Vulnerability Assessment and Penetration Testers

Employer
Secured Cyber
Location
Washington, DC
Posted
Jul 17, 2017
Closes
Jul 17, 2017
Function
Accountant, IT
Hours
Full Time
Job Description Secured Cyber is aggressively recruiting for several open positions at the Federal Bureau of Investigations (FBI) in Washington DC The positions are for Vulnerability Assessors to support the Vulnerability Assessment Team (VAT)and for Security Test Engineers to perform Penetration testing in support of the Security Assessment Team (SAT). These are direct hire positions with Secured Cyber. BASIC REQUIREMENTS: - Must have current SSBI and eligible for Top Secret/SCI. - Positions require: 6+ years of IT experience w/Bachelors or 10+ years w/Associates - Vulnerability Assessment Engineers also require at least one certification in the following: CISSP, GIAC, GCIA or GCIH (or higher) - Penetration Test Engineers also require at least TWO certifications in the following: CISSP, OSCP, CISA, GPEN, GWAPT, CEH (or higher). Please note, we are recruiting for 2 different labor categories with more details below ( Security Test Engineers (aka PenTesters) and Vulnerability Assessment Engineers ): Security Test Engineers (aka PenTesters): Seeking an energetic, results-driven, experienced Security Assessor / Penetration Test Engineer to work on the FBI Security Assessment Team (SAT) and appropriately contribute to the daily workload of a highly-skilled and diverse group of security assessment testers. Must be able to work under pressure and possess excellent oral and written communication and time-management skills. Candidate should possess a thorough technical proficiency with common commercial and/or open source vulnerability assessment tools and the techniques used for evaluating operating systems, networking devices, databases and web applications. Successful candidates must be able to quickly master new technology / software for the purposes of evaluating or subverting the security functionality of the technology / software, and should be comfortable researching and understanding a wide variety of existing and emerging technologies. Candidates should have a broad knowledge of security best practices, security solutions, and methodologies for conducting advanced security assessments, to include manual assessments and malicious user testing. The successful candidate must be familiar with the use and operation of security tools such as, but not limited to: - Port, Protocol, and Service enumeration using tools such as NMap, Masscan, Unicornscan; - Operating System vulnerability assessment tools such as: Tenable Nessus/SecurityCenter and Nexpose; - Web Application testing: BurpSuite, ZAP, Nikto, Dirbuster, SQLMap, HP WebInspect, App Scan; - Database: Application Security, AppDetective and IBM Gardium; and - Penetration Testing: Penetration testing Linux-distros (eg Backbox and Matriux Linux); and - Networking background: experience with Cisco or Juniper firewalls, routers, and switches. Candidate should also have: - Strong understanding of NIST Special Publications 800-37, 800-53, and 800-118; - Understanding of vulnerability assessment and penetration testing methodologies; - Intermediate to advanced understanding of networking protocols and operating systems (windows and UNIX-based); - Understanding of OWASP Top 10; - Ability to manually assess the security posture of system or application (eg testing a web application for Cross-site scripting); - Mainframes (z/OS); - Cross-Domain Solutions; - Programming and Scripting Languages (eg C++, Python, Java, .NET, and JavaScript); - Virtualization Technologies; SAT ensures that a comprehensive vulnerability assessment and validation of the effectiveness of security controls identified in the IS security control matrix is performed. The security projects undertaken by the Security Assessment Team (SAT) can vary widely in complexity and duration but typically require two weeks planning, two weeks on site, and two weeks to analyze information and report findings, though months-long assessments have occurred on occasion. The level of effort and number of security assessors required for each assessment is based on the criticality of the system, technology, and schedule. Security assessments are covered within the FBI's Security Assessment and Authorization (SAA) policy. The SAA Policy Guide also describes documentation required for testing. The SAT will work within the technical capabilities of the team and in accordance with the Policy Guide. Automated and manual testing techniques are used to identify vulnerabilities. SAT members also: - Perform IS penetration testing as directed; - Ensure that SOPs are updated and followed accordingly; - Ensure that the SAT Lab is configured and maintained, to include hardware (server and laptop) and software inventories, server and VMWare configuration management, patching, etc. - Support all IA SAA activities throughout the SAA process and ensure that all documentation is developed and maintained; - Perform compliance assessments and test new systems; - Develop Plan of Actions & Mitigations as needed; - Implement and maintain an effective