
Questions and Answers

2016 IT Security Assessment & Penetration Testing RFP

Question OPERS Response


Question: With reference to section C.1, can you provide an approximate number of external/public IP addresses?
OPERS Response: Approximately 44

Question: With reference to section C.2, can you provide an approximate number of external/public web applications?
OPERS Response: Approximately 10

Question: With reference to section C.3, how many user roles (regular user, admin, etc.) need to be tested?
OPERS Response: Credentials for one user role will be provided.

Question: With reference to section C.6, please provide an estimated number of internal web applications and user roles for these applications.
OPERS Response: Approximately apps/roles (Kronos/2, HLC/2)

Question: Can you provide the number of dynamic pages in your web application outside the login and inside the login? This would be the number of pages that have a field where data can be inserted, such as a contact form page or inquiry page.
OPERS Response: Outside: 25 – 50 once authorized. This varies on the outside as functionality differs between roles. Inside: 100 – 200 for both apps. These are typically Active Directory authorized – without credentials there are no pages. Pages outside/inside logon – this varies. The outside apps you will do an app scan on require authorization – maybe 2 pages before auth, maybe 25-50 (varies) once authorized.
Question: You said that you want the web application testing done on the weekends. Do you have any similar requirements for the external and internal, or can we test during the day?
OPERS Response: Non-intrusive testing may be performed during business hours. Testing that poses a risk to impact network performance must be done during the prescribed maintenance window.

Question: Do you require that we come onsite for the internal testing or can we send a black box to your location to do the test remotely?
OPERS Response: We expect the vendor selected to have a qualified representative on site for all internal testing.

Question: In reference to section C.3, please describe in a few lines what are the main functionalities of this application.
OPERS Response: The application to be tested is used by members to access their individual account and perform various actions. Examples include address update, password changes and applying for benefits.

Question: In reference to section C.6, "Perform a vulnerability assessment of specific, identified internal facing web applications" – please describe in a few lines what are the main functionalities of this application.
OPERS Response: We use various internal facing web applications for business processes performed by designated user roles. Preliminary discussions have you assessing a Kronos (3rd party payroll product, owned by OPERS) installation and a Health Care app built in-house.

Question: Does all work need to be completed on site at all times or may some of the work be completed off site?
OPERS Response: All internal testing must be performed onsite.

Question: Would a mixture of past performance as a Prime and Sub be applicable for this request?
OPERS Response: Yes.

Question: If teaming is utilized for this engagement, do we gain consent prior to the RFP submission?
OPERS Response: Please provide your planned teaming approach as part of your proposal and indicate whether it is an essential part of your plan or optional.

Question: If MBE/EDGE certification is preferred, would MBE/EDGE status of the subcontractor be sufficient for this opportunity?
OPERS Response: We have no preference for MBE/EDGE certification for this engagement.

Question: If MBE/EDGE certification is preferred, does the Prime contractor need to hold MBE/EDGE certification?
OPERS Response: We have no preference for MBE/EDGE certification for this engagement.

Question: What are your organization's biggest security concerns?
OPERS Response: Exposure of PII, the basic confidentiality, availability, integrity of data.

Question: How many "live" systems are in scope?
OPERS Response: We have approximately 2000 servers and workstations and one mainframe in scope for this project.

Question: Will we be provided with external domain names, network ranges and specific in-scope IP addresses prior to testing?
OPERS Response: Yes.

Question: Which milestone concludes the testing first: achieving a defined goal, or validating every identified vulnerability?
OPERS Response: Validating vulnerabilities

Question: What are your organization's biggest security concerns with the web application?
OPERS Response: Exposure of PII, the basic confidentiality, availability, integrity of data.

Question: About how many dynamic pages make up the application?
OPERS Response: Approximately 50%.

Question: Are vulnerabilities in the system(s) hosting the application in-scope for testing and exploitation?
OPERS Response: Yes.

Question: Does "Vendor is expected to perform this portion of the testing onsite" mean we must be physically onsite, or can this work be performed remotely with only a vendor system physically onsite?
OPERS Response: We expect the vendor selected to have a qualified representative on site for all internal testing.

Question: How large are the external ranges (two class C's or 2 /24's)?
OPERS Response: One /24 network – not all IPs are used

Question: What is the population of live devices in these ranges (e.g. 213 live hosts within the 2 /24's)?
OPERS Response: Approximately 44 used IPs on the single /24 network

Question: How many fully qualified domain names (FQDN) are present in the environment to be tested?
OPERS Response: One external, two internal

Question: Will we have the appropriate organizational support to authorize "white list" access in the event that the IDPS system(s) impede progress?
OPERS Response: Yes, but we do not anticipate doing this. The IPS systems are part of our defense-in-depth. If the test cannot penetrate the IPS, that test fails. We do not anticipate disabling any aspects of our normal IT Security infrastructure for the testing.
Question: Will the applications require authenticated testing (login areas)?
OPERS Response: All of the tested apps require authenticated testing (one external, two internal)

Question: Please list the number of user roles to be tested for each application.
OPERS Response: For the externally facing web application, one external user role will be provided. For the internal network systems and mainframe, default user credentials for two roles (Kronos) and two roles (Health Care) will be provided.

Question: Please list the number of pages to be tested in authenticated/unauthenticated space for each application.
OPERS Response: External – login page. Internal – should be no access.

Question: Are these penetration testing efforts for only vulnerability assessment efforts?
OPERS Response: Yes.

Question: Items Out of Scope: "Searching the premises for passwords or other written information" – Does this refer to physically looking through desks, or does it pertain to electronically searching for files and passwords?
OPERS Response: This refers to physically searching desks/under keyboards. Electronically searching for files and passwords would be allowable.

Question: Items Out of Scope: "No more than three password attempts at any account to prevent lockout events, unless otherwise and explicitly permitted by OPERS" – Is that three guesses every 30 minutes?
OPERS Response: 3 guesses in 60 minutes

Question: Business reason for penetration testing in this environment?
OPERS Response: Regular due diligence to review our security efforts.

Question: Is the penetration testing required for a specific compliance requirement?
OPERS Response: No.

Question: When can the pen test be conducted (scanning, enumeration, exploitation, etc.)? During business hours, after hours, weekend or any specific timeframe?
OPERS Response: Non-intrusive testing may be performed during business hours. Testing that poses a risk to impact network performance must be done during the prescribed maintenance window.

Question: Range of IP subnet to be scanned, if applicable?
OPERS Response: Details will be provided to the selected vendor.

Question: Are there any devices in the environment which may impact the results of the penetration testing (firewall, IDS, IPS, Web Application firewall, load balancers, etc.)?
OPERS Response: Yes. These devices will be enabled during all testing as they are part of our regular security profile.

Question: Are there any IPs hosting more than 1 application? If yes, how many apps in total are present in the IP range? If yes, should we also test the web application as part of the test?
OPERS Response: For these apps, they are specific to an IP:PORT configuration. There may be other applications on the same IP but using a different PORT. These "other applications" would not be tested as part of this engagement. And these are web based – so what would be in scope might be https://HLCAPP:8043 and any links you find below that TREE, but not traversing to other servers.
Question: Exploitation to be performed?
OPERS Response: Yes, to the extent it does not affect application availability. I.e., gaining access to Kronos payroll via SQL insertion is well within scope.

Question: Please indicate if you would like us to conduct black box application security tests on the applications hosted on these devices. Yes or No?
OPERS Response: We would need more details on what your intent here is, but generally speaking any tools you want to use are allowed as long as they meet the criteria specified here.

Question: Exploitation to be performed, yes or no?
OPERS Response: Yes, to the extent it does not affect application availability. I.e., gaining access to Kronos payroll via SQL insertion is well within scope.

Question: Please give information: Class C range with default subnet – Number of IP addresses? Number of web apps within the range of IP addresses?
OPERS Response: Approximately 44 used IPs on the single /24 network. Vulnerability scanning will be done on this entire external network. Detailed application testing will be done on a single external app, two internal apps. Further details will be provided to the winning vendor.

Question: Please fill in the information regarding the infrastructure – physical location, number of separate facilities/buildings that have a separate wireless network.
OPERS Response: One physical location – the building will be in scope. Three wireless networks are present.

Question: Please specify the number of target hosts.
OPERS Response: For scanning purposes, internally there will be approximately 1,000 hosts. We have more hosts than this but we are limiting this engagement.
Question: You request an assessment to determine the capabilities of an attacker to obtain control over target systems or gain elevated privileges, given a set of credentials you provide. Is use of the credential (say, to access authenticated remote services) the only attack vector to be used in these phases of the assessment? Or is network based exploitation of vulnerabilities permitted to be used for these phases as well?
OPERS Response: Network based attack vectors are permitted.

Question: How many unique page views per application?
OPERS Response: Outside: 25 – 50 once authorized. This varies on the outside as functionality differs between roles. Inside: 100 – 200 for both apps. These are typically Active Directory authorized – without credentials there are no pages.

Question: Do they have a REST API/API and do you want them tested as well?
OPERS Response: Yes

Question: Will network ranges/host lists be provided? Will the in-scope ranges be provided or will a full discovery be required?
OPERS Response: Yes, but we would also expect a discovery to be done. Some servers may be deemed off limits – these will be clearly communicated in advance.
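Two of the answers above define scope boundaries that a crawler or scanner crosses easily by accident: the application test is limited to one scheme://host:port tree (other ports on the same IP and other servers are out), and the network scan covers an agreed range minus servers declared off limits in advance. The block below is an added example, not code from OPERS or the RFP, that encodes both rules as predicates a tool can consult before it follows a link or sends a probe. The root URL https://HLCAPP:8043 is the one quoted in the IP:PORT answer; the link list, the 192.0.2.0/24 range and the excluded addresses are constructed test data (the real ranges are only provided to the selected vendor).

```python
"""Scope predicates for the application and network portions of a test.

Added example, not code from OPERS or the RFP. It encodes the rules given in
the answers above: an application test stays inside one scheme://host:port
tree (other ports on the same host and other servers are out), and a network
scan covers the agreed ranges minus hosts declared off limits. The link list,
the 192.0.2.0/24 range and the excluded addresses are constructed test data.
"""
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    if scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    try:
        port = p.port or DEFAULT_PORTS[scheme]
    except ValueError:                      # non-numeric port in the URL
        return None
    return scheme, p.hostname.lower(), port


class AppScope:
    """In scope: same scheme, host and port as the root URL; nothing else."""

    def __init__(self, root: str) -> None:
        origin = _origin(root)
        if origin is None:
            raise ValueError(f"root must be an absolute http(s) URL: {root!r}")
        self.origin = origin

    def allows(self, url: str) -> bool:
        return _origin(url) == self.origin

    def filter_links(self, page_url: str,
                     hrefs: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Resolve hrefs against page_url and split them into (follow, skip)."""
        follow, skip = [], []
        for href in hrefs:
            absolute = urljoin(page_url, href)
            (follow if self.allows(absolute) else skip).append(absolute)
        return follow, skip


class NetScope:
    """In scope: addresses inside the agreed ranges, minus off-limits hosts."""

    def __init__(self, ranges: Iterable[str], off_limits: Iterable[str] = ()) -> None:
        self.ranges = [ipaddress.ip_network(r, strict=False) for r in ranges]
        self.off_limits = {ipaddress.ip_address(a) for a in off_limits}

    def allows(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return addr not in self.off_limits and any(addr in n for n in self.ranges)

    def targets(self) -> List[str]:
        """Usable addresses to scan (network/broadcast excluded by hosts())."""
        return [str(a) for n in self.ranges for a in n.hosts()
                if a not in self.off_limits]


def demo() -> dict:
    app = AppScope("https://HLCAPP:8043")          # root from the OPERS answer
    hrefs = [                                      # constructed link list
        "/hlc/claims",                 # relative, same tree      -> follow
        "https://hlcapp:8043/a",       # host case differs only   -> follow
        "https://HLCAPP:8443/admin",   # other port, same host    -> skip
        "https://KRONOS/payroll",      # other server             -> skip
        "http://HLCAPP:8043/x",        # scheme differs           -> skip
        "mailto:help@example.test",    # not a web link           -> skip
    ]
    follow, skip = app.filter_links("https://HLCAPP:8043/hlc/home", hrefs)
    net = NetScope(["192.0.2.0/24"], off_limits=["192.0.2.10", "192.0.2.250"])
    return {
        "follow": follow,
        "skip": skip,
        "scan_targets": len(net.targets()),
        "excluded_host": net.allows("192.0.2.10"),
        "in_range_host": net.allows("192.0.2.11"),
        "outside_range": net.allows("198.51.100.5"),
    }


if __name__ == "__main__":
    print(demo())
```

The scope is compared by origin rather than by URL prefix so that a redirect or a link to a second port on the same host is caught; a prefix check on the string "https://HLCAPP:8043" would happily accept "https://HLCAPP:80430".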
Question: Will there be 3rd party hosted IPS/ranges included in the scope?
OPERS Response: No.

Question: Is the assessment to be IDS evasive? Is it safe to assume there is no IDS evasion/stealth required?
OPERS Response: IDS evasion/stealth is not required but it is not prohibited either. Full ITSec controls will remain active and in place for this testing.

Question: You state that there are various internal networks; is the assumption that all the hosts will be accessible from one network location?
OPERS Response: Yes, other than what is blocked by firewalls. They are all on the same local network.

Question: Will Active Directory domains and supporting architecture be in the scope for the assessment?
OPERS Response: Yes.

Question: Is the assumption that all the hosts will be accessible from 1 network location in the DMZ?
OPERS Response: We will give you network access and local admin credentials to the DMZ server, but all other firewall rules/IPS will remain in place.

Question: How many pages in each application? What technologies are employed for each application – Java, PHP, etc.? Can this portion of the testing be done during normal business hours?
OPERS Response: Externally, mostly Java. And some .Net. Internally, almost all Java.

Question: Will the vendor be able to bring/connect their company equipment (i.e. a laptop) for this portion of the engagement? Is the network flat or segmented – are all points accessible from a single point, or would the evaluation need to be done at various points in the network?
OPERS Response: The vendor will be able to connect their equipment to the network after it has been reviewed by IT Security personnel. The network is segmented. All resources are potentially accessible from a single point.

Question: Section C4 states "There are a total of approx. 1000 servers and workstations on various internal networks and one mainframe in the scope of the project" – can you specify how many of those are servers and how many are workstations? How many of the servers are physical and how many are virtual?
OPERS Response: Almost all of the servers are virtual but there are a handful of physical. The majority of workstations are physical but some of these are also virtual. The focus is to be on the server side but we are not excluding the workstation side. We have more than 1,000 devices but we are limiting it to this amount. Count on perhaps 850 servers, 150 workstations.
