Professional Experience

present
-
04.2020

Principal IT Security Consultant

RM Information Security, Manchester, United Kingdom

    ---=== Details Soon ===---

03.2020
-
12.2014

Senior Penetration Tester (VP)

Barclays, Knutsford, United Kingdom

  • Penetration Testing and Vulnerability Assessments for numerous internal and 3rd party clients including
    • infrastructure testing
    • web application assessments
    • mobile security testing
    • cloud system assessments
    • web services testing
    • VPN and remote access assessments
  • Security assessments of various systems/products including
    • Trading Platforms
    • Payments
    • Single Sign-On
    • Building Management Systems
    • Building Access Systems
    • Database Change Control
    • Active Directory
    • Network Access Control
    • Scheduling/Workload Automation
  • Reverse Engineering of Thick Clients and Android/iOS Mobile applications including cracking weak encryption mechanisms, local authentication and extracting sensitive information
  • Firewall, router and switch configuration reviews
  • MS SQL and Oracle database configuration reviews
  • Operating System build and hardening reviews
  • Architecture and design security reviews
  • Developing the ButterFly 2.0 Security Project; an updated educational environment intended to give an insight into common web application vulnerabilities based on a payment system, written in C#/ASP.NET, MVC, HTML5 and CSS3
  • Acting as mentor to other team members
11.2014
-
02.2006

Senior IT Security Consultant

Pentest Limited, Manchester, United Kingdom

  • A large number of Penetration Tests and Vulnerability Assessments for numerous customers including:
    • web application testing
    • network security assessment
    • web services testing
    • wireless network testing
    • mobile application testing
    • cloud system assessment
    • mobile device management solution assessment
    • social engineering
    • VPN and remote access assessment
  • Architecture and design security reviews
  • Firewall, router and switch configuration reviews
  • Acting as mentor to other team members
  • The author of the ButterFly Security Project - educational environment intended to give an insight into common web application vulnerabilities. The project is based on applications written in:
    • PHP
    • ASP.NET
    • J2EE/Struts
    • Adobe Coldfusion
  • Preparing and delivering web application security training in the UK, Ireland and Germany
  • Developing tools for penetration testing
  • Reverse engineering and exploit development
  • Operating System build and hardening reviews
01.2006
-
10.2004

IT Security Specialist/Security Officer

National Bank of Poland, Warsaw, Poland

  • Penetration Testing activities (devising methodologies, penetration test execution, authoring reports; member of European Central Bank (ECB) Penetration Test Team)
  • Local coordinator of TARGET (pan-European payment system) risk analysis
  • Control and assessment of the bank's systems security
  • Evaluation of security measures in IT projects
  • Hardening of systems security
  • Cooperation with IT Department in order to create secure IT solutions
  • Creating and administration of a testing environment (based on Linux Debian, FreeBSD, Microsoft Windows 2000/XP/2003 + AD2003)
  • Development of the Central Log Server Project based on open-source software
09.2004
-
12.2001

Administrator/Internet programmer

Data Bank of Engineers, Warsaw, Poland

  • Configuring and securing internal networks, servers/gateways and remote access systems
  • Securing personal data processed by the company
  • Project planning and implementation of Active Directory infrastructure
  • Project planning and implementation of the 2-layer Public Key Infrastructure; creating a Single Sign-On solution, which provides application users with access to their accounts, secure email and internal web system (based on Apache and PHP) via Smartcard technology
  • Design and automation of backup procedures within the company
  • Creating the company internet website
  • Creating complex internal website system to manage candidate data, job offers and company's documents; advanced statistics in textual and graphical form
  • Creating CV Generator application in VB .NET
  • Support of company customers and employees
  • Troubleshooting of software and hardware problems
11.2001
-
12.2000

Internet programmer/Administrator

Safenet, Lublin, Poland

  • dynamic website creation based on PHP and relational database MySQL
  • FreeBSD 4.x server administration (including account management, quota management, virtual servers, firewall)
  • technical support of company customers

Certificates and Exams

Titles:

