1. How many user roles are to be tested in Web Application Penetration testing? Provide the approx. no. of input fields in the web application?

Transcription

1 Below are all the questions that were submitted. This is the District s first security assessments and the District is looking to qualified firms to assess our systems. As it states in the RFQ, technical qualifications will have a higher weight than price. We are looking to the firms to recommend what testing the District should do for phase I. The final tests and pricing will be negotiated with the selected firm. At this time, do we only need to provide a proposal for Phase 1 Vulnerability Assessments and Penetration Testing Services? OR do we need to provide cost estimates for Phase 2 Additional Work as well or is the scope to be determined after Phase 1? Proposal should include all items from Phase 1. Items for Phase 2 will determine on items found in Phase 1. For the external network vulnerability assessment and penetration testing, how many target systems will be in scope? (e.g., firewall(s), web server(s), remote access gateway(s), etc.) 1 firewall, 1 web server, 1 gateway For the internal network vulnerability and penetration testing, how may target systems will be in scope? (e.g., servers, workstations, devices, etc.) 3 servers Does the District want us to test for susceptibility to denial of service attacks on either the external or internal target systems? No Does the District want a credentialed or non-credentialed vulnerability assessment scan performed? (Credentialed scans can result in a deeper dive into vulnerabilities available to an authorized user.) Non-credentialed For the SCADA network vulnerability assessment and penetration testing, how many target systems will be in scope? 4 sites Tapia - 1 firewall and 2 servers HQ - 1 firewall and 2 servers Westlake - 1 firewall and 2 servers Rancho 1 server Does the District want us to test for susceptibility to denial of service attacks on the SCADA network systems? No What is the server operating system platform used throughout the District? (e.g., Windows Server 2008 R2, Windows Server 2012, HP UX, etc.) We have a mix of 2003, 2008 R2, and 2012 How many web applications are expected to be tested? 1 How many web pages are anticipated? 1 How many wireless networks are expected to be in scope? 7 4 at HQ, 3 at 3 remote sites Are all the wireless networks located in a single facility? If not, how many facilities will be in scope for wireless network assessment and penetration testing? There are 4 facilities Does the District require any manual reviews of systems during Phase 1?

2 Only of the configurations of the 1 external firewall and 3 SCADA firewalls. Does the District have a particular report format in mind or is the vendor free to use their standard format? Vendor is free to use their format During what timeslots does the District want the test work to be performed? (e.g., Only during standard business hours (8:00-5:00), only after 5:00pm, etc.) Standard business hours Mon Thurs, 7:30 5:00 Fri, 8:00 5:00 1. How many user roles are to be tested in Web Application Penetration testing? 1 2. Provide the approx. no. of input fields in the web application? 3. Are the web application(s) using any web services? If yes, how many and what types? 4. Is the Application penetration testing intended to be done on a production environment or a controlled environment? 5. How many dynamic pages are in each application (on an average)? 6. Does LVMWD want this engagement to be performed at Onsite or Offshore? If offshore, will access be provided to the offshore team? 2 login screen no production 1 login screen Either. A VPN connection will be provided for offsite. We are blocking most countries offshore. We will open a connection for offshore. 1. Will the assessment include any other topology than Ethernet? 2. What protocols other than IP will need to be included in the assessment? None 3. Will Pentest activities need Exploit attempts? Recommend tests. But not denial of service. 4. What are the locations of the remote sites for wireless network assessment? 3 remote sites, located 1 mile, 5 miles, and 10 miles from the main office. 5. Will account credentials be provided for internal host scans?

