RFP # Provide Information Security Assessment and Penetration Testing Due August 11, 2015 at 2:00PM (CST)
|
|
- Andrea Day
- 8 years ago
- Views:
Transcription
1 August 6, 2015 McHenry County Government Center Purchasing Department Donald Gray, CPPB, Director of Purchasing 2200 N Seminary Avenue Administration Building Room 200 Woodstock, IL Phone: Fax: ADDENDUM #1 RFP # Provide Information Security Assessment and Penetration Testing Due August 11, 2015 at 2:00PM (CST) Additions & Clarifications to RFP/Bid Internal Penetration Testing: Question #1: How many locations? Addresses? How many servers/targets? 3 locations. The addresses of the locations will be disclosed with the successful vendor. Response #1: The number of Servers/Targets are to be determined during the testing. Application Penetration Testing: How many applications? URL s would be helpful. Question #2: How many directories in each application? How many user roles in each application? The RFP calls out authenticated/unauthenticated, but I want to clarify how many authenticated user roles. Response #2: This information is to be determined during the testing. Wireless Penetration Testing: Question #3: How many locations? How many WAPs? Response #3: 3 Locations. The number of WAPS is to be determined during the testing. Social Engineering: Roughly how many employees do you want ed? Question #4: How many attempts are you looking for (we can send one message and analyze the response set, or we can send multiple). Response #4: 50 addresses Question #5: Response #5: Pages 3-5 describe prevailing wage and OSHA requirements. However, the McHenry County prevailing wage website doesn t list any professional services (only physical/manual labor). I assume this does not apply to the scope of this project? That is standard verbiage in all the County s Bid documents. The specifications would reference if needed or not.
2 Question #6: Page 5 does the substance abuse policy apply to this type of engagement? The statement refers to engaged in the construction of the public works Response #6: That is standard verbiage in all the County s Bid documents. The specifications would reference if needed or not. Question #7: Section I: Of the 50 live external IP addresses, how many of them are HTTP or HTTPS (web) servers? Response #7: To be determined thru the testing. Question #8: Does the County require internal penetration testing to be performed onsite or can remotely controlled appliances be used? Response #8: Onsite. Should the proposal include a vulnerability assessment or a penetration test, or both? The RFP describes these tests as Internal Network Vulnerability Assessment and Penetration Testing. Typically, vulnerability assessments are performed with privilege (a valid username/password with sufficient privileges to read configurations/installed software) and penetration tests are performed blind (no privilege). Likewise, penetration testing is focused on identifying vulnerbles, exploiting them, taking command-and-control of the systems, leveraging them to discover and attack other systems, increasing privileges, and compromising more and more systems with higher and higher asset values. A penetration test Question #9: simulates the actions of a motivated criminal hacker who s targeted your systems or networks. A vulnerability assessment is intended to identify raw vulnerabilities by using privileged access to systems, but not to exploit them or exfiltrate data from them. An advantage of a vulnerability assessment is that it is relatively quick and produces a large number of actionable results (mostly missing patches, misconfigured services, etc.) A big advantage of penetration testing is that is simulates the actions and activities of a criminal hacker who s motivated to compromise systems and steal data/resources. Penetration testing uncovers critical flaws in administration activities, system design, system configuration, weak security controls, etc. Response #9: Both. Question #10: Approximately how many servers, workstations and total live IP addresses exist within the County s internal networks? Response #10: This information is to be determined via the assessment. How many sites will be in-scope for wireless assessment/penetration testing? Question #11: How many SSIDs per site? How many SSIDs total? Please provide the building address for each in-scope property. Response #11: 3 Sites. The number of SSID s is to be determined thru the testing. Question #12:
