Interviewing for Information Security Internships

I'm a CyberSecurity undergraduate and part of a great program called the U.S. CyberCorps Scholarship for Service. The program helps students studying in information assurance related fields with tuition aid and professional benefits, provided the student promises their expertise to aid the U.S. Federal Government. Recently (this week) the program held a job fair in Washington, D.C. for the students. Over 40 agencies occupied booths at the fair/symposium. The main objective was to identify potential students and expose them to information security related positions. Even before I was selected for the program, I held a vested interest in information security. Likewise, I had some previous application/interviewing experience for information security related internships. I wanted to take some time and outline my experience, and perhaps create a quick bulleted list for those seeking assistance with finding similar internships.

During my sophomore year I applied to Microsoft as a software developer in test. At this point I had two years of programming experience with some background in information security. The application process was as follows:

  • Apply Online - Send in all your wonderful propaganda and hope you appeal to a development team's (or two) eye.
  • Phone Interview - A team lead/team expert calls and asks you a few programming/debugging related questions. This is your opportunity to wow the interviewer, make sure you know your resume and prepare for some coding or critical thinking questions.
  • In-Person Interview - Time to rock.

The Microsoft interview (and you'll find many sources online to corroborate my opinion) is intense. They support you with travel and accommodation during your time in Redmond. They also encourage you to see some attractions and have a relaxed time before and after the interview. (At this point they've tested you a bit and want to make a good impression.) Everywhere online will tell you to make sure you have snacks and dress comfortably. I dressed casually with a nice pair of slacks, a button-down shirt, and a sweater (it was winter time). I carried a side bag with some papers I had written and my laptop, but I didn't use either. I was interviewed by 4 members on the core kernel development team, and every time I discussed my interests in security. Every time they told me I wouldn't have much exposure to security as an intern. Their questions and discussions were all based on critical thinking, puzzle solving, and assumption breaking. I had little chance to discuss my interest and they weren't very concerned with my technology passions, simply my thinking and programming ability.

After everything was said and done (and many white boards later) I was offered a position and declined. (Boy did this anger the HR representative.) They continued to call me 15 minutes before class every night (after I told them I could not be late for class), and sometimes during class. One time I had to step out of class and they would not let me go (it was very cold outside and I remember eventually hanging up on them). Sure, it's a lot of money and you can "sit and talk to great information security experts," but I already knew I liked programming. I wanted to take time while I was young and make sure information security was interesting as a profession.

Instead I took a position as a contractor for the Federal Aviation Administration as an Information Security Engineer. The interview was fairly simple. I spoke about a few of my interests, sounded really amazed when they gave an overview of their projects (and I was), and agreed to all the rudimentary tasks of being an intern. It sounded like the team hadn't had an intern in a while, and they were quite excited to have a new student. My reasons for choosing the FAA over Microsoft:

  • The team was interested in security topics, not programming.
  • Tons of toys and an open selection of projects to work on.
  • I didn't have Microsoft security experts to talk with, but I did have an entire team of security-savvy enthusiasts.

Most recently I've interviewed at MIT's Lincoln Labs, DISA, and for various teams at the DHS. While at MIT I encountered a strange question, "What blogs do you read, how do you read them, and how often?" This got me thinking, not only about the question but how different these information security related positions were from Microsoft's. Here's a short list of commonalities and take-aways from my recent interviews:

  • If you're interested in information security then you must be reading blogs or news websites. Be able to list your favorite authors and compare them. You should be able to do the same with popular news sites too. For example, "I" feel that ThreatPost and DarkReading provide the most commentary while including subsequent resources for further investigation. (That's a loaded answer but an example.) I've mentioned SANS and spoken a bit about Darknet and seclists. I would suggest commenting every once in a while on these sites too, so you have some vivid memories to describe.
  • Mention the books you read. Not because you "like" to read security books but because you have an interest in the community. Fortunately for me, I have tons of books which I was forced to purchase for school. Know some authors; chances are they are active members in the industry. If you can link their professional work to an authorship, then you're on the right track.
  • If you're in school then your best experience is most likely your information security classes. Remember those theory classes; you can tie them to your recent interests, readings, and reasons for pursuing the internship you're interviewing for! While at the DHS they pointed to a class I had taken, discrete math for cryptology, and said, "Explain this course."
  • There's tons of jargon and "in-bred" terms used by every company. Don't sit back and nod your head when the interviewer explains the team's current plans and recent accomplishments. Ask questions, clarify, and if you thought something different, let them know. The last thing they'll take points off for is a question. I remember listening to an explanation about blackhole security, and immediately following they asked what I thought. I replied, "Sounds awesome!" They said, "Are you familiar with blackhole security?" Nope, time to look like a fool.

Keep in mind, I'm comparing an industry internship interview to government internships (interviews). After a few experiences, and speaking with a few of my cohorts, I feel these recommendations should apply generally to information security positions, government or otherwise. Also, although I've never had the chance to use them, I still think it's a great idea to bring along some papers you've authored. If you haven't written any papers then maybe you should start. Take some interesting things you've done, whether they were interesting hacks, vulnerabilities, or any information security related activity, and turn them into presentable media.

I hope this helps. :)