Salary: $64,828.00-$108,780.00 Yearly
SKILLED SERVICE
BARGAINING UNIT: G
NCP
A Department of Information Technology (DoIT) Cyber Defense Analyst I is the intermediate level of work in the Office of Security Management (OSM) and is tasked with first-contact handling of security logs, incidents, and events. Additional responsibilities include monitoring the infrastructure that supports service delivery, replacing failed components, making system configuration changes, and applying patches and other updates. Employees in this classification do not supervise lower-level positions. Employees may be required to work evenings, weekends and holidays and may be subject to call-in.
Employees in this classification receive moderate supervision from an Information Systems Security Manager or other designated administrator. This position does not supervise.
Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.
The DoIT Cyber Defense Analyst I and DoIT Cyber Defense Analyst II are differentiated on the basis of the degree of supervisory control exercised by the supervisor over these employees. The DoIT Cyber Defense Analyst I performs duties under close supervision at times and under general supervision at other times, depending on the complexity of the specific duty being performed, and the DoIT Cyber Defense Analyst II performs the full range of duties under general supervision. The DoIT Cyber Defense Analyst II differs from the DoIT Cyber Defense Analyst Ld/Adv in that the DoIT Cyber Defense Analyst Ld/Adv handles cases of a more complex nature or leads lower-level DoIT Cyber Defense Analysts.
Develops content for cyber defense tools;
Characterizes and analyzes network traffic to identify anomalous activity and potential threats to network resources;
Coordinates with enterprise-wide cyber defense staff to validate network alerts;
Ensures that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level;
Documents and escalates incidents (including the event's history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment;
Performs cyber defense trend analysis and reporting;
Performs event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack;
Performs security reviews and identifies security gaps in security architecture, resulting in recommendations for inclusion in the risk mitigation strategy;
Plans and recommends modifications or adjustments based on exercise results or system environment;
Provides daily summary reports of network events and activity relevant to cyber defense practices;
Receives and analyzes network alerts from various sources within the enterprise and determines possible causes of such alerts;
Provides timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities, and distinguishes these incidents and events from benign activities;
Uses cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity;
Analyzes identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on system and information;
Determines tactics, techniques, and procedures (TTPs) for intrusion sets;
Examines network topologies to understand data flows through the network;
Recommends computing environment vulnerability corrections;
Identifies and analyzes anomalies in network traffic using metadata (e.g., CENTAUR);
Conducts research, analysis, and correlation across a wide variety of all-source data sets (indications and warnings);
Validates intrusion detection system (IDS) alerts against network traffic using packet analysis tools;
Isolates and removes malware;
Identifies applications and operating systems of a network device based on network traffic;
Reconstructs a malicious attack or activity based on network traffic;
Identifies network mapping and operating system (OS) fingerprinting activities;
Assists in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the network environment or enclave;
Notifies designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulates the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan;
Analyzes and reports organizational security posture trends;
Analyzes and reports system security posture trends;
Assesses adequate access controls based on principles of least privilege and need-to-know;
Monitors external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determines which security issues may have an impact on the enterprise;
Assesses and monitors cybersecurity related to system implementation and testing practices;
Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities;
Works with stakeholders to resolve computer security incidents and vulnerability compliance;
Provides advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans;
Performs other related duties.
