PHILADELPHIA GAS WORKS Information Security Assessment and Testing Services RFP#30198 Questions & Answers December 4, 2015

Transcription

1 QUESTIONS ANSWERS Q1 What is the goal of testing? A1 We engage in this type of testing to promote our own best practices and ensure our security posture is as it should be. Q2 No of active IP s (internal): A2 To be updated Q3 Number of servers: A3 To be updated Q4 Type of Operating Systems deployed on servers? A4 Due to security concerns, PGW will not provide this Q5 Number of network devices (est.): A5 Due to security concerns, PGW will not provide this Q6 Is internal penetration/vulnerability testing to be white box A6 It will be a combination of white box and black box testing. (fully informed, regular User), or black box (visitor no rights, etc.), or a combination? Q7 Number of desktops/laptops A7 No more than 1000 desktops/laptops. o How many images/builds? No more than 5 images. Q8 Q9 What Operating System is deployed on the laptops that will be assessed? Is an IDS/IPS device in place on the network? If so, type and IP? A8 A9 Due to security concerns, PGW will not provide this Due to security concerns, PGW will not provide this Page 1 of 19

2 Q10 Configuration Reviews or Scope Honing for Penetration Testing: Detailed Internal Information can be helpful in honing the scope of an internal assessment. Are their standard images for system types? If so, how many? Hosts/Servers? Configuration Audit Total Number of Servers: [x] A10 Refer to A7 Q11 Q12 Windows Number of servers: Percentage of servers to be tested: Number of workstations: Percentage of workstations to be tested: Number of domain controllers: [x] [x] [x] [x] [x] For the external network, how big are the network segments and about how many active IP addresses are there? For the internal network, including servers, databases, desktops, networking devices and the VoIP system, how large is PGW s network segments and about how many active IP addresses are there? A11 A12 One segment Refer to A2 Page 2 of 19

3 Q13 How many web applications are in scope for the assessment? For each web application, please provided the following: a. Is it remotely accessible? b. How many different user roles exist? c. About how many different / unique pages exist within the application? A13 3 Web applications. a. All are remotely accessible. b. 1 to 2 user roles for each application c. Not exceeding 30 pages for each application Q14 For the physical security vulnerabilities, now many locations A14 5 locations will be included in the scope of the assessment? Approximately how big is each location? Q15 Approximately how many sites are including that have Wi-Fi A15 One floor in one building that would be included in the assessment? Q16 Is social engineering (i.e. phishing, phone calls, in person, A16 In person only. NO Phishing and NO phone calls. etc.) considered in-scope for this assessment? Q17 Please provide the total number of external systems that are A17 Refer to A11 in scope Q18 Please provide the total number of internal systems that are in A18 Refer to A2 scope Q19 Please provide the total number of physical locations A19 Refer to A14 Q20 Identify security vulnerabilities in servers, databases, desktops and network devices utilized by PGW s corporate networks, which includes a VoIP system. A20 SCADA is out of scope. Due to security concerns, PGW will not provide the rest of information and post it on the website at this time. It may be Page 3 of 19

4 Q21 Q: Is the SCADA network managed and isolated from your business IP network? Q: What Cloud Services are engaged by PGW? ERP s, CRM s SaaS, PaaS et al) Q: What is the VOIP system used? (Broadsoft et al) Q: Do you have Network Managed Services? Q: What type of Security Products i.e., Tripwire, OADM, IDS, RSA, are currently in use in the Environment? Q: What are your OS Environments? Linux, MS Windows, Mainframe. Exploit these vulnerabilities to gain access to PGW s computing environment and get as far as possible toward attaining Root or Domain Administrator access privileges. Q: What is the Geographic dispersion that it s on scope? Intra or Inter State. Q: What are the security Regulatory requirements (State and Federal for your industry DHS) (Industry NIST, et al) Q: PEN TEST: After the initial External and Internal PEN tests and reports do you want the remediation to be performed in item 8 and the re-test to only target testing of remediated issues or do you want a full scope retest to ensure capture of any added changes since the initial to capture and dynamic changes that may have been made in the interim time frame? A21 Intra-state. All the locations are within city limits- 35 miles. PGW is not under the direct guidance of any security regulation legislation. Remediation is optional. If needed, only retest the remediated issues. Page 4 of 19