3 6. As a level of effort exercise, does LVW have a past estimated windows or duration for testing exercises (I.e. 2 days of on-site penetration testing and 1 day of off-site penetration testing? No, this is our first test. 7. Will LVW provide access to past penetration test or security assessments to create efficiencies in testing efforts? No, this is our first test. 8. Does LVW require code review as part of the testing process? Not application code. Review of firewall configurations 1 external and 3 SCADA. 9. Does a development or QA environment exist for testing purposes? 10. Does LVW require testing to be performed after hours or during specified maintenance/testing windows? Standard business hours Mon Thurs, 7:30 5:00 Fri, 8:00 5: Will standard account credentials be provided in order to test possible escalation/discovery activities? What is the goal of the Wireless Network Assessment? How does the District s desired scope differ from the Wireless Penetration Test? Only logged in users have access to the network. Other testing will be part of Phase II. How many applications are in scope for the Web Application Penetration Testing? One. We do not host our web site here. The web page that will be tested is a login screen. How many web pages are in scope for each application? One What types of applications are in scope? Application testing will be part of Phase II. What is the estimated number of pages with functionality, form submission, database query to be tested? Are the web applications to be tested in production or QA? Production. Is security currently embedded within The Districts SDLC process?

4 Can the District share its expected budget for this engagement? Does the District actually want Penetration Testing conducted on its SCADA network? Is it aware of the risks typically associated with this? The testing of SCADA for Phase I is to test the isolation of the SCADA network from the office network. The 2 networks share some data paths. Any additional testing would be part of Phase II. Does the District want offeror s to propose pricing and technical approaches for Phase 2 with this proposal? How many IP addresses are in scope for the external network? 8 How many IP addresses are in scope for the internal network? For Phase I, 3 servers How many IP addresses are in scope for the SCADA network? For Phase I, 1 server How many IP Addresses for the network have web services running on them? For the servers in scope none. When was the last time your organization conducted vulnerability assessments? This is our first test. How many sites are in scope for the wireless assessments? What is the estimated number of access points in scope? 7 4 at HQ, 3 at 3 remote sites What compliance drivers does The District have? None. 1. Approximately how many active IP s are on the network to be tested? For Phase I, 3 servers 2. How many subnets are on the network to be tested? 3 3. How many remote sites total are in scope for this effort? 3 4. For the vulnerability assessment and internal penetration efforts, will devices be allowed to be placed on the network (pwnplugs, jumpboxes etc.) to allow for remote testing?

5 a. If devices are not allowed to be placed on the network, will VPN access be allowed and if so what is the bandwidth capabilities of the VPN connection(s) to allow for remote testing? Or a VPN connection will be provided for offsite testing. 5. Is there a management network that can reach all other subnets? 6. How many Wireless Access Points are in scope? 7 4 at HQ, 3 at 3 remote sites 7. Will you provide the make and model of the wireless access points? 8. Are there any wireless access points at the remote sites? See For the Web Applications, how many dynamic pages and users roles exist? One. We do not host our web site here. The web page that will be tested is a login screen. 10. How many public facing devices are on the network? Will Social Engineering be in scope for the penetration testing? 12. Will a physical security assessment be in scope for this effort? 13. Will disruptive attacks (Denial of Service, etc.) be in scope for testing? Recommend tests. But not denial of service. 14. Will techniques such as password cracking be in scope for the penetration testing efforts? 15. Are the SCADA devices used for control or simply to provide readings? Control. 16. Is there a lab environment where active testing could be performed or will limited testing be performed on production devices? 17. Does the SCADA testing include HMI s and other associated IT elements? PI Historian? etc. 18. Will you provide the manufacturer and device model numbers for SCADA devices? Not for Phase I.

6 19. Will Travel expenses be reimbursable within the proposed budget if presented in an offer? And if so are there any limits and/or restrictions on itemized travel expenses, e.g., per diem, hotel, etc.? Yes, include an estimate of travel expenses. Limits and restrictions will be discussed with the selected vendor. 1. Please correct our understanding it s Windows SCADA SQL servers running Wonderware InSQL 10.5, (RFQ mentioned as Windows SCADA SQL servers running Wonderware InSQL 10.5) Yes it is Windows Can you provide more details regarding the Advanced Utilities System Customer Information Systems(CIS)? Are you using the CIS Infinity application? How many users? Is there any integration with other systems (i.e. SCADA, Historians, Data feeds). Yes we are using CIS Infinity with 10 users. No integration. 3. Can you be more specific on desktop computers and printers count? What OS(s) are installed on PCs and laptops? Approximately 100 PCs running Windows 7. There are 3 running XP. 15 laptops running Windows 7 and 10.