RFP # Provide Information Security Assessment and Penetration Testing Due August 11, 2015 at 2:00PM (CST)

Transcription

1 August 6, 2015 McHenry County Government Center Purchasing Department Donald Gray, CPPB, Director of Purchasing 2200 N Seminary Avenue Administration Building Room 200 Woodstock, IL Phone: Fax: ADDENDUM #1 RFP # Provide Information Security Assessment and Penetration Testing Due August 11, 2015 at 2:00PM (CST) Additions & Clarifications to RFP/Bid Internal Penetration Testing: Question #1: How many locations? Addresses? How many servers/targets? 3 locations. The addresses of the locations will be disclosed with the successful vendor. Response #1: The number of Servers/Targets are to be determined during the testing. Application Penetration Testing: How many applications? URL s would be helpful. Question #2: How many directories in each application? How many user roles in each application? The RFP calls out authenticated/unauthenticated, but I want to clarify how many authenticated user roles. Response #2: This information is to be determined during the testing. Wireless Penetration Testing: Question #3: How many locations? How many WAPs? Response #3: 3 Locations. The number of WAPS is to be determined during the testing. Social Engineering: Roughly how many employees do you want ed? Question #4: How many attempts are you looking for (we can send one message and analyze the response set, or we can send multiple). Response #4: 50 addresses Question #5: Response #5: Pages 3-5 describe prevailing wage and OSHA requirements. However, the McHenry County prevailing wage website doesn t list any professional services (only physical/manual labor). I assume this does not apply to the scope of this project? That is standard verbiage in all the County s Bid documents. The specifications would reference if needed or not.

2 Question #6: Page 5 does the substance abuse policy apply to this type of engagement? The statement refers to engaged in the construction of the public works Response #6: That is standard verbiage in all the County s Bid documents. The specifications would reference if needed or not. Question #7: Section I: Of the 50 live external IP addresses, how many of them are HTTP or HTTPS (web) servers? Response #7: To be determined thru the testing. Question #8: Does the County require internal penetration testing to be performed onsite or can remotely controlled appliances be used? Response #8: Onsite. Should the proposal include a vulnerability assessment or a penetration test, or both? The RFP describes these tests as Internal Network Vulnerability Assessment and Penetration Testing. Typically, vulnerability assessments are performed with privilege (a valid username/password with sufficient privileges to read configurations/installed software) and penetration tests are performed blind (no privilege). Likewise, penetration testing is focused on identifying vulnerbles, exploiting them, taking command-and-control of the systems, leveraging them to discover and attack other systems, increasing privileges, and compromising more and more systems with higher and higher asset values. A penetration test Question #9: simulates the actions of a motivated criminal hacker who s targeted your systems or networks. A vulnerability assessment is intended to identify raw vulnerabilities by using privileged access to systems, but not to exploit them or exfiltrate data from them. An advantage of a vulnerability assessment is that it is relatively quick and produces a large number of actionable results (mostly missing patches, misconfigured services, etc.) A big advantage of penetration testing is that is simulates the actions and activities of a criminal hacker who s motivated to compromise systems and steal data/resources. Penetration testing uncovers critical flaws in administration activities, system design, system configuration, weak security controls, etc. Response #9: Both. Question #10: Approximately how many servers, workstations and total live IP addresses exist within the County s internal networks? Response #10: This information is to be determined via the assessment. How many sites will be in-scope for wireless assessment/penetration testing? Question #11: How many SSIDs per site? How many SSIDs total? Please provide the building address for each in-scope property. Response #11: 3 Sites. The number of SSID s is to be determined thru the testing. Question #12:

