Cybersecurity - Senior Consultant - IoT Security Testing

Ernst & Young LLP McLean, VA 22107

Posted 7 days ago

In a rapidly changing IT environment, clients from all industries look to us for trusted solutions for their increasingly complex risks and vulnerabilities. As a member of our Next Generation Security Operations and Response (NGSOR) team you'll be right at the heart of that goal, helping clients gain insight and context to their cyber threats and assessing, improving, and building security operations in order to mitigate these threats. You'll get to use your technical and business skills in order to help us drive this mission and have an impact on cyber security at a global level.

The opportunity

You'll work alongside respected industry professionals, learning about and using the latest tools and techniques to identify and overcome some of the most relevant and pressing security issues in the world. It's a highly specialized area, where you'll learn highly sought-after technical skills, all while developing your relationship management abilities - often by working directly on-site with our clients.

What to expect

Our security professionals possess diverse industry knowledge, along with unique technical expertise and specialized skills. The team stays highly relevant by researching and discovering the newest security vulnerabilities, attending and speaking at top security conferences around the world, and sharing knowledge on a variety of topics with key industry groups. The team frequently provides thought leadership and information exchanges through traditional and less conventional communications channels such as speaking at conferences, publishing white papers and blogging.

As part of our Penetration Testing team, you'll identify potential threats and vulnerabilities in connected product/IoT/embedded devices.

Our professionals work together in planning, pursuing, delivering and managing engagements to assess, improve, build, and in some cases operate integrated security operations for our clients.

Your key responsibilities

  • Execute connected product/IoT/embedded device security assessments to identify vulnerabilities and exploit them

  • Conduct security research and devise new attack techniques against connected products

  • Develop custom hardware / scripts to assist in compromising connected product devices.

  • Analyze, disassemble, reverse engineer and exploit connected products.

  • Solve challenging technical problems and devise creative solutions.

  • Perform in-depth analysis of test results and create a report that describes findings, exploitation procedures, risks and recommendations.

  • Convey complex technical security concepts to technical and non-technical audiences.

  • Strong analysis skills and attention to detail.

  • Strong written and verbal communication skills with the ability to interact with senior management, technical teams, and key client stakeholders.

To qualify for the role, you must have

  • A minimum of 5 years of work experience in penetration testing connected product/IoT/embedded devices or related experience with hardware hacking.

  • Experience with vulnerability assessment and penetration testing of commercial, consumer, and industrial IoT solutions.

  • Ability to perform end-to-end connected product security testing (chip to cloud) including hardware device, device firmware, communications (i.e. protocols, wireless), supporting mobile applications, back-end infrastructure, API and cloud services.

  • Familiarity and understanding of OWASP IoT top 10 vulnerabilities.

  • Experience with soldering / desoldering hardware components and extraction of embedded device flash chips.

  • Experience with firmware extraction techniques including man-in-the-middle network attacks, memory access attacks, firmware upgrade attacks, and using hardware debugging interfaces such as JTAG, UART, SPI, I2C, USB, and NAND flash chip reader.

  • Experience with firmware extraction, firmware reverse engineering, analysis and identification of security vulnerabilities.

  • Proficiency with software debugging tools such as Binary Ninja, gdb, Ghidra, IDA Pro, or Radare2 to analyze device software and firmware.

  • Experience with developing custom shell code to exploit embedded device firmware.

  • Experience with intercepting and attacking low power Radio Frequency (RF) communication protocols such as Z-Wave, Zigbee, and BLE, using hardware and software tools such as a spectrum analyzer, Software Defined Radio (SDR), HackRF and Gqrx.

  • Experience with intercepting and testing communication protocols including MQTT, CoAP, 6LoWPAN, LwM2M, etc. using software tools such as Scapy, mitmproxy, tcpdump and Wireshark.

  • Experience with performing bus spying, tampering, spoofing and injection testing techniques.

  • Willingness and ability to travel domestically and internationally to meet client needs; estimated 50% travel required annually.

Ideally, you'll also have

  • Strong understanding of embedded systems architecture and circuit design.

  • Proficiency with hardware description languages such as VHDL or Verilog.

  • Understanding and proficiency with Linux and Unix operating systems.

  • Deep understanding of embedded systems architecture and disassembly / assembly of microprocessor code such as ARM, AVR, MIPS, or x86.

  • Experience with exploiting side-channel attacks against connected products including power, timing, and fault injection techniques using hardware tools such as the ChipWhisperer.

  • Proficiency with performing device monitoring and analysis using logic analyzer hardware tools such as Saleae Logic Pro or Open Workbench Logic Sniffer.

  • Presented at an industry recognized information security event such as DEFCON or participated in CTFs such as IoT village CTF.

  • Deep understanding and experience of fuzzing techniques to discover and exploit identified vulnerabilities.

  • Up to date and familiar with the latest exploits and security trends in connected products.

  • Knowledge of attacking cryptographic protocols including Public Key cryptography.

  • Understanding of hardware, firmware, IoT communication protocols, network, application, API security and popular attack vectors against IoT devices.

  • An understanding of web-based application vulnerabilities (OWASP Top 10).

  • Experience testing API, cloud environments, mobile applications, and web applications.

  • Any one of the following certifications: OSWE, OSWP, OSCE, OSEE, GXPN, GWAPT, GMOB.

What we look for

We're interested in intellectually curious people with a genuine passion for cyber security. With your specialization in attack and penetration testing, we'll turn to you to speak up with innovative new ideas that could make a lasting difference not only to us - but also to the industry as a whole. If you have the confidence in both your presentation and technical abilities to grow into a leading expert here, this is the role for you.

What working at EY offers

We offer a competitive compensation package where you'll be rewarded based on your performance and recognized for the value you bring to our business. In addition, our Total Rewards package includes medical and dental coverage, both pension and 401(k) plans, a minimum of three weeks of vacation plus 10 observed holidays and three paid personal days, and a range of programs and benefits designed to support your physical, financial and social wellbeing.

Plus, we offer

  • Support, coaching and feedback from some of the most engaging colleagues around

  • Opportunities to develop new skills and progress your career

  • The freedom and flexibility to handle your role in a way that's right for you

  • A rewards package tailored to your unique needs

About EY

As a global leader in assurance, tax, transaction and advisory services, we're using the finance products, expertise and systems we've developed to build a better working world. That starts with a culture that believes in giving you the training, opportunities and creative freedom to make things better. Whenever you join, however long you stay, the exceptional EY experience lasts a lifetime. And with a commitment to hiring and developing the most passionate people, we'll make our ambition to be the best employer by 2020 a reality.

Join us in building a better working world. Apply today.

EY provides equal employment opportunities to applicants and employees without regard to race, color, religion, age, sex, sexual orientation, gender identity/expression, national origin, protected veteran status, disability status, or any other legally protected basis, in accordance with applicable law.