5 Q22 Q23 Q24 Demonstrate the attainment of elevated privileges and ability to export potentially sensitive data. Q: When it comes to physical security, Do you have documented Break-Glass procedures? Q: Is your current Identity and access management framework documented and available? Q: Is your current HR formal onboard and off-board documented and available? Q: How many end users? Q: Do you have a self-serve Password management system? Identify security vulnerabilities in PGW s web applications. Q: is there a documented and available Web architecture? Q: Is Web application development Mobile outsourced? Identify physical security vulnerabilities by attempting access to computing hardware and sensitive information using social engineering techniques. A22 Due to security concerns, PGW will not provide that A23 No N/A A24 Refer to A14 Q25 Q: What is the number of Business offices (How many locations in scope?) Q: Is your Data center a co-location? If so Please provide an approximate number for each of the following device types used by PGW and are considered in A25 Refer to A3, A5 and A7 Page 5 of 19

6 scope for this project. Physical Servers Virtual Servers Desk top devices Mobile devices Wireless access points Number of VoIP devices Firewalls Routers Switches Q26 What types of mobile devices are used by PGW? A26 N/A Q27 How many network user accounts do you have? A27 Due to security concerns, PGW will not provide this Q28 How many web applications are considered in scope for this A28 Refer to A13 project? Q29 The RFP states: Proposer would be expected to test physical security controls at PGW s main campus, gas plants, outlying stations and District Offices. A29 Refer to A14 Please describe the buildings that make up the PGW main campus? Page 6 of 19

7 How many gas plants are considered in scope of this project? How many outlying stations are considered in scope of this project? How many District Offices are considered in scope of this project? Q30 Does PGW want an automated tool approach or a manual A30 A combination of both technique approach for the penetration testing? Q31 Does PGW want an automated tool review of the web A31 No. Refer to A13 applications? How many applications are here? Q32 How many functional pages does each application have? A32 Refer to A13 Q33 Q34 How does PGW want the physical penetration test conducted? What locations if any are off-limits? Will the CVSS base score meet PGW s requirements for an assessment of the level of risk for each vulnerability? Or are you looking for comprehensive risk scoring based on the CVSS score (vulnerability), threats, and in-place/effective controls? A33 Refer to A16. Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be A34 No specific requirement of the type of risk scoring Page 7 of 19

8 Q35 Q36 Q37 How many servers, databases, desktops, network devices are internal for testing? How many Gas Plants to visit and test, outlying stations, and district offices to visit and test? VOIP - system vendor? Is the VOIP system segmented from the main network? Q38 How does PGW evaluate current control practices? A38 N/A A35 A36 A37 Refer to A3, A5 and A7 Refer to A14 Due to security concerns, PGW will not provide this Q39 Under the risk assessment section, does PGW perform a risk A39 Refer to A34 assessment for each vulnerability discovered? Also what rating system PGW has used in the past to establish the level of risk? Q40 What is PGW s estimated budget for the project? A40 We decline to provide that information now. Q41 What does your external gateway consist of? Please provide details. A41 Due to security concerns, PGW will not provide this provided to the successful proposer Q42 Will SCADA be included or excluded in this assessment? A42 SCADA will be excluded in this assessment. Q43 Q44 For the mobile wireless access controls do you want the focus on cell phones also, or simply wireless? Testing physical security controls. Do you want people to obtain interior access beyond the initial physical entry point (that is, into restricted computer rooms, etc.) or simply A43 A44 Wireless only Due to security concerns, PGW will not provide this information and post it on the website at this time. It will be provided to the successful proposer Page 8 of 19

9 attempt to access building facilities? Q45 In the social engineering techniques item (Item 2.2, Number 5) do you want social engineering contained to the physical access component of the assessment, or do you also want a phishing test? A45 Social engineering is contained to physical test only. Refer to A16 Q46 Do you want to determine at what level your incident detection system detects our activity? In this case this would mean that our activities would start stealthy and become noisier to understand at which point activities are detected. Would blocks be initiated by PGW if detected? A46 The vendor would be expected to provide the IP addresses they are using for testing so that PGW can monitor the activities. Blocks will not be initiated. Q47 Should we assume that no internal security assessment is desired, other than the physical and wireless tasks? A47 Please refer to page 35 of RFP about Malicious Insider Phase. Q48 Are there any compliance requirements driving this project? A48 Refer to A21 Q50 For the external vulnerability and penetration test How many active IP addresses are in scope? A50 Refer to A11 Q51 How many data centers are there? A51 Due to security concerns, PGW will not provide this provided to the successful proposer Page 9 of 19

