PHILADELPHIA GAS WORKS Information Security Assessment and Testing Services RFP#30198 Questions & Answers December 4, 2015
QUESTIONS AND ANSWERS

Q1 What is the goal of testing?
A1 We engage in this type of testing to promote our own best practices and ensure our security posture is as it should be.

Q2 No. of active IP's (internal):
A2 To be updated

Q3 Number of servers:
A3 To be updated

Q4 Type of Operating Systems deployed on servers?
A4 Due to security concerns, PGW will not provide this

Q5 Number of network devices (est.):
A5 Due to security concerns, PGW will not provide this

Q6 Is internal penetration/vulnerability testing to be white box (fully informed, regular User), or black box (visitor no rights, etc.), or a combination?
A6 It will be a combination of white box and black box testing.

Q7 Number of desktops/laptops
   o How many images/builds?
A7 No more than 1000 desktops/laptops. No more than 5 images.

Q8 What Operating System is deployed on the laptops that will be assessed?
A8 Due to security concerns, PGW will not provide this

Q9 Is an IDS/IPS device in place on the network? If so, type and IP?
A9 Due to security concerns, PGW will not provide this

Page 1 of 19

Q10 Configuration Reviews or Scope Honing for Penetration Testing: Detailed Internal Information can be helpful in honing the scope of an internal assessment. Are there standard images for system types? If so, how many? Hosts/Servers?
    Configuration Audit
    Total Number of Servers: [x]
    Windows
    Number of servers: [x]
    Percentage of servers to be tested: [x]
    Number of workstations: [x]
    Percentage of workstations to be tested: [x]
    Number of domain controllers: [x]
A10 Refer to A7

Q11 For the external network, how big are the network segments and about how many active IP addresses are there?
A11 One segment

Q12 For the internal network, including servers, databases, desktops, networking devices and the VoIP system, how large are PGW's network segments and about how many active IP addresses are there?
A12 Refer to A2

Q13 How many web applications are in scope for the assessment? For each web application, please provide the following:
    a. Is it remotely accessible?
    b. How many different user roles exist?
    c. About how many different / unique pages exist within the application?
A13 3 Web applications.
    a. All are remotely accessible.
    b. 1 to 2 user roles for each application
    c. Not exceeding 30 pages for each application

Q14 For the physical security vulnerabilities, how many locations will be included in the scope of the assessment? Approximately how big is each location?
A14 5 locations

Q15 Approximately how many sites are included that have Wi-Fi that would be included in the assessment?
A15 One floor in one building

Q16 Is social engineering (i.e. phishing, phone calls, in person, etc.) considered in-scope for this assessment?
A16 In person only. NO Phishing and NO phone calls.

Q17 Please provide the total number of external systems that are in scope
A17 Refer to A11

Q18 Please provide the total number of internal systems that are in scope
A18 Refer to A2

Q19 Please provide the total number of physical locations
A19 Refer to A14

Q20 Identify security vulnerabilities in servers, databases, desktops and network devices utilized by PGW's corporate networks, which includes a VoIP system.
    Q: Is the SCADA network managed and isolated from your business IP network?
    Q: What Cloud Services are engaged by PGW? (ERP's, CRM's, SaaS, PaaS et al)
    Q: What is the VOIP system used? (Broadsoft et al)
    Q: Do you have Network Managed Services?
    Q: What type of Security Products, i.e., Tripwire, OADM, IDS, RSA, are currently in use in the Environment?
    Q: What are your OS Environments? Linux, MS Windows, Mainframe.
A20 SCADA is out of scope. Due to security concerns, PGW will not provide the rest of information and post it on the website at this time. It may be

Q21 Exploit these vulnerabilities to gain access to PGW's computing environment and get as far as possible toward attaining Root or Domain Administrator access privileges.
    Q: What is the Geographic dispersion that is in scope? Intra or Inter State.
    Q: What are the security Regulatory requirements (State and Federal for your industry, DHS) (Industry, NIST, et al)?
    Q: PEN TEST: After the initial External and Internal PEN tests and reports, do you want the remediation to be performed in item 8 and the re-test to only target testing of remediated issues, or do you want a full scope retest to ensure capture of any added changes since the initial test and capture any dynamic changes that may have been made in the interim time frame?
A21 Intra-state. All the locations are within city limits - 35 miles. PGW is not under the direct guidance of any security regulation legislation. Remediation is optional. If needed, only retest the remediated issues.

