Information Security Assessment and Testing Services RFQ # Questions and Answers September 8, 2014

Transcription

1 QUESTIONS ANSWERS Q1 How many locations and can all locations be tested from a A1 5 locations and not all tests can be performed from a central location? central location. Q2 Connection type between location and available bandwidth? A2 Point to point telecommunication network Q3 How many subnets or IP v-lans and how big are they? A3 Q4 How many internal IP addresses are in use? A4 Q5 What is the number of servers and types of operating systems? A5 Q6 How many workstations? A6 Q7 How many other connected devices (VOIP phones, Routers switches printers)? A7 Q8 How many mobile devices with network access? A8

2 Q9 How many IT staff? A9 Q10 Any system/applications outsourced to a third party? A10 Yes Q11 Any specific compliance requirements (HIPAA, PCI, etc.) that we need to meet? A11 PGW is not under the direct guidance of any security regulations legislation. Q12 How many internet facing IP addresses? A12 Q13 How many applications are accessible from the internet? A13 Q14 How many wireless access points are in use? A14 Q15 Q16 Q17 What type of remote access is available to employees/vendors? Can you identify what vendor supplied tools will be required for use during the Internal Vulnerability Assessment? Are you concerned about threat modeling and security development lifecycle in your SCADA environment or is your vision to have an active penetration test performed on A15 A16 A17 We do not require any specific tools from the vendor. We would like to have vendor attempt a penetration test on our SCADA network.

3 Q18 your SCADA network? PHILADELPHIA GAS WORKS How many CCAs (Critical Cyber Assets) and EADs (Electronic Access Devices) make up your SCADA environment? Q19 Do you have a SCADA lab or test environment? A19 No Q20 How many Externally Facing IP s are in scope? A20 5 Q21 How many internal IP s or hosts are in scope? A21 40 A18 Q22 How many wireless networks/facilities are in scope? How A22 2 wireless networks and 1 mobile device many wireless devices? Q23 How many SCADA Network Systems in scope? Do you A23 1 SCADA Network is in scope. want both non-ip and IP enabled devices in scope? If so how many of each? What communication channels do they use? (Ie. Modbus, dial up modem, etc.) Q24 For the physical penetration test, would you want us to A24 Tester should try to break into the facility. break into the facility or walk through and review controls? Q25 Can PGW more precisely identify the anticipated timing of the execution of the work? (e.g. A25 We would like to start as soon as contract is signed but avoid major holidays. Month x Month Y) Q26 Are there any project timeline constraints? A26 Avoid major holidays. Q27 Have funds for this project been secured and approved by PGW? Questions related to External Attacker perspective: A27 Yes

4 Q28 What is the approximate number of IP addresses that are in A28 5 scope? Q29 How many of these IPs are actually being used? A29 Q30 How many web applications are considered to be in scope? A30 2 Q31 If more than one, does PGW expect all of these to be tested? A31 Yes Q32 Q33 Q34 For each Web Application to be tested, would PGW prefer for these to be tested both with and without credentials (please note that credentialed tests are most effective in uncovering configuration or design flaws that can compromise role based security schema)? Questions related to External Attacker SCADA perspective: Note: PGW has indicated that SCADA networks are in scope for the external attacker testing (although our experience is that SCADA devices are not usually exposed to the Internet), but PGW has not included this language for the internal attacker testing. Is SCADA in scope for both internal and external attacks? If not, please clarify which testing should include the SCADA environment. Are there any direct connections between any of the SCADA environments and the Internet? If so, please A32 A33 A34 Both SCADA is in scope for both internal and external attacker phases.

