Q&A for Penetration Testing RFP

Q: Is this the first engagement of this kind, or have these systems been tested previously?

A: No, we have done several pentests prior to this one.

Q: Can the assessment (or a portion of the work) be performed remotely?

A: Yes. While we would prefer someone to physically be here for the majority of the testing, certainly the external network test, and email and phone campaign can be completed remotely.

Q: Are there any requirements or compliance standards driving the need for the assessment?

A: Yes, we are required to complete an annual penetration test for our SOC 1 compliance.

Q: Is there a defined budget for the project that can be shared with vendors?

A: No

Q: Are there published evaluation criteria for the vendor selection process? (Cost - 20%, Qualifications and Experience - 50%, etc.)

A: No, we select the lowest qualified bidder.

Q: How large in terms of link count are the applications in scope?

A: About 20

Q: Does RISLA want an in-depth review of the applications for vulnerabilities?

A: We do not require this testing for code review. However, we do want to test for things like SQL Injections and site misconfigurations such as bad encryption.

Q: Will the selected vendor be performing application testing against product web applications or via a test environment?

A: Production

Q: Is the testing limited to the scope defined in the RFP, or is the vendor allowed to enumerate all network connected devices for potentially expanding the scope to other network connected systems?

A: Yes, if the selected vendor discovers something we were unaware of, you are welcome to leverage it in your attack. However, in order to avoid excess scope creep, any testing not outlined in this RFP will need to be discussed and approved by RISLA staff. With that being said, we are a small company of about 40 employees and no wifi networks so it is unlikely there would be a great number of hidden devices that we are unaware of.

Q: Could you please elaborate on the "Remediation Support" for RISLA? (Would this entail the vendor to supply consulting advice/guidance after the report's delivery or hands-on remediation support such as patching of vulnerabilities found?)

A: We are expecting consulting advice/guidance.

Q: Penetration test is attempting to get access to the network while a Vulnerability Assessment is an assessment of the target operating systems to determine and know vulnerabilities with their associated scores with remediation recommendations. Are you attempting to conduct Penetration Test and/or Vulnerability Assessment?

A: A bit of both. We would like to do an assessment that goes beyond what you would encounter in a typical Nessus report. Certainly, we want the network to be scanned, but we will also require our selected vendor to go the step farther and try to leverage the discovered vulnerabilities to gain further access, possibly do man in the middle attacks and the such. For example, we’d expect a tester who has discovered an open share to examine it and identify if there are any administration scripts with passwords and usernames for a service account built into them, and if those discovered accounts have extra privileges they shouldn’t have, etc.

Q: If you want to include a Vulnerability Assessment, how many Operating System IP addresses are in scope, internal and external?

A: About 60-70. 3 external, 17 servers, and about 40 workstations give or take a few.

Q: How many phone numbers are in scope for this engagement?

A: 6

Q: What is the goal of the Social Engineering Attack email campaign?

A: The goals of the testing would be to have employees visit a link or download a file they are not meant to that is clearly malicious, and/or give up PII. We want to test 1 person per department and the test provided would depend on the role of the employee. We can provide a recommended target list. We’d expect to target 6 people.

Q: How many email addresses are in scope for this engagement?

A: We’d like to target 6 people.

Q: How many active external IP addresses are in scope?

A: 3

Q: How many external web applications are in scope?

A: 3

Q: What web programming languages are in use with the web applications?

A: VB.net

Q: Are web applications custom off the shelf (COTS) or developed internally?

A: Developed internally

Q: RISLA would like an internal penetration test of approximately 75 IPs and an external penetration test of 3 IPs?

A: Yes 3 external, 75 internal is probably a tad high, probably closer to 60-70.

Q: When should we expect the answers to be posted to the RISLA website?

A: October 17th, after questions have finished coming in.

Q: What is the number of AP the wireless infrastructure supports?

A: 0. We don’t have wireless.

Q: How many wireless networks are deployed?

A: 0

Q: Are there Unauthenticated Web Applications in scope?

A: Our loan application has a portion that is unauthenticated.

Q: Are there external web services or API endpoints in scope? If so, how many?

A: We have a loan application we’d like tested. We do have two mobile apps, but their APIs are not in the scope of this test.

Q: Are there Servers/Web Applications/Web Services hosted on AWS or similar cloud?

A: At the time of this writing no, but we are currently in the initial process of moving two sites to Azure, that may or may not be completed by the time this RFP is executed.

Q: Is there any documentation for the API?

A: Yes, but they are not in the scope to be tested.

Q: How many rounds of calls and emails would RISLA like?

A: One set of calls and emails to each person targeted.

Q: How many total employees will be in scope for the social engineering portion?

A: 6

Q: What is the name of the vendor who won the project for a similar RFP for Penetration Testing/Vulnerability Assessment in July 2016?

A: Enterprise Risk Management

Q: How many years has RISLA worked with this vendor?

A: That was our first engagement with that firm.

Q: What was the dollar value of the 2016 contract for Penetration Testing/Vulnerability Assessment?

A: $6,233 including travel.

Q: Will the results of the previous work be shared with the successful consultant?