Knowledge of computer networking concepts and protocols, and network security methodologies;
Knowledge of risk management processes (e.g., methods for assessing and mitigating risk);
Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy;
Knowledge of cybersecurity and privacy principles;
Knowledge of cyber threats and vulnerabilities;
Knowledge of specific operational impacts of cybersecurity lapses;
Knowledge of authentication, authorization, and access control methods;
Knowledge of cyber defense and vulnerability assessment tools and their capabilities;
Knowledge of computer algorithms;
Knowledge of encryption algorithms;
Knowledge of cryptography and cryptographic key management concepts;
Knowledge of database systems;
Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists);
Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins);
Knowledge of incident response and handling methodologies;
Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation);
Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions;
Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption);
Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML);
Knowledge of network traffic analysis methods;
Knowledge of new and emerging information technology (IT) and cybersecurity technologies;
Knowledge of operating systems;
Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]);
Knowledge of policy-based and risk adaptive access controls;
Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code);
Knowledge of key concepts in security management (e.g., Release Management, Patch Management);
Knowledge of security system design tools, methods, and techniques;
Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing);
Knowledge of the cyber defense Service Provider reporting structure and processes within one's own organization;
Knowledge of Virtual Private Network (VPN) security;
Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities;
Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations;
Knowledge of adversarial tactics, techniques, and procedures;
Knowledge of network tools (e.g., ping, traceroute, nslookup);
Knowledge of defense-in-depth principles and network security architecture;
Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN);
Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip);
Knowledge of interpreted and compiled computer languages;
Knowledge of collection management processes, capabilities, and limitations;
Knowledge of front-end collection systems, including traffic collection, filtering, and selection;
Knowledge of cyber defense and information security policies, procedures, and regulations;
Knowledge of the common attack vectors on the network layer;
Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks);
Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored);
Knowledge of system administration, network, and operating system hardening techniques;
Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures;
Knowledge of cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks);
Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth);
Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools;
Knowledge of encryption methodologies;
Knowledge of signature implementation impact for viruses, malware, and attacks;
Knowledge of Windows/Unix ports and services;
Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model);
Knowledge of the OSI model and underlying network protocols (e.g., TCP/IP);
Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities;
Knowledge of Personally Identifiable Information (PII) data security standards;
Knowledge of Payment Card Industry (PCI) data security standards;
Knowledge of Personal Health Information (PHI) data security standards;
Knowledge of systems security testing and evaluation methods;
Knowledge of countermeasure design for identified security risks;
Knowledge of network mapping and recreating network topologies;
Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump);
Knowledge of the use of sub-netting tools;
Knowledge of operating system command-line tools;
Knowledge of embedded systems;
Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications;
Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services;
Knowledge of how to use network analysis tools to identify vulnerabilities;
Knowledge of penetration testing principles, tools, and techniques;
Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list).
Skill in developing and deploying signatures;
Skill in detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort);
Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes;
Skill in evaluating the adequacy of security designs;
Skill in using incident handling methodologies;
Skill in using protocol analyzers;
Skill in collecting data from a variety of cyber defense resources;
Skill in recognizing and categorizing types of vulnerabilities and associated attacks;
Skill in reading and interpreting signatures (e.g., Snort);
Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.);
Skill in performing packet-level analysis;
Skill in recognizing vulnerabilities in security systems (e.g., vulnerability and compliance scanning);
Skill in conducting trend analysis;
Skill in applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation);
Skill in using the cyber defense Service Provider reporting structure and processes within one's own organization.
Ability to analyze malware;
Ability to conduct vulnerability scans and recognize vulnerabilities in security systems;
Ability to accurately and completely source all data used in intelligence, assessment and/or planning products;
Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation);
Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies;
Ability to interpret the information collected by network tools (e.g., nslookup, ping, and traceroute).
Experience: Six years of experience in threat hunting, network security analysis, network traffic analysis, information security, information systems, information assurance, troubleshooting, security operations, cryptography, and cyber threat modeling.
Notes:
1. Candidates may substitute a bachelor's degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field for up to four years of the required experience.
2. Candidates may substitute the "Education" requirement listed above for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.
3. Candidates may substitute the "Experience" requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.
1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.
2. Applicants for this classification may handle sensitive data. This will require a full scope background investigation prior to appointment. A criminal conviction may be grounds for rejection of the applicant.
3. Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.
Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.
This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.
This classification is assigned to Bargaining Unit G, Engineering, Scientific and Administrative Professionals classes. As provided by the State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.
This classification is one level in a Non-Competitive Promotion (NCP) series. NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series. In order to be non-competitively promoted to the next level in an NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification; and 3) meet the minimum qualifications of the classification.
July 1, 2021
Director, Division of Classification and Salary