SUMMARY:

• I have been working in IT for over twenty - two years. In IT Security for fifteen of those years.
• I’ve studied the nature and sources of web application and database vulnerabilities, how to identify and exploit them; Knowledge of the nature and sources network and host application vulnerabilities
• Knowledge of the nature and sources of computer viral infestations.
• Develop and present educational programs and workshops.
• Assist clients in remediating vulnerabilities on their network or web application.
• Maintain and modify data and physical security guidelines and procedures.
• Work effectively with peers and cross-functionally within the organization.
• Install, troubleshoot, and maintain information security software and software enhancements.
• I stay current with technological developments/trends in the area of expertise.
• Vast knowledge of computer security issues, requirements, and trends.
• Develop policy and procedure documentation and identify, then eliminate computer system intrusions and security breaches.
• Devise solutions to computer virus problems.
• Understand firewall and VPN solutions.
• Design secure networks, conducting network and security audits.

SKILLS SUMMARY:

• Proficiency in utilization of information security tools such as NeXpose, Retina, Webinspect, Netcat, cURL, Nessus, Kismet, Airsnort, NMAP, Ethereal, Web Inspect and Nikto, Metasploit, Canvas, Backtrack Disto and manual techniques to exploit vulnerabilities in the OWASP top 10 including but not limited to cross-site scripting, SQL injections, session hijacking, and buffer overflows to obtain controlled access to target systems.
• Too many tools to list these days, I find the proper tool for the situation.
• Ability to perform network traffic forensic analysis, utilizing packet capturing software, to isolate malicious network behavior, inappropriate network use or identification of insecure network protocols
• 10+ year’s hands-on experience in one or more of the following Operating Systems: Windows Server NT/2000-12, Linux, and UNIX
• A diverse skill base in both Information Systems and Information Security which address organizational structure and administration practices, system development and maintenance procedures, system software and hardware controls, security and access controls, computer operations, environmental protection, and detection, and backup and recovery procedures
• Attack and Penetration experience in testing of Internet infrastructure and Web-based applications utilizing manual and automated tools
• Knowledge of information system architecture and security controls (i.e. firewall and border router configurations, operating systems configurations, wireless architectures, databases, specialized appliances and information security policies and procedures)
• Payment Card Industry (PCI) project experience
• HIPAA Project experience

AREAS OF KNOWLEDGE:

• IT Audits, Penetration Testing, Vulnerability assessments for regulatory compliance.
• Amap, Nmap, Nessus, Nikto, SQLix, Retina, cURL, Paros, Burp Suite, Web scarab, Spike, Achilles "fault injection", TamperIE, Whax, Backtrack 2-4, Knoppix STD, Netcat, Watch fire’s AppScan, SPI Dynamics' Web Inspect, Application Security AppDetective, Whisker and many other tools.
• Knowledge of databases, and web applications and how to test and identify vulnerabilities and exploit them.
• HTML, ASP, PHP, XML, CSS, SOAP, Perl, JavaScript, VBScript
• Windows XP, NT 4.0, Workstation, Server, and Terminal editions, 2000, 2003 Professional and Advanced Server, Exchange 5.5, and 2000 and 2003, SQL 7.0, 2000 and 2005, IIS 4.0, 5.0, and 6.0, Front page, Interdev 6.0, Visual Studio 6.0
• Linux / Solaris, FreeBSD
• Citrix MetaFrame 1.8,
• Ethernet, Token Ring, LAN, WAN, Intranets, Internets, Extranets, VPN, RAS, RSA Secure ID
• Cisco PIX, Checkpoint, Sonicwall
• Cisco, Nortel routers, switches, and extranets, Nortel PBX with Meridian Mail, Avaya VOIP
• Norton Ghost 7.0, 2003, 2004 Enterprise Edition, Symantec Client Security, and Antivirus Technology Architect.
• Novell Netware 3.x, 4.x, 5.x, GroupWise, ZEN works

PROFESSIONAL EXPERIENCE:

Confidential

Senior Information Security Consultant

Responsibilities:

