Overview
Remote
Depends on Experience
Contract - W2
100% Travel
Skills
CVSS
Penetration tests
Job Details
SR CYBER SECURITY ANALYST / PENETRATION TESTER
Contract duration: Long Term
Remote, travel as required
C2C
Direct Client
Job Description:
- The ideal candidate will have a security mindset and the ability to think outside the box, contributing to a team of highly motivated and skilled information security practitioners
- A minimum of 7 years of demonstrated ability in two or more of the following: application security, network security, or platform/OS security, in an engineering, architecture or consulting capacity
- A minimum of 7 years of penetration testing or ethical hacking, either for a consultancy or for a large enterprise
- The ability to speak in both technical and business terms is crucial: as a subject matter expert, the candidate should be able to articulate information security requirements and risks in business language
- Excellent analytical skills to complement strong written and verbal communication skills
- Excellent interpersonal, motivational, organizational, persuasive and project management skills
- Ability to think outside the box and to 'think evil.' Capable of conducting pentests on applications, systems and networks using proven, formal processes and industry standards
Detailed Job Responsibilities:
Internet Assessment
- The Consultant will perform a timeboxed, non-stealth attack and penetration assessment of Client's Internet-facing systems. The Consultant will scan the provided address ranges to identify live hosts, running services, and potential vulnerabilities associated with those services, and will then attempt to penetrate the systems.
- Testing activities will be timeboxed (limited) to one (1) week, beginning on a mutually agreed date, preferably before March 31, 2025. Testing must not impact business activities, or must otherwise be scheduled during the non-peak hours that CLIENT will advise.
- Penetration tests may include both automated and manual techniques.
- The Consultant will not attempt to avoid detection during testing.
- The Consultant will not attempt exploitation activities associated with, or known to cause, denial of service conditions.
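An added illustration, not part of this posting or of any client material: before the scanning described above starts, a tester should check every candidate target against the address ranges the client provided, including any exclusions, so that nothing outside scope is ever touched. The scope file format below (CIDR ranges, with `!` marking an exclusion) and the sample addresses are constructed for this example.

```python
"""Enforce a client-provided scope before scanning.

Only addresses inside the provided ranges, and not inside an exclusion,
are passed on to the scanner.  Anything else is reported, not scanned.
"""
import ipaddress

# Constructed sample scope, standing in for the ranges CLIENT provides.
# Plain lines are in-scope networks; lines starting with '!' are exclusions.
SCOPE_TEXT = """
# in-scope ranges (documentation prefixes, RFC 5737 / RFC 3849)
203.0.113.0/24
198.51.100.16/28
2001:db8:10::/48
# exclusions: hosts that must never be scanned
!203.0.113.250
!198.51.100.24/30
"""


def parse_scope(text):
    """Return (allowed, excluded) lists of ip_network objects."""
    allowed, excluded = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("!"):
            excluded.append(ipaddress.ip_network(line[1:].strip(), strict=False))
        else:
            allowed.append(ipaddress.ip_network(line, strict=False))
    return allowed, excluded


def in_scope(target, allowed, excluded):
    """True only if target is inside an allowed range and outside every exclusion."""
    addr = ipaddress.ip_address(target)
    # Exclusions win over allow ranges, so an excluded host inside an
    # in-scope /24 is still rejected.
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in allowed)


def filter_targets(targets, scope_text=SCOPE_TEXT):
    """Split a candidate target list into (scannable, rejected).

    Hostnames are rejected here on purpose: they must be resolved first and
    the resulting addresses re-checked, otherwise a DNS answer could steer
    the scan at an address the client never authorised.
    """
    allowed, excluded = parse_scope(scope_text)
    scannable, rejected = [], []
    for t in targets:
        try:
            (scannable if in_scope(t, allowed, excluded) else rejected).append(t)
        except ValueError:  # not an IP literal
            rejected.append(t)
    return scannable, rejected


if __name__ == "__main__":
    # Constructed candidate list mixing in-scope, excluded, out-of-range
    # and unresolved targets.
    candidates = ["203.0.113.5", "203.0.113.250", "198.51.100.20",
                  "198.51.100.25", "198.51.100.40", "2001:db8:10::1",
                  "2001:db8:11::1", "www.example.invalid"]
    ok, bad = filter_targets(candidates)
    print("scan:", ok)
    print("do not scan:", bad)
```

The scannable list is what gets handed to the scanner (for example as an input file); the rejected list goes back to the client for confirmation before anything is added.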
Intranet Assessment
- The Consultant will perform a timeboxed (time-limited), non-stealth attack and penetration test of the internal network, servers, workstations, and other network devices reachable through Client's internal network.
- The Consultant and CLIENT will agree on an acceptable assessment methodology and the technical requirements to complete the assessment. The objectives will be identifying security vulnerabilities, compromising internal hosts, escalating privileges, and demonstrating access to high-value targets.
- Testing activities will be timeboxed (limited) to two (2) weeks, beginning immediately after or concurrently with the Internet Assessment. Testing must not impact business activities, or must otherwise be scheduled during the non-peak hours that CLIENT will advise.
Website Assessment
- The Consultant will perform a timeboxed, non-stealth attack and penetration assessment of Client's websites.
- After scanning the identified websites for potential vulnerabilities, the Consultant will then attempt to penetrate the sites.
- Testing activities will be timeboxed (limited) to one (1) week, beginning immediately following or concurrently with the Internet Assessment.
- Penetration tests may include both automated and manual techniques.
- The Consultant will not attempt to avoid detection during testing.
- The Consultant will not attempt exploitation activities associated with, or known to cause, denial of service conditions.
- Testing activities will be timeboxed (limited) to one (1) week, beginning no sooner than May 1 (a web project must be completed first). Testing must not impact business activities, or must otherwise be scheduled during the non-peak hours that CLIENT will advise.
Reporting & Final Review
- The Consultant will provide a detailed report after testing is completed.
- The report will include a synopsis and graphical illustrations of the critical- and high-rated findings, and proposed recommendations to improve overall security posture in alignment with NIST standards.
- Additionally, the Consultant will describe their approach and provide, for each finding:
- A detailed description of the vulnerability and its implications,
- The asset(s) affected by the vulnerability, and
- A recommended approach for reducing or eliminating the exposure inherent in the vulnerability.
- The Consultant will assign evaluation ratings to the report findings based on the Common Vulnerability Scoring System (CVSS).
- The Consultant will host a walkthrough of the findings for discussion with CLIENT.
- The final report will be provided to CLIENT through a secure, encrypted method mutually agreed upon by both parties.
- At the close of the engagement when CLIENT has confirmed receipt of all reports and data, the Consultant will destroy all CLIENT data from their servers and systems.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.