Job Title: Penetration Testing Lead
Posted by: K2 Group, Inc. on Aug 27, 2020
Location:
Washington , DC 20032Job Description:
**This is currently a contingent opportunity.**
The Penetration Testing Lead of the ATO NAS security posture will provide detailed analysis of identification of application, system, and network vulnerabilities; gaps in IT security governance; assessment of patching methodologies; current network security capabilities; and potential existing security incidents. Penetration testing will be within the scope of ATO, NAS accessible hosts residing in the security boundary of the Agency network environments.
Performance shall include:
Network Management and Out of Band segments that provide network communications and services to publicly accessible hosts.
Provide Network, System, and Application penetration testing support following the guidelines delineated in National Institute Standards and Technology (NIST) Special Publication (SP) 800-115, “Technical Guide to Information Security Testing and Assessment,” and must be in accordance with Federal Information Processing Standards (FIPS) and National Institute Standards and Technology (NIST) System Authorization requirements and guidance.
Assessment and reporting will be based on the NIST 800-53 low, moderate, and high security controls, Federal Information Processing Standard, (FIPS-199), FAA Order 1370.121, and other applicable government standard and policies.
Perform penetration testing of FAA systems. The objectives of the penetration testing task are to:
Discover new or existing software, firmware, hardware, and system vulnerabilities
Determine the impact of those vulnerabilities
Identify strategies to mitigate the potential impact of specific vulnerabilities
Lower risk exposure across the NAS.
For each Penetration Test, testing lead must:
Develop Rules of Engagement (ROE) with the system owner and ACG to ensure that all parties understand and agree with the scope of the penetration test effort as documented in the Penetration Test Plan (CDRL 0013)
Plan for the test
Perform the test
Document the results of the test in the Penetration Test Report (CDRL 0014). This includes, but is not limited to:
Describing any deviations from the rules of engagement or test plan
Describing the attack vector(s) test and threat model(s) followed during testing
Identifying any vulnerabilities exposed and describing how they can be exploited to gain access to NAS systems
Documenting overall results for inclusion in the Penetration Test Report (PTR)
Developing briefings to support POAM development and remediation activities
Confirming that previously identified vulnerability findings have been remediated and are no longer a risk (if applicable)
If requested, the lead must also provide FAA leadership with recommended remediation actions to lower overall risk exposure.
Use standard penetration testing tools approved by the FAA
Must not circumvent access controls and privilege escalation
During penetration testing, the lead must not delete any live data or perform any Denial of Service attacks. Additionally, the Contractor must make every attempt to not disrupt operations (if applicable).
Assess the potential impact and risk to the system, associated systems, and/or network infrastructure.
Assess the potential for damage to the system, associated systems and/or network infrastructure
Document any system modifications made during the exploit that effect the target system(s) baseline configuration
Document the changes as artifacts for vulnerability assessment and for normalizing the system back to configuration baseline post penetration testing.
Assess the ability of the attacker to leverage the system for access to additional systems and networks. This includes:
An inventory of all applications, data storage devices and systems, and identification and authentication measures, made available to the FAA upon request.
An inventory of all agency hardware and its operating systems and network management systems made available to the FAA upon request.
Network Exploitation in a multi-vendor environment to include but not limited to: wireless technologies, network routers (Layer 3), network switches (Layer 2), firewalls, IDS/IPS’s, and Cloud services.
Support Regression Penetration Testing to validate patches, fixes, and configuration changes made to the system, network, or web application under test mitigate the identified discrepancy or vulnerability identified in the original Penetration Test. All Regression Testing must be documented by amending or appending the original Penetration Test Report (CDRL 0014).
Support Red Teaming and/or Blue Teaming exercises. All Red Teaming and Blue Teaming Exercise must be conducted in a simulated environment or in an environment as directed by the FAA.
Degree:
Bachelor’s Degree in Cyber Security, Computer Science, Information Technology, Engineering, Mathematics, or Physics.
Level I: Minimum of 15 Years of relevant experience; in lieu of a Bachelor’s Degree 20+ years of experience and a current industry level certification
Level II: Minimum of 10 Years of relevant experience; in lieu of a Bachelor’s Degree 15+ years of experience
Level III: Minimum of 5 Years of relevant experience; in lieu of a Bachelor’s Degree 10+ years of experience
Certifications:
If performing Risk Assessments; minimum of two (2) of the following certifications or equivalent:
* Certified Information Systems Security Professional (CISSP)
* GIAC Certified Enterprise Defender (GCED)
* CompTIA Advanced Security Practitioner (CASP)
* Certified Information Systems Auditor (CISA)?
Security Clearance:
Current and active SECRET security clearance
The Penetration Testing Lead of the ATO NAS security posture will provide detailed analysis of identification of application, system, and network vulnerabilities; gaps in IT security governance; assessment of patching methodologies; current network security capabilities; and potential existing security incidents. Penetration testing will be within the scope of ATO, NAS accessible hosts residing in the security boundary of the Agency network environments.