• General system/service reconnaissance activities
• System/service fingerprinting and identification
• Identifying and validating system/service vulnerabilities
• Attempting to exploit vulnerabilities to support identification and development of risk profiling and rating of vulnerabilities and threats
• Create detailed documentation, timelines and rules-of-engagement artifacts for all testing
• Create detailed remediation plans and risk mitigation strategies for vulnerabilities to be incorporated into agency procedures
• Create and present reports and other artifacts (as well as presentations and training materials) on the vulnerability assessment and penetration testing processes and routines to support Agency, State and Federal security and privacy compliance goals and requirements

Confidential

Penetration Tester/Security Architect /Consultant

Responsibilities:

• General system/service reconnaissance activities
• System/service fingerprinting and identification
• Identifying and validating system/service vulnerabilities
• Attempting to exploit vulnerabilities to support identification and development of risk profiling and rating of vulnerabilities and threats
• Create detailed documentation, timelines and rules-of-engagement artifacts for all testing
• Create detailed remediation plans and risk mitigation strategies for vulnerabilities to be incorporated into agency procedures
• Create and present reports and other artifacts (as well as presentations and training materials) on the vulnerability assessment and penetration testing processes and routines to support Agency, State and Federal security and privacy compliance goals and requirements

Confidential

Penetration Tester / Principal, Sr. Security Engineer

Responsibilities:

• I run InfoSec for all CA on Demand products and sit on a Change Advisory Board reviewing and approving daily changes to the global environment.
• I Deployed Alert logic Log Manager across the global organization
• I Deployed Nexpose vulnerability scanning across the global organization
• Worked with development teams to in corporate Nexpose scans into the provisioning process through the API.
• Initiated the use of Metasploit for vulnerability validation across the organization
• Perform network and web application penetration testing for product releases.
• Perform quarterly internal audits for compliance.
• Review vulnerability reports create tickets for remediation by infrastructure and respective service manager.
• Educate the service managers and developers about various web application vulnerabilities and demonstrate how to exploit them to illustrate the risk.
• Educate the service managers and developers about the risk of a particular vulnerability.
• Recommend remediation steps to resolve various vulnerabilities identified in the environments.
• Review and maintain security for the Cloud environments. Azure, Centurylink, and AWS.
• Work with the developers to provide a better understanding of the vulnerabilities. Work with developers and infrastructure engineers on how to resolve the vulnerabilities.
• Manage IAM for 3 AD domains which required two-factor authentication for access.
• Manage a global deployment of Alert logic IDS and Log Management devices
• Monitor Alerts and lead incident response within the On Demand Products
• Participated in development and implementation of information security policies and procedures; recommended hardware, software, security guidelines, and safe practices for corporate SAAS wide computing and networking systems.
• Advised on requirements for setting up a FedRamp compliant environment and worked with Infrastructure and other teams to set up a FedRamp ready environment.

Confidential

Penetration Tester / Sr. Security Engineer

Responsibilities:

• Deploy Alert logic Threat Manager across the global organization
• Perform network and web application penetration testing.
• Review DDI vulnerability reports and address the issues with the service managers.
• Perform quarterly internal audits for compliance.

Confidential

Information Security Analyst

Responsibilities:

• My contract position involved the configuration of Imperva Secure Sphere devices and tuning the signatures for web application attacks.
• Monitoring the Alerts and classifying the incoming traffic.

Confidential

Information Security Analyst

Responsibilities:

• My contract was a deployment of Nessus within the environment for PCI compliance.
• Design Vulnerability Management Program
• Design and implement Nessus Security Center configuration and setup.
• Create scan policy templates, Create scan templates
• Setup CIS Benchmark baseline policies for hardening hosts
• Ensure scans and audits were running as properly scheduled.
• Pass of knowledge to internal Restoration Hardware staff.

Confidential

Director of Technical Services

Responsibilities:

• Perform internal and external network and web application penetration tests and vulnerability assessments.
• Job Responsibilities:
• Oversee and conduct vulnerability assessments and penetration testing/ethical hacking
• Oversee and conduct social engineering testing
• Oversee on-site senior consultants engaged in internal penetration testing and vulnerability assessments.
• Oversee and perform the review and analysis of security vulnerability data to identify applicability and false positives
• Prepare and distribute security assessment reports to customers
• Research and develop testing tools, techniques, and process improvements
• Perform additional incidental duties as assigned
• Identified 0-day authentication bypass vulnerability in opLynx Central opLYNX Remote runs on a mobile computer mounted in the operator’s vehicle. It allows display and updating of daily run data and service request management.
• OpLYNX Central is a web-based application that allows management-level review and reporting. It can also handle data entry and revisions - offering all the functionality of opLYNX Remote. Central’s administrative functions will transfer and update site/run data between itself and the mobile units.

