
Cyber Security Information Systems

Location:
Santa Barbara, CA
Salary:
120000
Posted:
September 21, 2023


Resume:

Kraig Antony Pakulski

Professional Summary

Kraig A. Pakulski is a seasoned professional who holds the Certified Information Systems Security Professional (CISSP) certification and has a strong track record in cyber security, auditing, ATO and plan submissions, and POA&M development. He is often tasked with writing POA&Ms and related documentation that are deliverables for task management systems; compliance checklists guided by NIST SP 800-53 and SP 800-171 are often the basis for these deliverables. In addition, he has 18+ years of automation experience, having developed numerous database applications using MS SQL Server, MS Access and the MS Office 365 suite of products, including Power BI. These applications have been used to architect and manage US government network security and to establish data architectures for both public trust and classified systems. He has a proven track record of data analysis, risk mitigation, team mentorship, and relationship management. Kraig consistently saves employers from contractual default by expediting cyber security workflows.

Strengths

Plan of Action and Milestones (POA&M) policy writing and development skills

POA&M Database Application Development using MS Excel and MS Access

SCAP scan and STIG Viewer data extraction for POA&Ms

MS Office 365 Software Integration with MS SQL Server, Power BI and MS Access

Cyber security workflow for the entire RMF lifecycle on 3-year ATO life cycles

Database Application Development, Cyber Security Auditing, IT Security,

Cross-Functional Team Leadership, Cloud Infrastructure Architecture,

Virtualization, Data Security and Privacy, Compliance,

Technology Consulting, Security Awareness, Cyber Threat Incident Management,

Data Leak Prevention, Data Disaster Recovery, Data Migration,

Network Security, Agile Methodology, IT Systems Governance, Software Development

Education

Master of Education: University of California Los Angeles

Bachelor of Science, Information Technology: DeVry University

Bachelor of Music Composition: University of California Los Angeles

Certifications

Certified Information Systems Security Professional (CISSP)

CompTIA Security+ CE (Sec+)

Security Technologies

SCAP, STIG, Nessus, SIEM/SOAR/Splunk, MSSQL, MySQL, Windows 7,

Windows 10, Windows Defender, Symantec Endpoint Protection (SEP), Red Hat Enterprise Linux (RHEL), ClamAV

Software Tools

MS Office (VBA),

Visual Studio .Net and Rapid Application Development (RAD) tools to include MS Access/VBA,

MS Visual Studio .Net,

VB.Net,

C#.Net DotNetNuke (DNN/Evoc),

Microsoft Azure, Amazon Web Services (AWS),

Secure JW Player,

PowerShell,

CMD,

VB Script,

Python

Cyber Security Frameworks

Joint Special Access Program Implementation Guide (JSIG),

Risk Management Framework (RMF), CNSSI 1253,

DCSA,

SP 800-53,

PCI DSS,

ISO 27001/27002,

CIS Critical Security Controls,

NIST Framework for Improving Critical Infrastructure Cybersecurity,

OWASP, SAST, DAST

Keywords

cyber security, network security, internet security, information security, computer security, its security, network

firewall, what is cyber security, data security, cyber security certifications, network security key, cyber safety,

endpoint security, cyber threats, cyber security degree, cyber security news, web security, firewall security,

cryptography and network security, cyber security training, website security, network firewall security,

vulnerability assessment, security policy, security solutions, ips security, cyber security companies, security

threats, internet security software, security software, best internet security, information security policy,

application security, database

Experience

PTR Automation, 10/10/2022 to present

Cyber Security Consulting,

Guided by NIST 800-53 and 800-171, I’m currently contracted by PTR Automation to perform Cyber Security baseline data collection duties to measure compliance and vulnerabilities on a network with over 500 nodes.

This is an endeavor toward CMMC Level 3. As of this writing the Department of Defense has only published detailed guidance through CMMC Level 2 (the 110 NIST SP 800-171 controls); the Level 3 requirements are not yet finalized.

Self Employed (Apr 2022- Sept 2022)

Worked in the service industry, consulting on marketing and advertising and t-shirt design. Whenever I am not otherwise employed I do this in various capacities, while looking for an opportunity as well.

Science Applications International Corporation (Apr 2021 to Mar 2022)

Information Systems Security Engineer

Guided by NIST 800-53, I developed database software that expedites baseline risk assessments using STIG data made available at https://public.cyber.mil/stigs.

Installed scanning software and prepared IATT documentation for the 7.3 Meter Telemetry Antenna.

Hardened Windows systems using NIST 800-53, STIGs and Benchmarks.

Prepared documentation for the GSA public property application environment which included Jira, Jenkins, Ansible and GitHub.

Auditing tools included Nessus, BigFix, and Netsparker.

Raytheon Technologies (Jun 2017 to Apr 2021)

Senior Cyber Defense Technologist II (ISSO)

Guided by NIST 800-53, I performed common ISSO auditing tasks using Splunk, Nessus, LogParser/AuditReduce, and custom CMD and PowerShell scripts to collect and evaluate event logs.

Added value by developing a personnel database application that tracked the entire ATO development process to include 15 application modules, and 9 dashboards.

Assigned to an Information System Security Officer (ISSO) position but added value by developing comprehensive database applications.

Projects included:

A scorecard database for use by “program security” officers that filters content based on a Login ID

An audit management system for ISSOs and ISSMs that expedites documentation using 15 dashboards

A training certification tracker that notifies the ISSO of expired training.

A Hard drive inventory database for use by ISSOs and their leadership

Endpoint Security using Ivanti/Lumension and Symantec Endpoint Security.

Control Tower DBA (Apr 2017 to Jun 2017)

Self Employed

Worked with the Crystal Cottage to prepare the grounds for events, including power generators and staging facilities.

Added value by setting up wireless internet with extenders.

Centurum (Jul 2016 to Apr 2017)

Information System Security Officer (ISSO)

Guided by NIST 800-53, I monitored and resolved Plans of Action and Milestones (POA&Ms) to mitigate system vulnerabilities on assigned information systems.

Communicated and coordinated information systems security policy across the organization and worked with government agencies to obtain rulings, interpretations, and acceptable deviations for compliance.

Established, documented, implemented, and monitored the IS Security Program and related procedures for the facility and ensured compliance with IS security requirements

Prepared and maintained Systems Security Plans (SSP) which accurately reflect the installation and security provisions of the system

Ensured that each SSP has been implemented, that the specified security controls are in place and properly tested, and that the IS functioned as described in the SSP

Davidson Technology (Oct 2015 to Jul 2016)

Senior Security Engineer

Guided by the NIST 800-53, I provided justification for a contract modification that saved the contract from default

Worked closely with the Information System Security Officer (ISSO) on prioritizations and tasking

Performed Information Assurance (IA) procedures to include computer and/or network security vulnerability assessments, scans to identify, evaluate and mitigate security risks, threats and vulnerabilities, and STIG verification

Utilized Government provided information, conducted research, provided recommendations and other pertinent information to Government representatives, and assisted in the implementation of hardware and software items for new and existing projects

Self Employed (Mar 2015 to Sept 2015)

Worked in the service industry, consulting on marketing and advertising and t-shirt design. Looking for an opportunity.

United States Army Aeromedical Research Laboratory (USAARL) (Nov 2007 to Feb 2015)

Data Analyst Data Architect

Guided by locally developed Memoranda of Agreement and NIST 800-53, I provided custom database software solutions for the acquisition and processing of accident/injury data for the JTAPIC partnership, comprising 10 Army agencies. See https://jtapic.amedd.army.mil/ for details.

Enabled 1st place finish for a scientific research poster on HMMWV Seatbelt usage at the 2008 Force Health Protection Conference, Fort Bliss, New Mexico

Credited as an author in the Journal of Military Medicine and in 3 scientific publications used to guide future military vehicle programs with new processes needed for military accident analysis (i.e., the Condition, Cause, Outcome, Recommendation System (CCORS)).

CCORS was used to brief Major General Dahl, Deputy Commander of CENTCOM

Experience with Categories of Technology

A summary of my experience with the following categories:

Data Loss Prevention

I have worked with Ivanti/Lumension software to control ports and devices connected to a computer

Cloud Access Security Broker

I currently use Cloudflare, which offers a zero-trust platform that manages my SSL certificates and a cache to speed the loading of web pages.

This is a modern approach to securing cloud resources, since it can absorb a DDoS attack at the edge before the traffic reaches the origin inside the cloud platform.

Zscaler is the common government solution on this front, but it does not offer a cache service to compensate for slower response times.

Data Access Governance

The only tools I have used for this so far are Active Directory and Group Policy Objects. These two tools are usually sufficient to keep data and resources secure.

Keeping a group policy object current is essential to good Data Access Governance

Encryption/Tokenization/Obfuscation/Masking

BitLocker is the standard approach to encrypting data at rest on Windows computers.

Transport Layer Security (TLS) is the standard approach to keeping data encrypted in transit; AES-256 is the most common bulk cipher negotiated inside a TLS session.

I have not seen data on servers encrypted at rest because it would dramatically slow performance. Striping data across multiple drives or servers is sometimes described as obfuscation, but RAID striping is a performance and availability technique: anyone with access to the array still reads the data in the clear.

Unencrypted server data is the most serious exposure in a ransomware attack, in which the attacker escalates to administrative access, encrypts the server data and holds it for ransom. (The SolarWinds compromise is often cited here, but it was a software supply-chain attack in which a backdoor was inserted into signed Orion updates, not a ransomware incident.)

Tokenization applies to credit card numbers that are collected and saved for later use: the primary account number (PAN) is replaced by a surrogate token that is useless outside the tokenization vault, and the last four digits are commonly retained so the record is still recognizable. PCI DSS permits showing at most the first six and last four digits of a PAN when it is displayed, and tokenization is a standard way to keep stored card data out of PCI scope.

Obfuscation, in the security sense, means transforming data or code so that it is harder to interpret without the key or the transformation. Spreading data across a striped RAID array is not obfuscation, and data on such servers is frequently left unencrypted because it needs to be fast to access.

Masking hides part of a value on display, for example the characters of a password as they are typed into a login form, or all but the last four digits of a card number. The term is also used for URL masking, where a page is served under a different domain name than its true path.
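An added example of the tokenization and masking described above (not code from the resume or from any employer system). The in-memory TokenVault stands in for a real, access-controlled token vault, and the card numbers are constructed test values; both are assumptions.

```python
"""Tokenization and masking of a primary account number (PAN).

Added example; not code from the resume or any employer's system. The
TokenVault is an in-memory stand-in for a real, access-controlled vault
(assumption), and the card numbers used are constructed test values.
"""
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN satisfies it, so a token should not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(value: str, keep_first: int = 0, keep_last: int = 4, fill: str = "*") -> str:
    """Masking for display: hide all but the permitted leading/trailing digits.
    PCI DSS allows at most the first six and last four digits to be shown,
    so larger requests are clamped rather than honoured."""
    digits = re.sub(r"\D", "", value)
    keep_first, keep_last = min(keep_first, 6), min(keep_last, 4)
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("nothing left to mask")
    return digits[:keep_first] + fill * hidden + digits[len(digits) - keep_last:]


class TokenVault:
    """Replaces a PAN with an opaque surrogate. Only the vault holds the real
    number; every downstream system stores and displays the token instead."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a valid PAN")
        if digits in self._token_by_pan:          # one card -> one token
            return self._token_by_pan[digits]
        while True:
            # Random digits with the real last four kept, so receipts and
            # customer-service lookups still work. Reject any candidate that
            # passes Luhn: a leaked token must never be mistaken for a PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path, inside the vault's trust boundary, calls this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"        # constructed test number
    token = vault.tokenize(pan)
    print("token:", token, "passes Luhn:", luhn_ok(token))
    print("masked:", mask_pan(pan), mask_pan(pan, keep_first=6))
```

The token keeps the card's last four digits, which is what the text describes, but is generated to fail the Luhn check; that is the property that lets a database full of tokens be treated as non-cardholder data.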

Rights Management

SailPoint is an example of a rights management solution that I have used to centralize the provisioning of web applications and data sources.

Database Security

Database security ultimately rests on the permissions set in the relational database management system (e.g., MS SQL Server).

MS SQL Server Management Studio exposes these settings. Oracle has a similar graphical interface, but its native interface is the SQL*Plus command line.

Data loaded into web pages is exposed if the attacker can get to the data "bindings" or scrape data from exposed controls on the page.

The .NET framework offers the best solutions for this, but it is "strongly typed" and more cumbersome to develop in. As a result Python has become a more popular but potentially less secure language, since its dynamic typing leaves more of the input validation to the developer.

Email Security

Email security can be handled by third-party software that checks and tags email attachments to ensure that classified or proprietary data is not sent outside the network.

The other approach to email security is to check that the user is logged in with a secure token. This token is either a smart card (ID card) inserted into a reader on the keyboard or a hardware token inserted into a USB port.

Endpoint Security

Endpoint security can be handled by Ivanti, which blocks ports and devices, or by Symantec Endpoint Protection, which is the most common.

SEP offers anti-malware, intrusion prevention and host firewall protection.

UEBA

User and Entity Behavior Analytics can be handled by Security Information and Event Management (SIEM) platforms like Splunk.

Splunk uses forwarding agents to send event logs to a centralized server where they can be analyzed and presented in a user-friendly dashboard.

I’ve used Splunk to complete weekly audits requiring 13 fundamental checks from the JSIG.

Logging & Monitoring

Collecting and then clearing event logs is essential on systems where the security option "Audit: Shut down system immediately if unable to log security audits" is enabled: if the Security log fills and cannot be written, Windows halts with a blue screen. Scripts automate the collection using VBScript, Windows commands such as wevtutil, or PowerShell.

A common script found on government computers is called "audit reduce." Similar scripts can be used to collect logs on Linux operating systems.

A cursory analysis of common events and codes can be done on a small scale, but a SIEM like Splunk or Tenable's Log Correlation Engine (Nessus LCE) is the proper way to monitor event logs and identify concerns, classifying what is found with the MITRE ATT&CK framework. ATT&CK is the most common catalogue of the tactics and techniques adversaries use, so each detection can be tied to the technique it identifies.
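As an added example (not code from the resume, from AuditReduce or from Splunk), the following script performs the small-scale triage described above over a handful of constructed Windows Security event lines and labels each finding with the ATT&CK technique it corresponds to. The line layout (timestamp, event ID, account, source address, host), the five-failure threshold and the five-minute window are assumptions; a production check would read a wevtutil export or a SIEM search result instead.

```python
"""Small-scale event-log triage mapped to MITRE ATT&CK techniques.

Added example; not code from the resume, AuditReduce or Splunk. The log
lines are constructed, in the shape of a flattened export (timestamp,
Windows event ID, account, source IP, host), and the thresholds are
assumptions a site would tune against its own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed logons (4625) per account ...
WINDOW = timedelta(minutes=5)   # ... within this window trips an alert

# Constructed sample: a burst of failures then a success for jsmith,
# one ordinary logon for analyst1, and the Security log being cleared.
SAMPLE_LOG = """\
2023-09-18T08:00:01Z 4625 jsmith   10.0.0.55 WS01
2023-09-18T08:00:03Z 4625 jsmith   10.0.0.55 WS01
2023-09-18T08:00:05Z 4625 jsmith   10.0.0.55 WS01
2023-09-18T08:00:07Z 4625 jsmith   10.0.0.55 WS01
2023-09-18T08:00:09Z 4625 jsmith   10.0.0.55 WS01
2023-09-18T08:00:12Z 4624 jsmith   10.0.0.55 WS01
2023-09-18T08:30:00Z 4624 analyst1 10.0.0.21 WS02
2023-09-18T09:15:44Z 1102 jsmith   -         WS01
"""


def parse(text):
    """Turn the flattened export into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src, host = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "id": int(event_id), "account": account,
                       "src": src, "host": host})
    return sorted(events, key=lambda e: e["ts"])


def analyze(events):
    """Return findings, each tagged with the ATT&CK technique it indicates."""
    findings = []
    recent_failures = defaultdict(deque)   # account -> 4625 times in window
    flagged_at = {}                        # account -> when T1110 fired

    def report(technique, name, e, detail):
        findings.append({"technique": technique, "name": name,
                         "account": e["account"], "host": e["host"],
                         "time": e["ts"].isoformat(), "detail": detail})

    for e in events:
        acct = e["account"]
        if e["id"] == 4625:                          # failed logon
            q = recent_failures[acct]
            q.append(e["ts"])
            while e["ts"] - q[0] > WINDOW:           # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and acct not in flagged_at:
                flagged_at[acct] = e["ts"]
                report("T1110", "Brute Force", e,
                       f"{len(q)} failed logons from {e['src']} within {WINDOW}")
        elif e["id"] == 4624:                        # successful logon
            if acct in flagged_at and e["ts"] - flagged_at[acct] <= WINDOW:
                report("T1078", "Valid Accounts", e,
                       "successful logon immediately after a failure burst")
        elif e["id"] == 1102:                        # Security log cleared
            report("T1070.001", "Clear Windows Event Logs", e,
                   "audit log cleared; verify against a scheduled collection")
    return findings


if __name__ == "__main__":
    for f in analyze(parse(SAMPLE_LOG)):
        print(f"{f['time']} {f['host']} {f['technique']} {f['name']}: "
              f"{f['account']} - {f['detail']}")
```

The first check is what a SIEM expresses as a count of event 4625 per account over a five-minute bucket; writing it out shows the sliding window and the follow-on correlation (a 4624 right after the burst) that a dashboard hides. A cleared Security log (1102) is reported on its own because a legitimate clear should coincide with a scheduled collection run.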

Software Testing

An air gap is the physical isolation of a computer network from the internet or other external networks, used to improve the security of information systems. In software testing, an air-gapped environment lets a system be tested while it is not connected to any network or external environment. This approach is common when testing critical systems, such as those used in military, financial or other high-security applications, where even a small vulnerability can be exploited.

As a testing approach, air-gap testing reproduces the production configuration in isolation and reveals how a system behaves under different security scenarios. It requires a combination of manual and automated testing techniques, and well-defined testing procedures help ensure thorough testing and accurate results. Air-gap testing can help organizations identify and address security vulnerabilities before malicious attackers exploit them.

A common Blackbox testing protocol for a Java-based API involves the following:

1. Isolate, or "air gap," the system so it can be tested away from would-be attackers.

2. Identify the inputs and outputs of the API calls.

3. Create test cases that cover the different permutations and combinations of these inputs and outputs.

4. Send requests to the API and capture the responses.

5. Validate the responses against the expected results.

6. Log any errors or failures that occur during the testing process.

There are several tools available for automating Blackbox testing of Java-based APIs, such as

Postman, SoapUI, JMeter, and REST Assured. These tools can help streamline the testing process and ensure that the API is functioning as intended.
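The six steps above carried through end to end, as an added example (not code from the resume or from any of the tools named). The API under test is a stand-in HTTP/JSON service defined inside the script and bound to the loopback interface on an ephemeral port, which keeps the run isolated in the spirit of step 1; its `/users` endpoint, the user records and the expected responses are all constructed assumptions. The harness uses only the Python standard library, whereas the tools named are Java-oriented; the procedure is the same.

```python
"""Black-box test of an HTTP/JSON API following the six steps above.

Added example; not code from the resume or from Postman, SoapUI, JMeter
or REST Assured. The API under test is a stand-in service defined here
(an assumption, not a real product) and bound to 127.0.0.1 on an
ephemeral port so the run never leaves the machine.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

USERS = {"1": {"id": 1, "name": "alice"},      # constructed records
         "2": {"id": 2, "name": "bob"}}


class StubAPI(BaseHTTPRequestHandler):
    """Stand-in system under test: GET /users?id=<n> returns a user."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/users":
            return self._reply(404, {"error": "not found"})
        uid = parse_qs(url.query).get("id", [None])[0]
        if uid is None:
            return self._reply(400, {"error": "id required"})
        if not uid.isdigit():
            return self._reply(400, {"error": "id must be numeric"})
        user = USERS.get(uid)
        if user is None:
            return self._reply(404, {"error": "no such user"})
        return self._reply(200, user)

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):      # silence per-request logging
        pass


# Steps 2 and 3: enumerate inputs and the output each must produce,
# including malformed, out-of-range and injection-shaped values.
CASES = [
    ("valid id",         "/users?id=1",                200, {"id": 1, "name": "alice"}),
    ("unknown id",       "/users?id=99",               404, {"error": "no such user"}),
    ("missing id",       "/users",                     400, {"error": "id required"}),
    ("injection-shaped", "/users?id=1%27%20OR%201=1",  400, {"error": "id must be numeric"}),
    ("negative id",      "/users?id=-1",               400, {"error": "id must be numeric"}),
    ("oversized id",     "/users?id=" + "9" * 3000,    404, {"error": "no such user"}),
    ("wrong path",       "/admin",                     404, {"error": "not found"}),
]


def run_cases(base_url, cases):
    """Steps 4 to 6: send each request, capture the response, validate it,
    and record failures together with what was actually returned."""
    results = []
    for name, path, want_status, want_body in cases:
        try:
            with urllib.request.urlopen(base_url + path, timeout=5) as resp:
                status, body = resp.getcode(), json.loads(resp.read())
        except urllib.error.HTTPError as err:          # 4xx/5xx still carry a body
            status, body = err.code, json.loads(err.read())
        results.append({"case": name, "status": status, "body": body,
                        "ok": status == want_status and body == want_body})
    return results


def black_box_test(cases=CASES):
    """Start the isolated stub, run the cases against it, then shut it down."""
    server = HTTPServer(("127.0.0.1", 0), StubAPI)     # step 1: loopback only
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_cases(f"http://127.0.0.1:{server.server_address[1]}", cases)
    finally:
        server.shutdown()
        server.server_close()


def failures(results):
    """The failure log from step 6: every case whose response did not match."""
    return [r for r in results if not r["ok"]]


if __name__ == "__main__":
    results = black_box_test()
    for r in results:
        print("PASS" if r["ok"] else "FAIL", r["case"], r["status"], r["body"])
    print(f"{len(failures(results))} failure(s) in {len(results)} case(s)")
```

The cases deliberately include an injection-shaped value and an oversized one: a black-box suite that only sends well-formed requests tells you the API works, not that it fails safely. Pointing `run_cases` at a real service means replacing the stub with that service's base URL and the expected bodies with its documented responses.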


