Skilled Vulnerability Management
Resume:
Dana E. Morrow
****.******@*****.***
Dana E. Morrow
Education:
B.S., Cybersecurity – Information Assurance, Colorado Technical University (CTU)
Certifications and Special Training:
ISC2 CISSP, October 2008
CompTIA Security+, February 2008
SEC540 VoIP and Unified Communications Security (2011)
SEC564 Red Team Exercises and Adversary Emulation (2020)
EC-Council Associate C CISO, March 2024
Areas of Expertise
20 years’ experience managing and conducting penetration tests, social engineering, wireless engagements and physical security reviews.
Experience with cybersecurity penetration testing to included Red Team penetration testing and techniques.
Manages and conducts Red Team engagements to penetrate, assess and test organizational defense capabilities.
Penetration testing experience in web applications, network and organizational systems.
More than 20 years of experience securing and managing organizational/enterprise networks.
Experience working with medium and large Microsoft and Unix-based networks.
Provides innovative network security detection, design, and implementation.
Proven record of security mindset, processes, and improvement.
Conducts security presentations at various security conferences and universities.
Specific Project References
Performs research, analysis and testing of computer/network vulnerabilities via vulnerability assessments, penetration testing, social engineering and wireless engagements.
Conducts enterprise risk assessments (OCTAVE) and serves as a member of the Change Control Board (CCB) and Security Administration Team (SAT) for SOC2 compliance.
Professional Experience
Foresite MSP / Cybersecurity
Director, Security Services Jul 2021 – Aug 2024
Strong client services oriented, strong interpersonal and leadership skills and a demonstrated ability to gain the confidence and respect of clients of clients and partners.
Primary Point of Contact for integrated reporting engine (FORGE); requirements, oversight in development and phased deployment.
Manages a team of 8 security consultants.
Performs research, analysis, and testing of computer/network vulnerabilities via vulnerability assessments, penetration testing, social engineering, and wireless engagements.
Reviews service reports for content, accuracy and timely delivery.
Closely works with clients / sales representative regarding client cyber security needs and scoping
Primary contact for Statement of Work generation for Assessment team.
Coordinates with Program Managers on scheduling and logistics.
TUV Rheinland of North America, Inc.
Senior Consultant (Penetration Tester) Apr 2021 – Jun 2021
Penetration testing using commercial and opensource tool sets to included Metasploit and Kali Linux.
Outlines and portrays test findings via well-documented reports.
Delivers and participates in client briefings as needed.
ManTech
Deputy Program Manager Feb 2021 – Mar 2021
Manage team workload on (National Information Technology Operations and Applications Development) NITOAD Contract.
Daily interaction with the customer to coordinate major upgrades or emergency patching / replacement of equipment.
Work with the Sr. PM to develop all reports for the customer.
Along with the Sr. PM attend monthly report meetings with the customer.
Write up requests for non-critical patching/upgrades.
Ensure staff has all appropriate credentials and that staff completes all necessary training (both ManTech and NITOAD).
Create and monitor Key Performance Indicators (KPIs) that reflect SOC performance metrics.
Digital Defense, Inc.
Manager, Security & Compliance Operations May 2007 – Jan 2021
Manages a team of 13 analysts and interns.
Performs research, analysis, and testing of computer/network vulnerabilities via vulnerability assessments, penetration testing, social engineering, and wireless engagements.
Penetration testing experience using opensource tool sets to included Metasploit and Kali Linux.
Outlines and portrays test findings via well-documented reports.
Delivers and participates in client briefings as needed.
Assists clients with questions regarding vulnerabilities and the remediation efforts involved in mitigating them via recommended safeguards/controls.
Reviews vulnerability findings to aid organization in meeting audit / regulatory / compliance agendas.
Business Computer Applications (BCA)
Team Lead/Security Engineer; TRICARE Management Activity February 2007 – April 2007
Led a team of security professionals using the DITSCAP/DIACAP methodology.
Responsible for recommending fixes to clients and/or mitigating identified vulnerabilities.
Worked with IT management to define and document IA processes and procedures for BCA office.
Provided technical and application support to field component of IA team.
Ensured DoD/TMA network compliance via vulnerability assessments. Ultimately resulting in the award of Certification and Accreditation (C&A) of the IS.
Provided quality assurance review and tracking for security documents related to DoD requirements.
Assessed and addressed vulnerability issues.
Provided technical support for large IA and information security programs.
Kforce Government Solutions (KGS) (formerly Pinkerton Computer Consultants, Inc., Government Solutions Division)
Information Security Engineer; Department of Homeland Security, U.S. Customs & Border Protection June 2006 – January 2007
Member of risk assessment team. Experienced with advanced concepts of information security systems and communications security systems and applications.
Gained knowledge of systems or data encryption, systems attack, systems protection, and systems penetration analysis.
Performed computer systems security engineering for systems protection, attack, and penetration/protection analysis.
Developed risk assessment reports or security assessment reports (SAR), providing summaries of discovered risks, threat likelihood, and recommended corrective action(s).
Gained and used knowledge of NIST 800–series publications.
Facilitated use of POA&Ms to assist program managers/ISSOs in mitigating identified vulnerabilities.
Member of the Security Policy Change Control Board, which reviewed, interpreted, and designed policy for U.S. Customs & Border Protection. Board discussed topics and submitted disposition to the director of STP for approval or disapproval.