Q22 Demonstrate the attainment of elevated privileges and ability to export potentially sensitive data.
    Q: When it comes to physical security, do you have documented Break-Glass procedures?
    Q: Is your current Identity and access management framework documented and available?
    Q: Is your current HR formal onboard and off-board documented and available?
    Q: How many end users?
    Q: Do you have a self-serve Password management system?
A22 Due to security concerns, PGW will not provide that

Q23 Identify security vulnerabilities in PGW's web applications.
    Q: Is there a documented and available Web architecture?
    Q: Is Web application development/Mobile outsourced?
A23 No. N/A.

Q24 Identify physical security vulnerabilities by attempting access to computing hardware and sensitive information using social engineering techniques.
A24 Refer to A14

Q25 Q: What is the number of Business offices (How many locations in scope?)
    Q: Is your Data center a co-location? If so, please provide an approximate number for each of the following device types used by PGW and are considered in scope for this project.
    Physical Servers
    Virtual Servers
    Desktop devices
    Mobile devices
    Wireless access points
    Number of VoIP devices
    Firewalls
    Routers
    Switches
A25 Refer to A3, A5 and A7

Q26 What types of mobile devices are used by PGW?
A26 N/A

Q27 How many network user accounts do you have?
A27 Due to security concerns, PGW will not provide this

Q28 How many web applications are considered in scope for this project?
A28 Refer to A13

Q29 The RFP states: Proposer would be expected to test physical security controls at PGW's main campus, gas plants, outlying stations and District Offices. Please describe the buildings that make up the PGW main campus. How many gas plants are considered in scope of this project? How many outlying stations are considered in scope of this project? How many District Offices are considered in scope of this project?
A29 Refer to A14

Q30 Does PGW want an automated tool approach or a manual technique approach for the penetration testing?
A30 A combination of both

Q31 Does PGW want an automated tool review of the web applications? How many applications are there?
A31 No. Refer to A13

Q32 How many functional pages does each application have?
A32 Refer to A13

Q33 How does PGW want the physical penetration test conducted? What locations, if any, are off-limits?
A33 Refer to A16. Due to security concerns, PGW will not provide this information and post it on the website at this time. It may be

Q34 Will the CVSS base score meet PGW's requirements for an assessment of the level of risk for each vulnerability? Or are you looking for comprehensive risk scoring based on the CVSS score (vulnerability), threats, and in-place/effective controls?
A34 No specific requirement of the type of risk scoring

Q35 How many servers, databases, desktops, network devices are internal for testing?
A35 Refer to A3, A5 and A7

Q36 How many Gas Plants to visit and test, outlying stations, and district offices to visit and test?
A36 Refer to A14

Q37 VOIP - system vendor? Is the VOIP system segmented from the main network?
A37 Due to security concerns, PGW will not provide this

Q38 How does PGW evaluate current control practices?
A38 N/A

Q39 Under the risk assessment section, does PGW perform a risk assessment for each vulnerability discovered? Also, what rating system has PGW used in the past to establish the level of risk?
A39 Refer to A34

Q40 What is PGW's estimated budget for the project?
A40 We decline to provide that information now.

Q41 What does your external gateway consist of? Please provide details.
A41 Due to security concerns, PGW will not provide this provided to the successful proposer

Q42 Will SCADA be included or excluded in this assessment?
A42 SCADA will be excluded in this assessment.

Q43 For the mobile wireless access controls, do you want the focus on cell phones also, or simply wireless?
A43 Wireless only

Q44 Testing physical security controls. Do you want people to obtain interior access beyond the initial physical entry point (that is, into restricted computer rooms, etc.) or simply attempt to access building facilities?
A44 Due to security concerns, PGW will not provide this information and post it on the website at this time. It will be provided to the successful proposer

Q45 In the social engineering techniques item (Item 2.2, Number 5) do you want social engineering contained to the physical access component of the assessment, or do you also want a phishing test?
A45 Social engineering is contained to physical test only. Refer to A16

Q46 Do you want to determine at what level your incident detection system detects our activity? In this case this would mean that our activities would start stealthy and become noisier to understand at which point activities are detected. Would blocks be initiated by PGW if detected?
A46 The vendor would be expected to provide the IP addresses they are using for testing so that PGW can monitor the activities. Blocks will not be initiated.

Q47 Should we assume that no internal security assessment is desired, other than the physical and wireless tasks?
A47 Please refer to page 35 of RFP about Malicious Insider Phase.

