EY VAPT - Senior in Kochi, India

Requisition # KOC0024L

Post Date Feb 18, 2021

EY - Cyber Technology Consulting – Senior Consultant

As part of our Cyber Technology Consulting team, you will perform managed or ad-hoc vulnerability assessment and penetration testing for various clients across the MENA region. Working with the Cyber Technology Consulting team, you will also perform application security assessments, code & architecture reviews, threat modelling, configuration audits, AD assessments, social engineering assessments, red/purple teaming etc. The client base spans various sectors, and the work includes collaboration with other teams within Advisory services.

The opportunity

We’re looking for Senior Consultants with real hands-on expertise in performing cyber security assessments to join our Cyber Technology Consulting team. Candidates are expected to work in diverse consulting engagements and to be willing to travel to Middle East countries for project execution at least 50% of their time. This is a fantastic opportunity to be part of a leading firm whilst being instrumental in the growth of our service offering.

Your key responsibilities

  • Perform end-to-end project execution for end clients (VAPT domain) both offshore and onshore

  • Perform infrastructure penetration testing and vulnerability assessments

  • Perform web/mobile/API penetration testing.

  • Perform threat modelling, security code reviews and architecture reviews

  • Perform security configuration reviews for OS, Databases, Network & Security devices, applications etc.

  • Perform Active Directory assessments

  • Perform Red Team assessments/Attack Simulations aligned to cyber kill-chain and MITRE ATT&CK

  • Experience with AV evasion, obfuscation, and bypassing Windows ASR/Device Guard, network security controls, email gateway filtering etc.

  • Experience with both commercial & open-source tools mapped to the different stages in the cyber kill-chain

  • Review operational logs and event console activity to determine cause of security-related events or to identify potential security related events

  • Analysis of the patches released by the vendors

  • Prepare reports and convey the observations to top management in layman’s language, emphasizing the business risks.

  • Mentor junior resources or manage a group of resources.

Skills and attributes for success

  • Collaborating with other members of the engagement team to plan the engagement and develop work program timelines, risk assessments and other documents/templates.

  • Good communication skills and willingness to travel at short notice

  • Demonstrating and applying strong project management skills, inspiring teamwork and responsibility with engagement team members

  • Hands-on experience with tools/frameworks like Kali, Burp Suite, Nessus, Qualys, Acunetix scanners (DAST and SAST)

  • Good knowledge of OWASP and Secure SDLC standards

  • Hands-on experience with programming using Python/Perl/PowerShell/C++

  • Hands-on experience with exploit development and VS code compilation.

  • Hands-on experience with C2 frameworks (e.g. PoshC2, Covenant, Metasploit etc.)

  • Hands-on experience with setting up phishing and red teaming infrastructure

  • Good knowledge of encryption technologies & MiTM attacks

  • Good understanding of MITRE ATT&CK framework and how to leverage it.

  • Good understanding of AD administration, different authentication mechanisms, trust boundaries etc.

  • Knowledge of Linux administration, TCP/IP, DNS, Network protocols and OSI model

To qualify for the role, you must have

  • A bachelor's or master's degree

  • 5+ years of experience working as an information security professional with a cyber security assessment background in a professional services firm.

  • Excellent communication skills with consulting experience preferred

  • A valid passport for travel.

Ideally, you’ll also have

  • Experience with performing assessments related to Red Teaming, Network Penetration Testing, Web Application Penetration Testing, Mobile Application Penetration Testing, Secure Code Review, AD Security Assessments, Vulnerability Management, Social Engineering Assessments, Wireless Penetration Testing.

  • OSCE, OSCP, GPEN, LPT, ECSA, CEH, CompTIA Security+ (at least two certifications are desired)