Senior Consultant Cybersecurity and Pentest
Deloitte's Enterprise Risk Services has a risk-based approach, experienced professionals, comprehensive methodologies, and technical resources for serving our clients in the areas of cyber security, IT and internal audit, risk management, and compliance. We are constantly looking for experienced security professionals with backgrounds across a range of information security disciplines.
In the role of Senior Consultant, you would participate in the research, analysis, design, testing and implementation of medium to complex computer network security/protection technologies for our clients' information and network systems and applications. This position reports to the Senior Manager of the Cyber Security Team, and works closely with our clients' teams in their internal information security programs.
The ideal candidate for this position is a professional ethical penetration tester who can perform relevant threat modeling on the client's designated target of evaluation (ToE), and who masters and executes the techniques of attackers to identify vulnerabilities, validate them, and assign a severity rating by deriving impact. This candidate must be able to utilize hacking tools and modify or create proof of concept exploits. He or she is passionate about security, keeps up to date on core tools, techniques and tactics, and furthers their knowledge every day.
The position requires at least a BS in Computer Science, Information Security, Information Technology, Computer Engineering, or a related degree, plus at least one year of targeted experience in computer network security, including application attack and defense, web services, operating system security, privacy, storage network security or malicious application analysis.
- Conduct threat modeling and attack modeling on the clients' designated targets of evaluation;
- Plan pentest engagements and assess effort and stages according to internal Deloitte methodology;
- Conduct hardware, mobile, and wireless security assessments;
- Conduct infrastructure and server, desktop and web-based application penetration tests;
- Write PoC exploit code for vulnerabilities the team has discovered;
- Thoroughly document exploit chain/proof of concept scenarios for client consumption and the internal knowledge base;
- Conduct social engineering assessments;
- Document the findings according to internal Deloitte methodology and principles;
- Analyze and summarize the findings in clear and actionable reports;
- Develop custom penetration testing tools;
- Conduct research in cyber security;
- Directly or indirectly manage junior staff, including training, coaching and delegating to them.
- University degree – preferably ASE - CSIE, UB - Mathematics & Informatics, or Polytechnic University;
- Hands-on experience in at least one of the following: security testing, web application development/testing, system administration, networking, software development;
- Able to express your findings in very good technical and business English (oral and written);
- Any of OSCP, OSCE, GPEN, GXPN or equivalent certification;
- Fluency in written/spoken English;
- At least 1-3 years of relevant work experience in penetration testing engagements;
- Good knowledge of one of the main testing methodologies, e.g. OSSTMM, and familiarity with OWASP testing methodology;
- Working familiarity with critical security controls and their validation, e.g. SANS Top 20, and with OWASP security controls and their validation;
- Very good familiarity with Windows and Linux operating systems;
- Good knowledge of Metasploit or similar exploitation frameworks, and familiarity with Kali Linux pentest tools;
- Practical hands-on experience with one of Nessus/Nexpose/CoreImpact/
- Practical hands-on experience with one of Cobalt Strike / Empire / PowerSploit or similar;
- Working experience with Burp Suite, ZAP Proxy or similar;
- Ability to read and write basic C/C++/Java;
- Programming experience in Python, PHP, Perl, Ruby, .NET or other interpreted or compiled languages;
- Knowledge of exploitation techniques.
Nice to have:
- Some knowledge of fuzzing, reverse engineering and exploit development;
- Some knowledge of malware analysis;
- Some knowledge of cryptanalysis and cryptographic flaws;
- Solid networking skills, recognized certifications;
- Proof of experience in playing in CTF challenges and/or cyber exercises;
- GitHub repository of own developed tools or starred projects;
- Security blog or list of online security resources (websites, RSS feeds, Twitter lists);
- SCADA / industrial systems management or security experience.
Requisition code: PT_15_02_2017
One of the largest professional services organizations in the U.S., Deloitte delivers innovative solutions to the complex business problems facing companies around the world. Deloitte offers rewarding careers in four businesses—audit, tax, consulting, and financial advisory. Widely recognized for its inclusion initiatives, Deloitte is committed to building a workplace environment that allows people from all generations, ethnicities, and cultures to be their authentic selves.