Shades of Gray Security

Objective

Results focused, high performing, energetic Information Security Engineer with ten years of database, software, and systems architecture experience seeking career with large organization to grow within the company. Expertise in web hosting systems, penetration testing, vulnerability scanning, network management, and firewall installation and maintenance. Committed to negotiating with department managers to coordinate efforts to meet the bottom line and drive toward the strategic direction of the business.

Skills and Abilities

Security

Windows security, Linux security, Compliance Auditing, FDIC, FFIEC, GBLA, HIPAA, SOX, PCI, COBIT, ITIL, NIST, DISA, ISO/IEC, Network penetration testing, Application penetration testing, Ethical hacking, Reverse engineering, Social engineering, IDS, IPS, Security Audit, Risk Assessment, Nessus, McAfee Vulnerability Manager (Foundstone), Nmap, SSL, SSH, Snort, Sourcefire, McAfee Network Security Platform (Intrushield), Policy review and building.

Operating Systems, Web Servers, and Networking

Microsoft Windows (all), UNIX, Linux, VAX/VMS, Sun Solaris, Free BSD, Mac OS 9/X, MS IIS 5 and IIS 6, Apache, JRun J2EE Server, ColdFusion MX, Windows and Linux Networking, OSI model, Linux-based firewalls, SonicWall firewalls, Cisco PIX firewalls, Wireless, Active Directory.

Project Management and Planning Tools and Methodologies

MS Visual SourceSafe, MS Visio 2003, MS Projects 2003, CVS, RCS, make, ant, ORM Diagramming, ER Diagramming, UML Modeling.

Other Software

MS Office 2007, OpenOffice.org, Norton Anti-Virus, McAfee Anti-Virus.

Other Skills

Excellent communication skills.
Fast learning, analytical thinker with excellent ability to multi-task.
Honest, hard working, goal-oriented, dependable, and a team player.

Experience

The Shaw Group – Sr. IT Security Specialist, October 2008 – July 2009

*** OCCUPATION DETAILS CENSORED AT REQUEST OF CHIEF COMPLIANCE OFFICER***

Description from their job posting:

• Looking for a strong security person to manage hacking, monitor the network, work with MS Active Directory and Cisco firewalls, and and investigate security incidents.
• Skills required: MS Active Directory, Windows Security, Cisco Firewalls, Source Fire, IPS, Macafee [sic] Antivirus, Recreating hacks, Ethical hacking, Systems hacking, Network hacking, IDS, Penetration Testing, Security Assessments.
• Must be VERY hands-on with security, getting into the nitty [sic] gritty with routers and switches, debugging, finding problems, and creating solutions, strong strategic and tactical security planning skills.
• Must know how to recreate a hack or stop it when it is happening, have knowledge of ethical hacking, and experience with hacking both on the systems and networking side.
• Responsibilities will include host and network IDS monitoring, maintenance of IDS, vulnerability scanning, and threat management. This position desires forensics expertise to investigate security incidents on production networks and managed service offerings. The Security Engineer should have the necessary expertise and job experience to work effectively with his/her peers in the design, analysis, maintenance, monitoring and hardening of production network systems.

Trace Security – Lead Application Penetration Test Engineer, Sr. Vulnerability Analyst, February 2007 – July 2008

• Promoted in six months from Security Engineer to Sr. Vulnerability Analyst and Lead Application Penetration Test Engineer.
• Successfully performed advanced penetration test of Sequoia electronic voting machines for the Louisiana Secretary of State involving reverse engineering of firmware resulting in complete compromise of machines.
• Reverse engineered virus recovered from forensics department during engagement with Shaw resulting in discovery of virus intent and home base call back, China.
• Performed forensics and complete penetration test of ICF web application systems after compromise by complex Chinese attack. Discovered additional attack vectors and alerted them of potential new fronts of attack.
• Ensured security of Farmers Insurance online application for tracking litigation.
• Successfully passed PCI requirements testing for vendor certification for web application testing.
• Performed IT audits, risk assessments, comprehensive security assessments, external penetration tests, internal penetration tests, application penetration tests, security training, and social engineering assessments for hundreds of clients primarily in the finance industry. Typical client networks were a mixture of Linux and Windows servers with Windows clients using Active Directory and Cisco network devices. Tested client IDS/IPS systems by attempting to evade detection during penetration tests.
• Tested clients in various industries to ensure their compliance with standards and regulators.
• Defeated security systems and eluded intrusion detection systems of banks, credit unions, medical companies, and insurance companies, documented the procedures used, and instructed and consulted clients remediating the discovered vulnerabilities.
• Conducted email phishing attacks against clients too test their employees’ susceptibility to this method of attack.
• Using disguises and bluffing techniques, talked my way into high security areas such as bank server farms and vaults, in order to test the employees’ susceptibility to social engineering attacks.
• Designed materials and trained staff on application penetration techniques.
• Developed tools used by staff to detect vulnerabilities in operating systems, hardware, and applications.