5 Q35 Q36 Q37 Q38 Q39 Q40 Q41 identify how many and what type of connections are used. Is the SCADA network protected by firewall partitioning between it and the internal PGW business network? If so, please identify the number of segmented SCADA zones environments involved. How many IP addressable devices are in the SCADA network? Of these, how many are PLC or other controllers or terminal access devices? What technical platforms are deployed in the SCADA environment that will be subject to testing? Are there any specific platforms or areas in the SCADA environment that must be excluded from testing of any type due to operational sensitivity or other factors? If so, please identify them. Questions related to a Malicious Insider perspective Can internal penetration testing be accomplished from a single location? If not, how many location, would need to be visited? Locations? A35 A36 A37 A38 A39 No Yes

6 Q42 Q43 Q44 Q45 Q46 Q47 Q48 Q49 How may internal IP addresses (devices) are considered to be in scope? Of those, how many are considered servers? Firewalls? Switches? Workstations? PGW has requested that physical security be tested at the main campus, gas plants, outlying stations and district offices. How many locations in total are there and geographic locations? Does PGW want these locations to be tested via social engineering techniques? If not please explain. How many of each category listed exists? How many would need to be tested? (e.g., sample size # or %, or all) Questions related to Wireless Testing: Please identify the geographic locations of each location to be included in the wireless testing. Please describe each location in terms of # buildings, square footage for each. For each location please provide: i. If a campus (or plant), please describe (in general terms) the grounds and approximate size and what is adjacent to the location (e.g. other offices, plants etc.) ii. How many Wireless Access Points are deployed at the location? 40 It will be a combination of servers, workstations, switches, routers and firewalls. Actual numbers will be provided to the successful proposer. 5 physical locations to be assessed and all lie within city limits(35 miles). Yes All should be tested. Test can be performed from one central location.

7 Q50 iii. Is this a multi-tenant facility, or is the building exclusive to your organization? iv. Does the location contain any managed Wireless LAN Controllers (WLCs)? If so, how many WLC s are in scope at the location? v. Please indicated the encryption key and access control methods employed (WPA, WPA 2,WEP, Enterprise, Shared Key, etc.) vi. Is guest wireless access provided at this location? vii. Is rogue wireless access point detection in scope? viii. Is assessment of wireless access intrusion monitoring in scope? ix. Is user access management in scope? x. Is change and configuration management in scope? xi. Is a signal strength analysis in scope? (this examination identifies the extent to which the wireless radio signal bleeds out to the exterior of the building) General Assessment Questions: From the RFP it was clear that the need was for external and internal penetration assessments. From reading through the entire RFP it seems to indicate that this will include the following that services you were interested in? Please indicate if this is accurate and remove or add services as necessary. External pen test, internal pen test, physical pen test, A50 Wardial and SAR are not in scope. Configuration and Policy review would be welcome if within budget.

8 Q51 Q52 Q53 Q54 Q55 wireless pen test, wardial, SAR, server, router, and firewall config review, policy and procedure review In the external attacker phase of the RFP it was mentioned about testing dial-up services. Would like a war dial assessment to be scoped in as well? Also in the external attacker phase it is mentioned, An examination and evaluation of PGW s current control practices. Does this mean you would like a policy and procedural type review or is this in regards to the technical penetration testing? Under the Malicious Insider Phase, The identification of potential vulnerabilities in network access controls, firewalls, routers, and the designed network topology. Are you also requesting a security architecture review of the network as part of these services, in addition to the penetration testing? Under the Malicious Insider Phase, A review of network and server configuration options and their implications to network security Are you also requesting a security architecture review of the network as part of these services, in addition to the penetration testing? Under the Malicious Insider Phase, it mentions An evaluation of current control practices. Does this mean you would like a policy and procedural type review or is this in regards to the technical penetration testing? A51 A52 A53 A54 A55 No wardial. Policy and procedure review would be welcome if within budget. Please provide a price quote separately. No No Policy and procedure review would be welcome if within budget. Please provide a price quote separately.