security program; - Ensure that all FISMA requirements and documented and submitted on schedule; and - Initiate, with approval from the FBI PM or Team Lead, any corrective measures when vulnerabilities are discovered. Vulnerability Assessment Engineers : Seeking an energetic, results-driven, experienced Vulnerability Assessor to work on the FBI Vulnerability Assessment Team (VAT) and appropriately contribute to the daily workload of a highly-skilled and diverse group of security assessment testers. Must be able to work under pressure and possess excellent oral and written communication and time-management skills. Candidate should possess a thorough technical proficiency with common commercial and/or open source vulnerability assessment tools and the techniques used for evaluating operating systems, networking devices, databases and web applications. Successful candidates must be able to quickly master new technology / software for the purposes of evaluating or subverting the security functionality of the technology / software, and should be comfortable researching and understanding a wide variety of existing and emerging technologies. Candidates should have a broad knowledge of security best practices, security solutions, and methodologies for conducting advanced security assessments, to include manual assessments and malicious user testing. The successful candidate must have mid-level experience with at least 3 of the applications listed below: - Agiliance Risk Vision (Governance, Risk and Compliance (GRC) Application); - Application Security, AppDetective; - Application Security, Db Protect; - Cenzic Hailstorm; - HP WebInspect; - Tenable Nessus Vulnerability Scanner; - Tenable Security Center; and - NMAP ** Note: VAT members must be Tenable certified within 6 months of award or have a minimum of 3 years senior-level experience in Tenable Nessus and Security Center. It is strongly preferred that the candidate has Tenable as one of the 3 application experiences Candidate should also have: - Strong understanding of NIST Special Publications 800-37, 800-53, and 800-118; VAT ensures that a comprehensive vulnerability assessment and validation of the effectiveness of security controls identified in the IS security control matrix is performed. VAT personnel are responsible for continuous vulnerability scans across four enclaves (~125 information systems and/or applications that are either networked or stand-alone). This number varies +/- 5% annually. VAT serves as the central coordination point for all network system vulnerability assessments, audits, and related studies conducted on FBI information systems. VAT is tasked with the following: - Perform quarterly vulnerability scans and analysis of scans of FBI enterprise systems and applications; - Conduct vulnerability and/or compliance assessments; - Ensure that SOPs are updated and followed accordingly; - Support compliance activities for information systems and applications being accredited through the FBI C&A process; - Support RiskVision Team in integrating automated capability to capture vulnerability scan results; and - Support all IA SAA activities throughout the SAA process and ensure that all documentation is developed and maintained. VAT members also: - Perform IS penetration testing as directed; - Ensure that SOPs are updated and followed accordingly; - Ensure that the SAT Lab is configured and maintained, to include hardware (server and laptop) and software inventories, server and VMWare configuration management, patching, etc.; - Support all IA SAA activities throughout the SAA process and ensure that all documentation is developed and maintained; - Perform compliance assessments and test new systems; - Develop Plan of Actions & Mitigations as needed; - Implement and maintain an effective security program; - Ensure that all FISMA requirements and documented and submitted on schedule; and - Initiate, with approval from the FBI PM or Team Lead, any corrective measures when vulnerabilities are discovered; - Maintain the inventory and software baseline of systems/software used to scan non-enterprise information systems and application; - Support the security posture of the FBI through analysis of vulnerabilities of systems that host critical information. This may include evaluating underlying vulnerabilities within Unix-like environments; - Use of Risk Vision to generate a Security Assessment Plan and Security Assessment Report; - Monitor and evaluate a system's compliance with IT security, resilience and dependability requirements; - Provide an accurate technical evaluation of the software application, system, or network, documenting the security posture, capabilities and vulnerabilities against relevant information assurance policies; - Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to the ISSM, ISSO, and System Owner to correct deviations; - Assist in refinement of FBIs SAA processes and procedures, and continuous monitoring tools/products to mirror changes in government IA policy; - Analyze continuous monitoring results to confirm that the level of risk within acceptable limits for the software application, network or system.