Salary: $102,426.00-$165,372.00 Yearly
A Department of Information Technology (DoIT) Penetration
Tester II is the full performance level of work in the Office of Security
Management (OSM) identifying mechanisms by which adversaries could gather
information about the State’s resources, penetrate the State’s infrastructure
and cause harm to the State. Employees in this classification do not supervise.
Employees in this classification receive
general supervision from the DoIT Special Projects Lead or other higher level
IT manager or director.
Positions
in this classification are evaluated using the Classification Job Evaluation
Methodology. The use of this method involves comparing the assigned duties and
responsibilities of a position to the job criteria found in the Nature of Work
and Examples of Work sections of a class specification.
The DoIT
Penetration Tester I and DoIT Penetration Tester II are differentiated on the
basis of supervisory control by the supervisor over these employees. The DoIT
Penetration Tester I performs duties under close supervision at times and under
general supervision at other times depending on the complexity of the specific
duty being performed, and the DoIT Penetration Tester II performs the full
range of duties under general supervision. The DoIT Penetration Tester II is
differentiated from the DoIT Penetration Tester, Lead/Advanced in that the DoIT
Penetration Tester, Lead/Advanced assigns, reviews and approves the work of and
trains lower-level DoIT Penetration Testers or serves as a project lead or addresses the most complex tasks and escalated
issues prior to engaging a higher-level IT manager or director.
Conducts and/or supports authorized penetration
testing on enterprise network assets;
Performs penetration testing as required for new
or updated applications;
Applies authorized cyber capabilities to enable access to targeted networks;
Applies cyber collection, environment
preparation and engagement expertise to enable new exploitation and/or
continued collection operations, or in support of customer requirements;
Applies and complies with applicable statutes, laws, regulations and policies;
Performs analysis for target infrastructure
exploitation activities;
Collaborates with other internal and external
partner organizations on target access and operational issues;
Communicates new developments, breakthroughs,
challenges and lessons learned to leadership, and internal and external
customers;
Conducts analysis of physical and logical digital technologies (e.g., wireless,
Supervisory Control and Data Acquisition (SCADA), telecom) to identify potential
avenues of access;
Creates comprehensive exploitation strategies
that identify exploitable technical or operational vulnerabilities;
Examines intercept-related metadata and content
with an understanding of targeting significance;
Collaborates with developers, conveying target
and technical knowledge in tool requirements submissions, to enhance tool
development;
Identifies gaps in the organization's understanding of target technology and
develops innovative collection approaches;
Identifies, locates, and tracks targets via
geospatial analysis techniques;
Leads or enables exploitation operations in
support of organization objectives and target requirements;
Maintains awareness of advancements in hardware
and software technologies (e.g., attend training or conferences, reading) and
their potential implications;
Monitors target networks to provide indications
and warning of target communications changes or processing failures;
Produces network reconstructions;
Profiles network or system administrators and
their activities;
Performs other related duties.
