Vulnerability Assessor/Penetration Tester
|Reference # :||20-00724||Title :||Vulnerability Assessor/Penetration Tester|
|Location :||Florence, KY|
|Position Type :||Contract|
|Experience Level :||Start Date / End Date :||07/06/2020 / 07/05/2021|
Our client, a leading global financial services company, has approximately 200 million customer accounts and does business in more than 140 countries. They provide consumers, corporations, governments and institutions with financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management.
Vulnerability Assessor/Penetration Tester
This role is for an Vulnerability Assessor/Penetration Tester who will focus on ATMs and related infrastructure, hardware and applications.
This role is highly technical, and candidates must possess a solid understanding of information security. The tester must understand applications, networking and various operating systems, along with tools and frameworks, and they must maintain a high level of rigor to stay up-to-date with advancements in technology while also retaining knowledge of older systems and applications that may still be in use in the enterprise.
The tester must constantly search for system and application weaknesses to exploit, but they are also expected to maintain a level of professionalism at all times. The position must collaborate with others on the team for remediation and additional validation, as well as contribute to other collaborative approaches driven by the team strategy.
While some automated tools will be leveraged, the tester must realize this is not solely a point-and-click role, but requires hands-on expertise with a variety tools to simulate attacker tactics, techniques and procedures (TTPs). The tester will participate in visible and announced assessments for new and existing services, infrastructure and applications to help the team identify weaknesses before an attacker does.
Essential Job Duties
- Work with teammates to consistently learn and share advanced skills and foster team excellence.
- Document and formally report testing initiatives, along with remediation recommendations and validation.
- Conduct tactical assessments that require expertise in application security (web and mobile), physical methods, lateral movement, threat analysis, internal and external network architecture and a wide array of commercial and bring-your-own (BYO) products.
- Develop and maintain tools and scripts used in penetration-testing team processes.
- Train offensive and defensive colleagues on new TTPs and mentor junior teammates.
- Regularly research and learn new TTPs in public and closed forums, and work with teammates to assess risk and implement and validate controls as necessary.
- Arrange and provide support to business units launching new technology applications and services to verify that new products/offerings are not at risk of compromise or information leakage.
- Perform other duties as assigned.
Skills and Experience
- At least 3 years' experience in information security administration, offensive tactics, vulnerability assessment and penetration testing, especially as related to ATM and related infrastructure, hardware and applications.
- Proficient in scripting languages such as Python, PowerShell, Bash and Ruby.
- Competent with testing frameworks and tools such as Burp Suite, Metasploit, Cobalt Strike, Kali Linux, Nessus, PowerShell Empire and AutoSploit.
- Experience conducting vulnerability assessments and penetration-testing engagements as a consultant or within a previous role in a professional organization.
- Strong operating system knowledge across *nix, Windows and Mac; proficient with networking protocols.
- Familiarity with defensive and monitoring technologies such intrusion prevention/detection systems (IPS/IDS), security information and event management systems (SIEMs), firewalls, endpoint protection (EPP) and endpoint detection/response (EDR) tools, as well as user and entity behavior analytics (UEBA).
- Understanding of OWASP, the MITRE Telecommunication&CK framework and the software development lifecycle (SDLC).
- Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating well.
- Self-starter requiring minimal supervision.
- Excellence in communicating business risk and remediation requirements from assessments.
- Analytical and problem-solving mindset.
- Highly organized and efficient.
- Demonstrated strategic and tactical thinking, along with decision-making skills and business acumen.
- Bachelor's degree in computer science (preferred), information assurance, MIS or related field, or equivalent.
- At least 3 years of related experience required
- Preferably, one or more of the following: OSCP, OSCE, GPEN, GWAPT.
Please see our complete list of jobs at: