are seeking to fill. Keep your answers as on-point and relevant during the interview as you can in order to tick as many boxes as possible. If more detail is required, then go into as much about your own methods as they will allow.
Include your pre-assessment components in your audit lead-up events. Also include things such as documentation, defining scope and outcome objectives, as well as the timeline, estimated time required and the resources that you need to take into consideration when getting an investigation started.
12. What steps do you follow after an audit?
The standard operating procedures that you follow will differ from company to company, but the events that follow after an audit are generally reviews and report compilations. All of the data that has been collected in the security audit needs to be compiled into readable and organized content.
Sometimes you need to create more than one single report because the contents of each one will be worded differently depending on who the recipient is going to be. Executives will generally receive a report that is in plain non-technical terms but explains the operational and financial impact in terms that most management and executive figures are familiar with. The technical reports are generally prepared for the technical executives and management, although some organizations have technical capabilities in multiple departments. Each report is different, and each company’s requirements will differ from site to site.
If you are able to show the interviewers that you understand how a standard report is generated, then you demonstrate your ability to follow a uniform methodology that yields consistent results. This is generally what they are looking for, but you should also reiterate that you understand the dynamic nature of businesses and that each organization has its own requirements and expectations from a security audit. Don’t be afraid to show off your adaptability when dealing with audit reports and assessment documentation.
13. What system types found within a client network would you audit more often?
Typically any system or network that has financial or operational significance will be audited more often than standard user equipment like laptops or computers. A financial system will be subject to its own audits and checks at set intervals, while actual security audits will be carried out as often as necessary to ensure that there are no malicious activities being carried out against the system and company. If you are working in an environment that develops their own tools and software, then those servers should be monitored closely and audited at set intervals that are decided by the stakeholders and executives of the organization.
This question seeks to find out how you prioritize systems that need to be audited. How you arrive at your explanation will largely be determined by the kinds of work you have done in the past, especially relating to on-site security audits. Make sure that you rationalize your explanation and go into detail when you need to.
14. Why would you need to encrypt traffic on a network?
Encryption helps to safeguard the transmission of sensitive data, as it cannot be read by outside parties. Encryption makes sure that only the intended recipients are given access to this information, which makes the communication channel secure.
This is a basic technical question; you can expect many similar questions that ask for fundamental security explanations. This helps the interviewer understand what level of knowledge you have.
15. What resources do you use to stay up to date with information security trends?
There are plenty of really good online resources that you can list; just be sure that you actually visit these sites and that you are familiar with the content. A very popular website for security related information and in-depth analysis is OWASP (Open Web Application Security Project). Many online exploits are discussed there, and it is very valuable as a resource. The Top Ten Project is especially useful.
The interviewers want to know what kind of knowledge you have and how you keep yourself updated. There are literally hundreds of other examples of information security sources out there, so choose your favorite and talk about some of the reasons why you enjoy their content.
16. What does your home network look like?
Most people that are studying for specific IT certifications or looking to practice specific techniques will have either physical or virtual networking equipment and computers. Why would you want to have a home setup that simulates a production network? Simulating an attack or trying to patch a known vulnerability would be two reasons to have a home lab/network active in your home, and it is a good way to practice.
This question gets asked a lot, especially in cybersecurity-related roles. The basic idea behind the question is that if you have decent hardware and setup capabilities for studying, learning and practicing, then you are more likely to have an active interest or passion about the security auditing work that you undertake. Studying further also shows that you want to better your position in the industry, which will be in your favor as well.
17. What is salting and what is it used for?
Salting is a cryptographic technique that makes a password more difficult to crack. Random characters are added to a password and then hashed together with the password, creating an encrypted password. The password is much more difficult to crack for potential hackers because of the random nature of the salted data.
Although the main job requirement of a security auditor is to make findings for reports, there is a lot of practical security knowledge that they must have in order to be effective in their role. Understanding security processes and the way that they are implemented is essential.
18. A system crashes after your recommendations are deployed — what do you do?
Whenever a change recommendation is made by a security agency, there are normally contingency plans put into place. If any virtual machines are due to be patched or upgraded, then snapshots and backups must be made ahead of time so that they can be restored quickly if there are any resulting failures from the remediation activities. The changes might even be applied to a snapshot or clone of the system in question, so that if any issues come up, they do not affect the production environment.
Interviewers who want to know how much practical experience you have might ask you questions like this. This is a great opportunity to let them know what you would do when faced with such a scenario, or even better, if you have actual examples of issues of the scenarios that they pose to you.
