August 6, 2015

McHenry County Government Center
Purchasing Department
Donald Gray, CPPB, Director of Purchasing
2200 N Seminary Avenue, Administration Building Room 200
Woodstock, IL 60098
Phone: 815-334-4818
Fax: 815-334-4680

ADDENDUM #1
RFP # 15-74 Provide Information Security Assessment and Penetration Testing
Due August 11, 2015 at 2:00PM (CST)

Additions & Clarifications to RFP/Bid

Internal Penetration Testing:
Question #1: How many locations? Addresses? How many servers/targets?
Response #1: 3 locations. The addresses of the locations will be disclosed with the successful vendor. The number of servers/targets is to be determined during the testing.

Application Penetration Testing:
Question #2: How many applications? URLs would be helpful. How many directories in each application? How many user roles in each application? The RFP calls out authenticated/unauthenticated, but I want to clarify how many authenticated user roles.
Response #2: This information is to be determined during the testing.

Wireless Penetration Testing:
Question #3: How many locations? How many WAPs?
Response #3: 3 locations. The number of WAPs is to be determined during the testing.

Social Engineering:
Question #4: Roughly how many employees do you want e-mailed? How many e-mail attempts are you looking for (we can send one message and analyze the response set, or we can send multiple)?
Response #4: 50 email addresses.

Question #5: Pages 3-5 describe prevailing wage and OSHA requirements. However, the McHenry County prevailing wage website doesn't list any professional services (only physical/manual labor). I assume this does not apply to the scope of this project?
Response #5: That is standard verbiage in all the County's Bid documents. The specifications would reference if needed or not.
Question #6: Page 5: does the substance abuse policy apply to this type of engagement? The statement refers to "engaged in the construction of the public works".
Response #6: That is standard verbiage in all the County's Bid documents. The specifications would reference if needed or not.

Question #7: Section I: Of the 50 live external IP addresses, how many of them are HTTP or HTTPS (web) servers?
Response #7: To be determined through the testing.

Question #8: Does the County require internal penetration testing to be performed onsite, or can remotely controlled appliances be used?
Response #8: Onsite.

Question #9: Should the proposal include a vulnerability assessment or a penetration test, or both? The RFP describes these tests as "Internal Network Vulnerability Assessment and Penetration Testing". Typically, vulnerability assessments are performed with privilege (a valid username/password with sufficient privileges to read configurations/installed software) and penetration tests are performed blind (no privilege). Likewise, penetration testing is focused on identifying vulnerabilities, exploiting them, taking command-and-control of the systems, leveraging them to discover and attack other systems, increasing privileges, and compromising more and more systems with higher and higher asset values. A penetration test simulates the actions of a motivated criminal hacker who's targeted your systems or networks. A vulnerability assessment is intended to identify raw vulnerabilities by using privileged access to systems, but not to exploit them or exfiltrate data from them. An advantage of a vulnerability assessment is that it is relatively quick and produces a large number of actionable results (mostly missing patches, misconfigured services, etc.). A big advantage of penetration testing is that it simulates the actions and activities of a criminal hacker who's motivated to compromise systems and steal data/resources. Penetration testing uncovers critical flaws in administration activities, system design, system configuration, weak security controls, etc.
Response #9: Both.

Question #10: Approximately how many servers, workstations and total live IP addresses exist within the County's internal networks?
Response #10: This information is to be determined via the assessment.

Question #11: How many sites will be in scope for wireless assessment/penetration testing? How many SSIDs per site? How many SSIDs total? Please provide the building address for each in-scope property.
Response #11: 3 sites. The number of SSIDs is to be determined through the testing.

Question #12: Note: Many organizations use wireless switches or cloud-controlled APs. If all locations have the same wireless configuration and same SSIDs, a sampling of 2-3 buildings may be sufficient to conduct a thorough test.
Response #12: Yes.

Question #13: Will non-production systems be available for testing each in-scope application?
Response #13: Non-production testing systems can be provided for assessment for some of the listed systems.