02.2013Tiger Scheme Senior Tester (recertification)
01.2010Tiger Scheme Senior Tester
06.2005CompTIA Security+
02.2005Microsoft Certified Systems Engineer (MCSE) on Windows 2003
11.2004Microsoft Certified Systems Administrator (MCSA) on Windows 2003
04.2004Microsoft Certified Systems Engineer (MCSE) on Windows 2000
02.2004Cisco Certified Network Associate (CCNA)
08.2003Microsoft Certified Systems Administrator (MCSA) on Windows 2000
07.2002Microsoft Certified Professional (MCP)


Exams:

02.2013Tiger Scheme Senior Tester (recertification)
01.2010Tiger Scheme Senior Tester
06.2005CompTIA SY0-101 Security+
02.200570-296: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE
11.200470-292: Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA
04.200470-220: Designing Security for a Microsoft. Windows. 2000 Network
02.2004640-801: Cisco Certified Network Associate (CCNA)
11.200370-217: Implementing and Administering a Microsoft. Windows. 2000 Directory
09.200370-216: Implementing and Administering a Microsoft. Windows. 2000 Network Infrastructure
06.200370-218: Managing a Windows 2000 Network Environment
02.200370-228: Installing, Configuring, and Administering Microsoft. SQL Server. 2000 Enterprise Ed.
08.200270-210: Installing, Configuring, and Administering Microsoft. Windows. 2000 Professional
08.200270-215: Installing, Configuring, and Administering Microsoft. Windows. 2000 Server
06.2000First Certificate in English (FCE)

Skills

  • Knowledge of Penetration Tests activities:
    • creating and following methodology
    • white, grey and black box testing approaches
    • privilege escalation and pivoting techniques
    • ability of recognizing false positives in penetration testing
    • ability of manual checking of vulnerabilities, customizing exploits and shellcodes
    • using pentesting tools (including xprobe2, nmap, amap, nikto, Nessus, Burp Suite, Nexpose, Retina, ISS Internet Scanner, Spike, Metasploit, Canvas, Core Impact, NCC SQuirreL suite)
  • Ability to test significantly complex systems, products and environments, consisting of multiple components (infrastructure, network, web, mobile UI) and using custom network communication protocols.
  • Knowledge of web application vulnerabilities (for example: Blind and Time based SQL Injection, DOM Cross-Site Scripting, XML External Entity (XXE), Session Fixation, CRLF injection and many more)
  • Knowledge of cryptography: public key and symmetric cryptography, signatures, message digests, MAC
  • Reverse Engineering of Thick Clients and Android/iOS Mobile applications
  • Knowledge of software vulnerabilities and attack techniques (including Stack, Heap, BSS-based buffer overflows, format string bugs, race conditions, symlink attacks)
  • Knowledge of the following operating systems:
    • Linux Debian, RedHat, Gentoo, Ubuntu
    • Windows Workstation and Server OS
    • Cisco IOS
    • FreeBSD
    • OpenBSD
  • Knowledge of installation and configuration of the following services and functions of a network server:
    • Firewall (iptables,ipfw,ipf), NAT
    • Network Intrusion Detection System (NIDS) - Snort+pgsql plugin+acid console
    • WWW Server (Apache, IIS)
    • File-based Server (Samba, FTP)
    • Proxy Server (Squid)
    • Mail Server (Qmail, Postfix, Sendmail) + servers POP3 and IMAP
    • DNS (Bind)
    • Relational databases (MySQL, PostgreSQL, MS SQL)
    • Public Key Infrastructure (PKI)
    • Virtual Private Network (VPN), IPSEC
    • Quality of Service (QoS): ipfw, CBQ, HTB, HFSC, IMQ
    • Chroot, jail of services and users
  • Knowledge of the following programming languages:
    • PHP
    • J2EE/Struts
    • SQL/Stored Procedures
    • C# and Visual Basic .NET (ASP.NET)
    • C/C++ (network programming in UNIX systems, Visual Studio .NET)
    • HTML, XML, CSS, Javascript
  • Knowledge of many types LAN and WAN networks, routing protocols and network switching
  • Driving licence
  • Knowledge of the foreign languages:
    • Polish - native
    • English - fluent

Interests

  • Photography - http://elessar.smugmug.com
  • Freshwater aquarium
  • Sport : F1 and motorcycles racing
  • Playing a guitar, RPG games, simulators, Gran Turismo, Diablo, The Witcher
  • Cinema and literature