Q48 Are there any compliance requirements driving this project?
A48 Refer to A21

Q50 For the external vulnerability and penetration test, how many active IP addresses are in scope?
A50 Refer to A11

Q51 How many data centers are there?
A51 Due to security concerns, PGW will not provide this provided to the successful proposer

Q52 How many physical locations are there? How many locations have wireless access points?
A52 Refer to A14

Q53 What other wireless services besides WiFi are used by PGW? Please describe. Are they in scope?
A53 None

Q54 Are all Security Procedures and Policies centrally managed?
A54 Yes

Q55 How many individuals will need to be interviewed in order to collect relevant Policy and Procedure Information?
A55 No interview is needed.

Q56 RFP identifies ISO and NIST as a policy reference model. Is PGW sensitive to PCI and/or NERC control requirements?
A56 No

Q57 Will you provide address ranges?
A57 Yes

Q58 If not, would you like a Black Hat Test sequence executed?
A58 N/A

Q59 What are the Number of IP's/Servers owned / in scope?
A59 Refer to A2, A3 and A7

Q60 What are the Number of IP's/servers managed by another party?
A60 Due to security concerns, PGW will not provide this provided to the successful proposer

Q61 What is the Number of separate DMZs?
A61 Due to security concerns, PGW will not provide this provided to the successful proposer

Q62 What are the Number of IP's active within the scope?
A62 Refer to A2

Q63 What Number of Web Applications and description (approx. # of pages, components)?
A63 Refer to A13

Q64 Is there a Mobile Device Management Solution in place? How many PDAs, etc. are in scope?
A64 N/A

Q65 Are there any Modems in scope?
A65 No

Q66 Are SCADA, Plant Controls, RTUs in scope? Please describe the environment including number and type of devices and locations.
A66 No

Q67 How many external WIFI environments exist? How many Wireless Access Points are deployed?
A67 Refer to A15

Q68 What is the Number of IP's owned? How many subnets?
A68 Due to security concerns, PGW will not provide this provided to the successful proposer

Q69 What is the Number of Servers, Desktops?
A69 Refer to A3 and A7

Q70 How many VOIP/IPT Call Manager Servers are in place? Which vendor is used?
A70 Due to security concerns, PGW will not provide this provided to the successful proposer

Q71 Is the Call Center IP enabled?
A71 Due to security concerns, PGW will not provide this provided to the successful proposer

Q72 Are Wireless IP phones utilized?
A72 No

Q73 What are the Number of IP's active?
A73 Refer to A2, A3 and A7

Q74 Wireless Testing:
A74

Q75 What are the # SSID's, WAPs & physical location(s)?
A75 Due to security concerns, PGW will not provide this provided to the successful proposer

Q76 Social Engineering:
A76

Q77 What is the # of phishing targets?
A77 NO phishing test is required.

Q78 How many locations will require a physical security check?
A78 5 locations

Q79 Contract term is 1 year. How many optional additional test sequences are anticipated after delivery of initial findings and recommendations report?
A79 Refer to part 3 of A21

Q80 We are assuming that our questions and all questions asked by competing vendors will be shared with all vendors for clarity of scope for the RFP. Is this assumption correct?
A80 Yes

Q81 **2 - From the statement of requirements for the RFP, elements of Vulnerability Assessment Services, Penetration Test Services and Application Assessment Services are being requested. Is this the intent of PGW, or are you asking vendors to specifically focus on the Penetration Test Services? Will there be an opportunity in the telephone conference to further clarify intent?
A81 Vulnerability Assessment Services, Penetration Test Services and Application Assessment Services are requested. The vendor is expected to focus on all three services. Refer to section 2.2 of RFP (page 6). Yes

Q82 Is there a target completion date for the services provided, or is this an item to be determined after contract is awarded?
A82 We expect the testing to start in 2016 as soon as the contract is signed. No specific end date. Based on past experience, the actual test should be finished within weeks.

Q83 Will presentations to PGW be at PGW premises? Will there be any time limit to presentations?
A83 Onsite presentations are not mandatory. The presentation should not exceed an hour.

Q84 Given question 2 above, is there a potential for scope changes within the life of the contract? Is there a change order process at PGW that vendors will be expected to follow, or should we provide our standard change order process?
A84 Yes, there is a potential for scope change. We can follow vendor's change order process.

Q85 Depending on your response to question number **2 above, we have the following questions by service line that will enable us to properly answer your RFP.
A85 Refer to A2, A3, A7 and A11. NO Social Engineering via email and phone.