Comport Network Services – Contract Security Consultant, December 2005 – September 2006

• Performed Security Policy Review for CoServ Electric.
• Performed Security Audit for Bell Sports including 12 satellite locations including one office in Hong Kong which had to be performed discreetly. Was not detected by the location during the penetration. Bell Sports used primarily Cisco Routers and switches and part of the assessment was examining the configurations of those devices.
• Project Lead for Pepsico’s installation of secure wireless network at all their headquarters around the country supporting 75,000 users. The network was made entirely of Cisco products, the AP, controller, and Cisco ACS was used to authenticate with MS Active Directory.
• Project Lead for Pepsico’s upgrade from Windows XP SP1 to Windows XP SP2.

Vertical Alliance Group – Sr. Programmer Analyst, Sr. Network/Security Architect, July 2004 – July 2005

• Advised on security issues, setup Cisco PIX firewall, setup Active Directory, terminated CAT5 cables, built machines, troubleshot network problems using packet monitoring tools such as Wireshark.
• Designed password management policy.
• Stopped DOS attack and traced source of attack.
• Subject Matter Expert for encrytion protocols. Coached Network Administrator on SSL, IPSec, PPTP, SSH, and Microsoft Active Directory.
• Performed data recovery forensics on Windows XP Pro machine using live CD version of Linux.
• Performed incident response when servers became compromised. Informed management of pitiful state of security in network. No actions have been taken to rectify situation.
• Recommended by Vice President to replace outgoing IT Manager.
• Created security best practices policy.
• Created testing policy.
• Maintained Windows 2003 servers and IIS at remote location.
• Designed Flash/3D animations for use on sites and in presentations.
• Maintained and developed web applications with ASP.NET/VB.NET using Visual Studio.

Self-employed – IT Consultant, System Administrator, Network Engineer, Security Analyst, Software Architect, DBA, October 2003 – December 2006

• Planned and deployed internal network and firewalls consisting of Windows XP and 2003 systems, Linux desktops and servers, Mac OS 9 and X systems, Linksys switches and WiFi APs, and a SonicWall firewall.
• Secured networks for clients with VPN, IDS, Active Directory, WEP, WPA2, and MAC filtering.
• Troubleshot network for client in property management industry. This included the physical network, Windows networking, and networked applications.
• Consulted clients on IT needs such as hardware and software purchasing. Performed cost analysis for clients to decide the value of upgrading systems. Performed security audits for clients to test intrusion vulnerabilities.
• Setup and trained clients in Sourcefire 3D IDS system.
• Built a secure roles-based application for a client. The application’s duties include employee tracking, inventory tracking, contract maintenance, and client tracking. The application was built with ColdFusion MX 6.1, Flash MX Professional 2004 and MS SQL Server 2000. All back end interaction is handled through the use of web services built in ColdFusion, and stored procedures in SQL Server. The front end connection to the database is done through Flash MX Professional 2004’s data components.

Techniki Informatica – Sr. Software Architect, Sr. DBA, August 2001 – October 2003

• Praised by C.I.O for excellent performance in negotiating with managers and vendors while managing the technical aspects of the IT department.

