At BNP Paribas Canada, it is our employees who make the difference... Our 75 nationalities are part of our diversity!
Do you like challenges, a structured framework, the prospect of optimizing and innovating? You are known for your originality and want a certain freedom to think while sharing your knowledge and ideas?
... Come help us contribute to the growth of our Canadian platform!
You will benefit amongst other things from:
- Access to social volunteer and recreational programs, via our many Employee Resource Groups (ERGs)
- Opportunities for career development through active internal mobility and our innovative training program: Canada Academy
- A brand new workspace, flexible, comfortable and easily adaptable to your needs: remote work opportunities, standing desks, innovation lab, open meeting rooms and spaces
The Vulnerability Assessments (VA) Team is the offensive security arm of BNPP Cyber Security. The team is responsible for managing the Penetration Testing and Red Team Assessments program.
The Vulnerability Assessments (VA) Team performs global intelligence-led exercises against people, process, and technology. The Red Team challenges the organization to improve the effectiveness of Cyber Security by conducting exercises using the same Tactics, Techniques and Procedures (TTPs) as real adversaries. To be successful in this role, candidates are expected to act as subject matter experts in offensive security with a proven track record in exploitation, escalation of privileges, and lateral movement.
Candidate Success Factors:
Candidates will be measured on the following four performance drivers which will dictate how individual impact is considered on the Americas platform:
- Results and Impact
- Leadership and Collaboration
- Client, Customer and Stakeholder Focus
- Compliance Culture and Conduct
- Develops, manages, and oversees offensive cybersecurity tests to validate the completeness and effectiveness of cybersecurity controls.
- Manages vendor contracts, relationships, and staff for the execution of cybersecurity tests.
- Designs, builds, and improves the technical infrastructure necessary to perform cybersecurity testing by both in-house and outsourced penetration testers who are executing either remotely or onsite.
- Assist infrastructure and application owners in validating their remediation efforts for findings resulting from offensive cybersecurity tests.
- Lead penetration testing and red team assessments.
- Lead, plan, and execute all Social Engineering simulations.
- Analyze cyber intelligence and design attack models for use against the organization.
- Testing of the overall security of critical infrastructure components and applications to ensure they comply with internal policies, security architecture best practices, and industry standards.
- Supporting Purple Team operations.
- Reporting information security vulnerabilities to businesses and vendors.
- Act as thought leaders for addressing new security challenges such as IoT, cloud, robotics, and artificial intelligence.
- Conduct vulnerability assessments and penetration tests (application and/or infrastructure) and articulate security issues to technical and non-technical audiences.
- Identify, research, and validate known and unknown exploits on cyber infrastructure.
- Work closely with the Blue Team to identify gaps, address findings, and improve breach response.
- Act as advisors for the Blue Team during major events and hunt activities.
Minimum Required Qualifications
- Strong problem solving and analytical skills, verbal and written communication skills.
- Excellent interpersonal skills and the ability to work effectively with others as a team.
- Ability to work independently and to manage and prioritize multiple tasks effectively.
- Solid understanding of IT security concepts with an emphasis on Security and Risk Assessment.
- Knowledge and experience with law and regulations surrounding the financial services sector.
- Advanced user of Microsoft Excel, Microsoft Word and Microsoft PowerPoint.
- Excellent understanding of networking concepts and Information Security, including emerging threats and attack methodologies.
- Demonstrable understanding of Information Technology principles, including software, hardware, and networking.
- A broad understanding of all areas of banking and the threats faced by the financial sector.
- Strong ability to analyze threat actor TTPs at a highly detailed and technical level, examine and develop the controls, lead and execute tests of those controls using penetration testing and red team techniques.
- Conducting adversary emulations and penetration testing (application and/or infrastructure) and articulating security issues to technical and non-technical audiences.
- Identifying, researching, validating, and exploiting various different known and unknown security vulnerabilities on server and client side.
- Conducting Purple Team Testing.
- Creating metrics to establish value to senior management.
- Define cyber KPIs.
- Vulnerability Assessment tools, e.g. Nessus, Qualys, etc.
- Strong familiarity with at least one major pen testing framework (MITRE ATT&CK, CBEST) and the ability to self-learn new frameworks as required (Cyber Kill Chain).
- Social Engineering campaigns, e.g. email phishing, phone calls, SET.
- Deep understanding of OSI model.
- Security devices, e.g. Firewalls, VPN, AAA systems.
- OS Security, e.g. Unix, Linux, Windows, Cisco, etc.
- Understanding of common protocols, e.g. LDAP, SMTP, DNS, Routing Protocols.
- Reporting information security vulnerabilities to businesses.
- Bachelor's degree in Computer Science or Engineering (relevant concentration preferred) with 2-5+ years of experience preferably within a pen test or red team function in the financial sector; or a Graduate Degree (Masters) in MIS.
- Information Security certifications (e.g., CISSP, CISA, CISM, SANS coursework).
- Exploitation frameworks, e.g. Metasploit, CANVAS, Core Impact.
- Post-Exploitation Frameworks: Cobalt Strike, SILENTTRINITY, Covenant, Faction, Merlin, APfell, Red Team Toolkit, Voodoo.
- Web development and programming languages i.e. Python, Perl, Ruby, Java, and/or .Net.
- SharePoint administration and document management.
- Understanding of the Tactics, Techniques, and Procedures of cyber threat actors.
- Excellent writing and presentation skills to communicate findings and recommendations to different audiences and stakeholders.
About BNP Paribas
With more than 200,000 employees in 72 countries, the Group serves nearly 32 million individual customers and 850,000 professionals, entrepreneurs, SMEs and large companies. BNP Paribas is a leading bank in the euro zone and a leading international banking player.
Did you know? In 2019, BNP Paribas was named World’s Best Bank for Corporate Responsibility 2019.
About BNP Paribas in Canada
With more than 900 employees, BNP Paribas Canada continues to attract experts from diverse fields as well as ambitious young talent from around the world. We are proud to offer our employees a rewarding and international workplace where they can build their professional careers by honing their skills, meeting challenges and enriching their knowledge of the financial industry.
A recruitment policy that promotes equality and diversity:
BNP Paribas is an equal opportunity employer. BNP Paribas recruits, employs, trains, compensates and promotes regardless of race, religion, color, national origin, sex, disability, age, and other protected status (Employment Equity Act).
Part of BNP Paribas’ dedication to diversity, multiculturalism and inclusion is clearly reflected in how we believe and live diversity and inclusion all together. As such, one of BNP Paribas’ initiatives is hosting Employee Resource Groups (ERGs) which are focused on equality of gender, sexual orientation and learning from other cultures.
We can assist with access to job offers for people with disabilities who may be unable to use our career site - please contact us by email firstname.lastname@example.org or by phone on 514-285-6000
Want to know more about the BNP Paribas Group?
Only selected applications that meet the requirements of the role will be contacted