Question #14: Are all of the applications hosted within the County's data center(s)? Are any hosted and managed by a third party?
Response #14: Yes, all applications are hosted in the County's Data Center. None of these systems are hosted and managed by 3rd parties.

Question #15: Will any of the in-scope applications require being onsite for testing?
Response #15: Yes.

Question #16: Will the SharePoint site be a single server, or are there multiple instances of SharePoint in scope for testing?
Response #16: Single instance, multiple servers.

Question #17: Are each of the in-scope applications web/browser based? Are there any mobile applications or APIs in scope for testing?
Response #17: The majority of the applications listed are web-based. There are no mobile applications for this testing.

Question #18: Note: Depending on the answers to the questions above, SynerComm may want to see a demonstration of each application to determine its size and complexity. Application assessments can be quite lengthy, therefore scoping them properly is very important.
Response #18:

Question #20: With regards to limiting the testing pool to 50 email addresses, could multiple attacks be sent to the same 50 email addresses? Or is the intention to make sure that no more than 50 recipients are included in each email-based attack?
Response #20: We would like to limit the testing pool to 50 email addresses for all testing. No new recipients please.

Question #21: Page 16 of the RFP describes "Attack and gain access". The bullets appear to suggest that the social engineering tests should be limited to collecting information on the system that was compromised. Should any compromised systems be used to discover and attack other systems (pivoting)? Or is the intention to use the internal penetration test to cover the next steps/paths of a successful social engineering attack?
Response #21: Collect information on the compromised system, discover other systems that could be compromised as well, and discuss what the next steps would be after a successful social engineering attack.

Question #22: Due to the short amount of time between the Q&A release and due date, will the County extend the due date to allow adequate time to incorporate the County's clarifications and answers into the response?
Response #22: No.

Question #23: What is the size of the internal IP space?
Response #23: The internal IP space is comprised of multiple private subnets. We would like to see what network information can be discovered with little or no input from us.

Question #24: How many wireless network locations are in scope?
Response #24: This is to be determined during the testing.

Question #25: Section I: What is the number of IP addresses in scope, both live and dead?
Response #25: The external IP address space is a class C subnet.

Question #26: What are the locations for the internal network penetration test?
Response #26: There will be 3 locations, and the specifics will be discussed with the winning vendor.

Question #27: What is the total number of IP addresses in scope for each location?
Response #27: This is to be determined during the testing.

Question #28: What is the approximate number of servers, network devices and workstations?
Response #28: This is to be determined during the testing.

Question #29: Is it possible to perform the Internal Network Penetration Testing via PIN?
Response #29: No.

Question #30: What are the locations for this phase? Are they the same locations as for the Internal Network Penetration Testing?
Response #30: Yes.

Question #31: How many access points, networks and SSIDs will be in scope for every location?
Response #31: This is to be determined during the testing.

Question #32: What is the size of each location (number of floors, square feet, etc.)?
Response #32:
Location one: 3 floors, SQ FT NA
Location two: 2 floors and basement, SQ FT NA
Location three: 3 floors, SQ FT NA

Question #33: How many input pages does each of the applications in scope have?
Response #33: To be determined with the successful vendor.

Question #34: How many user profiles will be included for each application?
Response #34: At most 1 user profile will be provided.

Question #35: Are all the applications remotely accessible?
Response #35: No.

Question #36: Could you describe the functions and actions users can perform in each application (for example, upload images/videos/attachments, create/edit/view blog posts/comments, register, login, manage profiles, search, etc.)?
Response #36: To be determined with the successful vendor.

Question #37: How many domains will be included in the harvesting process?
Response #37: One.

Question #38: Section I: While the RFP states "document how discovered vulnerabilities could be exploited", should any active exploitation be performed as part of this section?
Response #38: No, but document what could be done.

Question #39: Is this testing to be performed onsite, or will remote access be provided? Will the internal vulnerability assessment be credentialed or un-credentialed? Approximately how many internal IPs will be assessed as part of the Internal Vulnerability Assessment/Penetration Test?
Response #39: Un-credentialed (blind user). This is to be determined during the testing.