HiTek Security, LLC
HIPAA Security Analyst; Health & Human Services October 2005 – January 2006
For this 200-hour contract:
Performed security review of Health & Human Services Commission, which included the implementation and operation of several intrusion detection system (IDS)/intrusion prevention system (IPS) security appliances.
Analyzed network design and recommended technical security solution in support of HIPAA compliance requirements and TAC 202 regulations.
Intermedia Group, Inc.
Network Security Engineer; U.S. Department of the Army August 2005 – September 2005
For this 2-month contract:
Created segregated security enclaves for U.S. Army through the use of VLAN implementation.
Protected legacy platforms in their participation in an Active Directory network.
IDC-MCS Inc.
CISCO Server Fabric Switch Installation Engineer, Sandia Labs August 2004 – July 2005
Performed partial InfiniBand hardware installation at Sandia Labs, New Mexico.
Worked with blade servers and minimal replacement/installation of blades.
U.S. Department of the Navy
Network Engineer Team Lead, Certification Agent August 2004 – February 2005
Served as certification agent for analysis of Department of the Navy networks to determine operational compliance with SPAWAR, DISA, and DITSCAP security policy requirements.
Recommended mitigation practices and procedures for failed or weak areas of infrastructure. Created and deployed documentation for certification authority approval.
Applied specialized knowledge of network and system attack vectors to perform daily functions such as router ACL validation, firewall policy testing, and system hardening checks.
Conducted facility walkthroughs and personnel interviews for compliance of set guidelines and security best practices.
Coordinated report findings with multiple field teams for review and optimization.
Conducted physical internal and exterior assessments of facilities to ensure compliance with Department of the Navy guidelines and directives. Included examination of doors, windows, vents, room layout and architecture, fences, lights, alarms, monitors, etc.
Conducted manual and automated auditing assessments to ensure compliance with guidelines and baselines set forth by the Department of the Navy.
United States Air Force, Randolph AFB, TX
Superintendent; Configuration Control Board, Network Operations and Security Center, AETC Computer Systems Squadron April 2003 – July 2004
Wrote command naming convention schema affecting approximately 60,000 users.
Developed command-wide security settings to lock down all desktop computers for the migration to Windows XP operating system–standardized command configuration.
Co-authored configuration management plan to provide the ability for development of a lifecycle management process for the command's enterprise network, ensuring documented network changes.
United States Air Force, Randolph AFB, TX
Superintendent; Configuration Control Board, Network Operations and Security Center, AETC Computer Systems Squadron May 2002 –March 2003
Managed 57 personnel on three shifts providing 24x7 availability of network assets.
Led daily operations of 39 critical circuits, ensuring network connectivity uptime of 98%.
Monitored, collected, tracked, evaluated, and reported all enterprise network events and incidents for 13 network control centers and Wilford Hall Medical Center.
Supervised security and performance monitoring, and managed a command-level customer assistance center.
Exercised operational control over network problem troubleshooting, recovery, and restoration efforts.
Prepared operational performance standup briefings and metrics.
Ensured enterprise network security posture was maintained through the enforcement of time-sensitive adjustments that minimized and countered operational risk.
NOSC lead for Public Key Infrastructure program, outlining work center role for resolving problems and enforcing mandates.
United States Air Force, Scott AFB, IL
Non-Commissioned Officer-in-Charge, Network Security Engineer; Network Operations and Security Center, 868th Communications Squadron July 2001 – April 2002
Led section of 20 personnel.
Supervised expansion of network services, designs, and implementation of network security enterprise architectures for 12 bases supporting 65,000 users. Led Defense in Depth strategies, including VLAN implementations.
Supervised flawless migration of 40,000 users and Exchange accounts from seven bases to NOSC consolidated site, eliminating the need for 50 messaging servers command-wide.
Prepared operational performance standup briefings and metrics.
United States Air Force, Scott AFB, IL
Non-Commissioned Officer-in-Charge, Network Security Engineer; Network Operations and Security Center, 868th Communications Squadron December 1998 – June 2001
Supervised section of four personnel.
Deployed configuration baseline and conducted performance enterprise security assessments for 39 remote vulnerability-scanning platforms.
Integrated operational requirements, U.S. Air Force policies, and the newest security techniques.
Tested and implemented security patches and ensured updated virus signatures were available to protect enterprise networks from new exploits.
Served as technical engineering liaison for hard-to-solve security vulnerability problems in command.
Developed command’s first-ever vulnerability scanning policy.
Organized and led security team during staff assistance visits to repair identified vulnerabilities, ensuring compliance with U.S. Air Force and command security directives.
Assisted 92 Information Warfare Aggressor Squadron on vulnerability assessments.
Engineered security solution to scan Active Directory; first command implementation.
Implemented an innovative solution to conduct enterprise security scans.
Developed network security guidelines and policy for 12 network control centers.
Developed techniques to secure more than 6,000 printers’ enterprise-wide.
Helped design first U.S. Air Force vulnerability tracker tool, Vulnerability Assessment Tracker (VA Tracker).
Correlated security trend analysis, providing enterprise-wide status to enterprise chief information officer.
Created and implemented detailed list of email attachment filters for firewalls and antivirus gateways.
Constructed comprehensive listing of mandatory advisories mapped to corresponding operating system.
Contact this candidate