Department of Management Services. Request for Information

Transcription

1 Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley DynTek Services, Inc Wednesday St., Suite 600 Tallahassee, FL Phone: (850) Fax: (850)

2 Contents INTRODUCTION... 3 BACKGROUND... 3 CONTACT INFORMATION... 4 RESPONSE TO SECTION IV... 4 Pre-Incident Services... 5 A) Incident Response Agreements... 5 B) Assessments... 5 Standards Based Information Risk Assessments... 5 Cyber Security Testing... 7 C) Preparation... 8 Consulting on Information Assurance Issues... 8 D) Developing Cyber-Security Incident Response Plans... 9 E) Training Information Security Training Post-Incident Services A) Breach Services Toll-free Hotline B) Investigate/Clean-up C) Incident Response Cyber Incident Response D) Mitigation Plans E) Identity Monitoring, Protection, and Restoration DynTek Services, Inc. 2

3 INTRODUCTION With over 20 years of experience, DynTek Services, Inc. (DynTek) is a premier provider of technology and management solutions to commercial firms, state government and local government sectors. Our comprehensive security solutions incorporate our full range of services. DynTek plans and implements strategic projects and creates and maintains systems for a wide range of platforms and architectures. DynTek has a history of providing the vertical markets of Financial, Healthcare, Manufacturing and government agencies with technology-based tools and solutions to secure their systems from internal and external security threats. BACKGROUND DynTek s assessment process is based upon industry standard methodologies and best practices, as well as years of actual application assessment experience. The result is a highly structured methodology and assessment process that can be uniformly deployed across all organizations. An effective information security program is based on people, processes, and technology. It is our belief that simply throwing money at technology does not guarantee a sound security program. For that reason, successful information security programs require the thoughtful integration of people and processes into a sound technical architecture. The trilogy of people, process, and technology is ingrained in our people and in the solutions or work-products that we deliver. DynTek has been a vendor for State and Local customers in Florida and maintained a local office since Our office is located at: DynTek Services, Inc Wednesday Street, Suite 600 Tallahassee, FL Phone: Fax: Tax ID: DynTek maintains Federal GSA Schedule #GS-35F-0025N. DynTek also maintains state contracts in Florida, California, Nevada, New Jersey, and New York. Please visit our website at to view all government contracts. DynTek Services, Inc. 3

4 CONTACT INFORMATION Carlos Henley DynTek Services, Inc. Senior Account Manager Phone: (850) RESPONSE TO SECTION IV DynTek is able to provide: EXPERTISE Understanding Cyberspace and Cybersecurity Identifying and investigating contemporary threats involving cyberspace Anticipating the convergence of cybersecurity and the physical world Articulating risk issues related to cyberspace and cybersecurity Crafting custom solutions to the challenges of cyberspace and cybersecurity DynTek delivers: Preventative Solutions Standards Based Information Risk Assessments Cyber Security Testing Information Security Training Detective Solutions Cybersecurity Analytics & Alerting Technical Surveillance Countermeasures Business Forensics Corrective Solutions Consulting on Information Assurance Issues Cyber Incident Response IT Audit Advocacy Cybersecurity Consulting Services Consulting On Cyber & Physical Risk Management Issues Assessing People and Business Security Risk Communications Security, Systems Security Testing Operations Security, Wireless Network Assessments Risk Assessments, Third Party, Vendor DynTek Services, Inc. 4

5 Physical and Environmental Security Supply Chain Security Consulting Strategic Security Planning & Facilitation Pre-Incident Services A) Incident Response Agreements Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident. DynTek can provide for a number of terms and conditions to be in place prior to any cybersecurity event including an initial retainer Incident Response Activities On-Demand and for organizing activities necessary to prepare in advance for management and handling of incident response requires the consideration of a lifecycle approach composed of serial phases (Preparation, Identification, Containment, Eradication, Recovery, and Follow-Up) and of ongoing parallel activities (Analysis, Communication, and Documentation). Establishing a bank of hours or a retainer relative to pre-planning services in the event of a significant incident that required information/cyber security resources and expertise to augment the State of Florida from an incident response plan should incorporate an initial determination of the target organizations Information Security Incident Response Capability, Dependencies within the Organization and an Incident Response Team Structure to include the designation of an Incident Response Point of Contact and Emergency Communications Protocol. B) Assessments Evaluate a State Agency s current state of information security and cyber-security incident response capability. Evaluation of the agencies current state and capability to respond to cyber-security incident is one of the core tenants of DynTek s offerings and capabilities. Below are some samples of what we examine and the depth of what can be examined. This evaluation is one of the more important elements of the development of a security program. The Information Risk Assessment is directly related to the client s needs and information security program. Information Risk Assessments set the stage for establishing the Information Technology Big Picture. Our Information Risk Assessment process is built around an ISO 17799/27001 based framework, and controls are customized according to business needs (Health Insurance Portability and Accountability Act of 1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Financial Services - FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL (FFIEC) & Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation s (NERC) CRITICAL INFRASTRUCTURE PROTECTION (CIP), or the Payment DynTek Services, Inc. 5

