Library. EIS8323.pdf

Upload: duongnguyet, posted 06-Jul-2018

commissum www.commissum.com

[email protected]

Quay House 142 Commercial Street

Edinburgh EH6 6LB

t +44 845 644 3217

f +44 845 644 3218

1 Poultry London

EC2R 8JR

t +44 845 108 2061

f +44 845 108 2062

Commissum Associates Ltd trading as commissum Registered Office: Unit 3F2 Darnell Road, Edinburgh, EH5 3PL

REGISTERED IN SCOTLAND NO. SC229945

25 January 2013 Ref: PRO-0935 Version 1.0

Derek Farmer

The British Library

Information Systems

Boston Spa

Wetherby

LS23 7BQ

Dear Derek,

BRITISH LIBRARY - ITT RESPONSE - PROVISION OF NETWORK PENETRATION TESTING SERVICES – REF: EIS8323

commissum is pleased to provide the following response to The British Library’s Invitation to Tender. As such, this document comprises our formal Response to Requirements document.

As a CREST member company, and having conducted testing in previous years, The British Library can have a high degree of confidence in commissum’s ability to continue providing network penetration testing services, and a range of other information security testing services.

We would like to draw your attention to the following related to our response:

- Highly competitive pricing (see Section 2.18)
- Our proven track record of holding to the estimates we provide
- Our offer of a vulnerability scan each year of the contract at no additional charge (see Section 2.14 1)
- We accommodate telephone support at no extra charge (see Section 2.10.1)
- Up to one day of consultancy at no additional charge, for each report submitted (see Section 2.14 2)
- To assist with budgeting for this and future years, we have offered to cap expenses (see Section 2.18) and to cap any potential increase in rates for future contract extensions (see Section 2.18)
- Our CLAS and CREST accreditation (see Section 3.1)
- Our proven responsiveness and flexibility under our previous contract


Commercial-in-Confidence

Page 2 of 28

Ref: PRO-0935 Ver 1.0

Date: 25 January 2013

In response to the Invitation to Tender, commissum has provided the following elements as requested:

1. Completed Form of Tender

2. Response to Requirements, addressing Sections 3 & 4 of the specification document, detailing our Offer and consisting of:
   i. Company Background: Supplier Background & Philosophy
   ii. Scope of Requirements
   iii. Supplier Response to the Requirements
   iv. Techniques, Methodology and Scanning Tools to be Used
   v. Description of Risk Categories
   vi. Quality Control
   vii. Draft ‘Rules of Behaviour’ agreement/framework
   viii. Redress
   ix. Additional Services & Added Value, i.e. rectification support and advice services
   x. Testers’ CVs
   xi. Sample Reports (sanitised)
   xii. Itemised Pricing model, in conformance to The British Library requirement as outlined in Section 4

3. Supplementary Material in Support of our Offer, consisting of:
   i. Qualifications and Experience of Our Team

4. In addition, to respond to the invitation for additional innovative bids, we have provided, at Appendix A, some additional suggested services that The British Library may wish to consider.

If there are any aspects of the enclosed information which require clarification or amendment, please do not hesitate to contact me, and I will ensure a rapid response.

We trust that our offer meets with your approval and welcome the opportunity of assisting The British Library in addressing their security requirements.

Yours sincerely

Martin Finch

commissum


1 Response to Requirement

The British Library requirements for the following services for testing, assessment and consultancy are addressed:

- External Penetration
- Internal Penetration
- Application Security
- Wireless/Remote Access
- Telephony Security
- Social Engineering
- Information Security Consultancy / Assessment
- Payment Card Industry (PCI) Data Security Standard Testing

2 Techniques, Methodology & Scanning Tools to be Used

2.1 Introduction

This section outlines the approach, methodologies and tools that we would typically use to carry out an assignment such as this. The approach outlined is based on industry best practice and our extensive experience conducting similar assignments.

The techniques, methodologies and approaches, based on the information provided in the requirement, are in relation to the services listed above.

An outline of the methodology for each of the above services is provided below. This typical approach can of course be modified to meet any further specific requirements that The British Library may have.

2.2 External Penetration Test

Most commercial penetration testing services are largely automated, scanning your Internet point-of-presence, your public gateway to the world-wide web. As a CREST Member Company, commissum takes another step, adding to this a critical, further level of expert analysis by our experienced security consultants.

The overall methodology adopted by commissum is based on the best practice of OSSTMM (the Open Source Security Testing Methodology Manual), which defines an internationally recognised set of rules, guidelines and an approach to security testing and security assessment of an organisation. Testing is non-intrusive and involves no intentional exploitation of vulnerabilities beyond that necessary to demonstrate that vulnerabilities exist, unless specifically requested and signed off by the client. Principles are:


- All tools and techniques used must be publicly/commercially available so that all results are “real”, i.e. the types of attacks simulated are those a system would be subject to in the real world from the majority of the hacker community.
- Clear reporting is required so that the results can be interpreted by all levels of the business, from board to technical.

The Penetration Test checks firewall and server defences against a range of common vulnerabilities exploited by the hacker community, including the process of client footprinting or Internet intelligence gathering. Most reasonably serious hackers will undertake this footprinting: research using Internet resources. This research will frequently uncover much information useful in launching attacks. This can include details of your IP addresses, server names, server configuration, application configuration, username construction information, data from newsgroups, Internet technical bulletin boards, and other miscellaneous data that is of benefit to the hacker.

The commissum Penetration Testing process is broadly broken down into various phases, summarised as follows:

footprinting (research): basic intelligence gathering on the Internet; obtain corporate information about network addresses and IT deployment, and network topology. If the hacker can obtain such information initially, without having to probe the system, he will be further down the attack process, and have more chance of avoiding any detection measures you have taken. The more a hacker can learn about you before probing your systems, the less chance you will have to prevent the attack.

enumeration: scanning the systems, identifying open ports, the systems and architectural features. This is the point at which most automated security scans start. Although commissum uses scanners to perform a similar function, the raw data generated by these tools is always interpreted by a security specialist. The goal of this phase is to identify any links available from our location to the target location by way of a TCP/IP network, through the TCP/IP network stack on the target, through to the applications running on the target system. This leads into attempting to identify the applications employed, vendor, version and patch levels. Our goal is to assess whether the open applications identified are supplying useful information on connection.

exploitation: commissum stops short of launching actual attacks, unless we undertake a risk assessment on the attack with the client and get client approval. This closely simulates the methods employed by a hacker in that the data gathered during enumeration is used to plan the next steps in penetrating and exploiting the system. For example, if we can identify the vendor, version and patch information for applications in use, these can be used with access to various public vulnerability databases to identify potential vulnerabilities and hence routes of attack.


analysis: examine findings, correlate with best practice and the current knowledge base, prioritise vulnerabilities, assess risks to the extent possible given knowledge of the business, and prepare recommendations for high priority items. The levels of raw data generated can be considerable, and the goal of this phase is to distil this information into a list of potential business risks, explain these risks in plain language, and make recommendations on how these risks can be further assessed, eliminated or mitigated. This stage of the project is where the most value is added, through the years of experience of our consultants.

reporting: produce a summary report highlighting analysed risk areas and, on request, deliver a supporting DVD/CD-ROM of the raw output from the testing tools. This reporting phase is self-explanatory, although because we make the raw data available if required, we are proud to claim a “no hide” philosophy, again best practice approved through OSSTMM. It allows our customers to obtain additional independent review, not only of the results but of our methods and techniques, if they deem it appropriate to do so. This is important as it allows the additional benefit of a high degree of knowledge transfer to take place; we do not subscribe to the claim that security is “a black art”. The report is delivered encrypted, by e-mail. The DVD/CD-ROM, if required, may be provided on request and follows when collation and archiving of data is complete.

Tools used by consultants for testing or technical security assessment are various, and depend upon the specific requirements of each assignment. Tools used are drawn from those publicly/commercially available so that all results are “real”, i.e. the types of attacks simulated are those a system would be subject to in the real world from the majority of the hacker community. Typically the “arsenal” of tools includes Nmap, Amap, Nessus, hping, Nikto, ike-scan, Netcat, Wireshark, Metasploit, Cain & Abel, Glimpse, AppDetective, John the Ripper, OpenSSH, THC Hydra, Paros proxy, WebScarab, Sam Spade, THC SSL Check, httprint, Absinthe, Lcrack, E-Or, SPIKE, SARA, Xprobe2, Firewalk, RainbowCrack, Nemesis, standard operating system utilities, etc.
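The enumeration and exploitation phases above turn on one step: reading the vendor and version a service discloses on connection and checking it against an advisory list. The following is an added example of that step, not commissum’s tooling or anything from the tender. The banners, the RFC 5737 addresses and the “HYPOTHETICAL-…” advisory entries are all constructed for illustration; in real work the banners come from the scanner output and the advisory ranges from a public vulnerability database.

```python
"""Banner triage for the enumeration and exploitation phases.

Added example (not commissum's tooling): parse service banners into
(product, version), flag which services disclose a version at all, and
compare disclosed versions against an advisory list using numeric version
tuples rather than string comparison. Banners and advisories are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, ...]


class Service(NamedTuple):
    host: str
    port: int
    product: str      # lower-cased product name, or "unknown"
    version: Version  # () when the banner discloses no version
    banner: str


# Group 1 = product, group 2 = version. The version is optional for HTTP
# Server headers, where many sites strip the version but keep the product.
BANNER_PATTERNS = [
    re.compile(r"^SSH-2\.0-(OpenSSH)_([\d.]+)"),
    re.compile(r"^Server:\s*(Apache|nginx|Microsoft-IIS)(?:/([\d.]+))?", re.I),
    re.compile(r"^220[ -].*?(Exim|Postfix|ProFTPD|vsFTPd)\s+v?([\d.]+)", re.I),
]

# Constructed, hypothetical advisories: (product, affected_from, fixed_in, id).
# Ranges matter: a 2.2.x build is not covered by a fix released for 2.4.x.
ADVISORIES = [
    ("openssh", (5, 0), (7, 0), "HYPOTHETICAL-SSH-001"),
    ("apache", (2, 2, 0), (2, 2, 22), "HYPOTHETICAL-HTTPD-001"),
    ("apache", (2, 4, 0), (2, 4, 10), "HYPOTHETICAL-HTTPD-002"),
    ("exim", (4, 0), (4, 83), "HYPOTHETICAL-SMTP-001"),
]


def parse_version(text) -> Version:
    """'2.2.15' -> (2, 2, 15); '' or None -> ()."""
    if not text:
        return ()
    return tuple(int(p) for p in text.strip(".").split(".") if p.isdigit())


def parse_banner(host: str, port: int, banner: str) -> Service:
    for pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return Service(host, port, m.group(1).lower(),
                           parse_version(m.group(2)), banner)
    return Service(host, port, "unknown", (), banner)


def match_advisories(svc: Service) -> List[str]:
    """Advisory ids whose affected range contains the disclosed version."""
    return [adv_id for product, lo, hi, adv_id in ADVISORIES
            if svc.product == product and svc.version and lo <= svc.version < hi]


def triage(banners) -> Dict[str, dict]:
    """Per host:port: what was identified, whether a version leaked, and
    which advisories warrant a risk-assessed follow-up with the client."""
    report = {}
    for host, port, banner in banners:
        svc = parse_banner(host, port, banner)
        report[f"{host}:{port}"] = {
            "product": svc.product,
            "version": ".".join(map(str, svc.version)) if svc.version else None,
            "discloses_version": bool(svc.version),
            "advisories": match_advisories(svc),
        }
    return report


# Constructed sample banners (RFC 5737 documentation addresses).
SAMPLE_BANNERS = [
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"),
    ("203.0.113.10", 80, "Server: Apache/2.2.15 (CentOS)"),
    ("203.0.113.11", 25, "220 mail.example.org ESMTP Exim 4.80 Mon, 21 Jan 2013"),
    ("203.0.113.12", 443, "Server: nginx"),
    ("203.0.113.12", 21, "220 (vsFTPd 3.0.2)"),
]

if __name__ == "__main__":
    for key, entry in triage(SAMPLE_BANNERS).items():
        print(key, entry)
```

Two points a tester relies on here: versions are compared as integer tuples, because as strings "2.2.9" sorts after "2.2.15", and each advisory carries a lower bound as well as a fix version, so that a host on a different release branch is not reported against a fix that never applied to it. A version match is only a candidate; under the methodology above it is the input to the risk assessment agreed with the client, not a result in itself.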

2.3 Internal Penetration

2.3.1 Overview

This “White Box” penetration test of the internal network will utilise standard ethical hacking techniques, similar to those outlined in the “Black Box” external penetration test above, to enumerate the systems within The British Library internal and DMZ networks. The intent is to discover and remove vulnerabilities within the inner networks; this is to protect and harden systems against internal attacks or an external perimeter breach.

Although internal penetration testing has been specified as a requirement, we would like to note that many of our clients prefer an internal vulnerability assessment before conducting an internal penetration test. Due to the nature of internal testing and the usual absence of internal firewalls filtering out ports and services (which would otherwise limit the scope of the test), such testing typically takes much longer than, for instance, external testing. If required we can conduct internal vulnerability testing instead of, or in addition to, and at the same rates as, internal penetration testing.

2.3.2 Approach

The approach is essentially the same as that for the External “Black Box” test described above, but does not include the “footprinting” phase.

To optimise the time taken to complete this test, commissum will conduct an initial host discovery sweep to verify the existence of hosts and therefore which hosts require further scanning. Host discovery will include ICMP-based scans as well as TCP and UDP probes using common source and destination ports and a variety of TCP flag combinations, so that hosts which filter ICMP are still discovered.
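The sweep described above produces a list of live hosts, and the reason each host was marked live tells the tester which probe got through. The following is an added example, not part of the tender and not commissum’s tooling, of reading the XML that Nmap writes for such a sweep (`nmap -sn ... -oX`) and deriving the target list for the full port scan. The XML is a constructed sample in the nmaprun format, using RFC 1918 addresses; the probe mapping covers the `reason` values Nmap reports for the ping types shown in the constructed command line.

```python
"""Host discovery sweep triage.

Added example (not commissum's tooling): reads the XML that
`nmap -sn ... -oX` writes for a discovery sweep, records which probe each
live host answered, and returns the hosts that need full port scanning.
SAMPLE_XML is a constructed sample in the real nmaprun format.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# nmap's "reason" attribute names the reply that marked a host up, i.e. which
# probe got through. Hosts found only by TCP replies on a sweep that also sent
# ICMP echo are a hint that ICMP is filtered on that segment.
PROBE_FOR_REASON = {
    "echo-reply": "ICMP echo (-PE)",
    "timestamp-reply": "ICMP timestamp (-PP)",
    "syn-ack": "TCP SYN probe to open port (-PS)",
    "reset": "TCP RST (SYN to closed port, or ACK probe -PA)",
    "udp-response": "UDP probe (-PU)",
    "port-unreach": "ICMP port unreachable to UDP probe (-PU)",
    "arp-response": "ARP (local segment)",
}

# Constructed sample: nmap -sn -PE -PS22,80,443 -PA80 -PU53 -oX sweep.xml 10.0.0.0/29
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -PE -PS22,80,443 -PA80 -PU53 -oX sweep.xml 10.0.0.0/29">
<host><status state="up" reason="echo-reply" reason_ttl="64"/>
<address addr="10.0.0.1" addrtype="ipv4"/><hostnames/></host>
<host><status state="up" reason="syn-ack" reason_ttl="128"/>
<address addr="10.0.0.2" addrtype="ipv4"/>
<hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames></host>
<host><status state="up" reason="reset" reason_ttl="64"/>
<address addr="10.0.0.3" addrtype="ipv4"/><hostnames/></host>
<host><status state="down" reason="no-response" reason_ttl="0"/>
<address addr="10.0.0.4" addrtype="ipv4"/></host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/><hostnames/></host>
<runstats><finished time="1358000000" elapsed="2.51"/>
<hosts up="4" down="1" total="5"/></runstats>
</nmaprun>
"""


def parse_sweep(xml_text: str) -> List[dict]:
    """One record per <host>: ip, name, up/down, reply reason and its TTL."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        ip = next(a.get("addr") for a in h.findall("address")
                  if a.get("addrtype") in ("ipv4", "ipv6"))
        name = h.find("hostnames/hostname")
        hosts.append({
            "ip": ip,
            "name": name.get("name") if name is not None else None,
            "up": status.get("state") == "up",
            "reason": status.get("reason"),
            "ttl": int(status.get("reason_ttl", "0")),
        })
    return hosts


def scan_targets(hosts: List[dict]) -> List[str]:
    """Live addresses in address order, for the full port scan."""
    def key(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, int(addr))
    return sorted((h["ip"] for h in hosts if h["up"]), key=key)


def probe_summary(hosts: List[dict]) -> Dict[str, int]:
    """How many live hosts each probe type found."""
    return dict(Counter(PROBE_FOR_REASON.get(h["reason"], h["reason"])
                        for h in hosts if h["up"]))


def targets_file_text(hosts: List[dict]) -> str:
    """Contents of the file to hand to the next phase via nmap -iL."""
    return "".join(ip + "\n" for ip in scan_targets(hosts))


if __name__ == "__main__":
    sweep = parse_sweep(SAMPLE_XML)
    print("live:", scan_targets(sweep))
    print("found by:", probe_summary(sweep))
```

The `reason_ttl` value is kept because a TTL that differs from the rest of a segment usually means the reply came from a different device (a firewall answering on a host’s behalf, or a host behind a router), which is worth knowing before the port scan is interpreted.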

2.4 Application Security

2.4.1 Overview

The specific British Library implementation and configuration of their applications will be assessed from a standards-based security perspective. Additionally, review from an administrative and end user standpoint will be included within the security assessment.

The commissum testing methodology covers attacks detailed in the OWASP [1] testing guide and in relevant sections of OSSTMM. In addition our consultants will, through their experience, adapt the test plan and devise specific attack profiles in response to issues encountered or features of the application revealed through testing.

The approach we take, and the stages our consultants go through, are as follows, adapted to the scale of each specific requirement.

2.4.2 Approach

Project Initiation
- Issue and agree a Project Initiation Document (PID) with the Client

Conduct Testing
- Test Planning: this is iterative as testing progresses, and the plan is updated as issues and features are uncovered by testing
- Analysis of the application architecture through enumeration
- Iterative functional analysis of the application throughout testing

[1] OWASP - Open Web Application Security Project (www.owasp.org) - The OWASP Foundation is a not-for-profit organisation that provides a widely recognised knowledge base on secure application development, review and test. Its open-source projects produce unbiased, open-source documentation, tools, and standards, and the organisation facilitates conferences, local chapters, articles, papers, and message forums.


- Risk-based threat modelling and active testing, encompassing:
  - interfaces to supporting applications
  - the authentication mechanisms
  - the authorisation schemas
  - input validation and bounds checks
  - transport and storage mechanisms
  - audit functions as encountered through the interfaces under test

The initiation phase will inform the planning process, and establish the goals and objectives based on the consultant’s experience and perception of risk. The testing will as a result be prioritised on a risk basis, where testing is concentrated on functions posing the highest potential for direct or indirect loss or damage.

Analysis and Reporting
- Analyse results
- Re-test and verify as appropriate depending on the time allowed for testing
- High risk issue reporting: reported to the client immediately on discovery and verification
- Peer Review and Quality Assurance
- Issue to client

commissum will agree user types during Project Initiation as appropriate.

2.4.3 Methodology

Our methodology for typical Application Assurance assignments, depending on the complexity of the application and the scope agreed with the client, can be summarised as follows (the OWASP references are to the OWASP Top 10, 2010 edition):

- Evaluation of the security posture of the identified application
- Guided spider of the application
- Content discovery through forceful browsing (for example: search for test, backup and demo content); attempts to find hidden or unlinked content; attempts to find sensitive data in the HTML source
- Assessment of the underlying web server security (patching, configuration, information disclosure etc.) (OWASP A6)
- Assessment of the transport encryption used by the application (e.g. SSL) (OWASP A9)
- Assessment of session management security (vulnerability to session hijacking, brute forcing etc.) (OWASP A3)
- Assessment of the security of user authentication mechanisms in the role of both an authenticated and an unauthenticated attacker (OWASP A8)
- Testing as unauthenticated and authenticated users, with attempts at horizontal and vertical privilege escalation (OWASP A4)
- Assessment of vulnerability to SQL-based attacks (injection, protection level of the data tier, attempted database enumeration, etc.) (OWASP A1)
- Assessment of vulnerability to content injection based attacks (OWASP A1), including specific focus on Cross-Site Scripting issues (OWASP A2), Cross-Site Request Forgery (OWASP A5) and Open Redirection issues (OWASP A10)
- Assessment of the protection of sensitive information within the application where visible to the accounts used during testing (OWASP A7)
- Assessment of vulnerability to defacement or other “damage”
- High risk issue reporting: reported to the client immediately on discovery and verification
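The horizontal and vertical privilege escalation item above is, in practice, a replay exercise: requests captured from one user are re-sent under every other agreed user type and the responses compared. The following is an added example of that harness, not commissum’s methodology or tooling and not from the tender. The application it runs against is a constructed in-memory stand-in with both a vulnerable and a hardened version of its access checks, so the same harness can be seen reporting the escalations and then reporting none once the checks are in place; the users, sessions and invoice numbers are all invented.

```python
"""Authorisation matrix test for horizontal and vertical escalation.

Added example (not commissum's tooling): a constructed in-memory
"application" whose access checks exist in a vulnerable and a fixed form,
and a harness that replays requests captured from one user under the other
agreed user sessions, as is done against a real target through an
intercepting proxy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed users, sessions and data. Roles are 'user' or 'admin'.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
SESSIONS = {"s-alice": "alice", "s-bob": "bob", "s-carol": "carol", "s-anon": None}
INVOICES = {101: "alice", 102: "bob", 103: "alice"}


@dataclass
class Response:
    status: int
    body: str = ""


def handle(path: str, session: Optional[str], fixed: bool) -> Response:
    """Route a request. `fixed` selects the hardened access checks."""
    user = SESSIONS.get(session)
    if user is None:
        return Response(401)
    if path.startswith("/invoice/"):
        tail = path.rsplit("/", 1)[1]
        if not tail.isdigit() or int(tail) not in INVOICES:
            return Response(404)
        inv = int(tail)
        # Vulnerable: any authenticated user may read any invoice (IDOR).
        # Fixed: the owner or an admin only.
        if fixed and INVOICES[inv] != user and USERS[user] != "admin":
            return Response(403)
        return Response(200, f"invoice {inv} of {INVOICES[inv]}")
    if path == "/admin/users":
        # Vulnerable: the page is merely hidden from the menu, never checked.
        if fixed and USERS[user] != "admin":
            return Response(403)
        return Response(200, ",".join(USERS))
    return Response(404)


# Captured journeys: (path, session the request was recorded under).
CAPTURED = [
    ("/invoice/101", "s-alice"),
    ("/invoice/102", "s-bob"),
    ("/admin/users", "s-carol"),
]


def escalation_findings(fixed: bool) -> List[Tuple[str, str, str]]:
    """Replay each captured request under every other session. A 200 with the
    owner's body for a different user of the same or lower role is an
    escalation; the admin reading a user's object is expected here."""
    findings = []
    for path, owner_session in CAPTURED:
        owner = SESSIONS[owner_session]
        baseline = handle(path, owner_session, fixed)
        for session, user in SESSIONS.items():
            if session == owner_session:
                continue
            r = handle(path, session, fixed)
            if r.status != 200 or r.body != baseline.body:
                continue  # denied, or a different (own) view: not a finding
            if user is None:
                kind = "unauthenticated access"
            elif USERS[user] == "admin":
                continue
            elif USERS[owner] == "admin":
                kind = "vertical"
            else:
                kind = "horizontal"
            findings.append((kind, user, path))
    return sorted(findings)


if __name__ == "__main__":
    print("vulnerable:", escalation_findings(fixed=False))
    print("fixed:     ", escalation_findings(fixed=True))
```

The comparison is against the owner’s response body, not just the status code, because many applications answer a denied request with a 200 and an error page; on a real target the harness should also keep an unauthenticated baseline so that a “soft” denial is not mistaken for a different view. The ground truth it needs, which user type owns which object and which functions are administrative, is exactly what the user types agreed at Project Initiation provide.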

The application is tested to an overall agreed time cap, adopting a risk-based approach. In order to deliver the testing within agreed timeframes, the following approach is typically taken:

- Concentrating on tests likely to uncover high-impact vulnerabilities
- Sampling of forms based on intelligent selection (risk, exposure and uniqueness)
- Testing using predefined, constrained journeys and test data as the baseline
- Time-capping sections of the test based on perceived risk

The deliverable is a report issued in electronic format, appropriately encrypted. Results and reports are put through a rigorous peer review process and a final quality assurance check prior to issue to the client. The encrypted report is sent by e-mail and the password is supplied separately.

2.4.4 Code Assisted Application Security Testing

The British Library may wish to optionally consider this at no additional cost.

If a client is able to provide the source code or a copy of the webroot for the application under test, commissum is able to use this as an information source to increase the coverage and efficiency of testing. The test is conducted as described in Sections 2.4.2 and 2.4.3, but the tester is able to refer to the supplied code to investigate suspected vulnerabilities more quickly, and also to assess further avenues of attack.

Where issues are suspected, the code can be referred to for a better and more comprehensive understanding of the internal workings of the application; this enables a tester to home in on a vulnerability far more quickly in cases where trial and error would be the normal approach to teasing out the way the application functions.

This is not essential for conduct of the testing, but is offered as an option should the client wish to consider it. It speeds up the testing process and allows the tester to extract the maximum value from the limited time available.

2.5 Wireless/Remote Access

2.5.1 Overview

Unlike fixed-installation cable or optical-fibre-based networks, wireless networks “broadcast” sensitive company information over a wide area without respecting the physical boundaries of the organisation. This introduces some unique risks, which include:

- Interception and unauthorised monitoring of sensitive network traffic. This is frequently undertaken outside of the organisation’s premises, so-called “drive-by hacking”.
- Many wireless networks employ incorrectly deployed encryption protocols; many can be broken with relative ease. Once broken, a potential attacker can connect to the internal network and deploy traditional hacker tools to intercept sensitive information, including passwords, and to launch an attack on systems within the wired corporate network.
- Unauthorised use of network resources, for example high-bandwidth Internet connectivity (the practice of publicly marking the location of such open access points is known as “war chalking”).

2.5.2 Approach

The wireless network review features the following high level tests:

- Network discovery and enumeration: assessment of 802.11 access point location and the mapping of the wireless perimeter to quantify drive-by hacking risk
- Testing of 802.11 access point security, including SSID broadcasting, to identify inappropriate information disclosure
- Review of the logical and technical separation between wired and wireless LAN
- Assessment of encryption techniques to determine the wireless network implementation strength and resistance to attack and compromise
- Identification and testing of the client authentication method
- Review of the feasibility of penetration and exploitation, and demonstration of the ability to compromise where feasible

2.6 Telephony Security

2.6.1 Overview

This review will ascertain if any unknown modems are connected to The British Library

telephone system. This takes the form of “war dialling” a known range of telephone

numbers to identify the presence of modems. Any modems discovered will be checked to

ensure that they offer appropriate logon security features.

2.6.2 Approach

The British Library will be asked to provide DDI telephone number ranges to commissum,

who will, using automated “war dialling” modem sweep techniques, check these ranges for

the existence of modems set to auto-answer incoming calls. These modem sweeps will be

carried out at times of the day agreed with The British Library.

If a modem is identified on any number, this will be noted, and a high level security

assessment will be undertaken of the set-up of the modem with respect to external access

to The British Library’ systems.

The specific testing approach relating to VoIP services, should they exist, will include:

External wardial from the PSTN to pick up any responding IP PBX

Portscan/Service checks on Internet presence to find VOIP enabled services

Scanning of the Voice network from any connected internal networks

Passive sniffing of voice network (attempt to enumerate/decrypt(if encrypted)

traffic)

Attacks on VOIP phones and IP PBX, any vendor specific vulnerabilities and network

based attacks such as ARP spoofing, Man in the Middle and DOS

Associated with telephony security, commissum can also investigate/assess the following

where required:

Password Dictionary Guessing

Voicemail Access

Toll Fraud

Toll Fraud Social Engineering
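The modem sweeps described above are seen from the tester's side; a defender sees the same activity from the other end in the PBX's call-detail records (CDRs), and the agreed testing times make it possible to tell an authorised sweep from an unexpected one. The following is an added example, not part of the commissum proposal, showing how a sweep might be flagged in such records: one calling number reaching many distinct DDIs in a short window. The CDR line format, the sample records, the thresholds and the function names are constructed assumptions for illustration, not any vendor's real format.

```python
"""Flag a war-dialling sweep in PBX call-detail records (added example).

Assumed CDR line format (hypothetical, not a vendor format):
    timestamp,calling_number,called_ddi,duration_seconds
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs: the first six lines mimic an automated sweep
# across consecutive DDIs in the early hours; the last two are ordinary
# daytime calls to the same range.
SAMPLE_CDR = """\
2013-01-25T02:01:05,01234567890,02071234001,4
2013-01-25T02:01:41,01234567890,02071234002,3
2013-01-25T02:02:12,01234567890,02071234003,5
2013-01-25T02:02:50,01234567890,02071234004,3
2013-01-25T02:03:30,01234567890,02071234005,4
2013-01-25T02:04:02,01234567890,02071234006,41
2013-01-25T09:15:00,01315550100,02071234002,312
2013-01-25T09:20:00,01315550101,02071234002,88
"""


def parse_cdr(text):
    """Parse CDR lines into (timestamp, caller, callee, duration) tuples.
    Blank lines and '#' comments are skipped; malformed lines raise."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, callee, duration = line.split(",")
        records.append((datetime.fromisoformat(ts), caller, callee, int(duration)))
    return records


def detect_sweeps(records, ddi_prefix, min_distinct=5,
                  window=timedelta(minutes=30), allow_list=()):
    """Flag calling numbers that reached at least `min_distinct` distinct DDIs
    under `ddi_prefix` within any `window`-long span of their own calls.
    Callers in `allow_list` (e.g. the agreed test number) are ignored.
    Returns one alert per flagged caller carrying the largest DDI set seen,
    so the listed lines can be checked for an unexpected auto-answer modem."""
    by_caller = defaultdict(list)
    for ts, caller, callee, duration in records:
        if callee.startswith(ddi_prefix) and caller not in allow_list:
            by_caller[caller].append((ts, callee, duration))

    alerts = []
    for caller, calls in by_caller.items():
        calls.sort()  # chronological: tuples sort by timestamp first
        best = None
        start = 0
        for end in range(len(calls)):
            # Slide the window start forward until the span fits in `window`.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            reached = sorted({c[1] for c in calls[start:end + 1]})
            if len(reached) >= min_distinct and (
                    best is None or len(reached) > len(best["ddis"])):
                best = {
                    "caller": caller,
                    "window_start": calls[start][0].isoformat(),
                    "ddis": reached,
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(parse_cdr(SAMPLE_CDR), ddi_prefix="0207123"):
        print(f"{alert['caller']} reached {len(alert['ddis'])} DDIs "
              f"from {alert['window_start']}: {', '.join(alert['ddis'])}")
```

The thresholds are deliberately conservative: a legitimate caller rarely dials five or more distinct extensions in the same range within half an hour, while a sweep of a DDI block will do so quickly. Put the tester's calling number in `allow_list` for the agreed window so only unexpected sweeps are raised.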

2.7 Social Engineering

2.7.1 Overview

It is an axiom of information security that the overall security of an organisation is only as strong as the weakest link in the chain. The weakest link in the information security chain is widely recognised as being the human factor. Social engineering is effectively an attack method that exploits this weakest link.

Essentially the motives are the same as for any attack: to gain unauthorized access to systems or information in order to commit:

fraud,
network intrusion,
industrial espionage,
identity theft, or
simply to disrupt the system or network

Social engineering testing is one way for organisations to test the effectiveness of the human link in the chain. It indirectly tests the effectiveness of an organisation’s policies and procedures, and critically, the implementation of them by the organisation’s staff.

It is increasingly common, and good practice, for organisations to have information security awareness programmes for their staff. One area these programmes should cover is the threat from social engineering attacks and how staff should respond in these circumstances. Social engineering testing will verify the effectiveness of the training.

2.7.2 Approach

The commissum approach to social engineering testing utilises many of the same techniques as those used by actual hackers.

The commissum test approach would blend a range of assumed identities and psychological motivating factors, depending on the agreed scope, information provided, and information gleaned from intelligence gathering activities.

Our approach will always involve the consultant carrying out the test attack assuming an identity. A non-exclusive listing of the types of identity our consultant might use is as follows:

Employee impersonation
Important user
Third-party authorised
Technical support [internal or external]

The following techniques are generally used to induce the victims to divulge information they should not:

Diffusion of responsibility
Chance for ingratiation
Trust relationships
Moral duty
Guilt
Identification
Desire to be helpful
Co-operation

Our typical approach, which we recommend using for The British Library assignment, would be:

Confirm scenarios
Client provides information
Intelligence gathering (including internet footprinting)
Plan and script first phase attacks (depending on scope and timescale)
Assess information gleaned from first phase attacks (depending on scope this may lead directly to reporting)
Plan and script second phase attacks based on results from first phase
Repeat the two previous steps depending on timescale and scope
Report to client

Critical to the success of the social engineering testing attacks, as in real life attacks, is the initial information provided and, if scope allows, intelligence gathering activities, which lead to the development of credible scenarios/requests based on the organisation’s profile and any publicly available information about them.

2.7.3 Social Engineering Testing – Issues to be Aware of

Short term testing (as opposed to tests that may be conducted over weeks or months) is almost always necessary owing to time and budget constraints, but it does have limitations which must be acknowledged. In particular, when compared with a longer term approach, it does not allow for gradual assimilation of information, with the associated reduced chance of alerting staff and therefore greater chance of success. However, the value is that if short term testing shows weaknesses from social engineering attacks, you can be assured a determined social engineer with sufficient motivation and patience will inevitably do significantly better.

Security awareness training, together with effective policies and procedures with management backing, are the key mitigating strategy to defeat social engineering attacks.


2.8 Information Security Consultancy / Assessment

commissum has in depth expertise across the full range of information security services. At this stage it is not defined which particular services The British Library wish to take up under this area, but commissum is confident that it can provide any information security assurance requirement including:

ISO27001/ISO27002 audit and gap analysis services;
CLAS Consultancy;
QSA services for PCI DSS;
Security Architecture Consultancy;
vendor and solution assessment;
Data Protection Consultancy; and
Business Continuity Planning and Management and Disaster Recovery Consultancy.

Under the Qualifications & Experience of our Team section, see below, we provide an outline of the wider range of services offered and the qualifications, expertise and depth of our team to support The British Library’s requirements. Should The British Library require information regarding our methodologies in any further areas, in addition to those outlined in this section, we can supply the relevant details.

2.9 Payment Card Industry Data Security Standard Testing (PCI DSS)

We are able to provide monthly or quarterly vulnerability assessment services that will meet The British Library’s obligations regarding PCI DSS. In addition, as a CREST company, our infrastructure penetration testing and application security testing services will also meet the requirements of PCI DSS in those areas.

2.10 Management & Reporting

2.10.1 Management of Projects

We undertake a standard initiation exercise and apply a standard process to management and reporting of any project. Points to highlight are:

project initiation – we prepare a project initiation document in discussion with the client that captures the scope of the testing and any specific requirements such as IP address ranges, domain names, etc. This document is agreed before any tests commence.

date of testing – we agree the date for the commencement of testing, following which the client knows that we may scan or otherwise probe the systems under test. The time scale for this can be protracted as the scanning/enumeration phases in particular can be very unpredictable in length – note that for full penetration testing we scan all 65,536 ports for IP addresses included in testing.


high risk issues – during the test process, if we uncover an issue that we believe has the potential to be classified as a high risk, we would flag this immediately to the client to enable rapid verification, and if necessary, corrective action to be taken.

report delivery – reports are usually issued in electronic format as pdf files, appropriately encrypted. The report is sent by e-mail and the password is supplied separately. We can confirm The British Library requirement to adapt our reporting format to their requirements; we have already demonstrated our flexibility in this regard under the existing contract.

follow-up support – as The British Library are aware from the previous engagement, commissum is happy to accommodate telephone support at no extra charge. This enables discussion over the details of the vulnerabilities reported on and assistance in addressing these. In addition, we have offered under the additional services & added value section below a wash-up meeting following each test, if required by The British Library, to provide further advice and support, and knowledge transfer through active involvement of internal British Library staff in the testing engagements. If additional support beyond this is required by The British Library, this can very quickly be provided by commissum under the day rate provided.

2.10.2 Reporting & Deliverables

commissum reporting is clear, succinct, and accurate. Reports will carry confidentiality markings, and if required by the client, relevant security classification markings. Reports will be delivered electronically.

The reports will be documents developed for the use of the client’s technical staff. If requested by the client a separate Executive Summary Report can be provided for senior management, collating the executive summary sections from all reported areas.

a. Format

All commissum penetration test reports follow a standard format as described below. We would however be pleased to discuss client specific requirements and ways of accommodating these. In particular we are aware of specific requirements that The British Library has for the annual external penetration test reporting, which includes delivery of the results in a spreadsheet format.

Our standard reports typically include the following sections:

Title page
Contents
Executive summary
Scope
Approach
Technical detail with different headings depending on the type of report
Vulnerabilities and recommendations
Appendices
Contact details

In our standard reports we use the risk assessment levels of Low, Medium or High, which are assigned based on the following definitions (where a risk cannot be positively verified through testing, an assessment of the probability of the risk actually existing is made and included in this assessment).

High: An issue which if exploited has the potential for severe impact on the confidentiality, availability and/or integrity of your information assets; the issue may be relatively straightforward to uncover or technical exploitation of this may be relatively trivial.

Medium: An issue which if exploited has the potential for a moderate level of impact on the confidentiality, availability and/or integrity of your information assets; discovery of the issue may require a reasonable level of technical capability and it may also be technically quite challenging to exploit or require a reasonable level of resource/time.

Low: An issue which if exploited has a potentially low level of impact on the confidentiality, availability and/or integrity of your information assets; it may also be technically difficult to exploit in reality or require significant resource/time allocation.

A further categorisation is used to help identify the type and context of risk identified:

Vulnerability: A flaw inherent in the security mechanism itself, or which can be reached through security safeguards, allowing unauthorised access to a location, people, or business processes, and/or corruption or deletion of data.

Weakness: A flaw inherent in the platform or environment in which a security mechanism resides, a misconfiguration, survivability fault, usability fault, or failure to meet the requirements of the organisation’s desired Security Posture.

Concern: The issue or vulnerability typically presents a low risk to the business. The risk should be reassessed on a regular basis. Action should still be taken to address concerns as failure to do so could leave the organisation vulnerable to a determined attacker with the time and resources to invest in a complex or blended attack.

Information Leak: A flaw inherent in the security mechanism itself, or which can be reached through security safeguards, which allows for unauthorised access to privileged or potentially sensitive information concerning data, business processes, people, or infrastructure.


b. Peer Review of Deliverables

All work and resulting deliverables are subject to a rigorous peer review process to ensure the high standards we set ourselves are maintained. This ensures the quality threshold and prevents any single points of failure in our delivery capability. The peer review process is a cornerstone of the way we monitor and improve quality.

c. Sample Report

A sample report has previously been provided to The British Library to illustrate the general format that we adopt for reporting. Also a number of assignments have been carried out where the quality of our reporting has been demonstrated. We have also provided further updated samples of:

Standard test report format
Managed Vulnerability Scanning report format

We have assumed that no further samples are required at this stage. Please advise if further information is required here.

2.11 Quality Control

Internal quality control is established and overseen by the Quality Manager. This is underpinned by a Quality System based on the ISO9000 standard; it provides a framework of standards and procedures within which we manage and control all our project, product and service activities. The implementation of this Quality System is mandatory and is to be observed by all those who contribute to commissum’s products and services.

Overall quality and customer satisfaction is the responsibility of the Account Manager and quality of the specific technical delivery is the responsibility of the Lead Consultant on each assignment.

All work delivered is subject to a rigorous peer review process to ensure the high standards we set ourselves are maintained. This ensures the quality threshold and prevents any single points of failure in our delivery capability. The peer review process is a cornerstone of the way we monitor and improve quality.

Service delivery for specific projects is reviewed at the conclusion of each stage in the project lifecycle. Generic six monthly service reviews are also built into the quality procedures and conducted across each of the service offerings. This review process involves the entire team for each delivered project, as well as all the senior and principal consultants, the quality manager and head of delivery.

Staff skills are kept current by a combination of on-the-job training, with senior consultants mentoring more junior staff, and formal training such as that run by Government agencies such as CESG for CLAS, CESG/CREST for security testing, ISACA/ISC2 for CISA/CISSP, vendors for independent security products, and BSI for ISO27001 Lead Auditor/Implementer.

2.12 Draft ‘Rules of Behaviour’ Agreement/Framework

commissum confirms that it is satisfied with the draft rules of behaviour as outlined in the ITT.

2.13 Redress

Overall quality and customer satisfaction is the responsibility of the Account Manager; quality of specific consultancy delivery is the responsibility of the Project Manager and Lead Consultants for the area of delivery and each consultant engaged.

Measures that avoid dissatisfaction and achieve the highest quality include:

clear statements of work agreed with customers
careful assignment of consultants to projects
responsibility taken by Account Manager for all quality matters; this is managed at a working level by lead consultants and consultants as appropriate
rigorous peer review of all deliverables

Dissatisfaction is very rarely encountered, and commissum has a standard documented approach for escalation, summarised as follows, depending upon the level where any dissatisfaction is reported (highest escalation level first):

Independent Arbitration
Managing Director
Account Manager
Lead Consultant
Consultant

At each level, if the issue cannot be resolved to the satisfaction of the customer, it is to be immediately escalated to the next level.

At any time, if the customer feels that the issue is of sufficient importance, they are encouraged to escalate the matter immediately to the Managing Director.

If a matter cannot be resolved to a customer’s satisfaction by the Managing Director, the commissum standard procedure would be to refer the matter to an independent third party agreeable to both commissum and the customer; or if agreement cannot be reached then the president of the British Computer Society, who shall appoint an individual to act as an expert to facilitate a resolution.


We manage all projects under a Prince 2 environment, appropriately scaled to the size of project, and it is our experience that any variance in performance can be identified and remedied in a timely fashion without adverse impact on the project.

Separately from the direct process of resolution, which always takes top priority, all reports of dissatisfaction are recorded by commissum and are reviewed at the regular Company Management Meetings (CMM). From this, future preventative action is planned as appropriate.

2.14 Additional Services & Added Value2

commissum offer two significant value-added items in this area, subject to contract placement:

1) If The British Library calls on a minimum of 20 days of paid consultancy and/or testing during the year, commissum will also provide a six month vulnerability scan to supplement the annual penetration test at no additional cost – this is delivered as commissum’s standard managed vulnerability test service. The report from this is delivered electronically in spreadsheet format.

2) Up to one day of consultancy at no additional charge for the time, for each report submitted, for advice regarding implementation of remedial measures as recommended in the relevant report where this is considered of value by The British Library. If the blended vulnerability service or PCI quarterly or monthly assessments are taken up, and otherwise where it is practical to do so, this support will be provided as a telephone based wash-up/discussion of the report.

3) Knowledge transfer to The British Library through the offer of active involvement of the internal British Library staff in the testing engagements. This can be accommodated by staff either shadowing commissum consultants at The British Library site for on site activities, or if The British Library would prefer, we can accommodate a member of staff who wishes to attend at our site to allow this knowledge transfer during an agreed test.

4) Forensic services and incident response – commissum is able to offer expertise in responding to and investigating incidents. This investigation can be targeted purely at establishing the root cause, recovery and future preventative action; or through commissum’s partner companies, a full investigative and expert witness service can be provided working to criminal evidence standards and in accordance with recognised and accepted industry best practice. Where required these services can be quoted for on a case by case basis.

5) Load/Stress Testing – commissum is able to provide consultancy and test services related to the load testing of systems or web sites. A standard remote external service is provided by the commissum team for web sites; for more in-depth testing our specialist functional testing and load/stress testing partner e-testing may be called in to support this.

2 Note that this section is considered as Commercially Sensitive and should be considered CONFIDENTIAL INFORMATION with regards to FOI.

2.15 Testers’ CVs

Please see Section 3.1 – the Qualifications & Experience of our Team section below.

2.16 References3

As an existing client, and under strict confidentiality, we would offer the following as referees; in addition, The British Library already has experience of working with commissum under the existing contract.

2.17 Sample (Sanitised) Reports

Please see the following enclosed sample Reports:

Infrastructure Penetration Testing & Application Testing Report
Managed Blended Vulnerability Scanning report.

2.18 Itemised Pricing Model4

Given our current understanding of the required team profile and calibre of staff, we offer the rates as per the table below.

We have included caps, for budgeting purposes, on the travel and subsistence expenses and potential annual increase in price.

3 Note that this section is considered as Commercially Sensitive and should be considered CONFIDENTIAL INFORMATION with regards to FOI.

4 Note that this section is considered as Commercially Sensitive and should be considered CONFIDENTIAL INFORMATION with regards to FOI.


Services                                            Discounted Day Rate5

1 External Penetration
2 Internal Penetration
3 Application Security
4 Wireless/Remote Access
5 Telephony Security
6 Social Engineering
7 Information Security Consultancy / Assessment

Rates are exclusive of VAT.

Travel, accommodation and subsistence expenses for services 3, 6 and 7 will be charged at cost. All other services are expected to be provided from commissum premises and will therefore not incur expenses. Where travel and subsistence expenses are charged these will be charged at cost, but we are happy to cap these at no more than of the value of any agreed package of work involving on-site activity.

The above service rates are fixed for one year from the date of contract; service rates thereafter we propose to vary on an annual basis by a percentage to be agreed between commissum and The British Library, where this percentage will be no more than .

Our proposal is valid for 90 (sixty) days from the date of issue and is submitted on a time and materials basis in accordance with terms and conditions of contract.

commissum will invoice for services 1-7 provided on a monthly in arrears basis; acceptance of the Services will be via email.

5 This rate applies to all work quoted and undertaken under the contract associated with this Tender EIS8323.


3 Supplementary Material in Support of our Offer

3.1 Qualifications & Experience of our Team

3.1.1 Introduction

As a people led organisation, commissum recognises the value of investing in people and in attaining relevant industry-recognised accreditation and certification. Our people are all time served professionals with core competencies in the technical and management aspects of security. We hold the principles of trust, confidence, integrity, commitment and quality of service as fundamental to the way we operate.

In this section we provide:

an overview of the professional and academic qualifications of our consultants
a list of consultants with outline CVs that are representative of the calibre of staff from which other team members will be drawn – specific team selection is dependent on the timing of contract start and subject to agreement with the British Library.

3.1.2 Professional & Academic Qualifications & Accreditations

Qualifications, accreditations and certifications held by Key Personnel include:

Certified Security Analyst (ECSA)
Licensed Penetration Tester (LPT)
Certified Ethical Hacker (CEH)
CESG6/CHECK7 Penetration Testing training
Certified Information Security Auditor (CISA8)
CESG CLAS9 Consultancy
Certified in the Governance of Enterprise IT (CGEIT4)
CREST Member Company and CREST Certified Tester/CREST Registered Tester
Certified Information Security Manager (CISM4)
Certified Information System Security Professional (CISSP10)
Accredited ISO27001 Lead Auditor
KÜRT Certified Ethical Hacker11
Various vendor specific IT and security qualifications e.g. ISS System Scanner, DRS/NX System Administration, Checkpoint CCSA/CCSE, Microsoft MCSE, Cisco CCNA, Symantec ESM, etc.

6 Communications-Electronics Security Group (CESG). CESG is the Information Security arm of GCHQ. They are the UK government's national technical authority for information security/information assurance issues.
7 CESG approved scheme for Information Security testing of critical government infrastructure.
8 Certification from the Information Systems Audit and Control Association. In the three decades since its inception, ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide.
9 CLAS – CESG Listed Advisor Scheme – a scheme that satisfies the demand for authoritative Infosec/Information Assurance advice and guidance for critical government infrastructure by creating a pool of high quality consultants approved by CESG.
10 Certified Information Security Systems Professional (CISSP) from (ISC)2. (ISC)2 is a not-for-profit organization dedicated to maintaining a Common Body of Knowledge for Information Security (IS); certifying industry professionals and practitioners in an international IS standard; and ensuring credentials are maintained, primarily through continuing education. CISSP certification is recognised as an international standard for information security and understanding of a common body of knowledge. (www.isc2.org)
11 KÜRT Academy founded course to advance students beyond those available in industry such as the Certified Ethical Hacker (CEH) course. The intensive course includes 240 hours of tutorial and practical study.


3.1.3 commissum Consulting Team CVs

The following is a list of senior commissum consultants from which the resources may be drawn to establish the team for this project for The British Library, together with three sample CVs:

Principal Consultant – CREST Certified Tester
Senior Consultant – CLAS Consultant


Senior Consultant – KÜRT Certified Ethical Hacker
Senior Consultant – CREST Registered Tester
Senior Consultant – BCP/DR Specialist


Senior Consultant – CLAS/CHECK Consultant

In addition to these sample CVs, other staff that commissum may also draw on as Key Personnel include: Andrew Kelman – Technical Consultant & Penetration Tester; Simon Clifford – Principal Technical & Assurance Consultant; Kevin Gourlay – Senior Technical Consultant & Penetration Tester; Ernie McVey – Senior PCI DSS Consultant; Paul Guckian – Principal Governance Consultant; Briony Williams – Penetration Test Consultant; Alun Borland – Network & Security Firewall Engineer; David Murphy – Principal Security Consultant & ISO27001 Lead Auditor; Terry Dawes – Principal BCP Consultant.

3.2 Team Experience

The sample of CVs provided enables The British Library to be confident in the breadth and depth of knowledge available within commissum.

By the nature of our business, our senior consultants are very experienced at working with top management, as well as technical staff, in organisations of all sizes – this being an essential aspect of security audit and policy development; that is, the need to establish an understanding of the business drivers of an organisation and ensure top management buy-in to any audit or accreditation process.

Our team has experience with organisations of all sizes including various types of private sector and government departments, from local to central government and associated government agencies.


3.3 Resource Allocation

As explained above, commissum will allocate a team of high calibre consultants to this project as required by each assignment. The exact team members to make up the team will be decided upon at project start, depending on further information provided, provision of necessary disclosures and timing and resource loading, but will normally be drawn from those qualified individuals listed above to lead any assignment. In addition, the team will be able to draw on the expertise in specific areas of the whole team, as the project progresses.

commissum may use qualified Associates to resource assignments as well as permanent staff. All such Associates have been thoroughly assessed by commissum as to their qualifications and quality of work. Associates will always be managed by the commissum staff project team members. All Associates are signed up under rigorous framework contracts that cover confidentiality, commitment to deliver and quality of work.

3.4 Management Points of Contact

For each assignment, a nominated individual is identified as the client point of contact. Other contacts may be required to address or discuss more technical matters, but these requirements will be managed by the Account Manager identified.

For this assignment with The British Library, the following lead individual is nominated as the prime Account Management point of contact with the client:

Martin Finch, commissum
T 0845 108 2064
F 0845 644 3218
M 0781 234 0940
E [email protected]
Quay House, 142 Commercial Street, Edinburgh EH6 6LB


4 Appendix A – INNOVATIVE/ALTERNATIVE ITEMS BID

We have appended this additional section to our response to suggest an alternative approach that The British Library may wish to consider to satisfy their regular security testing requirements.

4.1 Managed Quarterly/Monthly Vulnerability Scanning

From a budgetary perspective, commissum is able to offer a cost effective approach to balancing detailed penetration testing with more frequent, wider coverage of The British Library external perimeter. This could be achieved through a combination of focused, detailed testing (annually and six-monthly) with a quarterly or monthly blended vulnerability assessment.

The quarterly or monthly scan will pick up changes that occur in the vulnerability landscape between penetration tests and also ensure that no services are inadvertently exposed.

The reports provide data for vulnerability remediation. The monthly option is the most cost effective, picking up changes as they occur and also addressing the large number of vulnerabilities that are published every week and month.

A sample report for our blended vulnerability assessment service is provided with this response.

4.1.1 Approach

commissum offers a bespoke managed vulnerability scanning service tailored to the target installation.

The scope of the assessment covers the same devices as for the external penetration test above.

The managed vulnerability assessment service proposed here complements the external penetration test, which in accordance with best practice should be conducted at least annually, by providing an ongoing view of your exposures, ensuring your knowledge of your security status is always up to date.

Our approach combines automated scanning with a level of manual checking that strikes a balance between cost and reasonably minimising 'false positive' results. The testing is designed to be non-destructive; exploitation of vulnerabilities found is not carried out.

The managed vulnerability assessments are performed in accordance with the following assessment methodology:

Service Scanning - The service scanning phase of the assessment identifies all responding TCP, UDP and ICMP services. This entails scanning all TCP ports, well-defined UDP ports and a range of ICMP sub-services. Only reliable UDP scanning is performed: unless a positive application-layer response can be obtained from the UDP service, it will not be reported as available. Reliable UDP checking assists in the elimination of false positive results, since a UDP port that simply does not answer cannot be distinguished from a filtered one.

Service Enumeration - once the presence of a service has been confirmed, banner information capture is attempted to assist in determining machine vulnerability status. Only 'good practice', non-intrusive banner grabbing methods that will not affect machine availability or stability are employed. Depending upon the services discovered, fingerprinting is also performed in this phase of the assessment.

Vulnerability Detection - this phase consists of performing a configurable number of tests, from a full range of application-layer vulnerability tests down to a single specific test if necessary, against those services discovered in earlier phases of the assessment. Thousands of separate tests are performed; the tools are continually updated with signatures for the latest known vulnerabilities.

Manual Vulnerability Examination and Verification - upon completion of automated vulnerability testing, a time-limited level of manual vulnerability examination and checking is undertaken. This is not as intensive or exhaustive as that undertaken for the full penetration test, but does assist in improving the findings through assessment of potential false positives and some non-trivial vulnerabilities. It also helps to improve the reporting.

Reporting - upon completion of each assessment, an electronically delivered report presents the findings together with corrective actions, historical trends and summary statistics. This is delivered in spreadsheet format (sample provided).
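The 'reliable UDP' rule in the Service Scanning phase above is the part of this methodology that most often separates a trustworthy scan from a noisy one, so here is a worked example of it. This is an added illustration, not commissum's tooling: it implements protocol-correct probes for two well-defined UDP ports (DNS/53 and NTP/123, both chosen as assumptions), validates that any reply actually parses as that protocol and is bound to the packet we sent, and only then records the port as open. No reply is reported as open|filtered, never as open, and an ICMP port unreachable is reported as closed. The timeout value and the host used in the `__main__` block are assumptions.

```python
"""
Reliable UDP service checking, as described for the service scanning phase:
a UDP port is recorded as 'open' only when the target returns a reply that
parses as the expected application protocol AND is bound to our probe.
Silence is 'open|filtered' (a firewall drop and a listening-but-quiet daemon
look identical); an ICMP port unreachable is 'closed'.

Added example, not commissum's tooling. Only DNS/53 and NTP/123 probes are
implemented; other ports need their own builder/validator pair.
"""
import os
import socket
import struct
from typing import Callable, Dict, Optional, Tuple

UDP_TIMEOUT = 2.0  # seconds per probe; assumed value, tune for the target network


def build_dns_query(txid: int, name: str = "example.com") -> bytes:
    """Recursive A query. Header: ID, flags (RD=1), QDCOUNT=1, AN/NS/AR=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def is_dns_response(probe: bytes, reply: bytes) -> bool:
    """Positive only if the reply carries our transaction ID, has QR=1 and echoes our question."""
    if len(reply) < 12:
        return False
    reply_id, flags = struct.unpack("!HH", reply[:4])
    probe_id = struct.unpack("!H", probe[:2])[0]
    question = probe[12:]
    return reply_id == probe_id and bool(flags & 0x8000) and reply[12:12 + len(question)] == question


def build_ntp_request(nonce: bytes) -> bytes:
    """48-byte NTPv4 client packet (LI=0, VN=4, Mode=3) with a random transmit timestamp."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    return bytes([0x23]) + b"\x00" * 39 + nonce  # transmit timestamp occupies bytes 40..47


def is_ntp_response(probe: bytes, reply: bytes) -> bool:
    """Server reply (Mode=4) must copy our transmit timestamp into its originate timestamp (bytes 24..31)."""
    if len(reply) < 48:
        return False
    version = (reply[0] >> 3) & 0x07
    mode = reply[0] & 0x07
    return mode == 4 and 1 <= version <= 4 and reply[24:32] == probe[40:48]


# port -> (probe builder, reply validator). Builders take an 8-byte nonce so that
# each reply can be tied to the packet that elicited it, not just to the port.
PROBES: Dict[int, Tuple[Callable[[bytes], bytes], Callable[[bytes, bytes], bool]]] = {
    53: (lambda nonce: build_dns_query(struct.unpack("!H", nonce[:2])[0]), is_dns_response),
    123: (build_ntp_request, is_ntp_response),
}


def classify(port: int, probe: bytes, reply: Optional[bytes]) -> str:
    """Map a raw outcome to a state. Only a validated reply earns 'open'."""
    if reply is None:
        return "open|filtered"  # no answer: do not report the service as available
    _, validate = PROBES[port]
    # A reply that does not validate (wrong ID, echo of our own packet, noise from a
    # middlebox) is not evidence of the service and is treated the same as silence.
    return "open" if validate(probe, reply) else "open|filtered"


def probe_udp(host: str, port: int, timeout: float = UDP_TIMEOUT) -> str:
    """Live check against one host/port. Requires network access; not exercised offline."""
    build, _ = PROBES[port]
    probe = build(os.urandom(8))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected socket: ICMP port unreachable surfaces as an error
        sock.send(probe)
        try:
            reply: Optional[bytes] = sock.recv(4096)
        except ConnectionRefusedError:
            return "closed"  # kernel delivered an ICMP port unreachable
        except socket.timeout:
            reply = None
    return classify(port, probe, reply)


if __name__ == "__main__":
    for port in PROBES:
        print(port, probe_udp("127.0.0.1", port))  # assumed host; replace with an in-scope target
```

The binding checks matter more than the protocol parsing: a DNS reply with the right transaction ID and our own question echoed, or an NTP reply whose originate timestamp equals the random transmit timestamp we sent, cannot be a stale or spoofed packet from elsewhere. A scanner that accepts any datagram on the port as proof of a service is exactly what produces the false positives the methodology is trying to remove.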
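The value of the monthly or quarterly cadence described in 4.1 is in the delta between runs: which findings are new, which were fixed, which have been sitting open for several assessments, and whether any service has appeared on the perimeter that was not there last time. The reporting phase above promises historical trends and summary statistics in spreadsheet form; the following added example (not commissum's report template) shows one way to derive them from two consecutive exports. The flat CSV layout, the column names and the sample rows are all constructed for the illustration.

```python
"""
Report delta and trend over successive managed-scan exports.
Added example, not commissum's report template: the flat CSV layout below
(one row per finding, keyed by host/port/proto/check_id) is an assumption.
"""
import csv
import io
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample exports for two consecutive assessments.
Q1 = """\
host,port,proto,check_id,severity,title
203.0.113.10,443,tcp,ssl-weak-cipher,medium,Weak TLS cipher suites offered
203.0.113.10,22,tcp,ssh-banner,info,SSH service banner disclosed
203.0.113.11,80,tcp,http-outdated-server,high,Outdated web server version
"""
Q2 = """\
host,port,proto,check_id,severity,title
203.0.113.10,443,tcp,ssl-weak-cipher,medium,Weak TLS cipher suites offered
203.0.113.10,22,tcp,ssh-banner,info,SSH service banner disclosed
203.0.113.12,3389,tcp,rdp-exposed,high,RDP exposed to the internet
203.0.113.12,161,udp,snmp-public,critical,SNMP readable with community 'public'
"""

SEVERITIES = ["critical", "high", "medium", "low", "info"]
Key = Tuple[str, int, str, str]   # (host, port, proto, check_id)
Service = Tuple[str, int, str]    # (host, port, proto)


def load(report: str) -> Dict[Key, dict]:
    """Parse one export into a dict keyed by finding, so two runs can be compared."""
    rows: Dict[Key, dict] = {}
    for r in csv.DictReader(io.StringIO(report)):
        rows[(r["host"], int(r["port"]), r["proto"], r["check_id"])] = r
    return rows


def services(rows: Dict[Key, dict]) -> Set[Service]:
    """Distinct exposed services, independent of which checks fired on them."""
    return {(host, port, proto) for (host, port, proto, _) in rows}


def severity_counts(rows: Dict[Key, dict]) -> Dict[str, int]:
    c = Counter(r["severity"] for r in rows.values())
    return {s: c.get(s, 0) for s in SEVERITIES}


def compare(prev_report: str, curr_report: str) -> dict:
    """What changed since the last assessment: new/resolved/persisting findings,
    newly exposed services (the 'inadvertent service' case) and severity movement."""
    prev, curr = load(prev_report), load(curr_report)
    now, before = severity_counts(curr), severity_counts(prev)
    return {
        "new": sorted(set(curr) - set(prev)),
        "resolved": sorted(set(prev) - set(curr)),
        "persisting": sorted(set(prev) & set(curr)),
        "new_services": sorted(services(curr) - services(prev)),
        "severity_now": now,
        "severity_delta": {s: now[s] - before[s] for s in SEVERITIES},
    }


def finding_age(reports: List[str]) -> Dict[Key, int]:
    """For each finding open in the latest report, how many consecutive
    assessments (counting back from the latest) it has appeared in."""
    loaded = [load(r) for r in reports]
    age: Dict[Key, int] = {}
    for key in loaded[-1]:
        n = 0
        for rows in reversed(loaded):
            if key not in rows:
                break
            n += 1
        age[key] = n
    return age


if __name__ == "__main__":
    delta = compare(Q1, Q2)
    for section in ("new", "resolved", "new_services"):
        print(section, delta[section])
    print("severity delta", delta["severity_delta"])
    for key, n in finding_age([Q1, Q2]).items():
        print(f"{key}: open for {n} consecutive assessment(s)")
```

Keying on host, port, protocol and check id rather than on the finding title is deliberate: titles change between scanner versions, and a rename would otherwise show up as one resolved and one new finding. The `new_services` list is the check that catches an exposure even when no vulnerability check fires against it, which is the case the proposal calls an inadvertently exposed service.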

4.1.2 Pricing - Managed Quarterly/Monthly Vulnerability Scanning (12)

For the scope, commissum has provided an indication of price based on a representative number of external IP addresses, explicitly:

Up to a total of 150 active targets

When run in parallel with a full annual penetration test:

o Single assessment -

o 4 Quarterly assessments -

o 12 Monthly assessments -

If the single assessment is taken, its price can be offset against the quarterly or monthly service, provided that service is committed to within 1 month (in the case of the monthly service) or 3 months (in the case of the quarterly service) of the single assessment being commenced. Assessment dates in each case are agreed for the year in a single Project Initiation Document following contract commencement.

Invoicing for the service is on contract award for the year. Reduced pricing can be offered for a two or three year commitment.

(12) Note that this section is considered Commercially Sensitive and should be treated as CONFIDENTIAL INFORMATION with regard to FOI.

4.2 Managed Application Security Assessment

commissum is able to quote for regular managed semi-automated application security scans. These are a cost effective way of supplementing full application security testing at more regular intervals and following changes to applications.

The objective would be to run the scans on a regular basis against key applications; quarterly would be an optimum frequency, with additional scans if a significant change occurred between quarterly scans.

commissum will quote for this service if The British Library considers that it may be of value as part of the security element of the software development lifecycle.

4.3 Managed Static Code Review

This service provides a managed, automated security check of developed code. The return on investment concept is that the earlier in the development lifecycle issues are identified and rectified, the less costly they are and the less impact they have on project timescales. This proven review is ideally incorporated into the development lifecycle as early as possible.

commissum is able to provide more detail on this and pricing if The British Library considers this of interest.
