ConvoCourses

Cyber Security Compliance and IT Jobs

risk

Denver & Colorado Springs Eng, Tech & Security Clearance Career Expos, Feb 16 & 17

by Leave a Comment

If you are looking for a new opportunity, plan to attend the Colorado Engineering, Technology and Security Clearance

Denver & Colorado Springs Eng, Tech & Security Clearance Career Expos, Feb 16 & 17 CAREER FAIR:

Day 1: Colorado Springs Marriott/Tech Centre Dr. Feb. 16

Day 2: Hilton Garden Inn/Denver Tech Center Feb. 17

10 am2 pm

 

Meet face to face with hiring managers recruiting for experienced professionals in: Engineers (all disciplines), Test, IT, Mechanical, Defense, Scientific, Design, Risk, Cloud, Network, Cyber, Finite Element Modeling, Hardware, Electrical, Scientists, Software Developers, and Related Disciplines!

 

100’s of jobs are available!

All jobs require US citizenship and a minimum 2 years of Engineering or Technology industry experience on top of related degree or military background.  Some jobs require active security clearance.

 

For advanced registration and Express Lane access, please send your resume to: Resume@ExpoExpertsllc.com Subject: Attending

Expo Experts LLC 7770 Cooper Rd Cincinnati, Oh 45242

Celeste Farmer <celeste@expoexpertsllc.com>

ETHICAL HACKER/ PEN TESTER – Keller/TX

by Leave a Comment

 

ob Title ETHICAL HACKER/ PEN TESTER
Project Location Keller TX
Duration 24 months /Contract

 
Skills Required and Job Description:

MOI-Telephonic followed by Skype

Job Description

The Senior Ethical Hacker / Penetration Tester will be working individually and in teams.  This individual will be performing penetration testing or vulnerability assessment of web application, network, wireless, code review and firewall on multi-protocol enterprise systems.  This resource must have technical acumen.  This resource will be a key figure in monthly software releases for the client, semiannual complete regression testing of the entire platform, as well as other testing needs that may be arise.

Duties and Responsibilities

  • Independence: self-managed and motivated.  High energy, results driven person with strong interpersonal skills
  • Team oriented
  • Project Management: Takes responsibility for satisfaction of assigned project
  • Effective at speaking and collaborating with others
  • Effective at Technical writing and conducting vulnerability research
  • Effective at scoping a client’s testing effort
  • Good communicator to a technical audience.
  • Good understanding QA Methodology
  • Excellent communication skills and the ability to interface with more senior co-workers and leadership with confidence and clarity

Education and Training

  • Bachelor’s Degree in Information Technology/Computer Science or 5 years IT experience
  • Any of the following certifications: CISSP, GIAC, CEH certifications

Required Skills

  • Strong web application penetration testing experience
  • Experience in vulnerability identification and remediation
  • Knowledge of the software development lifecycle in a large enterprise environment
  • Programming background (C++, Perl, Python, Shell ) for tool and exploit development
  • Operating Systems: Windows, Linux, HP-UX, Solaris, AIX, etc.
  • Web Servers: IIS, Apache, Lotus Domino, Sun Java System, TC Server
  • Middleware software: Oracle’s WebLogic, IBM’s WebSphere, Apache Tomcat
  • In-depth knowledge of any proxying tools such as Paros, Burp, WebScarab, Achilles “fault injection”
  • Experience with any of the following commercial application scanning tools: IBM’s AppScan, HP’s WebInspect, HP’s Fortify, NTOSpider, Cenzic’s Hailstorm
  • Commercial database software like Application Security Inc.’s AppDetective
  • Experience with any open source tools such as Whisker or Nikto
  • WebServices technologies such as XML, SOAP, AJAX
  • Networking tools such as Nessus, nmap, Retina netcat
  • Understanding of various web application architectures
  • Understanding of server and client side application development
  • Physical and logical security audits
  • Logical protocol and network traffic audits
  • Client/Server exposure (i.e. Java, JSP, Servlet, Linux, UNIX, SQL).
  • Mainframe exposure (i.e. COBOL, JCL, IDMS/ADSO, CICS).
  • Database exposure (i.e. SQL Server, DB2).
  • Automation Testing Tool / frameworks exposure

Desired Skills

  • Experience with performing code review, wireless and firewall assessments
  • Solid network penetration testing experience
  • Technical knowledge in network security products, cryptographic suites and network/application firewalls
  • Experience with mobile application and operating system testing
  • Experience in evasion techniques to bypass firewalls and intrusion detection

,

 

 

Regards,

Nikunj | RG Talent Inc.

(D) 510-443-0757 Ext-142nikunj@rgtalent.com; \ nikunj.rgtalent@gmail.com

risk mitigation

by Leave a Comment

Risk mitigation can only be done by first identifying the risk.  And risk identification can only be done by characterization of the assets, discovery of vulnerabilities of those assets and determination of threats and/or possible harm to that system.

So risk mitigation is based on the results of risk assessments.

Risk assessment is a 9 step process.

 

1)  System characterization – a system is an organization asset.  So the first step is to discover all the features of that system and understand why it is important.

2)  Threat Identification – risk is determined by the likelihood of a threat affecting the weakness of an asset.  To limit the risk (risk mitigation), a security practitioner must determine the possible threat, find the weakness and then come up with a way to protect that system.

3)  Vulnerability Identification – The security practitioner (information system security officer, information system security analyst, system security engineer etc) must find the weakness of a system.

4)  Security Control Analysis – The security control protecting the vulnerability is the actual risk mitigation.  Analysis is determining what is needed, when and how much it will cost.

5)  Likelihood determination – The importance of risk mitigation is directly proportionate to the likelihood of the threat impacting the organization and its assets vulnerabiltiy.