19. What is an internal audit?
An internal audit is an audit that is conducted by an auditor who is part of the organization. They answer to management and follow procedures and audit guidelines that have been set out by the company. These audits are important because they reveal irregularities and security issues at set intervals.
In fact, most security issues are handled internally if a company has the necessary resources. External auditors are normally only brought in to confirm a suspicious finding or to perform tasks that the internal auditors might not be equipped to deal with.
20. What is the most common cause of security breaches in your experience?
Everyone will have their own experience out in the field, so if you have any personal anecdotes that you wish to add to the interview, then by all means do. Generally speaking, however, human error is normally the primary cause of security incidents and lapses in information security. Weak passwords, poor file permission management and even social engineering all add up to cause lapses in security.
Senior/Advanced Security Auditor Questions
Senior security auditors are professionals that have been in the industry for five to 10 years and possess a lot of practical and theoretical knowledge on how systems work, how they are compromised and how they are best protected. Some senior security auditors have been a part of a larger team and have taken on management and leadership roles and are probably looking to fill a position as either a technical lead or as a manager or advisor to a department. Professionals that are at this level of skill are valuable assets to a company, as their hands-on experience and practical knowledge can save a lot of time and money during an audit or investigation.
21. How do you decide on the scope of an investigation prior to getting started?
The main areas that need to be concentrated on are the items that the client is concerned about. Perhaps they suspect a breach on a specific system and the system logs need to be checked, or they might suspect data leakage. There are so many different scenarios that will require the intervention and investigation of a security auditor that it is not easy to specify where the scope of each one would begin. Each investigation is different, even though they may share similarities in vulnerabilities and scope.
The main point that you need to get across is that the investigation and the specified outcome requirements will determine the scope and areas of interest to the investigator. The scope will be defined before you start, so any items that need to be added to the scope will be discussed before the proceedings on-site will begin.
22. Do you have any examples where a change or suggestion that you have made directly affected your company/client in a positive way?
There will be times when simple problems cause big issues in an organization. Methodical investigation helps to reveal things such as poorly-configured storage devices, open networks and infected computers. Making recommendations to fix only a few of these issues would have the potential to make a big difference, let alone fixing all of them.
Share your positive experiences that you have from working on-site at your company or at your client’s business locations. Keep your experiences relevant to the question being asked and go ino as much detail as you can so that the benefits of your actions are clearly articulated.
23. Have you ever managed a team before?
This is an important question if you are applying for a position that has team lead prospects. If you don’t have any experience with leading a team, then you should at least have managerial experience in a related field or a lot of experience as a security auditor that you can apply to the role that you are applying for. You need to have a solid understanding of how the entire auditing process unfolds from beginning to end, and how to compile reports and findings as you come across them during the course of your investigations.
24. How are Windows auditing and Linux auditing different?
There are some similarities between the two operating systems in the way that they retain records and hold clues about what has been happening, both locally and on the network.
Windows machines hold their records primarily in the event manager, so finding failed processes and events that shed light on suspicious behavior are very easy to find. Certain applications will also leave log records, either in the event manager or as standalone log files that need to be located and analyzed independently by the auditor.
Linux systems use log files as a primary source of data record-keeping. Because of this, investigators will find themselves scouring through many thousands of different log files as they try to get to the bottom of an investigation. Text manipulation commands such as grep will come in handy, especially when there are lots of text variables that need to be sorted through.
There are many other differences that you can bring up in the interview if you are asked. However, the basics should be enough to illustrate your practical knowledge of the difference between the two operating systems. How your auditing process is affected by each of these operating systems will depend on the findings that you are pursuing, so be sure to ask follow-up questions so that you know that you are answering the specifics of their questions.
25. What is the difference between hashing, encoding and encryption?
The easiest way to explain the difference between the three is to think of them in their most basic form.
Encryption uses a series of keys which are used when encrypting and decrypting data. The keys perform changes to unencrypted data by applying cyphers. You can think of encryption as being used to secure sensitive information.
Encoding uses an algorithm that scrambles the data so that it cannot be read except by other clients that have the same cipher. Encoding is used in cases where you need to protect data and to verify its fidelity so that there is no corruption or loss in data.
Hashing is achieved by generating a randomized number from a string of text. Hashing is useful for verifying data, such as big downloads.
26. What are weaknesses in remote cloud solutions?
Cloud vendors generally provide a very good service because they are incentivized to make sure that their environment is always up to date and patched. Where things get difficult from an auditing perspective is that sometimes a virtual machine in the cloud might be located on the same host; that means there is a risk that if the client has stringent auditing requirements, then this could be flagged as a possible issue.
