EY Cybersecurity – Senior Consultant – IoT Security Testing

Consulting
Requisition # UNI00G0Q
Post Date Sep 24, 2020

In a rapidly changing IT environment, clients from all industries look to us for trusted solutions for their increasingly complex risks and vulnerabilities.
As a member of our Next Generation Security Operations and Response (NGSOR) team you’ll be right at the heart of that goal, helping clients gain insight and context to their cyber threats and assessing, improving, and building security operations in order to mitigate these threats.
You’ll get to use your technical and business skills in order to help us drive this mission and have an impact on cyber security at a global level.

**The opportunity**

You’ll work alongside respected industry professionals, learning about and using the latest tools and techniques to identify and overcome some of the most relevant and pressing security issues in the world.
It’s a highly specialized area, where you’ll learn highly sought-after technical skills, all while developing your relationship management abilities – often by working directly on-site with our clients.

**What to expect**

Our security professionals possess diverse industry knowledge, along with unique technical expertise and specialized skills.
The team stays highly relevant by researching and discovering the newest security vulnerabilities, attending and speaking at top security conferences around the world, and sharing knowledge on a variety of topics with key industry groups.
The team frequently provides thought leadership and information exchanges through traditional and less conventional communications channels such as speaking at conferences, publishing white papers and blogging.

As part of our **Penetration Testing team**, you’ll identify potential threats and vulnerabilities in connected product/IoT/embedded devices.

Our professionals work together in planning, pursuing, delivering and managing engagements to assess, improve, build, and in some cases operate integrated security operations for our clients.

**Your key responsibilities**

+ Execute connected product/IoT/embedded device security assessments to identify vulnerabilities and exploit them.
+ Conduct security research and devise new attack techniques against connected products.
+ Develop custom hardware / scripts to assist in compromising connected product devices.
+ Analyze, disassemble, reverse engineer and exploit connected products.
+ Solve challenging technical problems and devise creative solutions.
+ Perform in-depth analysis of test results and create a report that describes findings, exploitation procedures, risks and recommendations.
+ Convey complex technical security concepts to technical and non-technical audiences.
+ Strong analysis skills and attention to detail.
+ Strong written and verbal communication skills with the ability to interact with senior management, technical teams, and key client stakeholders.

**To qualify for the role, you must have**

+ A minimum of 5 years of work experience in penetration testing connected product/IoT/embedded devices or related experience with hardware hacking.
+ Experience with vulnerability assessment and penetration testing of commercial, consumer, and industrial IoT solutions.
+ Ability to perform end-to-end connected product security testing (chip to cloud) including hardware device, device firmware, communications (i.e. protocols, wireless), supporting mobile applications, back-end infrastructure, API and cloud services.
+ Familiarity and understanding of OWASP IoT Top 10 vulnerabilities.
+ Experience with soldering / desoldering hardware components and extraction of embedded device flash chips.
+ Experience with firmware extraction techniques including man-in-the-middle network attacks, memory access attacks, firmware upgrade attacks, and using hardware debugging interfaces such as JTAG, UART, SPI, I2C, USB, and NAND flash chip reader.
+ Experience with firmware extraction, firmware reverse engineering, analysis and identification of security vulnerabilities.
+ Proficiency with software debugging tools such as Binary Ninja, gdb, Ghidra, IDA Pro, or Radare2, to analyze device software and firmware.
+ Experience with developing custom shell code to exploit embedded device firmware.
+ Experience with intercepting and attacking low power Radio Frequency (RF) communication protocols such as Z-Wave, Zigbee, and BLE; using hardware and software tools such as spectrum analyzer, Software Defined Radio (SDR), HackRF and Gqrx.
+ Experience with intercepting and testing communication protocols including MQTT, CoAP, 6LoWPAN, LWM2M, etc. using software tools such as Scapy, mitmproxy, tcpdump and Wireshark.
+ Experience with performing bus spying, tampering, spoofing and injection testing techniques.
+ Willingness and ability to travel domestically and internationally to meet client needs; estimated 50% travel required annually.

**Ideally, you’ll also have**

+ Strong understanding of embedded systems architecture and circuit design.
+ Proficiency with hardware description languages such as VHDL or Verilog.
+ Understanding and proficiency with Linux and Unix operating systems.
+ Deep understanding of embedded systems architecture and disassembly / assembly of microprocessor code such as ARM, AVR, MIPS, or x86.
+ Experience with exploiting side-channel attacks against connected products including power, timing, and fault injection techniques using hardware tools such as the ChipWhisperer.
+ Proficiency with performing device monitoring and analysis using logic analyzer hardware tools such as Saleae Logic Pro or Open Workbench Logic Sniffer.
+ Presented at an industry recognized information security event such as DEFCON or participated in CTFs such as IoT Village CTF.
+ Deep understanding and experience of fuzzing techniques to discover and exploit identified vulnerabilities.
+ Updated and familiarized with the latest exploits and security trends in connected products.
+ Knowledge of attacking cryptographic protocols including Public Key cryptography.
+ Understanding of hardware, firmware, IoT communication protocols, network, application, API security and popular attack vectors against IoT devices.
+ An understanding of web-based application vulnerabilities (OWASP Top 10).
+ Experience testing API, cloud environments, mobile applications, and web applications.
+ Any one of the following certifications: OSWE, OSWP, OSCE, OSEE, GXPN, GWAPT, GMOB.

**What we look for**

We’re interested in intellectually curious people with a genuine passion for cyber security. With your specialization in attack and penetration testing, we’ll turn to you to speak up with innovative new ideas that could make a lasting difference not only to us – but also to the industry as a whole.
If you have the confidence in both your presentation and technical abilities to grow into a leading expert here, this is the role for you.

**What working at EY offers**

We offer a competitive compensation package where you’ll be rewarded based on your performance and recognized for the value you bring to our business.
In addition, our Total Rewards package includes medical and dental coverage, both pension and 401(k) plans, a minimum of three weeks of vacation plus 10 observed holidays and three paid personal days, and a range of programs and benefits designed to support your physical, financial and social wellbeing.

**Plus, we offer**

+ Support, coaching and feedback from some of the most engaging colleagues around
+ Opportunities to develop new skills and progress your career
+ The freedom and flexibility to handle your role in a way that’s right for you
+ A rewards package tailored to your unique needs

**About EY**

As a global leader in assurance, tax, transaction and advisory services, we’re using the finance products, expertise and systems we’ve developed to build a better working world.
That starts with a culture that believes in giving you the training, opportunities and creative freedom to make things better. Whenever you join, however long you stay, the exceptional EY experience lasts a lifetime. And with a commitment to hiring and developing the most passionate people, we’ll make our ambition to be the best employer by 2020 a reality.

**Join us in building a better working world. Apply today.**

**EY provides equal employment opportunities to applicants and employees without regard to race, color, religion, age, sex, sexual orientation, gender identity/expression, national origin, protected veteran status, disability status, or any other legally protected basis, in accordance with applicable law.**