6 Card Industry Data Security Standard (PCI DSS). Our inquiry will include every aspect of your organization: People, Process, and Technology.. TYPES OF ASSESSMENTS PURPOSE/TYPE PROCESS DESCRIPTION INFORMATION RISK ASSESSMENT for PROGRAM DEVELOPMENT Information Risk Assessment consisting of 11 Information Security Management Controls and 132 subcomponents INFORMATION RISK GAP ANALYSIS (Existing Cybersecurity Program) Information Risk Gap Analysis consisting of 11 Information Security Management Controls and 42 sub-components INFORMATION RISK DOCUMENT REVIEW Analysis of client completed DynTek Information Risk Questionnaire and requested supplemental documents provided by client DynTek Services, Inc. 6

7 Cyber Security Testing DynTek Cyber Security Testing is a hands on effort in which Test Operators attempt to circumvent security features of a system or network based on their understanding of the technical design and implementation. The purpose of a penetration test is to identify methods for gaining access to a system or network by using common attacker tools and techniques. Accordingly, in order to conduct a penetration test, the operator must first conduct a vulnerability assessment in order to determine exploitable targets. *Pricing will vary dependent on size of target environment and the persistence requested for penetration testing (time to break). Consequently, we often scope and price testing engagements on a flat rate per day once we are able to gauge the size of the target environment. EXTERNAL NETWORK ASSESSMENT Targets: Internet facing systems and devices Attack Parameters: May include both automated and manual attacks; Will usually NOT include exploitation of any identified vulnerabilities; Password cracking usually in the scope Restrictions: Attack(s) usually limited to non-business hours Time to Complete: Dependent on target size according to Internet Protocol (IP) addresses INTERNAL NETWORK ASSESSMENT Targets: Internal network devices, not limited to domain controllers, infrastructure services (WINS/DHCP/DNS), servers, workstations, printers and network devices Optional: Configuration review of the firewall and internal Attack Parameters: Unobtrusive system vulnerability scans may occur during business hours; Caution: potential for interruption of critical business systems Restrictions: Internal network assessment will be conducted on-site Will not include mainframe systems May include both automated and manual attacks; but will not usually include exploitation of any identified vulnerabilities; password cracking is usually in the scope Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses WIRELESS ASSESSMENT Targets: Organization -Campus -Specific Building -or Facility Attack Parameters: May occur during business hours for unobtrusive scans DynTek Services, Inc. 7

8 Rogue wireless device detection; penetration testing, password cracking usually in the scope Restrictions: Wireless security risk assessment usually limited to technologies Time to Complete: Dependent on target size according to internal Internet Protocol (IP) addresses SOCIAL ENGINEERING Attempt to bypass security controls in order to gain access to sensitive areas or information Targets: Individual - Organization Campus - Specific Building - or Facility Attack Parameters: May include physical access, telephone, and /phishing Restrictions: Attack may be performed any time Time to Complete: Dependent on target size and client needs APPLICATION PEN TEST Targets: Web-based production application, Internet facing IP address Attack Parameters: May include both automated and manual attacks May include attempts to gain access through social engineering Restrictions: Will usually not include exploitation of any identified vulnerabilities Password cracking is usually in the scope Will not include a code review SOURCE CODE SECURITY REVIEW The goal of an application source code security review is to recognize software vulnerabilities that might be exploited if access were gained. C) Preparation Provide guidance on requirements and best practices. In addition to the content described in the response above, DynTek can provide Consulting on Information Assurance Issues that would include requirements and best practices for the following Security Policy Organization of Security Asset Management DynTek Services, Inc. 8

9 Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Info Systems Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance D) Developing Cyber-Security Incident Response Plans Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident. The incident response process has several phases. The initial phase involves establishing and training an incident response team and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur in selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after implementation of controls. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it and producing a post incident mitigation plan. During this phase, activity often cycles back to detection and analysis for example, to see if additional hosts are infected by malware while eradicating a malware incident. After adequately handling the incident, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to mitigate, or prevent, future incidents. Organizing an effective information security incident response capability involves several major decisions and actions. The organization must decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams. This section provides not only guidelines that should be helpful in establishing incident response capabilities, but also advice on maintaining and enhancing existing capabilities. DynTek Services, Inc. 9

