HELP: Advice to a new graduate applying for a job in Pentesting & Security, first interview

So a friend’s just graduated with a first in Comp Sci, has a historical interest in Linux and security, and has a job interview coming up soon… and I’ve been asked to provide some feedback and advice.

This is a bit tricky since I’m an oddball case, but I’ll share a few ideas and throw it open to suggestions.

Early last year I interviewed for a colourful company, which led to an argument in the second-round interview and thence to the most popular Reddit thread that I’ve ever created. The drawback is that the useful advice in its comment threads is buried under opinion and imperious ranting; but there are a few nuggets in there worth reading.

I’ll split the remainder of my advice into three chunks:

presentation

Look healthy: drink plenty of water the day before, get plenty of sleep for the previous two days, and make sure you’re not going to be rushed to find clothes on the morning of the interview – lay them all out the day before, too, such that you still get to bed before 10pm.

Dress: in the City you’re allowed one personal touch – but it tends not to be piercings, so if you’ve got more than two ear-rings (F) or one (M) then lose the rest of them for the day. Everything else should be conservative but interesting. Invisible makeup where relevant.

The point is they’re hiring you and you don’t want to swamp that signal. The principle of least surprise is at play, here. Regrettable but true.

Bags: Don’t overload yourself with crap; one medium size bag.

Equipment: Take a clean notepad and pen, just in case you want to make notes of something they say – but you could always ask them to e-mail you the details.

Switch your phone completely OFF when you get on site.

expectation

Expect to be asked questions, and understand that you are actually allowed to interpret them, ask for clarification, rephrase them (to some extent) and to bend the rules with the connivance of the interviewer.

Engage with your interviewer.

If you were interviewing for me then I would make your life hell because I would be getting you to critique various network protocols and sysadmin tasks; so (exhibiting my age) I would say something like:

“What’s wrong with NFS?”

…and if you can answer, fine; but if not, don’t say “I don’t know”; instead something more like:

“That’s Network File System? I’ve never had a chance to use it, but if it’s anything like SMB/Samba then I could talk about those sorts of problem instead. Would that be relevant?”

They may throw a programming or operations problem at you, or they may ask you to talk about crypto; when you can’t talk about specific implementations, ask the interviewer for more information, treat it like one of the more interesting tutorials you’ve ever attended, and don’t be afraid to engage with the person rather than being judicially cross-examined by them.

For all you know they will be your boss, eventually. Treat it like a working relationship from the outset.

negotiation

Under no circumstances say yes to the job on the day, nor should you be the one to offer a salary figure – you are currently not competent to judge your own worth.

So: Salaries? Benefits? Pensions? Compensation packages?

Frankly I’ll be surprised if they raise the matter at a first interview, but you are permitted (expected?) to ask them what sort of “benefits” (if any) they offer with the position.

Often it depends on the role, e.g. contract positions may not have much in the way of benefits at all.

If the matter of money comes up, let me repeat: you are currently not competent to judge your own worth; the proper relationship of the employee to the employer is that they are compensating you for doing work for them, that they are fortunate to have you – so think of it as them trying to seduce you, rather than doing you a favour.

If they press you for a figure then respond that you are “still looking around to establish my net worth” – or something; but pressing you would be a bad sign.

If they just flat-out name a figure then retain a poker face and do not accept on the day; just say that you have to consult with your other half, or something. Smile on the inside, look pleasant on the outside.

I’ll post this now, invite other readers to correct me, and add more into the comments.

Comments

8 responses to “HELP: Advice to a new graduate applying for a job in Pentesting & Security, first interview”

  1. jewellery: probably best to keep that down to a pendant and a ring, at max. Again, it’s a matter of outcomes, what you want to achieve.

  2. Max Allan

    Might be stating the obvious but :
    Research the company. When you know what they do in day to day work, find out about it. Don’t just look at the corporate website, look for employee posts on forums. If you find joe.bloggs@employer.com asking about flaws on NFS go find some. And try to figure out what tools they use for testing. Etc.

  3. Carole

    avoid strong perfumes/colognes or eating anything that will cause bad breath. Wear anti-perspirant. In other words, don’t be noisome!

    1. Back to the seduction metaphor, yes Carole? 🙂

  4. Max Allan

    And do the same with the job description. As a grad you have no real experience but you can make some. Get VirtualBox, install old versions of Windows, Linux and some testing tools and break the boxes. If the JD says Red Hat, attack Red Hat. If it says nmap, make sure you’ve nmapped something and used all the options and found some vulns.
    A lot of pen testing is documenting results. Make sure anything they see is well presented.
    Make sure your personal blog, Facebook, Twitter etc. all make you look like a pro geek rather than a drunkard stoodent. If you haven’t got Twitter etc. get some and start putting sec related tweets up!

    1. Mmm… point taken, Max, but I would avoid astroturfing at such short notice. Would look fake.

      That said, in this case a refresher of all the online security training that’s been done would be a good thing, not least so you can talk about having done it knowledgeably.

  5. C3

    BTW – I would never ask about benefits in the first interview, even if they offer you a job.
    If they haven’t offered a role, it distracts them from your talents and value proposition. If they have offered you a role, see Alec’s advice above. You can ask them about benefits as part of the follow-up to show that you’re smart and are looking at the total picture.

  6. If you are going for a pen test role specifically, make sure you understand toolsets:
    1) Nmap
    2) Metasploit (at least be able to explain how to sploit MS08-067 as an example)
    3) Burp Suite will win you friends in most shops

    Talk about things like OWASP, OSSTMM from a position of knowledge.

    Basic consulting skills – most pen test shops are full of nerds who cannot write reports or communicate with customers. Some are realising that the cost of support staff to cover this lack is killing their profit margin, others are slowly going out of business.

    Be prepared to answer “No problem” to the question “Can you be security cleared?”

    SOME knowledge of a basic pen test engagement process would impress the interviewers (how to scope it, what the lifecycle of the test is, how to report it).