A: No

Q: What virtual architecture is in use?

A: VMware

Q: General architecture orientation: What versions of Unix/Linux are in use externally?

A: N/A (Just Zix)

Q: General architecture orientation: what versions of Windows server are in use externally?

A: 2008, 2012 and 2016

Q: How many internal IP addresses/subnets are in scope?

A: 2 subnets about 60 IPs

Q: Are internal workstations included?

A: Yes

Q: How many internal web applications are in scope?

A: One

Q: How many of each: servers/databases/firewalls/routers/switches?

A: 5 physical servers (2) ESX, Zix, Web, Phone. 17 virtual, 4 database, 1 firewall, 1 router, and 6 switches

Q: General architecture orientation: What versions of Linux are in use internally?

A: N/A We don’t have any

Q: General architecture orientation: what versions of Windows server are in use internally?

A: Windows 10 and (2) Windows 7 clients

Q: Is virtual architecture in use? What version, i.e., VMware, Hypervisor, Xen, etc.?

A: VMware

Q: Are there any mainframes in scope?

A: No

Q: How many databases are in scope and what type:

A: 4 – (1) SQL 2012 Ent, (3) SQL Express

Q: Is the social engineering to be carried out for a targeted group of people or organization wide?

A: Target group

Q: How frequently are the employees involved in communication with people outside the organization?

A: We run two call centers so many employees are constantly in direct communication with people outside the organization.

Q: What is the preferred mode of communication – email or call?

A: We receive a good mix of calls and emails from outside the organization, but I suspect we deal mostly in phone calls.

Q: Is there any awareness campaign carried out in the organization related to cyber security or information security?

A: Yes, we do yearly training, and I previously worked as a Penetration Tester so I routinely conduct my own testing against our employees.

Q: What is the contract duration?

A: The significant dates are listed in the RFP.

Q: What is the anticipated start date of the contract?

A: Mid November

Q: Please provide the size of the organization in terms of number of employees?

A: About 40

Q: Is this requirement on-site or off-site?

A: We’d prefer on-site, though some work can be performed remotely such as the social engineering campaign and external testing.

Q: 6 External Websites: As part of the normal V&P Scan, the website server will be scanned, but are you looking for Web Application Testing (tests for SQL Injection, Web Site Misconfigurations, and other website-specific tests)?

A: Yes, though we are really looking at only one site to be tested that deeply.

Q: Initial Assessment Report within 5 days: Are you looking for something more than the Technical Report within 5 days? Will any extension be available if more than just the Technical Report is required?

A: Our expectation is that an Initial Assessment Report would be a rough draft for critical/high findings that need to be addressed immediately if there are any such findings. A final draft is due by January 2, 2018. If something major needs to be addressed with the timing of reporting, we can discuss as needed.

Q: Formal Assessment Report within 10 days: Will any extension be available for this? Normal timeline is 30 days.

A: Please add a revised timeline to your proposal for deliverables if you feel that more time is necessary

Q: Remediation Support (hourly rate): What level of support are you looking for? Are you seeking simple consultation and direction, or actual hands-on remediation activity?

A: Consultation and direction

Q: Payment Terms: Is there flexibility on these terms? Industry standard is 50% pre-audit deposit with balance due upon delivery of final reports. If no flexibility, will the payment be immediate (within 24-48 hours of delivery of the requisite documentation)? Will payment be made by ACH (preferred) or by check?

A: 50% payment can be made by ACH or wire (up to vendor) upon receipt of initial assessment report and be completed within 1 business day.

Q: Paper Copies of Assessment Reports: One Paper Copy and one PDF file is required, but the instructions state that 3 individuals are to be included in the distribution. So, are three paper copies and three PDF files required to comply with the terms?

A: One paper and one pdf

Q: Deadlines & Timing: If the deadline for proposals is November 2, 2017, when will the contract be awarded and how will the Vendor be notified? A November 2 date with a November completion date following does not allow for much pre-audit information to be shared, let alone planning to take place. Industry standard is at least 30 days.

A: The contract will be awarded within 1 week of deadline of November 2.

Q: Receipt of Report must be acknowledged: Is a Read Receipt sufficient to act as acknowledgment, and will the recipient be required to acknowledge receipt in this way? Or, since paper copies are required, will Certified Mail Receipt or UPS Receipt Signature be sufficient to act as acknowledgment?

A: RISLA will email or call that report has been received.

Q: Do you need the remedial support to be provided onsite or remotely?

A: Remotely

Q: How long do you need Remediation support?

A: To be determined based on findings.

Q: Will the Penetration and Vulnerability Assessment be performed; Once, Monthly, Quarterly, Annually, or On Demand?

A: We do Annual tests, but this contract will be for a one-time test.

Q: Based on the identified infrastructure, the approximation of IP Addresses is closer to 69 Internal and 7 External addresses. Should a Statement of work be built based on that information, or should it reflect the stated 75 Internal and 3 External addresses?

A: 75 Internal and 3 external is what will be in scope.

Q: Will the Social Engineering Assessments be performed; Once, Monthly, Quarterly, Annually, or On Demand? 

A: Once