Just this morning, I published a new article at TechRepublic’s IT Security Weblog. I’m basically the “headliner” there, a twice-a-week columnist of sorts pondering the imponderables of information security as they apply to professional computer geeks and the world at large. In the terms used by the TechRepublic staff, I’m the “IT Security blog host”. If that’s a topic of interest to you, you might want to swing by and see what I have to say. Take note of the fact that though I’m the “host” (kind of a misnomer, but whatever), mine is far from the only name to appear in a byline. Examine each article for its author before assuming I wrote it. I maintain a mostly up to date list of IT Security articles I’ve written for TechRepublic, if you’re interested.

Anyway . . . this new article, How do you interview security experts?, takes on the question of what sort of questions one should ask a candidate for a security focused job. In addition to what I said there, however, I felt like offering the world a bonus example interview question here at SOB.

This question isn’t just for candidates for a security focused job, however. This is basically for any IT job candidate at all. Anyone with any degree of responsibility for the smooth operation of your IT infrastructure at all should have at least the most rudimentary understanding of computer security, and this question is something I would consider a must-ask for any IT job interview.

Unfortunately, the formula for this question kinda flies in the face of the advice I give in the article: it’s the sort of question that has a “right answer”. On the other hand, I wouldn’t just reject a candidate out of hand because (s)he gave a different answer. As suggested in the article, if I get an answer that disagrees with what I expect as a “right answer”, I would explain the answer I expected and ask why the candidate’s answer differed.

Without further ado, the question is:

What do you do if you discover your personal computer at home was compromised by malware or a malicious security cracker?

The “perfect answer” is something like:

I’ve never had to deal with that state of affairs on my own computer, but as I’ve done when helping others, I would probably just make sure my backups were up to date, ensure there’s no sign of infection or compromise in the backups, then nuke and pave the system, followed by restoring important data from backups. There’s just no way to be certain, once a system has been compromised, that there’s no further infection or compromise after cleaning up the known problem.

The otherwise “right answer” would be much the same, but perhaps without having actually done the above when helping others, or with personal experience involving the candidate’s own computer as an example of a compromised system in the past (hopefully not often).

Other variants on this approach surely exist, such as restoring the system to a previous known good state from a disk image maintained on another computer that has not been compromised. Keep an open mind for different ways of solving the same problem of uncertainty that the system can be cleaned up after infection; a candidate’s answer may not seem the same as yours at first blush, but may achieve exactly the same end result — or at least a security-conscious approximation. For instance, I wouldn’t necessarily exclude a candidate for failing to keep regular backups, as long as (s)he knows that’s a failure and mentions some reason that (s)he doesn’t regularly back up the system that I could reasonably expect would not translate to similar failures on the job. I knew an excellent accounting clerk who couldn’t manage her own finances worth a damn, after all; she knew exactly what she was doing wrong with her personal finances, and didn’t suffer the same failures professionally, which is sorta the point.

Assuming a wrong answer, like “I’d run some malware and rootkit cleaners to make sure the infection is gone,” I’d have to ask about why the answer wasn’t what I expected — maybe with something like this:

I would have expected you to say you would wipe the system and reinstall, in case the infections or intrusions you detected were merely the tip of a mostly undetectable iceberg. Do you think it is possible to be sure the computer is really clean of all security compromises?

If the candidate is not being interviewed for a specifically security focused position, an answer like “Oh, I hadn’t thought of that. Of course, now that you mention it, that’s what I’d do,” might be acceptable. This suggests not disagreement, but simply that the candidate had not had occasion to think the matter through completely, and is willing to change his or her approach when exposed to new information.

A candidate with a rigid and obstinately wrong approach is a bit more worrisome, on the other hand. If a candidate’s answer was something like “Oh, I personally own licenses for a full suite of Symantec security and recovery tools. I’d be able to clean it up, no problem!” I’d be tempted to say “Thanks for your time, but I don’t think you’ll be a good fit for our organization,” and show him or her to the door right then and there. Depending on how desperate I was for candidates, I might give one more chance to correct the problem by prodding a little more, but at that point the candidate may become suspicious that (s)he is answering incorrectly and change the answer just to try to get the job without actually believing what’s coming out of his or her mouth. In this case, I would definitely focus more on the “why” of any further answers rather than the “what”, because that’s the kind of answer that’s more difficult to convincingly fake.