3 Note: Many organizations use wireless switches or cloud-controlled Aps. If all locations have the same wireless configuration and same SSIDs, a sampling of 2-3 buildings may be sufficient to conduct a thorough test. Response #12: Yes Question #13: Will non-production systems be available for testing each in-scope application? Non-production testing systems can be provided for assessment for some of the listed Response #13: systems. Question #14: Are all of the applications hosted within the County s data center(s)? Are any hosted and managed by a third-party? Yes, all applications are hosted in the County s Data Center. None of these systems are Response #14: hosted and managed by a 3 rd parties. Question #15: Will any of the in-scope applications require being onsite for testing? Response #15: Yes Question #16: Will the SharePoint site be a single server or are there multiple instances of SharePoint inscope for testing? Response #16: Single Instance, multiple servers. Question #17: Are each of the in-scope applications web/browser based? Are there any mobile applications or APIs in-scope for testing? The majority of the applications listed are web-based. There are no mobile applications Response #17: for this testing. Note: Depending on the answers to the questions above, SynerComm may want to see a Question #18: demonstration of each application to determine its size and complexity. Application assessments can be quite lengthy, therefore scoping them properly is very important. Response #18: Question #20: Response #20: Question #21: With regards to limiting the testing pool to 50 addresses, could multiple attacks be sent to the same 50 addresses? Or is the intention to make sure that no more than 50 recipients are included in each -based attack? We would like to limit the testing pool to 50 addresses for all testing. No new recipients please. Page 16 of the RFP describes Attack and gain access The bullets appear to suggest that the social engineering tests should be limited to collecting information on the system that was compromised. Should any compromised systems be used to discover and attack other systems? (pivoting?) Or, is the intention to use the internal penetration test to cover the next steps/paths of a successful social engineering attack?
4 Response #21: Question #22: Collect information of compromised system, discover other systems that could be comprised as well and discuss what the next steps would be after a successful social engineering attack. Due to the short amount of time between the Q&A release and due date, will the County extend the due date to allow adequate time to incorporate the County s clarifications and answers into the response? No. Response #22: Question #23: What is the size of the internal IP space? Response #23: The Internal IP spaces is comprised of multiple private subnets. We would like to see what network information can be discovered with little or no input from us. Question #24: How many wireless network location are in scope? Response #24: This is to be determined during the testing. Question #25: Section I: Which is the amount of IP addresses in scope, both live and dead? Response #25: The external IP address is a class C subnet. Question #26: Which are the locations for the internal network penetration test? Response #26: There will be 3 locations and the specifics will be discussed with the winning Vendor. Question #27: Which is the total number of IP addresses in scope for each location? Response #27: This is to be determined during the testing. Question #28: Which is the approximate amount of servers, network devices and workstations? Response #28: This is to be determined during the testing. Question #29: Is it possible to perform the Internal Network Penetration Testing via PIN? Response #29: No. Question #30: Response #30: Question #31: Response #31: Question #32: Response #32: Question #33: Which are the locations for this phase? Are them the same locations as for the Internal Network Penetration Testing? Yes. How many access points, networks and SSIDs will be in scope for every location? This is to be determined during the testing. Which is the size of each location (number of floors, square feet, etc.)? Location one: 3 Floors, SQ FT NA Location two: 2 Floors and basement, SQ FT NA Location three: 3 Floors, SQ FT NA How many input pages do each of the applications in scope have? Response #33: To be determined with the successful vendor. Question #34: How many user profiles will be included for each application?