9 Q56 Q57 Q58 Q59 Are there any special requirements or considerations Verizon should be aware of (such as testing in a test environment vs. production, specific devices/services/functionality that should NOT be tested, or testing during specific hours of the day)? Did you want the pricing quoted as fixed price or time and material? External Network Penetration Test & Vulnerability Assessment Questions (i.e. testing is external or sourced from the Internet): Would you like Verizon to perform discovery scans on the given subnets to identify active devices on the network or will all active IP s be provided, if so please provide how many subnets and their size (e.g., 20 Class C or /24 networks)? How many "active" devices within the provided networks will be included in the network assessment? (An active device is an accessible IP address with at least one TCP/UDP service/port available or a Protocol such as ICMP). NOTE: If this assessment is for PCI compliance then any hosts or systems that have access to a PCI system is also within scope of PCI. So for example if a PCI system is on a flat internal network then your scope for the PCI assessment is not one active device, but for all your devices on the A56 A57 A58 A59 5 Special requirements if any will be given to the testers before execution. Fixed price We would like vendor to perform a discovery scan.

10 Q60 Q61 Q62 internal flat network. Would you like Verizon to exploit vulnerabilities or just validate and report their existence (Note: the exploitation of vulnerabilities does NOT include any DoS testing and is the beginning of the penetration testing vs. a vulnerability assessment which is to validate but not exploit vulnerabilities)? How many web applications will be tested from an unauthenticated point of view within the provided network subnets to be tested (i.e. no credentials to be provided to the applications as we are testing as an external attacker would) during the external assessment? For example a customer portal, corporate website, banking application, etc. should be included but please don t include applications such as OWA, SSL VPN interfaces, etc. (Please also list/identify the applications URL s here to be assessed, if available) Are the external networks and applications to be assessed hosted within your own environment or are any hosted by a third party provider at their data center (such as with Akamai for content delivery, web hosting/colocation provider, or other third party data center)? Note: If hosted by a third party you will need to get the appropriate authorization from the 3rd party provider. If an application is Akamai hosted we will need access to the origin server hosted on your network externally or you will need to get A60 A61 2 A62 We would like to exploit vulnerabilities. Hosted on site

11 Q63 Q64 Q65 authorization to allow testing the application they are hosting for your company. Would you like Verizon to retest the discovered vulnerabilities after you have had a chance to remediate them? (Upon request within 90 days Verizon will perform one retest the identified medium or higher vulnerabilities to verify remediation efforts). Note: If this is a penetration test for PCI compliance then retesting is required once the exploitable vulnerabilities have been remediated/corrected. Internal Network Penetration Test & Vulnerability Assessment Questions (i.e. testing is internal or taking place on site from a customer location): Would you like Verizon to perform discovery scans on the given subnets to identify active devices on the network or will all active IP s be provided, if so please provide how many subnets and their size (e.g., 20 Class C or /24 networks)? How many "active" devices within the provided networks will be included in the network assessment? (An active device is an accessible IP address with at least one TCP/UDP service/port available or a Protocol such as ICMP). NOTE: If this assessment is for PCI compliance then any hosts or systems that have access to a PCI system is also A63 A64 A65 40 A retest would be welcome if within budget. Please provide a price quote separately. We would like vendor to perform a discovery scan.

12 Q66 Q67 Q68 within scope of PCI. So for example if a PCI system is on a flat internal network then your scope for the PCI assessment is not one active device, but for all your devices on the internal flat network. Would you like Verizon to exploit vulnerabilities or just validate and report their existence (Note: the exploitation of vulnerabilities does NOT include any DoS testing and is the beginning of the penetration testing vs. a vulnerability assessment which is to validate but not exploit vulnerabilities)? Please provide the address where the internal testing will be performed. Note: If the devices to be assessed are at different physical locations but can all be fully accessed remotely from one location, then just provide the one address. If testing will need to take place from multiple physical locations then please indicate the addresses of all the locations. Wireless Vulnerability Assessment Questions: Please provide the address of each building and describe the locations. Such as the approximate distance between each building, the number of buildings at each location, the approximate size or estimated square footage of each building, and the number of floors at each location: (For example, 100 Test Lane, Test, NC 28104/ 3 buildings within 3 city blocks of each other/ 10,000 sq. feet total/5 A66 A67 A68 We would like to exploit vulnerabilities. Internal testing can be performed from one central location. Test can be performed from one central location.