Performance shall include:
Network Management and Out of Band segments that provide network communications and services to publicly accessible hosts.
Provide Network, System, and Application penetration testing support following the guidelines delineated in National Institute Standards and Technology (NIST) Special Publication (SP) 800-115, “Technical Guide to Information Security Testing and Assessment,” and must be in accordance with Federal Information Processing Standards (FIPS) and National Institute Standards and Technology (NIST) System Authorization requirements and guidance.
Assessment and reporting will be based on the NIST 800-53 low, moderate, and high security controls, Federal Information Processing Standard, (FIPS-199), FAA Order 1370.121, and other applicable government standard and policies.
Perform penetration testing of FAA systems. The objectives of the penetration testing task are to:
Discover new or existing software, firmware, hardware, and system vulnerabilities
Determine the impact of those vulnerabilities
Identify strategies to mitigate the potential impact of specific vulnerabilities
Lower risk exposure across the NAS.
For each Penetration Test, testing lead must:
Develop Rules of Engagement (ROE) with the system owner and ACG to ensure that all parties understand and agree with the scope of the penetration test effort as documented in the Penetration Test Plan (CDRL 0013)
Plan for the test
Perform the test
Document the results of the test in the Penetration Test Report (CDRL 0014). This includes, but is not limited to:
Describing any deviations from the rules of engagement or test plan
Describing the attack vector(s) test and threat model(s) followed during testing
Identifying any vulnerabilities exposed and describing how they can be exploited to gain access to NAS systems
Documenting overall results for inclusion in the Penetration Test Report (PTR)
Developing briefings to support POAM development and remediation activities
Confirming that previously identified vulnerability findings have been remediated and are no longer a risk (if applicable)
If requested, the lead must also provide FAA leadership with recommended remediation actions to lower overall risk exposure.
Use standard penetration testing tools approved by the FAA
Must not circumvent access controls and privilege escalation
During penetration testing, the lead must not delete any live data or perform any Denial of Service attacks. Additionally, the Contractor must make every attempt to not disrupt operations (if applicable).
Assess the potential impact and risk to the system, associated systems, and/or network infrastructure.
Assess the potential for damage to the system, associated systems and/or network infrastructure
Document any system modifications made during the exploit that effect the target system(s) baseline configuration
Document the changes as artifacts for vulnerability assessment and for normalizing the system back to configuration baseline post penetration testing.
Assess the ability of the attacker to leverage the system for access to additional systems and networks. This includes:
An inventory of all applications, data storage devices and systems, and identification and authentication measures, made available to the FAA upon request.
An inventory of all agency hardware and its operating systems and network management systems made available to the FAA upon request.
Network Exploitation in a multi-vendor environment to include but not limited to: wireless technologies, network routers (Layer 3), network switches (Layer 2), firewalls, IDS/IPS’s, and Cloud services.
Support Regression Penetration Testing to validate patches, fixes, and configuration changes made to the system, network, or web application under test mitigate the identified discrepancy or vulnerability identified in the original Penetration Test. All Regression Testing must be documented by amending or appending the original Penetration Test Report (CDRL 0014).
Support Red Teaming and/or Blue Teaming exercises. All Red Teaming and Blue Teaming Exercise must be conducted in a simulated environment or in an environment as directed by the FAA.
Degree:
Bachelor’s Degree in Cyber Security, Computer Science, Information Technology, Engineering, Mathematics, or Physics.
Level I: Minimum of 15 Years of relevant experience; in lieu of a Bachelor’s Degree 20+ years of experience and a current industry level certification
Level II: Minimum of 10 Years of relevant experience; in lieu of a Bachelor’s Degree 15+ years of experience
Level III: Minimum of 5 Years of relevant experience; in lieu of a Bachelor’s Degree 10+ years of experience
Certifications:
If performing Risk Assessments; minimum of two (2) of the following certifications or equivalent:
* Certified Information Systems Security Professional (CISSP)
* GIAC Certified Enterprise Defender (GCED)
* CompTIA Advanced Security Practitioner (CASP)
* Certified Information Systems Auditor (CISA)?
Security Clearance:
Current and active SECRET security clearance
Education Level:
Bachelors degree or higher
Pay Rate:
Commensurate with experience
Security Clearance:
Top secret
Travel Requirements:
None
Sign Up to Apply to this position
(if you already have a CGO account, just press the button below)
About K2 Group, Inc.
The DNA of our firm is rooted in the Counter Terrorism and Intelligence Communities. We understand the threats posed and the requirements needed to defeat them. From information security to infrastructure protection - we offer the analysis, technical and operational support needed to accomplish even the most challenging missions. K2 Group delivers the knowledge and experience demanded to support the full life cycle of security mission requirements - anytime, anywhere.
Please visit this employer's Public Profile to see more jobs offered by K2 Group, Inc.