
ConvoCourses

Cyber Security Compliance and IT Jobs


risk

Denver & Colorado Springs Eng, Tech & Security Clearance Career Expos, Feb 16 & 17

January 25, 2016 by Bruce Brown

If you are looking for a new opportunity, plan to attend the Colorado Engineering, Technology and Security Clearance Career Fair:

Day 1: Colorado Springs Marriott/Tech Centre Dr. Feb. 16

Day 2: Hilton Garden Inn/Denver Tech Center Feb. 17

10 am – 2 pm

Meet face to face with hiring managers recruiting for experienced professionals in: Engineers (all disciplines), Test, IT, Mechanical, Defense, Scientific, Design, Risk, Cloud, Network, Cyber, Finite Element Modeling, Hardware, Electrical, Scientists, Software Developers, and Related Disciplines!


Hundreds of jobs are available!

All jobs require US citizenship and a minimum of 2 years of engineering or technology industry experience on top of a related degree or military background. Some jobs require an active security clearance.

For advanced registration and Express Lane access, please send your resume to: Resume@ExpoExpertsllc.com Subject: Attending

Expo Experts LLC, 7770 Cooper Rd, Cincinnati, OH 45242

Celeste Farmer <celeste@expoexpertsllc.com>

Filed Under: cyberspace workforce, DIARMF Jobs, Information Assurance Jobs Tagged With: career, career fair, cloud, colorado springs, cyber, Defense, denver, Design, Electrical, est, expo, expos, Finite Element Modeling, Hardware, IT, Mechanical, network, risk, Scientific, Scientists, security clearance, Software Developers

ETHICAL HACKER/ PEN TESTER – Keller/TX

January 20, 2016 by Bruce Brown

Job Title: ETHICAL HACKER/ PEN TESTER
Project Location: Keller, TX
Duration: 24 months / Contract

Skills Required and Job Description:

MOI: Telephonic followed by Skype

Job Description

The Senior Ethical Hacker / Penetration Tester will be working individually and in teams. This individual will be performing penetration testing or vulnerability assessment of web applications, networks, wireless, code (code review) and firewalls on multi-protocol enterprise systems. This resource must have technical acumen. This resource will be a key figure in monthly software releases for the client, semiannual complete regression testing of the entire platform, as well as other testing needs that may arise.

Duties and Responsibilities

  • Independence: self-managed and motivated. High-energy, results-driven person with strong interpersonal skills
  • Team oriented
  • Project Management: Takes responsibility for satisfaction of assigned project
  • Effective at speaking and collaborating with others
  • Effective at Technical writing and conducting vulnerability research
  • Effective at scoping a client’s testing effort
  • Good communicator to a technical audience.
  • Good understanding of QA methodology
  • Excellent communication skills and the ability to interface with more senior co-workers and leadership with confidence and clarity

Education and Training

  • Bachelor’s Degree in Information Technology/Computer Science or 5 years IT experience
  • Any of the following certifications: CISSP, GIAC, CEH certifications

Required Skills

  • Strong web application penetration testing experience
  • Experience in vulnerability identification and remediation
  • Knowledge of the software development lifecycle in a large enterprise environment
  • Programming background (C++, Perl, Python, Shell ) for tool and exploit development
  • Operating Systems: Windows, Linux, HP-UX, Solaris, AIX, etc.
  • Web Servers: IIS, Apache, Lotus Domino, Sun Java System, TC Server
  • Middleware software: Oracle’s WebLogic, IBM’s WebSphere, Apache Tomcat
  • In-depth knowledge of any proxying tools such as Paros, Burp, WebScarab, Achilles “fault injection”
  • Experience with any of the following commercial application scanning tools: IBM’s AppScan, HP’s WebInspect, HP’s Fortify, NTOSpider, Cenzic’s Hailstorm
  • Commercial database software like Application Security Inc.’s AppDetective
  • Experience with any open source tools such as Whisker or Nikto
  • WebServices technologies such as XML, SOAP, AJAX
  • Networking tools such as Nessus, nmap, Retina, netcat
  • Understanding of various web application architectures
  • Understanding of server and client side application development
  • Physical and logical security audits
  • Logical protocol and network traffic audits
  • Client/Server exposure (e.g. Java, JSP, Servlet, Linux, UNIX, SQL)
  • Mainframe exposure (e.g. COBOL, JCL, IDMS/ADSO, CICS)
  • Database exposure (e.g. SQL Server, DB2)
  • Automation Testing Tool / frameworks exposure

Desired Skills

  • Experience with performing code review, wireless and firewall assessments
  • Solid network penetration testing experience
  • Technical knowledge in network security products, cryptographic suites and network/application firewalls
  • Experience with mobile application and operating system testing
  • Experience in evasion techniques to bypass firewalls and intrusion detection


Regards,

Nikunj | RG Talent Inc.

(D) 510-443-0757 Ext-142, nikunj@rgtalent.com; nikunj.rgtalent@gmail.com

Filed Under: cyberspace workforce, DIARMF Jobs, risk jobs Tagged With: Certified Ethical Hacker, job, jobs, risk

risk mitigation

February 5, 2014 by Bruce Brown

Risk mitigation can only be done by first identifying the risk. And risk identification can only be done by characterizing the assets, discovering the vulnerabilities of those assets, and determining the threats and/or possible harm to that system.

So risk mitigation is based on the results of risk assessments.

Risk assessment is a 9-step process.

1) System Characterization – a system is an organizational asset. So the first step is to discover all the features of that system and understand why it is important.

2) Threat Identification – risk is determined by the likelihood of a threat affecting the weakness of an asset. To limit the risk (risk mitigation), a security practitioner must determine the possible threat, find the weakness and then come up with a way to protect that system.

3) Vulnerability Identification – The security practitioner (information system security officer, information system security analyst, system security engineer, etc.) must find the weaknesses of the system.

4) Security Control Analysis – The security control protecting the vulnerability is the actual risk mitigation. Analysis is determining what is needed, when, and how much it will cost.

5) Likelihood Determination – The importance of risk mitigation is directly proportional to the likelihood of the threat impacting the organization through its assets' vulnerabilities.

6) Impact Analysis – The bottom line of risk is the impact that will occur if harm should come to an asset. If the asset ceases to function, what happens to the organization? That question should drive how and why risk is mitigated.

7) Risk Determination / Risk Identification – Based on all the data gathered you can make a pretty good risk determination. You should have defined the system's components and what data is important, reached a sound conclusion on threat sources and the likelihood of vulnerability exploits, and know exactly what kind of impact there will be if the system goes down.

8) Control Recommendation – This is where the actual RISK MITIGATION comes in. All data has been gathered from the risk assessment, and risk has been identified and evaluated. Risk is mitigated by applying the correct security controls.

9) Results Documentation – The mitigation of risk must be documented for future reference. Sometimes risk can only be mitigated later, in which case it is documented in a Plan of Action and Milestone.
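The nine steps above carried through in code, as an added example that is not part of the original post: a small risk register that scores each finding with the risk-level matrix from the original NIST SP 800-30 (likelihood weights 0.1/0.5/1.0 times impact magnitudes 10/50/100), applies the recommended control, and documents risk that is not yet mitigated in a POA&M. The one-level likelihood reduction for an implemented control and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass

# Steps 5 and 6: weights from the original NIST SP 800-30 risk-level matrix.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
ORDER = ["Low", "Medium", "High"]


@dataclass
class Finding:
    asset: str           # step 1: system characterization
    threat: str          # step 2: threat identification
    vulnerability: str   # step 3: vulnerability identification
    likelihood: str      # step 5: likelihood determination
    impact: str          # step 6: impact analysis
    control: str = ""    # step 8: recommended control
    status: str = "none"  # "implemented" | "planned" | "accepted" | "none"


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood weight x impact magnitude (SP 800-30 matrix)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 scale: Low 1-10, Medium >10-50, High >50-100."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"


def residual_likelihood(likelihood: str, status: str) -> str:
    """Assumption for illustration: an implemented control lowers likelihood one level."""
    if status != "implemented":
        return likelihood
    return ORDER[max(ORDER.index(likelihood) - 1, 0)]


def document_results(findings):
    """Step 9: results documentation; risk not mitigated now goes to the POA&M."""
    report = {"mitigated": [], "poam": [], "accepted": []}
    for f in findings:
        inherent = risk_level(risk_score(f.likelihood, f.impact))
        residual = risk_level(risk_score(residual_likelihood(f.likelihood, f.status), f.impact))
        entry = {"asset": f.asset, "vulnerability": f.vulnerability,
                 "control": f.control, "inherent": inherent, "residual": residual}
        if f.status == "implemented":
            report["mitigated"].append(entry)
        elif f.status == "accepted":
            report["accepted"].append(entry)   # nothing can be done; risk accepted
        else:
            report["poam"].append(entry)       # planned or no control: track milestones
    return report


# Constructed sample register (hypothetical systems, not from the post).
SAMPLE = [
    Finding("web-app-01", "external attacker", "unpatched TLS library", "High", "High",
            "patch and enable automatic updates", "implemented"),
    Finding("web-app-01", "insider", "shared admin account", "Medium", "Medium",
            "individual accounts with MFA", "planned"),
    Finding("file-share", "hardware failure", "no offsite backup", "Low", "High",
            "", "accepted"),
]

if __name__ == "__main__":
    for section, entries in document_results(SAMPLE).items():
        print(section, entries)
```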

Who Mitigates the Risk:

First of all, risk cannot always be mitigated. In these cases it is documented in something called a Plan of Action and Milestone (POA&M). And sometimes risk is simply accepted because there is just nothing that can be done. The mitigation of risk is the responsibility of the system owner. The system owner will sometimes have a right-hand adviser on matters of security, a Chief Security Officer who is not afraid to say NO and will always give the system owner (CIO) the facts no matter how gruesome. The CSO (or equivalent) delegates risk mitigation (implementation of security controls) to security practitioners (DoD 8140 compliant professionals) who hopefully know what they are doing.

Filed Under: DIARMF Tagged With: IA controls, risk, risk determination, risk identification, risk impact, risk management, risk managment, risk mitigation, rmf, security controls

risk management association

February 5, 2014 by Bruce Brown

Security Analysis and Risk Management Association (SARMA) is one of many risk management associations. SARMA is a non-profit dedicated to security practitioners who are in the business of mitigating risks from man-made threats.

ISACA is another risk management association, with over 100,000 constituents in 180 countries. They are the creators and proprietors of the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certifications. They also created the Risk IT Framework.

More than just a risk management association, the Information Systems Security Association (ISSA) is a non-profit international organization for information security practitioners and managers. I have been a member of this organization, and it has LOTS of great people involved in it. They have local chapters in most major cities in the U.S. They are great at bringing security professionals together to solve common issues in the industry, barter skill sets, teach new skills, train for IT certifications and promote products and services that involve risk management and/or security.

RIMS – Risk Management Society

The Risk Management Society has a vision of becoming the global leader in all aspects of risk management. A VERY tall order.

As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals who are located in more than 60 countries. For more information on RIMS, visit www.RIMS.org

Filed Under: NIST Security Framework, risk management Tagged With: association of risk management, at risk management, business risk, ISACA, ISSA, risk, risk management, risk management association, rmf, SARMA

risk management guide

February 5, 2014 by Bruce Brown

If you are looking for a risk management guide there are several reference texts to choose from. NIST SP 800-37, Risk Management Framework; ISO 31000:2009, Risk Management; the ISACA Risk IT Framework; and ITSG-33 are all pretty good risk management guides.

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

The US federal government uses NIST SP 800-37. The Defense Department uses DIARMF, on which this site is based, and DIARMF is based on NIST SP 800-37. The document is comprehensive and branches into several other documents: NIST SP 800-39, Risk Management Security; NIST SP 800-30, Risk Assessment; NIST SP 800-53, Security Controls; and many others. The NIST risk management guides were developed by the National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS).

ISO 31000:2009 Risk Management Guide

ISO 31000:2009, Risk Management is a practical guide designed for any organization. Designed by the International Organization for Standardization (ISO), 31000:2009 offers a robust open standard for a risk management framework.

ISACA RISK IT Framework

The ISACA Risk IT Framework provides a complete end-to-end guide for risk management of information technology, addressing security threats that exploit asset vulnerabilities in corporations.

ITSG – IT Security Risk Management guide

Created by the Government of Canada, ITSG-33 is an IT security risk management guide that covers the roles, responsibilities and activities of Canadian risk management.

Filed Under: NIST Security Framework, risk management Tagged With: COBITS, ISO 31000 2009 Risk Management, ITSG, nist risk management framework, nist risk management framework 800-37, risk, risk management guide, risk mangement framework, rmf, security risk

risk management wiki

February 2, 2014 by Bruce Brown

Risk management (security) has many flavors of processes and standards including (but not limited to): ISO 31000, NIST Risk Management Framework 800-37, DIARMF, the ISACA Risk IT Framework, ITSG-33, and PMI Risk Management (just to name a few of the most prominent English variants).

ISO 31000:2009 Risk Management Wiki

The International Organization for Standardization (ISO) has developed a standard for risk management. It's called ISO 31000:2009, Risk management – Principles and guidelines. ISO 31000:2009 has created a system of risk management that can be applied universally to most organizations around the world. This is significant, as it allows two organizations from different countries to map their different risk management frameworks to each other with 31000 as a reference.

NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

This is the de facto Risk Management Framework of the US Federal government. It was developed by the National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS). It is the centerpiece of all federal organizations' security processes. NIST also works on mapping 800-37 to the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001, Information Security Management System (ISMS), and to 31000.

Defense Information Assurance Risk Management Framework (DIARMF 8510)

DIARMF is based on a combination of CNSSI 1253 and NIST SP 800-37. It applies to ALL US Defense departments. This is a big deal because in the past it was based on differing interpretations of the DoD IA Certification & Accreditation Program. Since each agency and department had their own process, it was expensive, time consuming and incredibly inefficient to get critical data from one organization to another. DIARMF relies on heavy use of continuous monitoring tools pushed by FISMA 2012.

ISACA RISK IT Framework

The ISACA Risk IT Framework provides a complete end-to-end framework for managing information technology security threats that exploit asset vulnerabilities.

ITSG – IT Security Risk Management: Life cycle Approach

Issued by the Chief, Communications Security Establishment Canada (CSEC), ITSG-33 is the Government of Canada's response to emerging cyber threats within the available resources of the country. By applying security from the very beginning of the system's lifecycle they deal with risk management in a more intelligent and fiscally responsible way. ITSG-33 covers the roles, responsibilities and activities of Canadian risk management.

PMI Risk Management

PMI Risk Management Professional is actually a certification for practitioners who provide risk management.

Filed Under: DIARMF Tagged With: at risk management, DIARMF, isaca risk it framework, ISO 31000 2009 Risk Management, ITSG-33, management risk wiki, nist risk management framework, PMI Risk Management Professional, risk, risk management, risk management wiki, rmf


Copyright © 2023 · Author Pro on Genesis Framework · WordPress