5 Response #34: At most 1 user profile will be provided. Question #35: Are all the applications remotely accessible? Response #35: No Question #36: Could you describe the functions and actions users can perform in each application (for example, Upload images/videos/attachments, create/edit/view blog posts/comments, register, login, manage profiles, search, etc.) Response #36: To be determined with the successful vendor. Question #37: How many domains will be included in the harvesting process? Response #37: One. Section I: Question #38: While the RFP states, document how discovered vulnerabilities could be exploited, should any active exploitation be performed as part of this section? Response #38: No, but document what could be done. Is this testing to be performed onsite or will remote access be provided? Question #39: Will the internal vulnerability assessment be credentialed or un-credentialed? Approximately how many internal IPs will be assessed as part of the Internal Vulnerability Assessment/Penetration Test? Response #39: Un-credentialed, (blind user). This is to be determined during the testing. Question #40: How many physical locations are in scope? Response #40: 3 sites. Question #41: Are these applications internet accessible or only Internal? If Internal, will remote access be provided or will these be tested onsite? Response #41: Internal only and testing will be done on site. Question #42: If a victim is successfully compromised, does the county desire to see how far this could be used to pivot/gain additional access in addition to the local enumeration/exploitation listed (view local file system, take screenshots, deploy key logger, etc.)? Response #42: Yes Question #43: Are these tests being driven by a compliance requirement, the desire to be more secure, or something else? Response #43: Desire to be more secure. Question #44: Can this assessment be conducted remotely? Response #44: The External assessment should be done remotely, the Internal assessment is required to be done on site. Question #45: Are there any gateways or direct access to Criminal History Record Information (CHRI) repositories? If so, will the vendor require CJIS certified professionals? Response #45: CJIS certification is not required. Question #46: Does the county have updated network diagrams?
6 Response #46: Yes. Are computer and applications assets managed with automated tools/repositories, and will Question #47: those be current at the time of the assessment? Response #47: Yes. Question #48: Does the county perform vulnerability scanning with remediation? Response #48: Yes. Are employees permitted to use personal devices? If so, can they access or county Question #49: applications? Are they allowed to gain Internet access via WIFI on segregated networks? No personal devices connect directly to County networks. Segregated WiFi networks are Response #49: available for public devices to connect. Does the county know what its current risk exposure is? Does the county feel confident it Question #50: will perform well during an audit? Response #50: To be determined. May the vendor be free to install the tools necessary to conduct the assessments/pen Question #51: tests? Response #51: Yes, as long as they are documented and an uninstall is provided. Question #52: Are the areas, office/locations, the county would consider higher risk than others? Response #52: Yes In unforeseen event that something should break or business functionality is interrupted, who is liable? In other words, misconfigurations, setup, outdated software/hardware, etc. Question #53: What happens if testing causes serious problems resulting in loss of data and/or business functionality? Response #53: The County will work with successful vendor on a case by case basis to control liability. Question #54: How many Virtual Servers are in scope for the Internal Penetration testing? Response #54: N/A Question #55: Are workstations standardized with respect to the OS and hardware across entire network? Response #55: Yes. Question #56: How many Active Directory Domains are operating and to be covered in the scope? Response #56: One. Question #57: What are the pertinent operating systems in the scope of the assessment? Response #57: This is to be determined during the testing. Question #58: How many active internal IP s/hosts do you have? Response #58: This is to be determined during the testing. Question #59: Are mobile devices in the scope for the assessment? Response #59: No. Question #60: Will the penetration test include the DMZ? Response #60: Yes. Question #61: Is the vendor to presume the external penetration testing is White Box form? The penetration testing should be done from the perspective of not having any Response #61: knowledge of our network. Question #62: How many wireless networks and access points (AP)? Response #62: This is to be determined during the testing. Question #63: Does the penetration assessments include Mobile apps? Response #63: No.
7 Will the vendor be provided access to support portals/documentation, including best Question #64: practices guides to IJustice, Performance Series, Microsoft Dynamics Great Plains and New Dawn? Response #64: No. Question #65: Are cloud services and any SaaS products used by the county going to be addressed? Response #65: No. Question #66: One noted specification is Attempt to gain access to an employee s machine via , phone, or other means. Does this include physical access simulated by an after-hours cleaning crew or unauthorized person? Response #66: No Physical Access. Question #67: Response #67: No. Effective spear-phishing campaigns may require having the vendor s mall server whitelisted. Can the vendor s server(s) be white-listed as required? What is the expectation of examples of past deliverables and reports? is a detailed Question #68: description of reporting structure and contents sufficient to communicate the contents without compromising sensitive information of past clients? Response #68: Yes. Question #69: How many sites and wireless networks apply to the wireless penetration test? Response #69: 3 sites. The number of Wireless Networks is to be determined during testing.
