commissum www.commissum.com
Quay House 142 Commercial Street
Edinburgh EH6 6LB
t +44 845 644 3217
f +44 845 644 3218
1 Poultry London
EC2R 8JR
t +44 845 108 2061
f +44 845 108 2062
Commissum Associates Ltd trading as commissum Registered Office: Unit 3F2 Darnell Road, Edinburgh, EH5 3PL
REGISTERED IN SCOTLAND NO. SC229945
25 January 2013 Ref: PRO-0935 Version 1.0
Derek Farmer
The British Library
Information Systems
Boston Spa
Wetherby
LS23 7BQ
Dear Derek,
BRITISH LIBRARY - ITT RESPONSE - PROVISION OF NETWORK PENETRATION TESTING SERVICES – REF: EIS8323
commissum is pleased to provide the following response to The British Library’s Invitation
to Tender. This document comprises our formal Response to Requirements.
As commissum is a CREST member company and has conducted testing for The British Library
in previous years, The British Library can have a high degree of confidence in commissum’s
ability to continue providing network penetration testing services, and a range of other
information security testing services.
We would like to draw your attention to the following related to our response:
Highly competitive pricing – See Section 2.18
Our proven track record of holding to estimates we provide
Our offer of a vulnerability scan each year of the contract at no additional charge –
See Section 2.14 1)
We accommodate telephone support at no extra charge – See Section 2.10.1
Up to one day of consultancy at no additional charge, for each report submitted –
See Section 2.14 2)
To assist with budgeting for this and future years, we have offered to cap expenses
(See Section 2.18) and to cap any potential increase in rates for future contract
extensions (See Section 2.18)
Our CLAS and CREST accreditation – See Section 3.1
Our proven responsiveness and flexibility under our previous contract
Commercial-in-Confidence
Page 2 of 28
Ref: PRO-0935 Ver 1.0
Date: 25 January 2013
In response to the Invitation to Tender, commissum has provided the following elements
as requested:
1. Completed Form of Tender
2. Response to Requirements, addressing Sections 3 & 4 of the specification document,
detailing our Offer and consisting of;
i. Company Background – Supplier Background & Philosophy
ii. Scope of Requirements
iii. Supplier Response to the Requirements
iv. Techniques, Methodology and Scanning Tools to be Used
v. Description of Risk Categories
vi. Quality Control
vii. Draft ‘Rules of Behaviour’ agreement/framework
viii. Redress
ix. Additional Services & Added Value i.e. rectification support and advice
services
x. Testers’ CVs
xi. Sample Reports (sanitised)
xii. Itemised Pricing model – in conformance to The British Library requirement
as outlined in Section 4.
3. Supplementary Material in Support of our Offer, consisting of:
i. Qualifications and Experience of Our Team
4. In addition, in response to the invitation for innovative bids, we have provided, at
Appendix A, some additional suggested services that The British Library may wish to
consider.
If there are any aspects of the enclosed information which require clarification or
amendment, please do not hesitate to contact me, and I will ensure a rapid response.
We trust that our offer meets with your approval and welcome the opportunity of assisting
The British Library in addressing their security requirements.
Yours sincerely
Martin Finch
commissum
1 Response to Requirement
The British Library requirements for the following services for testing, assessment and
consultancy are addressed:
External Penetration
Internal Penetration
Application Security
Wireless/Remote Access
Telephony Security
Social Engineering
Information Security Consultancy / Assessment
Payment Card Industry (PCI) Data Security Standard Testing
2 Techniques, Methodology & Scanning Tools to be Used
2.1 Introduction
This section outlines the approach, methodologies and tools that we would typically use to
carry out an assignment such as this. The approach outlined is based on industry best
practice and our extensive experience conducting similar assignments.
The techniques, methodologies and approaches described are those relevant to the services
listed above, based on the information provided in the requirement.
An outline of the methodology for each of these services is provided below. This typical
approach can of course be modified to meet any further specific requirements that The
British Library may have.
2.2 External Penetration Test
Most commercial penetration testing services are largely automated, scanning your Internet
point-of-presence, your public gateway to the world-wide-web. As a CREST Member
Company, commissum goes a step further, adding a critical further level of expert analysis
by our experienced security consultants.
The overall methodology adopted by commissum is based on the best practice of OSSTMM
(the Open Source Security Testing Methodology Manual) which defines an internationally
recognised set of rules, guidelines and an approach to security testing and security
assessment of an organisation. Testing is non-intrusive and involves no intentional
exploitation of vulnerabilities beyond that necessary to demonstrate vulnerabilities exist,
unless specifically requested and signed off by the client. Principles are:
All tools and techniques used must be publicly/commercially available so that all
results are “real” i.e. the types of attacks simulated are those a system would be
subject to in the real world from the majority of the hacker community.
Clear reporting is required so that the results can be interpreted by all levels of the
business from board to technical.
The Penetration Test checks firewall and server defences against a range of common
vulnerabilities exploited by the hacker community, including the process of client
footprinting or Internet intelligence gathering. Most reasonably serious hackers will
undertake this footprinting – research using Internet resources. This research will
frequently uncover much information useful in launching attacks. This can include details
of your IP addresses, server names, server configuration, application configuration,
username construction information, data from newsgroups, Internet technical bulletin
boards, and other miscellaneous data that is of benefit to the hacker.
The commissum Penetration Testing process is broadly broken down into various phases,
summarised as follows:
footprinting (research) – basic intelligence gathering on the internet, obtain corporate
information about network addresses and IT deployment, and network topology. If the
hacker can obtain such information initially, without having to probe the system, he will be
further down the attack process, and have more chance of avoiding any detection
measures you have taken. The more a hacker can learn about you before probing your
systems, the less chance you will have to prevent the attack.
enumeration - scanning the systems, identifying open ports, the systems and
architectural features. This is the point at which most automated security scans start.
Although commissum uses scanners to perform a similar function, the raw data generated
by these tools is always interpreted by a security specialist. The goal of this phase is to
identify any links available from our location to the target location by way of a TCP/IP
network, through the TCP/IP network stack on the target through to the applications
running on the target system. This leads into attempting to identify the applications
employed, vendor, version and patch levels. Our goal is to assess whether open
applications identified are supplying useful information on connection.
exploitation – commissum stops short of launching actual attacks, unless we undertake
a risk assessment on the attack with the client and get client approval. This closely
simulates the methods employed by a hacker in that the data gathered during enumeration
is used to plan the next steps in penetrating and exploiting the system. For example, if we
can identify the vendor, version and patch information for applications in use, these could
be used with access to various public vulnerability databases to identify potential
vulnerabilities and hence routes of attack.
analysis - examine findings, correlate with best practice and our current knowledge base,
prioritise vulnerabilities, assess risks to the extent possible given our knowledge of the
business, and prepare recommendations for high priority items. The volume of raw data
generated can be considerable; the goal of this phase is to distil it into a list of potential
business risks, explain those risks in plain language, and make recommendations on how
they can be further assessed, eliminated or mitigated. This stage of the project is where the
most value is added, through the years of experience of our consultants.
reporting - produce a summary report highlighting the analysed risk areas and, on request,
deliver a supporting DVD/CD-ROM of the raw output from the testing tools. Because we make
the raw data available if required, we can claim a “no hide” philosophy, again best practice
endorsed by OSSTMM. It allows our customers to obtain an additional independent review
not only of the results but of our methods and techniques, if they deem it appropriate to do
so. This also enables a high degree of knowledge transfer; we do not subscribe to the claim
that security is “a black art.” The report is delivered encrypted, by e-mail. The
DVD/CD-ROM, if required, is provided on request and follows when collation and archiving
of data is complete.
Tools used by consultants for testing or technical security assessment are various, and
depend upon the specific requirements of each assignment. Tools used are drawn from
those publicly/commercially available so that all results are “real”, i.e. the types of attacks
simulated are those a system would be subject to in the real world from the majority of the
hacker community. Typically the “arsenal” of tools includes Nmap, Amap, Nessus, hping,
Nikto, ike-scan, Netcat, Wireshark, Metasploit, Cain & Abel, Glimpse, AppDetective, John
the Ripper, OpenSSH, THC Hydra, Paros Proxy, WebScarab, Sam Spade, THC SSL Check,
httprint, Absinthe, Lcrack, E-Or, SPIKE, SARA, Xprobe2, Firewalk, RainbowCrack,
Nemesis, standard operating system utilities, etc.
2.3 Internal Penetration
2.3.1 Overview
This “White Box” penetration test of the internal network will utilise standard ethical
hacking techniques similar to those outlined in the “Black Box” external penetration test
above, to enumerate the systems within The British Library internal and DMZ networks.
The intent is to discover and remove vulnerabilities within the inner networks; this is to
protect and harden systems against internal attacks or an external perimeter breach.
Although internal penetration testing has been specified as a requirement, we would like to
note that many of our clients prefer an internal vulnerability assessment before conducting
an internal penetration test. Internal testing typically takes much longer than, for instance,
external testing, because internal firewalls that would filter out ports and services, and
thereby limit the scope of the test, are usually absent. If required we can conduct internal
vulnerability testing instead of, or in addition to, and at the same rates as, internal
penetration testing.
2.3.2 Approach
The approach is essentially the same as that for the External “Black Box” test described
above, but does not include the footprinting phase.
For optimisation of time taken to complete this test commissum will conduct an initial host
discovery sweep to verify the existence of hosts and therefore which hosts require further
scanning. Host discovery will include ICMP based scans as well as probes for common
source and destination TCP and UDP ports, with a variety of flag combinations set.
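The enumeration and host-discovery steps above produce raw scanner output that a consultant then interprets. The following Python script is an added illustration for this page, not commissum’s tooling and not part of the tender: it parses an nmap XML report into the two things the analysis phase needs, namely which discovery probe each host answered (the ICMP, TCP and UDP probes described in Section 2.3.2) and a vendor/version fingerprint for each open service to take to the public vulnerability databases (the enumeration and exploitation-planning steps of Section 2.2). The XML is a constructed sample, not output from any real scan; the nmap command line quoted in the docstring is one way to produce such a file.

```python
"""Turn nmap -oX output into the host-discovery and service-enumeration data
the analysis phase works from.

Constructed example: SAMPLE_NMAP_XML is hand-written in nmap's XML format, not
the output of a scan against any real host (203.0.113.0/24 is a documentation
range).  Real input comes from an invocation such as
    nmap -sS -sV -p- -PE -PS22,80,443 -PA80 -PU53 -oX scan.xml <targets>
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX scan.xml 203.0.113.0/30">
<host><status state="up" reason="echo-reply"/>
  <address addr="203.0.113.1" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="5.3p1"><cpe>cpe:/a:openbsd:openssh:5.3p1</cpe></service></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="Apache httpd" version="2.2.15"><cpe>cpe:/a:apache:http_server:2.2.15</cpe></service>
      <script id="http-server-header" output="Apache/2.2.15 (CentOS)"/></port>
    <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
      <service name="http-proxy"/></port>
  </ports></host>
<host><status state="up" reason="syn-ack"/>
  <address addr="203.0.113.2" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
      <service name="https" product="nginx" version="1.2.1"><cpe>cpe:/a:igor_sysoev:nginx:1.2.1</cpe></service></port>
  </ports></host>
<host><status state="down" reason="no-response"/>
  <address addr="203.0.113.3" addrtype="ipv4"/></host>
</nmaprun>"""


@dataclass
class Service:
    host: str
    proto: str
    port: int
    name: str
    product: str = ""
    version: str = ""
    cpes: list = field(default_factory=list)
    banners: list = field(default_factory=list)

    def fingerprint(self):
        """String to look up in a vulnerability database, or None if the
        service disclosed nothing that identifies vendor and version."""
        if self.cpes:
            return self.cpes[0]
        if self.product and self.version:
            return f"{self.product} {self.version}"
        return None


def parse_nmap_xml(text):
    """Return ({addr: discovery reason}, [Service, ...]) for hosts that are up.

    The reason records which probe proved the host alive: echo-reply (ICMP
    echo), syn-ack or reset (TCP SYN / TCP ACK probes), udp-response (UDP
    probe); this is what the host-discovery sweep is after."""
    root = ET.fromstring(text)
    live, services = {}, []
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None or status.get("state") != "up":
            continue
        ip = addr.get("addr")
        live[ip] = status.get("reason", "")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            s = Service(ip, port.get("protocol"), int(port.get("portid")),
                        svc.get("name", "unknown") if svc is not None else "unknown")
            if svc is not None:
                s.product = svc.get("product", "")
                s.version = svc.get("version", "")
                s.cpes = [c.text for c in svc.findall("cpe") if c.text]
            # NSE script output (server headers, banners) is the "useful
            # information on connection" the enumeration phase looks for.
            s.banners = [sc.get("output", "") for sc in port.findall("script")]
            services.append(s)
    return live, services


def fingerprints_to_research(services):
    """Unique vendor/version identifiers for the exploitation-planning step."""
    return sorted({s.fingerprint() for s in services if s.fingerprint()})


def needs_manual_probing(services):
    """Open ports the scanner could not identify; these get hand probing
    (netcat, amap) before any conclusion is drawn."""
    return [(s.host, s.port) for s in services if s.fingerprint() is None]


if __name__ == "__main__":
    live, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, reason in live.items():
        print(f"{ip} up ({reason})")
    for fp in fingerprints_to_research(services):
        print("research:", fp)
    print("manual probing:", needs_manual_probing(services))
```

A host that answered only the TCP ACK probe is reported with reason “reset” rather than “syn-ack”; a host absent from the live list answered none of the probes, which on an unfiltered internal network is itself worth a second look with a different probe set before it is written off.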
2.4 Application Security
2.4.1 Overview
The specific British Library implementation and configuration of their applications will be
assessed from a standards based security perspective. Additionally, review from an
administrative and end user standpoint will be included within the security assessment.
The commissum testing methodology covers attacks detailed in the OWASP [1] testing guide
and in relevant sections of OSSTMM. In addition our consultants will, through their
experience, adapt the test plan and devise specific attack profiles, in response to issues
encountered or features of the application revealed through testing.
[1] OWASP - Open Web Application Security Project (www.owasp.org) - The OWASP Foundation is a not-for-profit organisation that
provides a widely recognised knowledge base on secure application development, review and test. Their projects
produce unbiased, open-source documentation, tools, and standards, and the organisation facilitates conferences, local chapters, articles, papers, and message forums.
The approach we take, and the stages our consultants go through are as follows, adapted
to the scale of each specific requirement.
2.4.2 Approach
Project Initiation
Issue and agree a Project Initiation Document (PID) with the Client
Conduct Testing
Test Planning: This is iterative as testing progresses, and the plan is updated as
issues and features are uncovered by testing
Analysis of the application architecture through enumeration
Iterative functional analysis of application throughout testing
Risk based threat modelling and active testing, encompassing:
interfaces to supporting applications
the authentication mechanisms
the authorisation schemas
input validation and bounds checks
transport and storage mechanisms
audit functions as encountered through the interfaces under test
The initiation phase will inform the planning process, and establish the goals and objectives
based on the consultant’s experience and perception of risk. The testing will as a result be
prioritised on a risk basis, where testing is concentrated on functions posing the highest
potential for direct or indirect loss or damage.
Analysis and Reporting
Analyse results
Re-test and verify as appropriate depending on the time allowed for testing
High risk issue reporting – reported to the client immediately on discovery and
verification
Peer Review and Quality Assurance
Issue to client
commissum will agree user types during Project Initiation as appropriate.
2.4.3 Methodology
Our methodology for typical Application Assurance assignments, depending on the
complexity of the application and the scope agreed with the client, can be summarised as
follows (the A1 to A10 references are to the categories of the OWASP Top 10, 2010 edition):
Evaluation of the security posture of the identified application
Guided spider of application
Content discovery through forceful browsing (for example: search for test, backup,
and demo content); attempts to find hidden or unlinked content, attempts to find
sensitive data in the HTML source
Assessment of the underlying web server Security (patching, configuration,
information disclosure etc) (OWASP – A6)
Assessment of the transport encryption used by the application (e.g. SSL) (OWASP
– A9)
Assessment of session management security (vulnerability to session hijacking,
brute forcing etc) (OWASP – A3)
Assessment of the security of user authentication mechanisms in the role of both an
authenticated and an unauthenticated attacker (OWASP – A8)
Testing as unauthenticated and authenticated users, with attempts at horizontal and
vertical privilege escalation (OWASP – A4)
Assessment of vulnerability to SQL based attacks (injection, protection level of data
tier, attempted database enumeration, etc) (OWASP – A1)
Assessment of vulnerability to content injection based attacks (OWASP – A1)
including specific focus on Cross-Site Scripting issues (OWASP – A2) , Cross-Site
Request Forgery (OWASP – A5) and Open Redirection issues (OWASP – A10)
Assessment of the protection of sensitive information within the application where
visible to the accounts used during testing (OWASP – A7)
Assessment of vulnerability to defacement or other “damage”
High risk issue reporting – reported to the client immediately on discovery and
verification
The application is tested to an overall agreed time cap, adopting a risk based approach. In
order to deliver the testing within agreed timeframes, the following approach is typically
taken:
Concentrating on tests likely to uncover high-impact vulnerabilities
Sampling of forms based on intelligent selection (risk, exposure and uniqueness)
Testing using predefined, constrained journeys and test data as the baseline
Time-capping sections of the test based on perceived risk
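To illustrate what the session management and authentication items in the list above amount to in practice, the following Python example has been added for this page; it is not commissum’s tooling and does not form part of the tender. It checks the attributes of a Set-Cookie header, estimates the randomness of a sample of session identifiers, detects counter-based identifiers that can be brute forced, and confirms that the identifier changes on login (otherwise session fixation applies). The headers and identifiers are constructed samples, not captured from any real application.

```python
"""Session-management checks of the kind listed above: cookie attributes,
identifier randomness, and re-issue of the identifier on login.

Constructed example: the Set-Cookie headers and session identifiers below are
hand-written to show weak and strong cases; nothing was captured from a real
application.
"""
import math
import os

# Constructed samples: a counter-based identifier and a 128-bit random one.
WEAK_IDS = ["sess-1001", "sess-1002", "sess-1003", "sess-1004"]
STRONG_IDS = [
    "3f9a1c7e02b4d86f5e1a9c3b7d0e2f48",
    "a07c4e19f3b2d5860e7c1a9f4b3d2e61",
    "c5e2b8d1f04a3679e8d2c1b5a0f4e7d3",
    "7b1d3e5f9a0c2468ec9b3d1f5a7e0c29",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_findings(header):
    """Attribute weaknesses that make a session cookie easier to steal."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, cookie is readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, cookie is attached to cross-site requests")
    return findings


def looks_sequential(ids):
    """True if the identifiers share a prefix and differ only in a counter,
    so a valid session can be found by brute force in a few guesses."""
    prefix = os.path.commonprefix(ids)
    tails = [i[len(prefix):] for i in ids]
    if len(tails) < 2 or not all(t.isdigit() for t in tails):
        return False
    nums = sorted(int(t) for t in tails)
    return max(b - a for a, b in zip(nums, nums[1:])) <= 10


def estimated_entropy_bits(ids):
    """Rough upper bound on identifier entropy: bits per symbol of the alphabet
    actually used, times the number of positions that vary across the samples
    (positions that never change carry nothing).  A handful of samples only
    catches gross weaknesses; a real assessment collects thousands."""
    alphabet = {c for i in ids for c in i}
    bits_per_symbol = math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    length = min(len(i) for i in ids)
    varying = sum(1 for pos in range(length) if len({i[pos] for i in ids}) > 1)
    return bits_per_symbol * varying


def rotates_on_login(pre_auth_id, post_auth_id):
    """An identifier that survives authentication allows session fixation:
    the attacker plants it, the victim logs in, the attacker uses it."""
    return pre_auth_id != post_auth_id


if __name__ == "__main__":
    for header in ("JSESSIONID=4f2a; Path=/",
                   "sid=4f2a; Path=/; Secure; HttpOnly; SameSite=Lax"):
        print(header, "->", cookie_findings(header) or "no attribute findings")
    for label, ids in (("counter", WEAK_IDS), ("random", STRONG_IDS)):
        print(f"{label}: sequential={looks_sequential(ids)} "
              f"~{estimated_entropy_bits(ids):.0f} bits")
    print("rotates on login:", rotates_on_login("sess-1001", "sess-1001"))
```

The entropy figure is deliberately an upper bound: four samples cannot prove an identifier random, but a result of a few bits, or a positive sequential check, is enough to report the session identifier as brute-forceable and to time-cap further work on it.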
The deliverable is a report issued in electronic format, appropriately encrypted. Results and
reports are put through a rigorous peer review process and final quality assurance check
prior to issue to the client. The encrypted report is sent by e-mail and the password is
supplied separately.
2.4.4 Code Assisted Application Security Testing
The British Library may wish to optionally consider this at no additional cost.
If a client is able to provide the source code or a copy of the webroot for the application
under test, commissum is able to use this as an information source to increase the
coverage and efficiency of testing. The test is conducted as described in Section 2.4.2 and
2.4.3, but the tester is able to refer to the supplied code to more quickly investigate
suspected vulnerabilities, and also assess further avenues of attack.
Where issues are suspected, the code can be referred to for a better and more
comprehensive understanding of the internal workings of the application; this enables a
tester to home in on a vulnerability far more quickly in cases where trial and error would be
the normal approach to teasing out the way the application functions.
This is not essential for conduct of the testing, but is offered as an option should the client
wish to consider this. It speeds up the testing process and allows the tester to extract the
maximum value from the limited time available.
2.5 Wireless/Remote Access
2.5.1 Overview
Unlike fixed cable or optical fibre networks, wireless networks “broadcast” sensitive
company information over a wide area without respecting the physical boundaries of the
organisation. This introduces some unique risks, which include:
Interception and unauthorised monitoring of sensitive network traffic. This is
frequently undertaken outside the organisation’s premises, so-called “drive-by
hacking”
Many wireless networks employ incorrectly deployed encryption protocols, and many
of these can be broken with relative ease. Once broken, a potential attacker can
connect to the internal network and deploy traditional hacker tools to intercept
sensitive information, including passwords, and to launch attacks on systems within
the wired corporate network.
Unauthorised access to network resources, for example high-bandwidth Internet
connectivity. Attackers advertise such access points to each other by marking their
location with chalk symbols, the practice known as “war chalking”
2.5.2 Approach
The wireless network review features the following high level tests:
Network discovery and enumeration. Assessment of 802.11 access point location
and the mapping of the wireless perimeter to quantify drive-by hacking risk
Testing of 802.11 access point security, including SSID broadcasting, to identify
inappropriate information disclosure.
Review of the logical and technical separation between wired and wireless LAN
Assessment of encryption techniques to determine the wireless network
implementation strength and resistance to attack and compromise.
Identification and testing of the client authentication method (for example
pre-shared key versus 802.1X/EAP)
Review the feasibility of penetration and exploitation; and demonstrate the ability to
compromise where feasible.
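As an added illustration of the encryption and SSID checks listed above (an example written for this page, not commissum’s tooling and not part of the tender), the following Python script classifies an 802.11 beacon frame: it reads the SSID element, the privacy bit in the capability field, and the RSN or vendor WPA information element, and from these reports whether the network is open, WEP, WPA, WPA2 or WPA3, which ciphers and key management it offers, and the corresponding test findings. The beacon frames are constructed in the script itself with hypothetical SSIDs and locally administered BSSIDs; none was captured from a real network.

```python
"""Classify what an 802.11 beacon advertises: SSID (or hidden), and the
encryption/authentication offered, from the capability field and the RSN
(WPA2/WPA3) or Microsoft vendor WPA information elements.

Constructed example: the beacons are assembled with build_beacon(); no frame
was captured from a real network.
"""
import struct

CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010      # capability bits: infrastructure, encryption on
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
RSN_OUI, MS_OUI = bytes.fromhex("000fac"), bytes.fromhex("0050f2")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}   # suite selector types
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}


def build_beacon(bssid, ssid, privacy, extra_ies=b""):
    """24-byte MAC header (to broadcast, from/at BSSID), fixed fields, SSID IE, extras."""
    header = bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, CAP_ESS | (CAP_PRIVACY if privacy else 0))
    return header + fixed + bytes([IE_SSID, len(ssid)]) + ssid + extra_ies


def suite_ie(tag, oui, group, pairwise, akms, prefix=b""):
    """RSN (tag 48) or vendor WPA (tag 221, prefix 00-50-f2-01) IE: version,
    group cipher, pairwise cipher list, AKM list."""
    body = prefix + struct.pack("<H", 1) + oui + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms)
    return bytes([tag, len(body)]) + body


def parse_ies(data):
    """Walk the tag/length/value elements that follow the fixed fields."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def parse_suites(body):
    """Decode pairwise ciphers and AKMs; RSN and WPA IEs share this layout."""
    n_pair = struct.unpack_from("<H", body, 6)[0]
    pairwise = [body[8 + 4 * k + 3] for k in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm = struct.unpack_from("<H", body, off)[0]
    akms = [body[off + 2 + 4 * k + 3] for k in range(n_akm)]
    return ([CIPHERS.get(c, f"cipher-{c}") for c in pairwise],
            [AKMS.get(a, f"akm-{a}") for a in akms])


def classify_beacon(frame):
    if (frame[0] & 0xFC) != 0x80:          # type management, subtype beacon
        raise ValueError("not a beacon frame")
    capability = struct.unpack_from("<H", frame, 34)[0]
    ssid, rsn, wpa = b"", None, None
    for tag, body in parse_ies(frame[36:]):
        if tag == IE_SSID:
            ssid = body
        elif tag == IE_RSN:
            rsn = body
        elif tag == IE_VENDOR and body[:4] == MS_OUI + b"\x01":
            wpa = body[4:]
    hidden = not ssid.strip(b"\x00")
    if rsn is not None:
        ciphers, akms = parse_suites(rsn)
        security = "WPA3" if "SAE" in akms else "WPA2"
    elif wpa is not None:
        ciphers, akms = parse_suites(wpa)
        security = "WPA"
    elif capability & CAP_PRIVACY:           # privacy bit without RSN/WPA IE: WEP
        ciphers, akms, security = ["WEP"], [], "WEP"
    else:
        ciphers, akms, security = [], [], "Open"
    findings = [msg for cond, msg in (
        (security == "Open", "no encryption: traffic readable by anyone in range"),
        (security == "WEP", "WEP: key recoverable from captured traffic in minutes"),
        ("TKIP" in ciphers, "TKIP: deprecated cipher, downgrade and injection attacks apply"),
        ("PSK" in akms, "pre-shared key: captured handshake allows offline dictionary attack"),
        (hidden, "hidden SSID: not a control, disclosed in probe responses")) if cond]
    return {"bssid": frame[16:22].hex(":"), "ssid": "<hidden>" if hidden else ssid.decode(errors="replace"),
            "security": security, "ciphers": ciphers, "akms": akms, "findings": findings}


# Constructed beacons (hypothetical SSIDs, locally administered BSSIDs).
CORP_BEACON = build_beacon(bytes.fromhex("02000000aa01"), b"Staff-WLAN", True,
                           suite_ie(IE_RSN, RSN_OUI, 4, [4], [1]))              # WPA2-Enterprise, CCMP
LEGACY_BEACON = build_beacon(bytes.fromhex("02000000aa02"), b"Legacy-WLAN", True,
                             suite_ie(IE_VENDOR, MS_OUI, 2, [2], [2], MS_OUI + b"\x01"))  # WPA-PSK, TKIP
WEP_BEACON = build_beacon(bytes.fromhex("02000000aa03"), b"Printers", True)     # privacy bit, no RSN/WPA
HIDDEN_OPEN_BEACON = build_beacon(bytes.fromhex("02000000aa04"), b"", False)

if __name__ == "__main__":
    for frame in (CORP_BEACON, LEGACY_BEACON, WEP_BEACON, HIDDEN_OPEN_BEACON):
        print(classify_beacon(frame))
```

On an engagement the frames come from a monitor-mode capture (for example a pcap written by airodump-ng or tcpdump), with the radiotap header stripped before the 802.11 header is parsed; the classification then feeds the encryption-strength and client-authentication items of the review directly.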
2.6 Telephony Security
2.6.1 Overview
This review will ascertain if any unknown modems are connected to The British Library
telephone system. This takes the form of “war dialling” a known range of telephone
numbers to identify the presence of modems. Any modems discovered will be checked to
ensure that they offer appropriate logon security features.
2.6.2 Approach
The British Library will be asked to provide DDI telephone number ranges to commissum,
who will, using automated “war dialling” modem sweep techniques, check these ranges for
the existence of modems set to auto-answer incoming calls. These modem sweeps will be
carried out at times of the day agreed with The British Library.
If a modem is identified on any number, this will be noted, and a high level security
assessment will be undertaken of the set-up of the modem with respect to external access
to The British Library’s systems.
The specific testing approach relating to VoIP services, should they exist, will include:
External war dial from the PSTN to pick up any responding IP PBX
Port scan/service checks on the Internet presence to find VoIP-enabled services
Scanning of the voice network from any connected internal networks
Passive sniffing of the voice network (attempting to enumerate the traffic and, if it is
encrypted, to decrypt it)
Attacks on VoIP phones and the IP PBX, any vendor-specific vulnerabilities, and
network-based attacks such as ARP spoofing, man-in-the-middle and DoS
Associated with telephony security, commissum can also investigate/assess the following
where required:
Password Dictionary Guessing
Voicemail Access
Toll Fraud
Toll Fraud Social Engineering
2.7 Social Engineering
2.7.1 Overview
It is an axiom of information security that the overall security of an organisation is only as
strong as the weakest link in the chain. The weakest link in the information security chain is
widely recognised as being the human factor. Social engineering is effectively an attack
method that exploits this weakest link.
Essentially the motives are the same as for any attack; to gain unauthorized access to
systems or information in order to commit:
fraud,
network intrusion,
industrial espionage,
identity theft, or
simply to disrupt the system or network
Social engineering testing is one way for organisations to test the effectiveness of the
human link in the chain. It indirectly tests the effectiveness of an organisation’s policies and
procedures, and critically, the implementation of them by the organisation’s staff.
It is increasingly common and good practice, for organisations to have information security
awareness programmes for their staff. One area these programmes should cover is the
threat from social engineering attacks and how staff should respond in these
circumstances. Social engineering testing will verify the effectiveness of the training.
2.7.2 Approach
The commissum approach to social engineering testing utilises many of the same
techniques as those used by actual hackers.
The commissum test approach would blend a range of assumed identities, and
psychological motivating factors, depending on the agreed scope, information provided, and
information gleaned from intelligence gathering activities.
Our approach will always involve the consultant carrying out the test attack assuming an
identity. A non-exclusive listing of the types of identity our consultant might use is as
follows:
Employee impersonation
Important user
Third-party authorised
Technical support [internal or external]
The following techniques are generally used to induce the victims to divulge information
they should not:
Diffusion of responsibility
Chance for ingratiation
Trust relationships
Moral duty
Guilt
Identification
Desire to be helpful
Co-operation
Our typical approach, which we recommend using for The British Library assignment, would
be:
Confirm scenarios
Client provides information
Intelligence gathering (including internet footprinting)
Plan and script first phase attacks (depending on scope and timescale)
Assess information gleaned from first phase attacks (depending on scope this may
lead directly to reporting)
Plan and script second phase attacks based on results from first phase
Repeat the two previous steps depending on timescale and scope
Report to client
Critical to the success of social engineering test attacks, as in real-life attacks, is the
initial information provided and, if scope allows, intelligence gathering, which together
lead to the development of credible scenarios and requests based on the organisation’s
profile and any publicly available information about it.
2.7.3 Social Engineering Testing – Issues to be Aware of
Short term testing (as opposed to tests conducted over weeks or months) is almost always
necessary owing to time and budget constraints, but it has limitations which must be
acknowledged. In particular, compared with a longer term approach, it does not allow for
gradual assimilation of information, which reduces the chance of alerting staff and so
increases the chance of success. The value is that if short term testing shows weaknesses
to social engineering attacks, you can be assured that a determined social engineer with
sufficient motivation and patience will do significantly better.
Security awareness training, together with effective policies and procedures with
management backing, are the key mitigating strategy to defeat social engineering attacks.
2.8 Information Security Consultancy / Assessment
commissum has in-depth expertise across the full range of information security services.
At this stage it is not defined which particular services The British Library wishes to take
up under this area, but commissum is confident that it can provide any information security
assurance requirement, including:
ISO27001/ISO27002 audit and gap analysis services;
CLAS Consultancy;
QSA services for PCI DSS;
Security Architecture Consultancy;
vendor and solution assessment;
Data Protection Consultancy; and
Business Continuity Planning and Management and Disaster Recovery Consultancy.
Under the Qualifications & Experience of our Team section, see below, we provide an
outline of the wider range of services offered and the qualifications, expertise and depth of
our team to support The British Library’s requirements. Should The British Library require
information regarding our methodologies in any further areas, in addition to those outlined
in this section, we can supply the relevant details.
2.9 Payment Card Industry Data Security Standard Testing (PCI
DSS)
We are able to provide monthly or quarterly vulnerability assessment services that will
meet The British Library’s obligations regarding PCI DSS; note that the quarterly external
scans required by PCI DSS Requirement 11.2.2 must be performed by a PCI SSC Approved
Scanning Vendor (ASV). In addition, as a CREST company, our infrastructure penetration
testing and application security testing services will also meet the requirements of PCI
DSS in those areas.
2.10 Management & Reporting
2.10.1 Management of Projects
We undertake a standard initiation exercise and apply a standard process to management
and reporting of any project. Points to highlight are:
project initiation – we prepare a project initiation document in discussion with the client
that captures the scope of the testing and any specific requirements such as IP address
ranges, domain names, etc. This document is agreed before any tests commence.
date of testing – we agree the date for the commencement of testing, following which the
client knows that we may scan or otherwise probe the systems under test. The time scale
for this can be protracted as the scanning/enumeration phases in particular can be very
unpredictable in length – note that for full penetration testing we scan all 65,536 ports for
IP addresses included in testing.
high risk issues – during the test process, if we uncover an issue that we believe has the
potential to be classified as a high risk, we would flag this immediately to the client to
enable rapid verification, and if necessary, corrective action to be taken.
report delivery – reports are usually issued in electronic format as pdf files, appropriately
encrypted. The report is sent by e-mail and the password is supplied separately. We can
confirm The British Library requirement to adapt our reporting format to their
requirements; we have already demonstrated our flexibility in this regard under the
existing contract.
follow-up support – as The British Library are aware from the previous engagement,
commissum is happy to accommodate telephone support at no extra charge. This enables
discussion of the details of the vulnerabilities reported and assistance in addressing them.
In addition, we have offered under the additional services & added value section below a
wash-up meeting following each test, if required by The British Library, to provide further
advice and support, and knowledge transfer through the active involvement of internal
British Library staff in the testing engagements. If additional support beyond this is
required by The British Library, this can very quickly be provided by commissum under the
day rate provided.
2.10.2 Reporting & Deliverables
commissum reporting is clear, succinct, and accurate. Reports will carry confidentiality
markings, and if required by the client, relevant security classification markings. Reports
will be delivered electronically.
The reports will be documents developed for the use of the client’s technical staff. If
requested by the client a separate Executive Summary Report can be provided for senior
management, collating the executive summary sections from all reported areas.
a. Format
All commissum penetration test reports follow a standard format as described below. We
would however be pleased to discuss client specific requirements and ways of
accommodating these. In particular we are aware of specific requirements that The British
Library has for the annual external penetration test reporting, which includes delivery of the
results in a spreadsheet format.
Our standard reports typically include the following sections:-
Title page
Contents
Executive summary
Scope
Approach
Technical detail with different headings depending on the type of report
Vulnerabilities and recommendations
Appendices
Contact details
In our standard reports we use the risk assessment levels of Low, Medium or High which
are assigned based on the following definitions (an assessment of the probability of the risk
actually existing is made where it cannot be positively verified through testing and included
in this assessment).
High
An issue which if exploited has the potential for severe impact on the
confidentiality, availability and/or integrity of your information assets; the
issue may be relatively straightforward to uncover or technical exploitation of
this may be relatively trivial.
Medium
An issue which if exploited has the potential for a moderate level of impact on
the confidentiality, availability and/or integrity of your information assets;
discovery of the issue may require a reasonable level of technical capability
and it may also be technically quite challenging to exploit or require a
reasonable level of resource/time.
Low
An issue which if exploited has a potentially low level of impact on the
confidentiality, availability and/or integrity of your information assets; it may
also be technically difficult to exploit in reality or require significant
resource/time allocation.
A further categorisation is used to help identify the type and context of risk identified:-
Vulnerability
A flaw inherent in the security mechanism itself or which can be reached
through security safeguards allowing unauthorised access to a location,
people, or business processes, and/or corruption or deletion of data.
Weakness
A flaw inherent in the platform or environment in which a security mechanism
resides, a misconfiguration, survivability fault, usability fault, or failure to
meet the requirements of the organisation's desired Security Posture.
Concern
The issue or vulnerability typically presents a low risk to the business. The
risk should be reassessed on a regular basis. Action should still be taken to
address concerns as failure to do so could leave the organisation vulnerable to
a determined attacker with the time and resources to invest in a complex or
blended attack.
Information Leak
A flaw inherent in the security mechanism itself or which can be reached
through security safeguards which allows for unauthorised access to privileged
or potentially sensitive information concerning data, business processes,
people, or infrastructure.
b. Peer Review of Deliverables
All work and resulting deliverables are subject to a rigorous peer review process to ensure
the high standards we set ourselves are maintained. This ensures the quality threshold and
prevents any single points of failure in our delivery capability. The peer review process is a
cornerstone of the way we monitor and improve quality.
c. Sample Report
A sample report has previously been provided to The British Library to illustrate the
general format that we adopt for reporting. A number of assignments have also been
carried out where the quality of our reporting has been demonstrated. We have also
provided further updated samples of:
Standard test report format
Managed Vulnerability Scanning report format
We have assumed that no further samples are required at this stage. Please advise if
further information is required here.
2.11 Quality Control
Internal quality control is established and overseen by the Quality Manager. This is
underpinned by a Quality System based on the ISO9000 standard; it provides a framework
of standards and procedures within which we manage and control all our project, product
and service activities. The implementation of this Quality System is mandatory and is to be
observed by all those who contribute to commissum’s products and services.
Overall quality and customer satisfaction is the responsibility of the Account Manager and
quality of the specific technical delivery is the responsibility of the Lead Consultant on each
assignment.
All work delivered is subject to a rigorous peer review process to ensure the high standards
we set ourselves are maintained. This ensures the quality threshold and prevents any
single points of failure in our delivery capability. The peer review process is a cornerstone
of the way we monitor and improve quality.
Service delivery for specific projects is reviewed at the conclusion of each stage in the
project lifecycle. Generic six monthly service reviews are also built into the quality
procedures and conducted across each of the service offerings. This review process involves
the entire team for each delivered project, as well as all the senior and principal
consultants, the quality manager and head of delivery.
Staff skills are kept current by a combination of on-the-job training, with senior consultants
mentoring more junior staff, and formal training such as that run by Government agencies
(CESG for CLAS, CESG/CREST for security testing), by ISACA/ISC2 for CISA/CISSP,
by vendors for independent security products, and by BSI for ISO27001 Lead
Auditor/Implementer.
2.12 Draft ‘Rules of Behaviour’ Agreement/Framework
commissum confirms that it is satisfied with the draft rules of behaviour as outlined in the
ITT.
2.13 Redress
Overall quality and customer satisfaction is the responsibility of the Account Manager;
quality of specific consultancy delivery is the responsibility of the Project Manager and Lead
Consultants for the area of delivery and each consultant engaged.
Measures that avoid dissatisfaction and achieve the highest quality include:
clear statements of work agreed with customers
careful assignment of consultants to projects
responsibility taken by Account Manager for all quality matters; this is managed at a
working level by lead consultants and consultants as appropriate
rigorous peer review of all deliverables
Dissatisfaction is very rarely encountered, and commissum has a standard documented
approach for escalation, summarised as follows – depending upon the level where any
dissatisfaction is reported:
Independent Arbitration
Managing Director
Account Manager
Lead Consultant
Consultant
At each level, if the issue cannot be resolved to the satisfaction of the customer, it is
to be immediately escalated to the next level.
At any time, if the customer feels that the issue is of sufficient importance, they are
encouraged to escalate the matter immediately to the Managing Director.
If a matter cannot be resolved to a customer’s satisfaction by the Managing
Director, the commissum standard procedure would be to refer the matter to an
independent third party agreeable to both commissum and the customer; or if
agreement cannot be reached then the president of the British Computer Society
who shall appoint an individual to act as an expert to facilitate a resolution.
We manage all projects under a Prince 2 environment, appropriately scaled to the size of
project, and it is our experience that any variance in performance can be identified and
remedied in a timely fashion without adverse impact on the project.
Separately from the direct process of resolution which always takes top priority, all reports
of dissatisfaction are recorded by commissum and are reviewed at the regular Company
Management Meetings (CMM). From this future preventative action is planned as
appropriate.
2.14 Additional Services & Added Value2
commissum offers two significant value-added items in this area, subject to contract
placement:
1) If The British Library calls on a minimum of 20 days of paid consultancy and/or
testing during the year, commissum will also provide a six month vulnerability scan
to supplement the annual penetration test at no additional cost – this is delivered as
commissum’s standard managed vulnerability test service. The report from this is
delivered electronically in spreadsheet format.
2) Up to one day of consultancy, at no additional charge for the time, for each report
submitted, to advise on implementation of the remedial measures recommended in
the relevant report, where this is considered of value by The British Library. If the
blended vulnerability service or PCI quarterly or monthly assessments are taken up,
and otherwise where it is practical to do so, this support will be provided as a
telephone based wash-up/discussion of the report.
3) Knowledge transfer to The British Library through the offer of active involvement of
internal British Library staff in the testing engagements. This can be accommodated
by staff either shadowing commissum consultants at The British Library site for on
site activities, or, if The British Library would prefer, we can accommodate a member
of staff who wishes to attend at our site to allow this knowledge transfer during an
agreed test.
4) Forensic services and incident response – commissum is able to offer expertise in
responding to and investigating incidents. This investigation can be targeted purely
at establishing the root cause, recovery and future preventative action; or through
commissum’s partner companies, a full investigative and expert witness service
can be provided working to criminal evidence standards and in accordance with
recognised and accepted industry best practice. Where required these services can
be quoted for on a case by case basis.
5) Load/Stress Testing – commissum is able to provide consultancy and test services
related to the load testing of systems or web sites. A standard remote external
service is provided by the commissum team for web sites; for more in-depth
testing our specialist functional testing and load/stress testing partner e-testing may
be called in to support this.
2 Note that this section is considered as Commercially Sensitive and should be considered CONFIDENTIAL INFORMATION with regards to FOI.
2.15 Testers' CVs
Please see Section 3.1 – the Qualifications & Experience of our Team section below.
2.16 References3
As an existing client, and under strict confidentiality, we would offer the following as
referees; in addition, The British Library already has experience of working with
commissum under the existing contract.
2.17 Sample (Sanitised Reports)
Please see the following enclosed sample Reports:
Infrastructure Penetration Testing & Application Testing Report
Managed Blended Vulnerability Scanning report.
2.18 Itemised Pricing Model4
Given our current understanding of the required team profile and calibre of staff, we offer
the rates as per the table below.
We have included caps, for budgeting purposes on the travel and subsistence expenses and
potential annual increase in price.
3 Note that this section is considered as Commercially Sensitive and should be considered CONFIDENTIAL INFORMATION with regards to FOI.
4 Note that this section is considered as Commercially Sensitive and should be considered CONFIDENTIAL INFORMATION with regards to FOI.
Services Discounted Day Rate5
1 External Penetration
2 Internal Penetration
3 Application Security
4 Wireless/Remote Access
5 Telephony Security
6 Social Engineering
7 Information Security Consultancy / Assessment
Rates are exclusive of VAT.
Travel, accommodation and subsistence expenses for services 3, 6 and 7 will be
charged at cost. All other services are expected to be provided from commissum
premises and will therefore not incur expenses. Where travel and subsistence
expenses are charged these will be charged at cost, but we are happy to cap these
at no more than of the value of any agreed package of work involving on-site
activity.
The above service rates are fixed for one year from the date of contract; thereafter we
propose that service rates vary on an annual basis by a percentage to be agreed
between commissum and The British Library, where this percentage will be
no more than .
Our proposal is valid for 90 (sixty) days from the date of issue and is submitted on a
time and materials basis in accordance with terms and conditions of contract.
commissum will invoice for services 1-7 provided on a monthly in arrears basis;
acceptance of the Services will be via email.
5 This rate applies to all work quoted and undertaken under the contract associated with this Tender EIS8323.
3 Supplementary Material in Support of our Offer
3.1 Qualifications & Experience of our Team
3.1.1 Introduction
As a people led organisation, commissum recognises the value of investing in people and
in attaining relevant industry-recognised accreditation and certification. Our people are all
time served professionals with core competencies in the technical and management aspects
of security. We hold the principles of trust, confidence, integrity, commitment and quality
of service as fundamental to the way we operate.
In this section we provide:
an overview of the professional and academic qualifications of our consultants
a list of consultants with outline CVs that are representative of the calibre of staff
from which other team members will be drawn – specific team selection is
dependent on the timing of contract start and subject to agreement with the British
Library.
3.1.2 Professional & Academic Qualifications & Accreditations
Qualifications, accreditations and certifications held by Key Personnel include:
Certified Security Analyst (ECSA)
Licensed Penetration Tester (LPT)
Certified Ethical Hacker (CEH)
CESG6/ CHECK7 Penetration Testing training
Certified Information Security Auditor (CISA8)
CESG CLAS9 Consultancy
Certified in the Governance of Enterprise IT (CGEIT4)
CREST Member Company and CREST Certified Tester/CREST Registered Tester
Certified Information Security Manager (CISM4)
Certified Information System Security Professional (CISSP10)
Accredited ISO27001 Lead Auditor
KÜRT Certified Ethical Hacker11
Various vendor specific IT and security qualifications, e.g. ISS System Scanner, DRS/NX System
Administration, Checkpoint CCSA/CCSE, Microsoft MCSE, Cisco CCNA, Symantec ESM, etc.
6 Communications-Electronics Security Group (CESG). CESG is the Information Security arm of GCHQ. They are the UK government's national technical authority for information security/information assurance issues.
7 CESG approved scheme for Information Security testing of critical government infrastructure.
8 Certification from the Information Systems Audit and Control Association. In the three decades since its inception, ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide.
9 CLAS – CESG Listed Advisor Scheme – a scheme that satisfies the demand for authoritative Infosec Information Assurance advice and guidance for critical government infrastructure by creating a pool of high quality consultants approved by CESG.
10 Certified Information Security Systems Professional (CISSP) from (ISC)2. (ISC)2 is a not-for-profit organization dedicated to maintaining a Common Body of Knowledge for Information Security (IS); certifying industry professionals and practitioners in an international IS standard; and ensuring credentials are maintained, primarily through continuing education. CISSP certification is recognised as an international standard for information security and understanding of a common body of knowledge. (www.isc2.org)
11 KÜRT Academy founded course to advance students beyond those available in industry such as the Certified Ethical Hacker (CEH) course. The intensive course includes 240 hours of tutorial and practical study.
3.1.3 commissum Consulting Team CVs
The following is a list of senior commissum consultants from which the resources may be
drawn to establish the team for this project for The British Library, together with three
sample CVs:
Principal Consultant
CREST Certified Tester
Senior Consultant
CLAS Consultant
Senior Consultant
KÜRT Certified Ethical Hacker
Senior Consultant
CREST Registered Tester
Senior Consultant
BCP/DR Specialist
Senior Consultant
CLAS/CHECK Consultant
In addition to these sample CVs, other staff that commissum may also draw on as Key
Personnel include: Andrew Kelman – Technical Consultant & Penetration Tester; Simon
Clifford – Principal Technical & Assurance Consultant; Kevin Gourlay - Senior Technical
Consultant & Penetration Tester; Ernie McVey – Senior PCI DSS Consultant; Paul Guckian –
Principal Governance Consultant, Briony Williams – Penetration Test Consultant; Alun
Borland – Network & Security Firewall Engineer; David Murphy – Principal Security
Consultant & ISO27001 Lead Auditor; Terry Dawes – Principal BCP Consultant.
3.2 Team Experience
The sample of CVs provided enables The British Library to be confident in the breadth and
depth of knowledge available within commissum.
By the nature of our business, our senior consultants are very experienced at working with
top management, as well as technical staff, in organisations of all sizes – this being an
essential aspect of security audit and policy development; that is the need to establish an
understanding of the business drivers of an organisation and ensure top management buy-
in to any audit or accreditation process.
Our team has experience with organisations of all sizes including various types of private
sector and government departments, from local to central government and associated
government agencies.
3.3 Resource Allocation
As explained above, commissum will allocate a team of high calibre consultants to this
project as required by each assignment. The exact team members to make up the team
will be decided upon at project start, depending on further information provided, provision
of necessary disclosures and timing and resource loading, but will normally be drawn from
those qualified individuals listed above to lead any assignment. In addition, the team will
be able to draw on the expertise in specific areas of the whole team, as the project
progresses.
commissum may use qualified Associates to resource assignments as well as permanent
staff. All such Associates have been thoroughly assessed by commissum as to their
qualifications and quality of work. Associates will always be managed by the commissum
staff project team members. All Associates are signed up under rigorous framework
contracts that cover confidentiality, commitment to deliver and quality of work.
3.4 Management Points of Contact
For each assignment, a nominated individual is identified as the client point of contact.
Other contacts may be required to address or discuss more technical matters, but these
requirements will be managed by the Account Manager identified.
For this assignment with The British Library, the following lead individual is nominated as
the prime Account Management point of contact with the client:
Martin Finch
T 0845 108 2064
F 0845 644 3218
M 0781 234 0940
E [email protected]
commissum
Quay House
142 Commercial Street
Edinburgh
EH6 6LB
4 Appendix A – INNOVATIVE/ALTERNATIVE ITEMS BID
We have appended this additional section to our response to suggest an alternative
approach that The British Library may wish to consider to satisfy their regular security
testing requirements.
4.1 Managed Quarterly/Monthly Vulnerability Scanning
From a budgetary perspective, commissum is able to offer a cost effective approach to
balancing detailed penetration testing with more frequent, wider coverage of The British
Library external perimeter. This could be achieved through a combination of focused,
detailed testing, annually and six monthly, combined with a quarterly or monthly blended
vulnerability assessment.
The quarterly or monthly scan will pick up changes that may occur in the vulnerability
landscape and also ensure that no services are inadvertently exposed.
The reports provide data for vulnerability remediation; the monthly option is the most cost
effective, picking up changes as they occur and also addressing the large number of
vulnerabilities that are constantly reported every week and month.
A sample report for our blended vulnerability assessment service is provided with this
response.
4.1.1 Approach
commissum offers a bespoke managed vulnerability scanning service tailored to the target
installation.
The scope of the assessment covers the same devices as for the external penetration test
above.
The managed vulnerability assessment service proposed here complements the external
penetration test, which in accordance with best practice should be conducted at least on an
annual basis, by providing an ongoing view of your exposures, ensuring your knowledge of
your security status is always up to date.
Our approach combines the automated scanning with a level of manual checking that
strikes a balance between cost and reasonably minimising ‘false positive’ results. The
testing is designed to be non-destructive; exploitation of vulnerabilities found is not carried
out.
The managed vulnerability assessments are performed in accordance with the following
assessment methodology:
Service Scanning - The service scanning phase of the assessment identifies all
responding TCP, UDP and ICMP services. This entails scanning all TCP ports,
well-defined UDP ports and a range of ICMP sub-services. Only reliable UDP scanning is
performed. Unless a positive application layer response can be obtained from the UDP
service it will not be reported as available. Reliable UDP checking assists in the
elimination of false positive results.
Service Enumeration - once the presence of a service has been confirmed, banner
information capture is attempted to assist in determining machine vulnerability status.
Only ‘good practice’, non-intrusive banner grabbing methods that will not affect machine
availability or stability are employed. Depending upon the services discovered,
fingerprinting is also performed in this phase of the assessment.
Vulnerability Detection - this phase consists of performing a configurable number of
tests, from a range of application layer vulnerability tests down to a single specific test
if necessary, against those services discovered in earlier phases of the assessment.
Thousands of separate tests are performed; the tools are continually updated with the
latest known vulnerability exploits.
Manual Vulnerability Examination and Verification - upon completion of
automated vulnerability testing a time limited level of manual vulnerability examination
and checking is undertaken. This is not as intensive or exhaustive as that undertaken
for the full penetration test, but does assist in improving the findings through
assessment of potential false positives and some non-trivial vulnerabilities. It also helps
to improve the reporting.
Reporting – upon completion of each assessment, an electronically delivered report
presents the findings together with corrective actions, historical trends and
summary statistics. This is delivered in spreadsheet format (sample provided).
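To make the post-scan processing described in the methodology above concrete, the following is an added illustration (not commissum's tooling, and not code from the original response). It applies the reliable-UDP rule from the Service Scanning phase (a UDP port is reported only when an application-layer response was obtained), and then produces the historical-trend and summary-statistic parts of the Reporting phase by comparing two consecutive assessments and rendering the result as CSV, the spreadsheet form the report is delivered in. The record layout, the host addresses, the finding identifiers and all sample data are constructed for the example; the risk levels and finding categories are those defined in the reporting section of this document.

```python
"""Post-processing of managed vulnerability scan output (added example).

Not commissum's tooling: record layout, sample hosts (RFC 5737 test range),
finding ids and all data below are constructed for illustration.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Risk scale and finding categories as defined in the report format section.
RISK_LEVELS = ("High", "Medium", "Low")
CATEGORIES = ("Vulnerability", "Weakness", "Concern", "Information Leak")


@dataclass(frozen=True)
class ServiceProbe:
    """One probed port. app_response is True only when a well-formed
    application-layer reply (e.g. a DNS answer) came back from the service."""
    host: str
    proto: str            # "tcp" or "udp"
    port: int
    open_indicator: bool  # TCP: handshake completed; UDP: no ICMP unreachable seen
    app_response: bool


def reliable_services(probes):
    """Reliable-UDP rule: TCP ports are reported when the handshake completed;
    UDP ports only when an application-layer response was obtained, because
    'no ICMP port unreachable' on its own is the classic UDP false positive."""
    reported = []
    for p in probes:
        if p.proto == "tcp" and p.open_indicator:
            reported.append(p)
        elif p.proto == "udp" and p.app_response:
            reported.append(p)
    return reported


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str       # constructed identifier such as "F-001"
    title: str
    risk: str             # one of RISK_LEVELS
    category: str         # one of CATEGORIES
    corrective_action: str

    def __post_init__(self):
        # Reject ratings outside the documented scale so the report stays consistent.
        if self.risk not in RISK_LEVELS or self.category not in CATEGORIES:
            raise ValueError(f"invalid rating on {self.finding_id}")


def trend(previous, current):
    """Historical trend between two assessments, keyed on (host, finding_id)."""
    prev = {(f.host, f.finding_id) for f in previous}
    curr = {(f.host, f.finding_id) for f in current}
    return {
        "new": sorted(curr - prev),
        "resolved": sorted(prev - curr),
        "persisting": sorted(curr & prev),
    }


def summary_statistics(findings):
    """Count of findings per risk level; every level is listed, zeros included."""
    counts = Counter(f.risk for f in findings)
    return {level: counts.get(level, 0) for level in RISK_LEVELS}


def to_spreadsheet(findings, trends):
    """Render the current findings with their trend status as CSV text,
    highest risk first."""
    status = {key: name for name, keys in trends.items() for key in keys}
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "id", "title", "risk", "category", "status", "corrective_action"])
    ordered = sorted(findings, key=lambda f: (RISK_LEVELS.index(f.risk), f.host, f.finding_id))
    for f in ordered:
        writer.writerow([f.host, f.finding_id, f.title, f.risk, f.category,
                         status.get((f.host, f.finding_id), "new"), f.corrective_action])
    return buf.getvalue()


# Constructed sample data (not real scan output).
SAMPLE_PROBES = [
    ServiceProbe("192.0.2.10", "tcp", 443, True, True),
    ServiceProbe("192.0.2.10", "udp", 53, True, True),    # DNS answered: reported
    ServiceProbe("192.0.2.10", "udp", 161, True, False),  # silent UDP port: not reported
    ServiceProbe("192.0.2.11", "tcp", 22, False, False),  # closed: not reported
]
PREVIOUS_FINDINGS = [
    Finding("192.0.2.10", "F-001", "TLS 1.0 enabled", "Medium", "Weakness", "Disable TLS 1.0"),
    Finding("192.0.2.10", "F-002", "Server version in banner", "Low", "Information Leak", "Suppress banner"),
]
CURRENT_FINDINGS = [
    Finding("192.0.2.10", "F-001", "TLS 1.0 enabled", "Medium", "Weakness", "Disable TLS 1.0"),
    Finding("192.0.2.10", "F-003", "Outdated web server", "High", "Vulnerability", "Apply vendor patch"),
]

if __name__ == "__main__":
    print([(p.host, p.proto, p.port) for p in reliable_services(SAMPLE_PROBES)])
    print(trend(PREVIOUS_FINDINGS, CURRENT_FINDINGS))
    print(summary_statistics(CURRENT_FINDINGS))
    print(to_spreadsheet(CURRENT_FINDINGS, trend(PREVIOUS_FINDINGS, CURRENT_FINDINGS)))
```

In the sample data the silent UDP port 161 is dropped even though no ICMP unreachable was seen, which is exactly the false positive the methodology says reliable UDP checking removes; the trend output marks F-003 as new, F-002 as resolved and F-001 as persisting, and the CSV orders rows High first so the spreadsheet reads top-down by priority.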
4.1.2 Pricing - Managed Quarterly/Monthly Vulnerability Scanning12
For the scope commissum has provided an indication of price based on a representative
number of external IP addresses - explicitly:
Up to a total of 150 active targets
When run in parallel with a full annual penetration test:
o Single assessment -
o 4 Quarterly assessments -
o 12 Monthly assessments -
If the single assessment is taken, the price of this can be offset against the quarterly or
monthly service, if this is committed to within 1 month (in the case of the monthly service)
or 3 months (in the case of the quarterly service) of the single assessment being
commenced. Assessment dates in each case are agreed in a single Project Initiation
Document following contract commencement, for the year.
12 Note that this section is considered as Commercially Sensitive and should be considered CONFIDENTIAL INFORMATION with regards to FOI.
Invoicing for the service is on contract award for the year. Reduced pricing can be offered
for a two or three year commitment.
4.2 Managed Application Security Assessment
commissum is able to quote for regular managed semi-automated application security
scans. These are a cost effective way of supplementing full application security testing at
more regular intervals and following changes to applications.
The objective would be to run the scans on a regular basis against key applications –
quarterly would be an optimum frequency, with additional scans if a significant change
occurred between quarterly scans.
commissum will quote for this service if The British Library considers that this service may
be of value as part of the security element of the software development lifecycle.
4.3 Managed Static Code Review
This service provides a managed, automated security check of developed code. The return
on investment concept is that the earlier in the development lifecycle issues are identified
and rectified, the less costly they are and the less impact they have on project timescales.
This proven review is ideally incorporated into the development lifecycle as early as
possible.
commissum is able to provide more detail on this and pricing if The British Library
considers this of interest.