3 Note: Many organizations use wireless switches or cloud-controlled Aps. If all locations have the same wireless configuration and same SSIDs, a sampling of 2-3 buildings may be sufficient to conduct a thorough test. Response #12: Yes Question #13: Will non-production systems be available for testing each in-scope application? Non-production testing systems can be provided for assessment for some of the listed Response #13: systems. Question #14: Are all of the applications hosted within the County s data center(s)? Are any hosted and managed by a third-party? Yes, all applications are hosted in the County s Data Center. None of these systems are Response #14: hosted and managed by a 3 rd parties. Question #15: Will any of the in-scope applications require being onsite for testing? Response #15: Yes Question #16: Will the SharePoint site be a single server or are there multiple instances of SharePoint inscope for testing? Response #16: Single Instance, multiple servers. Question #17: Are each of the in-scope applications web/browser based? Are there any mobile applications or APIs in-scope for testing? The majority of the applications listed are web-based. There are no mobile applications Response #17: for this testing. Note: Depending on the answers to the questions above, SynerComm may want to see a Question #18: demonstration of each application to determine its size and complexity. Application assessments can be quite lengthy, therefore scoping them properly is very important. Response #18: Question #20: Response #20: Question #21: With regards to limiting the testing pool to 50 addresses, could multiple attacks be sent to the same 50 addresses? Or is the intention to make sure that no more than 50 recipients are included in each -based attack? We would like to limit the testing pool to 50 addresses for all testing. No new recipients please. Page 16 of the RFP describes Attack and gain access The bullets appear to suggest that the social engineering tests should be limited to collecting information on the system that was compromised. Should any compromised systems be used to discover and attack other systems? (pivoting?) Or, is the intention to use the internal penetration test to cover the next steps/paths of a successful social engineering attack?

4 Response #21: Question #22: Collect information of compromised system, discover other systems that could be comprised as well and discuss what the next steps would be after a successful social engineering attack. Due to the short amount of time between the Q&A release and due date, will the County extend the due date to allow adequate time to incorporate the County s clarifications and answers into the response? No. Response #22: Question #23: What is the size of the internal IP space? Response #23: The Internal IP spaces is comprised of multiple private subnets. We would like to see what network information can be discovered with little or no input from us. Question #24: How many wireless network location are in scope? Response #24: This is to be determined during the testing. Question #25: Section I: Which is the amount of IP addresses in scope, both live and dead? Response #25: The external IP address is a class C subnet. Question #26: Which are the locations for the internal network penetration test? Response #26: There will be 3 locations and the specifics will be discussed with the winning Vendor. Question #27: Which is the total number of IP addresses in scope for each location? Response #27: This is to be determined during the testing. Question #28: Which is the approximate amount of servers, network devices and workstations? Response #28: This is to be determined during the testing. Question #29: Is it possible to perform the Internal Network Penetration Testing via PIN? Response #29: No. Question #30: Response #30: Question #31: Response #31: Question #32: Response #32: Question #33: Which are the locations for this phase? Are them the same locations as for the Internal Network Penetration Testing? Yes. How many access points, networks and SSIDs will be in scope for every location? This is to be determined during the testing. Which is the size of each location (number of floors, square feet, etc.)? Location one: 3 Floors, SQ FT NA Location two: 2 Floors and basement, SQ FT NA Location three: 3 Floors, SQ FT NA How many input pages do each of the applications in scope have? Response #33: To be determined with the successful vendor. Question #34: How many user profiles will be included for each application?