RFP No. 1-15-C017 OFFICE OF TECHNOLOGY INFORMATION SYSTEMS AND INFRASTRUCTURE PENETRATION TEST
RFP No. 1-15-C017 OFFICE OF TECHNOLOGY INFORMATION SYSTEMS AND INFRASTRUCTURE PENETRATION TEST Questions and Answers Notice: Questions may have been edited for clarity and relevance. 1. How many desktops,
More informationAbout This Document. Response to Questions. Security Sytems Assessment RFQ
Response to Questions Security Sytems Assessment RFQ Posted October 1, 2015 Q: Which specific security assessment processes are sought for this engagement? The RFQ mentions several kinds of analysis and
More informationPHILADELPHIA GAS WORKS Information Security Assessment and Testing Services RFP#30198 Questions & Answers December 4, 2015
QUESTIONS ANSWERS Q1 What is the goal of testing? A1 We engage in this type of testing to promote our own best practices and ensure our security posture is as it should be. Q2 No of active IP s (internal):
More informationSecret Server Qualys Integration Guide
Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server
More informationPenetration Testing. I.T. Security Specialists. Penetration Testing 1
Penetration I.T. Security Specialists ing 1 about us At Caretower, we help businesses to identify vulnerabilities within their security systems and provide an action plan to help prevent security breaches
More informationNETWORK PENETRATION TESTING
Tim West Consulting 6807 Wicklow St. Arlington, TX 76002 817-228-3420 Twest@timwestconsulting.com OVERVIEW Tim West Consulting Tim West Consulting is a full service IT security and support firm that specializes
More informationAfter reviewing all the questions, the most common and relevant questions were chosen and the answers are below:
2015 007 After reviewing all the questions, the most common and relevant questions were chosen and the answers are below: 1. Is there a proposed budget for this RFP? No 2. What is the expect duration for
More informationPENETRATION TESTING GUIDE. www.tbgsecurity.com 1
PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a
More informationREQUEST FOR PROPOSAL (RFP) #021-14 HIPAA SECURITY ASSESSMENT VENDOR QUESTIONS & ANSWERS ~ MAY 29, 2014
REQUEST FOR PROPOSAL (RFP) #021-14 HIPAA SECURITY ASSESSMENT VENDOR QUESTIONS & ANSWERS ~ MAY 29, 2014 Q1) Page 2, Section A and Page 5, Section H --- Does the County desire only an assessment of compliance
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationInformation Security Assessment and Testing Services RFQ # 28873 Questions and Answers September 8, 2014
QUESTIONS ANSWERS Q1 How many locations and can all locations be tested from a A1 5 locations and not all tests can be performed from a central location? central location. Q2 Connection type between location
More informationQ&A ADDENDUM FOR INFORMATION SECURITY VULNERABILITY ASSESSMENT PUBLISHED 10/20/2015
Q&A ADDENDUM FOR INFORMATION SECURITY VULNERABILITY ASSESSMENT PUBLISHED 10/20/2015 UPDATE HISTORY: 10/21/2015 10/30/2015 11/5/2015 Questions submitted by Proposers All proposers should reference the following
More informationCITY AND COUNTY OF DENVER AUDITOR S OFFICE REQUEST FOR PROPOSAL FOR PROFESSIONAL AUDITING SERVICES. Additional Information.
