Intern Interview: Cyber Safety and Security

Chegg
Updated: September 2, 2020

 
Omar Hill is Chegg’s security engineering intern for summer 2020.

 

Chegg: Hi, Omar! Thanks for taking the time to talk to us today. To start, we’d love to learn a little about your background and what first attracted you to security engineering.

Omar: Sounds good! Well, I’m an incoming fourth-year student at the University of Cincinnati, majoring in Information Security with a Computer Science minor. I was first attracted to Information Security in my senior year of high school, after watching and doing a project on the documentary “Zero Days,” which is a documentary about a computer worm developed by the U.S. and Israel to destroy Iranian nuclear centrifuges. 

After that, I declared my major and have been involved with Information Security-focused events, clubs, and organizations ever since. 

 

C: What do you do as an intern at Chegg?

O: My primary project this summer has been building a securely configured template to secure our cloud computing environment. The template will be used to ensure new cloud instances are created securely. I also have been working on automating closing unnecessary ports in our cloud environment, which is like closing open windows in a house. I also shadow my colleagues to find security vulnerabilities in production code—and lots more!  

 

C: With more remote workers, there are more opportunities for fraud. How can students tell if they’re dealing with a scam job posting or a phishing attempt?

O: I have a few tips:

  • NEVER click directly on the link for a website in the email. Simply type the name of the website into your browser. 
  • Beware of urgent-sounding subject lines and attachments, especially with an uncommon file extension, such as .exe or .ps1. Unfortunately, phishing attacks have grown far more sophisticated and although blatant indicators of a phish, such as incorrect grammar, are still in use, they’re used far less than they were just a few years ago. 
  • For scam job postings, indicators would be the “employer” seeking sensitive personal information very early into the process (before an interview), such as your SSN or driver’s license information. Also, don’t trust anyone who asks you to wire money or cash a check.
  • Further indicators are a non-business email address and lack of public information about the company. 


C: What’s your number one piece of advice for students who want to keep their personal information safe while searching for and applying to internships online?

O: When searching and applying for internships, either do it through the company’s portal or through a legitimate third party site, such as Chegg Internships or LinkedIn. Additionally, when creating accounts, be sure to use a password manager to avoid password re-use. Re-using a password for a job site may not seem like a big deal, but oftentimes that is the same password you use for your bank, FAFSA, or email account.

 

C: As we discussed, more and more roles are going remote these days. Interviews used to be a good opportunity for applicants to connect with employers in person, but now most interviews are through video. How can interviewees protect themselves throughout the interview process?

O: Make sure to use legitimate video software for interviews (Zoom, Microsoft Teams, Cisco WebEx, Google Meet) and ensure recording is off (unless you’ve discussed it with the interviewer in advance). Virtual backgrounds can conceal your information in case you have any awards, diplomas, or other personal content on the wall. If you must interview in a public place, seek a quiet room to protect your information from potential eavesdropping. 

 

C: Finalizing the hiring process often requires you to submit banking information, your SSN, and other personal information. What tools can students use to share this information safely?

O: The biggest thing here wouldn’t necessarily be a tool, but security concerns about the network you’re submitting your information on. If it is a private network (i.e., a home network), be sure that the password is strong and unique (8+ characters, with a mix of uppercase, lowercase, symbols, and numbers). 

For a public network, since attackers can sniff your network traffic, you should either wait until you reach a private network or connect to it with a paid, personal VPN, which is a secured, private internet space that only you can access. 

 

C: As more jobs go virtual, do you have any specific security advice for applicants?

O: Similar to the question above, ensure you’re on a secure network; if not, use a paid VPN provider (they’re very affordable). I like NordVPN for people who aren’t as technical, and OpenVPN for those that can configure their own VPN. Free providers often either bombard you with ads or sell your information, usually both. Also, ensure you’re on the correct website and do not share more information than you need to. 

 

C: What should students do if they suspect a job is fraudulent or they’re the target of a phishing attack?

O: In a professional environment like school or work, there’s usually a button in the email where you can report the phish. I know Chegg Internships has one at the bottom of every listing.

C: We do! Here’s a screenshot for our readers. What about sites that don’t have a direct button?

[Screenshot: Reporting Fraud IDC]

O: If not, look for the IT/Security page for their reporting policy. In a personal environment, never click directly on a link of a website. Type the name of the website into your browser. 

If you suspect you’ve been phished, change the passwords for the compromised accounts. If it’s credit/debit card-related, cancel your card or call your bank, and watch out for warning signs of ID theft. For fraudulent jobs, report it to the FTC at 1-877-382-4357 or ftc.gov/complaint.

 

C: Do you have any other security resources you’d like to share?

O: I’d recommend using a password manager (I would recommend LastPass), which stores passwords in a central repository instead of insecurely storing passwords in notepads or sticky notes. Also, the use of two-factor authentication, specifically software token software, such as Authy and Google Authenticator, which serves as a second form of authentication. Lastly, haveibeenpwned, which is a website that checks if your email has been used in a data breach.

 

C: Thank you so much for sharing your expertise with us today, Omar. To wrap things up: What’s your advice for students who are interested in getting into security engineering?

O: Create information security-related personal projects, such as projects centered around encryption, injection vulnerabilities, password generators, and more. You can learn a lot about the cybersecurity basics by watching CrashCourse’s YouTube videos.

Also, try attending information security conferences and CTF (capture the flag) events, or join a cybersecurity club at your school. They’re open to people of various skill levels and are very welcoming. I also recommend networking with security professionals, gaining experience in other areas of engineering, and then interning in a security role. This is vital because if you don’t understand certain technologies, you won’t be able to secure them.

 

Omar’s favorite cybersecurity resources

CrashCourse videos on cybersecurity basics:

 

Additional articles on starting a cybersecurity career: