STATEMENT OF WORK
HAMILTON COUNTY & CITY OF CARMEL
Advisory Services // Network Penetration Testing
Prepared By: Rook Security
June 4, 2018

CONFIDENTIALITY STATEMENT
The project described herein is protected by copyright and for the exclusive use of Rook Security and Hamilton County & City of Carmel for the purposes outlined in this Statement of Work. This information is not to be made available to any third party without the written permission of Rook Security and should be considered proprietary and confidential.

// Contents
■ Client and Project Information
■ Project Overview
■ Methodology and Scope
■ Network Penetration Test
■ Pricing
■ Travel
■ Invoicing
■ Reasonable Access
■ Ownership and Indemnity
■ Nondisclosure and Confidentiality
■ Scheduling
■ Termination
■ Client Reference
■ Change Management
■ Project Acceptance
■ About Rook

// Client and Project Information
Company Name: Hamilton County & City of Carmel
Contact Name: Chris Mertens
Contact Title: Director of IT
Contact Phone: 317-776-8293
Contact Email: chris.mertens@hamiltoncounty.in.gov
Billing Address Line 1: 1 Hamilton County Square
Billing Address Line 2:
Billing City, State, Zip: Noblesville, IN 46060
Billing Contact Name: Chris Mertens
Billing Contact Phone:
Billing Contact Email:
Purchase Order Number:

Rook Security
Contact Name: Daniel Wale
Contact Title: Director of Sales
Contact Phone: 888.712.9531 x 782 or mobile 317.640.5120
Contact Email: daniel.wale@rooksecurity.com

Rook Security www.rooksecurity.com Copyright © 2018 Rook Security, LLC. All Rights Reserved. Distribution is approved for internal use only.
// Project Overview
Hamilton County & City of Carmel recognizes that its sensitive and restricted data is under the possible threat of improper discovery and/or potential disclosure, and that such action would bring negative consequences in terms of quantified and qualified impact, including potential loss of reputation and general brand damage. Therefore, Hamilton County & City of Carmel has decided to retain Rook Security (Rook) to assist in the following areas:
■ External Network Penetration Test

// Methodology and Scope

Network Penetration Test

Service Description
Penetration testing, commonly referred to as "pen testing" or "ethical hacking," is conducted to confirm the true risk of identified vulnerabilities. A penetration test is designed to fully disclose and identify vulnerabilities that can lead to sensitive information disclosure and/or significant impact to the Hamilton County & City of Carmel network and its users. To this end, automated vulnerability scanning and manual review of the network and the hosts within it is performed to identify vulnerable entry points, exploitable services, and avenues for ingress and egress of data. Additionally, open source reconnaissance and social engineering are utilized, as required, to pivot and extend access within the application. The goal of a network penetration test is not just to enumerate vulnerabilities but also to identify sensitive information such as user PII, passwords, and/or client information and, if possible, gain administrator access to the domain.

Methodology
Using automated tools and manual analysis, identified vulnerabilities will be reviewed in the following five phases:
■ Discovery. Automated scanning to develop an understanding of identified devices and potential vulnerabilities.
■ Analysis. Identify and prioritize vulnerabilities based on an analysis of the results from the discovery phase.
■ Exploitation. Perform exploitation techniques on high-value vulnerabilities along with manual penetration testing activities on common vulnerable services with the intent to gain access to the system.
■ Escalation. Once access on a system is gained, Rook will attempt to escalate its privileges on the host.
■ Extend and Pivot. On a compromised host, Rook will attempt to discover additional hosts/networks.

Tools that Rook will use to perform the automated and manual analysis are noted below:
■ Nmap Port Scanner
■ Nessus Vulnerability Scanner
■ Metasploit
■ Hydra
■ Fierce
■ Scapy
■ HashCat
■ John the Ripper

Scope
Carmel: Up to 44 external live hosts
Hamilton County: Up to 66 external live hosts (64 in Judicial Center; 2 in Sheriff's Department)

Reporting and Deliverables
Rook will prepare deliverables as required through execution of various project tasks. Rook will prepare a report of its findings for Hamilton County & City of Carmel. The report will be delivered first in draft form to allow time for Hamilton County & City of Carmel to prepare a management response if desired. Upon receipt of management's response from Hamilton County & City of Carmel, Rook will prepare a final report that incorporates all responses. The report will contain at least the following information, which will address issues discovered during the review:
■ Executive Summary: This part of the report will address the overall security posture of the environment reviewed and highlight major findings.
■ Testing Methodology: A high-level description of Rook's methodology used for performing the assessment will be documented in this area.
■ Identified Technical Vulnerabilities: Describes identified vulnerabilities/issues, the likelihood or difficulty of exploit, the potential impact, remediation recommendations, and impacted hosts.
■ Appendix: This part of the report will address the vulnerability data that Rook collects throughout the engagement.

In addition, identified findings will be labeled with a risk rating based on the following:
■ High: Pose an immediate danger to the security of infrastructure and should be addressed immediately.
■ Medium: Important and should be addressed in a timely manner.
■ Low: Do not pose immediate risks but should be remediated as able.

All output and deliverables will be provided electronically. Any additional project deliverables requested by Hamilton County & City of Carmel will be billed separately at Rook's standard consulting rates.

// Pricing
The Services described in this document will be performed as a fixed-fee service as set forth herein below and based upon the scope as defined by Hamilton County & City of Carmel as follows:
Network Penetration Test (110 External Live Hosts): $24,850.00
After Hours Surcharge [Optional]: $2,500.00
Total Cost [Excluding Surcharges]: $24,850.00

Pricing is inclusive of operations and directly related facilities located within a 50-mile radius of Rook's headquarters in Carmel, Indiana. The optional after-hours surcharge will be applied for any service that must be performed between the hours of 6:00 PM EST and 8:00 AM EST. All monetary amounts are in USD (US Dollars).

// Travel
Hamilton County & City of Carmel agrees to reimburse Rook for all travel expenses (outside of a 50-mile radius of Rook's headquarters in Fishers, Indiana) which are directly related to the consulting services detailed in this Statement of Work. These travel expenses include, but are not limited to, airfare, hotel, temporary housing, meals, rental cars, insurance for rented travel equipment and/or vehicles, parking, taxis, mileage, etc.
If available, Rook will work with Hamilton County & City of Carmel to take advantage of any hotel and/or car discounts that Hamilton County & City of Carmel may have available to minimize these costs.

// Invoicing
Rook will invoice Hamilton County & City of Carmel the fixed price total upon delivery of draft reporting. Any travel, lodging, or meal expenses incurred for travel outside a 50-mile radius of Rook's Fishers, Indiana headquarters will be invoiced as incurred as discussed under "Travel" above. Invoice payment terms are Net 35 days. Any amount that is not paid within 30 days of receipt of the invoice shall bear interest at the rate of 1% per month or portion thereof from the date such amount became due through the date on which payment is received by Rook.