CITY AND COUNTY OF DENVER AUDITOR S OFFICE FOR PROFESSIONAL AUDITING SERVICES Additional Information March 10, 2016 The following questions were asked and answered at the February 26, 2016 Pre-Proposal
More informationBreach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security
Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are
More informationQUESTIONS & RESPONSES #2
QUESTIONS & RESPONSES #2 RFP / TITLE 070076 IT Cybersecurity Assessment and Plan CONTACT Michael Keim, CPPB, Sr. Contract Adminstrator EMAIL procurement@portoftacoma.com PHONE NUMBER 253-428-8608 SUBMITTAL
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationVendor Questions and Answers
OHIO DEFERRED COMPENSATION REQUEST FOR PROPOSALS (RFP) FOR COMPREHENSIVE SECURITY ASSESSMENT CONSULTANT Issue Date: December 7, 2016 Written Question Deadline: January 11, 2016 Proposal Deadline: RFP Contact:
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationRequest for Proposal INFORMATION SECURITY ASSESSMENT SERVICES RFP #12-680-004. Addendum 1.0
Request for Proposal INFORMATION SECURITY ASSESSMENT SERVICES RFP #12-680-004 Addendum 1.0 ISSUE DATE: February 23, 2012 Receipt of this addendum should be acknowledged on the Proposal Form. Inquiries
More informationThis session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.
The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com
More informationFedRAMP Penetration Test Guidance. Version 1.0.1
FedRAMP Penetration Test Guidance Version 1.0.1 July 6, 2015 Revision History Date Version Page(s) Author 06/30/2015 1.0 All First Release FedRAMP PMO 07/06/2015 1.0.1 All Minor corrections and edits FedRAMP
More informationNorth Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More informationPenetration Testing //Vulnerability Assessment //Remedy
A Division Penetration Testing //Vulnerability Assessment //Remedy In Penetration Testing, part of a security assessment practice attempts to simulate the techniques adopted by an attacker in compromising
More informationNetwork Documentation Checklist
Network Documentation Checklist Don Krause, Creator of NetworkDNA This list has been created to provide the most elaborate overview of elements in a network that should be documented. Network Documentation
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationPCI-DSS Penetration Testing
PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)
More informationNetwork Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
More informationWays. to Shore Up. Security. Your. ABSTRACT: By Trish Crespo
6 Ways to Shore Up Your Security ABSTRACT: By Trish Crespo February 04 Microsoft's SharePoint collaboration software is an excellent tool for enterprise users, but some individuals have pointed to it as
More informationPCI Compliance 3.1. About Us
PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance
More informationSESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support
SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support Desktop Support and Data Breaches: The Unknown Dangers Bryan Hood Senior Solutions Engineer, Bomgar bhood@bomgar.com Session Description
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationAn Introduction to Network Vulnerability Testing
CONTENTS Introduction 3 Penetration Testing Overview 4 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and Delivering Results 6 VeriSign SecureTEST 7 Common Vulnerability
More informationHIPAA SECURITY RISK ANALYSIS FORMAL RFP
HIPAA SECURITY RISK ANALYSIS FORMAL RFP ADDENDUM NUMBER: (2) August 1, 2012 THIS ADDENDUM IS ISSUED PRIOR TO THE ACCEPTANCE OF THE FORMAL RFPS. THE FOLLOWING CLARIFICATIONS, AMENDMENTS, ADDITIONS, DELETIONS,
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationITEC441- IS Security. Chapter 15 Performing a Penetration Test
1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationDemystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur
Demystifying Penetration Testing for the Enterprise Presented by Pravesh Gaonjur Pravesh Gaonjur Founder and Executive Director of TYLERS Information Security Consultant Certified Ethical Hacker (CEHv8Beta)
More informationNetwork and Host-based Vulnerability Assessment
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:
More informationEnterprise Information Technology Security Assessment RFP Answers to Questions
Enterprise Information Technology Security Assessment RFP Answers to Questions GENERAL QUESTIONS Q: How do the goals of the security assessment relate to improving the way VEIC does business? A: Security
More informationTable of Contents. Application Vulnerability Trends Report 2013. Introduction. 99% of Tested Applications Have Vulnerabilities
Application Vulnerability Trends Report : 2013 Table of Contents 3 4 5 6 7 8 8 9 10 10 Introduction 99% of Tested Applications Have Vulnerabilities Cross Site Scripting Tops a Long List of Vulnerabilities
More informationHow To Secure An Extended Enterprise
Data Security Initiatives The Layered Approach Melissa Perisce Regional Director, Global Services, South Asia April 25, 2010 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Intel Case Study Asia North
More informationConnectivity to Polycom RealPresence Platform Source Data
Polycom RealAccess Security White Paper The Polycom RealAccess service is delivered using the Software as a Service (SaaS) model. This white paper outlines how the service protects sensitive customer data
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationIs your business prepared for Cyber Risks in 2016
Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers
More informationCertification Report
Certification Report HP Network Automation Ultimate Edition 10.10 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationPCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationSAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)
SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More information1. Why is the customer having the penetration test performed against their environment?