5 Response #34: At most 1 user profile will be provided. Question #35: Are all the applications remotely accessible? Response #35: No Question #36: Could you describe the functions and actions users can perform in each application (for example, Upload images/videos/attachments, create/edit/view blog posts/comments, register, login, manage profiles, search, etc.) Response #36: To be determined with the successful vendor. Question #37: How many domains will be included in the harvesting process? Response #37: One. Section I: Question #38: While the RFP states, document how discovered vulnerabilities could be exploited, should any active exploitation be performed as part of this section? Response #38: No, but document what could be done. Is this testing to be performed onsite or will remote access be provided? Question #39: Will the internal vulnerability assessment be credentialed or un-credentialed? Approximately how many internal IPs will be assessed as part of the Internal Vulnerability Assessment/Penetration Test? Response #39: Un-credentialed, (blind user). This is to be determined during the testing. Question #40: How many physical locations are in scope? Response #40: 3 sites. Question #41: Are these applications internet accessible or only Internal? If Internal, will remote access be provided or will these be tested onsite? Response #41: Internal only and testing will be done on site. Question #42: If a victim is successfully compromised, does the county desire to see how far this could be used to pivot/gain additional access in addition to the local enumeration/exploitation listed (view local file system, take screenshots, deploy key logger, etc.)? Response #42: Yes Question #43: Are these tests being driven by a compliance requirement, the desire to be more secure, or something else? Response #43: Desire to be more secure. Question #44: Can this assessment be conducted remotely? Response #44: The External assessment should be done remotely, the Internal assessment is required to be done on site. Question #45: Are there any gateways or direct access to Criminal History Record Information (CHRI) repositories? If so, will the vendor require CJIS certified professionals? Response #45: CJIS certification is not required. Question #46: Does the county have updated network diagrams?

6 Response #46: Yes. Are computer and applications assets managed with automated tools/repositories, and will Question #47: those be current at the time of the assessment? Response #47: Yes. Question #48: Does the county perform vulnerability scanning with remediation? Response #48: Yes. Are employees permitted to use personal devices? If so, can they access or county Question #49: applications? Are they allowed to gain Internet access via WIFI on segregated networks? No personal devices connect directly to County networks. Segregated WiFi networks are Response #49: available for public devices to connect. Does the county know what its current risk exposure is? Does the county feel confident it Question #50: will perform well during an audit? Response #50: To be determined. May the vendor be free to install the tools necessary to conduct the assessments/pen Question #51: tests? Response #51: Yes, as long as they are documented and an uninstall is provided. Question #52: Are the areas, office/locations, the county would consider higher risk than others? Response #52: Yes In unforeseen event that something should break or business functionality is interrupted, who is liable? In other words, misconfigurations, setup, outdated software/hardware, etc. Question #53: What happens if testing causes serious problems resulting in loss of data and/or business functionality? Response #53: The County will work with successful vendor on a case by case basis to control liability. Question #54: How many Virtual Servers are in scope for the Internal Penetration testing? Response #54: N/A Question #55: Are workstations standardized with respect to the OS and hardware across entire network? Response #55: Yes. Question #56: How many Active Directory Domains are operating and to be covered in the scope? Response #56: One. Question #57: What are the pertinent operating systems in the scope of the assessment? Response #57: This is to be determined during the testing. Question #58: How many active internal IP s/hosts do you have? Response #58: This is to be determined during the testing. Question #59: Are mobile devices in the scope for the assessment? Response #59: No. Question #60: Will the penetration test include the DMZ? Response #60: Yes. Question #61: Is the vendor to presume the external penetration testing is White Box form? The penetration testing should be done from the perspective of not having any Response #61: knowledge of our network. Question #62: How many wireless networks and access points (AP)? Response #62: This is to be determined during the testing. Question #63: Does the penetration assessments include Mobile apps? Response #63: No.

7 Will the vendor be provided access to support portals/documentation, including best Question #64: practices guides to IJustice, Performance Series, Microsoft Dynamics Great Plains and New Dawn? Response #64: No. Question #65: Are cloud services and any SaaS products used by the county going to be addressed? Response #65: No. Question #66: One noted specification is Attempt to gain access to an employee s machine via , phone, or other means. Does this include physical access simulated by an after-hours cleaning crew or unauthorized person? Response #66: No Physical Access. Question #67: Response #67: No. Effective spear-phishing campaigns may require having the vendor s mall server whitelisted. Can the vendor s server(s) be white-listed as required? What is the expectation of examples of past deliverables and reports? is a detailed Question #68: description of reporting structure and contents sufficient to communicate the contents without compromising sensitive information of past clients? Response #68: Yes. Question #69: How many sites and wireless networks apply to the wireless penetration test? Response #69: 3 sites. The number of Wireless Networks is to be determined during testing.