“Shown the ability to handle multiple tasks and consistently met . . . deliverables deadlines. . . . Ability to convert our sometimes conflicting ideas into a working model has been extremely helpful to all aspects of our company. . . . Greatly aided the corporate office in speedier resolution of billing and payroll issues. . . . Enhancements to the site from a human resources perspective have been particularly helpful with compliance, both governmental and client.” (C.I.O., Techniki Informatica)

• Installed and maintained Watchguard and SonicWall firewalls. Established VPN connections between SonicWall and Linksys SOHO firewalls and the main office.
• Maintained Cisco Switches.
• Administered Apache on Linux server and IIS 5 and IIS 6 on Windows 2000 and Windows 2003. Configured Apache server with ColdFusion MX module on Windows 2003. Installed ColdFusion 5 on Linux/Apache based systems and on Windows 2000/IIS 5 based systems.
• Reduced month-end closing time by 4 days, reduced time-to-live for new clients 99%, created increased automation to accommodate increase workload in all departments despite a 75% cutback in staffing.
• Selected over senior staff to lead development of asset management system at Techniki Informatica. Managed a team of system engineers and administrators, software developers and database administrators to create a turnkey enterprise multi-tier roles-based secure online staffing service application with multiple external interfaces to client systems. I created a user manual and technical documentation for this application. The site keeps track of all contractors, customers and jobs. It controls the entire process: contacting potential contractors and customers (CRM), data collection and resume storage and searching, interviewing, turning in timesheets, producing billing invoices. It allows for vendor partners to also do placements and recruiting through a vendor partner program. It has a fully functional calendar and tasking system comparable to any desktop planner system.

Explore Interactive. – Internet Application Developer, DBA, July 2000 – July 2001

• Saved Explore Interactive from liability lawsuits by discovering vulnerability and leading development team during the repair. Documented lessons learned and updated programmers’ methodology manual to ensure future vulnerability not exposed.
• Added a password protected section of the Associated Grocers of Baton Rouge (www.agbr.com) site that works as a bulletin board for authorized people to view.
• Lead developer of Explore Interactive’s turnkey application, DynaSite.net web application. I added some major modifications and enhancement to the system. Some features I added are a tax system to the e-commerce section, a merchant account system for credit card processing, advanced shipping, and on-the-fly domain registration. I added several reports for the e-commerce system such as a breakdown of taxes collected by local, state and federal. I setup a system to allow us to redistribute this package as an OEM system.
• Built and maintained custom sites for clients including the city of New Roads, LA, Explore Baton Rouge, Louisiana Restaurant Assoc., Shield Environmental, and Xspedius.
• Managed programming department when the Lead Programmer was not in. Praised by the CEO for the amount of productivity, leadership ability, and teamwork during the Lead Programmer’s vacations.

Amedisys Inc. – Programmer, Linux Administrator, Web Specialist,  July 1999 – July 2000

• Maintained the company’s home healthcare management software written in Clipper. Typical tasks included things such as modifying the application for HIPAA compliance, rewriting re-indexing routines, creating custom reports for users, and debugging errors found in the program.
• Saved the company thousands of dollars in penalty fees by discovering and fixing an error in the existing system.
• Maintained the company’s web sites. The public site contained general company information all written in HTML 4 specifications. The company’s internal web site was password protected for different levels of access for authorized personnel. I also hosted the company’s email on the Linux machine.

Education & Certifications

Southeastern Louisiana University, Hammond, LA.

B.S. Computer Science with Scientific Concentration, May 1999.

SANS Institute Security 560 Penetration Testing and 561 Advance Penetration Testing

Online, February 2009

GIAC Certified Penetration Tester (GPEN)

July, 2009

Presentations and Projects

Killing Bugs, a Social engineering Odyssey, 2009

Article covering an insider perspective from the daily life of a social engineer exposing weaknesses in seemingly secured organization.

http://shadesofgraysecurity.com/killing-bugs-social-engineering-odyssey/

No Firewalls for Stupid, 2009

Article analyzing a typical example of data leakage from an organization.

http://shadesofgraysecurity.com/no-firewalls-for-stupid/

Keynote Speaker, Information Security, Southeastern Louisiana University, 2004.

Topics covered included intrusion detection, penetration testing, social engineering, ethical hacking techniques, tools of the trade, system hardening, and password management.

Affiliations

INFRAGARD (FBI managed vital infrastructure guardians)

Active member since 2009

US-CERT (United States Computer Emergency Readiness Team) of Department of Homeland Security

Active member since 2009

SECATS (SE Cyber Anti-Terrorism and Security, division of INFRAGARD)

Active member since 2009

DC225 (Baton Rouge area DefCon/INFOSEC chapter)

Founder and leader since 2006.

DC214 (Dallas area Defcon/INFOSEC chapter) member.

Active member since 2004.