Q86 External Penetration Test:
    Number of Internet-facing IPs (how many total IP addresses do you have allocated on the Internet)?
    Number of Internet-facing IPs in use (how many IP addresses have services listening on the Internet)?
    Would you like the test to include social engineering (Email/Phone)?
    Internal Penetration testing?
    Are all internal systems logically accessible from a single location? If not, how many locations would need to be visited?
    Would you like the test to include social engineering (physical)?
    How many physical locations (buildings, campuses, etc.) will be tested?
A86 Yes. N/A. Yes. Refer to A14

Q87 General Questions:
    What operating system platforms are in use (e.g., Windows, Linux, Netware)?
    Approximate number of servers and workstations? (please map numbers to platforms above)
    Approximate number of network devices (please map count to device type: routers, firewalls, switches, wireless APs/controllers, etc.)?
    What vendor is your network hardware from (e.g., routers, firewalls, switches)?
    How many total locations make up the organization? How many have server/storage infrastructure?
    Are all internal systems logically accessible from a single location? If not, how many locations would need to be visited?
A87 Refer to A2, A3, A7, A11, A14, and A86. Due to security concerns, PGW will not provide the rest of

Q88 Application Assessment Questions:
    How many applications in scope for the assessment?
    How many User Roles are in the application(s)?
A88 Refer to A13

Q89 Organizational Security:
    Are you interested in a social engineering exercise? (Y/N)
    Do you have documented policies and procedures? (Y/N)
    Are you interested in a policies, procedures and practices assessment? (Y/N)
    Are you interested in policies and procedures templates? (Y/N)
    Are you interested in a Data Loss Prevention assessment? (Y/N)
    Are you interested in a top-down, strategic risk assessment? (Y/N)
A89 Please refer to section 2.2 in RFP for scope of this project.

Q90 Platform Specific Security Assessment Questions:
    Are you interested in in-depth, platform-specific security assessments? (Y/N - If yes, please answer the questions below)
    Number of in-scope infrastructure devices (routers and firewalls) across all locations:
    Number of in-scope Microsoft servers:
    Number of in-scope Active Directory domains:
    Number of in-scope virtual host servers:
A90 Yes. Due to security concerns, PGW will not provide the remaining

Q91 For web application vulnerabilities, is the proposer expected to identify vulnerabilities only or identify and exploit?
A91 We expect testers to exploit the identified vulnerabilities.

Q92 Will the web application pen testing be performed on a production network or test network?
A92 Production

Q93 The RFP mentions mobile wireless access controls. Was the intent to specify x (WiFi) type devices or specifically tablet and smart phone access? If tablet and smart phone access, which mobile operating systems are in scope (e.g. iOS, Android, etc.)?
A93 Wi-Fi only

Q94 When was the last like assessment done/completed and by whom?
A94 The last assessment was done in

Q95 Does vendor need certificate of good standing from State or City prior to award?
A95 No

Q96 Are any systems or devices in scope hosted by a third party?
A96 Due to security concerns, PGW will not provide the remaining

Q97 If IDS/IDP systems are in place, is the assessment also intended to test the responsiveness during this assessment? Or, will AT&T Consulting systems be configured as exceptions in the IDS/IPS?
A97 No exceptions will be created.

Q98 Are brute-force attacks and password cracking in scope?
A98 Yes

Q99 Are there any timing restrictions on the testing?
A99 No

Q100 Where will testing be performed?
A100 In our headquarters.

Q101 For the Database Vulnerability Assessment and Penetration assessments, how many databases need to be reviewed? (each instance counts as a separate database)
A101 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q102 What is the name of the database (e.g., MS SQL 2005, Oracle 9i, etc.)?
A102 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q103 What OS does this database run on? (e.g., Windows Server 2008, Windows XP, AIX, etc.)
A103 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q104 What is the business significance of this database?
A104 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q105 Will you be able to provide a read-only account (capable of reading all the security information on the database) to the vendor? This account will only be used for collecting security configuration information and will not be used for accessing the data contents.
A105 No

Q106 Is this area high density with other organizations, or more or less dedicated to one organization? For example, a deployment in a skyscraper may interact with many other companies.
A106 No

Q107 What types of traffic are traversing the Wireless LAN?
A107 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q108 Who will be aware of the testing?
A108 Network and Security team

Q109 For the Application Vulnerability Assessment and Penetration Assessment, what are the applications' names?
A109 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q110 What is the primary function of each application that will be included in the Application Vulnerability Assessment?
A110 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q111 What is the type of application (web, Thick-client, etc.)?
A111 Web

Q112 Approximately how many pages/screens accept user input?
A112 No more than 30 screens

Q113 What is the network transport utilized? (Raw TCP/SSL)?
A113 Due to security concerns, PGW will not provide the information and post it on the website at this time. It may be provided to the successful proposer.