Confidential

Penetration Tester

Responsibilities:

• Oversee and conduct vulnerability assessments and penetration testing/ethical hacking
• Oversee and perform the review and analysis of security vulnerability data to identify applicability and false positives
• Prepare and distribute security assessment reports to customers
• Research and develop testing tools, techniques, and process improvements
• Perform additional incidental duties as assigned

Confidential

Compliance Specialist

Responsibilities:

• Oversee and conduct vulnerability assessments and penetration testing/ethical hacking
• Oversee and perform the review and analysis of security vulnerability data to identify applicability and false positives
• Prepare and distribute security assessment reports to customers
• Research and develop testing tools, techniques, and process improvements
• Perform additional incidental duties as assigned

Confidential

Sr. Associate - Consultant

Responsibilities:

• Oversee and conduct vulnerability assessments and penetration testing/ethical hacking
• Oversee and perform the review and analysis of security vulnerability data to identify applicability and false positives
• Prepare and distribute security assessment reports to customers
• Research and develop testing tools, techniques, and process improvements
• Perform additional incidental duties as assigned

Confidential

Certified Information Systems Security Consultant

Responsibilities:

• Worked with the consulting group as an expert consulting on information security migration projects.
• Reviewed the project charters and related documentation to make sure the designs meet the bank’s policies and standards.
• Recommended alternative solutions to maintain compliance.
• When compliance was not possible, documented this information in their audit exceptions database for follow-up audits related to the exceptions.

Confidential, Santa Clara, California

Information Systems Security Consultant

Responsibilities:

• Provided a Power Point presentation regarding security and information security for the Confidential project as part of the green initiative and presented to the stakeholders of the project as well as answered questions regarding security policy and possible solutions for the project’s challenges.
• Tested for SQL injection both error based and blind, Cross site scripting, Persistent Cross-site scripting, remote file includes vulnerabilities, session hijacking, and full database exploitation.
• Proficient in Nmap, Nessus, Nikto, Amap, Netcat, cURL, Burp proxy, Paros Proxy, SQLix, Tamper IE, and other tools and utilities to identify and verify the existence of both network and web application vulnerabilities.
• Assisted enterprise sales as a subject matter expert in closing sales for the Mcafee Secure daily scanning service for PCI compliance.
• Monitored various industry mailing lists such as full disclosure, pentest, Bugtraq, focus ms, focus Linux, focus apple for cutting edge releases of new vulnerabilities disclosed to the community.
• Trained to follow the OSSTMM and OWASP methodologies when performing engagements.

Confidential, San Francisco, California

Sr. Security Engineer / Auditor

Responsibilities:

• Participated in development and implementation of information security policies and procedures; recommended hardware, software, security guidelines, and safe practices for corporate-wide computing and networking systems.
• Made recommendations for resolution of incidents of a security breach, to include system intrusions and abuse.
• Investigated and identified solutions to viral infestation and damage; administered the antiviral program, and worked with peers to select and coordinate the support of virus protection software for common platforms in use across the organization.
• Developed, facilitated, and presented information security awareness and security training within the organization as required.
• Reviewed and updated data security practices within the organization; tested for exposures to ensure adherence to guidelines and procedures, and worked with CIO and Network Manager to implement remedial measures as appropriate.
• Participated in special projects concerning information security, including testing and implementation of security software enhancements, scheduled SAS70, and other internal or external audits or projects as required.
• I maintain a broad knowledge of state-of-the-art technology, equipment, and systems.
• Ensure strict confidentiality of client and corporate information.
• Established regular schedule for auditing and monitoring of System and Network security; reports results and recommendations to CIO and Network Manager.
• Provided Production Support during business hours and is available for non-business hour production support as required.
• Worked effectively with peers in All Departments: Networking, Security, Development, and System Administration.
• Assisted in Disaster Recovery and Scalability planning as required.
• Submitted bi-weekly timesheets to the COO, CIO, and Network Manager.
• Performed miscellaneous job-related duties as assigned.