The other problem with using a cloud provider is that you do not actually know what the hosting facility is like or how secure it is unless you have actually met with a company representative in person and gone to the hosting site. This is why only reputable vendors should be used, where the location and security of the site can be verified and visited if necessary.
Auditing hosted machines can be a challenge if they are not deployed correctly or adequately in line with the standards set out by the company that is responsible for maintaining these machines. You need to make sure that the interviewer understands that you are aware of these challenges and know how to make the proper recommendations if the cloud setup is found to be insufficient.
27. What mistakes have you made as a security auditor and how have you learned from them?
These kinds of questions are always tricky. It is generally advised that the faults that you bring up are minor enough to have caused no major problems, while having them significant enough to warrant reflection, making them a useful learning experience that you have benefited from.
Think about some of the challenges that you have faced when mistakes were made. Remember how you dealt with them and specify the corrective steps that you took to resolve the issue. The fact that you were able to correct the issue and learn from it normally goes a long way in an interview, so try to keep things as detailed or as compressed as the interviewer encourages you to.
28. How do you get information from unwilling clients?
Everyone has their own management styles and coping mechanisms, so nobody is expecting you to have a one-size-fits-all answer to such a question. Instead, think about the process that you normally follow when you find that things are not proceeding as well as you would like while you are conducting an audit. There is generally a chain of command at each of the sites or departments that you visit, so if a user is unable or unwilling to assist you with the information that you require, then the person that is further up the management chain needs to be informed.
You can generally do this until you get right to the top of the management structure within a company. If things escalate that far, then it means that there is usually some kind of systemic issue within the organization, which should be raising concern. If an auditor is unable to complete the work that has been agreed upon because of a lack of cooperation, then the terms of the audit need to be renegotiated by the management structures so that the audit can be handed over to another company or carried out properly and with the full cooperation of the company in question.
These are loose guidelines, because all companies have their own set of escalation policies that they follow when trying to get uncooperative people to assist with audits. Be sure to relay your own personal experience to the interviewers, as they are likely to be curious about how you have dealt with such a situation before and what steps you personally took to resolve it.
29. What questions do you ask before implementing a new tool or strategy?
Before implementing any changes or fixes, you need to make sure that what you are doing will fix the issues that have been identified and improve the situation of the system to a state that is better than the one that you found it in. If you have doubts about the fix, then you need to discuss the matter further with all stakeholders before you proceed any further.
The interviewer wants to know how you follow through with recommendations from an audit. Showing critical thinking skills at this stage of an audit could mean the difference between deploying a potentially bad solution and recalculating the way forward, especially if you have any doubts or second thoughts about what the remedial action entails.
30. What are some current OWASP top 10 vulnerabilities?
Injection, cross-site scripting and insecure deserialization are some of the most critical OWASP vulnerabilities that they have identified for the past few years.
If a code audit reveals that there is insecure deserialization within an application, then there needs to be urgent updates to the code to ensure that this security glitch is fixed ASAP, especially if the application is currently deployed.
Injection occurs when an Internet-facing Web application accepts strings of text that are executed as commands. Certain formats of commands have been shown to give attackers administrative access to databases and systems where this vulnerability has been successfully exploited.
Insecure deserialization is a vulnerability that can be exploited by an analyst or an attacker. This is managed by intercepting internal code from an application and changing bits of data. This can be done to elevate their permissions, giving them control of a target machine or application.
How deep your audits go will depend on the level of security auditing that you do. The interviewer will generally steer you towards the direction of the role’s requirements, but you might find yourself talking about more advanced threats such as these if the interviewer sees fit to do so.
Becoming a security auditor requires attention to detail and a systematic approach to record-keeping. You will need to look at the bigger picture whenever you are conducting a security audit as you slowly build up the reports and presentations that your clients need you to put together for them.
Interviewing for such a demanding job is difficult, but certainly not impossible. Simply focus on going through practice questions like these and do your homework on the answers that you would most likely give during the course of a real interview. The questions that we have put together are a good start.
Remember that the more questions you practice with, the more chance you have of carrying yourself confidently in the interview. There are many more questions that you can practice with than these thirty examples! We recommend that you take a look at Skillset.com, which has more than a hundred thousand practice questions related to various certifications. The list of cert-related questions includes is vast, with PMP, CISSP, CEH, CHFI, Network+ and Security+ being just a few examples of what you can expect to find before your next big interview.
Stay focused, relax and good luck!