Q114 Considering the upcoming Holiday, would PGW consider extending the proposal due date to January 8,
A114 Yes

Q115 What is the anticipated number of personnel needed?
A115 No preference

Q116 Is offshore allowed?
A116 No

Q117 Will PGW be providing their own tools to scan the environment or will the vendor be required to provide these tools?
A117 Vendor will be required to provide tools.

Q118 Does PGW require the vendor to test the scripts in a lab environment before testing in the live environment? If so, will the test environment be provided by PGW?
A118 Vendor is not required to test the scripts in a lab environment.

Q119 Are there multiple/redundant environments in place that need to be tested simultaneously?
A119 No

Q120 Will the tests be conducted on the PGW production or the test or the development environment?
A120 Combination of all
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationHow To Prevent Hacker Attacks With Network Behavior Analysis
E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal
More informationICT budget and staffing trends in the UK
ICT budget and staffing trends in the UK Enterprise ICT investment plans to 2013 January 2013 TABLE OF CONTENTS 1 Trends in ICT budgets... 1 1.1 Introduction... 1 1.2 Survey demographics... 1 1.3 IT budget
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationGUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT
GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology A comprehensive approach
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures Version 1.1 Release: September 2006 Table of Contents Purpose...1 Introduction...1 Scope of PCI Security Scanning...1 Scanning
More informationNational Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference...
NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area
More informationPenetration Testing. Presented by
Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing
More informationICT budget and staffing trends in Healthcare
ICT budget and staffing trends in Healthcare Enterprise ICT investment plans November 2013 ICT budget and staffing trends in Healthcare P a g e 1 www.kable.co.uk / The id Factor Ltd / + 44 (0) 207 936
More informationAnalyze. Secure. Defend. Do you hold ECSA credential?
1 Analyze. Secure. Defend. Do you hold ECSA credential? TM E C S A EC-Council Certified Security Analyst 1 EC-Council Cyber Security Professional Path Threat Agent Application of Methodology So You Can
More informationPCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
More informationInstructions for Completing the Information Technology Examination Officer s Questionnaire
Instructions for Completing the Information Technology Examination Officer s Questionnaire Please answer the following information security program questions as of the examination date pre-determined by
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0
Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview
More informationAPPENDIX C - PRICING INDEX DIR-SDD-2514 VERIZON BUSINESS NETWORK SERVICES, INC SERVICES
APPENDIX C - PRICING INDEX DIR-SDD-2514 VERIZON BUSINESS NETWORK SERVICES, INC SERVICES Application Vulnerability Scanning. A web-based application service hosted by Verizon Business to provide customers
More informationKASEYA CLOUD SOLUTION CATALOG 2016 Q1. UPDATED & EFFECTIVE AS OF: February 1, 2016. Kaseya Catalog - 1 - Kaseya Copyright 2016. All rights reserved.
KASEYA CLOUD SOLUTION CATALOG 2016 Q1 UPDATED & EFFECTIVE AS OF: February 1, 2016 Kaseya Catalog - 1 - Overview of the Kaseya Cloud Subscription Solutions The Kaseya Cloud solutions are designed to meet
More informationNetwork Test Labs (NTL) Software Testing Services for igaming
Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs
More informationInformation Technology 2016-2021 Strategic Plan
Information Technology 2016-2021 Strategic Plan Draft Table of Contents Table of Contents... 3 Introduction... 4 Mission of IT... 4 Primary Service Delivery Objectives... 4 Availability of Systems...
More informationInnovative Defense Strategies for Securing SCADA & Control Systems
1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: info@plantdata.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet
More informationPayment Card Industry Self-Assessment Questionnaire
How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationTHE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationPCI DSS v3.0 Vulnerability & Penetration Testing
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
More informationSecurity Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those
More informationLumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation
Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation Version 7.0 SP1 Evaluation Guide September 2010 Version 2.4 Copyright 2010, Lumension, Inc. Table of Contents Lumension Endpoint
More informationSecurity Testing in Critical Systems
Security Testing in Critical Systems An Ethical Hacker s View Peter Wood Chief Executive Officer First Base Technologies Who is Peter Wood? Worked in computers & electronics since 1969 Founded First Base
More informationChecklist for Vulnerability Assessment
Checklist for Vulnerability Assessment Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on
More informationCase Study: Security Implementation for a Non-Profit Hospital
Case Study: Security Implementation for a Non-Profit Hospital The Story Security Challenges and Analysis The Case The Clone Solution The Results The Story About the hospital A private, not-for-profit hospital
