Your Enterprise Our Security… - VA-PT (RTA) Test Generic RFP · 2018-01-21 · 4. Internet...

VA-PT (RTA) TEST GENERIC RFP Vulnerability & Penetration Testing Requirement for the Client

MAY 15, 2017

FRED INTELLIGENCE LIMITED

Registered Office: Plot# Dcc-Kha-56 | Amena Tower | Level-4 | Shahjadpur | Gulshan-2 | Dhaka –1212 | Bangladesh

Support Office: Plot#GP-32/B/1 | Level-1 | Shahjadpur | Gulshan-2 | Dhaka –1212 | Bangladesh

Phone: +8801817031444 | 8801977031444 | Email: [email protected] | www.fredbd.com


© Copyright All rights Reserve Bijoy K. Chowdhury, CEO, FRED INTELLIGENCE LIMITED

General Instructions for all bidders:

A bidder may apply for Module-A, Module-B, or both. Each Module has its own bidding terms and conditions. Bidders must follow the procedures set out below.

Module-A: Sub: Request for Proposal for conducting Vulnerability Assessment and Penetration Testing (VAPT) of our ABC Bank’s network, systems and applications etc., as per ‘Scope of Work’.

Objective: A vulnerability is a security hole in a piece of software, an operating system, hardware or a network system that provides a potential angle for attacking the system. The objective of penetration testing (PT) is to search proactively for the vulnerabilities exposed to an attacker from any angle, external or internal. ABC Bank Ltd. intends to conduct penetration testing to identify the vulnerabilities it is currently exposed to, so that an appropriate set of responses to those threats/risks can be taken and the risks mitigated.

Vulnerability assessment: The purpose of the vulnerability assessment is to discover all systems on the perimeter network and on the internal network that are exposed to the Internet or reachable internally, and to assess these systems for security vulnerabilities. Internal vulnerability testing and configuration reviews are performed against an appropriately sized sample of systems and network devices, representative of the environment, to determine whether platforms and devices are hardened to industry security standards. Testing is performed both from the Internet, from an external perspective, and from the internal network, limited to approved IPs or ranges. It is explicit that the penetration tester should conduct the vulnerability assessment in consultation with the concerned personnel and with the proper permission of the Bank. Finally, remediation and recommendations must be provided.


Expected outcome of the assessment:

The information maintained should be secured from external and internal threats (intruders, hackers, script-kiddies, theft etc.) to the network, systems and applications;

To know the process for identifying vulnerabilities, whether they originate from the Internet or from the internal network;

To comply with regulatory requirements on information security;

To implement a formal, repeatable security awareness process and capability to ensure ongoing diligence in managing risks associated with the Bank's security position;

To assess the risk of different categories of data according to the different levels in the company;

To acquire a better understanding of security measures in order to ensure the integrity and confidentiality of data.

Scope of work:

The scope of work includes external penetration testing through the external IP addresses and internal penetration testing through the block of private IPs that connect the bank’s network, systems and running applications. It also covers identifying, understanding and verifying the weaknesses, misconfigurations and vulnerabilities associated with them. The following areas are to be considered for vulnerability assessment and penetration testing:

Network device configuration reviews, performed through the collection and analysis of data from a sample of network devices such as firewalls, routers, switches and wireless access points.

Network-based vulnerability scanning of a sample of internal systems to assess systems, network devices and applications for vulnerabilities and security weaknesses.

Review of automated scan results with manual testing to reduce false positives.

Analysis of findings to determine and document the risk severity level, systems impacted and a business risk summary for each finding.

Host discovery to identify live hosts on the in-scope IP address ranges.

Network-based vulnerability scanning of DMZ and non-DMZ network devices for vulnerabilities and security weaknesses.

Manual testing to identify vulnerabilities and security weaknesses that cannot be discovered through automated testing.


For all application vulnerability assessments and penetration tests, the OWASP Top Ten project will be applicable.

Determination and documentation of practical remediation recommendations, and of the remediation effort level, for each finding are to be produced.

The vulnerability assessment and penetration test must include the following. During VAPT the penetration tester should consider these tests, but not be limited to them:

Perform information gathering and penetration testing on devices and hosts of ABC from within the network.

Attempt to guess passwords of systems using password-cracking tools.

Attempt to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks.

Check whether any vulnerability exists in the servers, databases, applications, network and security devices in scope, without disrupting operations.

Ascertain that the IDS is configured for intrusion detection, that suspicious activity on hosts is monitored and reported to the server, and that firewall and IDS logs are generated and scrutinised.

Spoofing and network sniffing.

All Trojan activities.

All penetration tests must comply with the ICT security guideline for scheduled banks.

Tools used in the VAPT process must be authentic, renowned and licensed.

Penetration Testing Deliverables:

The final report of the penetration test should follow the structure below: Executive Summary; Technical Findings; Supplemental Data; Appendices.

Final Report should include:

1. A detailed assessment and analysis of the weaknesses detected; 2. An evaluation of the impact and probability of exploitation associated with each security weakness; 3. Corrective actions; 4. Recommendations for mitigating the risks associated with each vulnerability.


The final report should be presented in logical sections, as described below, for management and technical audiences, and be written in clear, understandable English.

Executive summary - a high-level summary of results, recommendations, and the overall security posture of the assessed environment.

Supplemental data - a supplement containing the technical details of any key findings and a comprehensive analysis of critical flaws. This section also often includes sample data recovered during the exploitation of critical or high-risk vulnerabilities.

Appendices - detailed records of all activities conducted by the testing team and the tools used during the engagement

Technical Requirements: The following technical criteria should be met for the above scope of work.

SL No   Requirements   Comply (Tick Yes / No)

1. Asset scanning shall support the following types of test in one single scan:

Vulnerability

Application/Web Application Scanning

Policy Compliance.

2. Shall have the functionality to perform a safe scan for fragile devices.

3. Shall have granular controls for managing scan speed and resource usage:

Maximum retries

Timeout Interval

Scan Delay

Packet-Per-Second Rate

Parallelism.

4. Shall support the discovery of assets in virtualized environment (e.g. VMWare, Microsoft Hypervisor or equivalent).

5. Shall be able to perform TCP scanning in full connection scan and stealth scan (including but not limited to SYN, SYN+FIN, SYN+RST, SYN+ECE).

6. Shall be able to automatically pause scheduled scans if they cannot complete within the predefined duration.

7. Scans shall support credentialed login to devices, including but not limited to CSV, FTP, HTTP, Microsoft Windows, Samba (SMB/CIFS), Oracle, POP, SNMP, SSH and Telnet.

8. Scans shall support credentialed login to databases, including but not limited to Oracle and Microsoft SQL.


9. Shall be able to provide a holistic view of the environment where users can drill down at any stage to explore:

Sites

Assets

Vulnerabilities

Exploits

Malware

Policies

Installed Software

Services

Users & Groups

Databases

Files & Directories Listing.

10. Shall have the functionality to create dynamic groups by setting conditions including but not limited to asset name, asset risk score, CVSS, host type, IP range, Operating System (OS) name, service name, site name, software name and vulnerability type.

Below is a list of general issues one might find in a typical operating system, network or web application installation:

Unnecessary open shares

Unused user accounts

Unnecessary open ports

Rogue devices connected to various systems

Dangerous script configurations

Servers allowing use of dangerous protocols

Incorrect permissions on important system files

Running of unnecessary, potentially dangerous services

Default passwords on certain devices

Unnecessary services running on some devices

Running web services that contain known vulnerabilities

Dangerous applications such as peer-to-peer applications

Third-party applications that are vulnerable to known exploits

Web Application Scan

11. Shall be able to cover all OWASP Top 10 Web Application Security Risk.

12. Shall include robust next-generation web application scanning capabilities against complex web technologies, including but not limited to Oracle HTTP, WebLogic, VB, AJAX, ASP.NET 2.0, PHP and Flash-based sites.

13. Shall support credentialed login through HTTP Form and Basic/Digest authentication for scanning.

14. Shall support web spidering/crawling to gather security-related information such as directory structures, files and applications running on the web servers.

15. Shall have the functionality to set the scan rate, such as threads per web server and spider request delay, to control bandwidth consumption and scanning time.


16. Shall have the functionality to set limit of maximum foreign host to resolve, maximum directory level, maximum spidering / crawling time, maximum pages and maximum link depth.

17. Shall have the functionality to exclude scan by HTTP daemon and path.

Vulnerability and Risk Management

18. Firewall, Router and Switch role vulnerability checks:

1. Network configuration vulnerability checks

2. Web server configuration vulnerability checks

3. Application server configuration vulnerability checks

4. Operating system configuration vulnerability checks

19. Shall have at least 3 types of criticality rating to calculate risk score.

20. Shall be able to provide information on how to develop exploit(s) to demonstrate and validate the vulnerability found.

Penetration Testing

21. Shall support direct integration with the proposed vulnerability management solution (without manual/human intervention for exporting and importing scan results).

22. Penetration tasks (e.g. scan, exploit) can be built to run on Schedule.

23. Shall support standard and customized reporting functionality for penetration testing related reports.

24. Shall be able to apply exploitation on individual or multiple IPs or hostnames been imported.

25. Exploit modules shall be applied automatically based on OS, service and vulnerability reference.

26. Shall support post-exploitation actions including but not limited to collecting system data (screen capture, passwords and system information), building a virtual desktop connection, accessing the file system, searching the file system and running a command shell.

27. All penetration tests must comply with the ICT security guideline as per the Bangladesh Bank guideline and Bank requirements.

Deliverable Report and Data Export

28. Shall include access controls to reports based on user roles.

29. Must Cover Bangladesh Bank ICT Guideline and Bank Requirements in Deliverable report.
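As an added illustration of requirements 10 (dynamic asset groups built from conditions such as asset name, risk score, CVSS, host type, IP range, OS name and service name) and 19 (at least three criticality ratings feeding a risk score), the following Python is example code written for this page; it is not the RFP's text nor any vendor's tool. The asset inventory and the grouping rules are constructed sample data, and the CVSS thresholds and the risk-score formula are assumptions chosen for illustration, not a scheme the RFP prescribes.

```python
"""Dynamic asset grouping and three-band criticality rating over scan results.

Added example for this page. The asset inventory and the grouping rules are
constructed sample data; the CVSS bands and the risk-score formula are
assumptions chosen for illustration, not a scheme the RFP prescribes.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    ip: str
    host_type: str
    os_name: str
    services: list          # service names found open on the asset
    cvss_scores: list       # CVSS base scores of the asset's open findings


# Constructed sample inventory (not real hosts).
ASSETS = [
    Asset("core-db-01", "10.10.1.5", "server", "Oracle Linux 7",
          ["oracle-tns", "ssh"], [9.8, 5.3, 4.0]),
    Asset("ib-web-01", "172.16.20.8", "server", "Windows Server 2012",
          ["http", "https"], [6.5, 5.0]),
    Asset("branch-sw-07", "10.20.3.2", "network device", "Cisco IOS",
          ["snmp", "telnet", "ssh"], [7.5]),
    Asset("hr-laptop-14", "10.30.5.77", "workstation", "Windows 10",
          ["smb"], [3.1]),
]


def criticality(cvss: float) -> str:
    """Three-band rating; thresholds follow the CVSS v3 qualitative scale (assumed)."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def risk_score(asset: Asset) -> float:
    """Assumed formula: the worst finding sets the score and each further finding
    adds 0.1, so a host with many findings outranks a host with one of equal
    severity; capped at 10.0 to stay on the CVSS scale."""
    if not asset.cvss_scores:
        return 0.0
    worst = max(asset.cvss_scores)
    return round(min(10.0, worst + 0.1 * (len(asset.cvss_scores) - 1)), 2)


def _attributes(asset: Asset) -> dict:
    """Map the RFP's condition fields onto the asset record."""
    return {
        "asset_name": asset.name,
        "asset_risk_score": risk_score(asset),
        "cvss": max(asset.cvss_scores, default=0.0),
        "host_type": asset.host_type,
        "ip_range": ipaddress.ip_address(asset.ip),
        "os_name": asset.os_name,
        "service_name": asset.services,
    }


def matches(asset: Asset, condition: tuple) -> bool:
    """Evaluate one (field, operator, value) condition against an asset."""
    field_name, op, value = condition
    actual = _attributes(asset)[field_name]
    if op == "in_range":                    # IP address inside a CIDR block
        return actual in ipaddress.ip_network(value, strict=False)
    if op == "contains":                    # case-insensitive substring match
        candidates = actual if isinstance(actual, list) else [actual]
        return any(value.lower() in str(c).lower() for c in candidates)
    if op == ">=":
        return float(actual) >= float(value)
    if op == "<":
        return float(actual) < float(value)
    raise ValueError(f"unsupported condition: {condition!r}")


def dynamic_group(assets, conditions, match="all"):
    """Return the names of assets whose attributes satisfy the conditions
    (match="all" requires every condition, match="any" at least one)."""
    combine = all if match == "all" else any
    return [a.name for a in assets if combine(matches(a, c) for c in conditions)]


def by_criticality(assets) -> dict:
    """Bucket assets into the three bands by their worst finding."""
    buckets = {"High": [], "Medium": [], "Low": []}
    for a in assets:
        buckets[criticality(max(a.cvss_scores, default=0.0))].append(a.name)
    return buckets


if __name__ == "__main__":
    groups = {
        "core-segment-high-risk": ([("ip_range", "in_range", "10.10.0.0/16"),
                                    ("asset_risk_score", ">=", 7.0)], "all"),
        "legacy-mgmt-protocols": ([("service_name", "contains", "telnet"),
                                   ("host_type", "contains", "network")], "all"),
        "windows-estate": ([("os_name", "contains", "windows")], "all"),
    }
    for label, (conds, mode) in groups.items():
        print(f"{label}: {dynamic_group(ASSETS, conds, mode)}")
    print(by_criticality(ASSETS))
```

The conditions are evaluated against the live attribute values each time, which is what makes a group "dynamic": re-running a scan that changes an asset's findings moves it in or out of a group without anyone editing the membership list. A real product would add the remaining fields the RFP names (site, software, vulnerability type) in the same way.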


Vulnerability Assessment and Penetration Testing Scope (System, Network, Application)

SL#   System   Exposure (Internal/External)   Qty

1. Core Banking Application

2. Core Banking Database

3. Internet Banking App

4. Internet Banking Database

5. BACH App

6. BACH Database

7. BEFTN App

8. BEFTN Database

9. RTGS App

10. RTGS Database

11. PIMS App

12. PIMS Database

13. ISS Reporting App

14. ISS Reporting Database

15. IBTA App

16. IBTA Database

17. SMS Portal App

18. SMS Portal Database

19. QuickPay Application

20. Quickpay Database

21. CIB App

22. CIB Database

23. Cheque Requisition App

24. Cheque Requisition Database

25. DPDC Bill Collection App

26. DPDC Bill Collection Database

27. WASA Application

28. WASA Database

29. DESCO Bill Collection APP

30. DESCO Bill Collection Database

31. SSO APP

32. SSO DB

Router Qty

33. Core Router

34. BACH Router

Switch Qty

35. Core Switch

36. Access Switch


Firewall Qty

37. Core Firewall

38. Internet Firewall

EVALUATION FACTOR:

SL No.   Subject / Area   Bidder's Response   Comments

1 Completion of all required responses in the correct format.

2 The bidder (a local company, or foreign vendors associated with a local company) should have a minimum of 03 (three) years' experience in vulnerability assessment and penetration testing of any bank or financial organization.

3 An assessment of the vendor's ability to deliver the indicated service in accordance with the specification set out in this RFP.

4 The vendor's stability, experience and record of past performance in delivering such services.

5 Availability of sufficient high-quality vendor personnel with certifications such as Certified Ethical Hacker (CEH), OSCP, CISA, CISSP, CISM, PCI QSA, FCA or ISA is preferable.

6 Proven reference of conducting the similar activities preferably in a bank.

7 Must have licensed and approved tools used in the cyber security industry.

8 Bidders must have a PCI QSA (Qualified Security Assessor) to define and form the PCI security standards.

9 Experience/certificate of association with foreign vendor must be submitted.

10 Project must be overseen and supervised by a GIAC certified security expert (GSE).

11 The project execution team must have the highest security clearance and team members who have direct experience with IT operations and security.

12 The team should consist of red, blue and purple team members.

13 The trainer should have experience in delivering technical course content with the relevant course materials to international audiences where English is not the primary language.

14 The trainer should be a registered and certified instructor from a world-renowned education/training organization (i.e. (ISC)2, ISACA, SANS).

15 Course authors on Advanced Penetration Testing, IT Governance, IT Compliance, Digital Forensics, Incident Response and related subjects will be preferred.


BIDDER’S PROFILE

1. Introduction [Brief introduction of the firm with contact information such as address, telephone no., fax no. etc.]

2. Registration Certificates [Firm registration information such as incorporation date, copy of trade license etc.]

3. Main Business & Services [Details of main business and services rendered]

4. Technical Support Team [Detailed CV of each member of the technical support team]

5. Any other information felt necessary to be provided along with the firm profile.

SUBMISSION OF BID DOCUMENTS: The bidder shall deliver the technical proposal bound, sealed and labeled as “Technical Proposal”. The financial proposal should be provided in a separate sealed envelope labeled as “Financial Proposal”. Please provide original brochures of the proposed items. The business and technical proposal shall contain the following:

a. Signed bid document;

b. Power of attorney (authorizing the person to sign and initial the bid document on behalf of the company);

c. Documents showing eligibility of the bidder as mentioned in the Terms and Conditions section;

d. Response to the eligibility criteria as mentioned in the evaluation criteria of this document;

e. Technical description of the deliverables to demonstrate the specified technical requirements;

f. Response to the bidder’s profile section of this document;

g. Response to the technical requirements of this document; and

h. Any other things required for the general, business and technical proposal.

The financial proposal shall contain the following:

a. Bid security pursuant to the performance security section;

b. Financial proposal according to the scope of work and technical requirements;

c. Any other things required for the financial proposal.

Correction or Amendment of bidding documents: The Bank may, for any reason, whether at its own initiatives or in response to a clarification requested by a prospective bidder, modify the bidding documents.

Opening of Technical Proposal: The proposals submitted against the subject RFP will be opened in front of the purchase committee of ABC Bank Limited. The financial offer will be opened at a later date, which will be notified in advance. Only technically qualified offers will be opened.

Pre-Bid Meeting: The Bank will arrange a pre-bid meeting on ……….., 2017 with the participating bidders to discuss technical issues/specifications and find anomalies/discrepancies (if any).


Bid Validity: Bid shall remain valid for a period of 3 (Three) months after the date of opening of the proposals. In exceptional circumstances, prior to expiry of the original bid validity period, the Bank may request the bidder to extend the period of validity for a specified additional period. The request and the responses shall be made in writing. A bidder agreeing to the request will not be permitted to modify its bid.

Bid Security: The bidder shall furnish a bid security of 2.50% of the total financial offer in the form of a Payment Order / Demand Draft in favor of ABC Bank Limited. The bid security must be submitted inside the financial proposal. The bid security should be valid for 6 (six) months after the date of bid opening. Any bid not accompanied by an acceptable bid security shall be rejected as non-responsive, even if that bid is found technically responsive during technical evaluation. The bid security of unsuccessful bidders will be returned after selection of the successful vendor. The bid security of the successful bidder will be returned when the bidder has signed the agreement and furnished the required performance security. The bid security may be forfeited if (1) the bidder withdraws its bid during the period of bid validity specified in the bid form; (2) a successful bidder fails to sign the contract; or (3) a successful bidder fails to furnish the performance security.

Price Negotiation: The Bank may request any number of Top bidders in writing to negotiate the price. Representative of the Bidders must have authorization for price negotiation. Bank will choose the successful bidder, after price negotiation and considering other performance, which are deemed fit to the Bank.

Award of Contract: The Bank will award the Contract to the successful bidder. After successful negotiations, the Bank will notify the successful bidder that his bid has been accepted. The notification of award will constitute the formation of the Contract.

Bank’s right: The Bank reserves the right to accept or reject any bid, and to annul the bidding process and reject all bids at any time prior to award of Contract, without thereby incurring any liability to the affected bidder or bidders or any obligation to inform the affected bidder or bidders of the grounds for the Bank’s action

Performance Security: After receipt of the award from the Bank, the successful bidder’s bid security will be converted into performance security. The performance security must be extended, if required, to cover the full period of the project timeline. This performance security will be kept until the date of issue of the Performance Certificate issued by the Bank. Failure of the successful bidder to comply with the requirements of this clause shall constitute sufficient grounds for termination of the award and forfeiture of the bid security. The performance security will be returned after successful completion of the project. If the project is not completed within the validity period of the performance security, the bidder must submit a new performance security from a scheduled bank for the extended period.

Support and Maintenance: All products/items supplied should be covered under 1 (one) year of local support and maintenance. The price for such support and maintenance should be included in the bidding price. The bidder has to submit a separate Annual Maintenance Proposal with the bid. The quoted annual maintenance price must be valid for at least 2 years. If ABC wishes, a separate Annual Maintenance Agreement will be signed with the successful bidder to obtain maintenance support; the quoted annual maintenance price will be used in such an agreement. The successful bidder shall be responsible for the following jobs during the AMC period, but not limited to: i) Security monitoring (Security Incident Managed Detection and Response (MDR) services) support for ABC on a 24 x 7 x 365 basis; ii) Generation of reports depending on available data; iii) Minor customization; iv) Performance tuning on a need basis.

Withholding Sales Tax & VAT: The bidder is hereby informed that the Bank shall deduct tax at the rate prescribed under the Tax Laws of Bangladesh, from all payments for services rendered by any bidder who signs a contract with the Bank. The bidder will be responsible for all taxes on transactions and/or income, which may be levied by the bank. If bidder is exempted from any specific taxes, then it is requested to provide the relevant documents with the proposal.

Payment Terms: 10% upon project approval and initial project kickoff; 20% upon the IT Security Review and Internal and External Vulnerability Assessment; 40% upon the Internal and External Penetration Testing; 30% upon completion of the service delivery.

Process to be confidential: Information relating to the examination, clarification, evaluation and comparison of bids and recommendations for the award of a contract shall not be disclosed to the bidders or any other persons not officially concerned with the process until the award to the successful bidder has been announced. Any effort by a bidder to influence the Bank's processing of bids or award decisions may result in the rejection of the bidder's bid.

Signing of Contract / Work Order: At the same time that the Bank notifies the successful bidder that its bid has been accepted, the Bank will send the bidder the Form of Contract Agreement incorporating all agreements between the parties (the Bank and the Vendor), or will issue Work Orders (where applicable). Within 15 days of receipt of the Form of Agreement, the successful bidder shall sign the Form and return it to the Bank.

Bank’s right to accept any bid and to reject any or all bids: Notwithstanding the above, the Bank reserves the right to accept or reject any bid, and to annul the bidding process and reject all bids at any time prior to award of Contract, without thereby incurring any liability to the affected bidder or bidders or any obligation to inform the affected bidder or bidders of the grounds for the Bank's action.

Sealing and Marking of Bid: The bidder shall seal the original technical proposal, the original financial proposal and the copies of the technical and financial proposals in separate envelopes, clearly marking each one as: “ORIGINAL – BUSINESS & TECHNICAL PROPOSAL”, “ORIGINAL – FINANCIAL PROPOSAL”, “COPY – BUSINESS & TECHNICAL PROPOSAL”, “COPY – FINANCIAL PROPOSAL” etc., as appropriate. The bidders shall seal the original bids and each copy of the bids in an inner and outer envelope, duly marking the envelopes as “ORIGINAL” and “COPY”. The inner and outer envelopes shall be addressed to the Bank at the following address:


Terms and Conditions for Module-A

SL #   Subject / Area   Bidder's Response   Remarks

1 The bidder should have information security service experience in Bangladesh or abroad for the last 10 (ten) years in renowned organizations.

2 At least 07 (Seven) relevant Certified Professional should exist as regular employees of the bidder.

3 The bidder must have a strong presence and a support office in Dhaka with a minimum of 3 (three) certified technical personnel for maintenance and support of the proposed VAPT services.

4 The bidder must have such implementation experience in the last 10 (ten) years, locally or globally.

6 The bidder must submit photocopies of all the relevant documents with the offer, including: a) Full particulars of the ownership, constitution, year of registration and main business activities of the vendor; b) Copy of valid Trade License; c) Copy of Certificate of Incorporation; d) Copy of TIN certificate; e) Copy of VAT registration certificate; f) Copy of valid Partnership Certificate with principal; g) At least 2 (two) experience letters (from customers) for similar implementations in the last 3 (three) years; h) List of major clients among financial institutions and copies of certificates issued by such financial institutions regarding supply, installation and configuration of the quoted products.

7 CVs of 3 (three) technical personnel.

8 The Bank reserves the right to relax, change or drop any of the terms and conditions of the schedule without any further notice.

9 After receiving the Work Order, the successful bidder shall have to submit a Performance Security in the form of a bank guarantee for the amount of 2.5% (two and a half percent) of the total price as mentioned in the Work Order. This performance security will be kept for a minimum of 6 (six) months.

10 The successful bidder must complete all the testing and submit the final report within 04 (four) months from the date of issuance of the work order. In case of failure, the Performance Security of the bidder will be forfeited.


11 All quoted prices should include testing, delivery of all kinds of reports, and AIT, VAT, Tax and other duties if applicable as per Govt. rules.

12 All VAT, Tax, Govt. duties etc. will be deducted from the bill as per rule prior payment of the same.

13 The Bank reserves the right to verify/evaluate the claims made by the vendor independently. Any decision of the Bank in this regard shall be final and conclusive.

14 Bidding prices must be quoted in BDT. All payments will be made in BDT.

15 Payment will be made phase by phase after successful completion and submission of the report for the specific tests, as per the payment terms and conditions.

16 Any decision as to compliance with the terms and conditions of the Tender, and on rejection of any Tender or any part thereof, shall be at the sole discretion of the Bank and shall be final, conclusive and binding on the bidder.

17 The Bank reserves the right to re-issue the Tender or any part thereof without assigning any reason whatsoever, at the sole discretion of the Bank. Any decision in this regard shall be final, conclusive and binding on the bidder.

18 The Bank reserves the right to adjust arithmetic and other errors in any Tender in the manner the Bank deems fit and proper. Any decision in this regard shall be final, conclusive and binding on the bidder.

19 The Bank reserves the right to accept or reject, in part or in full, any or all of the offers without assigning any reason. Any decision of the Bank in this regard shall be final, conclusive and binding on the bidders.

20 The bidder must provide schedule of VAPT step by step procedure as per scope of work.

21 The bidder must submit the valid name of purchase software tools list use in this VAPT process.

22 The bidder must submit short brief/summary of each tools/software function which is using in this VAPT process.

23 The successful bidder shall never publish and/or share the Bank's VAPT results/reports.

24 The successful bidder will sign a secrecy agreement with the Bank covering all of its VAPT results/reports.

25 The successful bidder shall provide recommendations for mitigating all vulnerabilities found in the systems and all network devices.

26 The bidder must submit, with the bid document, his/her responsibilities before and after the VAPT.

27 The successful bidder must train the Bank's officers to run VAPT without help from the vendor.

28 Time & date of submission: up to …. a.m./p.m. on ……., 2017. The sealed tender must be submitted in the tender box kept in the ………, Dhaka-1000.

29 Time & date of opening of tender: …… AM/PM on ………, 2017. Bidders are encouraged to be present during the opening of the Tender.

30 The management reserves the right to cancel any bid/tender without assigning any reason whatsoever. The management is not bound to award the contract to the lowest bidder.

Name of the Bidder: Signature:

Module-B: Sub: Request for proposal for supplying VAPT tools to identify and penetrate security weaknesses of our Bank's IT infrastructure, including Network, System & application etc., as per the 'Scope of Work'.

Objective: ABC Bank Limited invites responses for supplying a Vulnerability Assessment and Penetration Testing tool to identify vulnerabilities in the IT devices and applications, so that preventive action can be taken against threats to the devices and applications deployed across the organization.

Vulnerability Assessment and Penetration Testing Tools: The main objective of this RFP is the supply and support of a Vulnerability Assessment and Penetration Testing tool to assess weaknesses, misconfigurations and vulnerabilities associated with ABC's hosts at the network, operating system and application levels.

Annexure- Technical Compliance Sheet

Vulnerability Assessment/Management Product Requirement Specs

Sl# | Description | Comply (Tick: Yes / No)

1 Asset Scanning and Management

1.1 Asset scanning shall support the following types of checks in one single scan:
- Vulnerability
- Web Application Scanning
- Policy Compliance

1.2 Shall have the functionality to perform Safe Scan for fragile devices.

1.3 Shall have granular controls for managing scan speed and resource usage:
- Maximum retries
- Timeout interval
- Scan delay
- Packet-per-second rate
- Parallelism

1.4 Shall support the automatic discovery of virtual assets on:
- VMware vCenter
- VMware ESX/ESXi
and shall support hypervisor scanning of virtual assets (VMware NSX).

1.5 Shall be able to perform TCP scanning in full-connect scan and stealth scan modes (including but not limited to SYN, SYN+FIN, SYN+RST, SYN+ECE).

1.6 Scans shall be able to be started, stopped, paused and resumed at any time.

1.7 Shall be able to schedule scans with a specific starting date and time, frequency and maximum scan duration.

1.8 Shall be able to automatically pause scheduled scans that cannot complete within the predefined duration.

1.9 Unfinished scheduled scans shall be able to continue, automatically or manually, from where they previously stopped in the next scheduled session.

1.10 Scans shall support credentialed login to devices, including but not limited to CVS, FTP, HTTP, Microsoft Windows, Oracle, POP, SNMP, SSH, Telnet.

1.11 Scans shall support credentialed login to databases, including but not limited to DB2, Microsoft SQL, MySQL Server, Oracle.

1.12 Shall be able to provide a holistic view of the environment where users can drill down at any stage to explore:
- Sites
- Assets
- Vulnerabilities
- Exploits
- Malware
- Policies
- Installed Software
- Services
- Users & Groups
- Databases
- Files & Directories Listing

1.13 Shall have the functionality to build a database of discovered assets and detected vulnerabilities:
- Independently of scanning frequency
- Independently of scanning type
- Providing a real-time, up-to-date security posture of the environment

1.14 Shall be able to support IPv6.

1.15 Shall have the functionality to create dynamic groups by setting conditions including but not limited to asset name, asset risk score, CVSS, host type, IP range, Operating System (OS) name, PCI compliance status, service name, site name, software name and vulnerability type.
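The "dynamic group" requirement above is easiest to evaluate with a concrete model in hand: a group is not a fixed list of hosts but a set of conditions that is re-evaluated against the asset database every time it is read, so a newly discovered host with a critical finding joins the group without anyone editing it. The following Python is an added illustration and is not code from the RFP or from any vendor's product; the `Asset` class, the `dynamic_group` function, the operator names and the sample inventory are all assumptions constructed for this example, covering the condition kinds the requirement names (asset name, risk score, CVSS, OS name, IP range, site name, software name, vulnerability type).

```python
"""Dynamic asset groups evaluated from a list of conditions (added illustration)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One scanned host as stored in the asset database (hypothetical schema)."""
    name: str
    ip: str
    os: str
    site: str
    risk_score: int          # product-style aggregate risk score
    max_cvss: float          # highest CVSS base score among open findings
    software: set = field(default_factory=set)
    vuln_types: set = field(default_factory=set)


# Constructed sample inventory; hostnames and addresses are made up.
INVENTORY = [
    Asset("core-db-01", "10.10.1.15", "Oracle Linux 7", "DC-Main", 84000, 9.8,
          {"oracle-database"}, {"remote-code-execution"}),
    Asset("web-app-02", "10.10.2.40", "Windows Server 2012 R2", "DC-Main", 12500, 7.5,
          {"iis"}, {"information-disclosure"}),
    Asset("branch-pc-77", "192.168.50.77", "Windows 10", "Branch-07", 3100, 5.3,
          {"office"}, {"privilege-escalation"}),
    Asset("dr-app-01", "10.10.3.5", "Red Hat Enterprise Linux 6", "DC-DR", 57000, 9.1,
          {"apache-httpd", "openssl"}, {"remote-code-execution", "denial-of-service"}),
]


def _match(asset, field_name, op, value):
    """Evaluate one (field, operator, value) condition against an asset."""
    if field_name == "ip_range":
        # CIDR membership; "in" or "not in"
        hit = ipaddress.ip_address(asset.ip) in ipaddress.ip_network(value, strict=False)
        return hit if op == "in" else not hit
    if field_name in ("risk_score", "max_cvss"):
        actual = getattr(asset, field_name)
        ops = {">=": actual >= value, "<=": actual <= value, "==": actual == value}
        if op not in ops:
            raise ValueError(f"unsupported operator {op!r} for field {field_name!r}")
        return ops[op]
    if field_name in ("software", "vuln_types"):
        # Set-valued fields: "contains" or "not contains"
        hit = value in getattr(asset, field_name)
        return hit if op == "contains" else not hit
    text = getattr(asset, field_name)  # free-text fields: name, os, site
    if op == "is":
        return text == value
    if op == "contains":
        return value.lower() in text.lower()
    if op == "matches":
        return re.search(value, text) is not None
    raise ValueError(f"unsupported operator {op!r} for field {field_name!r}")


def dynamic_group(inventory, conditions, match_all=True):
    """Return the sorted names of assets meeting all (or, if match_all is False,
    any) of the conditions. Re-running this against a changed inventory is what
    makes the group "dynamic": membership is never stored, only the rules."""
    combine = all if match_all else any
    return sorted(a.name for a in inventory
                  if combine(_match(a, f, op, v) for f, op, v in conditions))


if __name__ == "__main__":
    # Group: data-centre Linux hosts with an RCE finding rated CVSS 9.0 or higher
    critical_linux = dynamic_group(INVENTORY, [
        ("ip_range", "in", "10.10.0.0/16"),
        ("os", "contains", "linux"),
        ("vuln_types", "contains", "remote-code-execution"),
        ("max_cvss", ">=", 9.0),
    ])
    print(critical_linux)
```

Two things the RFP's one-line requirement leaves implicit are visible here: a group definition must say whether its conditions are AND-ed or OR-ed (`match_all`), and an IP-range condition needs real CIDR arithmetic rather than string prefix matching, otherwise `10.10.100.x` would match a "10.10.1" prefix.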

1.16 Supports out of the box the following three alert types:
- SMTP
- SNMP
- Syslog

1.17 Provides a time-based exclusion workflow for both:
- Vulnerabilities
- Policy Compliance Controls

2 Web Application Scan

2.1 Shall be able to cover all OWASP Top 10 Web Application Security Risks.

2.2 Shall include robust fourth-generation web application scanning capabilities against complex web technologies, including but not limited to AJAX, ASP.NET 2.0 and Flash-based sites.

2.3 Shall support credentialed login through HTTP Form and Basic/Digest authentication for scanning.

2.4 Shall support web spidering/crawling to gather security-related information such as directory structures, files and applications running on the web servers.

2.5 Shall have the functionality to set the scan rate, such as threads per web server and spider request delay, to control bandwidth consumption and scanning time.

2.6 Shall have the functionality to set limits on the maximum number of foreign hosts to resolve, maximum directory level, maximum spidering/crawling time, maximum pages and maximum link depth.

2.7 Shall have the functionality to exclude scans by HTTP daemon and path.

3 Vulnerability and Risk Management

3.1 Shall have a vulnerability database of at least 120,000 vulnerability checks.

3.2 Shall perform more than 80,000 vulnerability checks across network, operating systems, web applications and databases.

3.3 Shall provide the functionality to perform search on a specific vulnerability and to browse the vulnerability database by category and type.

3.4 Shall have the ability to correlate discovered information between web application and network/operating system scan results to uncover vulnerabilities.

3.5 Shall have at least 4 types of criticality rating to calculate risk score.

3.6 Shall provide granular risk scoring ranging from 0 to 999,999, usable in 2 different models:
- Temporal model: taking into account the length of time the vulnerability has been known to exist, as well as the nature of the risk
- Weighted model: taking into account the type and importance of the scanned asset

3.7 The risk score shall include but not be limited to vulnerability impact, likelihood of compromise, date of disclosure, exploit exposure and malware exposure.

3.8 Shall have the functionality to set an importance level to allow the user to scale the risk up or down.

3.9 Shall have the functionality to assign tickets to individual users for fixing vulnerabilities.

3.10 Assigned tickets shall allow both administrators and ticket owners to add comments or update the ticket status.

3.11 Shall be able to integrate native exploit information from well-known sources such as Exploit DB.

3.12 Shall be able to present threat data by correlating known exploits with the vulnerabilities found.

3.13 Shall be able to provide information on how to develop exploits to demonstrate and validate the vulnerabilities found.

4 Policy Audit

4.1 Policy compliance testing shall include Oracle, Windows Group Policy and UNIX.

4.2 Shall support custom SCAP compliance policy upload & creation.

4.3 Shall include built-in CIS Hardening Guidelines, FDCC Policy and USGCB Standard.

4.4 Shall support customized policy check.

4.5 Shall support Windows Group Policy audit.

5 Report and Data Export

5.1 Built-in reports shall include but not be limited to audit, baseline comparison, executive summary, PCI, policy compliance, remediation planning, top remediation, SANS Top 20 and vulnerability verification reports.

5.2 Baseline comparison reports shall include the risk trend and the newly added or missing assets and services between the current scan and a baseline, where the baseline may be the previous scan, the first scan or any specific earlier scan.
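A baseline comparison is, at bottom, a set difference computed over two scan results, and the value of requirement 5.2 lies in which differences it surfaces: a service that appeared on an existing host between scans (a new listener to investigate), a host that vanished (a gap in coverage rather than a win), and the direction of the aggregate risk figure. The block below is an added illustration, not code from the RFP or from any vendor; `compare_scans`, `BaselineDelta` and the two sample scans are assumptions constructed for the example, and a scan is modelled simply as a mapping from asset address to its risk score and set of observed services.

```python
"""Baseline comparison of two scans: risk trend, new/missing assets and services
(added illustration, hypothetical data model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineDelta:
    """Everything a baseline comparison report needs, computed once."""
    risk_previous: int
    risk_current: int
    new_assets: tuple        # addresses seen now but not in the baseline
    missing_assets: tuple    # addresses in the baseline but not seen now
    new_services: tuple      # (asset, service) pairs that appeared on a common host
    missing_services: tuple  # (asset, service) pairs that disappeared from a common host

    @property
    def risk_trend(self):
        """Negative means overall risk went down since the baseline."""
        return self.risk_current - self.risk_previous


def compare_scans(baseline, current):
    """Diff `current` against `baseline`. The baseline can be the previous scan,
    the first scan, or any earlier scan the analyst chooses; the logic is the same."""
    base_assets, cur_assets = set(baseline), set(current)
    new_services, missing_services = [], []
    # Service deltas only make sense for hosts present in both scans.
    for asset in sorted(base_assets & cur_assets):
        before, after = baseline[asset]["services"], current[asset]["services"]
        new_services += [(asset, s) for s in sorted(after - before)]
        missing_services += [(asset, s) for s in sorted(before - after)]
    return BaselineDelta(
        risk_previous=sum(a["risk"] for a in baseline.values()),
        risk_current=sum(a["risk"] for a in current.values()),
        new_assets=tuple(sorted(cur_assets - base_assets)),
        missing_assets=tuple(sorted(base_assets - cur_assets)),
        new_services=tuple(new_services),
        missing_services=tuple(missing_services),
    )


def format_report(delta):
    """Render the delta as the lines a plain-text baseline report would carry."""
    lines = [f"Risk: {delta.risk_previous} -> {delta.risk_current} ({delta.risk_trend:+d})"]
    lines += [f"New asset: {a}" for a in delta.new_assets]
    lines += [f"Missing asset: {a}" for a in delta.missing_assets]
    lines += [f"New service: {a} {s}" for a, s in delta.new_services]
    lines += [f"Missing service: {a} {s}" for a, s in delta.missing_services]
    return lines


# Constructed sample scans (addresses, scores and ports are made up).
SCAN_1 = {
    "10.10.1.15": {"risk": 84000, "services": {"tcp/22", "tcp/1521"}},
    "10.10.2.40": {"risk": 12500, "services": {"tcp/80", "tcp/443", "tcp/3389"}},
    "10.10.3.5":  {"risk": 57000, "services": {"tcp/22", "tcp/443"}},
}
SCAN_2 = {
    "10.10.1.15": {"risk": 41000, "services": {"tcp/22", "tcp/1521"}},      # patched
    "10.10.2.40": {"risk": 9800,  "services": {"tcp/80", "tcp/443"}},       # RDP closed
    "10.10.3.5":  {"risk": 57000, "services": {"tcp/22", "tcp/443", "tcp/8080"}},  # new listener
    "10.10.4.9":  {"risk": 6000,  "services": {"tcp/445"}},                 # newly seen host
}

if __name__ == "__main__":
    for line in format_report(compare_scans(SCAN_1, SCAN_2)):
        print(line)
```

Note that the same function answers both directions of the question: comparing the newer scan against the older one lists the new host, while comparing the older against the newer lists it as missing, which is exactly the view needed when a host drops out of scan scope.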

5.3 Remediation reports shall provide a step-by-step guide for administrators to fix the vulnerabilities found. Steps shall be well organized, in the correct order and without duplicates. Steps shall also include the estimated downtime as a reference for the administrators.

5.4 Shall support customization / editing of reports.

5.5 Customized reports shall include at least 4 technical detail level options.

5.6 Customized reports shall support creation of new templates and inclusion of customized logo and title.

5.7 Shall be able to generate report based on scan groups (site), asset group (static or dynamic), and individual asset(s).

5.8 Report shall be automatically generated after each complete scan or on a pre-determined frequency.

5.9 Shall be able to export reports in various formats, such as but not limited to CSV, PDF, RTF, HTML, Text and XML.

5.10 Shall be able to export scan data in formats such as but not limited to ARF, CSV, CyberScope XML, JDBC-compliant database, Simple XML, XML 1.0 and 2.0, SCAP XML, SQL Query Export and XCCDF.

5.11 Shall be able to export scan data to an external database for integration with an external reporting system. Database support shall include MSSQL, Oracle and MySQL.

5.1 2 Shall include access controls to reports based on user roles.

5.13 Shall be able to distribute reports to external recipients in the form of electronic mail (email).

5.14 Shall provide a correlated list of:
- Metasploit exploit modules available for each vulnerability
- Malware kits available for each vulnerability
and shall provide an automatic workflow to validate vulnerabilities in Metasploit.

6 Server Management

6.1 The management console shall include a web-based user interface served over encrypted channels.

6.2 Management console shall include command line console.

6.3 Shall support role-based customization on a per-user basis to allow finer-grained controls and/or to extend/restrict permissions.

6.4 Shall support external authentication system including but not limited to LDAP, AD and Kerberos.

6.5 Shall include built-in diagnostic tools to display system status. Diagnostic tools shall be able to upload log files through encrypted channels for analysis.

6.6 Shall be able to perform backup and restore of the database, configuration files, reports and scan logs.

6.7 Updates shall be received at least bi-weekly, or more frequently.

7 Installation, Deployment and Integration

7.1 Shall be an agentless solution.

7.2 The software shall be installable on Linux and Windows. It must be built on a true 64-bit architecture.

7.3 The software shall officially support running on a virtual machine, a laptop or a server, and as an .ova virtual appliance.

7.4 Software shall support up to 72GB of memory for higher performance.

7.5 Shall provide a distributed client/server architecture with unlimited scalability: a centralized security management console that is able to manage multiple scan engines for consolidated reporting and data aggregation.

7.6 Shall have an established base of certified technology partners.

7.7 Shall support a wide range of open APIs for integration with solutions from non-certified technology partners.

7.8 Both the console and the scan engines shall be available as hardware appliances.

7.9 The software and OS of the appliance shall be of true 64-bit architecture, and the OS shall be hardened.

7.10 Shall include an option to switch to Federal Information Processing Standard (FIPS) 140-2 encryption mode.

8 Product Market Position and Certification

8.1 Must be certified with Common Criteria EAL3+ or above.

8.2 Must be rated as "strong positive" in the "Gartner Market Scope for Vulnerability Assessment".

8.3 Must be rated as "leader" in the Forrester Wave for Vulnerability Management.

Penetration Test Product Requirement Specs

Sl# | Description | Comply (Tick: Yes / No)

1 Installation, Deployment and Integration

1.1 The software shall be installable on Linux (32-bit/64-bit) and Windows (32-bit/64-bit). For a 64-bit OS, the software must be built on a true 64-bit architecture.

1.2 Shall have weekly updates (e.g. exploit modules).

1.3 Shall support offline activation and update.

1.4 Shall integrate with the Vulnerability Management Tool for vulnerability validation through automated import & export of vulnerability scan results and reporting.

2 Administration

2.1 Shall have encrypted web GUI.

2.2 Shall have command line console.

2.3 Shall provide an API to integrate with other systems or to automate the workflow.

2.4 Tasks (e.g. scan, exploit) shall be runnable on a schedule.

3 Host Scan and Web Scan

3.1 Shall discover the host's OS and running services.

3.2 Shall support customized nmap commands for scanning.

3.4 Shall integrate with NeXpose to discover the host's OS, running services and vulnerabilities.

3.5 Shall support automatic tagging by OS.

3.6 Shall import scan results from solutions including but not limited to NeXpose, Metasploit, Acunetix, Amap, Appscan, Foundstone, Libpcap, Microsoft MBSA, Nessus, NetSparker, Nmap, Qualys.

4 System Exploitation

4.1 Shall apply exploits to an individual IP or multiple IPs.

4.2 Exploit modules shall be applied automatically based on OS, service and vulnerability reference.

4.3 Shall have at least 6 reliability levels for exploit code used in automated exploitation.

4.4 Shall support running individual exploit module.

4.5 Shall have an option to skip exploits on known fragile devices.

4.6 Shall support a dry run that records exploit information in the task log only.

4.8 Shall be able to replay the exploit code, and the code shall be customizable.

5 Brute forcing

5.1 Shall apply brute-forcing to services including but not limited to SMB, Postgres, DB2, MySQL, MSSQL, Oracle, HTTP, HTTPS, SSH, Telnet, FTP, POP3, BSD EXEC, BSD LOGIN, BSD SHELL, VMAuthd, VNC, SNMP, AFP.

5.2 Shall have a built-in dictionary of well-known and default credentials.

5.3 Shall support customized credential and dictionary.

5.4 Shall support credential mutation.

6 Post Exploitation Action And Evidence Collection

6.1 Shall support the payload types "Meterpreter" and "CommandShell" with specially customized scripts.

6.2 Shall support customized macros to run the selected operations automatically after exploitation.

6.3 Shall support post-exploitation actions including but not limited to collecting system data (screen capture, passwords, system information), building a virtual desktop connection, accessing and searching the file system, running a command shell, and creating proxy and VPN pivots.

6.4 Shall deploy a persistent listener to allow exploited hosts to connect back automatically, like building a botnet.

7 Social Engineering Campaign

7.1 Shall support Web campaign, Email campaign and USB campaign.

7.2 Web campaigns shall be customizable by http/https, IP address, port and path (e.g. https://www.abc.com:1234/abcd).

7.3 Web content shall be clonable from another web site (e.g. www.google.com).

7.4 Web campaigns shall support browser auto-pwn (applying all the appropriate exploit modules based on the browser version), a specific browser exploit (e.g. MS11-050), and doing nothing (just checking the connection from the users).

7.5 Email campaigns shall support email content customization to include a specific URL or an agent attachment.

7.6 USB campaigns shall support generating an agent deployment .exe file.

8 Web Application Exploitation

8.1 Shall support web crawling on IPv4 and IPv6 web sites.

8.2 Web crawling shall be applicable to a whole web site (e.g. http://www.abc.com) or started from a specific point (e.g. http://www.abc.com/path/starthere/).

8.3 Shall detect vulnerable URLs and parameters, e.g. SQL Injection and Cross-Site Scripting.

9 Report and Data Export

9.1 Shall have built-in standard reports and customized report functionality.

9.2 Shall have at least 9 built-in standard reports.

9.3 Report formats shall include but not be limited to PDF, Word, RTF & HTML.

9.4 Reports shall be stored locally and sent to recipients by email after creation.