13 Q69 floors) PHILADELPHIA GAS WORKS How many SSID s are configured at each location (for example location1 has 2 SSIDs accessible, location2 has 1 SSID, etc.)? Q70 Is rogue access point detection desired at each location? A70 Yes Q71 Q72 Q73 Q74 Q75 Q76 Would you like a security configuration review of a wireless access point and associated wireless client? Host Configuration Review (if applicable): What type of devices and quantity of each would you like reviewed? Please also provide OS version information. Please provide a description of the functionality of each of the devices and what information either flows through it and/or the data that is stored or processed on it. Please provide an estimate of how many configuration lines entries are to be reviewed if this is a network device (ex: Cisco router). Will you be able to provide a text file output of the configuration, screenshots, or will authenticated access to the device(s) be provided? Modem/War Dial Questions: Please provide the range of phone numbers to be tested, and number of expected carriers. A69 A71 A72 A73 A74 A75 A76 No Configuration review would be welcome if within budget. Please provide a price quote separately. Details may Configuration review would be welcome if within budget. Please provide a price quote separately. Details may Configuration review would be welcome if within budget. Please provide a price quote separately. Details may Yes Wardial is not in scope.

14 Q77 Q78 Q79 Q80 Q81 Q82 Would you like us to (1) just identify vulnerable dial-in entry points or (2) do you want us to exploit them to gain access to the network? Site Security (Physical Penetration Test) Assessment Questions (if applicable): Please provide the address of each building, approximate distance between each building, the number of buildings at each location, the approximate size or estimated square footage of each building, and the number of floors: (For example, 100 Test Lane, Test, NC 28104/ 3 buildings within 3 city blocks of each other/ 10,000 sq. feet total/5 floors). Are all the buildings to be assessed solely occupied by your company or are they multi-tenet buildings such as a high rise building? If it is multi-tenet building, are any of the common areas or floors shared with other companies? Are there any sensitive areas such as bank vaults or government facilities (such as a SCIF)? Also please indicate if there are any armed guards at any of the locations? If it is a shared facility is there a receptionist or security that is provided by the facility owner or property manager? Is this a Data Center that is solely owned or occupied by your company or is it third party data center that you lease out a cabinet or cage from? A77 A78 A79 A80 A81 A82 5 physical locations to be assessed and all lie within city limits(35 miles). All locations are solely occupied by PGW. Solely owned

15 Secure Network Architecture Questions (if applicable): Q83 How many sites (including remote offices, hubs, Data A83 Centers, etc.) are within your network? Q84 Approximately how many routers, core switches (not access A84 layer switches), and firewalls are in your environment? Q85 Do you have logical, physical, and data flow diagrams A85 already created and up to date? Q86 Approximately how many users do you have? A86 Q87 Q88 Q89 Q90 Q91 How many internet connections does your organization have? Approximately how many extranet/3rd party connections do you have to business partners or service providers? Firewall Configuration Review (if applicable): How many firewalls are to be reviewed and please provide the vendor and model/version information? Please also indicate if there are virtual/context based firewalls configured for any of the firewalls and how many. How many active interfaces/sub-interfaces does each firewall have (If the firewall is context-based/virtual firewalls please answer this for virtual firewall)? How many configuration line entries (access control list entries) does each firewall have? A87 A88 A89 A90 A91 Configuration review would be welcome if within budget. Please provide a price quote separately. Details may Configuration review would be welcome if within budget. Please provide a price quote separately. Details may Configuration review would be welcome if within budget. Please provide a price quote separately. Details may

16 Q92 Q93 Would you be able to provide information about the IP subnets in the firewall access lists or route tables? Please also provide if the firewalls are in HA (High Availability) active/active or active/standby configuration? A92 A93 Configuration review would be welcome if within budget. Please provide a price quote separately. Details may Configuration review would be welcome if within budget. Please provide a price quote separately. Details may