More informationITEC441- IS Security. Chapter 15 Performing a Penetration Test
1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and
More informationPCI-DSS Penetration Testing
PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationLessons from the DHS Cyber Test Bed Project
Lessons from the DHS Cyber Test Bed Project Theresa Payton President/CEO Fortalice, LLC Presented by: Kemal O. Piskin Senior Cyber Security Engineer Applied Research Associates, Inc. What We ll Discuss
More informationVESZPROG ANTI-MALWARE TEST BATTERY
VESZPROG ANTI-MALWARE TEST BATTERY 2012 The number of threats increased in large measure in the last few years. A set of unique anti-malware testing procedures have been developed under the aegis of CheckVir
More informationVirtualization and Cloud Computing
Virtualization and Cloud Computing Security is a Process, not a Product Guillermo Macias CIP Security Auditor, Sr. Virtualization Purpose of Presentation: To inform entities about the importance of assessing
More informationHP Security Assessment Services
HP Security Assessment Services HP Data Center Services Technical data Your corporate information and intellectual property are important assets that you want to protect from unauthorized users. Developing
More informationAlcatel-Lucent Services
SOLUTION DESCRIPTION Alcatel-Lucent Services Security Introduction Security is a sophisticated business and technical challenge, and it plays an important role in the success of any network, service or
More informationHackers are here. Where are you?
1 2 What is EC-Council Certified Security Analyst Licensed Penetration Tester Program You are an ethical hacker. Your last name is Pwned. You dream about enumeration and you can scan networks in your sleep.
More informationHow To Manage Your Information Systems At Aerosoft.Com
Your information systems are at the heart of your businesses daily operation. System down time costs businesses a significant amount of money each year. Most problems that cause down time can be prevented
More informationTake Control of Identities & Data Loss. Vipul Kumra
Take Control of Identities & Data Loss Vipul Kumra Security Risks - Results Whom you should fear the most when it comes to securing your environment? 4. 3. 2. 1. Hackers / script kiddies Insiders Ex-employees
More informationKlickstart Business Solutions & Services
About us With an Engineering background & vast experience spanning across two decades with an expertise in Technology Marketing, Branding, Business development & Sales we set out to create a platform every
More informationModule 5 Introduction to Processes and Controls
IT Terminology 1. General IT Environment The general IT environment is the umbrella over the following IT processes: 1. Operating Systems 2. Physical and Logical Security 3. Program Changes 4. System Development
More informationThe Importance of Cybersecurity Monitoring for Utilities
The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive
More informationIs your business prepared for Cyber Risks in 2016
Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers
More informationWhen a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.
Ethical Hacking and Countermeasures Course Description: This class will immerse the student into an interactive environment where they will be shown how to scan, test, hack and secure their own systems.
More informationInformation Technology Cluster
Network Systems Pathway Information Technology Cluster Assistant Network Technician -- This major prepares students to install, configure, operate, and connections to remote sites in a wide area network
More information11th AMC Conference on Securely Connecting Communities for Improved Health
11th AMC Conference on Securely Connecting Communities for Improved Health Information Security Testing How Do AMCs Ensure Your Networks are Secure June 22, 2015 Ray Hillen, Dennis Schmidt, Adam Bennett
More informationSECURITY TRENDS & VULNERABILITIES REVIEW 2015
SECURITY TRENDS & VULNERABILITIES REVIEW 2015 Contents 1. Introduction...3 2. Executive summary...4 3. Inputs...6 4. Statistics as of 2014. Comparative study of results obtained in 2013...7 4.1. Overall
More informationAdministrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation
The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationAPPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW
EHIBIT H to Amendment No. 60 APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 Table of Contents 1.0 Security Services Overview
More informationResponse to Queries Received for RFP of Security Integrator - Tender No. 63
Sr.N RFP Clause Original Query Reply/Remark o. 1. Perform Incident Management with respect to the following: For Forensic Analysis of logs Please clarify the systems/devices Contain attacks through for
More informationCHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC
: INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations
More information7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008
U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October
More informationWindows Least Privilege Management and Beyond
CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has
More informationPenetration testing & Ethical Hacking. Security Week 2014
Penetration testing & Ethical Hacking Security Week 2014 Agenda Penetration Testing Vulnerability Scanning Social engineering Security Services offered by Endava 2 3 Who I am Catanoi Maxim Information
More information