IT Security Vulnerability Analysis Specialist (x2)

Our government security client requires the professional services of two (2) Senior IT Security Vulnerability Analysis (VA) Specialists to perform and conduct technical security in-depth testing activities related to vulnerability assessment and penetration testing to validate the architectural integrity of government systems at the network, application, and host level in various environments. This contract begins in the winter and will last for up to 5 years. 

The Contractor must validate the architectural integrity of the system through the testing process by:

a) Testing external remote access vulnerabilities in Operating Systems, devices, and their supporting services by connecting to different zones and profiling each system, device, and service within the zone;

b) Assessing security exposures resulting from weak security zone and architectural controls by reviewing the architecture against best practices and, where

weaknesses are suspect, validating those gaps by active testing; and

c) Providing a full analysis report on vulnerabilities found, their severity, and possible corrective actions.

The Network-level VA is conducted by connecting to each zone in the infrastructure from an external point of presence, including the Public Zone (i.e., Internet) and performing scans to discover active hosts in each zone. When performing the scan from the Internet, the contractor will employ infrastructure using either a CSE cloud subscription or CSE infrastructure. The methodology that will be used will be white box testing.

IP address ranges for each zone, including the Public-facing IP's, will be provided, precluding any need to discover the range of IP addresses using other means. The results of this testing must also measure the effectiveness of border controls (i.e., firewall and router rules) to this form of discovery. Host discovery testing is determined by the network services published by the infrastructure.

For the External VA, each active host must then be probed to estimate its operating system and to identify hosted TCP and UDP services along with their respective versions. In addition, UDP-based clients can be executed against each active system to confirm the UDP port scan results. Vulnerability scanning tools must then be executed against each active external host to identify vulnerabilities in each host's services and Operating Systems.

For the Internal VA, from the set of active hosts discovered during the initial scan, a subset will be proposed by the Contractor and selected by the Technical Authority that provide exemplars of the typical servers in the CSE environment. In particular, internal databases holding client information must be on this list of exemplars. Each of these exemplar systems must be probed to estimate its operating system and to identify hosted TCP and UDP services along with their respective versions. In addition, UDP based clients can be executed against each active system to confirm the UDP port scan results. Vulnerability scanning tools must then be executed against each active external host to identify vulnerabilities in each host's services and Operating System.

Perform testing for Man in the Middle (MitM) attacks by attempting either ARP cache poisoning, DNS poisoning, CAM flooding, etc. as well as testing the VLAN security (e.g., test the safeguards against VLAN island hopping}.

Communications Security Establishment

Following the VA scanning, secondary external testing of the vulnerability scanner results must be conducted to eliminate false positives from the reporting.

This information can then be used to confirm the network service-based vulnerabilities by correlating the data with historical experience in addition to data published by online vulnerability services. Any high-risk vulnerabilities discovered during this activity will be reported immediately along with suggested mitigation strategies.

The internal Network Vulnerability Analysis must be performed onsite at CSE offices by connecting a CSE issued laptop containing a Vulnerability Assessment tool kit to relevant zones in the network infrastructure. Data collected during this activity must be protected in accordance with CSE policies while it is used for analysis and reporting. After completion of the engagement, all data must be destroyed according to CSE electronic data destruction standards.

4.2 Host-level VA

This activity will conduct a VA of the internet facing systems used by CSE. Consider representative systems used by CSE such as various versions of MS Windows, UNIX/Linux, web server applications, SQL and Oracle server databases. The VA must evaluate the controls implemented on each of these hosts relative to best practices used in the industry and provide mitigation strategies where gaps are identified. The testing will include a password assessment. CSE will provide access to hosts for testing, including temporary credentials for automated scanning utilities using white box testing methodologies.

4.3 Active Directory VA

This activity will conduct a VA of the Windows Active Directory user/group structure as well as security controls enforced through Group Policy Objects (GPO’s). This VA will confirm that the appropriate policies are being enforced and the user/group structure is consistent with the design and provide mitigation strategy where issues are identified. CSE will provide the contractor with policy documentation as well as access to representative Active Directory servers with temporary domain credentials for active testing and data collection using credentialed VA scans.

4.4 Cloud VA testing

The Contractor must validate the integrity of the interaction between public cloud-based applications and their on-premises components. Working within the policies and procedures of the cloud service provider, the Contractor shall develop a plan outlining cloud VA testing activities required to validate the integrity of the data path between the cloud and on-premises applications. The Contractor shall review the plan with the TA prior to commencing the test activity and shall provide a full analysis report on vulnerabilities found and possible mitigation strategies and resolutions.

Must have 

• 10 years of experience in Vulnerability Analysis
• Security certification in penetration testing (e.g. OSWE, OSED, SANS-GWAPT, SANS-GPEN, SANS-GIAC, SANS-GXPN) 
• Prior experience providing guidance to executives within the security and intelligence field.
• Experience assessing the access control, auditing, authentication, encryption, integrity of IT systems, Network Infrastructure and Cloud Services