6)  Impact Analysis – The bottom line of risk is the impact that will occur if harm should come to an asset.  If the asset ceases to function, what happens to the organization?   That question should drive how and why risk is mitigated.

7)  Risk Determination / Risk Identification – Based on all the data gathered you can make a pretty good risk determination.  You should have defined the systems components and what data is important, made a pretty good conclusion on threat sources and likelihood of the vulnerability exploits and know exactly what kind of impact there will be if the system goes down.

8)  Control Recommendation – This is where the actual RISK MITIGATION comes in.  All data is gathered from the risk assessment and risk has been identified and evaluated.  Risk is mitigated by applying to correct security controls.

9)  Results Documentation – The mitigation of risk must be documented for future reference.  Sometimes it can only be mitigated later and documented in a Plan of Action and Milestone.

Who does Mitigates the Risk:

First of all, risk cannot always be mitigated.  In this cases it is documented in something called a Plan of Action and Milestone (POA&M).  And sometimes risk is simple accepted because there is just nothing that can be done.  The mitigation of risk is the responsibility of the system owner.  The system owner will sometime have a right hand adviser on matters of security, a Chief Security Officer who is not afraid to say NO and will always give the system owner (CIO) the facts no matter how gruesome.  The CSO (or equivalent) delegates risk mitigation (implementation of security controls) to security practitioners (DoD 8140 compliant professionals) who hopefully know what they are doing.

 

risk management association

by Leave a Comment

Security Analysis and Risk Management Association (SARMA) is one of many risk management associations.  SARMA is a non-profit dedicated to security practitioners that are in the business of mitigating risks from man made threats.

ISACA is another risk management association with over 100,000 constituents in 180 countries.  They are the creators and proprietors of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information System Controls (CRISC) certifications.  They also created an Risk IT Framework.

More than just a risk management association, the Information Systems Security Association (ISSA) is a non-profit international organization for information security practitioners an managers.  I have been a member of this organization, and it has LOTS of great people involved in it.  They have local chapters in most major cities in the U.S.  They are great at bringing security professionals together to solve common issues in the industry, barter skill sets, teach new skills, train for IT certifications and promote products and services that involve risk management and/or security.

RIMS – Risk Management Society

The Risk Management Society has a vision of becoming the global leading in all aspects of risk management.  A VERY tall order.

As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals who are located in more than 60 countries. For more information on RIMS, visit www.RIMS.org

risk management guide

by Leave a Comment

If you are looking for a risk management guide there are several references text to choose from.  NIST SP 800-37, Risk Management Framework, ISO 31000:2009 Risk Management,  ISACA RISK IT Framework, and ITSG-33 are all pretty good risk management guides

NIST SP 800-37,  Guide for Applying the Risk Management 

The US federal government uses NIST SP 800-37.  The Defense Department uses DIARMF on which this site is based and DIARMF is based on NIST SP 800-37.  The document is comprehensive and branches in to several other documents:  NIST SP 800-39, Risk Management Security, NIST SP 800-30, Risk Assessment, NIST SP 800-53, Security controls and many others.  The NIST risk management guides were developed by National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS).

ISO 31000:2009 Risk Management Guide

ISO 31000:2009, Risk Management is a practical guide designed for any organization.  Designed by the International Organization for Standardization (ISO) 31000: 2009 offers a robust open standard for risk management framework.

 

ISACA RISK IT Framework

ISACA Risk IT Framework provides complete end to end guide for risk management of information technology addressing security threats exploiting asset vulnerabilities for corporations.

ITSG – IT Security Risk Management guide

Created by the Government of Canada’s, the ITSG is a IT Security Risk management guide ITSG-33 covers roles, responsibilities and activities of the Canadian risk management.

 

 

risk management wiki

by Leave a Comment

Risk management (security) has many flavors of processes and standards including (but not limited too): ISO 31000, NIST Risk Management Framework 800-37, DIARMF, ISACA RISK IT Framework, ITSG-33, and PMI Risk Management (just to name a few of the most prominent English variants).

ISO 31000:2009 Risk Management Wiki

 The International Organization for Standardization (ISO) has developed a standard for Risk management .  Its called ISO 31000:2009, Risk management – Principles and guidelines.   ISO 31000:2009 has created a system of risk management that can be applied universally to most organizations around the world.  This is significant as it allows two organization from different countries to map to different risk management frameworks with 31000 as a reference.

NIST Special Publication 800-37,  Guide for Applying the Risk Management Framework to Federal Information Systems

Is the defacto Risk Management Framework of the US Federal government.  Developed by National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS).  It is the center piece for all federal organization security processes.  The NIST also works on mapping the 800-37 to the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001, Information Security Management System (ISMS) and 31000.

Defense Information Assurance Risk Management Framework (DIARMF 8510)

DIARMF is based on a combination of CNSSI 1253 & NIST SP 800-37.  It Applies to ALL US Defense departments.  This is a big deal because in the past it was based on differing interpretations of DoD IA Certification & Accreditation Program.  Since each agency and department had their own process, it was expensive, time consuming and incredibly inefficient to get critical data from one organization to another.  DIARMF relies on heavy use of continuous monitoring tools pushed by FISMA 2012.

ISACA RISK IT Framework

ISACA Risk IT Framework provides complete end to end framework for managing information technology security threats exploiting asset vulnerabilities.

ITSG – IT Security Risk Management: Life cycle Approach

Issued by the Chief, Communications Security Establishment Canada (CSEC) ITSG – 33, is the Government of Canada’s response to emerging cyber threats  within the available resources of the country.  By applying security from the very begining of the sytems lifecycle they deal with risk management in a more intelligent and fiscally responsible way.  ITSG-33 covers roles, responsibilities and activities of the Canadian risk management.

PMI Risk Management

PMI Risk Management professional is actually a certification for providing risk management.