2014-04-22

Assist with penetration testing and vulnerability assessments of information systems and IT infrastructure across the enterprise. Assist with assessment planning, identify high-level characteristics of assessment targets, define testing scope, conduct risk analysis and threat assessments, identify testing resources and constraints, and work with team members to develop test plans. Research and identify emerging threats. Utilize pen testing tools and manual testing techniques to identify and exploit vulnerabilities. Assist with recommendations for mitigation and remediation of identified vulnerabilities. Prepare written reports for system owners.

The successful candidate will have a strong technical understanding of security vulnerabilities, exploitation methods and associated risks for many technology areas. Knowledge of programming and scripting languages (C, C++, C#, VBScript, Perl, Python), authentication and authorization mechanisms, and network protocols required. Experience with pen testing tools and techniques required. Knowledge and application of attacker perspective and methodologies desired. Operational and strategic experience with red team tactics desired. Knowledge of techniques used by root kits, viruses, and malware desired.

Competencies
General

Continuous Learning
Usually seeks and uses feedback from own work group members, direct supervisor, and occasionally members of other work groups and other sources of information to identify appropriate areas for learning. Generally identifies and participates in appropriate learning activities (e.g., courses, reading, self-study, coaching, experiential learning) that help fulfill learning needs. Participates in learning activities in a way that makes the most of the learning experience (e.g., takes notes, asks questions, critically analyzes information, keeps on-the-job application in mind, does required tasks). Puts new knowledge, understanding, or skill to practical use on the job; furthers learning through trial and error. Occasionally places self in unfamiliar or uncomfortable situations in order to ask questions and learn.

Follow-Up
Generally builds due dates into assignments and task delegations; communicates milestones and expected results. Asks questions of fellow work group members and occasionally of other interorganizational employees to obtain relevant information; schedules meetings to review progress and share information; gets feedback on results from those directly involved. Meets formally with fellow work group members and occasionally other interorganizational employees to review the results of an assignment, project, or delegated task.

Innovation
Generally identifies assumptions in the way problems or situations of moderate scope and complexity are defined or presented. Sees alternative ways to view or define problems; is not constrained by the thoughts or approaches of work group members or inter-organizational employees. Generally draws upon multiple and diverse sources (individuals, disciplines, bodies of knowledge) for ideas and inspiration. Combines ideas in unique ways or makes connections between disparate ideas; explores different lines of thought. Views situations from multiple perspectives; brainstorms multiple approaches/solutions. Examines some potential solutions and evaluates each before accepting any; targets important areas for innovation and develops solutions that address meaningful issues in own and other work areas.

Technical

Cyber Sys Threat & Environment
Basic – General ability to identify susceptibility, survivability, and vulnerability (S/V) of the systems, subsystems and delivery mechanisms, based on the knowledge of characteristics and capabilities of threats (e.g. protocol exploits, identity spoofing, malware injection techniques, application layer vulnerabilities).
Preferred – Complete ability to identify susceptibility, survivability, and vulnerability (S/V) of the systems, subsystems and delivery mechanisms, based on the knowledge of characteristics and capabilities of threats (e.g. protocol exploits, identity spoofing, malware injection techniques, application layer vulnerabilities).

Hardware/Software Development
Basic – General knowledge of programming languages (e.g., C#, Java, Java 2 Enterprise and Mobile Editions (J2EE, J2ME), C++, Visual Basic, C, Assembly, Ladder Logic, Numerical Control (NC) Programming, Matlab). Knowledge of computing equipment and its operating systems (e.g., Windows, Unix, Linux). General knowledge of software development and testing tools (e.g., editors, compilers, linkers, desktop simulations, configuration management tools, requirements management tools) capability and usage. General ability to apply knowledge of database engines to the design of databases and reporting structures. General ability to integrate hardware and software components into a functional system. Knowledge of software testing and usability theory. General knowledge of testing, usability practices. General ability to write and execute test scripts and perform usability analyses.
Preferred – Complete knowledge of programming languages (e.g., C#, Java, Java 2 Enterprise and Mobile Editions (J2EE, J2ME), C++, Visual Basic, C, Assembly, Ladder Logic, Numerical Control (NC) Programming, Matlab). Complete knowledge of communications, networking, and protocols (e.g., Transport Control Protocol/Internet Protocol (TCP/IP), File Transfer Protocol (FTP), Extensible Mark-up Language (XML), Wireless Access Protocol (WAP)). Complete knowledge of computing equipment and its operating systems (e.g., Windows, Unix, Linux). Complete knowledge of software development and testing tools (e.g., editors, compilers, linkers, desktop simulations, configuration management tools, requirements management tools) capability and usage. Complete ability to apply knowledge of database engines to the design of databases and reporting structures. Complete ability to integrate hardware and software components into a functional system. Knowledge of software testing and usability theory. Complete knowledge of testing, usability practices. Complete ability to write and execute test scripts and perform usability analyses.

Network Systems
Basic – General knowledge of network communication concepts, principles and architectures, associated with network planning, design, integration and maintenance. End-to-end knowledge of network transport technologies, systems, environments, services, protocols, performance monitoring and diagnostic analysis.
Preferred – Complete knowledge of network communication concepts, principles and architectures, associated with network planning, design, integration and maintenance. End-to-end knowledge of network transport technologies, systems, environments, services, protocols, performance monitoring and diagnostic analysis.

Penetration Testing
Basic – General ability to perform penetration testing; conduct footprinting, enumeration and reconnaissance; identify and exploit vulnerabilities in networks and systems using manual testing, exploitation, privilege escalation and evasion techniques.
Preferred – Complete ability to perform penetration testing; conduct footprinting, enumeration and reconnaissance; identify and exploit vulnerabilities in networks and systems using manual testing, exploitation, privilege escalation and evasion techniques.

Technical Communication
Basic – Presents ideas clearly and is able to answer questions effectively. Uses guidance to communicate with customers, partners and suppliers.
Preferred – Presents well thought-out ideas and is prepared to discuss them effectively. Does detailed technical coordination with partners, suppliers and customers. Effectively communicates in cross-functional settings and management briefings. Documents technical processes and methods.

Vulnerability Assessments
Basic – General ability to perform technical evaluation and analysis of computing systems and infrastructure to identify underlying security vulnerabilities; communicate vulnerabilities, threats, resulting risk and recommended remediation to system owners. Ability to safeguard sensitive information.
Preferred – Complete ability to perform technical evaluation and analysis of computing systems and infrastructure to identify underlying security vulnerabilities; communicate vulnerabilities, threats, resulting risk and recommended remediation to system owners. Ability to safeguard sensitive information.

Basic Qualifications For Consideration

Do you have course and/or work related experience conducting penetration testing on IT systems and infrastructure?

Typical Education/Experience
Level 2 – Technical bachelor’s degree and typically 2 or more years’ related work experience or a Master’s degree or an equivalent combination of education and experience. A technical degree is defined as any four year degree, or greater, in a mathematic, scientific or information technology field of study.

Level 3 – Technical bachelor’s degree and typically 5 or more years’ related work experience or a Master’s degree with typically 3 or more years’ or a PhD degree or an equivalent combination of education and experience. A technical degree is defined as any four year degree, or greater, in a mathematic, scientific or information technology field of study.

Other Job related information
Position allows for some telecommuting work.

Business Unit: Engineering Ops & Tech

Division: Information Technology

Program: Information Security

Job Type: Non-Management

Experience Level: Career/Experienced

US Person Status Required? Yes

Closing Date: 04/30/2014