Question #40: How many physical locations are in scope?
Response #40: 3 sites.

Question #41: Are these applications internet accessible or only internal? If internal, will remote access be provided, or will these be tested onsite?
Response #41: Internal only, and testing will be done on site.

Question #42: If a victim is successfully compromised, does the county desire to see how far this could be used to pivot/gain additional access, in addition to the local enumeration/exploitation listed (view local file system, take screenshots, deploy key logger, etc.)?
Response #42: Yes.

Question #43: Are these tests being driven by a compliance requirement, the desire to be more secure, or something else?
Response #43: Desire to be more secure.

Question #44: Can this assessment be conducted remotely?
Response #44: The external assessment should be done remotely; the internal assessment is required to be done on site.

Question #45: Are there any gateways or direct access to Criminal History Record Information (CHRI) repositories? If so, will the vendor require CJIS certified professionals?
Response #45: CJIS certification is not required.

Question #46: Does the county have updated network diagrams?
Response #46: Yes.

Question #47: Are computer and application assets managed with automated tools/repositories, and will those be current at the time of the assessment?
Response #47: Yes.

Question #48: Does the county perform vulnerability scanning with remediation?
Response #48: Yes.

Question #49: Are employees permitted to use personal devices? If so, can they access county applications? Are they allowed to gain Internet access via WiFi on segregated networks?
Response #49: No personal devices connect directly to County networks. Segregated WiFi networks are available for public devices to connect.

Question #50: Does the county know what its current risk exposure is? Does the county feel confident it will perform well during an audit?
Response #50: To be determined.

Question #51: May the vendor be free to install the tools necessary to conduct the assessments/pen tests?
Response #51: Yes, as long as they are documented and an uninstall is provided.

Question #52: Are there areas, offices/locations, the county would consider higher risk than others?
Response #52: Yes.

Question #53: In the unforeseen event that something should break or business functionality is interrupted, who is liable? In other words, misconfigurations, setup, outdated software/hardware, etc. What happens if testing causes serious problems resulting in loss of data and/or business functionality?
Response #53: The County will work with the successful vendor on a case by case basis to control liability.

Question #54: How many virtual servers are in scope for the Internal Penetration Testing?
Response #54: N/A

Question #55: Are workstations standardized with respect to the OS and hardware across the entire network?
Response #55: Yes.

Question #56: How many Active Directory domains are operating and to be covered in the scope?
Response #56: One.

Question #57: What are the pertinent operating systems in the scope of the assessment?
Response #57: This is to be determined during the testing.
Question #58: How many active internal IPs/hosts do you have?
Response #58: This is to be determined during the testing.

Question #59: Are mobile devices in the scope for the assessment?
Response #59: No.

Question #60: Will the penetration test include the DMZ?
Response #60: Yes.

Question #61: Is the vendor to presume the external penetration testing is White Box form?
Response #61: The penetration testing should be done from the perspective of not having any knowledge of our network.

Question #62: How many wireless networks and access points (AP)?
Response #62: This is to be determined during the testing.

Question #63: Does the penetration assessment include mobile apps?
Response #63: No.
Question #64: Will the vendor be provided access to support portals/documentation, including best practices guides to IJustice, Performance Series, Microsoft Dynamics Great Plains and New Dawn?
Response #64: No.

Question #65: Are cloud services and any SaaS products used by the county going to be addressed?
Response #65: No.

Question #66: One noted specification is "Attempt to gain access to an employee's machine via e-mail, phone, or other means." Does this include physical access simulated by an after-hours cleaning crew or unauthorized person?
Response #66: No physical access.

Question #67: Effective spear-phishing campaigns may require having the vendor's mail server whitelisted. Can the vendor's server(s) be white-listed as required?
Response #67: No.

Question #68: What is the expectation of examples of past deliverables and reports? Is a detailed description of reporting structure and contents sufficient to communicate the contents without compromising sensitive information of past clients?
Response #68: Yes.

Question #69: How many sites and wireless networks apply to the wireless penetration test?
Response #69: 3 sites. The number of wireless networks is to be determined during testing.