Knowledge of computer networking concepts and
protocols, and network security methodologies; Knowledge of risk management
processes (e.g., methods for assessing and mitigating risk); Knowledge of laws,
regulations, policies, and ethics as they relate to cybersecurity and privacy;
Knowledge of cybersecurity and privacy principles; Knowledge of cyber threats
and vulnerabilities; Knowledge of specific operational impacts of cybersecurity
lapses; Knowledge of application vulnerabilities; Knowledge of concepts,
terminology, and operations of a wide range of communications media (computer
and telephone networks, satellite, fiber, wireless); Knowledge of web mail
collection, searching/analyzing techniques, tools, and cookies; Knowledge of
collection management processes, capabilities, and limitations; Knowledge of
front-end collection systems, including traffic collection, filtering, and
selection; Knowledge of cyber-attack stages (e.g., reconnaissance, scanning,
enumeration, gaining access, escalation of privileges, maintaining access,
network exploitation, covering tracks); Knowledge of system administration
concepts for operating systems such as but not limited to Unix/Linux, iOS,
Android, and Windows operating systems; Knowledge of website types, administration,
functions, and content management system (CMS); Knowledge of applicable
statutes, laws, regulations and policies governing cyber targeting and
exploitation; Knowledge of relevant reporting and dissemination procedures;
Knowledge of attack methods and techniques (Distributed
Denial of Service (DDoS), brute force, spoofing,
etc.); Knowledge of implants that enable cyber collection and/or preparation
activities; Knowledge of principles of the collection development processes
(e.g., Dialed Number Recognition, Social Network Analysis); Knowledge of
internal and external customers and partner organizations, including
information needs, objectives, structure, capabilities, etc.; Knowledge of
collection searching/analyzing techniques and tools for chat/buddy list,
emerging technologies, Voice Over Internet Protocol (VOIP), Media Over Internet
Protocol (IP), Virtual Private Network (VPN), Very Small
Aperture Terminal (VSAT)/wireless, web mail
and cookies; Knowledge of common networking devices and their configurations;
Knowledge of common reporting databases and tools; Knowledge of concepts for
operating systems (e.g., Linux, Unix); Knowledge of data communications terminology
(e.g., networking protocols, Ethernet, IP, encryption, optical devices,
removable media); Knowledge of data flow process for terminal or environment
collection; Knowledge of evasion strategies and techniques; Knowledge of how
hubs, switches, routers work together in the design of a network; Knowledge of
how Internet applications work (Simple Mail
Transfer Protocol (SMTP) email, web-based
email, chat clients, VOIP); Knowledge of how to collect, view, and identify
essential information on targets of interest from metadata (e.g., email, Hypertext Transfer Protocol (HTTP)); Knowledge of identification and reporting processes;
Knowledge of Internet and routing protocols; Knowledge of Internet network
addressing (IP addresses, classless inter-domain routing, Transmission Control Protocol (TCP)/ User Datagram
Protocol (UDP) port numbering);
Knowledge of intrusion sets; Knowledge of midpoint collection (process,
objectives, organization, targets, etc.); Knowledge of network security (e.g.,
encryption, firewalls, authentication, honeypots, perimeter protection);
Knowledge of network topology; Knowledge of organizational and partner
authorities, responsibilities, and contributions to achieving objectives;
Knowledge of organizational and partner policies, tools, capabilities, and
procedures; Knowledge of products and nomenclature of major vendors (e.g.,
security suites - Trend Micro, Symantec, McAfee, Outpost, and Panda) and how
those products affect exploitation and reduce vulnerabilities; Knowledge of
scripting; Knowledge of strategies and tools for target research; Knowledge of
target intelligence gathering and operational preparation techniques and life
cycles; Knowledge of terminal or environmental collection (process, objectives,
organization, targets, etc.); Knowledge of the basic structure, architecture,
and design of converged applications; Knowledge of the basic structure,
architecture, and design of modern communication networks; Knowledge of
Unix/Linux and Windows operating systems structures and internals (e.g.,
process management, directory structure, installed applications).
Skill in identifying gaps in technical
capabilities; Skill in analyzing traffic to identify network devices; Skill in
creating and extracting important information from packet captures; Skill in
creating collection requirements in support of data acquisition activities;
Skill in creating plans in support of remote operations; Skill in depicting
source or collateral data on a network map; Skill in determining the effect of
various router and firewall configurations on traffic patterns and network
performance in both Local Area Network (LAN) and Wide Area Network (WAN)
environments; Skill in evaluating accesses for intelligence value; Skill in
generating operation plans in support of mission and target requirements; Skill
in identifying the devices that work at each level of protocol models; Skill in
identifying, locating, and tracking targets via geospatial analysis techniques;
Skill in interpreting compiled and interpretive programming languages; Skill in
interpreting metadata and content as applied by collection systems; Skill in
navigating network visualization software; Skill in performing data fusion from
existing intelligence for enabling new and continued collection; Skill in recognizing
and interpreting malicious network activity in traffic; Skill in recognizing
midpoint opportunities and essential information; Skill in recognizing
technical information that may be used for leads to enable remote operations
(data includes users, passwords, email addresses, IP ranges of the target,
frequency in DNI behavior, mail servers, domain servers, SMTP header
information); Skill in researching vulnerabilities and exploits utilized in
traffic; Skill in target development in direct support of collection
operations; Skill in using databases to identify target-relevant information;
Skill in using non-attributable networks; Skill in using trace route tools and
interpreting the results as they apply to network analysis and reconstruction;
Skill in writing (and submitting) requirements to meet gaps in technical
capabilities.