General Questions 1. Why is the customer having the penetration test performed against their environment? Assess vulnerabilities in order to improve security and protect client information. 2. Is the penetration
More informationWhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program
WhiteHat Security White Paper Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program October 2015 The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Secure Bytes, October 2011 This document is confidential and for the use of a Secure Bytes client only. The information contained herein is the property of Secure Bytes and may
More informationPenetration Testing - a way for improving our cyber security
OWASP EU Tour Bucharest 2013 The OWASP Foundation http://www.owasp.org Penetration Testing - a way for improving our cyber security Adrian Furtunǎ, PhD, OSCP, CEH adif2k8@gmail.com Copyright The OWASP
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationPenetration Test Report
Penetration Test Report MegaCorp One August 10 th, 2013 Offensive Security Services, LLC 19706 One Norman Blvd. Suite B #253 Cornelius, NC 28031 United States of America Tel: 1-402-608-1337 Fax: 1-704-625-3787
More informationARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE
ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationUnderstanding Security Testing
Understanding Security Testing Choosing between vulnerability assessments and penetration testing need not be confusing or onerous. Arian Eigen Heald, M.A., Ms.IA., CNE, CISA, CISSP I. Introduction Many
More informationData Security for the Hospitality
M&T Bank and SecurityMetrics Present: Data Security for the Hospitality Industry Featuring Lee Pierce, SecurityMetricsStrategicStrategic Accounts Dave Ellis, SecurityMetrics Forensic Investigator Doug
More information2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report
2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 28 September 2012 Submitted to: Donald Lafleur IS Audit Manager ND State Auditor
More informationABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London
More informationRESPONSES TO QUESTIONS AND REQUESTS FOR CLARIFICATION Updated 7/1/15 (Question 53 and 54)
RESPONSES TO QUESTIONS AND REQUESTS FOR CLARIFICATION Updated 7/1/15 (Question 53 and 54) COLORADO HOUSING AND FINANCE AUTHORITY 1981 BLAKE STREET DENVER, CO 80202 REQUEST FOR PROPOSAL Intranet Replacement
More informationCautela Labs Cloud Agile. Secured.
