This document is a proposal for a network vulnerability assessment of ABC Card Corporation submitted by Dave Sweigert Consulting. It proposes assessing 200 servers and 5 applications for vulnerabilities. The assessment will scan the IP address range and ports to identify vulnerabilities but will not test for specific web vulnerabilities. It defines vulnerabilities as exploitable problems or errors and states the limits of the assessment. ABC Card Corporation must provide network access for the assessment tools. The cost proposal is in a separate document.
1. THIS PAGE IS SUBJECT TO THE CONFIDENTIALITY RESTRICTIONS CONTAINED ON THE COVER PAGE OF THIS DOCUMENT. THE MATERIAL IS
COPYRIGHT 2015 AND PROTECTED UNDER THE UNIFORM TRADE SECRETS ACT.
DAVE SWEIGERT, CISA, CISSP, HCISSP, PMP, SEC+ PEN-TEST PROPOSAL
PROPOSAL
FOR THE
ABC CARD CORPORATION
Odin, Minnesota 06333
CONFIDENTIALITY NOTICE: All the material contained herein is considered a
confidential trade secret of the proposal submitter. Therefore, the reader/reviewer
shall take diligent steps to protect, store and safely review this material without
disclosure to unauthorized third parties.
Submitted by:
Dave Sweigert Consulting
BACKGROUND
Pursuant to Requirement Eleven (11) of the Payment Card Industry Data Security
Standard (PCI-DSS) the offeror presents this proposal to provide the owner of the
Target of Evaluation (ToE) with a proposal to complete an appropriate vulnerability scan
of enterprise core infrastructure.
This proposal addresses the requirement of conducting a Network Vulnerability
Assessment (NVA), and this term is used as a leading industry practice term of art.
An NVA can be considered a foundational step within a more comprehensive
penetration test.
In this particular proposal, the NVA is designed to produce measurable results that can
achieve SMART objectives to develop further analysis, testing and mitigation strategies
(see below).
SPECIFIC
MEASURABLE
ATTAINABLE
REALISTIC
TIME-BOUND
POINTS OF CONTACT
The lead principal investigator for this effort shall be:
Dave Sweigert, M.Sci.,
CISA, CISSP, HCISPP, PMP, SEC+
SCOPE OF EFFORT
The ToE owner has identified the following parameters for the test effort:
200 servers with 200 I.P. address range
Three (3) business critical applications hosted on the above
Two (2) non-critical apps hosted on forum servers
COORDINATION
The accompanying document entitled “SAMPLE PENETRATION TESTING
ENGAGEMENT LETTER” shall be completed prior to testing commencement. The
offeror incorporates this accompanying document as if fully restated herein.
LIMITATIONS OF THE NVA
The NVA can be understood as a Phase One objective within an overarching
penetration test. Specific NVA testing includes:
Scan of IP address range to verify hosts (network scanning)
Scan of ports on hosts to discover open services
Identification of vulnerabilities based on the above
The results of the NVA can be used to identify vulnerabilities that a malicious
threat agent (dark side hacker) could exploit. Typically, the vulnerabilities will provide a
list of potential targets to a malicious threat agent, resulting in the development of a
specific attack and/or exploit. The development of the specific vulnerability to exploit
with a specific threat agent is beyond the scope of this phase.
The NVA will not address the following web application issues:
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Buffer overflows
SQL injection
Malformed data web form input (‘)
VULNERABILITIES DEFINED
Vulnerabilities are documented problems or errors that can be exploited by a threat
agent to make a system perform in an unintended manner. Usually a technical NVA will
only discover well-known vulnerabilities of operating systems (O/S), core applications,
etc. In this context, “soft” vulnerabilities would include misconfigurations of files, active
default accounts and passwords, etc.
The technical NVA does not address issues such as the lack of general security
policies, use of logging and audit trails, etc.
ACCESS TO RESOURCES
The ToE owner shall provide appropriate access to the network infrastructure to allow
for the connection of tools that will be relied upon by the offeror. This includes network
connectivity within the enterprise; commonly known as “behind the firewall”, or within
the enterprise core infrastructure.
COSTING PROPOSAL
The costing proposal is contained in a separate accompanying document.