10 Q52 How many physical locations are there? How many A52 Refer to A14 locations have wireless access points? Q53 What other wireless services besides WiFi are used by A53 None PGW? Please describe. Are they in scope? Q54 Are all Security Procedures and Policies centrally managed? A54 Yes Q55 How many individuals will need to be interviewed in order to A55 No interview is needed. collect relevant Policy and Procedure Information? Q56 RFP identifies ISO and NIST as a policy reference model. Is A56 No PGW sensitive to PCI and/or NERC control requirements? Q57 Will you provide address ranges? A57 Yes Q58 If not would you like a Black Hat Test sequence executed? A58 N/A Q59 What are the Number of IP's/Servers owned / in scope? A59 Refer to A2, A3 and A7 Q60 What are the Number of IP s/servers managed by another party? A60 Due to security concerns, PGW will not provide this provided to the successful proposer Q61 What is the Number of separate DMZs? A61 Due to security concerns, PGW will not provide this provided to the successful proposer Q62 What are the Number of IP's active within the scope? A62 Refer to A2 Q63 What Number of Web Applications and description (approx A63 Refer to A13 Page 10 of 19

11 # of pages, components)? Q64 Is there a Mobile Device Management Solution in A64 N/A place? How many PDAs? Etc are in scope? Q65 Are there any Modems in scope? A65 No Q66 Are SCADA, Plant Controls, RTUs in scope? Please A66 No describe the environment including number and type of devices and locations. Q67 How many external WIFI environments exist? How many A67 Refer to A15 Wireless Access Points are deployed? Q68 What is Number of IP's owned. How many subnets? A68 Due to security concerns, PGW will not provide this provided to the successful proposer Q69 What is the Number of Servers, Desktops A69 Refer to A3 and A7 Q70 How many VOIP/IPT Call Manager Servers are in place? Which vendor is used? A70 Due to security concerns, PGW will not provide this provided to the successful proposer Q71 Is the Call Center IP enabled? A71 Due to security concerns, PGW will not provide this provided to the successful proposer Q72 Are Wireless IP phones utilized? A72 No Q73 What are the Number of IP's active A73 Refer to A2, A3 and A7 Page 11 of 19

12 Q74 Wireless Testing: A74 Q75 What are the # SSID's. WAPs & physical location (s) A75 Due to security concerns, PGW will not provide this provided to the successful proposer Q76 Social Engineering: A76 Q77 What is the # of phishing targets? A77 NO phishing test is required. Q78 How many locations will require a physical security check? A78 5 locations Q79 Q80 Q81 Contract term is 1 year. How many optional additional test sequences are anticipated after delivery of initial findings and recommendations report? We are assuming that our questions and all questions asked by competing vendors will be shared with all vendors or clarity of scope for the RFP. Is this assumption correct? **2 - From the statement of requirements for the RFP, elements of Vulnerability Assessment Services, Penetration Test Services and Application Assessment Services are being requested. Is this the intent of PGW, or are you asking vendors to specifically focus on the Penetration Test Services? Will there be an opportunity in the telephone conference to further clarify intent? A79 A80 Refer to part 3 of A21 Yes A81 Vulnerability Assessment Services, Penetration Test Services and Application Assessment Services are requested. The vendor is expected to focus on all the three services. Refer to 2.2 section of RFP (page 6). Yes Q82 Is there a target completion date for the services provided or A82 We expect the testing to start in 2016 as soon as the contract is Page 12 of 19

13 Q83 is this an item to be determined after contract is awarded? Will presentations to PGW be at PGW premises? Will there be any time limit to presentations? A83 signed. No specific end date. Based on past experience, the actual test should be finished within weeks. Onsite presentations are not mandatory. The presentation should not exceed an hour. Q84 Given question 2 above, there is a potential for scope changes within the life of the contract? Is there a change order process at PGW that vendors will be expected to follow, or should we provide our standard change order process? A84 Yes, there is a potential for scope change. We can follow vendor s change order process. Q85 Depending on your response to question number **2 above, we have the following questions by service line that will enable us to properly answer your RFP. A85 Refer to A2, A3, A7 and A11. NO Social Engineering via and phone. Q86 External Penetration Test: Number of Internet-facing IPs (how many total IP addresses do you have allocated on the Internet)? Number of Internet-facing IPs in use (how many IP addresses have services listening on the Internet)? Would you like the test to include social engineering ( /Phone)? Internal Penetration testing? Are all internal systems logically accessible from a single A86 Yes N/A Page 13 of 19