Cautela Labs Cloud Agile. Secured. Vulnerability Management Scanning and Assessment Service Vulnerability Management Services New network, application and database vulnerabilities emerge every day. Because
More informationAUTOMATING THE 20 CRITICAL SECURITY CONTROLS
AUTOMATING THE 20 CRITICAL SECURITY CONTROLS Wolfgang Kandek, CTO Qualys Session ID: Session Classification: SPO-T07 Intermediate 2012 the Year of Data Breaches 2013 continued in a similar Way Background
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationCertification Report
Certification Report EAL 2+ Evaluation of McAfee Email and Web Security Appliance Version 5.5 Patch 2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria
More informationCITY OF CORONA RFP 15-005SB. ADDENDUM No. 2
CITY OF CORONA ADDENDUM No. 2 Purchasing Division (951) 736-2272 400 S. Vicentia Ave., Ste. 320 purchasing@discovercorona.com Corona, CA 92882 09/22/2014 Scott Briggs Addendum No. 2 for the Evaluation
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationAddressing the United States CIO Office s Cybersecurity Sprint Directives
RFP Response Addressing the United States CIO Office s Cybersecurity Sprint Directives How BeyondTrust Helps Government Agencies Address Privileged Account Management and Improve Security July 2015 Addressing
More informationNetwork Security Policy
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationPension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update
Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report
More information5 Steps to Advanced Threat Protection
5 Steps to Advanced Threat Protection Agenda Endpoint Protection Gap Profile of Advanced Threats Consensus Audit Guidelines 5 Steps to Advanced Threat Protection Resources 20 Years of Chasing Malicious
More informationIBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing
IBM Global Technology Services Statement of Work for IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing The information in this Statement of Work may not be disclosed
More informationForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)
ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software
More informationTowards End-to-End Security
Towards End-to-End Security Thomas M. Chen Dept. of Electrical Engineering Southern Methodist University PO Box 750338 Dallas, TX 75275-0338 USA Tel: 214-768-8541 Fax: 214-768-3573 Email: tchen@engr.smu.edu
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationWhite Paper. McAfee Web Security Service Technical White Paper
McAfee Web Security Service Technical White Paper Effective Management of Anti-Virus and Security Solutions for Smaller Businesses Continaul Security Auditing Vulnerability Knowledge Base Vulnerability
More informationMcAfee SECURE Technical White Paper
Protect what you value. VERSION #1 093008 McAfee SECURE Technical White Paper Table of Contents Contnuous Security Auditing....................................................................... 2 Vulnerability
More informationANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details
Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription
More informationDecember 2015 702P00860. Xerox App Studio 3.0 Information Assurance Disclosure
December 2015 702P00860 Xerox App Studio 3.0 Information Assurance Disclosure 2014 Xerox Corporation. All rights reserved. Xerox and Xerox and Design and ConnectKey are trademarks of Xerox Corporation
More informationPCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics
PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security
More informationReal World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
More informationS E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s
S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s During the period between November 2012 and March 2013, Symantec Consulting Services partnered with Bomgar to assess the security
More informationVirtualization System Security
Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationSecurity Testing and Vulnerability Management Process. e-governance
Security Testing and Vulnerability Management Process for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Controls Book
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program s Book Cyber-security s Summary Council on Cyber-security Critical Security s (CSC) CSC-01 CSC-02 CSC-03 CSC-04 CSC-05 IT Asset
More informationXerox Mobile Print Cloud
September 2012 702P00860 Xerox Mobile Print Cloud Information Assurance Disclosure 2012 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation in the United
More informationIT HEALTHCHECK TOP TIPS WHITEPAPER
WHITEPAPER PREPARED BY MTI TECHNOLOGY LTD w: mti.com t: 01483 520200 f: 01483 520222 MTI Technology have been specifying and conducting IT Healthcheck s across numerous sectors including commercial, public
More informationADDENDUM #1 REQUEST FOR PROPOSALS 2015-151
ADDENDUM #1 REQUEST FOR PROPOSALS 2015-151 HIPAA/HITECH/OMNIBUS Act Compliance Consulting Services TO: FROM: CLOSING DATE: SUBJECT: All Potential Responders Angie Williams, RFP Coordinator September 24,
More informationQuick Start Guide: Utilizing Nessus to Secure Microsoft Azure
Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure Introduction Tenable Network Security is the first and only solution to offer security visibility, Azure cloud environment auditing, system
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More information1.0 Purpose of Solicitation
Information Technology Consulting Services Notice of Request for Proposal Information Technology Managed Services and Support South Adams County Water and Sanitation District 1.0 Purpose of Solicitation
More informationCybersecurity Health Check At A Glance
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
More informationGetting Started with the iscan Online Data Breach Risk Intelligence Platform
Getting Started with the iscan Online Data Breach Risk Intelligence Platform 2 Table of Contents Overview... 3 Data Breach Risk Intelligence... 3 Data Breach Prevention Lifecycle Defined... 3 Choosing
More information