IT Security Analyst Penetration Testing

Job Description

Position is responsible for working as team member to complete all aspects of application/network penetration test, risk assessment and other security activities as assigned to the Red Team. This position will involve working closely with development and projects teams to ensure that internal, secure development processes are adhered to and applications produced by the process are free from security vulnerabilities. Position will also be responsible for providing guidance and general application and infrastructure security consultancy with regard to development best practices, prevention and remediation of application and infrastructure vulnerabilities.

Responsibilities

This position reports to the IT Security Manager, GRC and is a key position within the IT Security group which is responsible for protecting the Confidentiality, Integrity and Availability of Citco data and resources.

Principal Accountabilities

Technical Expectations/Professional Practices:

• Penetration Tester responsible for providing comprehensive security testing and remediation recommendations for internal engagements.
• Interfacing with security/IT staff and business customers to evaluate security posture of projects and formulate test plans and engagement timelines.
• Complete testing engagements, document results using approved report formats and track complete remediation of security risks identified.
• Perform manual validation of results from automated/semi-automated tests
• Perform manual penetration test activities as needed.
• Complete social engineering and physical on-site assessments as directed
• Utilize network mapping, host enumeration and scanning tools when necessary
• Complete project work accurately and within deadlines as required.
• Complete analysis and draw comprehensive conclusions of overall system risk, making recommendations for remediation strategy.
• Coordinate with internal colleagues to follow up on vulnerability remediation.
• Develop and maintain effective working relationships with clients and other team members.
• Gain and maintain a working knowledge of the Security Products and Services
• Continually review and enhance existing knowledge of threat analysis and investigations of common product sets and technologies
• Support and encourage information sharing with other team personnel.
• Participate in providing mentoring support and guidance to team members to help grow skills and capabilities.
• Be passionate about information security and conduct research on current security topics.
  
  

• Ability to work independently with or without direction and or supervision.
• Portray professional demeanor. Calmness and clarity of thought under pressure and ability to maintain confidentiality.
• Strong written and verbal communication skills.
• Strong conceptual thinking and communication skills - the ability to conceptualize complex business and technical requirements of a given compliance or regulatory mandate into actionable approaches.
• Demonstrate flexibility and adaptability in approach to work.
• Accept responsibility and personal accountability.
• Maintain good attendance and punctuality.
• Demonstrate use of professional judgment on the job.
• Maintain a tidy desk and work environment.
• Ability to maintain the goals and culture of the organization.
  
  

• A bachelors degree information systems or other related field; or equivalent work experience.
• Professional security certifications such as SANS GPEN or WAPT are a plus
• Demonstrate a self-directed approach to learning new technologies in the field; pursue professional development.
• Strong technical acumen in securing software and hardware
• Knowledge of Penetration testing tools and testing methodologies
• Analysis of operating system, application and network architectures to identify security vulnerabilities
• Extensive knowledge and experience of operating systems and distributions.
• Windows Server and Desktop Network and domain administration, enumeration and exploitation
• Understanding of the TCP/IP protocol stack and many other protocols, such as routing protocols through to web services
• Knowledge of security issues related to many common databases including MySQL, MSSQL, MySQL and Oracle
• Working knowledge of application testing tools and techniques such as XSS and SQL injection
• Scripting and programming skills are not necessarily required but are preferred
• Collaborates across security groups to ensure comprehensive risk discovery and remediation
• Manages personal work engagements to meet project timelines
• Participates in group training and skill improvement
• Previous experience with BURP Suite, IBM AppScan and Core Impact a plus