RFQ No B134 Payment Card Industry (PCI) Scanning Services for the Metropolitan Washington Airports Authority

Transcription

1 Questions and Answers RFQ No B134 Payment Card Industry (PCI) Scanning Services for the Metropolitan Washington Airports Authority Notice: Questions may have been edited for clarity and relevance. 1. Please provide the number of physical locations for the assessments to take place in. Answer: There are two physically and logically separated areas (Ronald Reagan Washington National (DCA) and Washington Dulles International Airport (IAD)). 2. Please provide the approximate number of target hosts from both an external and internal network perspective. Answer: Currently, there are less than 150 internal target hosts and less than 25 external IP addresses. 3. Please provide the number of different web applications to be assessed from both an external and internal network perspective. Answer: There are currently less than 5 web applications (internal and external). 4. Within the RFP there is conflicting data as it relates to Penetration Testing. It indicates in the pricing that the MWAA is looking for quarterly pen-testing but in the scope it indicates annual pen-testing. PCI-Requirements dictate an annual pen-test, just confirm if this is or is not the requirement. Answer: The SOW is scoped to PCISSC The PCI-DSS currently requires an annual pentest and after any significant change to the organization s PCI environment. The contract will require one annual pentest, with the possibility of another (and up to four total per year). See Amendment 002 to the Request for Quotations for changes to the Statement of Work and Price Schedule. Page 1 of 5

2 5. Will the MWAA entertain a combination web based and on-site scanning and testing solution? Answer: Yes, the winning quoter will have the opportunity to discuss their intended plan. 6. Does the MWAA have onsite IT staff or does it use managed services? Answer: MWAA has onsite IT staff and has an MSS provider. 7. Within how many days after award of the contract would the MWAA like the penetration test administered? Answer: It is expected that the pentest will occur within three months after contract award. 8. What are the organizations biggest security concerns? Examples include information disclosure, interruption of service, brand tarnishment due to defacements)? Answer: The primary objective is compliance with the PCI-DSS, but the Authority also seeks to avoid any disruption of service i.e. revenue stream and inconvenience to its customers. 9. Will the Penetration Test be conducted against a live production environment or a test environment? Answer: Pentests will be conducted against the live PCI environments. 10. Do any third parties that own systems or networks that are in scope as well as which systems they own (written permission must have been obtained in advance by the third party target organization)? Answer: Any systems to be scanned/pentested will have appropriate written permissions. 11. What is the number of External IP Addresses in scope for the penetration test? Answer: The total number of external IP addresses is less than 25. Page 2 of 5

3 12. What is the number of Internal IP Addresses in scope for the penetration test? Are client/end-user systems included in the scope? Answer: The total number of internal system is less than 150 at this time. These will include the client systems in the PCI environments. 13. Is social engineering allowed? If so, how may it be used? ( s, Phone calls, Client side exploit attempts) Answer: Social engineering is not applicable for this effort. The contract is being scoped to only cover the PCI-DSS 14. How many wireless networks are in scope for the penetration test at each location? 15. What transmission protocols are in use? WIFI, Bluetooth, or Zigbee protocols? 16. Can wireless networks be sniffed? War driving to identify any rogue wireless networks should be included. Known wireless SSIDs will be discussed. 17. Can a maninthemiddle attacked be executed on the wireless network? Maninthemiddle attacks will not be necessary. 18. Can the testing team attempt to crack wireless encryption keys? requirements and does not include attempts to crack wireless encryption keys. 19. Do you have wireless authentication mechanisms that are currently in use? The wireless authentication mechanisms are out of scope for this contract. Page 3 of 5

4 20. Is any sensitive data transmitted via the wireless network i.e. credit card data? Answer: No credit card data traverses an Airports Authority wireless network. There is wireless network in the PCI environment that used to record and transmit license plate data. 21. Do you have an inventory of the access points? Answer: A list of access points will be provided before the scan and subsequent pentest. 22. Do you have a technical solution in place to identify rogue access points on the network? Answer: Yes, this will be explained to the successful quoter. 23. Are there any restrictions on when testing can be conducted after business hours weekends etc.? Answer: Yes, a scanning and pentesting must adhere to a preplanned schedule. 24. Will the penetration test include the following techniques? Ping sweep of network ranges Port scan of target hosts Vulnerability scan of targets Penetration into targets Application-level manipulation Clientside JavaActiveX reverse engineering? Physical penetration testing 25. Are denial of service attacks allowed? Page 4 of 5

5 26. Are dangerous checks exploits allowed? 27. Are there any web based applications that could potentially be in scope of the test? Answer: Yes, web interfaces are part of the scan. 28. What language is the web app written in? What is the number of web forms inputs in the application? What is the number of pages in the application? The primary web apps were developed and PCI certified by the contractor supporting PRCS. Page 5 of 5