10 It is critical early in this effort to identify and solicit cooperation from other groups within the organization that will be essential in incident handling. Every incident response team relies on the expertise, judgment, and abilities of others, including: Senior Management Legal Department Public Affairs and Media Relations Human Resources Physical Security and Facilities Management An incident response team should be available whenever an incident involving the organization is suspected to have occurred. One or more team members, depending on the magnitude of the incident and availability of personnel, should then be available exclusively to handle the incident. These incident handlers must analyze the incident data, determine the impact of the incident, and react appropriately to limit the damage and restore services to normal. Accordingly, the incident response team s success depends on the participation and cooperation of individuals throughout the organization. This section discusses incident response team models and provides advice on selecting an effective model for your organization. Team Models Possible structures for an incident response team include: Central Incident Response Team Distributed Incident Response Teams A single incident response team handles incidents throughout the organization. This model is effective for small organizations and organizations with minimal geographic diversity in terms of computing resources. The organization has multiple incident response teams, each responsible for a particular logical or physical segment of the organization. This model is effective for large organizations (e.g., one team per division) and for organizations with major computing resources at distant locations (e.g., one team per geographic region, one team per major facility). However, the teams should be part of a single coordinated entity so that the incident response process is consistent across the organization and information is shared among DynTek Services, Inc. 10

11 teams. This is particularly important because multiple teams may see components of the same incident or may handle similar incidents. Coordinating Team An incident response team provides advice to other teams without having authority over those teams for example, a department-wide team may assist individual agencies teams. This model can be thought of as a CSIRT for CSIRTs. Because the focus of this document is central and distributed CSIRTs, the coordinating team model is not addressed in detail in this document. DynTek facilitates and where appropriate provides on-going assistance in the creation and management of client incident response programs. Upon developing the information, policies, procedures and teaming structures as identified below, the incident response program plan serves to facilitate information about the coordinating team model, as well as extensive information on other team models, is available in a CERT /CC document titled Organizational Models for Computer Security Incident Response Teams (CSIRTs) ( E) Training Provide training for State Agency staff from basic user awareness to technical education. Virtually all Information Security Standards and Regulations require both information security awareness and information security training targeted at all users (including managers, senior executives, and contractors) on an on-going basis. Learning is a continuum it starts with awareness, builds to training, and evolves into education. (NIST Special Publication Revision 1) DynTek has developed a Web based Information Security tutoring solution. Our approach delivers two options for our clients: 1) Generic (ISO1799/27001) Information Security Awareness and Training modules or 2) Customized (branded if desired) Information Security Awareness and Training modules based on specific corporate or regulatory requirements DynTek Services, Inc. 11

12 unique to the client or line of business, such as HIPAA, FISMA, NERC CIP, CJIS, IRS Pub 1075, Red Flags, etc. In either case, our training is designed to provide a convenient and cost-effective approach to Information Security Awareness and Training. Most organizations have either adopted or are moving toward a remote or off-site business model. Consequently, the opportunity to conduct collective information security awareness or training sessions has become a challenge. Our solution provides a web based series of awareness and training modules that can be accessed via the Internet anywhere, anytime. The student simply logs in using a credit card, selects a module and follows on-screen prompts through the module. When the module has been completed with a passing score an is generated by our system informing your Human Resources organization that successful Information Security Awareness or Training has been accomplished by the student. Post-Incident Services A) Breach Services Toll-free Hotline Provide a scalable, resilient call center for incident response information to State Agencies. DynTek does not provide this service. B) Investigate/Clean-up Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels. DynTek can help manage all aspects of incident response including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed. In response to risks identified by a breach, we work with clients to: Limit immediate incident impact to customers and partners Recover from the incident and return to operations Determine how the incident occurred Avoid escalation and further incidents Help assess impact and damage Determine who initiated the incident and your options going forward Review existing policies and protocols for adequacy Review adequacy of other systems security Develop long-term mitigation plans DynTek Services, Inc. 12

13 Provide necessary training C) Incident Response Provide guidance or technical staff to assist State Agencies in response to an incident. DynTek is available to help you manage all aspects of a breach including subsequent activities. Our experts are experienced in cybercrime investigations and can be available to provide legal liaison as needed. In response to risks identified by a breach, we work with you to: Limit immediate incident impact to customers and partners Recover from the incident and return to operations Determine how the incident occurred Avoid escalation and further incidents Help assess impact and damage Determine who initiated the incident and your options going forward Review existing policies and protocols for adequacy Review adequacy of other systems security Develop long-term mitigation plans Provide necessary training D) Mitigation Plans Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities. The DynTek Team can provide support in all phases of cyber security mitigation efforts planning, testing, and implementation. Advise DMS employees regarding information security best practices and security architecture mitigation efforts. Review and recommend technical solutions to DMS based on an understanding of recognized risk results. Conduct systems security analysis and implementation, system engineering, electrical design, design assurance, testing, software engineering, program design, configuration management, integration and testing of products and techniques, as well as providing information risk advice. The Team s solutions will be based on a firm understanding of DMS policy, practices, procedures, customer requirements, and emerging technologies, as well as anticipated future trends associated with information management, information systems, and data networks. Especially affecting: Security Policy DynTek Services, Inc. 13

14 Organization of Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Info Systems Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance E) Identity Monitoring, Protection, and Restoration Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cyber-security incident. DynTek does not provide this service. DynTek Services, Inc. 14