Ability to communicate complex information,
concepts, or ideas in a confident and well-organized manner through verbal,
written, and/or visual means; Ability to accurately and completely source all
data used in intelligence, assessment and/or planning products; Ability to
collaborate effectively with others; Ability to develop or recommend analytic
approaches or solutions to problems and situations for which information is
incomplete or for which no precedent exists; Ability to evaluate, analyze, and
synthesize large quantities of data (which may be fragmented and contradictory)
into high quality, fused targeting/intelligence products;
Ability to expand network access by conducting target analysis and collection
to identify targets of interest; Ability to identify/describe target
vulnerability; Ability to identify/describe techniques/methods for conducting
technical exploitation of the target; Ability to select the appropriate implant
to achieve operational goals.
Experience: Twelve years of experience in an IT position with primary responsibility that includes network management, server management, or security operations. At least two years of specialized experience performing penetration tests and/or red-team exercises.
Notes:
1. Candidates may substitute a bachelor’s degree in computer science, IT security or other related field for up to four years of the required experience.
2. Candidates may substitute the “Education” requirement listed above for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.
3. Candidates may substitute up to two years of the “Experience” requirement listed above for a graduate level degree in Computer science, IT security or other related field.
Must have a Penetration Tester Level II or higher certification
as described on the Maryland Department of Information Technology website.
Employees in this classification may be subject to
call-in 24 hours a day and, therefore, may be required to provide the employing
agency with a telephone number where the employee can be reached. Employees may
be furnished with a pager or cell phone.
Applicants for this classification may handle sensitive
data. This will require a full scope background investigation prior to
appointment. A criminal conviction may be grounds for rejection of the
applicant.
Employees may occasionally be required to travel to field
locations and must have access to an automobile in the event a state vehicle
cannot be provided. Standard mileage allowance will be paid for use of a
privately owned vehicle.
Class
Descriptions are broad descriptions covering groups of positions used by
various State departments and agencies. Position descriptions maintained by
the using department or agency specifically address the essential job
functions of each position.
This is a Skilled Service
classification in the State Personnel Management System. All positions in this
classification are Skilled Service positions. Some positions in Skilled Service
classifications may be designated Special Appointment in accordance with the
State Personnel and Pensions Article, Section 6-405, Annotated Code of
Maryland.
This classification is assigned to Bargaining Unit G, Engineering, Scientific
and Administrative Professionals classes. As provided by the State Personnel
and Pensions Article, Section 3-102, special appointment, temporary,
contractual, supervisory, managerial and confidential employees are excluded
from collective bargaining. Additionally, certain executive branch agencies are
exempt from collective bargaining and all positions in those agencies are
excluded from collective bargaining.
This classification is one
level in a Non-Competitive Promotion (NCP) series. NCP promotions are
promotions by which employees may advance in grade and class level from trainee
to full performance level in a classification series. In order to be
non-competitively promoted to the next level in a NCP series, an employee must:
1) perform the main purpose of the class, as defined by the Nature of Work
section of the class specification; 2) receive the type of supervision defined
in the class specification and 3) meet the minimum qualifications of the
classification.
July 1, 2021
Director, Division of Classification and Salary