Ethical Hackers partner with the Information Technology department to perform innovative security testing with the intent of increasing MSUFCU’s cybersecurity posture. MSUFCU Ethical Hackers will perform network pentests, web app pentests, mobile app pentests, adversary simulations, security product efficacy tests, phishing tests and other related penetration testing projects. MSUFCU Ethical Hackers are passionate about their work and are encouraged to research, evaluate, and apply cutting-edge attack techniques to assess MSUFCU’s resilience to current cyberattacks. Qualified candidates will be proficient in communicating expert opinions, capable of lateral thinking, and competent in modifying tool(s) to accomplish testing objectives. MSUFCU Ethical Hackers work independently under general supervision with moderate latitude for initiative and independent judgment while maintaining all organizational and professional ethical standards.
This position is a hybrid role with a combination of working both onsite at the Headquarters building in East Lansing and remotely. A schedule of expected onsite and remote workdays will be discussed during the interview process.
Essential Duties and Responsibilities
Perform network penetration tests, web application security assessments, mobile application security assessments, and phishing tests for the Credit Union within scheduled time frames.
Identify, develop, and document security issues and recommendations using independent judgment concerning areas being reviewed. Responsible for communicating information, suggestions, and/or problems regarding project status and critical findings to Credit Union management.
Systematically complete documentation to support the work performed.
Follow industry best practice methodologies for penetration testing.
Assist in communicating the results of projects via written reports and oral presentations to management, the President/CEO, and the Board of Directors.
Pursue professional development opportunities, including external and internal training and professional association memberships, and share information gained with Credit Union employees and management.
Represent Risk Management on organizational project teams, at management meetings, and with external organizations.
Perform security assessments of third-party applications utilized by the Credit Union within scheduled time frames.
Assist with the coordination and performance of all contracted penetration testing projects and services conducted by third-party vendors.
Review and validate findings noted by third-party testers.
Perform related work and assist other employees as assigned by the Ethical Hacking Manager.
Senior Ethical Hacker:
All Ethical Hacker duties and responsibilities.
Perform security system efficacy testing projects for the Credit Union within scheduled time frames.
Coordinate all aspects of penetration testing engagements conducted by third parties.
Demonstrate the ability to independently plan, perform, and complete projects within scheduled time frames.
Identify and evaluate the Credit Union’s risk areas and provide key input to the development of the annual penetration testing plan.
Apply ethical hacking tools in an innovative and comprehensive manner to increase the Credit Union’s cybersecurity posture.
Consistently take ownership of situations and resolve them independently.
Be a known resource and mentor in the department and throughout the Credit Union on ethical hacking and information security.
Support the Credit Union strategic direction and initiatives while helping others understand the purpose of decisions and direction.
Create and update department procedures and CU Info resources.
Identify, recommend, and implement process improvements for the department.
Participate in promoting and implementing creative and innovative ideas and solutions for the department and Credit Union.
Identify training opportunities and work with management to implement.
Act as a mentor to new employees and interns on the team.
Knowledge, Skills, and Abilities
Considerable skill in assessing the effectiveness of cybersecurity controls, identifying significant exposures, and developing appropriate recommendations to address exposures is required.
Network, web application, or mobile application penetration testing experience is preferred.
Minimum of a Bachelor’s degree or equivalent experience in computer science, information technology, or a related field, or an equivalent combination of work experience and education.
GIAC GPEN, GIAC GWAPT, or pursuit of similar designation is a plus.
Experience in vulnerability identification and remediation is a plus.
Experience with commercial or open source penetration testing tools.
Experience in applying adversarial techniques (e.g., ATT&CK) is a plus.
Understanding of CVSS, CVE, and other standards.
Knowledge of management information systems terminology, concepts, and practices.
Knowledge of industry program policies, procedures, regulations, and laws.
Knowledge of information security control practices and frameworks (e.g., CIS CSC, ATT&CK, OWASP, PTES, NIST, etc.).
Considerable skill in planning and project management, and in maintaining composure under pressure while meeting multiple deadlines.
Skill in negotiating issues and resolving problems.
Considerable skill in effective verbal and written communications, including active listening skills and skill in presenting findings and recommendations.
Demonstrated ability to accept increasingly complex duties and responsibilities and perform those additional duties to a satisfactory level.
Ability to establish and maintain harmonious working relationships with co-workers, staff and external contacts, and to work effectively in a professional team environment.
Ability to learn new operations quickly and work independently is a must.
Physical Demands and Work Environment
May be required to remain in a stationary position for an extended period of time.
Ability to operate standard office technology, equipment and tools, which may include many hours of computer and phone usage.
Occasionally needs to move about inside the office area.
Exposure to potentially hazardous conditions, i.e., robbery. Receives detailed instructions and procedures to be followed to minimize the exposure.
This position is able to work in hybrid or onsite working arrangements.