Posts Tagged ‘application security’

Senior Security Professionals – GRC – Anywhere USA – Fortune 10

Job Area: Information Security Consulting

Title: Senior Consultant

Experience: 5-8 yrs in Information security

Location: Anywhere in USA

Travel: mostly in region (mix of onsite and remote)

AT&T Security Solutions is a division of AT&T (a Fortune Global Top 10 company). AT&T is looking for an information security practitioner with technical experience for the position of Senior Consultant, located in the continental US, to be part of a dynamic team of experienced security professionals with varied backgrounds. The candidate must be skilled in Secure Infrastructure Services such as secure network architecture design, implementation, device configuration review, and secure architecture reviews.

AT&T Security Consulting clients range from some of the largest companies in the world to small businesses requiring security consulting expertise.

Job Duties:

Key functions of this role will be to work on network security and architecture trusted-advisor engagements for our customers involving segmentation and optimization, DDoS mitigation, firewall migration/optimization, detailed assessment and next-generation design recommendations. Manual and automated configuration analysis for security weaknesses in firewalls, routers, switches, servers (Windows, Unix/Linux), IDS/IDP, databases and other platforms, as well as VoIP infrastructures, will also be required. Successful candidates will have demonstrated experience in network security consulting and an understanding of network-level risk assessments, with the ability to write objective, detailed reports explaining security issues. A background in network architecture and engineering is required. Technical knowledge of and experience with configuration review tools such as Nessus, Nipper, AlgoSec Firewall Analyzer, Tufin SecureTrack or NetBrain, as well as Unix/Linux scripting (PHP, Perl, shell, etc.), will be given preference.

Requirements:

• Bachelor's degree in Computer Science or a related field; Master's degree preferred
• A minimum of four years of information security consulting, with mid- to advanced-level infrastructure security design experience, required
• Very good understanding of security operations and management in a large customer environment
• Knowledge of Linux, UNIX, Windows (including Active Directory) and other operating systems
• Knowledge of popular databases such as MSSQL, Oracle and MySQL
• Knowledge of VoIP infrastructures
• Ability to write customized scripts in at least two of bash, Perl, PHP and Python preferred
• Must possess strong network device implementation/integration and troubleshooting skills
• Must be able to demonstrate in-depth expertise with multiple network device and firewall platforms, including at least three of the following:
o Palo Alto
o Fortinet
o Cisco ASA
o Cisco IOS and NX-OS routers/switches
o Check Point
o Juniper NetScreen
o Juniper SRX
• Must be a flexible team player, hard-working, and possess excellent communication and customer-facing skills
• Must be self-directed, able to manage solo projects or participate as part of a larger team
• Strong report-writing skills and the ability to explain complex security issues to customers in a formal presentation format required
• Must be able to interact confidently with all levels of technical and management client teams
• One security certification such as CISSP, CISA, CISM, PCI QSA, CEH, SANS GSEC, etc. is required; willingness to pursue further certification preferred
• Ability to travel 50%-75%, mostly within region; must possess a driver's license

Technical Skills

• Knowledge and experience with risk and compliance projects dealing with a variety of regulatory and voluntary compliance standards such as PCI DSS, the ISO 27000 series, federal and state security and privacy regulations, HIPAA/HITECH, HITRUST, GLBA, SOX 404, etc. preferred
• Strong technical problem/resolution skills required
• Knowledge and experience with technical network and host-based security required
• Mid- to advanced-level infrastructure or security design capabilities for environments that include 10 to 20 security devices, processes or applications
• Mid- to advanced-level systems administration (UNIX/Linux, Windows, or database)
• Mid- to advanced-level network administration (firewalls, IDS/IPS, network architecture)
• Mid- to advanced-level knowledge of one or more of the following preferred:
o Vulnerability scanning
o Application development
o Policy development
o Forensics
o Security event monitoring
o Routing/switching, including BGP, OSPFv2/v3, RIPv2 and EIGRP

Additional Requirements

• Knowledge and experience with risk and compliance assessments
• SCADA/control systems network experience a plus
• Bilingual candidates a plus

App Sec – Senior Consultant – Anywhere USA

Job Area: Information Security Consulting

Title: Senior Consultant (Intermediate-level)

Experience: 3-6 yrs in Information security

Location: Eastern US

Travel: mix of onsite and remote

Security Clearance: Beneficial, But Not Required

Job Description:

AT&T Consulting Solutions is a wholly owned subsidiary of AT&T (a Fortune Global Top 10 company). AT&T is looking for a sharp penetration tester for the position of Senior Consultant, located anywhere in the US, to be part of a dynamic team of experienced security professionals with varied backgrounds. AT&T Consulting clients range from some of the largest networks in the world to small businesses requiring security consulting expertise.

Job Duties:

Perform network penetration tests of AT&T customers' Internet-accessible and internal applications and networks. Knowledge of wireless penetration testing and web application development security is strongly desired; secure code review skills are a great plus. The candidate should have a deep understanding of TCP/IP, network discovery, DNS enumeration, vulnerability scanning, exploitation methods and privilege escalation, and an excellent grasp of web application exploitation and the OWASP Top 10. The candidate must be able to write objective, detailed reports explaining security issues.

Requirements:

• Bachelor's degree or higher; Master's degree preferred
• A minimum of three years of information security experience
• Knowledge of Linux, UNIX, Windows and other operating systems
• Knowledge of popular databases such as MSSQL, Oracle and MySQL
• Deep knowledge of TCP/IP, network protocols, firewall evasion, ethical hacking and routing protocols
• Experience in evading IDS/IPS and access control lists
• Experience with Nmap, Nessus/Qualys, Metasploit, Paros, Kismet, aircrack-ng, etc.
• Ability to write customized scripts in at least two of bash, Perl, Ruby and Python
• Knowledge of C/C++, Java, C#, etc. would be beneficial
• Ability to travel 50%-75%; must possess a driver's license
• Strong report-writing skills and the ability to explain complex security issues to customers
• Must be a flexible team player, hard-working, with excellent communication and customer-facing skills
• Security certifications such as CISSP, CEH, SANS GSEC, etc. preferred
• PCI DSS experience preferred

Technical Skills

• Strong technical problem/resolution skills
• Mid- to advanced-level infrastructure or security design capabilities for environments that include 10 to 20 security devices, processes or applications
• Mid- to advanced-level systems administration (UNIX/Linux, Windows, or mainframe)
• Knowledge of different application architectures and platforms, their development challenges, their control configurations, and their inherent security strengths and weaknesses (e.g., ColdFusion, J2EE, .NET)
• Mid- to advanced-level network administration (firewalls, IDS/IPS, network architecture)
• Advanced-level knowledge of the methods of three or more of the following:
o Vulnerability scanning
o Penetration testing (network, system and application)
o Application security
o Code review
o Forensics
o Security event monitoring
• Vendor certification or demonstrable in-depth technical expertise with at least three major security solutions
o Examples only: Symantec, McAfee, VeriSign, Juniper, Check Point, Cisco, ArcSight, Tripwire, etc.
o Demonstrable experience includes being able to gather customer requirements, design a solution, specify a bill of materials, implement, tune/optimize, maintain or troubleshoot at an architecture component level for an existing solution

Additional Requirements

• Knowledge and experience with risk and compliance assessments
• Bilingual candidates a plus

Pen test – threat modeling/review – Contract – San Francisco


Description of Services: SQS will perform threat modeling and security architecture reviews. The reviews will be conducted according to the client's methodologies and requirements.

 

Threat Modelling

Threat modelling is a structured approach to analyzing the security of an application; it enables the identification and quantification of the security risks associated with an application or solution. It is typically performed early in the SDLC. Its purpose is to identify threats and potential vulnerabilities in an application by reviewing the application's design and specification documentation, so that the necessary controls can be included as security requirements during development.

Our approach to Threat Modelling is modular and iterative, which allows it to be used within both Waterfall and Agile development approaches: elements of the process are performed as the supporting information for the application becomes available.

Our standard Threat Modelling process contains the following steps:

• Understand and Model the Application
o Determine the Security Objectives of the Information/Application
o Identify the Data Flows
o Identify the User Roles
o Identify the Trust Boundaries
o Identify Entry and Exit Points
o Identify Authentication and Authorization Decision Points
o Identify Threats
• Develop Security User Stories or Abuse Cases
o Use STRIDE to classify the threats and DREAD, where appropriate, to rank them
o Identify Potential Controls
o Develop a risk mitigation strategy

Each of the above steps is documented as it is carried out; the resulting document is the threat model for the application, which can be used to support design decisions.
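The process above, worked through on a small constructed example (added here for illustration; this is not SQS's code or methodology). The sample application, its trust zones, the threats derived and the DREAD ratings are all made up for the example, and the STRIDE-per-element table is the commonly used mapping of threat categories to element types rather than anything the contract description specifies.

```python
"""Threat model as code for a constructed three-tier web application.

Follows the steps above: model elements and data flows, find flows that cross
trust boundaries, list the STRIDE categories applicable to each element, attach
analyst-assigned DREAD ratings to the threats found, and rank them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    protocol: str
    authenticated: bool   # does dst verify who src is?
    encrypted: bool       # is the channel protected in transit?


@dataclass(frozen=True)
class Threat:
    target: str
    category: str   # STRIDE category
    description: str
    dread: tuple    # (Damage, Reproducibility, Exploitability, Affected users, Discoverability), 1..10 each

    @property
    def score(self) -> float:
        """DREAD score: mean of the five ratings."""
        return sum(self.dread) / len(self.dread)


# STRIDE-per-element: which threat categories apply to each kind of element.
STRIDE_PER_ELEMENT = {
    "external": ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"),
    "datastore": ("Tampering", "Repudiation", "Information disclosure", "Denial of service"),
}

# Step 1, model the application. Constructed sample: browser -> web tier -> API -> database.
BROWSER = Element("Customer browser", "external", "internet")
WEB = Element("Web front end", "process", "dmz")
API = Element("Order API", "process", "internal")
DB = Element("Orders DB", "datastore", "internal")

FLOWS = [
    Flow(BROWSER, WEB, "credentials and order data", "HTTPS", authenticated=True, encrypted=True),
    Flow(WEB, API, "order data", "HTTP", authenticated=False, encrypted=False),
    Flow(API, DB, "SQL queries", "TCP/5432", authenticated=True, encrypted=False),
]


def boundary_crossings(flows):
    """Flows whose endpoints sit in different trust zones (the entry/exit points of a zone)."""
    return [f for f in flows if f.src.zone != f.dst.zone]


def applicable_stride(element):
    """STRIDE categories worth considering for this element kind."""
    return STRIDE_PER_ELEMENT[element.kind]


def flow_threats(flows):
    """Derive threats from the properties of boundary-crossing flows.

    The DREAD ratings are analyst judgements; the values here are constructed
    for the sample, not measured.
    """
    threats = []
    for f in boundary_crossings(flows):
        label = f"{f.src.name} -> {f.dst.name}"
        boundary = f"{f.src.zone}/{f.dst.zone}"
        if not f.encrypted:
            threats.append(Threat(label, "Information disclosure",
                f"{f.data} crosses the {boundary} boundary in cleartext over {f.protocol}",
                (7, 9, 6, 8, 7)))
            threats.append(Threat(label, "Tampering",
                f"{f.data} can be altered in transit on {f.protocol}",
                (8, 7, 5, 8, 6)))
        if not f.authenticated:
            threats.append(Threat(label, "Spoofing",
                f"{f.dst.name} cannot tell {f.src.name} from any other host in {f.src.zone}",
                (9, 8, 6, 9, 6)))
    return threats


def rank_threats(threats):
    """Step 2, rank by DREAD score, highest first."""
    return sorted(threats, key=lambda t: t.score, reverse=True)


if __name__ == "__main__":
    for t in rank_threats(flow_threats(FLOWS)):
        print(f"{t.score:4.1f}  {t.category:<22} {t.target}: {t.description}")
```

In the sample only the web-tier-to-API hop is both unauthenticated and in cleartext across a boundary, so it produces all three ranked threats; the browser hop crosses a boundary too but is authenticated and encrypted, and the API-to-database hop stays inside one zone. Each ranked threat then becomes an abuse case with a candidate control (mutual TLS on the internal hop, for instance), which is the "identify potential controls" step.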

Security Architecture and Design Review

A Security Architecture and Design Review (SADR) is a structured method for reviewing the security of a system architecture at multiple levels and providing practical remediation actions to maximize system security. It is performed throughout the design and implementation of a system comprised of multiple computer systems interconnected via a network.

SQS performs SADRs to ensure that the underlying infrastructure of specific systems is secure. The review has three levels of analysis, together covering security from the logical (almost ethereal) level all the way down to the hardware level.

Security Requirements Assessment

A Security Requirements Assessment is performed to ensure that the system adheres to the security requirements set out in the early stages of system development and that there are no glaring security gaps in its design. To perform the assessment, SQS will require information such as architecture diagrams and documentation describing the intended workflow of the system and the roles of its users. The assessment has three key phases, described below.

Security Requirements and Design Documentation

SQS will require any and all documentation pertaining to the requirements and design of the system. This includes, but is not limited to:

• Use case documentation

• Technical specifications

• Developer notes

• Administration and user manuals

• Deployment and maintenance manuals

• Network diagrams

• Existing Data Flow Diagrams

• System design diagrams

• Interconnections within the system

• Connections with external systems and networks

• Data storage mechanisms

 

Interview stakeholders and developers

To fill gaps in the available information and put the existing documentation in context, SQS will interview all of the project stakeholders as well as available project managers and a small sample of developers. All questions are derived from the existing information and should be answered honestly, to the best of the interviewee's ability; contradictions and inconsistencies will only lengthen the process and may require re-interviewing. The time needed for this phase depends on the number of personnel to be interviewed; ideally it takes only a couple of days.

Analysis

SQS security architects will collate, normalize and analyze the compiled information.

Infrastructure Configuration Review

An Infrastructure Configuration Review is performed in order to maximize the security of the physical system. This process utilizes the results of the Security Requirements Assessment to guide SQS security architects in the review of physical configurations of the target system(s).

System documentation and network diagrams

SQS security architects will require any and all documentation pertaining to the hardware and software used to make up the physical system. This includes, but is not limited to:

• Administration and user manuals
• Network diagrams
• Interconnections within the system
• Connections with external systems and networks

 

Interview stakeholders and administrators

To fill gaps in the available information and put the existing documentation in context, SQS will interview all of the network stakeholders as well as available system administrators. All questions are derived from the existing information and should be answered honestly, to the best of the interviewee's ability; contradictions and inconsistencies will only lengthen the process and may require re-interviewing.

Individual system configurations

To provide a detailed and in-depth review not only of the entire system but of its individual components, detailed configuration descriptions or the actual configuration files are required for every piece of hardware and software used in the system. Each configuration will be reviewed in detail against the existing security requirements, industry standards and best practices.

Analysis

SQS security architects will analyze the documentation and configuration files provided, reviewing each configuration in detail against the existing security requirements, industry standards and best practices. SQS uses configuration guides, checklists and standards published by NIST, SANS and other reputable security organizations to perform the review.

Infrastructure Penetration Test

This is the last step in the SADR. It exercises the customer network in realistic attack scenarios built on the information gathered in the previous steps, and provides additional evidence for the customer that the system(s) can withstand attack from both internal and external adversaries.

Preparation

At this point in the SADR a wealth of information has been gathered on the target system(s). As Infrastructure Penetration Tests are frequently performed on live deployments, a scope will be defined that identifies the systems to be tested as well as limits on the types of tests to be performed. If applicable, SQS will review the architecture diagrams, the placement of servers, network segregation, VLAN usage, etc.

The exact scope of a penetration test is agreed on during the planning and initiation phase, but in general the aim of each penetration test is to assess the security of internal and external infrastructure and to provide assurance over the security configuration of the in-scope systems. In some cases the penetration phase will provide access to previously inaccessible hosts or networks; in these cases the test team will move on to test the newly visible infrastructure, beginning again with the network mapping phase, so the sequence of test execution can become recursive. At all times the test team will take care to avoid infrastructure that is out of scope, and will not exploit vulnerabilities that may have adverse effects on live services without prior consultation with the designated technical contact. The test proceeds through the following phases:

1. Public Information Discovery

2. Public-Facing Address Confirmation

3. Network Mapping Phase

4. Vulnerability Mapping Phase

5. Penetration Phase

 

SQS will then attempt to gain access to CLIENT's network by leveraging the vulnerabilities and weaknesses discovered, to the point where we are in a position to compromise information or the integrity of the network. SQS may use vulnerability scanning tools against the target network and systems in all their varying configurations of hardware and software, but while these scanners can perform the bulk of the scanning, manual verification is necessary to eliminate false positives, expand the scope and discover the data flows in and out of the network. Manual testing refers to a person or persons at the computer using creativity, experience and ingenuity to test the target network with a view to penetrating it using SQS' own techniques.

Manual verification is carried out using combinations of the tools listed previously, in addition to proprietary tools and simple clients such as those for Terminal Services, HTTP servers, MS-SQL, CIFS file shares, NFS exports, NIS, LDAP servers. Network configuration issues are not normally exploited as this can lead to network failure. However, should exploitation be desired, this is accomplished using tools such as Zebra and hping.

 

Exploitation of common host-based vulnerabilities is facilitated by frameworks such as Metasploit and CANVAS, whilst on-host data gathering is achieved with tools such as cachedump, lsadump and pwdump in conjunction with proprietary tools that are essentially batch files or shell scripts wrapping system tools such as the Windows net command and standard UNIX shell utilities. These techniques are considered aggressive, and will not be used on hosts providing live services without the permission of the technical contact.
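The two rules the test plan above keeps coming back to, stay inside the agreed scope even as the network-mapping loop recurses, and do nothing aggressive to a live-service host without the technical contact's permission, are easy to get wrong by hand once pivoting starts. The following is an added example of a scope gate that enforces both; it is illustrative code written for this page, not SQS tooling. The in-scope ranges, exclusion list, live-service host and the "what becomes visible after each compromise" table are all constructed for the example.

```python
"""Scope gate for the recursive map -> penetrate -> map loop described above.

Hosts that become visible after a compromise go back into network mapping only
if they are inside the agreed ranges and outside the exclusion list; hosts that
carry live services are flagged so that aggressive exploitation waits for the
technical contact's permission. The ranges, exclusions and discovered hosts are
constructed for the example.
"""
import ipaddress


class Scope:
    """In-scope networks, exclusions and hosts providing live services."""

    def __init__(self, in_scope, excluded=(), live_service_hosts=()):
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]
        self.live = {ipaddress.ip_address(h) for h in live_service_hosts}

    def contains(self, host):
        """True if host is inside an in-scope range and not inside an excluded one."""
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in self.excluded):
            return False
        return any(addr in net for net in self.in_scope)

    def needs_permission(self, host):
        """Aggressive techniques against this host require the technical contact's OK."""
        return ipaddress.ip_address(host) in self.live


def next_mapping_targets(scope, tested, discovered):
    """Filter newly visible hosts to those in scope and not yet tested.

    Returns (targets, rejected); rejected hosts are reported, never scanned.
    """
    targets, rejected = [], []
    for host in discovered:
        try:
            addr = str(ipaddress.ip_address(host))
        except ValueError:
            rejected.append((host, "not an IP address"))
            continue
        if addr in tested:
            continue
        if not scope.contains(addr):
            rejected.append((addr, "out of scope"))
            continue
        targets.append(addr)
    return targets, rejected


def run_mapping_loop(scope, initial_targets, discover):
    """Drive the recursive sequence: map a host, pivot, map what is newly visible.

    `discover(host)` stands in for the mapping/penetration tooling and returns the
    hosts reachable after that host is compromised.
    """
    tested, out_of_scope = set(), []
    queue = list(initial_targets)
    while queue:
        host = queue.pop(0)
        if host in tested:
            continue
        tested.add(host)
        targets, rejected = next_mapping_targets(scope, tested, discover(host))
        out_of_scope.extend(rejected)
        queue.extend(targets)
    return tested, out_of_scope


# Constructed sample: the agreed scope, and what each compromise exposes.
SCOPE = Scope(in_scope=["203.0.113.0/24", "10.0.0.0/16"],
              excluded=["10.0.9.0/24"],
              live_service_hosts=["10.0.2.20"])

PIVOTS = {
    "203.0.113.10": ["10.0.1.5", "10.0.1.6"],
    "10.0.1.5": ["10.0.2.20", "10.0.9.9", "192.0.2.1", "not-a-host"],
    "10.0.1.6": ["10.0.1.5"],
}


def demo():
    """Run the loop from the one public-facing host in the sample."""
    return run_mapping_loop(SCOPE, ["203.0.113.10"], lambda h: PIVOTS.get(h, []))


if __name__ == "__main__":
    tested, rejected = demo()
    for host in sorted(tested, key=ipaddress.ip_address):
        flag = " (live service: ask before exploiting)" if SCOPE.needs_permission(host) else ""
        print(f"tested  {host}{flag}")
    for host, reason in rejected:
        print(f"skipped {host}: {reason}")
```

The exclusion check runs before the in-scope check, so a host inside an agreed /16 but in a carved-out subnet (10.0.9.9 in the sample) is rejected even though a naive range test would admit it, and everything rejected is kept with a reason so it can appear in the report as "seen but not tested" rather than silently dropped.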

Deliverables

SQS will provide the following deliverables to CLIENT:

• Weekly status updates
• Preliminary report
• Final report