Recent breaches have highlighted the need for talented pen-tester technologists with the ability to assess vulnerabilities long before they are under attack.
What it takes
Hands-on experience with reverse engineering, packet-level programming and knowledge of digital forensics. Expertise in identifying vulnerabilities and understanding what it takes to “break” a system is critical. The ability to approach a system creatively and solve complex problems, paired with stellar documentation and communication skills.
Compensation
Junior level roles start around $90K, with senior levels often earning $130K to $150K – sometimes higher.
Available Postings
- Ability to identify systemic security issues based on the analysis of vulnerability and configuration data
- Knowledge of application vulnerabilities
- Knowledge of content development
- Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools
- Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution, etc.)
- Knowledge of different operational threat environments (e.g., first generation [script kiddies], second generation [non-nation state sponsored], and third generation [nation state sponsored])
- Knowledge of general attack stages (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks, etc.)
- Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol (TCP) and Internet Protocol (IP), Open System Interconnection Model (OSI), Information Technology Infrastructure Library, v3 (ITIL))
- Knowledge of IA principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation)
- Knowledge of interpreted and compiled computer languages
- Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard IT) for safety, performance, and reliability
- Knowledge of network access, identity and access management (e.g., public key infrastructure, PKI)
- Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services
- Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of Defense-in-Depth)
- Knowledge of penetration testing principles, tools, and techniques (e.g., Metasploit, Neosploit, etc.)
- Knowledge of programming language structures and logic
- Knowledge of relevant laws, policies, procedures, or governance as they relate to work that may impact critical infrastructure
- Knowledge of system and application security threats and vulnerabilities
- Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, PL/SQL and injections, race conditions, covert channel, replay, return-oriented attacks, and malicious code)
- Knowledge of systems diagnostic tools and fault identification techniques
- Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities
- Skill in applying host/network access controls (e.g., access control list)
- Skill in assessing the robustness of security systems and designs
- Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems
- Skill in detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort)
- Skill in evaluating the trustworthiness of the supplier and/or product
- Skill in mimicking threat behaviors
- Skill in performing damage assessments
- Skill in performing packet-level analysis (e.g., Wireshark, tcpdump, etc.)
- Skill in the use of penetration testing tools and techniques
- Skill in the use of social engineering techniques
- Skill in using network analysis tools to identify vulnerabilities
Source: Domini Clark, principal, executive and technical recruitment, Blackmere
This was originally published in the March 2015 issue of SC Magazine.