14 Q87 Q88 location? If not, how many locations would need to be visited? Would you like the test to include social engineering (physical)? How many physical locations (buildings, campuses, etc.) will be tested? General Questions: What operating system platforms are in use (e.g., Windows, Linux, Netware)? Approximate number of servers and workstations? (please map numbers to platforms above) Approximate number of network devices (please map count to device type: routers, firewalls, switches, wireless APs/controllers, etc.)? What vendor is your network hardware from (e.g., routers, firewalls, switches)? How many total locations make up the organization? How many have server/storage infrastructure? Are all internal systems logically accessible from a single location? If not, how many locations would need to be visited? Application Assessment Questions How many applications in scope for the assessment? How many User Roles are in the application(s)? Yes Refer to A14 A87 Refer to A2, A3, A7, A11, A14, and A86. Due to security concerns, PGW will not provide the rest of A88 Refer A13 Page 14 of 19

15 Q89 Q90 Organizational Security Are you interested in a social engineering exercise? (Y/N) Do you have documented policies and procedures? (Y/N) Are you interested in a policies, procedures and practices assessment? (Y/N) Are you interested in policies and procedures templates? (Y/N) Are you interested in a Data Loss Prevention assessment? (Y/N) Are you interested in a top-down, strategic risk assessment? (Y/N) Platform Specific Security Assessment Questions Are you interested in in-depth, platform-specific security assessments? (Y/N - If yes, please answer the questions below) Number of in-scope infrastructure devices (routers and firewalls) across all locations: Number of in-scope Microsoft servers: Number of in-scope Active Directory domains: Number of in-scope virtual host servers: A89 A90 Please refer to section 2.2 in RFP for scope of this project. Yes Due to security concerns, PGW will not provide the remaining Q91 For web application vulnerabilities, is the proposer expected to identify vulnerabilities only or identify and exploit? A91 We expect testers to exploit the identified vulnerabilities. Page 15 of 19

16 Q92 Will the web application pen testing be performed on a A92 Production production network or test network? Q93 The RFP mentions mobile wireless access controls. Was A93 Wi-Fi only the intent to specify x (WiFi) type devices or specifically tablet and smart phone access? If tablet and smart phone access, which mobile operating systems are in scope (e.g. ios, Android, etc.) Q94 When was last like assessment done/completed and by who? A94 The last assessment was done in Q95 Does vendor need certificate of good standing from State or A95 No City prior to award? Q96 Are any systems or devices in scope hosted by a third party? A96 Due to security concerns, PGW will not provide the remaining Q97 If IDS/IDP systems are in place, is the assessment also A97 No exceptions will be created. intended to test the responsiveness during this assessment? Or, will AT&T Consulting systems be configured as exceptions in the IDS/IPS? Q98 Are brute-force attacks and password cracking in scope A98 Yes Q99 Are there any timing restrictions on the testing? A99 No Q100 Where will testing be performed? A100 In our headquarters. Q101 For the Database Vulnerability Assessment and Penetration assessments, how many databases need to be A101 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the Page 16 of 19

17 reviewed? (each instance counts as a separate database) Q102 What is the name of the database (e.g., MS SQL 2005, Oracle 9i, etc.) Q103 What OS does this database run on? (e.g., Windows Server 2008, Windows XP, AIX, etc.) A102 A103 successful proposer. Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer. Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer. Q104 What is the business significance of this database? A104 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer. Q105 Will you be able to provide a read-only account (capable of A105 No reading all the security information on the database) to the vendor? This account will only be used for collecting security configuration information and will not be used for accessing the data contents. Q106 Is this area high density with other organizations, or more or A106 No less dedicated to one organization? For example, a deployment in a skyscraper may interact with many other companies. Q107 What types of traffic are traversing the Wireless LAN? A107 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer. Q108 Who will be aware of the testing? A108 Network and Security team Page 17 of 19

18 Q109 Q110 For the Application Vulnerability Assessment and Penetration Assessment, what are the applications name? What is the primary function of each application that will be included in the Application Vulnerability Assessment? A109 A110 Q111 What is the type of application (web, Thick-client, etc)? A111 Web Q112 Approximately how many pages/screens accept user input? A112 No more than 30 screens Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer. Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer. Q113 What is the network transport utilized? (Raw TCP/SSL)? A113 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer. Q114 Considering the upcoming Holiday would PGW consider A114 Yes extending the proposal due date to January 8, Q115 What is the anticipated number of personnel needed? A115 No preference Q116 Is offshore allowed? A116 No Q117 Q118 Will PGW be providing their own tools to scan the environment or will the vendor be required to provide these tools? Does PGW require the vendor to test the scripts in a lab environment before testing in the live environment? If so, A117 A118 Vendor will be required to provide tools. Vendor is not required to test the scripts in a lab environment. Page 18 of 19

19 Q119 Q120 will the test environment be provided by PGW? Are there multiple/redundant environment in place that need to be tested simultaneously? Will the tests be conducted on the PGW production or the test or the development environment? A119 A120 No Combination of all Page 19 of 19